What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-05-21 12:06:56 | Live From RSAC: Anne Neuberger Addresses President Biden\'s Executive Order on Cybersecurity (lien direct) |  Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, addressed President Biden???s executive order at the virtual RSA Conference this week. The executive order, announced on May 12, 2021, aims to safeguard U.S. cybersecurity and modernize cybersecurity defenses.
As Neuberger explains, this executive order couldn???t come at a more critical time. The Biden administration was challenged with two cybersecurity incidents in the first 100 days ??? SolarWinds and Microsoft Exchange. Note that the session must have been pre-recorded because she didn???t even mention a third attack that disrupted the Colonial Pipeline.
The incidents proved three major lessons:
Adversaries will look for any opening to attack, including the government???s suppliers.
Partnerships are critical. The government needs the private sector, and the private sector needs the government.
The government needs to modernize cybersecurity defenses.
???[These lessons prove that] we need to shift our mindset from incident response to prevention,??? said Neuberger. ???We simply cannot let waiting for the next shoe to drop be the status quo under which we operate.???
In the software development world, we call this being stuck in a ???break/fix??? mentality. It is better to build a software development process that causes less ???breaks.??? That enables you to deliver more software with less failures. We are starting to see cybersecurity learn from software development principals, shifting our cybersecurity problems to the left.
Breaches are more detrimental than most organizations realize. Neuberger noted two staggering statistics. In 2019, Accenture reported an average company spends $13 million per breach. And CIS and McAfee reported that cybercrime cost 1 percent of global GDP in 2018. Organizations are far better off spending the money to secure their applications, including demanding better from their vendors, than waiting for a breach. How many small businesses, schools, hospitals, or government agencies have an extra $13 million to spend on an unexpected breach?
What Neuberger didn???t mention is that that same study from Accenture cited an increase of 67 percent in cyberattacks over the past five years. And if cyberattacks continue at this velocity, Accenture calculates a total value at risk of $5.2 trillion globally over the next five years.
The president???s approach is proactive and includes modernizing cyber defenses, returning to a more active role in cybersecurity internationally, and ensuring that America has a better posture to compete. It was the SolarWinds breach that opened our eyes to the fact that we don???t have modern cyber defenses in place. Software supply chain security is of particular concern.
???The current model of build, sell, and maybe patch means that the products the federal government buys often have defects and vulnerabilities that developers are accepting as the norm with the expectation that they can patch later. Or perhaps they ship software with defects and vulnerabilities that they don???t think merit fixes ??ヲ. That???s not acceptable,??? said Neuberger. ???Security has to be a basic design consideration.??? ツ?ツ?
Neuberger hinted that the executive order might require federal vendors to build software in a secure development environment. And that software leveraged by the federal government should include strong authentication, encryption and limit privileges. As for preexisting critical infrastructure that was built before the Internet, the orde |
Ransomware | Uber | |
|
2021-05-20 17:34:42 | Live From RSAC: AppSec\'s Future and the Rise of the Chief Product Security Officer (lien direct) |  Chris Wysopal, Co-Founder and CTO at Veracode, and Joshua Corman, Chief Strategist of Healthcare and COVID at CISA, presented at the 2021 RSA Conference on AppSec???s future and the need for a new Chief Product Security Officer (CPSO) role.
Wysopal started by quoting entrepreneur Marc Andreessen saying, ???Software is eating the world,??? to express just how much we rely on technology. From our iPhones and laptops to our cars and even our refrigerators ??ヲ software is everywhere.
If we look back at the rise of software, it was largely used originally to automate manual processes in the back office of businesses, like banking software for a teller. But now, we are using software to deliver products to a customer, like a mobile banking application. So as Wysopal stated, ???There???s not just more software. There are different kinds of software.???
And this software that???s being released as products to customers has added risk. Using the mobile banking application as an example, Wysopal noted that it???s riskier to use a customer-facing application to conduct your banking than it is to go to the bank and have a teller use the back-end software. More people have access to the mobile banking application, and anyone in the world could connect to the APIs.
And the risk associated with software products is only going to continue to grow. Consider the way we are creating apps now: APIs are the bloodstream. Each microservice, serverless, container, or public API is more attack surface. Applications that connect with social networking create more attack surface. Migrating to new software and forgetting to retire legacy software leads to more attack surface.
And there is risk with new software trends as well. For example, ubiquitous connectivity is the standard mode for any product now. Abstraction and componentization are also big trends. Instead of writing code, we now frequently use a library or write a script to instruct something else to be built. It???s great to build applications quickly, but it changes the way you have to think about security and supply chain.
That???s why we need a CPSO role, not just a Chief Information Security Officer (CISO). A CISO is concerned about compliance and protecting the company???s brand, but a CPSO would be responsible for managing product risk. Product risk spans so many departments ??? like engineering, compliance, supplier management, and information risk ??? and will likely span even more departments over the next few years. CISOs have too much on their plate to be able to take on product risk.
Corman mentions that many healthcare organizations have started adding a CPSO-type role to their organizations and others should follow suit. Especially given the increase in software breaches. As mentioned in our blog outlining Anne Neuberger???s RSAC address, cyberattacks have increased by 67 percent in the past five years. And many of these breaches ??? like SolarWinds and Microsoft Exchange ??? are having national security implications. In fact, the Biden administration recently released an executive order to safeguard U.S. cybersecurity. So having a role that is dedicated to managing product risk is not only beneficial but arguably essential.
For more summaries of RSA Conference 2021 sessions, check the Veracode Blog, |
Guideline | Uber | ★★ |
|
2021-05-20 16:59:46 | Live From RSAC: Is Digital Transformation Making AppSec Headless? (lien direct) |  Chris Wysopal, Veracode Co-Founder and CTO, recently sat down with Tom Field, ISMG Senior Vice President of Editorial, for an executive interview at the RSA Conference 2021 to discuss if digital transformations are making application security (AppSec) ???headless.???
Headless AppSec is an interesting concept. AppSec was traditionally part of the security role. But, as companies become increasingly digital, it???s too time-consuming for developers to hand off AppSec scans to security. To combat the hand-off, companies have been moving AppSec scans to the development role. But without the right processes in place and without security knowledge, AppSec scans can be just as laborious in the development phase. The ultimate goal is to make security ???headless??? or managed as part of code instead of a separate task.
The pandemic is definitely expediating this shift to headless AppSec. As Wysopal stated, ???There???s no doubt that Covid-19 has accelerated all the things that companies were doing anyway, but on a much longer path.??? Many companies were in the process of a digital transformation but ??? when the pandemic hit ??? they realized that in order to be competitive in the market, they needed to ramp up their shift to digital and move to the cloud for more flexibility.
The pandemic has also caused organizations to change the way that they???re building software. The market is more competitive than ever. So, to keep up, organizations need to iterate quickly and go to market faster. In fact, many organizations are coming up with a new feature in a day and going to production in a day. ツ?
But this speed is proving the need for headless AppSec. You can no longer have different teams building code, testing code, etc. You need to automate these processes and have them handled by one team. Ideally, the developers should be able to not only write code but also diagnose bugs and put fixes in place. ツ?For example, infrastructure itself is becoming very dynamic and programable. Consider the rise of microservices, container security, and Kubernetes. It???s pushing all the things operations used to do into code so that developers can control it.ツ?
Development and operations aren???t the only two functions that should be on the same team, security should be as well. Security tools should be put in the developer pipeline so they can remediate flaws without having to connect with security personnel.
Wysopal advocates for a security champions program to help train interested developers in security best practices. These developers can act as the voice of security on their scrum teams, eliminating the need for a security hand-off. And all security tools should be automated into the developers existing tools and processes so that they don???t have to spend additional time conducting AppSec scans.
This automation could open the door to machine learning and artificial intelligence. Machine learning thrives off data sets from automation. It can evaluate scan data and code that was previously remediated to come up with rules for auto-remediation. If AppSec scans are automated and remediation is automated, that would be the ultimate form of headless AppSec. According to Wysopal, auto-remediation is a very real possibility and we should be seeing it by the end of the year.
For more updates on the RSA Conference 2021, check out the Veracode Blog, daily. |
Uber | ★★★★ | |
|
2021-04-29 15:20:23 | Executive Order on Cybersecurity Is Imminent: It\'s Been a Long Time Coming (lien direct) |  Following President Biden???s address to Congress last night in which he referenced cybersecurity as a priority twice, news is circulating today that the executive order on cybersecurity is imminent. This news comes as a much awaited and long overdue step towards creating standardization and structure around cybersecurity.
Anne Neuberger, the deputy national security advisor for cyber and emerging technology, says the order will be like the National Transportation Safety Board, or NTSB, for cyber. ???What can we learn with regard to how we get advance warning of such incidents,??? she recently told reporters. She also notes that this executive order will be a starting point that should eventually trickle down to the consumer market as well. ???If we start incentivizing security, then companies, [and] the market will then inherently prioritize it because more people will buy the product,??? she says.
From my perspective, I am happy that this topic is finally coming full circle. In 2013, Chris Wysopal addressed this very topic in a keynote at RVASec where he discussed ???The Future of Government Sharing.???ツ?
In fact, Chris started creating awareness with the federal government 23 years ago when he and some colleagues from hacker thinktank the L0pht testified to Congress in efforts to expose the risks and threats of cybersecurity. Eight years later, I joined Chris when he launched Veracode to actually start solving the critical problem of software security ??? together we focused on helping developers and security teams on not just finding but also fixing vulnerabilities in their software (developed in-house, open source or third-party purchased).
Just last month on International Women???s Day, I sat down with The New York Times cybersecurity reporter Nicole Perlroth and OWASP board member Vandana Verma to discuss this topic at an RSA Conference Podcast ??? sharing that Veracode???s recent research revealed that 66 percent of applications fail to meet the OWASP Top 10 standards, meaning they have a major vulnerability. This highlights that there is work to be done and we must embed security testing into the software development lifecycle so, as developers write code, they write securely. In that discussion, Perlroth said, ???We can???t be trying to band-aid on these fixes after vulnerable code has already made its way to users, but also into critical infrastructure ??ヲ We need to think about security and security design from the start. We have to start bringing in security engineers from the very beginning.???
Part of making software more secure involves integrating security into the software development lifecycle and training developers. We should not expect secure code if we haven???t established clarity on what good looks like, equipped developers with the right guidance, the right knowledge, and the right tools.
The executive order has been a long time coming, and I hope it establishes what the right expectations and accountability should be. We must put structure and standardization around cyber and software security, and there are a number of great examples on how this has been done successfully. One of our customers, an educational software vendor, joined the Veracode Verified program in order to provide evidence of its security processes and |
Uber | ||
|
2021-04-19 09:05:28 | DevSecOps in Practice: How to Embed Security into the DevOps Lifecycle (lien direct) |  You???ve heard of DevOps. And by now, you???ve probably also heard of DevSecOps, which extends DevOps principles into the realm of security. In DevSecOps, security breaks out of its ???silo??? and becomes a core part of the DevOps lifecycle.
That, at least, is the theory behind DevSecOps. What???s often more challenging for developers to figure out is how to apply DevSecOps in practice. Which tools and processes actually operationalize DevSecOps? Until you can answer that question, DevSecOps will be just another buzzword.
To help bridge the gap between theory and practice, let???s walk through what DevSecOps means from a practical perspective, and how to go about embedding it into your development workflows.
DevSecOps, defined
If you???re familiar with DevOps (which encourages collaboration between developers and IT operations engineers in order to speed application delivery), then the meaning of DevSecOps is easy enough to understand. DevSecOps adds security operations teams into the equation so that they can collaborate seamlessly with developers and IT engineers.
DevSecOps places a DevOps spin on basic security concepts. Just as DevOps encourages continuous delivery, DevSecOps is all about continuous security ??? meaning the constant and holistic management of security across the software development lifecycle. Similarly, DevSecOps encourages continuous improvement in the realm of security ??? meaning that no matter how secure you believe your environment is, you should always be looking for ways to improve your security posture even further.
DevSecOps in practice
These are all great ideas to talk about, and it???s easy to see why they are valuable. Security postures are indeed stronger when developers, IT engineers, and security engineers work together, rather than working in isolation. It???s much easier to optimize security when developers prioritize security with every line of code they write, and when IT engineers think about the security implications of every deployment they push out, rather than viewing security as something that someone else will handle down the line.
The big question for teams that want to embrace DevSecOps, though, is how to go about putting these ideas into practice. That???s where things can get tougher. There is no simple methodology that allows you to ???do??? DevSecOps. Nor is there a specific tool that you can deploy or a particular role that you can add to your team.
Instead, operationalizing DevSecOps means building holistic combinations of processes and tools that make it possible to integrate security into DevOps workflows. While the best approach to this will vary from team to team, the following are some general best practices for implementing DevSecOps.
Scanning early and often
One basic step toward implementing DevSecOps is to ensure that you perform security tests and audits at the beginning of the software delivery pipeline. You don???t want to wait until code is written and built to start testing it for flaws (and you certainly don???t want to let it get into production before testing it). Instead, you should be scanning code as it is written, by integrating security tooling directly into your IDEs if possible.
Importantly, security scanning should continue as code ???flows??? down the pipeline. You should scan your test builds and application release candidates before deployment. Security monitoring and auditing should also continue once code is in production.
Automation
Automation is a founding principle of DevOps, and it???s just as important to DevSecOps. Automation not only makes processes faster and more efficient, but also helps reduce friction between the different stakeholders in DevSecOps |
Tool | Uber | ★★★ |
|
2020-10-29 13:04:48 | A Software Security Checklist Based on the Most Effective AppSec Programs (lien direct) |  Veracode???s Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.
As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report.
Application security controls are highly integrated into the CI/CD toolchain.
In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.
Application security best practices are formally documented.
In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.
Application security training is included as part of the ongoing development security training program.
Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don???t receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team.
Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs ??? such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they???re completing their training, they???ll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices.
Ongoing developer security training includes formal training programs, and a high percentage of developers participate.
At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production.
Accordin |
Tool Vulnerability Guideline | Uber |
1
We have: 6 articles.
We have: 6 articles.
To see everything:
Our RSS (filtrered)
