Tag: Risk Based Security

  • CISA’s BOD 22-01: How to Prioritize 100 Vulnerabilities in Two Weeks

    [This was originally published on riskbasedsecurity.com, and had considerable edits/enhancements done by Curtis Kang.] CISA BOD 22-01 introduces the directive for government vendors to mitigate 292 CVE IDs, or 301 vulnerabilities, 100 of them within a short timeframe. It is well-meaning and brings potentially valuable focus, but it will put pressure on teams working with…

  • WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

    [This was originally published on the OSVDB blog.] On September 8, 2016, Jason Levy of WhiteSource Software published a blog titled “Open Source Vulnerability Database”. Almost two years later it came across my radar and I asked via Twitter if WhiteSource was interested in getting feedback on the blog, since it contained errata. They never…

  • You Didn’t Think the Sony Saga Was Over, Did You?

    [This was originally posted to the Risk Based Security blog. Unfortunately, no copy made it to the Internet Archive. A re-imagined version appeared on the Flashpoint Blog. The original is below.] On November 24th, 2014 a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nationwide, had signs…

  • Our Reports Clickbait? No. Click Here To Find Out Why…

    [This was originally posted to the Risk Based Security blog (now 404 and no IA copy), with contributions from Jake Kouns.] Last week, we published our 2018 mid-year report that included an overview of the vulnerabilities that we have tracked and included in VulnDB. We highlighted a key takeaway from the report in the title:…

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academia can grant, can still have very different expertise within that field. Society and science…

  • Badlock: The Day of Reckoning [Update #4]

    [This was originally published on the RBS Blog.] Word circulated earlier today that Badlock would be revealed at 1PM EST, which is curious given that Microsoft’s “Patch Tuesday” releases are not always public by that time. Almost ten minutes before 1PM, word of the patches being public was making the rounds. The three patches and associated…

  • Bad Luck Over The Upcoming Badlock Vulnerability?

    It has only been twenty-one days since the last named vulnerability (DROWN), and now we have the next one! Early on March 22nd, the security industry started hearing rumors of ‘Badlock’ and then the site announcing it began making the rounds. The domain was registered by Johannes Loxen out of Germany on March 11, 2016, to…

  • Yes, Font Files can Own Your Computer! For Over a Decade…

    [This was originally published on RiskBasedSecurity.com.] On February 5, the Cisco Talos research team published an advisory covering several vulnerabilities in the Graphite (a.k.a. libgraphite) project. According to the vendor page, it “is a ‘smart font’ system developed specifically to handle the complexities of lesser-known languages of the world.” This prompted the media and some in our industry to comment…

  • Our New Year Vulnerability “Trends” Prediction!

    [This was originally published on RiskBasedSecurity.com.] Shortly after a year closes out, the industry is treated to dozens of security companies that want to tell you all about vulnerability totals and trends from the previous year. In many cases, the companies offering the predictions are armchair experts of sorts, who do not aggregate vulnerability…

  • Reviewing the Secunia 2013 Vulnerability Review

    [This was originally published on the OSVDB blog.] On February 26, Secunia released their annual vulnerability report (link to report PDF) summarizing the computer security vulnerabilities they had cataloged over the 2013 calendar year. For those not familiar with their vulnerability database (VDB), we consider them a ‘specialty’ VDB rather than a ‘comprehensive’ VDB (e.g.…