secure coding | Breaking Cybersecurity News | The Hacker News

The developers who create the software, applications and programs that drive digital business have become the lifeblood of many organizations. Most modern businesses would not be able to (profitably) function, without competitive applications and programs, or without 24-hour access to their websites and other infrastructure. And yet, these very same touchpoints are also often the gateway that hackers and other nefarious users employ in order to steal information, launch attacks and springboard to other criminal activities such as fraud and ransomware.  Successful attacks remain prevalent, even though spending on cybersecurity in most organizations is way up, and even though movements  like DevSecOps  are shifting security towards those developers who are the lifeblood of business today. Developers understand the importance of security, and overwhelmingly want to deploy secure and quality code, but software vulnerabilities continue to be exploited.  Why? For the 2nd year, Secure Co

Professional developers want to embrace DevSecOps and write secure code, but their organizations need to support this seachange if they want that effort to grow. The cyber threat landscape is becoming more complex by the day. Attackers are constantly scanning networks for vulnerable applications, programs, cloud instances, and the latest flavor of the month is APIs, widely considered an easy win thanks to their often lax security controls. They are so persistent that new apps can sometimes be compromised and exploited within hours of deployment. The Verizon 2021 Data Breach Investigations Report makes it very clear that the threats leveled against businesses and organizations  are more dangerous  today than at any other point in history. It's becoming very clear that the only way to truly fortify the software being created is to ensure that it's built on secure code. In other words, the best way to stop the threat actor invasion is to deny them a foothold into your applications in

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

The same 10 software vulnerabilities have caused more security breaches in the last 20+ years than any others. And yet, many businesses still opt for post-breach, post-event remediation, muddling through the human and business ramifications of it all. But now,  a new research study  points to a new, human-led direction. ‍ The following discusses insights derived from a study conducted by Secure Code Warrior with Evans Data Corp titled 'Shifting from reaction to prevention: The changing face of application security' (2021) exploring developers attitudes towards secure coding, secure code practices, and security operations.  Read the report. ‍‍In the study, developers and development managers were asked about their common secure coding practices. The top three methods highlighted were: Scanning applications for irregularities or vulnerabilities after they are deployed Scrutinizing write code to inspect for irregularities or vulnerabilities The reuse of pre-approved code t

Much like technology itself, the tools, techniques, and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality… and we want it faster than ever before, more qualitative, and on top of that: Secure. With an estimated 68% of organizations experiencing zero-day attacks from undisclosed/unknown vulnerabilities in 2019, this is an upward trend that we need to address as an industry by shipping secure code at a reasonable speed. While many people and organizations are moving on from Waterfall to Agile — and not everybody is there yet, let's be real — they are already encountering a new problem. Development teams and their operations counterparts are still working in silos, and this is still causing headaches for development managers and their counterparts across the business. In this environment, how can small teams working in an Agile way deliver on that promise of faster deployment, and fast

Programming has five main steps: the identification and definition of the problem, the planning of the solution for the problem, coding of the program, testing, and documentation. It's a meticulous process that cannot be completed without going through all the essential points. In all of these, security must be taken into account. As you come up with a solution to the problem and write the code for it, you need to make sure security is kept intact. Cyber attacks are becoming more and more prevalent, and the trend is unlikely to change in the foreseeable future. As individuals, businesses, organizations, and governments become more reliant on technology, cybercrime is expected to only grow. Most of what people do in contemporary society involves the internet, computers, and apps/software. It's only logical for programmers to be mindful of the security aspect of making applications or software. It's not enough for programmers to produce something that works. After

A vulnerability has been identified in Microsoft Internet Information Services (IIS) that causes the server to incorrectly handle files with multiple extensions separated by the ";" character. For instance, a file named "malicious.asp;.jpg" is treated as an ASP file. This flaw allows attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions. Notably, ASP.Net is NOT affected by this vulnerability. Impact and Versions Affected This vulnerability affects all versions of Microsoft IIS. It works successfully on IIS 6 and earlier versions. IIS 7 has not been tested, but it does not work on IIS 7.5. The vulnerability was discovered in April 2008 but reported in December 2009. Severity and Exploitation The impact on IIS is significant, as attackers can bypass file extension protections using a semi-colon after an executable extension, such as ".asp", ".cer", ".asa", and others. This vulnerability affects many IIS versions,