Aggregator
Zhiqi'an's first product launch event: see you on December 23
8 months 2 weeks ago
The company has existed for a little over three years and is about to hold its first product launch event. We had hesitated about holding one. After all, the decision chain in the B2B market is long; nobody places a purchase order on impulse because of a launch event. On the contrary, the people in the audience may all be competitors, while customers are busy writing their year-end summaries. There is this
Global leader! 威努特 rated a 2024 "Pilot Star" quality enterprise
8 months 2 weeks ago
Scaling new heights in the vast global market.
Daily Dose of Dark Web Informer - December 19th, 2024
8 months 2 weeks ago
This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.
Dark Web Informer - Cyber Threat Intelligence
CVE-2024-51127 | hornetq 2.4.9 createTempFile information disclosure (Nessus ID 213259)
8 months 2 weeks ago
A vulnerability has been found in hornetq 2.4.9 and classified as problematic. Affected by this vulnerability is the function createTempFile. The manipulation leads to information disclosure.
This vulnerability is known as CVE-2024-51127. The attack needs to be done within the local network. There is no exploit available.
vuldb.com
CVE-2002-2385 | Hotfoon 4.0 URL hotfoon4.exe memory corruption (EDB-22010 / XFDB-10593)
8 months 2 weeks ago
A vulnerability, which was classified as critical, has been found in Hotfoon 4.0. This issue affects some unknown processing of the file hotfoon4.exe of the component URL Handler. The manipulation leads to memory corruption.
The identification of this vulnerability is CVE-2002-2385. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
OT/ICS Engineering Workstations Face Barrage of Fresh Malware
8 months 2 weeks ago
Cyberattacks against OT/ICS engineering workstations are widely underestimated, according to researchers who discovered malware designed to shut down Siemens workstation engineering processes.
Becky Bracken, Senior Editor, Dark Reading
A Threat Actor Claims to be Selling Forti VPN Access to an Unidentified Company in USA
8 months 2 weeks ago
Dark Web Informer - Cyber Threat Intelligence
The NCSC delivers all recommendations following IPAC review
8 months 2 weeks ago
The GCSB’s National Cyber Security Centre (NCSC) has implemented all improvements identified by the review of malicious cyber activity targeting members of the Inter-Parliamentary Alliance on China (IPAC).
CVE-2024-54984 | Quectel BG96 BG96MAR02A08M1G NAS Message improper authentication
8 months 2 weeks ago
A vulnerability was found in Quectel BG96 BG96MAR02A08M1G. It has been rated as critical. This issue affects some unknown processing of the component NAS Message Handler. The manipulation leads to improper authentication.
The identification of this vulnerability is CVE-2024-54984. Access to the local network is required for this attack to succeed. There is no exploit available.
vuldb.com
CVE-2024-54983 | Quectel BC95-CNV V100R001C00SPC051 NAS Message improper authentication
8 months 2 weeks ago
A vulnerability was found in Quectel BC95-CNV V100R001C00SPC051. It has been declared as critical. This vulnerability affects unknown code of the component NAS Message Handler. The manipulation leads to improper authentication.
This vulnerability was named CVE-2024-54983. Access to the local network is required for this attack. There is no exploit available.
vuldb.com
CVE-2024-54663 | Zimbra Collaboration Suite 9.0/10.0/10.1 Webmail Classic UI /h/rest file inclusion
8 months 2 weeks ago
A vulnerability was found in Zimbra Collaboration Suite 9.0/10.0/10.1. It has been classified as problematic. This affects an unknown part of the file /h/rest of the component Webmail Classic UI. The manipulation leads to file inclusion.
This vulnerability is uniquely identified as CVE-2024-54663. It is possible to initiate the attack remotely. There is no exploit available.
vuldb.com
Fortinet Addresses Unpatched Critical RCE Vector
8 months 2 weeks ago
Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.
Tara Seals, Managing Editor, News, Dark Reading
CVE-2024-12700 | Tibbo AggreGate Network Manager up to 6.34.02 unrestricted upload (icsa-24-354-05)
8 months 2 weeks ago
A vulnerability was found in Tibbo AggreGate Network Manager up to 6.34.02 and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to unrestricted upload.
This vulnerability is handled as CVE-2024-12700. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2024-54982 | Quectel BC25 BC25PAR01A06 NAS Message improper authentication
8 months 2 weeks ago
A vulnerability has been found in Quectel BC25 BC25PAR01A06 and classified as critical. Affected by this vulnerability is an unknown functionality of the component NAS Message Handler. The manipulation leads to improper authentication.
This vulnerability is known as CVE-2024-54982. The attack can be launched remotely. There is no exploit available.
vuldb.com
SDL Question 39/100: How to demonstrate the results or effectiveness of SDL?
8 months 2 weeks ago
Before discussing the effectiveness of SDL, recall the original intent of implementing it: to identify and resolve vulnerabilities and potential security risks as early and as comprehensively as possible at every stage of software development, and thereby change the old pattern of constantly responding to security incidents after software goes live. From this intent, at least three key effectiveness metrics can be derived:
1. Number of vulnerabilities: the number of vulnerabilities found in the same period before and after SDL was implemented, showing the improvement in vulnerability-discovery capability that SDL brings;
2. Vulnerability fix rate: the fix rate of discovered vulnerabilities, again compared before and after SDL, showing the improvement the SDL process or measures bring in this respect;
3. Security incident rate: the number of externally discovered vulnerabilities before and after SDL, showing SDL's effect in lowering the rate of security incidents.
These are all outcome metrics. If the SDL programme is still being built out, process metrics can be added to demonstrate the benefits SDL brings:
1. Security testing coverage: the number of security test tickets before and after SDL, covering code audits, open-source component scanning, dynamic scanning, penetration testing and so on;
2. Vulnerability detection capability: detection capability before and after SDL, for example stronger detection of a certain class of vulnerability, or coverage where there was previously none.
In summary, all of the above metrics can serve as important bases for measuring the effectiveness of SDL. To show the trends and comparisons in these metrics more intuitively, present them with charts and other visualisations, so that the effect of the SDL implementation can be better understood and analysed.
For more software security content, see:
1. SDL 100 Questions: My story with SDL
SAST false positives are too high; how to solve this?
Who needs to participate in SDL?
Which security activities should be carried out in the design phase?
What good security design references are there?
How can security design requirements actually be put into practice?
What threat modeling methodologies are there?
How to choose an open-source component security scanning (SCA) tool?
The SCA tool reports many vulnerabilities; how to handle them?
The SCA tool identifies high-risk licenses; how to handle them?
How to select a code security scanning tool?
White-box testing tools have limitations; how to compensate?
What system should SCA run on: build in-house or buy?
Is there a good SDL platform?
Is Sonar easy to use, and what is its false-positive rate like?
How to push through updates of problematic jar packages?
What is the false-positive rate of SCA tools?
What experience is there in putting an R&D security process into practice?
How to persuade the business to complete checklist self-assessments?
SDL Question 38/100: Does SDL review code changes in projects?
2. SDL innovative practice series
First release! Research and practice of the "R&D security operations" architecture
Key to DevSecOps implementation: the R&D security team
Key to DevSecOps implementation: the R&D security process
Key to DevSecOps implementation: R&D security standards
R&D security from a security perspective
R&D security pain points under digital transformation