What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode.webp 2023-06-20 14:45:25 The Art of Reducing Security Debt In 3 Key Steps (direct link) Introduction In the ever-evolving landscape of digital threats and cybersecurity challenges, organizations face a significant burden known as security debt. Just like financial debt, security debt accrues when organizations compromise security measures in favor of convenience, speed, or cost-cutting. Over time, this accumulated debt can pose serious risks to the organization's data, reputation, and overall stability. However, with a strategic approach and a commitment to proactive security practices, organizations can effectively reduce their security debt. In this blog post, we will explore the art of reducing security debt in three key steps, enabling organizations to strengthen their security posture and safeguard their valuable assets. Step 1: Assess and Prioritize Security Risks The first step in reducing security debt is to conduct a thorough assessment of your organization's security risks. This involves identifying vulnerabilities, evaluating existing security…
Patching Guideline ★★
Veracode.webp 2021-11-10 12:34:31 Recent Updates to the OWASP Top Ten Web Application Security Risks (direct link) The Open Web Application Security Project (aka OWASP) recently announced its latest updates to the venerable OWASP Top Ten list. This publication is meant to bring attention to the most common classes of software-related security issues facing developers and organizations in the hopes of helping them to better plan for and address potential high-severity issues in their codebases. While not specifically an industry standard, it is highly regarded among the security community and is regularly combined with findings from application security vendors and researchers to create a reference point for secure coding practices. The newest edition does make updates to certain conventions but also highlights the consistent issues seen throughout the years, such as injection attacks and insecure components. Initially notable is the more generalized approach to categorization and naming, with OWASP describing the motivation for these changes as a “focus on the root cause over the symptom.” Given the complexity of modern web applications and software stacks, this new focus is a prudent reminder that focusing solely on the high-level presentation of flaws within complicated vulnerability taxonomies will only go so far in preventing breaches, and that true progress at any scale will only be made by remediations that address the underlying cause of discovered issues. Supporting this focus is the inclusion of the new category A04:2021 – Insecure Design, bringing attention to the ever-growing need to address vulnerable application architectures and software flaws much earlier in the development process. While there has been considerable discussion about the industry's need to “shift left” for the past several years, it is apparent that a lack of threat modeling and overall secure design continues to be a major issue for applications of all types.
It is nice to see these concerns formally addressed at this level in the broader context of security risk awareness.   The addition of A08:2021 – Software and Data Integrity Failures and the higher ranking for A06:2021 – Vulnerable and Outdated Components both appear to be in a similar vein, further underscoring the need for organizations to prioritize the security controls associated with the development pipeline and surrounding technologies as much as the specifics of the application code itself. The frameworks, software libraries, and other tools that development teams rely on are updated with increasing speed. It is easier than ever for organizations to fall behind on patching and management of these supporting components. These areas will continue to be points of security concern for years to come, and the industry should continue the work of better addressing the role of tooling and pipeline concerns, as well as application threat modeling, within the general scope of security issues across the board.  The movement of A01:2021 – Broken Access Control to the number one position, while hardly a surprise, is reason for concern primarily due to the obstacles associated with detecting issues of this nature. Underlying many access control flaws are fundamental application logic errors, most of which are currently difficult, if not impossible, to discover with automated scanning of any kind. As most companies are unable to have penetration testers examine every release, applications may only undergo thorough manual security audits relatively infrequently, leaving a large footprint of possible flaws whose discovery and remediation times are measured in months, or even years.  Further complexity is introduced as modern web technologies move toward microservice architectures and application containerization, creating a need to test for access control issues related to the nuances of these components as well. 
While teams may do their best to adhere to a least-privilege model, it quickly becomes more difficult to follow best practice guidelines as additional endpoints and APIs are added and role managemen Vulnerability Threat Patching
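The Broken Access Control point above (a logic error that looks like a perfectly valid request to any scanner, and gets harder to keep right as endpoints multiply) is easiest to see in code. The following is an added illustration written for this page, not code from Veracode or from OWASP: the invoice records, the role name "billing-admin" and the handler names are all constructed. It shows the vulnerable object-level check beside the hardened one, and an enumeration loop that stands in for the attacker (or the pentester) walking the id space.

```python
"""Object-level authorization: vulnerable handler vs. hardened handler.
Added example for this page; data, role name and handler names are constructed."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List


@dataclass(frozen=True)
class User:
    user_id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so a probing client
    cannot tell which invoice ids are real from the error it gets back."""


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total_cents=12_500),
    1002: Invoice(1002, owner_id=8, total_cents=99_000),
}


def get_invoice_insecure(user: User, invoice_id: int) -> Invoice:
    """Vulnerable handler: the caller is authenticated (a User is required)
    but nothing checks that *this* user may read *this* invoice, so any
    logged-in user can walk the id space. Every request is syntactically
    valid, which is why an automated scanner sees nothing wrong."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def can_read_invoice(user: User, invoice: Invoice) -> bool:
    """One policy function: the owner, or billing staff. Keeping the rule in
    a single place keeps it reviewable and unit-testable as endpoints grow."""
    return invoice.owner_id == user.user_id or "billing-admin" in user.roles


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened handler: the decision is made against the object, right next
    to the data access, not in a route-level check a new endpoint can forget."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(user, invoice):
        raise NotFound(invoice_id)
    return invoice


def probe(handler: Callable[[User, int], Invoice], user: User,
          candidate_ids: Iterable[int]) -> List[int]:
    """Simulate an id-enumeration loop and return the ids of invoices the
    handler returned that the probing user does not own."""
    exposed = []
    for invoice_id in candidate_ids:
        try:
            invoice = handler(user, invoice_id)
        except NotFound:
            continue
        if invoice.owner_id != user.user_id:
            exposed.append(invoice_id)
    return exposed


if __name__ == "__main__":
    alice = User(7, frozenset())
    print("insecure handler exposed:", probe(get_invoice_insecure, alice, range(1000, 1010)))
    print("hardened handler exposed:", probe(get_invoice, alice, range(1000, 1010)))
```

The `probe` loop is also the shape of the unit test to keep next to every object-returning endpoint: a fixed set of ids, a user who owns some of them, and an assertion that nothing else comes back.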
Veracode.webp 2021-09-10 08:25:31 2003 Testimony to Congress Proves That We Still Have a Long Way to Go In Building Secure Software (direct link) Back in May 1998, as a member of the hacker think tank, L0pht, I testified under my hacker name, Weld Pond, in front of a U.S. Senate committee investigating government cybersecurity. It was a novel event. Hackers, testifying under their hacker names, telling the U.S. government how the world of cybersecurity really was from those down in the computer underground trenches. Many in the security community know of the famous L0pht Senate testimony, but very few know that one of the L0pht members testified on Capitol Hill 5 years later. That member was me. This time I testified as a cybersecurity professional using my real name. I was the director of research and development at @stake, an information security consulting company. Back in the summer of 2003, the internet was plagued with worms such as Blaster and Sobig. The U.S. House of Representatives Committee on Government Reform wanted to hold hearings to understand the problem. Why had 400,000 computers been infected with Blaster in less than five days when the patch that would have prevented the attack had been available for over a month? I was asked to testify to help the committee understand vulnerability research. How were the vulnerabilities discovered that led to worms like Blaster, and why were these latent vulnerabilities there in the first place? The problems I spoke of in 2003, sadly, are still here with us 18 years later. Large amounts of software are still not designed defensively… and not built with security testing embedded in the development process. The economics of software development still leads to the reuse of old insecure software. Computer users still loathe updating to new, more secure versions of software due to the costs and resources required.
I discussed how the root cause of viruses and worms was security flaws in the design or implementation of software. I still believe this today (even though most vulnerabilities are not “wormable” or attackers choose to attack with more precision). I discussed the problems with a ship-it-vulnerable, patch-it-later approach. Even now with some products using auto-updating, patching is often late or doesn't happen at all due to the resources required to patch in an enterprise IT environment. Most of what I spoke of was the world of vulnerability research. Who were the people – like the researchers from the Last Stage of Delirium – that discovered the Blaster vulnerability? Why would they do this? How did they do this? How is it possible that they found a security bug when the vendor didn't? Then I spoke about the safe vulnerability disclosure process: How researchers could work with vendors to keep the internet safer despite vulnerable software everywhere. This type of process is now widely followed by researchers and vendors and is codified into an ISO standard. We have made progress on the challenge of building software more securely, distributing patches better, and handling vulnerability disclosure better. But the gains are far less substantial than they should be after 18 years. In my 2003 testimony, I said, “The current flawed computing infrastructure is not going to change for the better overnight. It will take many years of hard work.” We are still in the “many years” phase and perhaps will be for another decade. Take a look at my 2003 testimony and see for yourself just how far we still need to go. Vulnerability Patching Guideline
Veracode.webp 2021-04-23 12:58:34 Are You Targeting These Risky Red Zone Vulnerabilities? (direct link) Modern software development is full of security risk. Factors like lingering security debt, insecure open source libraries, and irregular scanning cadences all affect how many flaws remain in your code, leading to higher rates of dangerous bugs in susceptible and popular languages. For example, we know from State of Software Security v11 that PHP has a high rate (nearly 75 percent) of cross-site scripting flaws on initial scan; cross-site scripting is also the most common type of open source code vulnerability across nearly every language. It's a dangerous one. CRLF injection, which is commonly seen in Java and JavaScript, can lead to maliciously manipulated web applications if a threat actor is able to inject a CRLF sequence into an HTTP stream. CRLF injection is dangerous and appears in a sizeable 65 percent of applications with a flaw on initial scan, posing a real risk to apps written in Java and JavaScript if left unchecked. But not all flaws are so high-risk for common languages; Information Leakage, for example, is most often seen in .NET, PHP, and Java, typically stemming from a lack of secure code training. To stay one step ahead of both the low-risk and the high-risk flaws, developers need to be armed with the right knowledge and tools so that they can produce more secure code and reduce the chance of a breach, whether the flaw is low risk or in the danger zone. Understanding how flaws impact programming languages across the board is crucial to preventing them. Take note of which languages tend to carry the most high-risk flaws first; whether or not yours is in the mix, it's a good idea to brush up on secure coding best practices and try your hand at hacking and patching real applications with Veracode Security Labs.
You can't fake it when it comes to security: hands-on-keyboard education is critical to jumping these (and other) hurdles as you create innovative applications. If you want to keep data safe and squash these risky bugs, you have to think like an attacker and avoid flaw-filled curveballs in the future. To learn more about which vulnerabilities are in the danger zone (and how to go about preventing them), check out our infosheet here. Vulnerability Threat Patching Guideline
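The CRLF injection mechanism the post above describes (a request-controlled value carrying a CR LF pair into an HTTP header, which the client then parses as a new header) is shown below as an added example written for this page, not code from Veracode or from the original post. It builds a raw redirect response two ways, once with the value copied straight in and once through a check that refuses CR, LF and NUL, and then parses the result the way a client would. The attacker string, the `Location` target and the handler names are constructed for the example.

```python
"""CRLF injection into an HTTP response header: vulnerable vs. hardened builder.
Added example for this page; the attacker input and handler names are constructed."""
import re
from typing import Dict

CRLF = "\r\n"


class HeaderInjection(ValueError):
    """Raised when a header value contains a line terminator."""


def build_response_insecure(location: str) -> str:
    """Vulnerable: the redirect target is concatenated into the header block
    with no check for line terminators, so %0d%0a in the request becomes a
    real line break in the response."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + CRLF
    )


# RFC 7230 field-value grammar allows visible chars, SP and HTAB; CR, LF and
# NUL must never appear inside a value.
_ILLEGAL = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Hardened: reject (rather than silently strip) CR/LF/NUL so the bad
    request fails loudly and is logged instead of being quietly rewritten."""
    if _ILLEGAL.search(value):
        raise HeaderInjection("line terminator or NUL in header value")
    return value


def build_response(location: str) -> str:
    """Same response, but every request-derived value passes the check."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + safe_header_value(location) + CRLF
        + CRLF
    )


def parse_headers(raw: str) -> Dict[str, str]:
    """Minimal client-side view: split the head on CRLF the way a browser
    does, so we can see which headers the client believes it received."""
    head, _, _body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed attacker input: a plausible path followed by an injected
# Set-Cookie header (the URL-decoded form of "/home%0d%0aSet-Cookie:...").
ATTACK = "/home\r\nSet-Cookie: session=attacker-controlled"

if __name__ == "__main__":
    print("client sees:", parse_headers(build_response_insecure(ATTACK)))
    try:
        build_response(ATTACK)
    except HeaderInjection as exc:
        print("rejected:", exc)
```

The same split happens in a response splitting attack: a second CRLF CRLF in the injected value ends the header block early and lets the attacker supply the body. Modern HTTP libraries (Python's http.client and Node's http module, for example) refuse CR and LF in header values at the API boundary; the explicit check belongs in application code that assembles headers itself or sits behind a library that does not.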
Veracode.webp 2021-04-23 09:34:12 Reporting Live From Collision Conference 2021: Part Two! (direct link) If you caught part one of our recap series on this year's Collision conference, you know we covered a roundtable talk hosted by Veracode's own Chris Wysopal. The talk focused on the risks of AI and machine learning, delving into discussions of how to manage the security aspects of these future-ready technologies, especially when it comes down to consumer privacy. Chris also had the opportunity to host a session of his own, covering the critical aspects of modern application security and the reasons that organizations need to get serious about security-minded approaches to their code. Here's what we learned. Secure from the top down Chris began his session Secure From the Top Down by noting that, today, it's important to think about application and product security through the eyes of the developer or the builder. With so many applications running in the cloud and so many devices connected to the Internet of Things (IoT), Chris pointed out that the attack surface for threat actors is growing exponentially and that everyone building and deploying technology needs to consider the risks moving forward. Connected devices are everywhere, Chris said, but they're not typically behind a firewall. Normally, these devices are connected to 5G or Wi-Fi. According to Chris, this means devices essentially need to secure themselves and all of the connection points where they talk to other devices or they pose a security risk. Further, everything is connected through APIs today. “We used to have big, monolithic software packages with one big block of code,” Chris said. “Today, we have a lot of small devices; even with applications running in the cloud, they're built with microservices and are talking to each other through APIs.”
This is a way an attacker can exploit a device or an application, and means the builders of today need to improve the security around their APIs for a more secure tomorrow. It's already a problem; Chris pointed out in his session that, according to the 2020 Verizon Data Breach Investigations Report, 43 percent of breaches come from single page applications. Developers working on building these single page apps need to be more considerate with their security. Looking ahead at trends Time is the biggest competitor for most organizations, according to Chris, and there are three main trends that are going to impact product security moving forward: ubiquitous connectivity, abstraction and componentization, and hyperautomation of software delivery. Ubiquitous connectivity While this involves the rise of APIs and IoT devices, what it really comes down to is that each piece of software connected through the network and APIs must think about securing itself. “Each code that is exposing an API needs to think about how it will authenticate, encrypt, and secure itself from all Data Breach Threat Patching
Veracode.webp 2021-01-26 12:06:18 Did You Read Our Most Popular 2020 Blog Posts? (direct link) What was top of mind for your peers regarding AppSec in 2020? Yes, we realize no one really wants a 2020 retrospective; who wants to look back at that mess? But we are going to carry on with our annual look-back at our most popular blogs from the previous year. We always gain a lot of insight from this exercise: we find out what resonated with security professionals and developers, uncover trends, and learn what people have questions or concerns about. We hope you find this valuable too. So what were the hot AppSec topics in 2020? Topping the list: developer security training, best practices made practical, open source security, technical details on vulnerabilities, and, of course, the sudden shift to remote work and a digital world last March. Did you catch all these popular blog posts? Developer security training Our new Security Labs offering was a hot topic last year. Clearly, training developers on secure coding is a requirement and a concern for many. If you want to see what Security Labs is all about, check out the Community Edition. Developers can use it to learn to code securely by hacking and patching real apps, at no cost. Announcing Veracode Security Labs Community Edition Stay Sharp and Squash Security Debt With Veracode Security Labs Our survey report with ESG covered some of the pain points organizations are facing regarding security training, and blogs on that topic were in our most-viewed list as well. 16% of Orgs Require Developers to Self-Educate on Security How 80% of Orgs Can Overcome a Lack of Training for Developers Best practices for the rest of us Our guide on AppSec best practices vs. practicalities and its associated blog were among our most-read content pieces last year. Highlighting not only what to strive for, but also where to start, with application security seemed to resonate with many.
Best Practices and Practical Steps to Guide Your AppSec Journey Securing open source code As with the past several years, open source security was one of the most popular topics. The first open source edition of our annual State of Software Security report got a lot of attention in 2020. Take a look at the report to get the results of our analysis of 351,000 external libraries in 85,000 apps. We unearthed some really interesting data about the number of dependencies in open source libraries, and about challenges and best practices in securing them. Announcing Our State of Software Security: Open Source Edition Breaking Down Risky Open Source Libraries by Language Details on vulnerabilities and secure coding Blogs that take a technical deep dive into particular vulnerabilities typically resonate with our audience, and last year was no exception. Our blog posts on spring view manipulation vulnerability and preventing sensitive data exposure got a lot of attention in 2020. Write Code That Protects Sensit Vulnerability Patching
Veracode.webp 2021-01-12 15:14:33 Veracode Named a Leader in The Forrester Wave: Static Application Security Testing, Q1 2021 (direct link) If you're looking to start or optimize an AppSec program in 2021, the Forrester Wave™ report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence. Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results. To help development teams and security and risk professionals identify the industry's foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, “For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice.” The Forrester report specifically mentions, “Veracode has invested in the developer experience.” Veracode's SAST offering is fully cloud-based and offers three different levels of scans that aid developers: IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials. Pipeline Scan happens in the build phase. It directly embeds into teams' CI tooling and provides fast feedback on flaws being introduced on new commits. It helps answer the question, “is the code my team is writing secure?”
Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, “are my organization's applications secure?” Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization's code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills. We believe prioritization is another important strength for Veracode. As the Forrester report states, “…Veracode's graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market.” In addition, the report states, “References complimented Veracode's premium support,” and Veracode is highly rated by customers for remediation guidance. As one customer stated, “the relationship [with Veracode] really stands out.” Learn more Download The Forrester Wave™: Static Application Security Testing, Q1 2021 report to learn more on what to look for in a SAST vendor and for more information on Veracode's position as a Leader. Patching Guideline ★★★★★
Veracode.webp 2020-11-19 16:23:50 Healthcare Orgs: What You Need to Know About TrickBot and Ryuk (direct link) In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of “…credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” which they shared as a warning of potential ransomware attacks. In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic; something healthcare providers should take into consideration when determining how much to invest in their cybersecurity efforts. The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, “…TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.” What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte XOR cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic.
When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories: C:\Windows\ C:\Windows\SysWOW64\ C:\Users\[Username]\AppData\Roaming\ From there, the executable file downloads modules from command and control servers (C2s) and places them into the host's %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim's machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here. BazarLoader and Ryuk ransomware CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks. “The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure,” the report says. “Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.” BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject l Ransomware Malware Tool Threat Patching ★★★
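The advisory's point that anchor_dns traffic is "discoverable in DNS request traffic once de-obfuscated" is, in practice, a log-triage job: pull the suspicious label out of each query name, undo the single-byte XOR, and keep the queries that decode to text. The block below is an added example written for this page, not code from the advisory or from any TrickBot analysis, and it does not describe the real anchor_dns wire format: the label layout (hex-encoded ciphertext as the leftmost label, followed by the C2 domain), the key 0x5a, the domain names and the sample queries are all constructed assumptions. It covers both the known-key case (the byte recovered from the sample) and the unknown-key case, where brute force yields a ranked list of candidates rather than one answer, because a short payload under a small key often stays printable.

```python
"""Single-byte XOR de-obfuscation of DNS query labels (known and unknown key).
Added example for this page; label layout, key, domains and queries are constructed."""
import binascii
import string
from typing import List, Optional, Tuple

# Bytes accepted as "text": tab, LF, CR and the visible ASCII range.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | frozenset({0x09, 0x0A, 0x0D})


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: encode and decode are the same op."""
    return bytes(b ^ key for b in data)


def extract_payload(qname: str) -> Optional[bytes]:
    """Assumed layout: <hex payload>.<c2 domain>. Labels that are short or not
    hex (www, mail, ...) yield None so ordinary queries are ignored."""
    label = qname.split(".", 1)[0]
    if len(label) < 8 or len(label) % 2 or any(c not in string.hexdigits for c in label):
        return None
    return binascii.unhexlify(label)


def decode_with_key(qname: str, key: int) -> Optional[bytes]:
    """Known-key path, used once analysis of a sample has recovered the byte.
    Returns None unless the whole decoded payload looks like text."""
    payload = extract_payload(qname)
    if payload is None:
        return None
    plaintext = xor_bytes(payload, key)
    return plaintext if all(b in TEXT_BYTES for b in plaintext) else None


def _textiness(candidate: bytes) -> int:
    """Ranking heuristic: beacon payloads are mostly lowercase letters, digits
    and spaces, so count those. Only ever applied to all-ASCII candidates."""
    return sum(1 for b in candidate if chr(b).islower() or chr(b).isdigit() or b == 0x20)


def brute_force_xor(payload: bytes) -> List[Tuple[int, bytes]]:
    """Unknown-key path: try every key and keep those whose output is entirely
    text, best-ranked first. Keys 0x01..0x1F shift ASCII within the printable
    range, so several keys can survive; an analyst confirms the winner.
    Key 0x00 is skipped: it is the identity and would match any plain hex label."""
    candidates = []
    for key in range(1, 256):
        plaintext = xor_bytes(payload, key)
        if all(b in TEXT_BYTES for b in plaintext):
            candidates.append((key, plaintext))
    candidates.sort(key=lambda kp: _textiness(kp[1]), reverse=True)
    return candidates


def make_sample_query(plaintext: bytes, key: int, domain: str) -> str:
    """Build a query the way the assumed beacon would; used for the sample."""
    return binascii.hexlify(xor_bytes(plaintext, key)).decode() + "." + domain


def triage(qnames: List[str], key: int) -> List[Tuple[str, str]]:
    """Run the known-key decoder over query names from a DNS log and return
    the ones that decode to text, paired with the recovered payload."""
    hits = []
    for qname in qnames:
        decoded = decode_with_key(qname, key)
        if decoded is not None:
            hits.append((qname, decoded.decode("ascii")))
    return hits


# Constructed DNS log sample: two benign queries and one obfuscated beacon.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    make_sample_query(b"host=WS-042;user=alice", 0x5A, "c2.example.invalid"),
]

if __name__ == "__main__":
    for qname, payload in triage(SAMPLE_QUERIES, key=0x5A):
        print(qname, "->", payload)
    ranked = brute_force_xor(extract_payload(SAMPLE_QUERIES[2]))
    print("candidate keys:", [hex(k) for k, _ in ranked[:5]])
```

In a real hunt the `extract_payload` step is where the assumptions live: the label encoding, length limits and which label carries the data come from the sample, and the C2 domain list (such as the open source tracker the advisory points to) is the other side of the same filter.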
Last update at: 2024-06-30 12:08:22