Caleb Sima

𝗧𝗵𝗲 𝗦𝘁𝗮𝘁𝗲 𝗼𝗳 𝗶𝗙𝗿𝗮𝗺𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 iFrame is a common webpage component used to display payment pages from the acquirer, payment facilitator or payment gateway.  In an interesting article by Abigail Amadi from Jscrambler, she outlined the common methods of attacking iFrames, how it relates to PCI DSS and what you can do about it. https://lnkd.in/gF2VwYB3 In my second last article featuring sponsors at the PCI Europe and Asia Pacific Community Meetings, thank you to Pedro Fortuna, John Elliott and the Jscrambler team for being sponsors at the PCI EUCM.  Pedro and John also represent Jscrambler as a PCI Principal Participating Organization (the higher tier member) and a PCI Board of Advisors member. I have covered about this issue with merchants’ page scripts in earlier posts. https://lnkd.in/ggF-gETE and https://lnkd.in/gkrr_MmV If you are a larger eCommerce (CNP) merchant and have no idea how to address this, do consider attending the PCI Community Meetings where experts will be present to demonstrate what the problem is.  There are two more conferences (Amsterdam from 14-16 Oct, Bangkok from 5-6 Nov) so make use of this opportunity to learn how to protect your organization's reputation and your customers' sensitive payment data.  https://lnkd.in/gNbE4wHH Smaller merchants are welcomed to join the Community Meetings but you should consult your Compliance Accepting Entity(ies), which is likely your acquirer (merchant bank), on suitable actions.  You may also refer to this information supplement published on the PCI Perspectives Blog: https://lnkd.in/g3BFxAEH Disclaimer: PCI Council is a neutral body and my personal post is not an endorsement of any organization or solution. PCI Security Standards Council #pcissc #pcicommunity #pcidss #pcidssv4 #datasecurity #cybersecurity #payments #paymentsecurity Video credit: Thank you Canva for your platform and the royalty-free video.

21

Two newly disclosed N-able vulnerabilities, CVE-2025-8875 and CVE-2025-8876, have been added to CISA’s KEV Catalog. They affect N-able’s N-central remote monitoring and management (RMM) platform. These flaws allow local code execution and command injection but require authentication to exploit, meaning they are unlikely to be used at the beginning of an exploit chain. Alexander Culafi at Dark Reading covers the details, noting the vulnerabilities impact versions prior to 2025.3.1. The article also features insight from Rapid7's Seth Lazarus: “They require authentication to achieve exploitation, which is much less severe than what we’ve recently seen, and likely why exploitation in the wild doesn’t appear to be widespread.” Read the full breakdown here: https://lnkd.in/eiukB6HM

77

Jason Soroko and I explain the major news items from the most recent CA/Browser Forum face-to-face meeting in Tokyo on the Root Causes Podcast. Topics include MPIC, 47-day certificate term, and Temporary Restraining Orders. Audio: https://lnkd.in/g-RaJifc Video: https://lnkd.in/gDJuyRAg

34

1 Comment

CyberArk just crushed their Q1'25 report on every metric and amped up the message on their identity platform story. This call had a different tone. It was confident and assertive in a way we haven't seen from this new management team yet. Good for them — the results they've been putting up and the strategic moves they've been making have put them in a position where they have every reason to feel confident. Lots to talk about here: → The cross-selling machine with access management, machine identity, IGA, and more is working. Nine of the top 10 deals from the quarter were multi-solution. About half of all new customers (~200) in the quarter purchased two or more solutions. In other words, CyberArk is not just selling PAM — it's PAM plus something (or many things). They even managed to sell a six-figure Zilla deal (IGA product acquired last quarter) to a financial services company already. The CyberArk brand de-risked the purchase. This is exactly what CyberArk has done successfully multiple times: build or buy a solid but reasonably priced asset, then leverage the brand/trust/credibility of CyberArk to grow it. On the M&A side, it worked with both Conjur (secrets) and Idaptive (access mgm't). Zilla is the next attempt. (Note: Venafi was a pretty big business with its own brand/reputation already, so I wouldn't count it in this example. They will probably still see some uplift, though.) → A relatively obscure certificate lifecycle change might end up being a huge tailwind for machine identity (Venafi). The CA/B forum just voted to shorten cert expiration to 47 days (vs. the 398 it is today). Probably doesn't sound like a big deal unless you understand how gnarly (and operationally risky) it is to manage certs in an enterprise. CA/B's current plan is to tighten the screws in phases, so the 47 day thing won't hit until 2029. Even the first phase (200 days) in 2026 basically makes manual renewals unmanageable, though. TL;DR - huge boost for Venafi. → It's really difficult to compete in enterprise without a broad workforce identity platform. CyberArk's message to earlier stage identity competitors was loud and clear: large customers want broad identity platforms, not scattered tools that solve narrow use cases. It's harder than ever to compete in the workforce identity market — mostly because larger scale identity companies are doing a good job with building platforms (or at least coherent product suites). --- It sure seems like the days of CyberArk being a relatively quiet, understated, meat-and-potatoes type of company are over. They are turning the page and evolving into a cybersecurity industry leader who consistently puts up growth at scale and pushes the limits of the identity market. Lots of work to do still on bringing the new pieces of their stack together, but you can't argue with the results here.

257

9 Comments