Google Accelerates Timeline for Vulnerability Detail Release
Robert (RJ) Jeffries | June 04, 2013
On May 29, 2013, Google announced plans to increase the pace of their disclosure timeline for observed zero day vulnerabilities. The measure appears to specifically target issues that were previously unknown and are actively under attack. Basing this action on their standing recommendation to provide patches within 60 days of discovery, the Internet giant appears to be taking the stance that they will release details of critical vulnerabilities under active exploitation within seven days of the time they are first observed if the vendor cannot release a patch. According to the article, the premise for this new action is that the longer zero day vulnerabilities go unannounced, the more systems...
Tags: patch, vulnerabilities, zero-day
A Security Incident is Not Over…Even When It’s Over
Rob Kraus | April 02, 2013
In the past few months, Solutionary has seen a great increase in the number of clients taking advantage of our Security Engineering Research Team (SERT) incident response support. Mitigating an active attack is certainly enough to keep organizations entertained for quite a bit of time, but when the attacks are over, is it time to relax?
If you are doing this correctly, your answer should be “no.”
Preparing for and mitigating attacks when they materialize is just the start. Many organizations fail to realize that after the attacks are over, a lot more work is still required. As an example, let’s say your organization identified a successful SQL injection attack allowing attackers to steal your data. You’ve found the vulnerability, patched it, and are ready to move on with your day-to-day organizational agenda,...
Tags: attack, attackers, security best practices, security tips, SERT, vulnerabilities, vulnerability management
Java and Security – 17 Years in (brief) Review
Robert (RJ) Jeffries | March 21, 2013
There has been a lot of time and energy spent lately on responding to matters relating to Java and the platform’s security. We took a look at how many vulnerabilities were released for the platform going back to 1996. No really big surprise here. There were a lot of them. In fact, this past month (February 2013) we saw a higher number of Java vulnerabilities released in a single month than in any other single month prior.
My suspicion is that the problems currently facing the Java platform probably have more to do with its success than with some fundamental design error or security flaw. The recent surge in Java vulnerability submissions to the National Vulnerability Database could also be ascribed to a response from the security community as awareness of the situation has matured. One way to find out would be to take a closer look and perform a detailed, comparative analysis of the vulnerabilities identified and remediated between versions of Java over time. In...
Tags: Java, java 0-day, java vulnerability, vulnerabilities, zero-day
Security is Not Just External - Don't Forget the "Other" Security
Jon-Louis Heimerl | November 20, 2012
We have been inundated lately with a series of technical vulnerabilities that affect the environments of organizations around the world. The technical threat is real, active, and seemingly unavoidable.
But let’s not forget that external attacks are not our only worry. Most security nuts have been saying for years that our biggest threat is not external. The “insider threat” is the one that we have to worry about, right? I will take that a step further when I repeat myself. One of the biggest threats that we face in an ongoing manner is “the oops”. I have written about this before, but if I think now about 10 of the biggest breaches of which I have personal knowledge, that number includes six “oopses”, three internal breaches, and one external breach.
60% oopses is a little high, but the real numbers might surprise you. From 2005 until September of 2012,...
Tags: malware, vulnerability, internal security, vulnerabilities
Continued PCI ASV Certification and Increased Compliance Efforts
Court Little | October 16, 2012
For nine years running, Solutionary has passed the PCI ASV lab test. It's been nine years since we received our first certification – even before PCI was formed and MasterCard used to run the scanning lab under the Site Data Protection (SDP) program.
As PCI forges ahead, we have been busy increasing and expanding our ASV program including a fully PCI-compliant workflow system built into the ActiveGuard® portal. This lets clients manage false positives, undocumented services, special notes and much more. It’s a breeze, seamlessly integrating your interaction with the findings and the Solutionary Operation...
Tags: PCI, PCI Compliance, Solutionary, vulnerabilities, ASV, PCI DSS, scanning