Threat Modeling | Breaking Cybersecurity News | The Hacker News

Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources. "This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," the Microsoft Security Response Center (MSRC) said in a guidance issued last week. "Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer's origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests." The statement comes in response to findings from cybersecurity firm Tenable, which found that Azure customers whose firewall rules rely on Azure Service Tags could be bypassed. There is no evidence t

In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are not just trends but the new norm. Amidst this backdrop, a critical aspect subtly weaves into the narrative — the handling of non-human identities. The need to manage API keys, passwords, and other sensitive data becomes more than a checklist item yet is often overshadowed by the sprint toward quicker releases and cutting-edge features. The challenge is clear: How do software teams maintain the sanctity of secrets without slowing down their stride? Challenges in the development stage of non-human identities The pressure to deliver rapidly in organizations today can lead developers to take shortcuts, compromising security. Secrets are the credentials used for non-human identities. Some stan

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

With the growing reliance on web applications and digital platforms, the use of application programming interfaces (APIs) has become increasingly popular. If you aren't familiar with the term, APIs allow applications to communicate with each other and they play a vital role in modern software development. However, the rise of API use has also led to an increase in the number of API breaches. These breaches occur when unauthorized individuals or systems gain access to an API and the data it contains. And as victims can attest, breaches can have devastating consequences for both businesses and individuals. One of the primary concerns with API breaches is the exposure of sensitive data. APIs often contain or provide access to personal or financial information, and if this data falls into the wrong hands, it can be used for fraudulent activities or identity theft. API breaches can also lead to severe reputational damage for businesses. Customers and stakeholders expect their informatio