Security Boulevard

The Shift from Compliance-Driven GRC to Dynamic Cyber Risk Management

The world of cybersecurity has undergone a dramatic transformation, moving beyond simple checklists and technical jargon. The focus has shifted from siloed governance, risk, and compliance (GRC) exercises to cyber risk management that aligns security with business priorities. This transition was a key topic in the recent webinar, The Next-Gen CISO’s Guide to Cyber ROI, where experts discussed how organizations must adopt a risk-first mindset rather than a compliance-driven approach.

The post Best Practices for Cyber Risk Management: Why CISOs Must Lead with Real-time Data appeared first on Security Boulevard.

Overview Recently, NSFOCUS CERT detected that the Babuk2 group has been frequently publishing sensitive data of several well-known organizations on its dark web site. The data is from multiple sectors, including government, finance, internet, healthcare, and education, across various countries and regions. Up to this month, at least 71 victims’ data has been disclosed, and […]

The post A Deep Analysis of the Ransomware Group Babuk2’s Recent Activities appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post A Deep Analysis of the Ransomware Group Babuk2’s Recent Activities appeared first on Security Boulevard.

The story of Identity and Access Management (IAM) could be made into a movie with all the drama. The industry and its players have gone from behind-the-scenes underdogs to starring roles. IAM, once just a part of IT, is now arguably the essential element in the security strategies of every organization today, navigating through a...

The post The rise of identity and access management: How IAM evolved to being the new perimeter of cybersecurity appeared first on Strata.io.

The post The rise of identity and access management: How IAM evolved to being the new perimeter of cybersecurity appeared first on Security Boulevard.

How Can Non-Human Identities Improve Access Control Compliance? Is it possible that non-human identities (NHIs) could help elevate your organization’s security outlook? when businesses across various sectors like healthcare, finance, and travel increasingly shift to cloud computing, the strategic importance of sound NHI management cannot be overstated. Navigating the Complexities of NHIs and Secrets Security […]

The post How do I manage access controls for NHIs to meet compliance requirements? appeared first on Entro.

The post How do I manage access controls for NHIs to meet compliance requirements? appeared first on Security Boulevard.

Why Should Staff Be Trained on Non-Human Identities Compliance? Imagine a business environment where machine identities seamlessly communicate with each other, ensuring the smooth running of essential processes. Wouldn’t it be wonderful if they could run securely, free from the threat of security breaches and data leaks? This ideal scenario can become a reality if […]

The post What training is necessary for staff regarding NHI compliance? appeared first on Entro.

The post What training is necessary for staff regarding NHI compliance? appeared first on Security Boulevard.

How Crucial are Non-Human Identities Compliance Metrics? Could you imagine navigating an unknown city without a map? The same goes for managing cybersecurity in our cloud-driven enterprises today. Without clear metrics, we may lose our way amidst the immense array of non-human identities (NHIs) and secrets sprawling within digital. Therefore, Non-Human Identities compliance metrics become […]

The post What metrics should be tracked to ensure NHI compliance? appeared first on Entro.

The post What metrics should be tracked to ensure NHI compliance? appeared first on Security Boulevard.

With recent advancements in AI systems capable of easily solving visual, text, and audio challenges, CAPTCHA can’t offer the level of protection it did when conceived.

The post CAPTCHA’s Demise: Multi-Modal AI is Breaking Traditional Bot Management appeared first on Security Boulevard.

Forrester just published its 2025 Web application Firewall Wave. As a former industry analyst, and as a contributor on the vendor side for Imperva (cough, a leader in the report, cough), let me share some reactions on the shape of this report. The Center of the Universe The first top level header (H1 in the […]

The post The 2025 WAF Wave from the Other Side appeared first on Blog.

The post The 2025 WAF Wave from the Other Side appeared first on Security Boulevard.

Just because you work in a security operations center (SOC) doesn’t mean you have to waste your time chasing  dragons. And by “dragons,” we mean the traditional SOC’s difficulty identifying cyberattacks that originate in the black box of the application layer. 

The post How Contrast ADR Speeds up SOC Incident Response Time| SOC Challenges From Alert Fatigue to Application-Layer Visibility | Contrast Security appeared first on Security Boulevard.

Unlock and structure unstructured data with Tonic Textual on the Databricks Marketplace. Streamline AI workflows now.

The post Tonic Textual is now on the Databricks Marketplace: unstructured data, meet easy ingestion appeared first on Security Boulevard.

Author/Presenter: Ira Victor

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – IATC – Security Trek: The Next Generation appeared first on Security Boulevard.

ManagedMethods Helps Compass’s IT Team Save Time While Keeping Data Secure and Students Safe Compass Charter Schools are fully online TK-12 public charter schools in California. Compass serves about 2,400 students and employs 215 faculty and staff. From a technology standpoint, the schools rely heavily on Google Workspace for Education for instruction, communication, and collaboration. ...

The post A Smarter Approach to Google Cybersecurity & Student Safety at Compass Charter Schools appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post A Smarter Approach to Google Cybersecurity & Student Safety at Compass Charter Schools appeared first on Security Boulevard.

Backdoored Juniper networking devices are at the center of two major cybersecurity stories that highlight the ongoing vulnerability and active targeting of network infrastructure by cyber adversaries. J-Magic and TINYSHELL The first story broke in January 2025, when researchers at Black Lotus Labs, a research arm of the ISP Lumen Technologies, revealed information about an […]

The post Juniper Routers, Network Devices Targeted with Custom Backdoors appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

The post Juniper Routers, Network Devices Targeted with Custom Backdoors appeared first on Security Boulevard.

CodeSonar 9.0 is an exciting upgrade, with increased analysis performance, improved DISA STIG reporting, and Android 15 support. We recommend customers update to this version of CodeSonar as soon as possible to get access to these benefits. Explore the latest features and enhancements in CodeSonar 9.0! Analysis Up to 20% performance improvements for analysis. Android…

The post What’s New in CodeSonar 9.0 appeared first on CodeSecure.

The post What’s New in CodeSonar 9.0 appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Square Units’ appeared first on Security Boulevard.

IntroductionOn March 21, 2025, a critical vulnerability, CVE-2025-29927, was publicly disclosed with a CVSS score of 9.1, signifying high severity. Discovered by security researcher Rachid Allam, the flaw enables attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. This poses a risk to applications that rely on Middleware to enforce user authorization, validate session data, control route access, handle redirections, and manage UI visibility based on user roles or permissions. RecommendationsUsers whose applications leverage Next.js Middleware for authorization are strongly urged to: Update applications: Upgrade to the patched version listed in the affected versions section below.Stop header exploits: For applications running version greater than 11.1.4 and less than or equal to 13.5.6, where no secure version is available, configure load balancers or web servers to block external requests containing the x-middleware-subrequest header from reaching the Next.js application.Affected VersionsThe following table describes impacted Next.js versions, along with a corresponding patched version.Impacted VersionPatched Version%26gt; 11.1.4 %26lt;= 13.5.6None%26gt; 12.0 %26lt; 12.3.512.3.5%26gt; 13.0 %26lt; 13.5.913.5.9%26gt; 14.0 %26lt; 14.2.2514.2.25%26gt; 15.0 %26lt; 15.2.315.2.3Table 1: Table of impacted Next.js versions and their corresponding patched versions.BackgroundCVE-2025-29927 is an authorization bypass that allows attackers to circumvent Next.js Middleware controls entirely. By including a specially crafted x-middleware-subrequest HTTP header in requests, attackers can bypass authorization checks and gain unauthorized access to protected resources.Potential impacts of this vulnerability include:Unauthorized access: Attackers could gain access to private resources, APIs, or restricted application areas.Data exposure: Exploiting this flaw could lead to the theft of sensitive user information.Privilege escalation: Attackers might execute malicious actions, such as accessing administrative features or altering server states.Content Security Policy (CSP) Bypass: Middleware could be manipulated to modify CSP headers or cookies, potentially compromising application integrity.Cache poisoning: In certain configurations, attackers could exploit Middleware to force the caching of 404 responses in applications using a CDN between the Next.js application and the end user. This could render application pages unavailable, impacting their availability and disrupting user experience.How It WorksThe vulnerability stems from how Next.js Middleware handles requests through the runMiddleware function. This function evaluates the x-middleware-subrequest header from incoming requests to decide whether middleware checks should be enforced. The header value is split using a colon (:) as a delimiter and compared against the middlewareInfo.name, which represents the path or location of the middleware component. If the comparison matches, the request bypasses authorization checks and proceeds directly to its destination. The figure below shows a diagram of the attack flow.Figure 1: A diagram of the attack flow where an attacker abuses CVE-2025-29927.Originally designed to prevent infinite loops in recursive requests, this mechanism unintentionally introduced a loophole. Attackers can craft malicious x-middleware-subrequest headers to exploit this flaw, bypassing middleware controls and gaining unauthorized access to protected resources. The code enabling this vulnerability is shown in the figure below:Figure 2: Next.js Middleware code that enables CVE-2025-29927.Evolution of Middleware file naming and header parsingEarlier Versions (Pre 12.2): In early versions of Next.js (prior to 12.2), middleware files were named _middleware.ts, and only the Pages Router was available. During this period, the middlewareInfo.name value could be determined as pages/_middleware.ts. Attackers could craft a request header like the one below to bypass authorization checks: x-middleware-subrequest: pages/_middleware Next.js 12.2 and later: Starting with version 12.2, Next.js introduced changes to middleware file naming conventions, dropping the underscore (_) prefix. Middleware files became middleware.ts and could also be placed in a /src directory. The middlewareInfo.name could now be guessed as middleware or src/middleware. The corresponding crafted headers to bypass authorization are the following: x-middleware-subrequest: middleware x-middleware-subrequest: src/middleware Latest versions: In recent versions of Next.js, the logic for parsing the x-middleware-subrequest header evolved. The header value is still split using (:) as a delimiter, but the length of the resulting array (“depth”) is compared to a constant called MAX_RECURSION_DEPTH (defaulting to 5). This is done to calculate the number of subrequests and avoid an infinite loop condition. Middleware checks are applied only if the depth exceeds this threshold. Attackers exploit this logic by including repeated entries in the header to meet the required depth while bypassing middleware checks. For example: x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middlewareThe patchThe implemented fix addresses the vulnerability through two key components:Internal header stripping: All HTTP headers intended for internal use, like x-middleware-subrequest, are stripped from external requests during processing.String validation: The x-middleware-subrequest value is now validated against a randomly generated hexadecimal string, ensuring that only legitimate session requests pass authorization checks.This patch effectively mitigates the authorization bypass and ensures that Middleware components cannot be exploited using tampered request headers. The patched code is shown in the figure below:Figure 3: The patched code corresponds to version 15.2.3 of Next.js Middleware.ConclusionCVE-2025-29927 poses a risk to applications using Next.js Middleware for authorization, especially self-hosted instances. Middleware should supplement, not replace, robust security measures placed closer to the data source. The impact variation across hosting platforms highlights the need to consider deployment context in security planning.Zscaler CoverageThe Zscaler ThreatLabz team has deployed protection for CVE-2025-29927.Zscaler Private Access AppProtection6000919: Next.js Middleware Authorization Bypass (CVE-2025-29927)

The post CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw appeared first on Security Boulevard.

​23andMe, the prominent consumer genetic testing company, filed for Chapter 11 bankruptcy on March 23, 2025, due to declining demand for its services and a significant data breach affecting millions of users. Co-founder Anne Wojcicki resigned as CEO but remains on the company’s board. Implications for Customer Genetic Data The bankruptcy raises concerns about the […]

The post Deleting DNA Data From 23andMe appeared first on Centraleyes.

The post Deleting DNA Data From 23andMe appeared first on Security Boulevard.

Threat actors are continuously evolving their tactics to exploit vulnerabilities and gain unauthorized access. That increasingly involves attacks targeting the software supply chain.

The post The Essential Role of Supply Chain Security in ASPM appeared first on Cycode.

The post The Essential Role of Supply Chain Security in ASPM appeared first on Security Boulevard.

Three powerful AI tools enable analysts to automate complex binary analysis. See how security teams can reverse engineer without additional headcount.

The post AI Can Now Reverse Engineer Malware – 3 Tools For Your Arsenal appeared first on Security Boulevard.

Author/Presenter: Emma Stewart Ph.D.

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – IATC – Living With the Enemy – How To Protect Yourself (And Energy Systems) appeared first on Security Boulevard.