Security

The Biden administration’s new cybersecurity strategy shifts liability toward software vendors, and developers need to pay attention.

A massive ransomware campaign is exploiting a two-year-old VMware ESXi vulnerability, and the scale of unpatched systems is alarming.

CircleCI discloses a security incident and urges all customers to immediately rotate secrets stored in the platform. A reminder of the risks in our CI/CD supply chain.

LastPass reveals attackers obtained copies of customer vault data, turning an already serious breach into one of the worst password manager incidents in history.

A year after Log4Shell shook the software industry, we examine what’s improved in supply chain security — and what still keeps us up at night.

The OpenSSL 3.0.7 patch for CVE-2022-3602 and CVE-2022-3786 arrived this week — here’s what happened and what it teaches us about vulnerability response.

A teenager allegedly breached Uber’s internal systems through social engineering and MFA fatigue, exposing fundamental weaknesses in how we think about authentication.

Twilio’s breach through a sophisticated phishing attack targeting employees raises hard questions about SMS-based authentication and supply chain trust.

Cloudflare mitigated the largest HTTPS DDoS attack ever recorded at 26 million requests per second. The Mantis botnet represents a new generation of volumetric threats.

CVE-2022-30190, dubbed Follina, exploits Microsoft’s diagnostic tool through Office documents — no macros required.

Heroku’s OAuth token breach exposes the fragile trust chain in platform-as-a-service dependencies and what it means for developers.

A critical RCE vulnerability in Spring Framework has the internet in panic mode, but the actual risk profile is more nuanced than the Log4Shell comparisons suggest.