Welcome to Labs

HTTP/3 and QUIC: A new era of speed and security?

HTTP/3 is the third and upcoming major version of the Hypertext Transfer Protocol (HTTP) used across the web. HTTP has been the main protocol on the…

Articles

Preventing exploitation of the Follina vulnerability in MSDT

The Follina Exploit. A zero-click Remote Code Execution (RCE) vulnerability has started making the rounds which leverages functionality within applications such as Microsoft Word. This vulnerability exists when the…

Application Security 101 – HTTP headers

1. Strict-Transport-Security: The HTTP Strict Transport Security (HSTS) header forces browsers and other user agents to interact with web servers over the encrypted HTTPS protocol, which protects users from Man in…

New Exchange RCE vulnerability actively exploited

Exchange admins now have another exploit to deal with while still reeling from a number of high-profile attacks this year, including ProxyLogon and ProxyShell. A new high-severity Remote Code Execution (RCE) exploit for on-premise Exchange Servers has been published and is being actively exploited in the wild.

How effective is secure code review for discovering vulnerabilities?

We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle (SDLC). In our blog post exploring the impact of adopting application security, we described a common scenario involving assessing an application that was ready for release. Through the assessment, critical…

Application Security (AppSec)

There is a movement in the IT security world that is gaining traction, and it is based around the implementation of security within applications from the beginning. You may have heard buzzwords like “AppSec”, “DevSecOps” and “Shift Left”, but what do they actually mean? What does it take to “Shift Left” when developing a secure…

Enhancing Security in your Software Development LifeCycle – Dealing with Dependencies

The adoption of agile practices has resulted in the emergence of shift-left testing, where testing is performed much earlier in the Software Development LifeCycle (SDLC). Traditional waterfall models performed testing to the right of, or following, development. The benefits of testing earlier and more often cannot be overstated. However, where does this leave security and…

Exchange Server Emergency Mitigation Service

It has been a tough few months for Microsoft. After the SolarWinds/NOBELIUM attacks, Microsoft Exchange customers were afflicted with a slew of vulnerabilities. In March 2021, the ProxyLogon vulnerability emerged, followed by an exploit that surfaced in April 2021 called NSA Meeting. In August 2021, Orange Tsai released a series of new vulnerabilities called ProxyOracle and ProxyShell,…

VMware vCenter Critical RCE Vulnerability

Last week, VMware released a security advisory containing information on several high-severity vulnerabilities present in all currently supported versions of the vCenter Server virtualisation management software. Security researchers George Noseevich and Sergey Gerasimov reported a critical-severity vulnerability within the advisory (CVE-2021-22005) that can be used to achieve command execution on…

Introduction to Windows 11 (beta) security

Windows 11, coming October 5th 2021, is expected to become the new operating system of choice for most home, business and enterprise users. With a long history of poor backward compatibility, unintelligible configuration options and confusing support lifecycles, IT professionals around the world are holding their breath, waiting to see if Microsoft has hit the…