DevSecOps

We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes. Segment resources: https://fusionauth.io/docs/v...

Appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more!

In a bid to strengthen authentication and security measures against relay attacks and unauthorized network access, Microsoft has confirmed that it will be using Kerberos in place of the NT LAN Manager in Windows 11, The Hacker News reports.

It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan c...

How HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program.

Newly developed cybersecurity guidelines from the U.S. Department of Treasury, Cybersecurity and Infrastructure Security Agency, National Security Agency, and the FBI tackling open source software usage in industrial control systems and operational technology environments have recommended not only up-to-date patches and security updates for all OT and IT systems but also the application of "secure-by-design" and "secure-by-default" philosophies in software development, reports SecurityWeek.

Here’s a quick look at the pros and cons of ChatGPT and how developers can get started.

What if all these recommendations to shift left were more about shifting focus? It's all too easy to become preoccupied with vulns, whether figuring out how to find them earlier in the SDLC or spending time fixing them within specific number of days. Successful DevSecOps approaches can be so much more than just vulns and so much more than just tool...