Industry Insights

Read the latest cloud security news, trends, and thought leadership from subject matter experts.

Security Advisory: Insufficient Tenant Separation in Azure Synapse Service
Published: 05/12/2022

This blog was originally published by Orca Security on May 9, 2022. Written by Avi Shua, Orca Security. TL;DR: Orca Security is issuing this security advisory for CVE-2022-29972 to address hazards in the use of the Microsoft Azure Synapse service. We believe the tenant separation in this service is...

CVE-2022-23648 – Arbitrary Host File Access from Containers Launched by Containerd CRI and its Impact on Kubernetes
Published: 04/06/2022

This blog was originally published by ARMO here. Written by Leonid Sandler, CTO & Co-founder, ARMO. Recently discovered vulnerability - CVE-2022-23648 - in containerd, a popular container runtime, allows especially containers to gain read-only access to files from the host machine. While general...

Why We Created the Global Security Database
Published: 02/22/2022
Author: Kurt Seifried

The Global Security Database is a modern approach to a modern problem. CVE is an old approach to an old problem, one that still exists (legacy code bases), but has been superseded by new and much more complicated IT systems. Stage 1: We can improve CVE from within. In the beginning (1999) there was ...

SAP Security Patch Day January 2022: Log4j Causes Record-Breaking Number of HotNews Notes
Published: 02/21/2022

This blog was originally published by Onapsis on January 11, 2022. Written by Thomas Fritsch, Onapsis. Highlights of January SAP Security Notes analysis include: January Summary - 35 new and updated SAP security patches released, including 20 HotNews Notes and six High Priority Notes. Information ...

Log4j: The Evolution of Vulnerabilities to CVE-2021-45046 and What to Expect in 2022
Published: 01/18/2022

This blog was originally published by Alert Logic here. Written by Josh Davies, Alert Logic. Threat Overview: The internet has been alive with talk of Log4Shell (CVE-2021-44228), and for good reason. While the bug appears to have been introduced in 2013, only recently have we observed wi...

What is a Vulnerability?
Published: 01/13/2022
Author: Kurt Seifried

A philosophical but practical exploration of technical vulnerabilities. Let’s check Merriam-Webster: “open to attack or damage”. This doesn’t feel complete. What’s missing? Let’s check Wikipedia: “In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an atta...

How we ended up with #log4shell aka CVE-2021-44228
Published: 01/10/2022
Author: Kurt Seifried

Quick note: from now on I will refer to log4j version 2 as “log4j2”. To learn how to deal with the critical vulnerability in log4j2, read the first blog in this series, Dealing with log4shell. To get a breakdown of the timeline of events, refer to the second blog, Keeping up with log4shell. So how...

Keeping up with log4shell aka CVE-2021-44228 aka the log4j version 2
Published: 12/16/2021
Author: Kurt Seifried

Quick note: from now on I will refer to log4j version 2 as “log4j2”. If you use Java within your products or services and haven’t yet patched them, please see “Dealing with log4shell aka CVE-2021-44228 aka the log4j version 2”. Trick question: Who helped coordinate the global response on CVE-2021-442...

Dealing with log4shell aka CVE-2021-44228 aka the log4j version 2
Published: 12/14/2021
Author: Kurt Seifried

Quick note: from now on I will refer to log4j version 2 as “log4j2”. Update note: This blog entry was updated Dec 17, 2021, to include a note about the second remote code execution vulnerability CVE-2021-45046 in log4j. Okay, if you haven’t heard about the critical vulnerability in log4j2 then I envy ...

7 Simple but effective tactics to protect your website against DDoS attacks in 2021
Published: 06/04/2021

Written by Tars Geerts, from Mlytics. Intro: Experts believe that the total number of DDoS attacks will double from the 7.9 million seen in 2018 to over 15 million by 2023. One of the reasons for this significant increase is that DDoS attacks are quite easy to pull off, making them very appeali...

Cloud lateral movement: Breaking in through a vulnerable container
Published: 05/25/2021

This blog was originally published by Sysdig here. Written by Stefano Chierici, Sysdig. Lateral movement is a growing concern with cloud security. That is, once a piece of your cloud infrastructure is compromised, how far can an attacker reach? What often happens in famous attacks to Cloud environment...

Understanding the OWASP API Security Top 10
Published: 05/11/2021

By Sekhar Chintaginjala (This blog originally appeared on CloudVector) As organizations embrace digital transformation initiatives, they are increasingly consuming and exposing APIs that increase their risk surface. The OWASP API Security Top 10 focuses on the strategies and solutions to un...

Five Actions to Mitigate the Financial Damage of Ransomware
Published: 10/30/2020

By Eran Farajun, Executive Vice President at Asigra, Inc. Ransomware attacks have become a regular occurrence for organizations today, with events that are increasingly targeted, sophisticated, and costly. According to recent reports by the Federal Bureau of Investigation[1], cybercriminals are ta...

FTC Guidance - Six Steps Toward More Secure Cloud Computing
Published: 07/06/2020

By Francoise Gilbert, DataMinding, Inc. The June 15, 2020 FTC blog post, titled Six Steps Towards More Secure Cloud Computing, provides a concise, valuable checklist for businesses that use or intend to use cloud services, so that they make their use of cloud services safer. The document is a remin...

CVE and Cloud Services, Part 2: Impacts on Cloud Vulnerability and Risk Management
Published: 09/28/2018

By Victor Chin, Research Analyst, Cloud Security Alliance, and Kurt Seifried, Director of IT, Cloud Security Alliance. This is the second post in a series, where we’ll discuss cloud service vulnerability and risk management trends in relation to the Common Vulnerability and Exposures (CVE) system. ...

CVE and Cloud Services, Part 1: The Exclusion of Cloud Service Vulnerabilities
Published: 08/13/2018

By Kurt Seifried, Director of IT, Cloud Security Alliance, and Victor Chin, Research Analyst, Cloud Security Alliance. The vulnerability management process has traditionally been supported by a finely balanced ecosystem, which includes such stakeholders as security researchers, enterprises, and vend...
