Threat and Exposure Research
Buyer’s Guide for Evaluating Cyber Threat Exposure Management (CTEM) Tools
The Problem with Vulnerability Assessment Scanners If you’re reading this post, chances are you’re looking to take the next step…
All Threat and Exposure Research articles
-
Beyond vulnerability-based attacks: Identity-based attack path management (APM)
As many of you know, I have been involved in penetration testing since the beginning of my career. It is…
-
Attack Path Mapping: The Future of Vulnerability Management
In today’s dynamic threat landscape, relying solely on Common Vulnerabilities and Exposures (CVEs) to assess the exposure and the likelihood…
-
Top Trending CVEs of May 2024
It’s May, baseball is in full swing and schools are nearly out for summer vacation. This month we take a…
-
Top Trending CVEs of April 2024
April is here, spring has arrived and everyone in the lower 48 of the United States got to witness a…
-
Top Trending CVEs of March 2024
March may be absolute madness for the NCAA and people in bunny suits, but it was a fairly quiet month…
-
Top Trending CVEs of February 2024
February 2024 is off to a ripping start for security research. This month we’re focusing on a piece of open…
-
Volt Typhoon’s Chinese-State Sponsored Attack on U.S. Critical Infrastructure
The U.S. government this week said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some…
-
Top Trending CVEs of January 2024
Happy New Year! We open up 2024 with an interesting mix of vulnerabilities, some of which have been patched for…
-
Top Trending CVEs of December 2023
Happy Holidays! As we close out 2023 we do it with a bit of deja vu (depending on how sharp…
-
Top Trending CVEs of November 2023
The holiday season has officially arrived, but that hasn’t slowed down security research. November featured some seriously cool exploits and…
-
Top Trending CVEs of September 2023
September was an exciting month for NopSec as we hosted our Customer Advisory Board meetings in New York City. Thanks…
-
Top Trending CVEs of August 2023
Summer is slowly cooking everyone into air conditioned spaces as vacations wind down and school winds up. August featured some…
-
Top Trending CVEs of July 2023
July was a busy month for vulnerability research. We had the opportunity to be picky about our curated selection of…
-
Top Trending CVEs of June 2023
It’s finally summer! That means kids are out of school and vacations are in full swing, and that includes Security Researchers…
-
Top Trending CVEs of May 2023
May was a rather quiet month for security research, but an excellent write up filtered to the masses from the…
-
Top Trending CVEs of April 2023
April was a busy month for Microsoft. Patch Tuesday introduced critical Windows fixes to address a pair of remote command…
-
Top Trending CVEs of March 2023
In March 2023, security researchers identified a number of critical vulnerabilities that could be exploited by attackers to gain access…
-
Top Trending CVEs of February 2023
In this month’s trending CVEs we have a number of patches released by Microsoft to address critical vulnerabilities identified in…
-
Top Trending CVEs of January 2023
Happy New Year! In this month’s trending CVEs ManageEngine takes the top spot with yet another unauthenticated remote command execution…
-
Top Trending CVEs of December 2022
Happy holiday season! December was off the chains, literally. Microsoft released a security update to address a remote command execution…
-
The Case for a ‘Vulnerability Management Token’: A new way to reward vulnerability remediation
November 2022 has not been a boring month indeed! One of the most prominent and powerful cryptocurrency exchanges – FTX…
-
Top Trending CVEs of November 2022
Happy Thanksgiving! November was a surprisingly slow month. It’ll be perfect for some light reading over a thanksgiving break. In…
-
Top Trending CVEs of October 2022
Happy Halloween! The October trending CVEs feature another out-of-bounds write vulnerability being exploited in the wild that…
-
Top Trending CVEs of September 2022
In this month’s edition of trending CVEs, we feature a blast from the past that provides an excellent example of…
-
Top Trending CVEs of August 2022
This month we have five CVEs on the radar. The August 2022 Patch Now Award* this month goes to ManageEngine,…
-
Creating a Vulnerability Management Program – Vulnerability Remediation: More Complex than You Might Imagine
In prior blogs, we’ve spelled out how an organization finds its vulnerabilities and how security teams consider threat intelligence to…
-
Creating a Vulnerability Management Program – Cybersecurity Risk: Why You Need Both Vulnerability and Threat Assessments
In this blog, we’ll add to our cybersecurity considerations the concept of threats and threat intelligence. So far, we’ve looked…
-
Creating a Vulnerability Management Program – Penetration Testing: Valuable and Complicated
Once you’ve started a vulnerability scanning system, you may want to take the next step in identifying vulnerabilities: penetration testing,…
-
Creating a Vulnerability Management Program – Vulnerability Scanners: How They Help Cybersecurity Readiness
Learn how to identify the right vulnerability scanner(s) for your organization’s needs. So far in this series, we have laid…
-
Creating a Vulnerability Management Program – Patching: Take the Panic out of Patching by Managing CVE Threat Overload
Imagine a company that started in early 2012 with a half dozen employees — all working in one office —…
-
Understanding the Difference Between Vulnerabilities and Exposures
The cybersecurity world talks a lot about “common vulnerabilities and exposures” (CVEs) and compiles ongoing lists of them with a…
-
New Security Vulnerabilities: How Should You Respond?
Cybercrime has exploded in growth over the past several years to levels that are stunning to contemplate. To put it…
-
Exploiting Kerberos for Lateral Movement and Privilege Escalation
Introduction Within most enterprise environments, authentication is handled by a central system known as the domain controller. The domain controller,…
-
Why IAM Technology is Critical to Your Vulnerability Management Program
In previous blogs, we discussed Attack Surface Management (ASM) and explained how ASM is critical to your overall Vulnerability Management…
-
Attack Surface Management: Why Your Attack Surface is Critical to Your Vulnerability Management Program
In our last blog, we discussed what Attack Surface Management (ASM) is. Now we will explore the importance of how…
-
5 Reasons Why Attack Surface Management MUST Be Part of Your VA Program
Back in 2019, when I was a research analyst at Gartner, I started to see a monumental shift in how…
-
Vulnerability Management FAQ
What is Vulnerability Management lifecycle? Vulnerability management lifecycle —Discovery, Detection, Prioritization, Remediation, Validation and Program Intelligence. What is an asset? …
-
NopSec – CrowdStrike Joint Solution Brief
NopSec and CrowdStrike are pleased to announce that the two companies have entered into a global technology partnership, integrating NopSec’s leading enterprise Vulnerability…
-
Webinar – Analysis of Verizon 2020 DBIR Report: Vulnerability Management Implications
Analysis of Verizon 2020 DBIR Report: Vulnerability Management Implications Webinar presented by Michelangelo Sidagni. THIS WEBINAR COVERED… • Asset management…
-
Verizon DBIR: Analysis of Verizon DBIR Report
It is that time of the year again! The Verizon 2020 DBIR report is out again – https://enterprise.verizon.com/resources/reports/dbir/ – and…
-
Special Offer – COVID-19
Due to COVID-19, NopSec is empowering remote workforces with a much needed relief for businesses. Take Advantage of NopSec’s Amazing…
-
Vulnerability Management in the time of a Pandemic
As an average person I had to refer to the book I read and to the movie I watch to…
-
SMBMap: Wield it like the Creator
The tool “SMBMap” was created nearly seven years ago. Originally based on a Python library called PySMB, it has since…
-
International Women’s Day 2020 – NopSec & Mastercard Partnership
In celebration of International Women’s Day 2020, NopSec and Mastercard partner to commemorate women in tech, diversity and product leadership…
-
NopSec Attended Fal.Con Unite 2019 Event
NopSec, a leader in vulnerability and cyber threat management, attended Fal.Con UNITE 2019, CrowdStrike Cybersecurity Conference. We have gathered on…
-
Pentest Findings & Mitigating Controls
What Enables the Kill Chains for Total System Compromise At NopSec my red teaming service team never stops amazing me…
-
Asset Value
Security risk professionals need to assess asset values to add business context to vulnerability management prioritization. NopSec understands that it…
-
Penetration Testing With Shellcode: Hiding Shellcode Inside Neural Networks
NopSec commonly needs to bypass anti-virus / anti-malware software detection during our penetration testing engagements, which leads us to spend…
-
E3 Engine: Engine Microservice That Evaluates, Explores and Enriches Vulnerabilities
Three times the vulnerability prioritization When it comes to vulnerabilities, I always say: “not all vulnerabilities are created equal”. Some…
-
Security Product vs Service Company
The Lines Are Blurring NopSec started as a penetration testing service delivery company at my kitchen table. The company then…
-
Machine Learning in Cybersecurity Course – Part 2: Specific Applications and Challenges
Spam detection, facial recognition, market segmentation, social network analysis, personalized product recommendations, self-driving cars – applications of machine learning (ML)…
-
2019 Q1 Social Media Trends
Back in February, we talked about a malicious container ‘break out’ vulnerability in runc (CVE-2019-5736), a universal command-line interface tool…
-
Machine Learning in Cybersecurity Course – Part 1: Core Concepts and Examples
Spam detection, facial recognition, market segmentation, social network analysis, personalized product recommendations, self-driving cars – applications of machine learning (ML)…
-
Leveraging Exposed WADL XML in Burp Suite
Recently on a customer engagement, I discovered an application that exposed its Web Application Description Language (WADL) XML that describes…
-
NopSec Accelerates Enterprise Growth And Appoints Three Industry Veterans To The Board Of Advisors
NopSec Inc, a leader in vulnerability prioritization, remediation workflow automation and breach prediction announces the appointments of three new Board…
-
How we mitigated CVE-2019-5736 for Unified VRM – Docker Runc Vulnerability
tl;dr CVE-2019-5736 is a runc vulnerability that allows attackers to obtain root access of any host running a docker container…
-
Saving Time in Vulnerability Management
2019 is here and it’s back to the workday routine. As a dad with a Jersey bus commute, mornings are…
-
VRM Wishlist for 2019
At this time of the year, like any other year, the security industry goes back to reflect on itself and…
-
NIST Teams up with IBM Watson AI System to Score Vulnerabilities
The Great News It has been recently reported that NIST, the agency hosting the National Vulnerability Database (NVD), plans to replace its…
-
Threat Exposure Management: The Hacker’s Approach to Vulnerability Risk Management
IT Security Teams spend most of their time putting out fires, and just plain dreading and waiting for the next…
-
Another Year, Another Critical Struts Flaw (CVE-2018-11776)
Will We Learn the Right Lesson This Time Around? A little over a year ago, Equifax announced a huge breach…
-
Musings on the OSCP
I’d like to diverge from our typical blog topics today to discuss the Offensive Security Certified Professional (OSCP) certification, and…
-
Pen Testing Toolkit: White Hat Tools to Improve Web Application Penetration Testing
Many of our clients at NopSec have mature web application security programs with their own internal white hat penetration testing…
-
2018 Top Cybersecurity Threats
It’s a cliché now to declare any year the year of the _____-breach. It’s especially difficult to see around corners…
-
Black Swan Theory: Black Swan Risk Management for Vulnerabilities
The black swan theory grew out of a metaphor that referred to something that didn’t exist at one point. When…
-
IANS 2018 New York Information Security Forum
On Monday, March 19th, NopSec’s Co-founder & CTO, Michelangelo Sidagni will be speaking at this year’s IANS New York Information…
-
In the DCShadow: How to Become a Domain Controller
I have always been fascinated by lateral movement attacks possible within Windows Active Directory environments. Hosts are compromised; credentials extracted;…
-
Python for Pentesters: 5 Python Libraries Every Pentester Should Be Using
As a penetration tester who uses Python in virtually all engagements, here are the top 5 Python libraries that I recommend…
-
Pen Testing Toolkit: Tools & Antivirus Software Evasion Techniques
Antivirus software is one of the oldest and the most ever present security control against malware and various types of…
-
Fighting the War with the Right Weapon: Countering Complexity with Automation
Here at NopSec, we have always been fascinated with automation. It has been a focus of ours since the beginning…
-
CIS 20 Controls: Utilizing CIS 20 Critical Controls for Vulnerability Prioritization
CIS 20 Security Controls represent one of the reference frameworks of the most critical controls an organization can implement to…
-
Knowledge (Data) is Power in Vulnerability Management
Data is power virtually everywhere, and it’s all about how you utilize that information. In business, you can use data…
-
Penetration Testing Tools: Top 6 Testing Tools and Software
Penetration Testers (aka ethical hackers) use a myriad of hacking tools depending on the nature and scope of the projects they’re…
-
The True Cost of A Great Penetration Test
If you asked car salesmen from different dealerships the question, “How much does a great car cost?” you’re guaranteed to…
-
Top 3 Cybersecurity Problems That are Solved with E3 Engine and Unified VRM
We’re proud to build products IT Security Teams actually need and use on a daily basis. We’re a company started…
-
The Shadow Brokers-Leaked Equation Group’s Hacking Tools: A Lab-Demo Analysis
According to The Register’s article, last week we started witnessing the widespread exploitation of The Shadow Brokers’ leaked Windows…
-
3 Dangerous Myths About DDoS Attacks
Distributed denial of service (DDoS) attacks are a growing but frequently misunderstood threat in the cybersecurity world. Defined generally, a…
-
Doing Diversity Right: Turning Employment Obstacles into Opportunities
Blind assumptions about online security are not the only assumptions that demand attention in the cybersecurity industry today. An article…
-
Top 5 Cybersecurity and Computer Threats of 2017
The year 2016 will be remembered for some big moments in the world of cybersecurity: the largest known distributed denial…
-
2017 Outlook: Remediation Trends
Each year, NopSec conducts a survey of IT and cybersecurity professionals to glean a snapshot of the current state of…
-
Your Money or Your File(s)!
Growing up as a kid in the 80’s ransom used to be a simple thing. A bad person with a…
-
Growing Cyber Threats to the Energy and Industrial Sectors
Remember Shamoon, the malware that disabled some 35,000 computers at one of the world’s largest oil companies in 2012? If…
-
Social Engineering – The Mental Game, Part II.
Now, let’s talk technical. Malicious executables are used to deliver a payload to a victim. These can be very technical…
-
Social Engineering – The Mental Game, Part I.
The first thing that all organizations need to understand is why social engineering works. In many cases organizations, security professionals,…
-
Six Effective Ransomware Risk Reduction Strategies
Businesses, governments, and consumers alike need to be aware of ransomware – a type of malware that can inflict serious…
-
NopSec Report Finds Organizations Use Inadequate Risk Evaluation Scoring System
NopSec released a featured annual report, “2016 State of Vulnerability Risk Management.” The report reveals key security threats by industry,…
-
Malware Analysis: Moving Beyond the CVSS Score
Note: This article was updated in June 2022. Here at NopSec, we are all about risk — our number one…
-
Know Thy[self] Environment
Securing an environment is a constant game of cat-and-mouse. Safety measures of all kinds can (and should) be put in…
-
What Matters Most: Remediating Vulnerabilities
Scanning is an important part of a well-established vulnerability risk management program. Vulnerability scanners allow you to identify the threats…
-
Two Key Steps to Stop DROWN…
The information security industry is buzzing about the newest threat, DROWN. According to Drown Attack, “[it] is a serious vulnerability…
-
Vulnerability Management Myths
Automation Strikes Back! There are tons of technologies out there that are trying to “AUTOMATE” every aspect of human life…
-
The Importance of Technology Integration to the Value of an InfoSec product
According to FireEye, a U.S. based provider of next generation threat protection, it takes companies, on average, more than 200 days…
-
Consumers: The Last Best Mile of the Security Perimeter
For consumers and businesses alike, when it comes to keeping private information private your best defense is vigilance; in both…
-
Vulnerability Management and the Road Less Traveled
When I started my career as a penetration tester, the name of the game was all about breaching the external…
-
Healthcare Data is the Next Vulnerable Target for Hackers
Another day, another hack. And not just any old hacking incident, but one involving yet another healthcare provider, only demonstrating how…
-
Help, My Car Got Hacked and the Internet of Things
The recent recall of 1.4 million vehicles by Fiat Chrysler has raised many questions and concerns after researchers discovered a security vulnerability…
-
Vulnerability Risk Management: Making the Move beyond Compliance
Information security professionals have a single core mission: to understand technological risks and take the necessary steps to protect information…
-
Threat Intelligence: one size does not fit all
Literally a flood of lines have already been written about Security Threat Intelligence and its uses, so I would not…
-
Active Directory Authentication and Asset Sync
Enterprise organizations need vulnerability risk management solutions that integrate with the existing authentication and asset management infrastructure. Unified VRM has…
-
DevOpS and Remediation Task Management
Lately a lot of attention has been directed towards the “DevOps” or “SecOps” disciplines and for good reasons. According to…
-
Vagrant Boxes: Private Vagrant Box Hosting With Easy Versioning
At NopSec, we are using vagrant and packer to spin up local dev environments and build our instances across the various hypervisor and cloud…
-
Counting Vulnerabilities. Assessing Threats. Frictionless Remediation
A couple of days ago I read an interesting article in the Tenable Network Security Blog — here — where…
-
State of Insecurity: Challenges to Addressing Discovered Vulnerabilities
Penetration Testing, Red Team Operations, Exploit Development, Vulnerability Management, Brute Forcing, Advanced Persistent Threats and even BEAST, CRIME, Zeus, Code…
-
Linux Ghost Vulnerability: A GHOST in the….Linux….Wires
Our partner Qualys discovered a new vulnerability nick-named “GHOST” (so called because it can be triggered by the GetHOST…
-
Customer Experience Case Study for Vulnerability Management
If you haven’t read the book or watched the movie Fight Club, you may not understand this reference. “1st RULE: You…
-
Security Doom Scenarios…..OK….name your passwords’ directory “Password”
Usually I am not particularly a big fan of security doom scenarios, but looking at this week’s security news and…
-
Find the Next Heartbleed-like Vulnerability
Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low,…
-
Projecting Your Burp
If you’re a security researcher or penetration tester you’re probably already well aware of the extensive array of tools available…
-
Take Your XSS and POST It
Parameter injection is one of the most common classes of web application vulnerabilities exploited in the wild. This class of…
-
PCI 3, Requirement 11: PCI Penetration Testing and Wireless Security Explained
Understanding and fulfilling PCI 11, Requirement 3 can be daunting, but NopSec is here to help you through it. 11.1…
-
Poodle SSLv3 vulnerability: What it is, how to discover it, how to defend against it
Google security researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz recently uncovered a vulnerability in SSL 3.0 that could allow secure connections to…
-
Continuous Collaboration at Qualys Security Conference
Call it good timing. After all the horrendous cybersecurity news of the past weeks, it feels great that our…
-
Xen and the Art of Vulnerability Maintenance
It is no secret that hackers have been making the rounds, targeting organizations of all sizes, from national retailers to local financial institutions,…
-
Are the clouds in the sky rebooting?!
If you are, like us at NopSec, one of the companies that operate on the Amazon AWS cloud, this past couple…
-
The Role of Threat Intelligence in Vulnerability Management
Threat intelligence is an increasingly popular buzzword in security magazine articles and blogs. It is also becoming more prevalent in…
-
Successful Account Penetration: The Key to a Successful Penetration Test
With the time, effort and resources that companies dedicate to penetration testing, it can be frustrating (at best) to not…
-
Introduction to IT Security Vulnerability Assessments
A vulnerability assessment, also known as vulnerability testing, is the practice of detecting, classifying, prioritizing, and remediating security vulnerabilities in…
-
Lessons Learned from Data Breaches at Universities
No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and…
-
Vulnerability Remediation Process & Management: Why is Remediation so Difficult?
Note: This article was updated in June 2022. Risk Based Vulnerability management is the ongoing practice of detecting, classifying, prioritizing,…
-
The Year Ahead for Vulnerability Management
This is the time of year when companies gaze into their crystal ball and try to discern what lies ahead…
-
The Single Most Important Thing You Can do to Improve Cyber-Security in 2014
According to reports released by the Information Security Forum and ISACA, cyber-security will continue to be a critical issue for businesses in…
-
The Role of Penetration Testing in Vulnerability Risk Management
Reports in the news make it clear that the sophistication of cyber-attackers continues to evolve. So why do so many…
-
Horizontal Solution or Point Solution for IT Vulnerability Management?
When IBM Security announced availability of its QRadar Vulnerability Manager earlier this year, vulnerability risk management was solidified as an…
-
Penetration Testing in Healthcare
In September the deadline for compliance with changes to the HIPAA rules relating to breaches of unsecured electronic Protected Health Information…
-
Wireless Network Penetration Testing
Cyber forensic investigators report that some of the most complicated and audacious hacks started in two simple ways: either with…
-
Vulnerability Management for Amazon Web Services (AWS)
As the benefits of cloud computing drive increased adoption by businesses, the fastest growing area of public cloud computing appears…
-
Banking and Insurance Regulators Focus on Cyber-Threats
If you are responsible for IT security in the financial services industry, you may have been asked by a regulator…
-
NopSec Recognized as 2013 “Emerging Security Vendor” by CRN Magazine
NopSec was recognized on the CRN Magazine 2013 list of “Emerging Security Vendors” for the second consecutive year. CRN’s Emerging Vendors…
-
Reflection on Black Hat 2013 – a Technical Perspective
As every year the Las Vegas security conferences extravaganza unfolds and then passes leaving a head full of new knowledge…
-
NopSec’s CEO featured in Forbes article about building an Advisory Board
Lisa Xu, Chief Executive Officer at NopSec, knows that an outside perspective is critical to building the company. Lisa recently…
-
Surprise insights from the Black Hat security conference
You may have heard the adage, “The best defense is a good offense.” As Chief Marketing Officer at NopSec, I…
-
The state of IT security at Las Vegas conferences
Wendy Nather is Research Director within 451 Research’s Enterprise Security Program, providing analysis on the current state of security from the…
-
Recommended sessions at Black Hat 2013 Conference
I have been attending the Black Hat Conference in Las Vegas for many years now and I have to admit that the…
-
Embedded Malware: Account Takeovers Multiplying
Robert McGarvey recently covered the topic of account takeover attempts in his regular column in the Credit Union Times. Michelangelo…
-
Vulnerability Management is a Lie
I came across a post by Tony Turner titled, “Vulnerability Management is a Lie” and I could hardly wait to…
-
Achieving SANS top 20 Critical Security Controls with Unified VRM
Recently I got the chance to spend a little more time examining the SANS top 20 Critical Security Controls for…
-
Required Reading for Vulnerability Management Market Insights
Do you ever wish there was a single document that would answer all your burning questions? If you’ve ever moved…
-
Forbes: It’s Not Just Warren Buffett Who Is Bullish On Women
The rationale for this blog post is the Rule of Three and, as noted on Wikipedia, the Latin phrase, “omne trium perfectum”…
-
Is there value in cyber-security degrees?
I came across some news the other day that a local university will start offering a master’s degree in “Cyber-Security…
-
Credibility and Reputation – New Target for Cyber-Attacks
Is there anybody that has not received an email that starts like this, “<Company name> recently experienced a cyber-attack on…
-
VC firms need to find their feminine sides
An industry colleague forwarded me a recent article from Upstart Business Journal titled, “VC firms need to find their feminine…
-
Security Careers: Breaking Barriers
Lisa Xu, CEO of NopSec, was interviewed recently by BankInfoSecurity.com about her career in information security – a male-dominated field…
-
BankInfoSecurity: Overcoming Too Much Data
Last week at the RSA Conference, Lisa Xu and I had an opportunity to sit down with Tracy Kitten, Managing…
-
Credit Union Times: APT Will Get You
In a recent article posted by Robert McGarvey in the Credit Union Times, Threat of the Week: APT Will Get…
-
The importance of implementing security controls
Cyber Security was all over the news recently. Facebook revealed that it was hacked – even though it came out…
-
As big banks and media wise up to cyber threat, New York’s security firms get noticed
Crain’s New York Business, there is an article written by Matthew Flamm that discusses the pervasiveness of cyber attacks and…
-
Executive Order on Cybersecurity
It looks like the Federal Government is getting serious about IT security. “Now our enemies are also seeking the ability…
-
Reduce your odds of needing incident response
It has been hard to keep up with my news alert due to all the IT security headlines. “Hackers in…
-
Reemerging from the Flood
Some of you probably wondered where the NopSec crew and I ended up these days… already tired of blog writing? Not…
-
Another Type of Correlation – Vulnerability Correlation
The other day I was thinking about the concept of “event correlation” embedded into various SIEM products. Security events can…
-
What’s the matter with vulnerability management?
Every day I get to talk to a lot of infosec professionals and business people regarding vulnerability management. They tell…