2023 is a year of “digital forest fires.” The MOVEit and the Barracuda Networks’ email supply chain attacks underscore the massive butterfly effect a single software flaw can have on the threat landscape. Supply chain attacks spread like a forest fire. Once cybercriminals compromise widely used software, attackers gain access to potentially all organizations that use that software.
The Cybersecurity and Infrastructure Security Agency (CISA) just released a report highlighting the most commonly exploited vulnerabilities of 2022. With our role as a reverse proxy to a large portion of the Internet, Cloudflare is in a unique position to observe how the Common Vulnerabilities and Exposures (CVEs) mentioned by CISA are being exploited on the Internet. We wanted to share a bit of what we’ve learned.
Michigan State University is a large school located in East Lansing, Michigan. This public university has more than 49,000 students per semester and is set over a location spread across 5,300 acres. The university caters to hundreds of thousands of students over time, many of whom may have been exposed due to a recent data breach. The breach wasn't on the university itself, but it likely impacted many of the students attending Michigan State.
When you rely on a tool to support you in an intense situation, you probably want reassurance that it got tested for extreme conditions. For example, if you’re about to go skydiving, you'd want to know that the parachute strapped to your back underwent rigorous testing and will perform it's needed most. The same is true with the systems supporting our security initiatives. What happens when those systems are under high pressure in an emergency?
As organizations increasingly adopt continuous delivery practices and deploy code as often as every few seconds, the number of vulnerabilities in your code and the potential for them to go undetected increases. Not knowing which vulnerabilities to focus on can be extremely costly—both in terms of the resources needed to address them as well as the risk they pose for your system.
With the SEC's adoption of new rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies, one thing is clear: better definitions are required.
Let’s say you’ve built a PHP application, but you want to separate it from supporting infrastructure in a way that keeps things lightweight, portable, and still quite secure. You’d like other developers to be able to work on it without having to recreate whole environments. In short, what you want to do with your application is containerize it — package it and its dependencies into containers that can be easily shared across environments.
Over the last decade, many vulnerabilities were initially perceived as critical or high but later deemed less important due to different factors. One of the famous examples was the “Bash Shellshock” vulnerability discovered in 2014. Initially, it was considered a critical vulnerability due to its widespread impact and the potential for remote code execution.
