Supply Chain Security
Securing the Supply Chain: Lessons Learned from the Codecov Compromise
This blog post is meant to provide the security community with defensive knowledge and techniques to protect against supply chain attacks involving continuous integration (CI) systems
Vulnerability Disclosure
The Cloudflare (Cloudbleed) Proxy Service Vulnerability Explained
TL;DR
This week a vulnerability was disclosed, which could result in sensitive data being leaked from websites using Cloudflare's proxy services. The vulnerability - referred to as "Cloudbleed" - does not affect Rapid7's solutions/services. This is a serious security issue, but it's not a catastrophe. Out of an abundance of caution, we recommend you reset your passwords, starting with your most important accounts (especially admin accounts). A reasonable dose of skepticism and prudence will go
Nexpose
Optimizing Adaptive Security: New and Known Assets
Since I started working on Rapid7's Information Security team, I've had firsthand experience with what is arguably the hardest part of vulnerability management: creating and updating a complete inventory of your assets and their vulnerabilities. While you'll never be able to achieve perfection in this regard, Adaptive Security in Nexpose [https://www.rapid7.com/products/nexpose/nx6.jsp] makes it significantly easier for InfoSec teams to improve their current vulnerability management program with
Vulnerability Management
March 2015 OpenSSL Security Advisory
Today OpenSSL released a security advisory [https://openssl.org/news/secadv_20150319.txt] listing 14 vulnerabilities affecting various versions of OpenSSL. There are 2 High, 9 Moderate, and 3 Low severity vulnerabilities in the mix.
The security community was anxious that there could be another Heartbleed (or worse) in this list. Thankfully, this is NOT the case, even among the High severity vulnerabilities. Many of these vulnerabilities are limited in their scope, impact, and/or prevalence (es
Microsoft
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Mi