In three separate incidents, engineers at the Korean electronics giant reportedly shared sensitive corporate data with the AI-powered chatbot.

Recent reports about engineers at Samsung Electronics inadvertently leaking sensitive company information via ChatGPT in three separate incidents highlight why policies governing employee use of AI services in the workplace are quickly becoming a must for enterprise organizations.

The Economist Korea, one of the first to report on the data leaks, described the first incident as involving an engineer who pasted buggy source code from a semiconductor database into ChatGPT, with a prompt to the chatbot to fix the errors. In the second instance, an employee wanting to optimize code for identifying defects in certain Samsung equipment pasted that code into ChatGPT. The third leak resulted when an employee asked ChatGPT to generate the minutes of an internal meeting at Samsung.

The incidents played out exactly the same way that researchers have been warning that they could, since OpenAI made ChatGPT publicly available in November. Security analysts have noted how, in all instances where users share data with ChatGPT, the information ends up as training data for the machine learning/large language model (ML/LLM). They have noted how someone could later retrieve the data using the right prompts. 

ChatGPT creator, OpenAI, itself has warned users on the risk: "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations," OpenAI's user guide notes.

**Samsung Enacts Emergency Anti-ChatGPT Measures**

The situation has apparently prompted a rethink of ChatGPT use at Samsung after the third incident, just barely three weeks after the South Korean electronics giant allowed employees access to the generative AI tool. The company had initially banned the technology over security and privacy concerns before relenting.

The Economist reported Samsung's emergency measures to limit ChatGPT use internally as including restricting employees from asking questions of ChatGPT that were larger than 1,024 bytes and considering disciplinary action against employees who share corporate data with LLMs such as ChatGPT.

Samsung did not respond to a Dark Reading request seeking clarification on the three incidents and the company's response to them. Security researchers, however, have been warning that such leaks could become common as employees begin leveraging ChatGPT for various use cases within the enterprise.

A study that Cyberhaven conducted earlier this year found many workers at client companies pasting source code, client data, regulated information, and other confidential data into ChatGPT. Examples included an executive who pasted his company's 2023 strategy document into the chatbot so it could generate a PowerPoint slide presentation, and a doctor who entered a patient's name and medical diagnosis so ChatGPT could generate a letter to the patient's insurance company.

**AI: A Risk vs. Benefit Gamble for Enterprises**

"From an employee's perspective, ChatGPT-like tools offer the potential to be exponentially more productive, making them hard to ignore," says Krishna Vishnubhotla, vice president of product strategy at Zimperium. However, it's important to consider the risks vs. rewards equation, which will vary depending on specific roles and responsibilities, he notes. For instance, employees working with intellectual property would require more guidance and precautions on how to use tools like ChatGPT he says: "It is crucial for organizations to understand how productivity will look and where it will come from before they embrace this opportunity."

Michael Rinehart, vice president of artificial intelligence at Securiti, says it's important to remember that advanced Generative AI tools such as ChatGPT cannot distinguish between what they should and should not memorize during training. So, organizations that want to harness them for different use cases should consider using tools for classifying, masking, or tokenizing personal and other sensitive data.

Or "a second approach is the use of differential privacy. Differential privacy offers provable protection of individuals in structured data," Rinehart says.

**Differential Privacy**

Rinehart describes differential privacy as a technique for protecting data in a dataset. "It involves adding noise — or error — to real data," he says. The synthetic data will have many of the important characteristics of real-world data without exposing the individuals in the dataset. "If used properly, even if the synthetic dataset were leaked, privacy would still be protected. Enterprise-grade synthetic data generators with differential privacy are now available," he says.

Rinehart perceives attempts by organizations to ban ChatGPT use in the workplace as ill conceived and unlikely to work. "A consistent story in the field of security is that it may be better to offer a secure path to using a tool than to block it," he says. "If a tool offers incredibly high benefits, people may attempt to circumvent blocks to take advantage of it."

Melissa Bischoping, director of endpoint security at Tanium, says the issue with sharing data to ChatGPT lies in the fact that the creators can see the data and use it to understand how the model continues to train and grow. Once a user shares information with ChatGPT, that information becomes part of the next model. 

"As organizations want to enable use of powerful tools like ChatGPT, they should explore options that allow them to leverage a privately trained model so their valuable data is only used by their model and not leveraged by iterations on training for the next publicly available model."

Samsung Engineers Feed Sensitive Data to ChatGPT, Sparking Workplace AI Warnings

National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.

_stop_2023/04/10

国土数値情報・位置参照情報データ公開のお知らせ

令和４年度に作成・更新した下記のデータについて令和５年５月～６月にかけて公開いたします。  
（公開予定データ・順不同）  
土地利用３次メッシュ、土地利用細分メッシュ、都市地域土地利用細分メッシュ、土地利用詳細メッシュ（土地利用メッシュデータ公開範囲：北陸、関東、中部）  
行政区域、国・都道府県機関、市町村役場等及び公的集会施設、  
洪水浸水想定区域、土砂災害警戒区域、津波浸水想定、高潮浸水想定区域、雨水出水浸水想定区域、  
高速道路時系列、バス停留所、バスルート、鉄道、鉄道時系列、駅別乗降客数  
位置参照情報

_stop_2023/03/31

国土数値情報データ変換ツールの提供停止について

国土数値情報ダウンロードサイトにて提供してきた『国土数値情報データ変換ツール』に、  
XML外部エンティティ参照の不適切な制限の脆弱性(CWE-611)が判明したため提供を停止しました。  
過去に、当該ツールをダウンロードしているご利用者におかれましては、当該ツールの利用停止・削除を実施いただくようお願い申し上げます。  
詳しくはこちらをご覧ください。

_stop_2023/03/24

システムのメンテナンスに伴うホームページの運営について

2023年3月28日（火）14:00～16:30にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的に出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2022/11/28

システムのメンテナンスに伴うホームページの運営について

2022年12月1日（木）14:00～17:00、及び2022年12月2日（金）14:00～15:00にシステムのメンテナンスを行います。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的に出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2022/9/14

ビジネスアイデアコンテスト『イチBizアワード』開催

内閣官房主催「地理空間情報」を活用したビジネスアイデアコンテスト『イチBizアワード』の公募が、2022年7月19日より開始しており、2022年9月30日（金）18:00まで受付中とのことです。本コンテストについて内閣官房よりメッセージが届いておりますので紹介いたします。  
なお、応募方法や詳細については、公式サイトをご覧ください。  
https://www.g-idea.go.jp/

（内閣官房のメッセージ）  
内閣官房では地理空間情報のポテンシャルを最大限活かした新しいサービスビジネスが生まれ、発展することで、よりよい社会や生活を実現し未来を切り開きたい、という思いで『イチBizアワード』を企画いたしました。  
『イチBizアワード』では、「いつ、どこで、何が、どのような状態か」といった、位置や時間に関する情報を活用したものであれば、どんなアイデアでも自由にご応募いただけます。  
既にあるビジネスアイデアやこんなサービスがあったらいいなという、ちょっとしたアイデアまで、沢山のアイデアの応募をお待ちしています。  
応募いただいたアイデアは、専門知識や発信力をもつ審査員に審査いただき、「事業化部門」「マッチング部門」「ちょっとしたサービスアイデア部門」の３つの部門で表彰します。  
加えて協賛企業とのマッチングの機会もあり、実現に向けて後押しします。 奮ってのご応募をお待ちしております。

_stop_2022/8/9

システムのメンテナンスに伴うホームページの運営について

2022年8月17日（水）14:00～17:00にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的にできなくなることがあります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いいたします。

_stop_2022/07/05

システムのメンテナンスに伴うホームページの運営について

2022年7月7日（木）13:00～15:30、及び2022年7月8日（金）15:30～16:30にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的にできなくなることがあります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いいたします。

_stop_2022/06/06

システムのメンテナンスに伴うホームページの運営について

2022年6月9日（木）16:00～17:30にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的にできなくなることがあります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いいたします。

_stop_2022/03/28

システムのメンテナンスに伴うホームページの運営について

2022年3月30日（水）17:00～18:00にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2022/03/24

利用者アンケートを開設しました

当サイトへの感想やご意見を募集するアンケートを開設しました。画面左メニューの「利用者アンケート」からご回答いただけます。  
ご回答いただました内容は今後のサイト運営に役立てて参りますので、是非ご協力の程よろしくお願いいたします。

_stop_2022/03/23

システムのメンテナンスに伴うホームページの運営について

2022年3月25日（金）18:00～18:10にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的に出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2022/02/22

位置参照情報ページについて

本日14:00頃、位置参照情報ページが復旧いたしました。  
利用者の皆さまには大変ご迷惑をおかけしました。今後ともよろしくお願いします。

_stop_2022/02/19

システムのメンテナンスに伴うホームページの運営について

GISホームページは、現在、メンテナンス中でホームページに断続的にアクセスができなくなることがあります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2022/02/18

システムのメンテナンスに伴うホームページの運営について

2022年2月24日（木）15:00～15:10にシステムのメンテナンスを行います。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的に出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2022/02/14

システムのメンテナンスに伴うホームページの運営について

2022年2月18日（金）18:30～19:30にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的に出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2021/11/10

システムのメンテナンスに伴うホームページの運営について

2021年11月13日（土）9:00～10:00にシステムのメンテナンスを行います（進捗状況により延長する可能性があります。）。  
そのため、メンテナンス中は、GISホームページへのアクセスが断続的に出来なくなります。  
利用者の皆さまには大変ご迷惑をおかけしますがよろしくお願いします。

_stop_2021/01/12

システムのメンテナンスに伴うホームページの運営について

2021年1月15日（金）にシステムのメンテナンスを行います。  
それに伴い、よりセキュリティが強固な設定となり、セキュリティが弱い暗号化を使用しているブラウザからは接続できなくなります。  
閲覧できない場合は、現在ご利用のMicrosoft Edge、Mozilla Firefox、Google Chromeが最新のバージョンかご確認いただき、最新のバージョンへアップデートをお願いいたします。

_stop_2020/12/12

三大都市圏計画区域データ PDF･KMLダウンロードページ開設のお知らせ

こちらに 国土数値情報 三大都市圏計画区域 データから作成した、PDF･KMLファイルのダウンロードページを開設しました。

_stop_2020/07/07

ウェブマッピング調整中のお知らせ　（対応完了しました）

ウェブマッピングシステムは、現在データセットを準備中です。準備ができ次第、順次公開いたします。  
国土数値情報データの内容を確認するには、GISをご利用になるか、geojson形式のファイルをご利用ください。

_stop_2020/07/01

GISホームページ業務移管のお知らせ

令和２年度の国土交通省の組織改編に伴い7月1日よりGISホームページは以下の局に移管となります。  
国土数値情報・位置参照情報　不動産・建設経済局  
国土調査（土地分類調査・水調査）　国土政策局

_stop_2020/06/30

国土数値情報閲覧マニュアル公開のお知らせ

国土数値情報閲覧マニュアル（QGIS）、Geojsonデータ閲覧マニュアルの公開を開始いたしました。  
こちらからダウンロードの上、ご活用ください。  
（現在、ウェブマッピングシステムは調整中になっております。国土数値情報データの内容確認にはこちらのマニュアルをご活用ください。）

_stop_2020/05/18

【重要】GISホームページのリニューアルのお知らせ

2020/05/18よりGISホームページをリニューアルしました。  
なお、一部のデータについては、今後今月末を目処に順次登録して参りますので、データが登録されるまで今しばらくお待ち願います。

（2020/05/22追記）  
GISホームページで対応するブラウザは以下のとおりです。  
対応ブラウザ以外をご利用された場合、画面が正しく表示されない場合がございます。  
Microsoft Edge （最新版）、Mozilla Firefox （最新版）、Google Chrome （最新版）  
ご不明な点などがございましたら、以下の問い合わせ窓口までご連絡願います。  
国土数値情報問合せ受付け窓口　：shitsumon@ksjask.info

CVE-2023-25955: お知らせ

Summary Summary Azure provides developers and security operations staff a wide array of configurable security options to meet organizational needs. Throughout the software development lifecycle, it is important for customers to understand the shared responsibility model, as well as be familiar with various security best practices. This is particularly important in deploying Azure Functions and in provisioning Azure Role Based Access Control as customers are responsible for configuring and managing applications, identity, and data.

**Summary Summary**

Azure provides developers and security operations staff a wide array of configurable security options to meet organizational needs. Throughout the software development lifecycle, it is important for customers to understand the shared responsibility model, as well as be familiar with various security best practices. This is particularly important in deploying Azure Functions and in provisioning Azure Role Based Access Control as customers are responsible for configuring and managing applications, identity, and data. It is possible for customers to grant overly broad permissions. When this happens, there is a risk that these permissions could be abused to gain access to additional resources within a customer’s tenant. One such issue was recently reported by Orca Security and investigated by the Microsoft Security Response Center who determined it was not a security issue. However, the situation warranted discussion and improvement to help customers more effectively deploy environments with least privilege and defense-in-depth to be more resilient against attackers.

As part of ongoing experience improvements, the Azure Functions team plans to update how Functions client tools work with storage accounts. This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization.  

Additionally, customers should review the guidance below to ensure their environments are configured to their organizational needs with least privilege.

**Azure Functions and Azure Storage Authorization In-Depth Azure Functions and Azure Storage Authorization In-Depth**

Azure Functions uses storage for several purposes. The AzureWebJobsStorage connection is used for general runtime behaviors, such as handling trigger checkpointing data and distributed lock management. Azure Functions code may be stored in the account specified by the AzureWebJobsStorage connection, but this depends on the deployment method selected. This is not the default for most setups, and Functions offers multiple deployment options for application code, including referencing content stored in a different blob store. The AzureWebJobsStorage connection uses a storage account connection string by default, though there is a preview of identity-based connections for AzureWebJobsStorage.  

In addition to leveraging the default storage account connection string, customers may want to provision access to users within their environment. Per the shared responsibility model, access management is a responsibility of the cloud customer and an important aspect of creating role assignments is the selection of the correct scope of assignment adhering to the security principle of least privilege. Apps and users should not be given broader access than is strictly necessary. Azure also offers features for granting bounded access through privileged identity management.  

By default, the only individuals that have access to listKeys is the individual that created the storage account and any inherited owners. Microsoft recommends providing granular access to users, using built-in roles such as Storage Blob Data Reader or Storage File Data SMB Share Reader, to grant permission to read storage account contents. Neither of these roles include permission to list storage account keys or otherwise modify content. Storage account keys provide full access to your storage account’s configuration and all its data, and like any access credential should be carefully protected. Other built-in roles may grant the Microsoft.Storage/storageAccounts/listKeys/action permission that is excessive for users only requiring read access.

Should excessive privileges be granted and subsequently used, customers could still gain insights into the data plane actions taken against that storage account through Azure Monitor. The Activity Log describes control plane operations, and can be used to monitor which users have accessed the shared storage keys. Activity logs are enabled by default for all storage accounts.  Customers can do this by searching for “listKeys” in the storage account where their Azure Function is stored. Resource logs can also be enabled and configured in Azure Monitor to identify any modifications to the contents of the storage account.  Customers are highly encouraged to have activity logs and resource logs configured on their storage accounts and consistently review their logs for suspicious activity. You can also monitor how clients authorize access to storage accounts, as well as identify clients that are authorizing their storage requests using shared keys or shared access signature (SAS).

As part of ongoing experience improvements, the Azure Functions team plans to update how Functions client tools work with storage accounts. This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage.  Going forward, Azure Functions clients will also help users enable ‘StorageWrite’ resource logging for storage accounts created in those experiences. Additionally, we have updated the Azure Functions documentation to better clarify best practices to configure storage account access for users with least privileges.

Azure Storage also continues to invest in security, including comprehensive support for identity-based authorization. Blob Storage offers full support for role-based access control (RBAC), including role-assignment conditions with Azure ABAC. We provide a comprehensive set of built-in roles to easily limit access with minimum privileges. Azure Files now includes support for Azure AD Kerberos over SMB and is adding support for OAuth over REST. This will also enable support for identity-based authorization for accessing Files in the Azure portal. We’re also planning for guidance and support so that new storage accounts can have shared key and shared access signature (SAS) authorization disabled by default  to encourage use of role-based access. In the interim, organizations can enforce the use of identity-based authorization for Storage using Azure Policy.

Microsoft Defender for Cloud (MDC) also provides enhanced monitoring for Storage accounts, to include automatic discovery of sensitive data to enrich security alerts,  malware scanning, and detections for unusual access patterns, use of compromised authentication tokens, and data exfiltration.

**Recommended Actions for Customers Recommended Actions for Customers**

To minimize the overall risk of abuse, we recommend that customers employ the following practices regarding user access to storage accounts:

1.  Review the permissions of users to ensure least-privilege access to the storage account. Furthermore, you can limit the permission grants to the minimum scope required (ex. Storage account or resource group).
    
2.  Monitor Activity Log for access to account keys
    
3.  Enable StorageWrite resource logs for storage accounts that host Azure Functions along with a lifecycle policy to manage retention of the logs for a duration of your choice.
    
4.  When storing application code in blob storage, consider using a storage account dedicated to that purpose so that you can limit access.
    
5.  Enable MDC for storage accounts
    

In addition to the above recommended actions, we have made updates to existing documentation. Customers are encouraged to review the updated documents:

Storage considerations for Azure Functions

Securing Azure Functions

**Conclusion Conclusion**

In summary, we appreciate the opportunity to investigate the findings reported by Orca Security. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. Researchers who report security issues to the Microsoft Security Response Center are also eligible to participate in Microsoft’s Bug Bounty Program.

Orca’s report has highlighted opportunities for us to continue to improve to help customers correctly configure their environments with least privilege. The risk of these scenarios can be minimized by applying proper RBAC administration and ensuring that users are delegated the lowest level of permissions necessary. Using identity-based connections for AzureWebJobsStorage, currently in preview, prevents use of over-privileged permissions. Azure Storage also offers robust monitoring to detect unusual or unauthorized changes on a storage resource. At the same time, we believe that our guidance for customers around properly configuring user privileges for storage account access can be clarified further, so we have made updates to our existing documentation to reflect that. As always, we encourage our customers to follow security best practices to limit their exposure to vulnerabilities and other types of security events.

Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access

Wacom Driver 6.3.46-1 for Windows and lower was discovered to contain an arbitrary file deletion vulnerability.

CVE-2022-38604: Wacom Driver Arbitrary File Deletion Vulnerability

Wacom Driver 6.3.46-1 for Windows was discovered to contain an arbitrary file write vulnerability via the component \Wacom\Wacom_Tablet.exe.

CVE-2022-43293: Wacom Driver Arbitrary File Write\Overwrite Vulnerability

Ubuntu Security Notice 6003-1 - Xi Lu discovered that Emacs did not properly handle certain inputs. An attacker could possibly use this issue to execute arbitrary commands.

    ==========================================================================Ubuntu Security Notice USN-6003-1April 06, 2023emacs24 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Emacs could be made to run programs as your login if it received specially crafted input.Software Description:- emacs24: GNU Emacs editorDetails:Xi Lu discovered that Emacs did not properly handle certaininputs. An attacker could possibly use this issue to executearbitrary commands.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   emacs24                                 24.5+1-6ubuntu1.1+esm3   emacs24-common                  24.5+1-6ubuntu1.1+esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6003-1   CVE-2023-28617

Ubuntu Security Notice USN-6003-1

Complex multicloud environments present organizations with security challenges, but also opportunities for efficiency.

Many enterprises find themselves with hybrid and multicloud environments. While the days where everything was either on-premises or in private clouds are gone, it is far from the case that enterprises have put all — or even the vast majority of — their applications and infrastructure into the cloud. Further, it is nearly never the case that an enterprise has consolidated everything into a single cloud provider; instead, businesses operate with a complex mix of diverse environments. It appears that this will be the case for quite some time.

What may be less known, or at least less considered, is the amount of complexity and the number of challenges that these environments bring. What this means for most enterprises is that they find themselves struggling to efficiently manage and secure hybrid and multicloud environments. In addition, many enterprises find themselves spinning up and maintaining multiple technology stacks within each environment, often requiring entire teams dedicated to this function. As the popular security mantra so aptly says, complexity is the enemy of security.

How so? For starters, complexity introduces the opportunity for human error and oversight. This often brings with it security holes, which in turn increase the attack surface of business-critical applications and the infrastructure they run on.

To get an idea of how complex of an environment most enterprises are faced with, let's look at a few data points from F5's "2023 State of Application Strategy" report:

*   85% of organizations operate multiple application architectures and locations.
*   90% of organizations that maintain multicloud infrastructures report challenges.
*   42% of organizations leverage four or more cloud providers.
*   37% of applications are deployed on-premises.
*   15% of applications are deployed in the cloud.
*   58% of organizations are using digital services to substantially drive the business, with those services accounting for half or more of the firm's annual revenue.

The data clearly articulates the complexity that most enterprises face, and it also shows that hybrid and multicloud environments — and the challenges they bring — are here to stay.

**Business Challenges of Multicloud Environments**

What are some of these challenges that businesses face? While not an exhaustive list, here are a few of them:

*   Managing and securing multiple complex environments.
*   Applying policy and security consistently across diverse environments.
*   Easily provisioning the required networking and security infrastructure.
*   Deploying applications easily where required across the ecosystem.
*   Ensuring the requisite connectivity and security across applications.
*   Needing a central console to manage multiple complex environments.
*   Gaining visibility into infrastructure and applications to ensure health, compliance, and security.
*   Properly monitoring for and responding to infrastructure and security issues.

Thankfully, enterprises have options when it comes to addressing these points and can leverage distributed cloud and multicloud solutions to help reduce complexity and simplify. Doing so allows enterprises to more efficiently and effectively manage and secure their hybrid and multicloud environments.

**What to Look for in Distributed Cloud**

When looking at distributed cloud solutions, enterprises should take into account a few important points:

*   Workload protection and application security (at layer 7) is a must, particularly for applications that span multiple environments.
*   While many solutions provide network security (layers 3 and 4), fewer seamlessly integrate workload protection and application security on top of network security.
*   The user layer (layer 8) is extremely important when looking to protect against automated attacks and fraud. This is mainly because differentiating between human and automated traffic and between legitimate and fraudulent traffic requires an understanding of intent that can only be gleaned from the user layer.
*   A central console that brings everything together and facilitates the management and security of both applications and infrastructure is imperative.
*   Inclusion in the architecture and design of the enterprise early on, with an ability to flexibly consume different features and grow around, is central.
*   An ability to efficiently address what the market demands — flexibility and fast pace — without introducing complexity and security holes is important.

Although it requires some investment and effort, taking control of the challenges that hybrid and multicloud environments present is essential for enterprises to remain competitive, keep costs under control, reduce complexity, and adequately manage and secure both applications and infrastructure. The sooner an enterprise begins tackling these challenges, the sooner it can efficiently and securely provide its customers the functionality they seek.

How and Why to Put Multicloud to Work

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins

CVE-2023-1425

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

CVE-2023-0546

The Article Directory WordPress plugin through 1.3 does not properly sanitize the `publish_terms_text` setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts.

Tag

#perl