Web application security

News 29 May 2024
Proofpoint exposes AFF scammers’ piano gambit

Ransomware and nation state actors dominate the headlines, but fraud and scams still net career cyber criminals thousands from unsuspecting members of the public. Proofpoint reports on a campaign targeting victims of a musical inclination Continue Reading
Opinion 29 May 2024
How to avoid joining the Dead Java Code Society

Unused or dead Java code is bogging down software engineers and developers, causing weird dependencies and security risks. Eric Costlow of Azul shares some advice on how to avoid becoming a member of a rather unpleasant club Continue Reading

News 22 May 2024

ORBs: Hacking groups’ new favourite way of keeping their attacks hidden

Beware the ORB: why attacks on your network could come from a home router down the street Continue Reading
News 15 May 2024

Critical SharePoint, Qakbot-linked flaws focus of May Patch Tuesday

A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention Continue Reading
News 06 May 2024

Microsoft beefs up cyber initiative after hard-hitting US report

Microsoft is expanding its recently launched Secure Future Initiative in the wake of a hard-hitting US government report on recent nation state intrusions into its systems Continue Reading
News 03 May 2024

Adobe expands bug bounty programme to account for GenAI

Adobe has expanded the scope of its HackerOne-driven bug bounty scheme to incorporate flaws and risks arising from the development of generative artificial intelligence Continue Reading
News 02 May 2024

How Okta is fending off identity-based attacks

Okta has been bolstering the security of its own infrastructure and building new tools to scan customer environments for vulnerable identities, among other efforts to fend off identity-based attacks Continue Reading
News 01 May 2024

Australia’s Qantas apologises for mobile app data breach

Australian flag carrier Qantas has apologised after a glitch in its mobile application temporarily enabled some customers to view the flights and booking details of other frequent fliers on two separate occasions Continue Reading
News 01 May 2024

Secure coding benchmark to increase standards among developers

Developer security advocate Secure Code Warrior has launched what it claims is the industry’s first benchmark designed to quantify the security competence of its customers’ software developer teams Continue Reading
News 30 Apr 2024

Bad bot traffic in Australia grew 23% in 2023

Traffic from bad bots that perform malicious tasks accounted for 30.2% of Australia’s internet traffic in 2023 Continue Reading
News 25 Apr 2024

Zero trust is a strategy, not a technology

Zero-trust security should be seen as a strategy to protect high-value assets and is not tied to a specific technology or product, says the model’s creator John Kindervag Continue Reading
News 24 Apr 2024

Mandatory MFA pays off for GitHub and OSS community

Mandating multifactor authentication for select developers has been a huge success for GitHub, the platform reports, and now it wants to go further Continue Reading
News 24 Apr 2024

Cyber training leader KnowBe4 to buy email security firm Egress

Security awareness training and phishing simulation specialist KnowBe4 is to buy email security expert Egress Continue Reading
News 24 Apr 2024

TikTok ban sails through US Senate

A law that will ban TikTok in the US unless its owner sells up pronto passed the US Senate by a landslide majority after being included in a package of military aid Continue Reading
News 16 Apr 2024

CW Innovation Awards: Balancing security and user experience

The National University of Singapore’s Safe initiative has strengthened the security of IT systems and end-user devices while prioritising user experience through passwordless access Continue Reading
News 15 Apr 2024

More social engineering attacks on open source projects observed

In the wake of the recent XZ Utils scare, maintainers of another open source project have come forward to say they may have experienced similar social engineering attacks Continue Reading
News 12 Apr 2024

Apple iPhone security alert renews spyware concerns

An Apple security alert received by users in 92 countries raises fresh fears over ongoing campaigns by users of mercenary spyware products Continue Reading
News 10 Apr 2024

Cyber crooks poison GitHub search to fool developers

Researchers share data on new technique whereby malicious actors are manipulating GitHub’s search function and using cleverly crafted repositories to distribute malware Continue Reading
News 10 Apr 2024

Salesforce helps customers establish bug bounty programmes

Salesforce has added new learning content to its Trailhead platform designed to help customers develop their own bug bounty programmes Continue Reading
News 08 Apr 2024

What Cisco’s Splunk acquisition means for APAC customers

APAC organisations can expect better visibility and insights into their networks and applications along with automation and response capabilities to improve their digital resilience Continue Reading
News 01 Apr 2024

Open source alert over intentionally placed backdoor

A backdoor in the open source XZ Utils data compression library could have led to widespread compromise across the Linux ecosystem - and the community is on the trail of a developer who seems to be behind it Continue Reading
News 29 Mar 2024

Organisations getting better at spotting identity fraud

As the barriers to committing identity fraud continue to drop, organisations should consider more sophisticated technical measures to successfully up their game, according to a report Continue Reading
News 28 Mar 2024

UK plc going backwards on cyber maturity, Cisco report claims

Fewer UK organisations believe their cyber security postures have reached a mature level than did so 12 months ago, as they struggle to keep up with new challenges and a fast-evolving threat landscape Continue Reading
News 27 Mar 2024

Cyber spies, not cyber criminals, behind most zero-day exploitation

Analysis from Google has found that zero-day vulnerabilities are much more heavily exploited for espionage purposes than for financially motivated cyber crime Continue Reading
News 21 Mar 2024

US sues Apple, alleging smartphone monopoly

A major legal action against Apple over its dominance of the smartphone market has kicked off in the US, alleging anticompetitive practices on Apple’s part that have damaged the sector and restricted consumer choice Continue Reading
News 19 Mar 2024

Australia’s cyber security spending to grow 11.5% this year

Highly publicised cyber attacks and growing regulatory obligations are keeping security and risk top of mind for Australian organisations this year, says Gartner Continue Reading
News 13 Mar 2024

US authorities move a step closer to banning TikTok

Lawmakers in Washington DC have moved a step closer to enacting a broad national ban on controversial video app TikTok in the US, with global ramifications Continue Reading
News 12 Mar 2024

March Patch Tuesday throws up two critical Hyper-V flaws

Two critical vulnerabilities in Windows Hyper-V stand out on an otherwise unremarkable Patch Tuesday Continue Reading
News 08 Mar 2024

OSS leaders detail commitments to bolster software security

CISA has announced a number of actions to help secure the global open source ecosystem, as leading package repositories including the Python and Rust foundations advance their own initiatives Continue Reading
News 06 Mar 2024

Apple patches zero-days amid ‘foundational’ post-quantum update

Apple’s iOS 17.4 update not only fixes zero-day flaws that are being actively exploited, but includes important new security protocols to safeguard users against future attacks Continue Reading
News 05 Mar 2024

Rapid7 hits out over botched vulnerability disclosure

Software development firm JetBrains and security specialist Rapid7 fall out over the handling of a critical vulnerability disclosure, while customers are left rushing to patch Continue Reading
News 27 Feb 2024

Black Basta and Bl00dy ransomware gangs exploiting ConnectWise vulns

More ransomware gangs have been observed exploiting two dangerous vulnerabilities in ConnectWise ScreenConnect software, prompting new warnings for users to get patching Continue Reading
News 27 Feb 2024

VulnCheck bug listing to help track new threats quicker

Exploit intelligence firm VulnCheck launches a proprietary Known Exploited Vulnerabilities catalogue in hopes of improving end-user access to intel on emerging threats and reaching those that the likes of CISA do not Continue Reading
News 22 Feb 2024

Cyber experts alarmed by ‘trivial’ ConnectWise vulns

The disclosure of two dangerous vulnerabilities in the popular ConnectWise ScreenConnect product is drawing comparisons with major cyber incidents, including the 2021 Kaseya attack Continue Reading
News 21 Feb 2024

CVE volumes set to increase 25% this year

The number of reported Common Vulnerabilities and Exposures is likely to grow significantly in 2024, hitting a new high of almost 35,000, according to Coalition, a cyber insurance specialist Continue Reading
News 15 Feb 2024

Security-by-design push prompts new ISC2 accreditations

Security-by-design has become a hot-button regulatory issue. ISC2 has decided now is the time to upskill cyber pros around these vital software and hardware development principles Continue Reading
News 14 Feb 2024

Microsoft: Nation-state hackers are exploiting ChatGPT

Threat actors from China, Iran, North Korea and Russia have all been probing use cases for generative AI service ChatGPT, but have yet to use such tools in a full-blown cyber attack Continue Reading
News 14 Feb 2024

Microsoft patches two zero-days for Valentine’s Day

Two security feature bypasses impacting Microsoft SmartScreen are on the February Patch Tuesday docket, among more than 70 issues Continue Reading
News 13 Feb 2024

New variants of Qakbot malware under development

Despite its infrastructure having been taken down by the FBI last year, someone appears to be actively working on a new and improved version of the infamous Qakbot malware Continue Reading
News 13 Feb 2024

Hunter-killer malware volumes seen surging

Latest Picus Security report on malware tactics, techniques and procedures reveals an increasing focus on disabling security defences Continue Reading
News 09 Feb 2024

MoD ethical hacking programme expands after initial success

The Ministry of Defence has expanded the scope of its defensive security partnership with HackerOne Continue Reading
Definition 08 Feb 2024

clinical decision support system (CDSS)

A clinical decision support system (CDSS) is an application that analyzes data to help healthcare providers make decisions and improve patient care. Continue Reading
Definition 05 Feb 2024

personal health record (PHR)

A personal health record (PHR) is an electronic summary of health information that a patient maintains control of themselves, as opposed to their healthcare provider. Continue Reading
News 25 Jan 2024

Bugcrowd sees surge in vulnerability submissions, led by public sector

Crowdsourced vulnerability disclosure and bug bounty platform Bugcrowd says it saw a 151% uptick in submissions related to government and public sector organisations in 2023 Continue Reading
Opinion 25 Jan 2024

Mitigating the risks of modern application development

Organisations need to have visibility over their software supply chain, secure and monitor interfaces to legacy systems and adopt zero trust to mitigate the risks of modern application development Continue Reading
News 24 Jan 2024

Inside Cisco’s security platform strategy

Raj Chopra, senior vice-president of Cisco’s security business, outlines the company’s security platform strategy and how it brought different products together into a single platform Continue Reading
News 24 Jan 2024

Critical vulnerability exposes Fortra GoAnywhere users

Fortra GoAnywhere MFT users must take steps to address a newly disclosed zero-day vulnerability without delay Continue Reading
News 24 Jan 2024

Salesforce’s bug bounty programme paid out $3m in 2023

Ethical hackers disclosed more than 4,000 vulnerabilities to Salesforce last year through its bug bounty programme, and received over $3m in rewards Continue Reading
Opinion 18 Jan 2024

Powering up cyber security defences with AI

AI holds great promise when it comes to securing valuable, and vulnerable, data, but security teams face some challenges if they are to get the best out of it, writes IBM’s Christopher Meenan Continue Reading
News 11 Jan 2024

Cisco fixes high-impact flaw in unified comms platform

Cisco unified comms customers are urged to patch a critical vulnerability in Unity Connection, a messaging and voicemail product Continue Reading
News 10 Jan 2024

Davos 2024: AI-generated disinformation poses threat to elections, says World Economic Forum

Disinformation and misinformation are the top risks facing businesses, governments and the public over the next two years Continue Reading
News 10 Jan 2024

Windows Kerberos, Hyper-V vulns among January Patch Tuesday bugs

Microsoft starts 2024 right with another slimline Patch Tuesday drop, but there are some critical vulns to be alert to, including a number of man-in-the-middle attack vectors Continue Reading
News 10 Jan 2024

SEC social media hack highlights value of MFA

The US SEC briefly appeared to approve new bitcoin trading rules after a social media account was targeted by troublemakers, proving the value of MFA once again Continue Reading
News 21 Dec 2023

Top 10 cyber crime stories of 2023

Ransomware gangs dominated the cyber criminal underworld in 2023, a year that will prove notable for significant evolutionary trends in their tactics Continue Reading
Opinion 20 Dec 2023

Beyond the office walls: Safeguarding remote workers from attack

Remote working has enabled people to work from almost anywhere but has piled pressure on cyber pros. Three years after Covid, how are best practices evolving and what can we expect going forward? Continue Reading
Opinion 20 Dec 2023

Zero-trust principles: Your gateway to securing remote workers

Remote working has enabled people to work from almost anywhere but has piled pressure on cyber pros. Three years after Covid, how are best practices evolving and what can we expect going forward? Continue Reading
Opinion 20 Dec 2023

What we learned in cyber in 2023, and what to look out for

PA Consulting's Rasika Somasiri looks back at a busy 12 months in the cyber security world, and highlights some key learnings from 2023 Continue Reading
News 19 Dec 2023

Top 10 cyber security stories of 2023

The past 12 months have seen the security agenda dominated by the usual round of vulnerabilities, concerns over supply chain security and more besides, but it was the chaotic state of global geopolitics that really made an impact Continue Reading
Opinion 19 Dec 2023

Security Think Tank: Anytime, anywhere access is achievable

Remote working has enabled people to work from almost anywhere but has piled pressure on cyber pros. Three years after Covid, how are best practices evolving and what can we expect going forward? Continue Reading
News 18 Dec 2023

How threat intelligence is applied in DNS security

Infoblox’s director of security architecture explains how the company leverages its threat intelligence capabilities to help organisations stay ahead of DNS security threats Continue Reading
News 14 Dec 2023

The Security Interviews: Talking identity with Microsoft’s Joy Chik

Microsoft’s president of identity and network access, Joy Chik, joins Computer Weekly to discuss the evolving threat landscape in identity security, using innovations in artificial intelligence to stay ahead, and advocating for the coming passwordless future Continue Reading
News 13 Dec 2023

Microsoft’s Christmas present for cyber teams: no zero-days

Barely 30 vulnerabilities, and no zero-days, have been fixed in the final Patch Tuesday drop of 2023 Continue Reading
Opinion 07 Dec 2023

Considerations for the security of evolving workspaces

Remote working has enabled people to work from almost anywhere but has piled pressure on cyber pros. Three years after Covid, how are best practices evolving and what can we expect going forward? Continue Reading
Opinion 04 Dec 2023

Cyber and remote working: How Covid moved the cursor

Remote working has enabled people to work from almost anywhere but has piled pressure on cyber pros. Three years after Covid, how are best practices evolving and what can we expect going forward? Continue Reading
News 01 Dec 2023

The Security Interviews: Mark McClain, SailPoint Technologies

SailPoint founder and CEO Mark McClain reflects on how the concept of identity has evolved over the past 20 years, and points to rapid evolution still to come Continue Reading
News 28 Nov 2023

Volume of unique malware samples threatens to overwhelm defenders

A massive increase in malware volumes could cause problems for security teams tasked with adapting their defences against them Continue Reading
News 24 Nov 2023

APAC organisations warm to microsegmentation

Nearly two-thirds of organisations in the APAC region see microsegmentation as a way to protect their IT assets, but lack the skills to deploy the technology Continue Reading
News 23 Nov 2023

North Korean APTs go all in on supply chain attacks, warns NCSC

Threat actors linked to the North Korean regime are becoming more adept at targeting software supply chains in the service of their cyber attacks Continue Reading
News 22 Nov 2023

An inside look at a Scattered Spider cyber attack

Threat researchers at ReliaQuest share the inside track on a Scattered Spider cyber attack they investigated Continue Reading
News 15 Nov 2023

November Patch Tuesday heralds five new MS zero-days

Microsoft pushes fixes for five new zero-days in its latest monthly update Continue Reading
News 15 Nov 2023

How Gigamon is making its mark in deep observability

Gigamon CEO Shane Buckley talks up the company’s ability to inspect encrypted network traffic for malicious activity, how it stands out with its deep observability capabilities and the tailwinds that are fuelling its growth Continue Reading
News 13 Nov 2023

Rogue state-aligned actors are most critical cyber threat to UK

The prospect of rogue nation-state-aligned attackers bringing down the UK’s critical infrastructure is keeping the NCSC up at night Continue Reading
News 02 Nov 2023

Admins told to take action over F5 Big-IP platform flaws

Two vulnerabilities in the widely used F5 Networks Big-IP platform are now being exploited in the wild Continue Reading
News 01 Nov 2023

Darktrace CEO Poppy Gustafsson on her AI Safety Summit goals

As the AI Safety Summit at Bletchley Park takes place, Computer Weekly caught up with Darktrace CEO Poppy Gustafsson to find out what one of the UK’s most prominent AI advocates wants from proceedings Continue Reading
News 31 Oct 2023

SEC sues SolarWinds, alleging serious security failures

SolarWinds and its CISO have been charged with fraud and internal control failures by the US authorities amid allegations of a series of cyber security failings leading up to the 2020 Sunburst attacks Continue Reading
News 27 Oct 2023

Tech firms cite risk to end-to-end encryption as Online Safety Bill gets royal assent

Tech firms continue to be concerned that the Online Safety Bill could undermine end-to-end encryption despite government reassurances Continue Reading
News 27 Oct 2023

Google launches bug bounties for generative AI attack scenarios

Google expands its bug bounty programme to encompass generative AI and takes steps to grow its commitment to supply chain security as it relates to the emerging technology Continue Reading
News 24 Oct 2023

Cisco hackers likely taking steps to avoid identification

Cisco confirms that a drop in detections of devices compromised by two zero-days was likely the result of reactive measures taken by the threat actors to avoid discovery Continue Reading
News 24 Oct 2023

Research team tricks AI chatbots into writing usable malicious code

Researchers at the University of Sheffield have demonstrated that so-called Text-to-SQL systems can be tricked into writing malicious code for use in cyber attacks Continue Reading
News 23 Oct 2023

Cisco pushes update to stop exploitation of two IOS XE zero-days

Cisco releases updates to thwart exploitation of two flaws affecting users of its IOS XE software Continue Reading
News 19 Oct 2023

Fears grow over extent of Cisco IOS XE zero-day

Researchers have identified spiking numbers of victims of a recently disclosed Cisco zero-day, as users of the networking supplier’s IOS XE software are urged to take defensive measures Continue Reading
News 19 Oct 2023

Loughborough Uni to create five cyber AI research posts

Supported by Darktrace, Loughborough University is to recruit five doctoral researchers focusing on cross-disciplinary research in AI and cyber security Continue Reading
News 17 Oct 2023

What it takes to succeed in DevSecOps

Providing engineering leadership and balancing between speed and security are some areas that organisations will need to focus on in their DevSecOps journey Continue Reading
News 03 Oct 2023

CIISec scores DSIT funding to expand successful CyberEPQ scheme

DSIT has committed to enhanced funding to expand CIISec’s CyberEPQ education programme after recording excellent results to date Continue Reading
News 28 Sep 2023

Businesses disconnected from realities of API security

Business leaders feel confident they’ve got a handle on API security, but at the same time, incidents are through the roof, according to a report Continue Reading
News 28 Sep 2023

Security and risk management spending to grow 14% next year

Growth in public cloud services will stand out over the next 12 months, as Gartner projects an overall 14% increase in cyber spending in 2024 Continue Reading
News 28 Sep 2023

Yahoo picks Intigriti to run crowdsourced bug bounty programme

Digital media brand Yahoo is setting up a crowdsourced bug bounty programme with ethical hacking specialist Intigriti, and is reaching out to the Capture the Flag community to participate Continue Reading
Opinion 25 Sep 2023

Security Think Tank: Three ways to identify the best encryption use cases

The Security Think Tank assesses the state of encryption technology, exploring topics such as cryptographic techniques, data-masking, the legal ramifications of end-to-end encryption, and the impact of quantum Continue Reading
News 18 Sep 2023

Unregulated DeFi services abused in latest pig butchering twist

Pig butchering scammers are taking advantage of the unregulated nature of DeFi crypto trading apps to siphon off even more money from their victims, according to the latest findings of an ongoing investigation Continue Reading
Opinion 18 Sep 2023

Security Think Tank: A user’s guide to encryption

The Security Think Tank assesses the state of encryption technology, exploring topics such as cryptographic techniques, data-masking, the legal ramifications of end-to-end encryption, and the impact of quantum Continue Reading
News 14 Sep 2023

Google, Microsoft and Mozilla push browser updates to foil zero-day

A zero-day in Google’s Chrome browser was first reported by surveillance researchers at The Citizen Lab and Apple, but also affects other browsers Continue Reading
News 13 Sep 2023

GitHub fixes race condition that could have led to ‘repojacking’

A subtle flaw in how GitHub handled repository creation and user renaming could have had serious consequences for the open source community, but has now been fixed. Learn more about how it worked Continue Reading
News 13 Sep 2023

Storm-0324 gathers over Microsoft Teams

An initial access broker associated with several different ransomware operations is now conducting Microsoft Teams phishing attacks Continue Reading
News 13 Sep 2023

Patch Tuesday: Microsoft fixes zero-days in Word and Streaming Service

September 2023 brings a light Patch Tuesday, with two zero-days and five critical vulnerabilities listed in the latest release Continue Reading
News 11 Sep 2023

Salesforce and Zoom embrace ethical hackers. You should, too

Software companies Salesforce and Zoom discuss their successful bug bounty programmes, what they learned at a recent in-person hackathon in which they participated, and why others shouldn’t be scared of hackers Continue Reading
News 08 Sep 2023

Apple patches Blastpass exploit abused by spyware makers

Apple has patched two vulnerabilities that formed an exploit chain which has been allegedly abused by spyware company NSO Continue Reading
News 07 Sep 2023

UK minister fails to reassure tech companies over encryption risk

Technology companies say reassurances by government ministers that they have no intention of weakening end-to-end encrypted communication services do not go far enough Continue Reading
E-Zine 07 Sep 2023

CW EMEA: The value of valuing people

In this month’s CW EMEA ezine, we look at HR software and strategies that can help combat staff attrition, find out how Finland’s and Sweden’s plans to join NATO have initiated activity in the Nordic cyber security sector already, consider the data privacy challenges associated with generative AI, and find out why it is important for companies to implement new cryptography standards now in preparation for quantum-safe communication. Read the issue now. Continue Reading
News 06 Sep 2023

French supreme court dismisses legal challenge to EncroChat cryptophone evidence

Defence lawyers plan to appeal to the European Court of Human Rights after the French supreme court disallowed an appeal over the legality of EncroChat evidence Continue Reading
News 05 Sep 2023

Researchers find flaw in Mend.io security platform

WithSecure’s research team uncovered an authentication flaw in an application security platform developed by Mend.io, which has now been fixed Continue Reading
News 04 Sep 2023

How startup Once.net and Cloudflare secured the 2023 Eurovision vote

When the Eurovision Song Contest introduced paid-for public voting from outside Europe in 2023, it faced new cyber challenges. Learn how Dutch startup Once.net and Cloudflare teamed up to secure and support the big night Continue Reading
News 01 Sep 2023

Threat actors exploiting unpatched Juniper Networks devices

A series of vulnerabilities in Juniper Networks firewalls and switches appear to be being exploited in the wild to enable remote code execution, with thousands of devices thought to be exposed Continue Reading