今日已更新 63 条资讯 | 累计 20533 条内容
关于我们

标签:#cybersec

找到 170 篇相关文章

产品设计

My First Cybersecurity Writeup – VAPT Experience

Overview This is my first real-world cybersecurity VAPT experience inside an enterprise insurance company environment. I worked across network infrastructure, web applications, internal devices, and physical security — and learned how professional security assessments are actually performed beyond labs and CTFs. Introduction I am a cybersecurity enthusiast focused on SOC operations, web application penetration testing, and vulnerability assessment. In this engagement, I worked on assessing the security posture of an insurance company across its network infrastructure, devices, web applications, and physical security controls. This was my first real-world experience working in an enterprise environment, and initially I was not fully confident about the workflow. However, with the guidance and support of my senior, I was able to understand the process step by step and actively contribute to the assessment. Objective Identify security vulnerabilities across network, web, and internal systems Assess exposure of critical assets Analyze potential attack paths in the environment Evaluate basic physical security controls Scope of Work Network infrastructure assessment Web application security testing Device-level security review Basic physical security evaluation Tools Used Nessus (vulnerability scanning) Burp Suite (web application testing & request interception) Nmap (network discovery & port scanning) GVM / OpenVAS (vulnerability assessment) OWASP ZAP (automated web scanning) Wireshark (packet analysis & traffic inspection) Approach / Methodology Performed network discovery using Nmap to identify active hosts and open ports Conducted vulnerability scanning using Nessus and GVM to detect known security issues Analyzed web application behavior using Burp Suite and OWASP ZAP Intercepted and inspected HTTP/HTTPS traffic to understand request/response flow Used Wireshark to analyze packet-level communication and detect anomalies Evaluated system exposure across internal devic

2026-05-29 原文 →
AI 资讯

GHES Key Rotation, Bug Bounty Program Refocus, AI Agent Permission Fatigue

GHES Key Rotation, Bug Bounty Program Refocus, AI Agent Permission Fatigue Today's Highlights This week's top security news features critical action for GitHub Enterprise Server users with a signing key rotation due to an ongoing investigation. We also cover GitHub's strategic refocusing of its bug bounty program for higher quality submissions and an interactive look at AI agent permission fatigue. Investigation update: GitHub Enterprise Server signing key rotation (GitHub Blog) Source: https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/ This alert details a critical security update for GitHub Enterprise Server (GHES) customers, urging immediate action to rotate signing keys. The blog post indicates an investigation into unauthorized access to GitHub's internal repositories, which has necessitated this widespread security measure. While specific details of the breach or vulnerability are not fully disclosed, the requirement for a signing key rotation points to a potential compromise of cryptographic keys, which are fundamental to authentication and supply chain integrity. Such incidents could lead to unauthorized code signing, repository tampering, or other severe supply chain attacks, underscoring the importance of robust secrets management and incident response protocols. The advisory emphasizes a proactive stance for GHES administrators to protect their environments by following the provided guidance. This incident highlights the pervasive risk of supply chain attacks and the critical role of secure key management in enterprise environments. It reminds organizations that even trusted platforms like GitHub are targets and necessitates vigilant monitoring and swift action in response to security advisories. The prompt action from GitHub, though implying a significant security event, also showcases their commitment to transparency and securing their ecosystem by guiding customers through the necessary remediation steps to

2026-05-29 原文 →
AI 资讯

CISA Security Leak

Crazy story : Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. News article .

2026-05-22 原文 →
AI 资讯

On AI Security

Good report : Executive Summary: Let’s say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security). So let’s take a step back: how do you measure security in the first place? Good question. Over the last 30 years, security engineering for software evolved from black box penetration testing, through whitebox code analysis and architectural risk analysis to de facto process-driven standards like the Building Security In Maturity Model (BSIMM). Software had a very deep impact on business operations, and it appears that AI is going to have an even deeper impact. Will a software security-like measurement move work for AI? Probably. In the meantime we can make real progress in AI security by cleaning up our WHAT piles and managing risk by identifying and applying good assurance processes. (Spoiler alert: no matter what we do, we still don’t get a security meter for AI, so we need to be extra vigilant about security.)...

2026-05-20 原文 →