#RSAC: CISA Launches Vulnrichment Program to Address NVD Challenges: CISA launched a new software vulnerability enrichment program to fill the gap left by NIST’s National Vulnerability Database backlog
CyberCureME - Cyber Security Marketplace’s Post
More Relevant Posts
-
A researcher has released a proof-of-concept (PoC) exploit and analysis for a critical vulnerability, tracked as CVE-2024-40711, used in Veeam's backup and replication software. As an unauthenticated remote code execution (RCE) flaw, the vulnerability has a CVSS score of 9.8 and threatens environments that are running versions 12.1.2.172 and below.
1 PoC Exploit for RCE Flaw, but 2 Patches From Veeam
darkreading.com
-
Check out my latest blog post over at the FOSSA site where I look at some of the crazy new features in OWASP CycloneDX SBOM/xBOM Standard v1.6 Specification. It's getting wild how much you can do with CDX these days and I can't wait to see how the tooling ecosystem responds! #xbom #sbom #cyclonedx #attestations #quantum #cryptography #supplychainsecurity #cybersecurity #cdxa #mlbom #cbom
A new version of the OWASP CycloneDX SBOM/xBOM Standard was released earlier this week, with several exciting additions and new capabilities (including attestations). Software supply chain security and #SBOM expert Tony Turner covers highlights from #CycloneDX v1.6 in our latest blog.
What's New in CycloneDX 1.6 - FOSSA
fossa.com
-
Exciting news from the OWASP CycloneDX project! Version 1.6 is out, bringing enhancements to the industry-leading bill of materials specification, alongside new best practices for practitioners. Here's what's in store:
- 🔍 Expanded support: CycloneDX 1.6 goes beyond software bill of materials (SBOM) with features like Cryptographic BOM (CBOM), Machine Learning BOM (MLBOM) enhancements, and Attestation support.
- 📈 Standardization process: With the aim of standardization through Ecma TC54, CycloneDX 1.6 aligns closely with industry standards like SPDX while retaining its utility.
- 💡 Cryptographic BOM (CBOM): Captures cryptographic assets, aiding in understanding and mitigating security risks related to cryptography, including quantum-resistant cryptography.
- 🔒 CycloneDX Attestations (CDXA): Allows stating compliance with regulatory requirements, supporting "compliance as code" and enhancing security processes in the software pipeline.
- 🤖 Machine Learning BOM (MLBOM) Enhancements: Improvements include capturing environmental factors like energy consumption and CO2 emissions, promoting ecological practices for AI.
- 📚 Authoritative Guides: Accompanying the CycloneDX 1.6 release are comprehensive guides on SBOM, CBOM, and Attestations, providing users with detailed information and examples for producing BOMs.
Which type of BOMs are you using today? #SoftwareDevelopment #Cybersecurity #SBOM #OpenSource #FOSSA #SCA
-
Previously, we shared OWASP's top 10 risks, receiving great feedback. Now, we offer a detailed summary and analysis!
#Key_Point_1: 3 points on authorization 😮
From API functions to objects, and to object properties, the scope of required authorization control has increased.
- 🔒 Top 1: Broken Object Level Authorization
- 🔒 Top 3: Broken Object Property Level Authorization
- 🔒 Top 5: Broken Function Level Authorization
#Key_Point_2: 4 new 2023 entries
Attackers simulate normal API access but have ulterior motives, disrupting internal servers.
- 🛡️ Top 4: Unrestricted Resource Consumption
- 🛡️ Top 6: Unrestricted Access to Sensitive Business Flows
- 🛡️ Top 7: Server Side Request Forgery
When using third-party API services, do evaluate the security risks of their API services.
- 🛡️ Top 10: Unsafe Consumption of APIs
Check out our blog to delve deeper into API subjects. ▼▼ https://lnkd.in/gTVV7vx7
-
Vulnerability management in today's complex software environment is best served by software vendors working together to ensure software customers can easily consume high quality vulnerability data. How does this get figured out? By moving forward collectively with a CVE program that engages with all CNAs and enables a standards-based approach for data quality and scale.
Council Post: The World Still Needs A CVE Program
social-www.forbes.com
-
They say this #CPTS course from #HackTheBox is far more in-depth and difficult than the #OSCP, which is reassuring and foreboding at the same time. Everything module on footprinting... the final lab within it was a hard difficulty, and they really meant it. Used onesixtyone to find the proper community to snmp walk the target, used the credentials found from the walk to access the user's email through IMAP to find a private key given to them by their admin, used that private key to ssh into their environment, and finally navigated through the user's history which showed how to access their MySQL database in order to find the requested user password. Module: Footprinting (Difficulty: Medium) #TryHarder #HTB
Awarded the badge You need to trace before you can hunt
academy.hackthebox.com
-
A cause for concern… as quoted in the article from Tom Pace: "This is not a good state of affairs. This data set is relied on by many people around the world. This is going to make patching more difficult and slower." Open source alternatives mentioned in the article: VulnCheck and Open Vulnerability Database.
NIST's Vuln Database Downshifts, Prompting Questions About Its Future
darkreading.com
-
NVD Leaves Thousands of Entries Without Enriched Information
The US National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD) is in the midst of making changes to its processes, resulting in thousands of new entries lacking enrichment: vulnerability analyses and descriptions, as well as lists of affected software, CVSS scores, and links to patches and additional information. Some researchers are reporting that more than 2,000 recently added vulnerabilities lack enrichment data. https://lnkd.in/eixG7KY9
NIST NVD Disruption Sees CVE Enrichment on Hold
infosecurity-magazine.com
-
The latest update for #SecurityScorecard includes "National Vulnerability Database
SecurityScorecard
securitysenses.com
-
ITAD is the most secure IT disposal option. When data-bearing IT assets are no longer in use and are left dormant in storage, they pose a risk to your organization's data security. Even if you use standard delete commands, residual sensitive data can still be retrieved from your redundant assets. Learn about DCR's Certified Data Erasure services at dcr.ca!