What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode 2022-10-04 11:20:28 How to See Yourself in Cyber: Top Tips from Industry Leaders (direct link) It's 2022 and as we all know, the world is a very different place. However, one thing that has not changed is the importance of cybersecurity. In fact, it's more important now than ever before, as the SolarWinds hack and Executive Order prove. That's why for Cybersecurity Awareness Month this year, we asked cybersecurity pioneers and leaders to get their insights on staying cyber safe. Here are their thoughts on CISA's 4 Things You Can Do to See Yourself in Cyber. Enable Multi-Factor Authentication “With the continued rise in cybercrime, there are a few simple steps every person should take to protect themselves, if they aren't already. CISA's first recommended step to stay 'cyber-safe' is to implement multi-factor authentication. It significantly lessens the likelihood of being hacked via unauthorized access and compromised credentials, which, according to Verizon's 2021 Data Breach Investigations Report, were the gateway for 61% of data breaches. Enabling multi-factor… Data Breach Hack Guideline ★★
Veracode 2021-11-02 14:09:27 Champion Spotlight: Cris Rodriguez (direct link) This interview was cross-posted from the Veracode Community. Join us in congratulating Cris, the latest Secure Code Champion in the Veracode Community! The Secure Code Champion is an award that recognizes individuals with three championships in the Veracode Community's Secure Coding Challenge competitions. Cris is a principal-level Application Security engineer in a large global travel technology company. In this role, he focuses on application penetration testing and setting the strategy for migrating their apps over to Google Cloud. Before entering the security space, he was a software developer for five years. In this interview, we asked Cris about this experience participating in the Secure Coding Challenges and his career change story. He talked about how he made the career switch from a developer to become a security engineer, and what he thinks is important for someone to be successful in this role. For developers considering a similar career move, he also shared the resources that he found most helpful. About Your Experience in the Secure Coding Challenge What brought you to the Secure Coding Challenge? I got an email about the competition and I enjoy a good challenge. What did you find most valuable in participating in the Challenge? Since there were multiple languages, we were able to experience different solutions for a single bug class. That was helpful since most companies use many languages for their apps. What's your suggestion for participants to stand out in the competition? Trust your instincts and be familiar with using a command line and coding project directory tree. As a security engineer, you'll need to be able to dig into your organization's code if you want to be able to help your developers succeed. About Your Experience Becoming a Security Engineer How have you grown from a software developer into a Security engineer?
What are the skillsets and knowledge required for this career change? How did you acquire those skills? I was a software developer for five years before I switched over to security. When I made the switch, I was focusing on penetration so I read as many bug bounty write-ups as I could find and watched many more YouTube tutorials. Hack The Box and Pentester Academy have been very helpful in my learnings. What are the top 3 qualities of a successful security engineer? Attention to detail: We are looking for bugs in code that work so you have to understand what makes a component vulnerable. Communication: The developers are going to push back sometimes so being able to communicate with them is key. Vulnerability Knowledge: When the developers push back on a vulnerability you really need to have the knowledge of why it is important to fix it. It also helps if you can demonstrate how the vulnerability can be exploited. Is there any tool, resource, forum/meet-up, or course you'd recommend for developers looking to break into the security world? Read the disclosed write-ups at HackerOne and Bugcrowd. Also, here is a link to a great repo that gathered a lot of write-ups. https://github.com/devanshbatham/Awesome-Bugbounty-Writeups Questions about becoming a security engineer? Or, if you're a fellow security engineer, let's connect! You can follow me on Twitter @Nimbus689 or connect with me on LinkedIn. https://www.linkedin.com/mwlite/in/cristobal-rodriguez-03b3b079 Hack Vulnerability
Veracode 2021-06-29 11:30:29 Speed or Security? Don't Compromise (direct link) “Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff's words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital. In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems. A lack of an efficient and flexible AppSec program becomes an issue when you look at the data: Cyberattacks occur every 39 seconds. 60 percent of developers are releasing code 2x faster than before. 76 percent of applications have at least one security flaw on first scan. 85 percent of orgs admit to releasing vulnerable code to production because of time restraints. A mere 15 percent of orgs say that all of their development teams participate in formal security training. But there's good news, too. We know from our annual State of Software Security report that frequent scanning with the right tools in the right parts of your software development lifecycle can help your team close security findings much faster. For example, scanning via API alone cuts remediation time for 50 percent of flaws by six days, slamming that window of opportunity shut for cyberattackers. The Veracode Static Analysis family helps you do just that. It plugs into critical parts of your software development lifecycle (SDLC), providing automated feedback right in your IDE and pipeline so that your developers can improve the quality of their code while they work. You can also run a full policy scan before deployment to understand what your developers need to focus on and to prove compliance.
Together, these scans throughout My Code, Our Code, and Production Code boost quality and security to reduce the risk of an expensive and time-consuming breach down the road. Automation and developer education In addition to having the right scans in the right places, there are supporting steps you can take to ensure the quality of your code without sacrificing speed. Automation through integrations is an important piece of the puzzle because it speeds everything up and boosts efficiency. The automated feedback from Veracode Static Analysis means your team of developers has clear insight into existing flaws so they can begin prioritization to eliminate the biggest risks first. Automation also sets the standard for consistency which, as you go, improves speed. Developer education also helps close gaps in information and communication with security counterparts so that they can work towards a common goal. It goes both ways – if the security leaders at your organization can walk the walk and talk the talk of the developer, everyone will have an easier time communicating goals and solving security problems. One way to close those gaps is through hands-on developer education with a tool like Veracode Security Labs. The platform utilizes real applications in contained environments that developers can hack or patch in real-time so that they learn to think like an attacker and stay one step ahead. Like Static Analysis, Security Labs helps meet compliance needs too, with customized education in the languages your developers use most. The prioritization conundrum Security debt can feel like a horror movie villain as it lingers in the background. But it isn't always teeming with high-risk flaws that should be tackled first, and so it's important to carefully consider how to approach prioritization. 
A recent analyst report, Building an Enterprise DevSecOps Program, found that everything can feel like a priority: “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which Hack Tool Vulnerability Guideline
Veracode 2020-08-06 17:05:49 Live from Black Hat: Hacking Public Opinion with Renée DiResta (direct link) Psychological operations, or PsyOps, is a topic I've been interested in for a while. It's a blend of social engineering and marketing, both passions of mine. That's why I found the keynote by Renée DiResta, Research Manager at the Stanford Internet Observatory, particularly interesting. The Internet Makes Spreading Information Cheap & Easy Disinformation and propaganda are old phenomena that can be traced back to the invention of the printing press – and arguably before then. With the advent of the Internet, the cost of publishing dropped to zero. There are no hosting costs on certain platforms, but especially in the beginning, the blogosphere was very decentralized, and it was hard to get people to read your content. With the rise of social media, you can share your content and it can become viral. At the same time, content creation becomes easier. All of this eliminates cost barriers and gatekeepers. State Actors “Hack” Our Opinions As social media platforms matured, the algorithms that curate content become more and more sophisticated. They are trying to group people and deliver personalized targeting of content, which allows adversaries to analyze and game the algorithms. Renee State actors don't just influence, they start hacking public opinion, which involves fake content producers and fake accounts. They can do this more effectively because they understand the ecosystem extremely well, typically applying one of four tactics, sometimes in combination: Distract: Taki Hack APT 28 ★★★★★
Veracode 2020-08-05 13:33:41 Live From Black Hat: Stress-Testing Democracy - Election Integrity During a Global Pandemic with Matt Blaze (direct link) Technology and elections are heavily interrelated – but it wasn't always that way. We started to adopt technology once we weren't able to fit everyone into a town hall. The first piece of technology was simply a piece of paper and a ballot box. We may not think of it as technology, but the ballot box can be tampered with. That technology gave us ballot secrecy, a trait that a hand-raise in the town hall didn't. This raised the bar to a level that is expected from other voting technologies since then, which can be tougher with voting machines and electronic evaluation of ballot boxes. Our confidence in the outcome of an election depends on the integrity of the methodology we use to do this. Stress Testing Democracy at Black Hat 2020 Matt Blaze, this year's Black Hat keynote speaker, is a researcher in the areas of secure systems, cryptography, and trust management. He is currently the McDevitt Chair of Computer Science and Law at Georgetown University. Blaze has been working on election security for years. He's never encountered a problem bigger and more complex than democratic elections. The reason for this is that the requirements are contradictory: We don't want to be able to figure out how someone voted, but we want transparency into whether or not our vote was counted as cast and that the system is not corrupted. The paper ballot box seems to do this pretty well, and other technology solutions require you to be a lot more clever. Another snag is that you cannot recover from a bad election very easily. You can't redo it easily before the term is up. U.S. voting is highly decentralized Hack ★★★★★
Veracode 2020-07-30 10:25:39 Announcing Veracode Security Labs Community Edition (direct link) We recently partnered with Enterprise Strategy Group (ESG) to survey software development and security professionals about modern application development and how applications are tested for security. The soon-to-be-announced survey found that 53% of organizations provide security training for developers less than once a year, which is woefully inadequate for the rapid pace of change in software development. At the same time, 41% say that it's up to security analysts to educate developers to try to prevent them from introducing significant security issues. So, where's the disconnect? Communication breakdowns and misaligned training priorities between security and development teams are part of the problem. As developers are being asked to “Shift Left” to take on more responsibility for secure code earlier in the software development lifecycle, it's increasingly more important for developers to get the training they need to not just create world-class applications – ones that have security designed in from the beginning. Enterprise-grade tools for all developers Veracode Security Labs Enterprise Edition is perfect for engineering teams, but we wanted every individual developer to have access to the same quality of training, from casual hobbyists to professionals interested in improving their secure coding skills. I'm excited to announce Veracode Security Labs Community Edition, where developers worldwide can hack and patch real applications to learn the latest tactics and security best practices with guidance while exploring actual code on their own time; and it's free! With Veracode Security Labs Community Edition, you now have the tools you need to close any gaps in security knowledge that are holding you back.
It's a module that fits within the Veracode Developer Training product family, featuring tools and robust programs built with interactivity in mind so that developers can get their hands on a practical training tool at a moment's notice. Here are the differences between the Community Edition and Enterprise Edition: Security Labs Editions While the Enterprise Edition has features that support the efforts of development teams with full compliance-based curricula, rollout strategies, and progress reporting, the Community Edition offers selected topics and one-off labs for individuals who are looking to strengthen their security knowledge. Though there are differences that enable scalability for organizations and teams, the benefits for individual developers remain the same: The ability to exploit and remediate real-world vulnerabilities to learn what to look for in insecure code. Fast and relevant remediation guidance in the context of the most popular programming languages. Easy and fun hands-on training that provides professional growth. Improved security knowledge while building confidence through interactive trial and error. When you practice breaking and fixing real applications using real vulnerabilities, you become a sharper, more efficient developer – especially with a variety of challenges to choose from as you go. We plan to expand the number of labs and challenges over time but initially, the Community Edition will cover topics ranging from beginner to advanced, including: Hack Tool Vulnerability ★★★★
Last update at: 2024-06-28 20:07:49