Software Integrity Blog

Archive for the 'Security Standards and Compliance' Category

OWASP Top 10 web application security risks

The OWASP Top 10 2017 is a list of the most significant web application security risks. How are you addressing these top 10 web app vulnerabilities?

Posted in Security Standards and Compliance, Software Architecture and Design, Web Application Security

SEC getting more aggressive on financial cyber lapses

SEC cyber enforcement actions are powerful incentives for financial institutions to protect investors' money and data from theft and fraud.

Posted in Financial Services Security, Security Standards and Compliance

Don’t expect jailed CEOs, but Wyden at least puts consumer privacy on the table

The Consumer Data Protection Act (as outlined in the CDPA draft circulated in early November by Sen. Ron Wyden) might not send CEOs to jail, but it would help protect Americans' data.

Posted in Security Standards and Compliance

Better passwords in California won’t help much

The new California password law demonstrates lawmakers’ misunderstanding of how connected devices work, how the internet works, and even how passwords work.

Posted in Internet of Things, Security Standards and Compliance

LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed "unsubscribe" requests related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Krebs outlined an issue affecting recipients of LifeLock marketing email who wished to opt out of further communications by clicking a "please remove me from this list" style link within the message. The flaw in that process allowed anyone to discover the email addresses associated with other users. Symantec's response indicates that the issue was limited to a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that apart from the security researchers' efforts, there was no indication of other access attempts.

The areas we can all learn from

With this as background, we can see several activities occurring here:
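The unsubscribe flaw described above is worth seeing in code. The block below is an added illustration, not LifeLock's, Symantec's or the marketing vendor's code, and the page does not say how the real link was constructed. It assumes the common pattern the flaw implies: an unsubscribe URL carrying a guessable sequential subscriber ID whose response confirms the address, which turns the endpoint into an address-enumeration oracle. Beside it is a hardened version in which the link carries an opaque token bound to the subscriber ID with a server-side HMAC key, verification is constant-time, and the response never echoes the address. The subscriber table, host name and key are constructed for the example.

```python
"""Added illustration of an unsubscribe link that leaks other recipients'
addresses, beside a hardened version. Not LifeLock's, Symantec's or the
marketing vendor's code; the subscriber table, URL scheme and key are
constructed for this example."""
import hashlib
import hmac
import secrets

# Constructed sample subscriber table. Sequential IDs are what make the
# vulnerable link guessable.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}
UNSUBSCRIBED = set()


# --- Vulnerable design: the link carries a bare sequential ID and the
# response confirms which address was removed. ---

def vulnerable_link(subscriber_id: int) -> str:
    # Assumed URL scheme for the third-party marketing platform.
    return f"https://marketing.example.test/unsubscribe?id={subscriber_id}"


def vulnerable_unsubscribe(subscriber_id: int) -> str:
    """Handler behind vulnerable_link(). Any integer is accepted and the
    reply echoes the address, so the endpoint doubles as an email lookup."""
    email = SUBSCRIBERS.get(subscriber_id)
    if email is None:
        return "No such subscriber."
    UNSUBSCRIBED.add(subscriber_id)
    return f"{email} has been removed from this list."


def enumerate_vulnerable(start: int, stop: int) -> list:
    """What an outsider holding one link can do: walk neighbouring IDs and
    harvest every address the endpoint confirms."""
    harvested = []
    for sid in range(start, stop):
        reply = vulnerable_unsubscribe(sid)
        if reply.endswith("has been removed from this list."):
            harvested.append(reply.split(" ", 1)[0])
    return harvested


# --- Hardened design: the link carries an opaque token that binds the
# subscriber ID to a server-side key, and the reply never names the address. ---

SERVER_KEY = secrets.token_bytes(32)  # assumed secret; keep it in a secrets manager
GENERIC_OK = "You have been removed from this list."
GENERIC_FAIL = "This link is not valid."


def _mac(subscriber_id: int, key: bytes) -> str:
    # The purpose prefix stops a token minted for another feature (password
    # reset, preference change) being replayed against this endpoint.
    msg = f"unsubscribe:{subscriber_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(subscriber_id: int, key: bytes = SERVER_KEY) -> str:
    return f"{subscriber_id}.{_mac(subscriber_id, key)}"


def hardened_link(subscriber_id: int) -> str:
    return f"https://marketing.example.test/unsubscribe?t={make_token(subscriber_id)}"


def hardened_unsubscribe(token: str, key: bytes = SERVER_KEY) -> str:
    """Handler behind hardened_link(). Only tokens minted with the server key
    are honoured, the comparison is constant-time, and the reply is the same
    whichever subscriber the token belongs to, so nothing about other
    recipients can be learned from it."""
    try:
        id_text, mac = token.split(".", 1)
        subscriber_id = int(id_text)
    except ValueError:
        return GENERIC_FAIL
    expected = _mac(subscriber_id, key)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return GENERIC_FAIL
    UNSUBSCRIBED.add(subscriber_id)
    return GENERIC_OK


def enumerate_hardened(start: int, stop: int, attacker_key: bytes = b"guess") -> list:
    """The same walk against the hardened endpoint: without SERVER_KEY the
    attacker cannot mint a valid token, so no ID is ever confirmed."""
    return [sid for sid in range(start, stop)
            if hardened_unsubscribe(make_token(sid, attacker_key)) == GENERIC_OK]


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_vulnerable(1000, 1010))
    print("hardened endpoint leaks:  ", enumerate_hardened(1000, 1010))
```

The two changes that matter are independent: the opaque token removes guessability, and the generic reply removes the confirmation oracle. Either one alone leaves a residual leak (a guessable ID with a generic reply still reveals which IDs exist through the valid/invalid split), which is why the hardened handler does both. A per-recipient random token stored with the subscriber record works equally well and lets the link be revoked without rotating the key.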

Posted in General, Security Standards and Compliance

Hackers target cryptocurrency exchange, new Spectre vulnerabilities, and healthier healthcare

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week's Security Mashup.

Posted in Medical Device Security, Security Standards and Compliance, Webinars

GDPR raises the stakes on data breaches

Another week, another list of data breaches resulting from vulnerabilities in third-party contractors for high-profile companies.

Posted in Data Breach, Security Standards and Compliance

Timehop breach provides GDPR response template

The Timehop breach disclosed 21 million individuals’ account information. And now we know what public disclosure of a breach might look like under GDPR.

Posted in Data Breach, Security Standards and Compliance

Data breaches and more data breaches—oh my!

It's been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in its MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private details of its millions of online users for eight months. Three days later we had yet another breach disclosure, from Delta Air Lines and Sears Holdings, which were using third-party chat services from [24]7.ai. The [24]7.ai breach then expanded to include Kmart and Best Buy a few days later.

Posted in Data Breach, Security Standards and Compliance

What you need to know about the Singapore Cybersecurity Bill

The newly passed Singapore Cybersecurity Bill is Singapore's answer to securing critical information infrastructure (CII) providers and minimizing threats from malicious actors. But now that the bill has been signed into law, analysts and practitioners alike are raising concerns about the high costs and logistical challenges of enforcing it.

Posted in Security Standards and Compliance