Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Is your team drowning in container vulnerability noise? Are you spending a lot of time figuring out where to focus resources on and still missing dangerous vulnerabilities? Know that you are not alone. Container environments revolutionized app development by enabling unprecedented velocity, but not without a price. The use of readily available container images of third-party and open-source code enabled much faster cycles, but also facilitated the introduction of vulnerabilities in the application.

Vulnerabilities are everywhere. Vetting, mitigating, and remediating them at scale is exhausting for security practitioners. Let’s keep in mind that no organization has the capacity to find and fix all vulnerabilities. The key is to understand what a vulnerability is, interpret the meanings of the CVSS score, and prioritize and effectively use resources within constrained time limits or delivery windows. Since 2016, new vulnerabilities reported each year have nearly tripled.

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in previous versions.

As Synk announces its support of unmanaged dependencies (mostly C/C++ libraries), we thought it would be beneficial to introduce our non-C community to some common, high-risk dangers that lurk in the C world (get it?). Think of this as a “beginners guide” to C and C++ vulnerabilities, how they look, what problems they may cause, and how to fix them.

April Patch Tuesday brings 145 vulnerability fixes from Microsoft — the highest number in 19 months—including CVE-2022-26809, a critical remote code execution (RCE) vulnerability in Windows Remote Procedure Call (RPC) Runtime library that impacts all supported Windows products. Notably, Microsoft also released security updates for Windows 7, an end-of-life product since January 2020, which highlights the severity of CVE-2022-26809.

This is the second installment in Trustwave’s in-depth tour of our Security Colony platform. For a broad overview of what Security Colony offers please read 5 Ways CISOs Can Leverage the Power of Trustwave Security Colony. Self-evaluation in any area, much less cybersecurity, can be challenging. Is my performance at work strong and consistent? Am I being friendly to my neighbors?

When I look at IT security I can clearly see how it has changed, being today much more mature now than it’s ever been. Governments are working on policies and legislation forcing companies to prioritize IT security. As a result, the entire bug bounty community has bloomed in a way that I could never imagine, security researchers are now working together with companies to identify and mitigate vulnerabilities in a way that we have never done before.

On Monday, April 11, 2022, NGINX published a security blog post detailing three vulnerabilities in the NGINX LDAP reference implementation. NGINX is web server software that also performs reverse proxy, load balancing, email proxy, and HTTP cache services. No CVE has been assigned to these vulnerabilities at this time. The reference implementation uses Lightweight Directory Access Protocol (LDAP) to authenticate users of NGINX proxied applications.