Appsec adventures

Endor Labs emphasizes the importance of integrating the Exploit Prediction Scoring System (EPSS) with reachability analysis to enhance vulnerability management. EPSS provides insights into the likelihood of a Common Vulnerability and Exposure (CVE) being exploited, aiding in prioritizing remediation efforts. However, EPSS does not account for environment-specific contexts, which is where reachability analysis becomes valuable. Reachability analysis assesses how vulnerabilities propagate within an application's architecture, considering factors like function calls and data flows. By combining EPSS with reachability analysis, organizations can identify vulnerabilities that are both likely to be exploited and accessible within their specific environments, leading to more targeted and effective vulnerability management strategies.   https://www.endorlabs.com/learn/epss-exploit-prediction-reachability-analysis

Critical vulnerabilities, collectively termed "IngressNightmare," have been identified in the Ingress NGINX Controller of Kubernetes environments, potentially impacting over 40% of internet-facing clusters. These flaws allow remote, unauthenticated attackers to execute arbitrary commands, potentially taking full control of affected Kubernetes clusters.  The vulnerabilities include CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098, which enable attackers to inject custom NGINX configuration directives, such as routing rules and security settings. To achieve remote code execution, these flaws can be combined with CVE-2025-1974. This combination of vulnerabilities has been assigned a CVSS severity score of 9.8, highlighting its critical nature.  Organizations utilizing Kubernetes with Ingress NGINX Controller are strongly advised to apply the patches released by Kubernetes maintainers promptly to mitigate these risks and protect their environments from potential exploitation....

Effective March 31, 2025, the Payment Card Industry Data Security Standard (PCI DSS) version 4.0 will require the use of Web Application Firewalls (WAFs) for all organizations handling credit card transactions. This update makes WAFs mandatory to enhance protection against web-based attacks targeting payment applications. WAFs help filter and monitor HTTP/HTTPS traffic, preventing attacks such as SQL injection and cross-site scripting. By implementing WAFs, organizations can proactively detect and block malicious traffic, ensuring the integrity of payment systems. The transition to PCI DSS 4.0 reflects the evolving cybersecurity threat landscape, and organizations are urged to update their security infrastructure to meet the new requirements and avoid penalties.  https://www.cyberdaily.au/security/11884-op-ed-the-new-pci-dss-standard-lands-on-march-31-wafs-are-now-non-optional

Chief Information Security Officers (CISOs) are increasingly advised to prioritize cryptographic agility and implement a Cryptography Bill of Materials (CBOM) to enhance their organization's security posture. Cryptographic agility refers to the ability to quickly adapt and switch encryption methods in response to emerging threats or vulnerabilities, ensuring systems remain secure without significant disruptions. This adaptability allows organizations to address risks associated with advancements like quantum computing, which threatens current encryption standards. A CBOM serves as an inventory of all cryptographic assets, helping manage and assess components to identify and mitigate vulnerabilities. By adopting both cryptographic agility and a CBOM, CISOs can ensure their encryption strategies remain robust and adaptable to evolving threats.  https://www.fastcompany.com/91302853/complete-cryptographic-control-why-cisos-should-prioritize-crypto-agility-and-a-cbom

The National Institute of Standards and Technology (NIST) is facing challenges in managing the growing backlog of Common Vulnerabilities and Exposures (CVEs) in its National Vulnerability Database (NVD). In 2024, CVE submissions increased by 32%, leading to delays despite NIST's efforts to maintain processing speeds. To address this, NIST is enhancing internal processes and exploring machine learning technologies to automate parts of the CVE processing workflow, aiming to reduce the backlog and improve efficiency.   https://gbhackers.com/nist-facing-challenges-in-managing-cve-backlog/#google_vignette

Application Security Posture Management (ASPM) provides organizations with enhanced control over complex application architectures by consolidating security insights from various tools into a unified platform. This centralization enables security teams to manage risks across the entire application portfolio more effectively. Key features of ASPM include centralized risk data aggregation, intelligent risk prioritization based on exploitability and business impact, automated vulnerability investigation to streamline remediation efforts, and simplified compliance reporting to meet evolving regulatory requirements.   https://www.cybersecuritydive.com/spons/how-aspm-gives-you-control-over-complex-architectures/743234/

Chris Hughes' article, "Vulnerability Exploitation in the Wild," examines the findings of the inaugural study on the Exploit Prediction Scoring System (EPSS) conducted by Cyentia and FIRST. The study highlights a significant increase in vulnerability disclosures, with annual totals surpassing 30,000 for the first time in 2024, reflecting a 16% year-over-year growth. Despite this surge, only a small fraction of vulnerabilities are actively exploited; EPSS estimates that merely 5-6% of reported vulnerabilities are known to be exploited in the wild. This disparity suggests that organizations may be allocating resources to address vulnerabilities with low exploitation probabilities, potentially overlooking more pressing threats. Hughes advocates for adopting EPSS as a more effective approach to vulnerability management, enabling organizations to prioritize remediation efforts based on the likelihood of exploitation.   https://www.resilientcyber.io/p/vulnerability-exploitation...

Maya Kaczorowski's blog post, "The Road to Zero Trust is Paved with Good Intentions," explores the challenges organizations face in implementing Zero Trust Architecture (ZTA). Zero Trust shifts security from perimeter-based models to continuous verification of users and devices, assessing access based on user identity and device security status rather than network location. Kaczorowski introduces a maturity model for Zero Trust adoption, starting with establishing visibility of users and devices, followed by implementing per-service authorization, enforcing strict access controls without relying on network location, and addressing residual trust issues. The post emphasizes that achieving a fully Zero Trust environment is aspirational, with many organizations still progressing through these maturity levels. Kaczorowski also highlights that device security is a critical component often overlooked in Zero Trust implementations and advocates for a comprehensive approach that ...

Namanyay Goel's blog post, "New Junior Developers Can't Actually Code," discusses concerns about the impact of AI tools like Copilot, Claude, and GPT on the foundational skills of emerging software developers. While these AI assistants enable faster coding, Goel observes that many junior developers struggle to understand the rationale behind their code, especially when faced with edge cases. He suggests that relying solely on AI-generated solutions may lead to a superficial grasp of programming concepts. To counteract this, Goel recommends adopting a learning-focused approach when using AI, engaging in community discussions on platforms like Reddit and Discord, enhancing code reviews by exploring various problem-solving strategies, and occasionally building components from scratch to deepen understanding.  https://nmn.gl/blog/ai-and-learning

Databricks has introduced VulnWatch, an AI-driven system designed to enhance the prioritization of vulnerabilities within their infrastructure. By automating the detection and ranking of potential threats, VulnWatch reduces the need for manual intervention, allowing security teams to focus on addressing the most critical risks. This approach streamlines threat management and improves overall security posture.   https://www.databricks.com/blog/vulnwatch-ai-enhanced-prioritization-vulnerabilities

Alphabet Inc., Google's parent company, is acquiring Israeli cybersecurity startup Wiz for approximately $32 billion, making it the largest purchase in Alphabet’s history. The deal aims to strengthen Google’s cloud security and enhance its competition with Amazon and Microsoft. Wiz, founded in 2020, specializes in AI-driven cloud security and serves major clients like Morgan Stanley and DocuSign. Alphabet had previously offered $23 billion in 2024, but the deal was delayed due to antitrust concerns. Alphabet expects regulatory approval despite scrutiny over Big Tech mergers. Following the announcement, Alphabet’s shares dropped nearly 3%.  https://www.reuters.com/technology/cybersecurity/google-agrees-buy-cybersecurity-startup-wiz-32-bln-ft-reports-2025-03-18/

 The UK's NCSC advises organizations to transition to post-quantum cryptography (PQC) by 2035. By 2028, they should assess cryptographic needs and plan upgrades. Between 2028 and 2031, priority systems should be updated, with full migration completed by 2035. Early planning and supply chain coordination are essential to ensure security against quantum threats. https://www.ncsc.gov.uk/guidance/pqc-migration-timelines

The article "How to Manage Three Top Kubernetes Security Vulnerabilities" highlights key risks and mitigation strategies for securing Kubernetes environments. First, using insecure container images can introduce vulnerabilities. To prevent this, organizations should scan images for threats and enforce policies that allow only trusted images. Second, misconfigured Kubernetes settings can expose clusters to attacks. Implementing Role-Based Access Control (RBAC) and conducting regular configuration audits help reduce these risks. Finally, an exposed Kubernetes Dashboard can lead to unauthorized access. Securing it with authentication controls or disabling it if unnecessary can enhance security. Adopting these strategies strengthens Kubernetes security.  https://www.cncf.io/blog/2025/02/18/how-to-manage-three-top-kubernetes-security-vulnerabilities/

Path traversal is a security vulnerability that allows attackers to access unauthorized files and directories by manipulating file paths. In Java applications, this issue arises when user input is used to construct file paths without proper validation, potentially exposing sensitive files such as system configurations and application secrets. To mitigate path traversal risks, developers should normalize file paths using getCanonicalPath() and ensure they reside within an intended directory. Validating user input by rejecting suspicious patterns like ../ and enforcing strict filename constraints can further reduce risks. Additionally, using secure APIs that abstract file operations helps prevent unintended access. Implementing these best practices ensures Java applications remain protected against path traversal attacks.  https://systemweakness.com/path-traversal-and-remediation-in-java-28a1edb45853

The article "Verifying the mix: How to handle software-supply-chain security" by Paul Wagenseil, published on March 8, 2025, discusses the critical importance of securing software supply chains amid rising supply-chain attacks and evolving global regulations. A key focus is on the necessity of signing code with secure digital certificates, especially for Internet of Things (IoT) and operational technology (OT) devices. Despite its significance, many companies still overlook this practice. Eric Mizell, Field CTO at Keyfactor, highlighted that numerous organizations fail to sign their code, underscoring a widespread gap in security measures. The article also emphasizes the role of Software Bills of Materials (SBOMs) in enhancing transparency within the software supply chain. SBOMs function like ingredient lists, detailing all components in a software product, thereby aiding in the identification and mitigation of vulnerabilities. This approach aligns with recommendations from...

Legit Security has upgraded its application security posture management (ASPM) platform with a risk-based vulnerability assessment feature. This new feature helps DevSecOps teams prioritize vulnerabilities based on their actual risk, rather than just severity scores. By using AI and machine learning, the platform analyzes security risks in code repositories, APIs, and documentation, providing critical context for effective remediation. It also generates a continuous software bill of materials to support ongoing security management. https://www.scworld.com/brief/legit-security-enhances-aspm-with-risk-based-vulnerability-assessment

ArmorCode has launched two new apps in the ServiceNow Store, enhancing vulnerability management by integrating AI-powered data correlation and remediation. The integration aggregates vulnerability data from over 260 tools into a single actionable item in ServiceNow's Vulnerability Response modules. This improves prioritization, automates deduplication, and accelerates remediation. ArmorCode's AI-driven insights help security teams reduce manual effort and focus on the most critical issues. https://www.businesswire.com/news/home/20250303468135/en/ArmorCode-Announces-ServiceNow-Vulnerability-Response-Integration-and-Apps-Now-Available-in-Store

Microsoft Defender for Cloud has introduced new security features for containers across the software development lifecycle (SDLC). These include a CLI tool for image scanning during the build and development phases, third-party registry vulnerability assessments (like Docker Hub and Jfrog Artifactory), and an AKS security dashboard for Kubernetes clusters. These advancements help developers detect vulnerabilities early, ensure compliance, and integrate security within DevSecOps processes. https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/secure-containers-software-supply-chain-across-the-sdlc/4384925

GitLab has addressed five security vulnerabilities in its Community and Enterprise Editions, with patches released for versions 17.7.6, 17.8.4, and 17.9.1. Two high-severity issues allow attackers to execute malicious code through XSS attacks, while other vulnerabilities could expose unauthorized data. The vulnerabilities were reported via GitLab's bug bounty program. Admins are advised to update their instances promptly. GitLab.com has already been patched, so GitLab Dedicated customers do not need to take further action. https://www.heise.de/en/news/Security-vulnerabilities-in-Gitlab-reported-via-bug-bounty-program-closed-10300345.html

Cryptosoft Inc., a provider of software supply chain managed services for dependency management and vulnerability tracking, has announced securing an investment to expand its services. This funding aims to enhance Cryptosoft's capabilities in managing software dependencies and tracking vulnerabilities, addressing critical challenges in software supply chain security. The investment underscores the growing importance of securing software supply chains and the role of managed services in mitigating associated risks. https://www.prweb.com/releases/cryptosoft-inc-secures-investment-to-expand-software-supply-chain-security-service-302387471.html

The RSA Conference (RSAC) 2025 is scheduled for April 28 to May 1, 2025, at the Moscone Center in San Francisco. The event will focus on key topics such as analytics and intelligence, cloud security, fraud prevention, and incident management. Vasu Jakkal, Microsoft's Corporate Vice President of Security, will deliver a keynote on "Security in the Age of Agentic AI." Other Microsoft executives, including Aanchal Gupta, Angelica Faber, Ann Johnson, Kelly Bissel, and Sherrod DeGrippo, will also participate. Additionally, partners like Akamai, EY, Huntress, MongoDB, and Schneider Electric will be present. Attendees can engage in networking sessions, interactive activities like an exhibition 'bar crawl', learning labs, and hands-on experiences in the sandbox area, featuring activities such as capture the flag and an escape room.   https://www.technologyrecord.com/article/rsac-2025-shaping-the-future-of-security

Google has called for industry-wide memory safety standards to enhance software security. The company emphasizes the importance of adopting secure coding practices and standards to prevent vulnerabilities that could be exploited by attackers. By collaborating on unified guidelines, the tech industry aims to improve the overall security posture of software applications. https://www.techspot.com/news/107006-google-calls-industry-wide-memory-safety-standards-enhance.html

 

The article discloses a command injection vulnerability in the git-checkout-tool npm package, which allows attackers to execute arbitrary commands by manipulating branch names. The vulnerability arises from unsanitized user input passed to the exec() function in Node.js. A proof-of-concept exploit is demonstrated, affecting all versions up to 1.0.6. The post emphasizes the risks of insecure CLI tools and the importance of secure-by-design software. https://www.nodejs-security.com/blog/disclosing-a-command-injection-vulnerability-in-git-checkout-tool/

The article "A Deep Dive into JS Trusted Types Violations" explores the technical process of identifying and addressing Trusted Types (TT) violations during the implementation in Gmail and AppSheet. Trusted Types is a web security mechanism designed to prevent cross-site scripting (XSS) attacks by enforcing safe handling of dynamic content in JavaScript. The article details the challenges faced, methodologies employed, and lessons learned in enforcing Trusted Types within these complex applications, providing insights into enhancing web application security.   https://bughunters.google.com/blog/5850786553528320/a-deep-dive-into-js-trusted-types-violations

The article advocates for standardizing memory safety principles to address long-standing security vulnerabilities in software. It argues that despite advancements in memory-safe technologies, the lack of a shared framework hinders adoption. The authors call for clear terminology and industry-wide standards to promote secure software development and reduce market failures. They emphasize the need for government and industry collaboration to implement effective policies and best practices. https://cacm.acm.org/opinion/it-is-time-to-standardize-principles-and-practices-for-software-memory-safety/

The NCSC report presents a method for distinguishing between forgivable and unforgivable vulnerabilities in software systems. It provides a structured approach to assessing vulnerabilities based on factors like intent, impact, and mitigation feasibility. This framework helps organizations prioritize security flaws, focusing on critical weaknesses that pose significant risks. The methodology supports informed decision-making for software developers, security teams, and policymakers. https://www.ncsc.gov.uk/report/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities

Google Cloud has introduced quantum-safe digital signatures in Cloud Key Management Service (KMS) to protect against future quantum computing threats. The feature, currently in preview, aligns with NIST's post-quantum cryptography standards and supports secure key management, encryption, and digital signatures. Google is also working with Hardware Security Module vendors to expand support. The goal is to mitigate the "Harvest Now, Decrypt Later" risk, where attackers store encrypted data now to decrypt it later with advanced quantum computing. https://thehackernews.com/2025/02/google-cloud-kms-adds-quantum-safe.html

The project "cvss-bt" enriches the National Vulnerability Database's (NVD) CVSS (Common Vulnerability Scoring System) scores by including temporal and threat metrics. It focuses on improving vulnerability prioritization by considering Exploit Code Maturity/Exploitability, a temporal metric that indicates the level of exploit development for vulnerabilities. This enhancement helps in better assessing the urgency and severity of vulnerabilities based on real-world exploit activity. https://github.com/t0sche/cvss-bt

The OWASP Threat and Safeguard Matrix (TaSM) is a framework designed to help organizations align their cybersecurity strategies with business goals. It overlays major threats with the NIST Cybersecurity Framework's five core functions—Identify, Protect, Detect, Respond, and Recover. The matrix assists in identifying and implementing appropriate safeguards tailored to specific threats, thereby enhancing an organization's overall security posture.  https://owasp.org/www-project-threat-and-safeguard-matrix

The article covers common vulnerabilities in OAuth2, emphasizing how misconfigurations and insufficient understanding of the protocol's complexities can lead to security flaws. It highlights different OAuth flows, including Implicit, Authorization Code, and Client Credentials Flows, along with attacks like token interception. The piece provides recommendations for secure implementations, including OAuth 2.1's updated practices and a comprehensive checklist for developers and testers. https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

The article "Hardcoded Secrets, Unverified Tokens, and Other Common JWT Mistakes" from Semgrep highlights common security issues with JSON Web Tokens (JWTs). Key mistakes include hardcoding secret keys in code, using the insecure 'none' algorithm, and decoding tokens without verifying their authenticity. To avoid these pitfalls, developers should securely manage secrets, use secure algorithms like 'HS256,' and always verify tokens before processing them. These practices help enhance security and prevent JWT-related vulnerabilities.  https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes

The AWS Config Rules repository by AWS Labs provides a collection of sample custom rules for AWS Config, written in Node.js, Python, and Java. These rules help users evaluate the compliance of AWS resources by defining desired configurations and monitoring deviations. The repository includes guidance for developing custom rules and related tools like the AWS Config Rules Development Kit (RDK) and Config Rules Engine to support large-scale rule management.  https://github.com/awslabs/aws-config-rules

Google secures its cloud environment using a "defense in depth" strategy, ensuring multiple layers of security to prevent single points of failure. Strict access controls limit personnel access to production services, only allowing entry for legitimate business purposes. The company also emphasizes software supply chain security and enforces strong authentication and authorization for inter-service communications. By integrating service identity, integrity, and isolation mechanisms, Google maintains a secure infrastructure for both internal operations and cloud users.  https://cloud.google.com/transform/how-google-does-it-secure-our-own-cloud

In the article "Never Just One Termite: Six Months of Researching OAuth Application Attacks," published on February 11, 2025, Matt Kiely of Huntress details an extensive investigation into malicious OAuth applications targeting Microsoft 365 (M365) environments. Over a six-month period, Huntress discovered that a significant number of M365 tenants had unauthorized or malicious OAuth applications integrated into their systems. These applications, once granted permissions, could access and manipulate user data without detection, posing substantial security risks. The research emphasizes the importance for administrators of M365 tenants to conduct immediate audits of their OAuth applications. Given the prevalence of these malicious integrations, proactive measures are essential to identify and remove unauthorized applications, thereby safeguarding organizational data and maintaining overall security.  https://www.huntress.com/blog/never-just-one-termite-6-months-of-researching...

In the article "Death Knell of the NVD?" published on March 11, 2024, Chris Hughes examines recent concerns surrounding the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD). The NVD serves as a critical repository for standardized vulnerability management data, widely utilized across the cybersecurity industry. Around February 15, 2024, the NVD announced a transition to a consortium-based approach for vulnerability analysis. This shift raised industry concerns regarding potential delays and the transparency of the analysis process. Data from researchers like Jay Jacobs and Jerry Gamblin indicated a significant increase in vulnerabilities awaiting analysis post-announcement, suggesting a slowdown in the NVD's processing capabilities. The article underscores the NVD's foundational role in the software and vulnerability management ecosystem. Any disruptions or delays in its operations could have widespread implications f...