Search results for Commercial Security | Breaking Cybersecurity News | The Hacker News

Can you imagine launching a global bug bounty platform with almost 500,000 submissions and 13,000 researchers without consuming a cent from venture capitalists? If not, this success story is for you. The once skyrocketing bug bounty industry seems to be not in the best shape today. While prominent security researchers are talking about a growing multitude of hurdles they experience with the leading commercial bug bounty platforms, the latter are trying to reinvent themselves as "next-generation penetration testing" or similar services. You be the judge of how successful they will be. Generous venture funds have poured many millions into rapidly spending bug bounty startups that have not replaced Managed Penetration Testing (MPT) services (as some declared). However, these startups have positively improved the price/quality ratio of pen testing services on the global market. Amid the uncertainty for the future of commercial bug bounty platforms, the not-for-profit Op...

Chris Hoff, HacKid.org Leads UNITED Security Summit Award Winners Awards Recognize Outstanding Contributions to Propel the Information Security Industry Forward to Meet Future Challenges San Francisco, CA at the UNITED Security Summit – September 20, 2011 –  The first annual  UNITED Security Summit  included an awards ceremony at the official event party, held at Vessel, San Francisco last night. The UNITED Security Summit Awards focus on recognizing the contributions of individuals and organizations that are propelling the information security industry forward, building the level of preparedness in the face of the changing threat landscape.  Winners at the ceremony were recognized specifically for innovation, collaboration, investment in the future or in the industry in general, and leadership. “As a co-sponsor of the UNITED Security Summit awards and participant in the judging process, it’s exciting to see how innovative and collaborative companies in the secu...

While Gartner does not have a dedicated Magic Quadrant for Bug Bounties or Crowd Security Testing yet, Gartner Peer Insights already lists 24 vendors in the "Application Crowdtesting Services" category. We have compiled the top 5 most promising bug bounty platforms for those of you who are looking to enhance your existing software testing arsenal with knowledge and expertise from international security researchers:  1. HackerOne Being a unicorn backed by numerous reputable venture capitalists,  HackerOne  is probably the most well-known and recognized Bug Bounty brand in the world. According to their most recent annual report, over 1,700 companies trust the HackerOne platform to augment their in-house application security testing capacities. The report likewise says that their security researchers earned approximately $40 million in bounties in 2019 alone and $82 million cumulatively. HackerOne is also famous for hosting US government Bug Bounty programs, including ...

The crystal ball gazing has started early this year. Typically, tech prediction pieces emerge after Christmas, but the first 'security trends for 2011' missive has already dropped into my inbox. So, what does the somewhat premature Imperva Application Defense Center think will worry us the most on the IT security front next year? I predict the list will include more Stuxnet-like attacks, insights on the cloud's benefits or drawbacks, and concerns about mobile device security. Let's see if my crystal ball accurately predicts the predictions. Imperva ADC says the top 10 IT security trends for 2011 will be, with my comments in parentheses: Nation-Sponsored Hacking : (Yay, strike one - Stuxnet worm clones prediction right at the top.) These attacks will build on concepts and techniques from the commercial hacker industry to create more powerful Advanced Persistent Threats. (I predict someone will get a Buzzword Bingo full house with that one.) Insider Threat Awarenes...

Set of must-have online security tools that we believe may make a real difference to your cybersecurity program and improve your 2021 budget planning. In September, Gartner published a  list  of "Top 9 Security and Risk Trends for 2020" putting a bold emphasis on the growing complexity and size of the modern threat landscape. Incomplete visibility of external Attack surfaces led to the dramatic increase in disastrous breaches and data leaks during 2020, compromising PII and other sensitive data of millions of victims. These incidents stemmed from sophisticated intrusions by malicious nation-state actors and APT hacking groups, human error, and widespread misconfigurations exposing unprotected cloud storage or databases with confidential data to the Internet. Gartner's security analysts recommend automating laborious security tasks and processes, amid the ongoing shortage of cybersecurity skills, and promptly addressing emerging cloud and containers security risks.  G...

In the modern corporate IT environment, which relies on cloud connectivity, global connections and large volumes of data, the browser is now the most important work interface. The browser connects employees to managed resources, devices to the web, and the on-prem environment to the cloud one. Yet, and probably unsurprisingly, this browser prominence has significantly increased the number of threats that adversaries target the browser with. Attackers are now leveraging the browser's core functionality - rendering and executing web pages for users to access - to perform attacks. The browser is now an attack surface, as well as an attack vector for malicious access to corporate SaaS and web applications through account takeover and the use of compromised credentials. To address this issue, a new guide was recently published ( Download Here ). It analyzes what a solution to these threats would look like. The guide, "Protection from web-borne threats starts with Browser Securit...

Communication is a vital skill for any leader at an organization, regardless of seniority. For security leaders, this goes double. Communicating clearly works on multiple levels. On the one hand, security leaders and CISOs must be able to communicate strategies clearly – instructions, incident response plans, and security policies. On the other, they must be able to communicate the importance of security and the value of having robust defenses to the C-level.  For CISOs and other security leaders, this latter skill is crucial but often overlooked or not prioritized. A new webinar: " How to ace your Infosec board deck ," looks to shed light on both the importance of being able to communicate clearly with management, and key strategies to do so effectively. The webinar will feature a conversation with vCISO and Cybersecurity Consultant Dr. Eric Cole, as well as Norwest Venture Partners General Partner Dave Zilberman.  More so than just talking about the dollar value of a sec...

More and more organizations are choosing Google Workspace as their default employee toolset of choice. But despite the productivity advantages, this organizational action also incurs a new security debt. Security teams now have to find a way to adjust their security architecture to this new cloud workload. Some teams may rely on their existing network security solutions. According to a  new guide , this is a hit and a miss. Network solutions, the guide claims, just don't cover all SaaS and browsing requirements. Meanwhile, Google offers a wide range of native security functionalities built-in to Chrome. These functionalities enable the organization to leverage the browser for consolidating security, simplifying operations and reducing costs. If you're wary about trusting Chrome with your security, then the guide is recommended to read. In great detail, it explains which security features Chrome offers users. These include: Forcing users to sign into Chrome, to ensure the ...

For over a decade, application security teams have faced a brutal irony: the more advanced the detection tools became, the less useful their results proved to be. As alerts from static analysis tools, scanners, and CVE databases surged, the promise of better security grew more distant. In its place, a new reality took hold—one defined by alert fatigue and overwhelmed teams. According to OX Security's 2025 Application Security Benchmark Report , a staggering 95–98% of AppSec alerts do not require action - and may, in fact, be harming organizations more than helping. Our research, spanning over 101 million security findings across 178 organizations, shines a spotlight on a fundamental inefficiency in modern AppSec operations. Of nearly 570,000 average alerts per organization, just 202 represented true, critical issues. It's a startling conclusion that's hard to ignore: security teams are chasing shadows, wasting time, burning through budgets, and straining relations wit...

 Microsoft on Monday confirmed its plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of the year, as it announced a slew of new security measures to harden the widely-used desktop operating system. "Deprecating NTLM has been a huge ask from our security community as it will strengthen user authentication, and deprecation is planned in the second half of 2024," the tech giant  said . The Windows maker  originally announced  its decision to drop NTLM in favor of Kerberos for authentication in October 2023. NTLM's lack of support for cryptographic methods such as AES or SHA-256 notwithstanding, the protocol has also been rendered susceptible to relay attacks, a technique that has been widely exploited by the Russia-linked  APT28 actor  via zero-day flaws in Microsoft Outlook. Other changes coming to Windows 11 include enabling  Local Security Authority (LSA) protection  by default for new consumer devices and the use of v...

Think your WAF has you covered? Think again. This holiday season, unmonitored JavaScript is a critical oversight allowing attackers to steal payment data while your WAF and intrusion detection systems see nothing. With the 2025 shopping season weeks away, visibility gaps must close now. Get the complete Holiday Season Security Playbook here . Bottom Line Up Front The 2024 holiday season saw major attacks on website code: the Polyfill.io breach hit 500,000+ websites, and September's Cisco Magecart attack targeted holiday shoppers. These attacks exploited third-party code and online store weaknesses during peak shopping, when attacks jumped 690% . For 2025: What security steps and monitoring should online retailers take now to prevent similar attacks while still using the third-party tools they need? As holiday shopping traffic increases, companies strengthen their servers and networks, but a critical weak spot remains unwatched: the browser environment where malicious code r...

In yet another instance of threat actors repurposing legitimate tools for malicious purposes, it has been discovered that hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware. The company behind the software said a company that had recently purchased Shellter Elite licenses leaked their copy, prompting malicious actors to weaponize the tool for infostealer campaigns. An update has since been released to plug the issue. "Despite our rigorous vetting process – which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023 – we now find ourselves addressing this unfortunate situation," the Shellter Project Team said in a statement. The response comes shortly after Elastic Security Labs released a report about how the commercial evasion framework is being abused in the wild since April 2025 to propagate Lumma Stealer, Rhadamanthys Stealer, and SectopRAT (aka ArechClient2). Shellter is a pot...

U.S. President Joe Biden on Monday  signed an executive order  that restricts the use of commercial spyware by federal government agencies. The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person." It also seeks to ensure that the government's use of such tools is done in a manner that's "consistent with respect for the rule of law, human rights, and democratic norms and values." To that end, the order lays out the various criteria under which commercial spyware could be disqualified for use by U.S. government agencies. They include - The purchase of commercial spyware by a foreign government or person to target the U.S. government, A commercial spyware vendor that uses or discloses sensitive data obtained from the cyber surveillance tool without authorization and operates under the control of a foreign g...