Posts

Showing posts from February, 2025

The Technological Impact of AI Across Industries

The article discusses the rapid advancement of artificial intelligence (AI) technologies and their transformative impact across various sectors. It highlights how AI is revolutionizing industries by enabling more efficient data processing, enhancing decision-making processes, and automating complex tasks. The piece emphasizes the integration of machine learning algorithms and neural networks in developing innovative solutions, leading to significant improvements in productivity and operational efficiency. Additionally, it explores the role of AI in driving technological innovation, fostering new business models, and creating opportunities for growth in the digital economy. https://substack.com/home/post/p-157686829%3Fsource%3Dqueue

China Launches Independent Quantum-Resistant Encryption Standard

On February 18, 2025, China initiated a global call for proposals to develop post-quantum cryptographic algorithms, aiming to establish national standards for encryption resistant to quantum computing threats. This initiative, led by the Institute of Commercial Cryptography Standards (ICCS) under the Chinese Cryptography Standardization Technical Committee, seeks international participation to evaluate algorithms based on security, performance, and implementation feasibility. Experts suggest that China's move reflects concerns over potential vulnerabilities in US-led encryption standards and a broader push for technological self-reliance. This development highlights the global competition in quantum-resistant encryption, with China pursuing independent standards to enhance its cybersecurity infrastructure. The urgency stems from the growing capabilities of quantum computers, which pose a direct threat to current encryption methods.  https://thequantuminsider.com/2025/02/18/china-la...

Brazil Establishes Federal Body for Biometric ID Card Issuance and Checks

On February 17, 2025, Brazil established the Federal Biometric Service to oversee the issuance of the Carteira de Identidade Nacional (CIN), the country's biometric national identity card. The new law mandates that the service implement systems capable of performing both one-to-many and one-to-one biometric checks against its stored data. Fingerprint data must adhere to the NIST Fingerprint Image Quality (NFIQ) 2 standard, based on ISO/IEC 29794-4, while facial biometrics should comply with ICAO’s 9303 specification, aligning with ISO/IEC 29794-5. Additionally, the service is required to meet NIST’s FRTE evaluations and MINEX III fingerprint template interoperability standards. The law specifies acceptable false non-identification rates (FNIR) for various fingerprint types and mandates liveness detection for facial biometrics, with expectations for Level 1 testing against ISO/IEC 30107-3 for low-risk transactions and Level 2 for high-risk transactions. An implementation plan for th...

Critical OpenSSH Flaws Enable MITM and DoS Attacks

On February 18, 2025, HackRead reported on two OpenSSH vulnerabilities identified by the Qualys Threat Research Unit (TRU). The first, CVE-2025-26465, affects the OpenSSH client and permits machine-in-the-middle attacks when the VerifyHostKeyDNS option is enabled (set to "yes" or "ask"; the default is "no"): an attacker who can intercept the connection can impersonate a legitimate server and compromise the integrity of the SSH session. The attack requires no user interaction, works whether or not an SSHFP record actually exists for the host, and the bug has been present since OpenSSH 6.8p1 (December 2014). The second, CVE-2025-26466, affects both client and server and enables a pre-authentication denial of service that consumes excessive memory and CPU, potentially causing outages. It was introduced in 9.5p1 and persists up to 9.9p1. Users are strongly advised to upgrade to OpenSSH 9.9p2, which fixes both issues; note that distribution packages often backport the fix without changing the version string, so check the vendor advisory rather than relying on the version alone.  https://hackread.com/critical-openssh-flaws-expose-users-mitm-dos-attacks/
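
A triage check for the two advisories, as an added example that is not part of the HackRead article or the OpenSSH project: it classifies a client or server by its OpenSSH version string and, for clients, by the effective VerifyHostKeyDNS value read from `ssh -G` output. The affected ranges are the ones stated above; the function names and the sample `ssh -V` / `ssh -G` output are this example's own constructed inputs.

```python
from __future__ import annotations
import re

# Added example (not from the article or OpenSSH). Version ranges follow the
# advisory summary above; sample inputs below are constructed.

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(banner: str) -> tuple[int, int, int]:
    """Turn 'OpenSSH_9.9p1, OpenSSL 3.0.13 ...' (from `ssh -V`) or a server banner
    such as 'SSH-2.0-OpenSSH_9.5p1' into a comparable (major, minor, portable) tuple."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {banner!r}")
    major, minor, portable = m.groups()
    return int(major), int(minor), int(portable or 0)


def effective_option(ssh_g_output: str, option: str) -> str:
    """Read one option from `ssh -G <host>` output, which prints the resolved
    configuration as lowercase 'name value' lines. Returns 'no' if absent."""
    for line in ssh_g_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == option.lower():
            return parts[1].strip().lower()
    return "no"


def affected_cves(banner: str, role: str, verify_host_key_dns: str = "no") -> set[str]:
    """role is 'client' or 'server'. Returns the CVE ids whose affected range
    contains this version, given the client's VerifyHostKeyDNS setting."""
    v = parse_version(banner)
    fixed = (9, 9, 2)
    cves: set[str] = set()
    # CVE-2025-26465: client only, 6.8p1 through 9.9p1, and only when
    # VerifyHostKeyDNS is 'yes' or 'ask' (the default 'no' is not exposed).
    if role == "client" and (6, 8, 1) <= v < fixed and verify_host_key_dns in ("yes", "ask"):
        cves.add("CVE-2025-26465")
    # CVE-2025-26466: client and server, 9.5p1 through 9.9p1, no config dependency.
    if (9, 5, 1) <= v < fixed:
        cves.add("CVE-2025-26466")
    return cves


# Constructed sample inputs standing in for `ssh -V 2>&1` and `ssh -G <host>` output.
SAMPLE_SSH_V = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
SAMPLE_SSH_G = "host bastion.example.internal\nuser deploy\nverifyhostkeydns ask\nport 22\n"


def check_client(ssh_v: str = SAMPLE_SSH_V, ssh_g: str = SAMPLE_SSH_G) -> set[str]:
    """Combine the two data sources for one client host."""
    return affected_cves(ssh_v, "client", effective_option(ssh_g, "VerifyHostKeyDNS"))


if __name__ == "__main__":
    print("client:", sorted(check_client()))
    print("server 9.5p1:", sorted(affected_cves("SSH-2.0-OpenSSH_9.5p1", "server")))
```

`ssh -V` prints to stderr, hence `2>&1` when capturing it; `ssh -G host` exists since 6.8 and shows the configuration as actually resolved for that host, which is what matters because VerifyHostKeyDNS can be set per Host block. Treat a positive result as "needs the vendor advisory checked", not as confirmed vulnerable, since backported fixes keep the old version string.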

Building and Selling vCISO Services: A Guide for MSPs and MSSPs

The Hacker News published an article on February 19, 2025, titled "The Ultimate MSP Guide to Structuring and Selling vCISO Services," providing a roadmap for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) to develop and market virtual Chief Information Security Officer (vCISO) services. Developed in collaboration with Jesse Miller, founder of PowerPSA Consulting, the guide addresses challenges in structuring, pricing, and selling vCISO offerings. It emphasizes evaluating current security services to formalize them into a vCISO package, assessing clients by industry, size, and security maturity to identify those who would benefit most, and structuring scalable service packages using frameworks and automation. The article highlights the importance of understanding client business drivers, evaluating their security leadership readiness, and aligning services accordingly to build a successful vCISO practice.  https://thehackernews.com/2025/02/the-...

NSA's Equation Group: A Chinese Perspective on Cyber Operations

In February 2025, InverseCos published an article titled "An Inside Look at NSA (Equation Group) TTPs from China’s Lens," which examines alleged cyber activities of the NSA's Equation Group, referred to by Chinese cybersecurity entities as "APT-C-40." The article aggregates insights from Chinese sources, including Qihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center (CVERC), focusing on the reported 2022 cyberattack on China's Northwestern Polytechnical University. According to these reports, the NSA's Tailored Access Operations (TAO) unit deployed over 40 unique malware strains to conduct data theft and espionage. Attribution methods cited include analysis of attack timings aligning with U.S. working hours and identification of American English language settings and keyboard usage. The article notes that these allegations remain unverified by independent sources and aims to share perspectives from Chinese cybersecurity researc...

2024 Vulnerability Exploitation Trends and Insights

In 2024, VulnCheck observed a 20% increase in publicly reported exploited vulnerabilities, identifying 768 CVEs compared to 639 in 2023. Notably, 23.6% of these were exploited on or before their public disclosure date, slightly down from 27% the previous year. The data indicates that exploitation can occur at any stage in a vulnerability's lifecycle. Initial exploitation reports came from 112 unique sources, including security companies, government agencies, non-profits, and product vendors. Monthly reporting volumes varied, with spikes linked to industry events and the onboarding of new reporting sources. These findings underscore the dynamic nature of vulnerability exploitation and the importance of timely disclosure.   https://vulncheck.com/blog/2024-exploitation-trends

SBOMify: Open-Source SBOM Management Platform

 sbomify is an open-source Software Bill of Materials (SBOM) management platform designed to help organizations efficiently generate, manage, and analyze SBOMs for their software projects. It provides tools to create comprehensive inventories of software components, track dependencies, and ensure compliance with security and licensing requirements. The platform is actively maintained, with its source code and documentation available on GitHub. https://github.com/sbomify/sbomify

OWASP SAMM Skills Framework Enhances Software Security Roles

The OWASP SAMM Skills Framework, introduced on February 9, 2025, is a new initiative donated by Siemens to enhance software security practices within organizations. This framework assigns specific responsibilities to SAMM (Software Assurance Maturity Model) streams, clarifying which roles are involved in advancing each stream. It provides guidance on the necessary skills and training for each role, aligning SAMM-related activities with appropriate stakeholders and their required competencies. This alignment helps organizations identify the right personnel and visualize shared responsibilities, ensuring a structured approach to secure product development. Implementing the OWASP SAMM Skills Framework involves several key steps. Organizations must first map responsibilities to roles, ensuring each task is assigned to the right individual. Next, they must evaluate and align stakeholders with specific SAMM streams, validating that those assigned understand and accept their roles in advanci...

Advanced Linux Hardening: Strengthening Security Beyond the Basics

 In the article "Beyond the Basics: Advanced Linux Hardening Techniques," author Grant Knoetze delves into sophisticated strategies for enhancing the security of Linux systems. Building upon foundational practices, Knoetze emphasizes the importance of implementing advanced measures to protect against evolving threats. Key recommendations include adopting the zero-trust security model, which operates on the principle of "never trust, always verify," ensuring that every access request is thoroughly authenticated and authorized. Additionally, the article highlights the necessity of continuous monitoring and auditing of system activities to detect and respond to suspicious behavior promptly. Knoetze also discusses the implementation of micro-segmentation to isolate critical system components, thereby limiting the potential impact of a security breach. By integrating these advanced hardening techniques, organizations can significantly bolster their Linux environments aga...

Securing Developer Infrastructure: Addressing Threats in Code Repositories and Pipelines

In the blog post "The Overlooked Attack Surface: Securing Code Repositories, Pipelines, and Developer Infrastructure," authors Karin Magriso and Ziad Ghalleb discuss the increasing importance of securing developer infrastructure as a core component of modern Application Security Posture Management (ASPM). They highlight that while traditional application security has focused on code scanning and runtime protection, attackers are now targeting the tools and processes involved in software development, such as code repositories, build pipelines, and dependencies. The authors emphasize that compromised developer environments can lead to significant security breaches, as evidenced by the Ultralytics incident of December 2024, in which attackers abused the project's GitHub Actions workflow to publish trojanized releases of the widely used library to PyPI. To address these vulnerabilities, the post introduces Wiz Code, a solution that extends security posture management and threat detection across the entire software suppl...

CodeSheriff.NET: Security Scanning for ASP.NET Core

 CodeSheriff.NET is a security scanning tool designed for ASP.NET Core websites. Unlike traditional scanners, it leverages the .NET Compiler Platform (Roslyn) to perform in-depth code analysis, aiming to reduce false positives and identify more vulnerabilities. Users can operate CodeSheriff through the CodeSheriff.LocalUI for selecting solutions to scan and specifying output locations. For testing purposes, a companion website with known vulnerabilities is available. https://github.com/ScottNorberg-NCG/CodeSheriff.NET

Sectigo Launches PQC Labs for Post-Quantum Cryptography Testing

Sectigo has introduced Sectigo PQC Labs, a platform developed in partnership with Crypto4A to facilitate the transition to post-quantum cryptography. This sandbox environment aligns with the National Institute of Standards and Technology (NIST) standards, enabling organizations to test and implement quantum-resistant cryptographic certificates within their existing infrastructures. Sectigo PQC Labs addresses threats like "Harvest Now, Decrypt Later" and concerns about long-lived digital signatures. Kevin Weiss, Sectigo's CEO, emphasizes the platform's role in preparing organizations for quantum-era security challenges. The collaboration with Crypto4A provides key management through quantum-safe Hardware Security Modules (HSMs). Crypto4A CEO Bruno Couillard highlights the urgency of transitioning to new cryptographic algorithms, pointing to NIST's draft timeline (NIST IR 8547) that deprecates today's quantum-vulnerable public-key algorithms after 2030 and disallows them after 2035. Sectigo PQC Labs offers a secure environment for organizations to te...

Security Is a Pricing Problem

 In the article "Security Is a Pricing Problem," the author argues that the primary challenge in cybersecurity is not technical but economic. Organizations often prioritize cost-cutting over investing in robust security measures, leading to vulnerabilities. The author suggests that businesses should view security as an investment rather than an expense, emphasizing the long-term benefits of proactive security measures. By aligning security investments with business objectives, companies can achieve a balance between cost and risk management, ultimately enhancing their overall security posture. https://securityis.substack.com/p/security-is-a-pricing-problem

Prioritizing and Scaling Application Security: Practical Strategies for Effective AppSec Programs

The transcript is a presentation by a CISO on application security (AppSec), emphasizing the importance of integrating security throughout the Software Development Life Cycle (SDLC) while prioritizing efforts based on organizational needs. Key points include maintaining an application inventory, focusing on true positives to eliminate vulnerabilities, and avoiding over-reliance on tools like SAST and DAST that can produce false positives or struggle with modern architectures. The speaker advocates for contextually relevant training, early threat modeling, and secure templates for microservices, while cautioning about the challenges of bug bounty programs. The overall message is to be intentional in security practices, learn from verified vulnerabilities, and collaborate closely with engineering teams to build a robust and scalable AppSec program.  

What Developers Think About Application Security Might Surprise You

 A recent survey by Jit reveals that 61% of developers consider security a low priority due to organizational pressures for rapid feature delivery. Chris Romeo of Devici highlights that secure coding hasn't been prioritized as much as feature delivery or quality. MJ Kaufmann from O'Reilly Media adds that tight deadlines make security seem like an obstacle rather than a key part of development. Mike McGuire from Black Duck Software notes that DevOps teams prioritize speed, with top teams aiming for cycle times under a day, while even slower teams are pressured to deploy within a week. https://securityboulevard.com/2025/02/what-developers-think-about-application-security-might-surprise-you/

What’s Going on with Semgrep and OpenGrep?

 In the blog post, Josh Grossman discusses recent changes to Semgrep, an open-source static analysis tool. Semgrep allows users to find patterns in code with custom rules and is licensed under LGPL. Until December 2024, its rule library was under Commons Clause, which had commercial usage limitations. In December 2024, the license for Semgrep rules was updated to restrict usage to internal purposes only, prohibiting distribution or offering them as a service. This led to concerns among users, prompting the creation of the Opengrep fork to provide an open alternative. Grossman reflects on both the challenges and benefits of these changes. https://joshcgrossman.com/2025/01/28/whats-going-on-with-sem-open-grep/

Scaling Threat Modeling with AI: Automating 1000 Models with Gemini 2.0

 The blog post explores using Google's Gemini 2.0 AI to automate and scale threat modeling. The author aimed to address security documentation bottlenecks in rapid development. Challenges included inconsistent Markdown generation and ineffective prompts. By developing a multi-step prompt strategy and a new agent, Github2Agent, the author enabled a multi-turn conversation with Gemini, generating 1,000 threat models. The experiment highlights AI's potential in automating cybersecurity processes and improving security analysis efficiency. https://xvnpw.github.io/posts/scaling-threat-modeling-with-ai/

ThreatPad: A Secure, Web-Based Threat Modeling Tool

 ThreatPad is a free, web-based tool for collaborative threat modeling. Users can create models anonymously, share a secret link for team collaboration, and document threats with mitigations. Data is secured with end-to-end encryption, and only encrypted data is processed by the server. It is designed for short-lived threat models, such as security training or demonstrations, and is not suitable for confidential or corporate data. Users must keep their unique links secure to maintain access to their threat models. https://threat-modeling.net/threatpad/

Stealing HttpOnly Cookies with the "Cookie Sandwich" Technique

PortSwigger Research's "cookie sandwich" technique exploits how some web servers parse cookie values that contain double quotes. Parsers that still honour the legacy RFC 2109 quoting rules treat a value beginning with a double quote as running until the closing quote, even across semicolons. An attacker who can set two cookies of their own (for example from a sibling path or subdomain) gives each the value of a lone double quote and arranges, using cookie path and creation order, for the browser to send them on either side of the target cookie, producing a header such as `param1="; session=...; param2="`; combining this with legacy-style cookies triggers the quote-aware parsing on affected servers. The server then reads the HttpOnly session cookie as part of param1's value, and any endpoint that reflects param1 into a response hands it to attacker-controlled script. The HttpOnly flag is not bypassed in the browser; the server leaks the value. The defence is a cookie parser that follows RFC 6265 (no quote processing) together with never reflecting raw cookie values. https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique
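
The parsing difference at the heart of the technique, as an added example that is not part of the PortSwigger article: Python's standard-library `http.cookies.SimpleCookie` honours RFC 2109 quoted values, so it serves here as a stand-in for the quote-aware server parsers the article discusses (that choice, the header below and the echoing endpoint are this example's own assumptions). The naive RFC 6265-style parser beside it shows the behaviour that does not leak.

```python
from __future__ import annotations
from http.cookies import SimpleCookie

# Added example (not from the article). Constructed Cookie header as a browser would
# send it once the attacker's param1 and param2 cookies, each a lone double quote,
# bracket the HttpOnly session cookie.
SANDWICH_HEADER = 'param1="; session=s3cr3t-session-id; param2="'


def parse_quote_aware(header: str) -> dict[str, str]:
    """Parse with a parser that honours RFC 2109 quoted values (http.cookies).
    The quote opened by param1 swallows everything up to the quote in param2."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_naive(header: str) -> dict[str, str]:
    """RFC 6265 style: split on ';' and the first '='; quotes are ordinary bytes."""
    out: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip()] = value.strip()
    return out


def reflected_param1(header: str, parser) -> str:
    """What an endpoint that echoes the param1 cookie into its response body
    (a JSON error, a debug page, a personalised banner) would hand to page script."""
    return parser(header).get("param1", "")


if __name__ == "__main__":
    print("quote-aware:", parse_quote_aware(SANDWICH_HEADER))
    print("naive:      ", parse_naive(SANDWICH_HEADER))
    print("leaked via reflection:", reflected_param1(SANDWICH_HEADER, parse_quote_aware))
```

With the quote-aware parser the session cookie never appears under its own name; it is inside `param1`, and a reflection of `param1` is enough to exfiltrate it from a page the attacker already scripts. Getting the browser to emit the cookies in this order is the part the article spends most time on; the parser behaviour above is what makes the order matter.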

How AI Enhances Static Application Security Testing (SAST)

The GitHub Blog article "How AI Enhances Static Application Security Testing (SAST)" explores the integration of artificial intelligence (AI) into SAST tools to improve vulnerability detection in codebases. Traditional SAST tools rely on predefined rules and data-flow models to identify potential vulnerabilities, which can be limited and may miss complex issues. By incorporating AI, these tools can analyze code more comprehensively, identifying a broader range of vulnerabilities, including those that are context-dependent or subtle. This enhancement leads to more accurate and efficient security assessments, enabling developers to address potential threats proactively.  https://github.blog/ai-and-ml/llms/how-ai-enhances-static-application-security-testing-sast

BLAST: AI-Powered SAST Scanner for Enhanced Vulnerability Detection

The whitepaper "BLAST, the AI-powered SAST Scanner" introduces BLAST, a tool that enhances Static Application Security Testing (SAST) by integrating Large Language Models (LLMs) with Abstract Syntax Trees (ASTs) and advanced static analysis techniques. This enables BLAST to achieve a deeper semantic understanding of code, leading to more accurate vulnerability detection and fewer false positives. Traditional SAST tools often struggle with complex codebases and context-sensitive vulnerabilities; BLAST addresses this by reasoning about code the way a human analyst would, identifying both business-logic vulnerabilities and conventional SAST findings.  https://corgea.com/blog/whitepaper-blast-ai-powered-sast-scanner

Helm Secret Scanning: Enhancing Security in Kubernetes Deployments

The article "Helm Secret Scanning" from Cycode discusses the importance of detecting and managing sensitive information, such as API keys and passwords, within Helm charts used in Kubernetes deployments. It emphasizes that hardcoding secrets into Helm charts can lead to security vulnerabilities, as these charts are often stored in version control systems and may be accessible to unauthorized users. To mitigate these risks, the article recommends implementing secret scanning tools that can automatically detect exposed secrets within Helm charts. By integrating such tools into the development workflow, organizations can identify and remediate potential security issues before they are deployed to production environments. Additionally, the article highlights the importance of educating development teams about the risks associated with hardcoding secrets and promoting best practices for secret management. This includes using secure storage solutions and environment variables to ...
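
A minimal version of the check the article recommends, as an added example that is not part of the Cycode article or of any Cycode product: a line-oriented scanner over Helm chart text that flags literal values under secret-like keys while ignoring Helm template expressions, empty values and placeholders. The key patterns, the placeholder list and the two sample chart files are this example's own assumptions.

```python
from __future__ import annotations
import re

# Added example (not from the article). Patterns and samples below are constructed.

SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
# Keys that reference a Secret object rather than carry one: existingSecret, secretName, secretKeyRef
REFERENCE_KEY_RE = re.compile(r"^existing|(name|ref)$", re.I)
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*(.*?)\s*$")
PLACEHOLDERS = {"", "~", "null", "changeme", "change-me", "<set-me>", "placeholder"}


def scan_chart_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, key) for every secret-like key holding a literal."""
    findings: list[tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if not SECRET_KEY_RE.search(key) or REFERENCE_KEY_RE.search(key):
            continue
        if "{{" in value:  # rendered from .Values or a lookup at install time, not a literal
            continue
        literal = value.strip().strip('"\'').lower()
        if literal in PLACEHOLDERS:
            continue
        findings.append((path, lineno, key))
    return findings


def scan_chart(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan a chart given as {relative path: file text}."""
    return [f for path, text in files.items() for f in scan_chart_text(path, text)]


# Constructed sample chart. values.yaml carries a real password literal (line 4);
# the Secret template renders one value from .Values (fine) and hard-codes another
# as base64 (line 8), which is encoding, not protection.
VALUES_YAML = """\
replicaCount: 2
database:
  host: db.internal
  password: "S3cretPa55!"
  existingSecret: ""
api:
  apiKey: changeme
  token: ""
"""

SECRET_TEMPLATE = """\
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "app.fullname" . }}-db
type: Opaque
data:
  password: {{ .Values.database.password | b64enc | quote }}
  apiKey: UzNjcmV0UGE1NSE=
"""

SAMPLE_CHART = {"values.yaml": VALUES_YAML, "templates/secret.yaml": SECRET_TEMPLATE}


if __name__ == "__main__":
    for path, lineno, key in scan_chart(SAMPLE_CHART):
        print(f"{path}:{lineno}: literal secret under key '{key}'")
```

The remediation the article points at is visible in the sample: keep `password: ""` in values.yaml, set `existingSecret` to a Secret created out of band (a secrets manager integration, sealed secrets, or the operator's own kubectl), and let the template read it. Real scanners also decode base64 `data:` blocks, check `env:` lists where the key is `name`/`value`, and run over rendered output from `helm template`, none of which this line scanner does.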

A Realistic Take on AI Agents in Software Development

The article "A Realistic Take on AI Agents in Software Development" examines the evolving role of AI agents in the software development process. It emphasizes that while AI agents can automate certain tasks, they are not a replacement for human developers. Instead, they serve as tools to enhance productivity by handling repetitive tasks, allowing developers to focus on more complex and creative aspects of software development. The article also discusses the importance of integrating AI agents into existing workflows and the need for developers to understand their capabilities and limitations to use them effectively.  https://harrywetherald.substack.com/p/a-realistic-take-on-ai-agents-in

Semgrep Secures $100 Million in Series D Funding to Enhance Code and Supply Chain Security

Semgrep has secured $100 million in a Series D funding round led by Menlo Ventures, with participation from existing investors. The investment will help advance Semgrep's mission to make exploiting software vulnerabilities costly and challenging. The company plans to enhance its code and supply chain security offerings, focusing on detecting and remediating security issues. Semgrep’s platform provides tools for static application security testing (SAST), software composition analysis (SCA), and identifying hardcoded secrets. This funding reflects the growing importance of security in software development.  https://semgrep.dev/blog/2025/series-d-announcement

Attacks on Maven Proxy Repositories: Security Vulnerabilities and Risks

The GitHub Blog post "Attacks on Maven Proxy Repositories" discusses vulnerabilities in Maven repository managers, specifically Sonatype Nexus and JFrog Artifactory. It explains how specially crafted artifacts can exploit these systems, leading to pre-authentication remote code execution and the poisoning of local artifacts. The post provides proof-of-concept exploits that demonstrate these security risks.  https://github.blog/security/vulnerability-research/attacks-on-maven-proxy-repositories

Raink: Enhancing LLMs for Document Ranking Tasks

Bishop Fox's blog post introduces "raink," an open-source ranking algorithm designed to enhance Large Language Models (LLMs) in document ranking tasks. LLMs often face challenges in accurately ranking documents due to issues like missing outputs, rejection of tasks, repetition, and inconsistency. To address these, raink employs a pairwise approach, simplifying the ranking process and improving consistency. This method reduces task complexity for LLMs and resolves calibration issues, though it may be more computationally intensive than other approaches. Raink is available as a command-line tool for various applications.  https://bishopfox.com/blog/raink-llms-document-ranking

The State of the Cybersecurity Market in 2024

 In 2024, the cybersecurity market experienced significant growth, marked by substantial funding, mergers and acquisitions (M&A), and the integration of artificial intelligence (AI). The industry saw 621 funding rounds totaling $14 billion across 112 unique product categories. M&A activity included 271 transactions valued at $45.7 billion. AI-focused cybersecurity funding grew by 96% year-over-year. Product-based companies dominated funding, securing $12.3 billion, while services showed a shift toward hybrid models. Geographically, the U.S. led with $10.9 billion in funding, while Europe, Israel, and the UK also demonstrated resilience. https://www.returnonsecurity.com/p/the-state-of-the-cybersecurity-market-in-2024

Improving Kubernetes Security: Insights from an Istio Configuration Issue

In the blog post "Improving Kubernetes Security: Lessons from an Istio Configuration Finding," CrowdStrike discusses a security issue identified in Istio, a popular Kubernetes add-on. The issue involved the ProxyImage annotation feature, which, if misconfigured, could lead to security vulnerabilities. The article details the research process, findings, potential ramifications, and the steps taken to disclose and remediate the issue. This case underscores the importance of proper configuration and continuous monitoring of Kubernetes add-ons to maintain a secure environment. https://www.crowdstrike.com/en-us/blog/istio-configuration-finding-improve-kubernetes-security/

Secure by Design: Google's Blueprint for a High-Assurance Web Framework

 In the blog post "Secure by Design: Google's Blueprint for a High-Assurance Web Framework," Google discusses its approach to creating a web framework that prioritizes security from the outset. The framework is designed to automatically enable features that enhance security, scalability, and adaptability, all while maintaining a positive developer experience and preventing regressions. This proactive strategy aims to significantly reduce exploitable web vulnerabilities by integrating robust security measures directly into the development process.  https://bughunters.google.com/blog/6644316274294784/secure-by-design-google-s-blueprint-for-a-high-assurance-web-framework

A Tumultuous Week for Federal Cybersecurity Efforts

In January 2025, President Trump issued several executive orders that significantly altered federal cybersecurity initiatives. He dismissed all 15 members of the Cyber Safety Review Board (CSRB), a nonpartisan entity established in 2022 to investigate major cybersecurity incidents. This action occurred while the CSRB was examining cyber intrusions by Chinese state-sponsored hackers targeting U.S. telecommunications providers. Additionally, Trump voided a Biden administration executive order aimed at mitigating risks associated with artificial intelligence, asserting that the previous approach hindered development. He also called for the creation of a strategic cryptocurrency reserve, signaling a shift in the administration's focus on digital currencies. These decisions have led to significant changes in the federal cybersecurity landscape, raising concerns about the continuity and effectiveness of ongoing initiatives.  https://krebsonsecurity.com/2025/01/a-tumultuous-week-for-feder...

Securing the SDLC in No-Code Environments

 The article "Securing the SDLC for No-Code Environments" emphasizes the importance of integrating security measures throughout the Software Development Life Cycle (SDLC) in no-code platforms. It highlights that while no-code tools enable rapid application development, they can inadvertently introduce security vulnerabilities if not properly managed. The piece advocates for embedding security practices into the development process, ensuring that applications built on no-code platforms are secure and compliant.  https://www.forbes.com/councils/forbestechcouncil/2025/02/10/securing-the-sdlc-for-no-code-environments/

Sunshine: Visualizing Software Bill of Materials (SBOM) with CycloneDX

Sunshine is an open-source tool developed by the CycloneDX project to visualize Software Bill of Materials (SBOM) in the CycloneDX JSON format. It generates an HTML report that includes charts and tables representing components, dependencies, vulnerabilities, and licenses within a software project. To use Sunshine, you provide a CycloneDX JSON file as input, and it outputs an HTML document offering a comprehensive overview of the project's software components and their associated metadata. Sunshine is useful for organizations looking to enhance transparency and manage software supply chain risks.  https://github.com/CycloneDX/Sunshine

Spikee: A Tool for Assessing Prompt Injection Vulnerabilities in LLM Applications

 Spikee is an open-source tool developed by WithSecure™ Labs to assess prompt injection vulnerabilities in Large Language Model (LLM) applications. Prompt injection involves manipulating the interaction between LLMs and applications to execute unauthorized actions, such as data exfiltration or malicious payload execution. Spikee enables security professionals to create custom datasets targeting specific attack scenarios, facilitating the identification of potential vulnerabilities in LLM features. The tool supports automated testing through integration with Burp Suite Intruder and offers a custom target feature for tailored assessments. By utilizing Spikee, organizations can proactively evaluate and enhance the security of their LLM applications, mitigating risks associated with prompt injection attacks. https://labs.withsecure.com/tools/spikee

Applying Generative AI for Scalable CVE Analysis in Enterprises

The article "Applying Generative AI for CVE Analysis at an Enterprise Scale" discusses the challenges enterprises face in managing Common Vulnerabilities and Exposures (CVEs) due to the increasing complexity of modern software dependencies. It highlights that traditional methods of scanning and patching are becoming unmanageable as the number of reported security flaws continues to rise. To address this, the article introduces "Agent Morpheus," a generative AI application designed to enhance CVE analysis. This AI agent automates the process of determining whether a vulnerability exists, generates a checklist for thorough investigation, and assesses the exploitability of the CVE. By leveraging generative AI, organizations can improve their vulnerability defense mechanisms while reducing the workload on security teams.  https://developer.nvidia.com/blog/applying-generative-ai-for-cve-analysis-at-an-enterprise-scale/

Implementing OWASP ASVS to Enhance Application Security

 The article "Implementing OWASP ASVS" discusses the importance of the OWASP Application Security Verification Standard (ASVS) in enhancing application security. It emphasizes that integrating ASVS into the software development lifecycle provides a structured framework for assessing and improving security measures. The piece outlines how ASVS offers a comprehensive set of security requirements across various levels, enabling organizations to tailor their security practices to specific needs and risk profiles. By adopting ASVS, development teams can systematically identify vulnerabilities, implement appropriate controls, and ensure that security considerations are consistently addressed throughout the development process. https://softwaremill.com/implementing-owasp-asvs/

Django Security Best Practices for Software Engineers

The article "Django Security Best Practices: A Comprehensive Guide for Software Engineers" discusses essential security practices for protecting Django applications against threats like XSS, SQL Injection, CSRF, and session hijacking. It stresses the importance of keeping Django updated to patch vulnerabilities, enabling HTTPS to encrypt data transmission, and using a strong, unique SECRET_KEY for cryptographic signing. It also recommends hardening database security by restricting privileges, using Django's ORM to avoid SQL injection, and enabling security middleware like SecurityMiddleware and Content Security Policy (CSP). Other suggestions include protecting against XSS through Django's template system, preventing CSRF attacks, securing user authentication with strong passwords and 2FA, auditing dependencies for vulnerabilities, and monitoring and logging security events to respond to threats in real-time. Following these best practices can significantly improve ...
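
An audit of the settings the article calls out, as an added example that is not part of the article or of Django: a function that checks a settings mapping for DEBUG, SECRET_KEY strength, ALLOWED_HOSTS, the security and CSRF middleware, the HTTPS cookie flags and HSTS, run over a constructed insecure configuration and a hardened one. Django ships the real version of this as `python manage.py check --deploy`; the SECRET_KEY thresholds below copy its security.W009 check. The two settings dicts and the hardened key value are this example's own constructed samples.

```python
from __future__ import annotations

# Added example (not from the article or Django). Settings dicts below are constructed.

REQUIRED_MIDDLEWARE = {
    "django.middleware.security.SecurityMiddleware",          # HSTS, nosniff, SSL redirect
    "django.middleware.csrf.CsrfViewMiddleware",              # CSRF tokens on unsafe methods
    "django.middleware.clickjacking.XFrameOptionsMiddleware", # X-Frame-Options
}
HTTPS_FLAGS = ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def weak_secret_key(key: object) -> bool:
    """Same thresholds as Django's security.W009: under 50 chars, under 5 distinct
    chars, or the 'django-insecure-' prefix that startproject generates."""
    return (not isinstance(key, str) or len(key) < 50 or len(set(key)) < 5
            or key.startswith("django-insecure-"))


def audit(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True: tracebacks and settings leak to users")
    if weak_secret_key(settings.get("SECRET_KEY", "")):
        findings.append("SECRET_KEY is short, low-entropy or a generated default")
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or '*': Host header attacks possible")
    for mw in sorted(REQUIRED_MIDDLEWARE - set(settings.get("MIDDLEWARE", []))):
        findings.append(f"missing middleware {mw}")
    for flag in HTTPS_FLAGS:
        if not settings.get(flag, False):
            findings.append(f"{flag} is not True")
    if not settings.get("SECURE_HSTS_SECONDS", 0):
        findings.append("SECURE_HSTS_SECONDS is 0: HSTS disabled")
    return findings


# Constructed: roughly what `startproject` gives you before any hardening.
INSECURE = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-x1y2z3",
    "ALLOWED_HOSTS": ["*"],
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
}

# Constructed hardened counterpart. The key is a placeholder with enough length and
# variety to pass; generate a real one with django.core.management.utils.get_random_secret_key().
HARDENED = {
    "DEBUG": False,
    "SECRET_KEY": "x3$Kq9!vTb2@Lm7#Zr4^Pw8&Yh1*Nc5(Gd6)Fs0_Ej" * 2,
    "ALLOWED_HOSTS": ["app.example.com"],
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        "django.contrib.messages.middleware.MessageMiddleware",
        "django.middleware.clickjacking.XFrameOptionsMiddleware",
    ],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
}


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or "no findings")
```

Run `check --deploy` against the real settings module in CI rather than maintaining a copy of these rules; the value of writing them out is seeing which single setting each of the article's recommendations maps to, and that SECRET_KEY strength is the one check that cannot be fixed by flipping a boolean.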

OWASP ZAP 2.16.0 Introduces Key Updates and Enhancements

In January 2025, OWASP ZAP released version 2.16.0 with several key updates. The headline change is the new browser-based Client Spider, which crawls modern web applications built on JavaScript frameworks by capturing events, DOM changes, and user interactions rather than only following links. The release also introduces detachable tabs for a more flexible workspace and raises the minimum Java version to 17. The project welcomed new contributors and updated its roadmap for ongoing development. https://www.zaproxy.org/blog/2025-02-04-zap-updates-january-2025/

The Diminishing Returns of Application Security Investments

In Edition 18 of the Boring AppSec newsletter, the author discusses the concept of diminishing returns in application security. The piece emphasizes that while initial security measures can significantly reduce risk, the effectiveness of additional efforts may decrease over time. The author advocates for a balanced approach, suggesting that organizations should prioritize fundamental security practices before investing in advanced measures. The article also highlights the importance of continuous assessment and adaptation to ensure that security investments align with evolving threats and provide meaningful risk reduction.  https://boringappsec.substack.com/p/edition-18-the-diminishing-returns

Linux Foundation and OpenSSF Support Open Source Compliance with EU Cyber Resilience Act

The Linux Foundation Europe and the Open Source Security Foundation (OpenSSF) have launched an initiative to help the open source ecosystem implement the European Union's Cyber Resilience Act (CRA). The collaboration will develop and formalize security and compliance guidelines together with open source project maintainers, software providers, foundations, and other initiatives. The CRA, which entered into force in December 2024, aims to raise the cybersecurity of products with digital elements (hardware and software that can connect to a network) placed on the EU market by requiring them to meet specific security requirements; most of its obligations apply from December 2027, with the vulnerability and incident reporting obligations starting earlier, in September 2026. https://www.heise.de/en/news/Linux-Foundation-and-OpenSFF-help-to-implement-the-requirements-of-the-CRA-10275663.html

Tenable to Acquire Vulcan Cyber for $150M to Boost Cybersecurity Platform

Tenable Holdings, Inc. will acquire Vulcan Cyber Ltd. for approximately $150 million, comprising $147 million in cash and $3 million in restricted stock units. The deal is expected to close in Q1 2025. Vulcan Cyber, founded in 2018, specializes in vulnerability remediation and exposure management and has raised $55 million from investors. The acquisition aims to enhance Tenable's Exposure Management platform with Vulcan Cyber's AI-powered risk prioritization and automated remediation features, helping organizations streamline security operations and address vulnerabilities effectively. https://www.investing.com/news/company-news/tenable-to-acquire-vulcan-cyber-for-150-million-93CH-3837141