SAST vs DAST vs IAST
K2io Blog
by Alex Begun, Chief Revenue Officer
2y ago
I would think most would agree that it wouldn’t be too much of a stretch to draw a parallel between security tools and medicines, and threats and diseases, which brings us to the tried and true analogy of “the medicine is worth the cure”. While there are many tools and many types of threats, let’s take a look at a few tools, namely SAST, DAST and IAST, and how they fit into application security programs. Static Application Security Testing (SAST): Static Application Security Testing (SAST) tools use a clear-box testing approach to identify vulnerabilities. A well understoo…
Cyber Security Predictions for 2022
K2io Blog
by Pravin Madhani, CEO and Co-Founder
2y ago
As we approach the end of 2021, all of us at K2 Cyber Security want to wish you and your families the best holiday season and new year, especially after almost two years of living with the COVID-19 pandemic. This last year was especially challenging, as we finally developed a vaccine and thought things were getting back to normal, only to have repeated lockdowns and restrictions on travel. On the IT front, organizations that were forced to accelerate their digital transformation in 2020 found they had to continue to rely on their cloud infrastructure as many of their employees…
Runtime Application Security: Made to Protect Against LOG4J2 Attacks
K2io Blog
by Jayant Shukla, CTO & Co-Founder
2y ago
A recently discovered vulnerability in LOG4J2 (also referred to as LOG4SHELL) is being widely reported as one of the most dangerous vulnerabilities in application software to date. There is already news that it is being exploited in the wild, putting widely used applications and cloud services at risk. LOG4J2 is a popular Java logging framework developed by the Apache Software Foundation. The vulnerability, CVE-2021-44228, allows for Remote Code Execution (RCE) against users with certain standard configurations. More details on the vulnerability are found in the vulnerability report, CVE…
93% of Tested Networks Vulnerable to Breach
K2io Blog
by Pravin Madhani, CEO and Co-Founder
2y ago
A recent article in Dark Reading is reporting that nearly every organization can be infiltrated by cyber attackers, based on data from dozens of penetration tests and security assessments. The article reports that the vast majority of businesses can be compromised within a month by a motivated attacker using common techniques, such as compromising credentials, exploiting known vulnerabilities in software and Web applications, or taking advantage of configuration flaws. In 93% of cases, an external attacker could breach a target company’s network and gain access to local devices and system…
More than 40 billion records exposed in 2021
K2io Blog
by Pravin Madhani, CEO and Co-Founder
2y ago
Security Brief Asia is reporting on new research showing that more than 40 billion records were exposed by data breaches in 2021. The research, from Tenable’s Security Response Teams, found a considerable increase in breach incidents, with 1,825 data breach incidents publicly disclosed between November 2020 and October 2021, compared with the same period in 2020, which saw 730 publicly disclosed events with just over 22 billion records exposed. The research also found that healthcare and education remain the most-targeted industries worldwide, but in APAC, the technology industry a…
A Quick Look at the New OWASP Top 10 for 2021
K2io Blog
by Pravin Madhani, CEO and Co-Founder
2y ago
Back in September of 2021 we wrote that the OWASP working group had a draft of the latest Top 10 Web Application Security Risks, their first update since the 2017 revision. The working group finalized their list and published the final version a month later, in October of 2021. With the list out for a few months now, let’s take a quick look at what’s changed with the new OWASP Top 10. The Top 10 list for 2021 starts out with three new categories; four of the previous categories have been updated with naming and scoping changes, and there is some consolidation in a few categories, a…
The Final Count: Vulnerabilities Up Almost 10% in 2021
K2io Blog
by Pravin Madhani, CEO and Co-Founder
2y ago
Back on December 8, 2021, we reported that the number of recorded vulnerabilities in the NIST National Vulnerability Database (NVD) had hit a record high for a single year for the fifth year in a row. Now that 2021 has ended, we can see the final tally of vulnerabilities recorded for 2021. The year ended with a total of 20,061 vulnerabilities recorded, 9.3% over the prior year and the most ever recorded in any year since the database began. One of the surprises of the year was that the number of vulnerabilities rated with a high severity didn’t…
K2 can protect against Log4J without patching
K2io Blog
by Alex Begun, Chief Revenue Officer
2y ago
What is Log4J? With the continuous coverage, it is pretty certain by now that every 5th grader knows what Log4Shell is, but just in case you missed the news, it is a recently discovered vulnerability in LOG4J, a ubiquitous Java logging framework. The vulnerability has been given a CVSS score of 10, making it the most serious of discovered flaws. VentureBeat is reporting that Log4J attacks have been attempted on 44% of corporate networks. Log4J Vulnerability…
Log4Shell: A Detailed Analysis
K2io Blog
by Alex Begun, Chief Revenue Officer
2y ago
We recently wrote about the newly discovered vulnerability in LOG4J2 (also referred to as LOG4SHELL). Since we wrote our blog article, the LOG4SHELL vulnerability has been covered by major news outlets and is poised to pass both the Struts and Heartbleed vulnerabilities in terms of security and financial impact on organizations. Our previous blog article covered K2 Cyber Security’s ability to help detect the LOG4J2 library with K2 IAST (Interactive Application Security Testing) and also monitor and protect against attacks on LOG4J2 with K2 RASP (Runtime Application Self P…
Can Your IAST Do This?
K2io Blog
by Alex Begun, Chief Revenue Officer
2y ago
While Interactive Application Security Testing (IAST) is still a relatively new technology from the perspective of adoption, it has been around for over 10 years, and some of the aspects and capabilities of IAST are well understood, such as improved vulnerability detection, achieved by “looking” inside the application at runtime. Traditional IAST tools promise significant improvements in accuracy over SAST and DAST tools by using a runtime vantage point, which is important in validating securi…