Thank you so much, @code_armor! Super excited to have you onboard as a Silver exhibitor at #OWASP Global AppSec EU Barcelona 
Check out more details here: https://barcelona.globalappsec.org #developer #cybersecurity #barcelona #applicationsecurity #appsec #supportnonprofit
Speaker Spotlight: Meet @aruneeshsalhotra at the OWASP Security Summit, where he'll be sharing critical insights on #DevSecOps #PromptEngineering and #AppSec
Whether you're a developer, CISO, or tech leader, this is your chance to learn actionable strategies from the best in the game.
Save the date! Your app security IQ is about to level up. https://www.developerweek.com/conference/owasp-security-summit/
Speaker Spotlight: Meet @aruneeshsalhotra at the OWASP Security Summit, where he'll be sharing critical insights on #DevSecOps #PromptEngineering and #AppSec
Whether you're a developer, CISO, or tech leader, this is your chance to learn actionable strategies from the best in the game.
Save the date! Your app security IQ is about to level up. https://www.developerweek.com/conference/owasp-security-summit/
"Cloudflare observed exploitation attempts of CVE-2024-27198 (JetBrains TeamCity authentication bypass) at 19:45 UTC on March 4, just 22 minutes after proof-of-concept code was published."
"The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks."
#cloudflare #ApplicationSecurity report
https://blog.cloudflare.com/application-security-report-2024-update
Join #ApplicationSecurity experts @SheHacksPurple ("Alice and Bob Learn Application Security", @adamshostack ("Threat Modeling: Designing for Security"), and @izar_tarandach ("Threat Modeling") as they discuss #ThreatModeling for #developers.
Thank you @semgrep! We look forward to welcoming you to #OWASP Global AppSec Lisbon as one of our Gold Exhibitors and for supporting our Mentoring activity. https://lisbon.globalappsec.org/ #appsec #developer #cybersecurity #applicationsecurity #networking
Here's my cybersecurity highlights from #KubeconEU. Watch the session recordings via #cncf youtube but here's a recap https://techtarget.com/searchitoperations/opinion/Cybersecurity-highlights-from-Kubecon-CloudNativeCon-Europe
#AI #genAI #softwaresupplychainsecurity #cloudsecurity #applicationsecurity #appsec #devsecops #securitycon
@techtarget
I doubt that many of my followers are familiar with Xunlei Accelerator, this application being mostly used in China. I came across it due to its popular Chrome extension with 28 million users. I looked into the security of this applications and… security? What security?
https://palant.info/2024/03/06/numerous-vulnerabilities-in-xunlei-accelerator-application/
An overview:
· Program installation directory writable by any user.
· The built-in browser is based on a three years old Chromium.
· That browser exposed a powerful internal API to arbitrary websites (⇨ code execution among others).
· This browser could also be opened by any website loaded in the user’s regular browser, without any user interaction.
· XSS vulnerabilities in the display of messages in the main application, despite using React (⇨ code execution).
· Electron’s renderer sandboxing effectively rendered ineffective.
· Local webserver using “authentication” based on a “secret” hardcoded string.
· Plugin installation can be triggered by any website (⇨ code execution).
· Plugin list downloads via insecure HTTP connection (⇨ code execution).
· Rudimentary HTTP client used in some places, with memory safety issues and recognizing exactly two server responses.
· Tons of outdated third-party code, including (but not limited to) two years old FFmpeg, twelve years old libpng and eight years old zlib.
The vendor fixed the most obvious ways to exploit these issues. With the communication being spotty to say the least, I don’t know whether they plan to do more.
Did you know that we have a student sponsorship program?
Are you a student or recent graduate from a New Zealand or Australian university, college, or technical school?
We have partnered with Xero, Visa and Summer of Tech to offer free secure development training.
Apply today at https://bit.ly/41X44FJ
#studentsponsorship #securedevelopment #AppSec #ApplicationSecurity
Did you know that we have a student sponsorship program?
Are you a student or recent graduate from a New Zealand or Australian university, college, or technical school?
We have partnered with Xero, Visa and Summer of Tech to offer free secure development training.
Apply today at https://bit.ly/41X44FJ
#studentsponsorship #securedevelopment #AppSec #ApplicationSecurity
Make sure you join us tomorrow for our livestreamed training session “OWASP ASVS: Unlocking Stronger Application Security” with Shanni Prutchi, the author of “OWASP ASVS Demystified: A Practical Guide to Web #ApplicationSecurity Testing.” Let us know if you have ideas for future training sessions! #BFLive
Discover how to prevent unauthorized access to restricted files and directories in Java applications. Check out our guide on mitigating path traversal vulnerabilities. 
https://buff.ly/3SStK1Y #Java #ApplicationSecurity
It's taken me almost a year to write (and edit) my rant about categories and acronyms in cybersecurity. Which acronyms or categories annoy you the most? Security teams don't need more tools, they need efficient ways to mitigate risk and respond quickly to threats or attacks - especially now to keep up with faster development cycles.
https://www.techtarget.com/searchsecurity/opinion/Cloud-native-app-security-Ignore-acronyms-solve-problems
#cloudsecurity #applicationsecurity #appsec #cspm #sast #dast #iast #sca #sbom #ciem #asoc #dspm #aspm #cnapp #cdr #mdr #itdr #ndr #mdr #xdr #edr #cnapp #wapp #devsecops #cybersecurity #infosec #ciso #cso
The questions I want answered for any cloud-based password manager:
· Is its encryption approach sane?
· Does the server have access to any plaintext data?
· Can the server manipulate the data?
· Are users being aided in creating safe credentials?
· Do encryption keys or their components ever leave user’s computer?
· Are there encryption backdoors meant to aid account recovery for example?
· Is the client-side software safe from web-based attacks?
· Are there precautions in place to avoid filling in passwords on the wrong websites?
· Are there precautions in place to avoid filling in passwords on compromised websites without user’s knowledge?
· …
The questions media coverage tends to focus on:
· Are there plain text passwords in memory that someone with administrator privileges on user’s machine could read out?
It takes a village to run a village. We are looking for volunteers to help us bring AppSec Village at DEF CON 31 to life.
Learn more https://www.appsecvillage.com/volunteer
#dc31 #defcon #defcon31 #appsecvolunteers
#appsec #applicationsecurity #appsecurity #apisecurity
