Robert Lemos

NIST vulnerability bottleneck underscores fragility of software security
A sudden halt to the ranking of vulnerability severity has left government agencies and some companies without an approved source of ranking and prioritization.
Uncertainty hits the cybersecurity jobs market
Despite forecasts of healthy demand for cybersecurity skills, workers see more cuts and a more intense hiring process in their futures.
Zero-days aren't just for nation-states anymore
In 2023, attackers continue to wield more zero-day exploits against companies and individuals, using them for ransomware, surveillance and espionage.
CVSS 4.0 is shaking up vulnerability management. Here’s what’s changed
CVSS 4.0 urges companies to go beyond base scores, allowing them to more accurately judge the threat posed by particular vulnerabilities.
Attackers see developers as low-hanging fruit
Developers must be increasingly wary of actively malicious code that makes its way into their software supply chains.
MOVEit Transfer saga shows danger of the 'Dark Middle'
When attackers find vulnerabilities in software used by service providers with dozens or hundreds of clients, the impact of a breach can quickly spiral out of control.
Memory safety is the first step, not the last, towards secure software
The U.S. government and technology giants alike are urging developers to replace C and C++ with modern, memory-safe languages like Rust. Will it be enough?
Death by digital: attacks on healthcare put people at risk
At least one person has died in what was arguably the direct result of a digital attack on a hospital, but cybercriminals seem unlikely to stop.
How AI could inflame one of the costliest cyber scams
Deepfakes, stolen email addresses and identity fraud drive continued gains in business email compromise attacks. How can defenders fend them off?
Attackers are on the edge. Where are defenders?
VPNs, virtualization hosts, secure email gateways and other network “edge” devices have become a common entry point for attackers in significant enterprise breaches. How can defenders respond?
As APIs proliferate, attackers follow
With APIs accounting for more than half of all internet traffic, attacks on mobile and web application endpoints continue to grow.
How defenders are experimenting with artificial intelligence
AI dominated conversations at the RSA Security Conference in May, but underneath the hype, some real changes are in the works.
Home is where the hackers are: The dizzying task of securing remote work
Phishing attacks, credential stuffing against corporate cloud services and unpatched vulnerabilities in consumer hardware have all skyrocketed since the COVID pandemic upended work routines. With more employees logging in from home, locking down workers’ security habits and local networks has never mattered so much.
Flawed choices: Developers continue to use vulnerable open-source dependencies
While the open-source ecosystem continues to make progress on securing the production of widely used components, developers need better tools and a security culture to benefit.
Russia-Ukraine cyber conflict splits APT groups, raises threat level
The global cyberthreat landscape has changed since Russia’s invasion of Ukraine but not necessarily in the ways predicted.
AI code assistants need security training
Multiple studies have found that generative neural networks that produce code also reproduce security vulnerabilities in their datasets.
SBOMs are billed as a balm for supply chain risks. What’s the holdup?
The fallout of the Log4Shell vulnerability accelerated efforts to require a software bill of materials (SBOM) for the apps, libraries and other digital tools we rely on, but when it comes to generating and using this information, obstacles abound.
Ghosts of Log4j: Open-source vulnerabilities confound software developers
Most of the code in typical applications comes from open-source projects, importing dozens — and often, hundreds — of components created by volunteers. As the Log4j incident shows, those deep dependencies can carry critical vulnerabilities.