All news with #appsec tag

Nine Essential Open-Source Security Tools for Teams

🔒 This article highlights nine widely used open-source security tools that help defenders identify vulnerabilities, analyze network traffic, perform forensic investigations, and manage threat intelligence. It stresses community-driven development and transparency as core advantages of open-source solutions and notes that independent review often speeds discovery and remediation. Representative tools covered include ZAP, Wireshark, BloodHound, Autopsy, MISP, Let's Encrypt, GnuPG, Yara and osquery, with attention to extensibility, multi-platform support, and practical deployment considerations for security teams.

Browser Extension Management: Enterprise Buyer's Guide

🔒 Browser extensions present a significant, often unmonitored enterprise risk: they can run privileged code, inject scripts into web apps, access cookies and local storage, and persist via background processes. Keep Aware offers a Buyer’s Guide to Browser Extension Management that outlines these technical attack surfaces and illustrates how to reduce exposure. The guide compares common controls — GPO/MDM, EDR, enterprise browsers — with purpose-built browser security extensions to show trade-offs between visibility, enforcement, and user experience.

Four-Step EASM Framework to Reduce External Cyber Risk

🔍 External Attack Surface Management (EASM) requires a continuous, automated approach to discover internet-facing assets, detect vulnerabilities and prioritize remediation. The article outlines a practical four-step process — identify and classify assets, risk detection, risk assessment, and prioritization and remediation — to reduce external cyber risk. A real-world Jenkins misconfiguration illustrates how shadow IT and configuration changes can expose sensitive data, and why centralized, recurrent EASM platforms that integrate with existing workflows and provide actionable guidance are essential. Effective defense combines fast MTTD from tools with responsive teams to achieve timely MTTR.

Secure-by-Default: Simple Defaults to Shrink Attack Surface

🔒 This article argues that adopting a security-by-default mindset—setting deny-by-default policies, enforcing MFA, and employing application Ringfencing™—can eliminate whole categories of risk early. Simple changes like disabling Office macros, removing local admin rights, and blocking outbound server traffic create a hardened environment attackers can’t easily penetrate. The author recommends pairing secure defaults with continuous patching and monitored EDR/MDR for comprehensive defense.

When Browsers Become the Attack Surface: Rethinking Security

🔒 As enterprises shift more critical work to the browser, adversary Scattered Spider (UNC3944) targets live browser data—saved credentials, calendars, and session tokens—to achieve account takeover and persistent access. The article highlights techniques like Browser-in-the-Browser overlays, JavaScript injection, malicious extensions, and token theft that evade conventional EDR. It recommends elevating browser-native controls: runtime JavaScript protection, session-token binding, extension governance, API restrictions, and integrated browser telemetry so CISOs treat browser security as a primary defense layer.

Webinar: Code-to-Cloud Visibility — Foundation for AppSec

🔒 Join a focused 60-minute webinar on September 18, 2025 at 2 PM EST to learn why leading teams are prioritizing code-to-cloud visibility to reduce app risk and accelerate remediation. Experts will share practical steps to map code issues to cloud behavior, prioritize critical applications and automate fixes to shrink vulnerability counts and remediation time. Attendees receive a free ASPM checklist and a recording to apply learnings immediately.

Securing Cloud-Native Workloads From Code to Runtime

🔒 Lacework FortiCNAPP unifies CSPM, CWP, CIEM, and CDR to secure cloud-native workloads from development through runtime. It integrates with CI/CD pipelines to scan IaC, container images, and libraries, and leverages FortiDevSec for static and dynamic testing so vulnerabilities are caught before deployment. At runtime, behavior-based workload protection, cloud audit log analysis, and Fortinet Composite Alerts produce high-fidelity detections, while FortiWeb and automation via FortiSOAR enable edge blocking and orchestrated remediation.

YARA-X 1.0.0 Stable Release: Faster, Safer YARA Now

🚀YARA-X 1.0.0 is now stable, delivering a Rust-based, memory-safe engine while preserving broad compatibility with existing YARA rules. YARA-X runs heavy regular expressions and deep loops roughly 5–10× faster than the legacy YARA 4.x engine and returns clearer, line-accurate error messages. The CLI adds colored output, JSON/YAML dumps, shell completions and a built-in formatter to improve tooling and developer workflows. VirusTotal reports stable, production use in Livehunt and Retrohunt at scale and encourages users to test and provide feedback.

Code Insight Expands to Cover Software Supply Chain Risks

🛡️ VirusTotal’s Code Insight now analyzes a broader set of software supply chain formats — including CRX, XPI, VSIX, Python WHL, NPM packages, and MCP protocol integrations. The tool inspects code logic to detect obfuscation, dynamic code fetching, credential theft, and remote command execution in extensions and packages. Recent findings include malicious Chrome and Firefox extensions, a deceptive VS Code extension, and compromised Python and NPM packages. This capability complements traditional signature- and ML-based classification by surfacing behavior-based risks.

CISA Seeks Update to SBOM Minimum Requirements Guidance

📝 CISA has issued a request for public comment on an updated guideline defining minimum elements for a software bill of materials (SBOM), intending to reflect advances in tooling and wider adoption since the 2021 NTIA document. The effort traces to President Biden’s EO 14028 and subsequent OMB guidance (M-22-18) requiring improved software supply chain security. Recent shifts in leadership and the OpenSSF’s announcement about the SBOM working group have reshaped the community landscape. Stakeholders may submit comments through October 3, 2025.

postMessage Risks: Token Exposure and Trust Boundaries

🔒 MSRC presents a deep dive into misconfigured postMessage handlers across Microsoft services and the systemic risk posed by overly permissive trust models. The report, authored by Jhilakshi Sharma on August 25, 2025, documents token exfiltration, XSS, and cross-tenant impact in real-world case studies including Bing Travel, web.kusto.windows.net, and Teams apps. It summarizes mitigations such as removing vulnerable packages, tightening Teams app manifests, enforcing strict origin checks for postMessage, and applying CSP constraints to reduce attack surface.

Mesh Messaging Apps: Use Cases, Risks, and Best Practices

📡 Decentralized peer-to-peer "mesh" messaging apps let nearby phones communicate without internet using Bluetooth or Wi‑Fi Direct. Popular and emerging apps — including BitChat, Bridgefy, Briar, and White Mouse — offer offline messaging with varying privacy features and tradeoffs. While useful for disasters, festivals, or local coordination, these tools have limited range, higher battery use, and mixed encryption reliability; favor open-source and independently audited projects.

CISA Seeks Comment on Updated SBOM Minimum Elements

📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.

Tackling the National Gap in Software Understanding

🔍 CISA, with partners including DARPA, OUSD R&E, and the NSA, is leading an interagency effort to close a national gap in software understanding that endangers critical infrastructure. A new Sandia National Laboratories report, The National Need for Software Understanding, describes the gap’s causes, risks, and options for remediation. CISA urges manufacturers to design software for independent analysis and invites experts and mission owners to engage on research priorities.

AI-Assisted Coding: Productivity Gains and Persistent Risks

🛠️ Martin Lee recounts a weekend experiment using an AI agent to assist with a personal software project. The model provided valuable architectural guidance, flawless boilerplate, and resolved a tricky threading issue, delivering a clear productivity lift. However, generated code failed to match real library APIs, used incorrect parameters and fictional functions, and lacked sufficient input validation. After manual debugging Lee produced a working but not security-hardened prototype, highlighting remaining risks.

Hidden Risks of Browser Extensions and How to Stay Safe

🔒 Browser extensions can provide useful features but also expose users and organizations to significant risk. Malicious or compromised add-ons may steal credentials, session cookies, and browsing data, inject ads or malware, redirect users, or run background tasks like cryptomining. Scrutinize developer credentials and permissions, prefer official web stores, keep browsers updated, and enable security software and MFA.

MSRC Announces 2025 Most Valuable Security Researchers

🏆 The Microsoft Security Response Center (MSRC) announced its 2025 Most Valuable Researchers (MVRs), recognizing security researchers who submitted valid vulnerability reports under Coordinated Vulnerability Disclosure. The Top 10 MVRs were ranked by total points earned for valid reports submitted between July 1, 2024 and June 30, 2025, and MSRC also highlights annual Technical Leaderboards by product area such as Azure, Office, Windows, and Dynamics 365. Awardees receive digital badges and MSRC swag boxes, and badges recognize achievements for Accuracy, Impact, and Volume.

Chrome on Android: Advanced Protection Enhancements

🔒 Android's Advanced Protection extends Google's device-level security and integrates with Chrome on Android, enabling three core protections to guard high-risk users such as journalists and officials. It forces HTTPS via the Always Use Secure Connections mode, turns on full Site Isolation for devices with 4GB+ RAM, and reduces attack surface by disabling V8's higher-level JavaScript optimizers. Settings are available on Android 16 in Chrome 137+, and enterprises can control behaviors via policies while affected users should enable automatic updates and join the Advanced Protection Program for maximum defense. These measures trade some performance for stronger exploitation resistance.

Rising Star: Dylan, MSRC’s Youngest Security Researcher

🔒 At 13, Dylan became the youngest researcher to collaborate with the Microsoft Security Response Center (MSRC), demonstrating notable technical skill, persistence, and professional communication. He progressed from Scratch to HTML and source-code analysis, discovering vulnerabilities in Teams and other services and reporting them responsibly. His findings influenced bug bounty terms to admit younger researchers while he continues to balance school, competitions, and extracurriculars.

Android security and privacy updates in 2025 — protections

🔒 Google outlines a suite of Android security and privacy enhancements for 2025, focused on countering scams, fraud, and device theft. New in-call protections block risky actions during calls with unknown contacts, and a UK pilot will extend screen-sharing warnings to participating banking apps. AI-powered Scam Detection in Google Messages has been expanded and runs on-device to preserve privacy, while a new Key Verifier enables public-key verification for end-to-end encrypted messages. Additional theft protections, Advanced Protection device settings, and updates to Google Play Protect round out the release.