Cybersecurity best practices, tips, and the latest news discussed by security professionals.
Read on to find the topic that interests you the most!
Selecting the right Java framework will help you get the most out of Java and build applications quickly and securely. In this guide, you’ll learn about the different types of Java frameworks, how to choose the best one for your project, and some of the advantages of using each.
Learn about Insecure Direct Object Reference and the steps you can take as a developer to make sure your applications are safeguarded against cyberattacks.
Having the right security mindset is important, so we asked an expert about learning security and building security awareness!
Authentication and authorization both can be associated with common security vulnerabilities. Here are some ways to prevent them!
NFTs (non-fungible tokens) set a new standard for data security and identification. Learn how to quickly and effectively implement them at your company today.
Security research plays a vital role in the development lifecycle. But how does it help to ensure application security? We asked an expert!
Understanding serialization and deserialization vulnerabilities is the first step toward building secure applications. For most developers, it’s a challenge to find the right balance between coding securely and meeting other objectives like tight deadlines. This often results in products that are vulnerable to deserialization attacks which would be otherwise difficult to stage.
The purpose of this post is to present one of the most popular authorization manager open standards JWT. It goes into depth about what JWT is, how it works, why it is secure, and what the most common security pitfalls are.
Software development and application security go hand-in-hand. We asked the CISO of Skyscanner about this crucial relationship.
Every year, Ruby is becoming more and more popular thanks to its elegance, simplicity, and readability. Security, however, is an issue we can’t afford to neglect.
New security vulnerabilities are discovered every day. The common goal of everyone, including attackers, is to detect these security vulnerabilities.
Being up-to-date with the latest information security trends is not easy. Deploying them on a regular basis is even harder. We asked an expert for best practices!
Cybernews asked our CEO Mark about the importance of secure coding training, current security challenges, and more!
The hacker group Lapsus$ claims to have breached Samsung and stolen 190GB of data, including the source code. Here is everything you need to know!
Zero Trust is a security framework requiring all users, whether inside or outside your organization, to be authenticated, authorized, and continuously validated. This allows for security configuration to happen before granting or keeping access to applications or data.
Understanding the importance of API security is just the beginning of an extensive process to secure your APIs from attacks.
Today’s vehicles are equipped with software to make driving a safer and more enjoyable experience. But what about the cybersecurity risks? We asked an expert!
The new OWASP Top 10 list has been released to show us the new priorities of security risks that web applications face.
Capture the Flag competitions are one of the best ways to equip your developers with the secure coding skills they need. Learn about the benefits of CTF events in our blog post!
2021 is coming to a close, and it’s time to take stock of the security lessons we’ve all learned this year. This way we can better understand and prepare for the security threats we’ll face next year.
Ransomware attacks have been on the rise lately. Europe’s largest electronic supply store is the latest victim of this growing threat.
The cloud data system has numerous advantages as well as many dangers. 80% of companies have had at least one data breach in the past months.
Companies understand the way you handle data security has a direct impact on their bottom lines. This has led to most companies requiring all vendors to have a special compliance certificate called an SOC2.
ISO 27001 belongs to the set of security standards that explicitly requires the security training of all employees, including developers responsible for building the products and operating the business infrastructure.
Our team attended Hacktivity, the biggest IT security conference in Central and Eastern Europe – a whole day full of interesting presentations and workshops. Click to see how we liked it!
Most employee passwords fail to follow even the simplest anti-theft precautions, such as creating passwords with a minimum of 12 characters. In a recent study of 15.2 billion passwords, only 2.2 billion were found to be unique.
Cryptocurrencies have been a popular trading asset in recent years. But what are the possible security risks that come with this technology?
Cybersecurity is, by nature, a negative asset. As with any protective measure, one of the biggest challenges is to measure the value (or return on investment, ROI) of cybersecurity. It is even more difficult to get stakeholders – customers, users, and decision-makers – in the company to understand its value.
The increasing threat of security breaches mostly has to do with the increasing amount of information being stored. Although individuals are responsible for most data creation, 80% of all data is stored by enterprises.
Security breaches can impact any organisation. Insecure coding practices may result in increased security risk, and put businesses in jeopardy. Click to read our post about 6 secure coding rules to live by!
What are the best ways to teach cybersecurity to teams and individuals? How can you motivate developers to improve their security skills? We asked Jonathan Meyers, Head of Cybersecurity at Cybrary.
Even though security has started to become a growing concern, the immense pressure to ship applications on time means that instead of being an integral part of the development process, for most teams it’s still an afterthought.
How do you start learning IT security? What’s the difference between the offensive and the defensive way?
Our CTO, Gábor, shares how he got involved in the world of cybersecurity and gives you some useful tips.
In payment transactions, security is critical, and any weakness does not only compromise the data, but can result in credit card fraud that causes huge losses for the stakeholders.
The pandemic has spread through the word, affecting almost every industry. We discuss the aspects of CODIV-19 on cybersecurity.
Banking information, login credentials, insurance numbers. A few of the data stored by many financial institutions. We asked an expert about the best practices to protect these information.
Exposing data, especially sensitive data, is a long-time-coming threat. Since personal information such as addresses, payment details, non-hashed passwords, config files, and so on are very popular targets among attackers, it’s obvious that sensitive information is supposed to be protected from unauthorized access.
Compliance standards are a valuable but mostly misunderstood part of the corporate culture. Like any other certificate, a compliance certificate demonstrates that the entity/business operates according to a commonly accepted standard and signals trust towards third parties. A successful compliance certificate eases regulatory processes, opens new markets, and in general speeds up revenue generation, which is the key metric for businesses.
Application security is one of the cornerstones of cybersecurity, and it is critical to defend a successful business operation. To strengthen cybersecurity defenses, businesses have to apply rigorous testing and remediate the issues that were found.
Python is a high-level, flexible programming language that offers some great features. To be as effective as possible, it is important to possess the knowledge to make the most out of coding with Python.
Money management moves towards complete automation, and the evolution of cybercrime follows along. The money heist has changed, we all know that. Cyberspace takes more and more of that cake, but the reason behind attacks remains the same: money, in any form.
Telecommunications is everywhere. Hence, this area is more exposed to external threats than others. It is crucial to ensure a strong line of defense in this industry, so your entire organization has up-to-date protection and is aware of best practices.
Security champions represent an essential part of any security programs. They lead their teams on security projects, ensure internal security and help keeping security on the top of your mind. But how exactly they operate in a business? We asked Alexander Antukh, Director of Security at Glovo for professional insights.
Security champions play a vital role in establishing and maintaining a security culture in an engineering organization. See how to turn your developers into security champions!
As the company grows the leadership wants to establish a security program to ensure the solid and undisrupted operation of the business. Security at this point is essential, especially when calculating the loss from a halted business, even for a few hours.
OWASP Top 10 Vulnerabilities in 2021 based on the non-official proposal of Ivan Wallarm. Here is what we know.
For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.
To build an enterprise security program, one has to go back to the well-known fundamentals of organizational change: People, Process, and Technology (originates from Harold Leavitt’s “Applied Organization Change in Industry”, 1964).
If you are working on Java projects you might have heard about other languages that run on the JVM, like Clojure, Kotlin, or Scala. Programmers like to try new things out but is it worth it to pick one of them over Java?
How can we make security education a whole lot more accessible and fun? The tutorial framework is the answer. In this article we dive into how to create interactive learning environments running inside containers.
Containers have been around for over a decade. Yet before Docker’s explosive success beginning in 2013 they were not wide-spread or well-known. Long gone are the days of chroot, containers are all the rage, and with them, we have a whole new set of development and security challenges.
What are the key benefits of practical security training for developers? Here are some tips on how you can build a case for a developer security program.
Not a single day goes by without a devastating security breach affecting someone, somewhere. In the first six months of 2019 alone, over 4 billion records around the globe have been exposed due to easily preventable data leaks.
Explore the key elements of this Cross-Site Scripting vulnerability in the Google search engine.
Ever-increasing amounts of information are produced, stored, processed, and transferred enabling products and services across all industries. A substantial amount of this information relates to an identified or identifiable natural person i.e., its personal data. The processing of personal data can, unfortunately, also summon risks to individuals’ rights and freedoms, sometimes materializing in real harm.
Even if you use HTTPS, your browsing habits can still be tracked by observing your DNS queries. Besides the lack of confidentiality, plain old DNS doesn’t provide data integrity and authenticity either. This article discusses DNS security and privacy and points out the problems that can arise from lacking in these attributes and gives some tips on how to remedy them.
The US Postal Service launched its Informed Visibility program last year to provide better insight into their mailstream service. For example, one can obtain near real-time notifications about delivery dates and identify trends. However, they have made much more data available than intended, at least 60 million customers were exposed to anyone who is registered on http://www.usps.com.
Containers are often treated as if they were virtual machines which are far from the truth, they are a lot less isolated from the host system. However, there is a myriad of ways to enhance isolation. This blog post will give you an overview of Linux container security.
Even though modern C++ ( the standard since C++11) has made programming in this language much more secure, it also introduced new vulnerabilities hidden under its layers of abstractions. In C and older versions of C++, the concept of pointers wasn’t easy to grasp for beginners. You had to worry about null dereference, dangling pointers, deallocation, etc. However, the Middle Ages are over, we have smart pointers now.
How would you like the idea of being escorted by armed security staff from the grocery store to your home in order to protect the valuable air fresheners you have just bought? Would you be confused, would you visit the store again?
IT security is a really huge topic and until you find your first bug you can’t be sure that you have the required amount of knowledge, luck, and patience. Joining the club of bug bounty hunters as a newbie is hard, so let me share my story with you.
Blockchain-based platforms are becoming increasingly popular due to their ability to maintain a public distributed ledger, providing reliability, integrity, and auditability for transactions without a trusted entity.
In one of our recent posts, we wrote about the difficulties of adopting infrastructure automation in a previously static environment. As experience shows, it’s never easy to get accustomed to a tool when the size of your team excels in numbers. Exploring its strengths, weaknesses, and boundaries, adopting best practices could take weeks.
In the past decade, Spring Framework became a well established and prominent web framework for developing Java applications. The most exciting and essential changes in the Spring ecosystem was the birth and progression of Spring Boot. No matter what you need, Spring Boot provides comprehensive, easy-to-use, and interdisciplinary development environment tools for deployment and assists in the whole development lifecycle.
The Facebook breach was discovered after the social media company saw an unusual spike of user activity that began on September 14, 2018. A few days later, on Tuesday, September 25, Facebook’s engineering team discovered an unprecedented security issue, that affected about 30 million users. The social media giant says the flaw has been patched, but the people behind this attack are still unknown.
In this article, we will cover how to use Ansible for infrastructure automation. Here at Avatao, we are big believers in infrastructure-as-code which is a way of infrastructure automation using the practices from software development. Setup tasks, configuration, identity, and access management are coded as reproducible definitions. This dramatically reduces the chance of human error. Changes in the infrastructure are reproducible and auditable. We can also make use of software development tools such as version control or automated testing and deployment.
Great developers possess a wide variety of skills, from technological expertise to product thinking. You need some of these for your current job, others you just picked up over the years. Nevertheless, it’s all valuable and contributes to the fact that you are seen as a seasoned software engineer.
Tackling the versioning pains of a greenfield project with cats. New projects can force us, developers to face certain challenges that we won’t even have to think about when working on an already existing codebase.
These include stuff like “how are we going to ship our code to customers/clients?” or coming up with a way to distinguish between versions.
As more and more infrastructures are moved to the cloud datacenters, services offered by the cloud providers became an obvious target for exploitation and cloud security in practice is more important than ever. Configuring these services to be as secure as possible is a new challenge coming from the datacenter world.
In this article, we will discuss different methods to avoid common pitfalls in terms of Git security. We live in a world where it is hard not to know Git, the most popular Distributed Version Control System (DVCS). Free and open-source, it has been initially created by Linus Torvalds to be used for the development of the Linux Kernel. These days, Git is completely omnipresent in the IT industry. It is the key element of platforms such as GitHub or GitLab and used as a package management system by the Go language for example.
Being cloud-native won’t save you from external threats if you as a user are not aware of basic network security needs – cloud providers simply cannot do everything for you while due to the heavy demand to scale our services, there is unexpected urgency to be cloud-native. This shift allows for abstracting our infrastructure- and network layers into the software-defined space of clouds. Simultaneously, traditional perimeter security issues move silently to the table of IaaS providers, but certain control parameters are still in our hands.
If you have found a vulnerability and you want to act responsibly, discretion is most important. Always remember you have information that can be exploited by black-hats putting not only the enterprise and its reputation but its users at risk.
Access control, or authorization, is how a web application grants access to resources to some users, and not others. These resources mostly fall into two categories: sensitive data, which should only be accessed by certain entities, and functions that can modify data on the webserver, or even modify the server’s functionality. Authorization checks are performed after authentication: when a user visits a webpage, first they have to authenticate themselves, i.e. login, then if they try to gain access to a resource, the server checks if they are authorized to do so.
The security model of web is rooted in the same-origin policy. Each origin is isolated from the rest of the web and codes should only have access to their origin’s data. Because of this model, browsers trust every code that shows up on a page as it’s a part of the pages’ security origin.
A company has to be mature enough to implement a responsible disclosure policy – or at least mature enough to implement its own tailor-made program. Implementing a responsible disclosure policy can show your security consciousness, yet if you do it wrong, the effects can be detrimental.
The trend to move to the cloud seems to be unstoppable that raises more and more security concerns. AWS can be considered the leader in the market of cloud service providers. It offers more than a hundred different cloud services and it is used by over a million companies. Given such an enormous volume of business, it should come as no surprise that AWS has its dedicated service to help developers keep their cloud infrastructure more secure. This service is called IAM which stands for Identity and Access Management.
As the enterprise architecture becomes more and more complex, the task of the Chief Security Information Officer (CISO) becomes overwhelming. CISOs have a tough time finding talented cybersecurity professionals to support their job. In an interesting article in VentureBeat, Nir Donitza and Gal Ringel wrote about the cybersecurity landscape of Israel in 2018, and what it might predict from global cybersecurity. A few of their findings point to some interesting trends.
You’ve probably read about the Equifax breach and the Apache Struts vulnerability in NY Times, in Bloomberg or somewhere else. The breach resulted in the leakage of 143 million user profiles, including Social Security numbers, birthdates and addresses.
The time pressure of an approaching deadline is a good excuse to go fast when establishing the quality and security of the produced software. Everybody says that security is important, but the reality is that we’ll always find a good reason to neglect it if it is not built in entirely
into our Software Development Life Cycle (SDLC).
This is the final part of this blog series. If you haven’t done already so, you can read the first, and second part of our story also.
It was early 2013, in the middle of my Ph.D. studies when two master students (András Gazdag and Levente Fritz) asked me to talk about memory corruption vulnerabilities.
We are more than happy to welcome Tamás Koczka (aka “KT”) who is one of the key members of the CrySyS Student Core and the !SpamAndHex team. He participated at approximately 80 CTF events (including 7 finals abroad) solving hundreds of challenges from various topics in information security.
In our previous blog, we gave you a small introduction to Cross-site Scripting (XSS) attacks and added some easy challenges to get a taste of web security. It seems, however, that XSS is still one of the top vulnerabilites on the web. An attack against Yahoo Mail and various sandbox escape techniques keeps this topic hot.
Binary analysis starts with the understanding of different file formats. Fortunately, there are several tools (e.g., CFF explorer, FileAlyzer) that help you to understand their internal structure, however, most of these tools are not generic enough and do not expose APIs or SDKs. As a result, when automated analysis is required you have to implement your own scripts to parse those binaries.
We are more than happy to welcome Chris Wysopal, (also on Twitter) as the next security expert on our blog. Chris, the CTO of Veracode, is one of the key influencers in IT security today. He is a regular speaker at conferences such as Black Hat or the RSA conference.
We are more than happy to welcome Zoltán Balázs, (also on Twitter) as the next security expert on our blog. Zoli has long track records in bypassing security defense products. He regularly gives talks at security conferences such as DEFCON, Botconf or Hacktivity. He is now working as the CTO for MRG-Effitas. Here is his story.
Charlie Miller is well-known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products (e.g., Safari, iOS) . Then he surprised the world by performing a remote hack on a Jeep Cherokee. He is now with us to shed light on how he approaches complex systems and finds their weaknesses. Here is his story.
This is the second part of our !SpamAndHex series. You can read the first part here. Everything starts with a vision. It was in 2009 at the very beginning of my master studies at the Budapest University of Technology and Economics (in short BME) in Hungary when my advisor, Levente Buttyán (head of CrySyS Lab) contacted Engin Kirda who was tenured faculty at Institute Eurecom (Graduate School and Research Center) at that time if there is a project I could work on together with other iSecLab guys.
We are more than happy to welcome Mateusz Jurczyk (aka “j00ru”), (also on Twitter) as the second security expert on our blog. When talking about low-level Windows kernel security, we are unable to avoid his name. He won the Pwnie Award 3 times and was nominated 6 times in various categories. He is one of the key members of the Dragon Sector CTF team which became the best team in the world in 2014 on CTF time. Here is his story.
In this new series, we talk to security experts on how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”), (also on Twitter) who independently co-discovered the infamous Rosetta Flash vulnerability and got nominated for a Pwnie award for the best server-side bug at BlackHat 2014. Here is his story.
The South Korean CTF team CyKor, (also on Facebook) is one of the best CTF teams in the world. Together with other South Korean security experts like Junghoon Lee (aka “lokihardt”) and the members of Raon_ASRT the DEFKOR CTF team was formed which won the DEFCON CTF Finals in 2015 and ranked 3rd in 2016. As team CyKor they ranked 2nd on Belluminar 2016, a top invite-only hacking contest organized by POC and Qihoo 360. Here is their story.
Summer just started in 2011, when Gábor Pék, Buherátor and Bencsáth Boldizsár (aka “Boldi”) decided to do some nice hacking over the summer instead of going to splash in Lake Balaton all summer long. The annual international university hacking competition called iCTF was a big challenge with top competing teams.
Get started with Avatao
Copyright © 2022 Avatao