Posts by Justin Pagano

Supply Chain Security (10 min read)

Securing the Supply Chain: Lessons Learned from the Codecov Compromise

This blog post is meant to provide the security community with defensive knowledge and techniques to protect against supply chain attacks involving continuous integration (CI) systems.

Vulnerability Disclosure (4 min read)

The Cloudflare (Cloudbleed) Proxy Service Vulnerability Explained

TL;DR This week a vulnerability was disclosed, which could result in sensitive data being leaked from websites using Cloudflare's proxy services. The vulnerability - referred to as "Cloudbleed" - does not affect Rapid7's solutions/services. This is a serious security issue, but it's not a catastrophe. Out of an abundance of caution, we recommend you reset your passwords, starting with your most important accounts (especially admin accounts). A reasonable dose of skepticism and prudence will go

Nexpose (3 min read)

Optimizing Adaptive Security: New and Known Assets

Since I started working on Rapid7's Information Security team, I've had firsthand experience with what is arguably the hardest part of vulnerability management: creating and updating a complete inventory of your assets and their vulnerabilities. While you'll never be able to achieve perfection in this regard, Adaptive Security in Nexpose [https://www.rapid7.com/products/nexpose/nx6.jsp] makes it significantly easier for InfoSec teams to improve their current vulnerability management program with

Vulnerability Management (1 min read)

March 2015 OpenSSL Security Advisory

Today OpenSSL released a security advisory [https://openssl.org/news/secadv_20150319.txt] listing 14 vulnerabilities affecting various versions of OpenSSL. There are 2 High, 9 Moderate, and 3 Low severity vulnerabilities in the mix. The security community was anxious that there could be another Heartbleed (or worse) in this list. Thankfully, this is NOT the case, even among the High severity vulnerabilities. Many of these vulnerabilities are limited in their scope, impact, and/or prevalence (es

Microsoft (2 min read)

A Closer Look at February 2015's Patch Tuesday

This month's Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Mi