What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-09-05 15:20:59 | Gestion de l'accès au stockage: séries de développement du cloud-natif sécurisé Managing Storage Access: Secure Cloud-native Development Series (lien direct) |
Créez des applications sécurisées dans le cloud-natives en évitant les cinq premiers pièges de sécurité que nous présentons dans notre série de développement Secure Cloud-Native.Ce blog est la troisième partie de la série, et il vous apprendra comment sécuriser le stockage cloud et gérer les contrôles d'accès sur les seaux S3.
Chaque fournisseur de cloud a géré les services de stockage que votre organisation utilise probablement probablement.Le stockage cloud tel que Amazon Simple Storage Service (Amazon S3) ou Azure Storage Tools sont étroitement intégrés dans les autres services gérés, ce qui le rend simple à gérer.Nous discuterons spécifiquement du service de stockage S3 d'Amazon \\ et de la façon dont il se rapporte au développement sécurisé du cloud-natif.
Une introduction à la configuration du stockage et du contrôle d'accès en cloud sécurisé
Amazon a récemment affronté le cryptage par défaut du serveur (SSE) pour tous les utilisateurs utilisant AES-256.Bien que très probablement, nous (ou du moins aurions du moins dû) avait un cryptage allumé, c'est maintenant une chose de moins à s'inquiéter.De plus, des outils tels que Terraform peuvent…
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the third part of the series, and it will teach you how to secure cloud storage and handle access controls on S3 buckets. Each cloud provider has managed storage services that your organization is already probably utilizing. Cloud storage such as Amazon Simple Storage Service (Amazon S3) or Azure storage tools are tightly integrated into the other managed services which makes it simple to manage. We will discuss specifically Amazon\'s S3 storage service and how it relates to secure cloud-native development. An Introduction to Secure Cloud Storage and Access Control Configuration Amazon recently turned-on default server-side encryption (SSE) for all users using AES-256. Though most likely we already (or at least should have) had encryption turned on, it\'s now one less thing to worry about. Additionally, tools such as Terraform can… |
Tool Cloud | ★★ | |
|
2023-08-28 14:07:53 | Comment activer la journalisation : série de développement sécurisé cloud-native How to Enable Logging: Secure Cloud-native Development Series (lien direct) |
Créez des applications cloud natives sécurisées en évitant les cinq principaux pièges de sécurité que nous décrivons dans notre série de développement sécurisé cloud natif.Ce blog est la deuxième partie de la série et il vous apprendra comment et pourquoi activer la journalisation dès le début.
Nous allons parler de l'activation de la journalisation (cloud logging, pour être précis).Quelle est la différence?Pas grand chose, à part le fait qu'il s'agit d'un autre service géré intégré aux outils que nous devrions déjà utiliser.
Pourquoi activer la journalisation ?
Tous les développeurs/ingénieurs savent que nous avons besoin de journalisation.Mais d'autres priorités contradictoires et contraintes de temps font parfois obstacle, et cela devient un « nous ferons cela lors du prochain sprint ».J'ai travaillé sur le côté ingénierie ainsi que sur le côté sécurité, où je devais traquer les problèmes de réseau/d'application ou les incidents de sécurité, pour découvrir que nous n'avions pas de journaux ou de journalisation activés sur des services spécifiques.
L'activation de la journalisation peut être comparée à notre propre santé.Même quand nous sommes jeunes, nous…
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the second part of the series, and it will teach you how and why to enable logging from the start. We\'re going to talk about enabling logging (cloud logging, to be specific). What\'s the difference? Not much, other than the fact that it\'s another managed service integrated with the tools we should already be utilizing. Why Enable Logging? All developers/engineers know we need logging. But other conflicting priorities and time constraints get in the way sometimes, and it becomes a “we\'ll do that on the next sprint”. I have worked on the engineering side of things as well as the security side, where I needed to track down network/application issues, or security incidents, only to find that we didn\'t have logs or logging enabled on specific services. Enabling logging can be compared to our own health. Even when we are young, we… |
Tool | ★★ | |
|
2023-08-21 10:25:54 | Les chercheurs en sécurité partagent des idées sur les sujets et les tendances du Black Hat 2023 Security Researchers Share Insights on Black Hat 2023 Topics and Trends (lien direct) |
Choquant à personne: l'intelligence artificielle (AI) était un énorme sujet chez Black Hat USA 2023, mais qu'avons-nous appris à ce sujet?Sans défaut de discussions à ce sujet, il y a de nombreuses informations à prendre en compte.Nous avons demandé aux chercheurs de sécurité logicielle hautement qualifiés qui ont assisté à la fois Black Hat et DefCon pour peser sur les moments les plus perspicaces, en particulier liés à l'IA.Voici ce que nous avons trouvé.
L'IA est une épée à double tranchant pour la sécurité
L'IA présente à la société une épée à double tranchant (surtout en ce qui concerne la cybersécurité).John Simpson, chercheur principal en sécurité, explique: «L'IA est clairement le sujet brûlant;Chez Black Hat et Defcon, l'accent a été mis sur les dangers mais aussi pour parler importants de son utilité potentielle. »
L'interaction complexe entre les avantages et les risques de l'AI \\ souligne la complexité de notre âge numérique en évolution rapide.D'une part, les attaquants utilisent l'IA pour améliorer leurs capacités d'exploitation.À l'inverse, nous sommes en mesure d'améliorer les défenses avec l'IA via des outils…
Shocking to no one: Artificial Intelligence (AI) was a huge topic at Black Hat USA 2023, but what did we learn about it? With no shortage of talks on it, there are many insights to take into account. We asked highly skilled Software Security Researchers who attended both Black Hat and DEFCON to weigh-in on the most insightful moments, particularly related to AI. Here\'s what we found. AI is a Double-edged Sword for Security AI presents society with a double-edged sword (especially when it comes to cybersecurity). John Simpson, Senior Security Researcher, explains: “AI is clearly the hot topic; at both Black Hat and DEFCON there was a lot of emphasis on the dangers but also significant talk about its potential usefulness.” The intricate interplay between AI\'s benefits and risks underscores the complexity of our rapidly evolving digital age. On the one hand, attackers are using AI to enhance their exploit capabilities. Conversely, we are able to enhance defenses with AI through tools… |
★★ | ||
|
2023-08-17 13:01:00 | Amélioration de la sécurité du code avec une AI générative: Utilisation de la correction de Veracode pour sécuriser le code généré par Chatgpt Enhancing Code Security with Generative AI: Using Veracode Fix to Secure Code Generated by ChatGPT (lien direct) |
L'intelligence artificielle (IA) et le codage compagnon peuvent aider les développeurs à écrire des logiciels plus rapidement que jamais.Cependant, alors que les entreprises cherchent à adopter un codage compagnon propulsé par l'IA, elles doivent être conscientes des forces et des limites des différentes approches & # 8211;en particulier en ce qui concerne la sécurité du code.
Regardez cette vidéo de 4 minutes pour voir un développeur générer du code non sécurisé avec ChatGpt, trouvez la faille avec une analyse statique et sécurisez-la avec Veracode Fix pour développer rapidement une fonction sans écrire de code.
La vidéo ci-dessus expose les nuances de la sécurité générative du code AI.Alors que les outils de codage compagnon généraliste comme ChatGpt Excel dans la création de code fonctionnel, la qualité et la sécurité du code sont souvent insuffisantes.Des solutions spécialisées comme le correctif Veracode construit pour exceller dans le code d'insécurité de remédiation apportent une compétence de sécurité vitale à une IA générative.En utilisant des outils généralistes et spécialisés en collaboration, les organisations peuvent permettre à leurs équipes d'accélérer le développement de logiciels qui rencontre fonctionnellement et…
Artificial Intelligence (AI) and companion coding can help developers write software faster than ever. However, as companies look to adopt AI-powered companion coding, they must be aware of the strengths and limitations of different approaches – especially regarding code security. Watch this 4-minute video to see a developer generate insecure code with ChatGPT, find the flaw with static analysis, and secure it with Veracode Fix to quickly develop a function without writing any code. The video above exposes the nuances of generative AI code security. While generalist companion coding tools like ChatGPT excel at creating functional code, the quality and security of the code often falls short. Specialized solutions like Veracode Fix built to excel at remediation insecure code bring a vital security skillset to generative AI. By using generalist and specialist AI tools in collaboration, organizations can empower their teams to accelerate software development that meets functional and… |
Tool | ChatGPT ChatGPT | ★★ |
|
2023-08-07 17:05:41 | Trouver des défauts de sécurité dans vos applications Dart et Flutter: Veracode étend la prise en charge de la sécurité des applications mobiles Find Security Flaws in Your Dart & Flutter Applications: Veracode Expands Mobile Application Security Support (lien direct) |
Veracode a récemment publié un support d'analyse statique pour Dart 3 et Flutter 3.10.Cela permet aux développeurs de tirer parti de la puissance de Dart et de Flutter et de fournir des applications mobiles plus sécurisées en trouvant et en résolvant les défauts de sécurité plus tôt dans le cycle de vie du développement lorsqu'ils sont les plus rapides et les moins coûteux à corriger.La version a également élargi le support étendu de Veracode \\ couvrant plus de 100 langues et cadres, et nous avons pensé qu'il présentait une bonne occasion de plonger dans le sujet du support linguistique: comment nous priorisons les langues pour soutenir, le processus de recherche et ce qui se passe réellement dansDéveloppement du soutien, sur quoi l'équipe travaille actuellement sur & # 8211;et comment les clients peuvent influencer cette direction à travers notre portail d'idées communautaires.
Comment Veracode priorise-t-il les langages et les cadres à prendre en charge?
Il y a plus de langues et de cadres que de ressources et de temps pour les soutenir.Cela signifie que la hiérarchisation est essentielle.Veracode adopte une approche très considérée pour sélectionner…
Veracode recently released Static Analysis support for Dart 3 and Flutter 3.10. This makes it possible for developers to leverage the power of Dart and Flutter and deliver more secure mobile applications by finding and resolving security flaws earlier in the development lifecycle when they are fastest and least expensive to fix. The release also expanded Veracode\'s extensive support covering over 100 languages and frameworks, and we thought it presented a good opportunity to dive into the topic of language support: how we prioritize languages to support, the research process and what goes into actually developing support, what the team is currently working on – and how customers can influence that direction through our Community Ideas Portal. How Does Veracode Prioritize Languages and Frameworks to Support? There are more languages and frameworks than resources and time to support them. This means prioritization is key. Veracode takes a highly considered approach to selecting… |
★★ | ||
|
2023-07-27 17:23:34 | Pourquoi SCA est essentiel pour sécuriser la chaîne d'approvisionnement des logiciels Why SCA is Critical for Securing the Software Supply Chain (lien direct) |
Les faiblesses au sein des chaînes d'approvisionnement logicielles créent un pied pour l'exploitation des cyberattaques.Le problème est si important que même la Maison Blanche a publié un décret exécutif qui parle directement sur ce sujet.«Le gouvernement fédéral doit prendre des mesures pour améliorer rapidement la sécurité et l'intégrité de la chaîne d'approvisionnement des logiciels», indique catégoriquement le décret.Maintenant, vous vous demandez peut-être ce que votre organisation peut faire pour atténuer ce risque.Laissez \\ plonger dans la compréhension des risques dans la chaîne d'approvisionnement des logiciels et les solutions actuellement disponibles pour améliorer la sécurité de votre chaîne d'approvisionnement et la posture globale de cybersécurité.
Comprendre le risque dans la chaîne d'approvisionnement des logiciels
Pour comprendre les risques dans la chaîne d'approvisionnement des logiciels, il faut comprendre ses composants.Ces composants incluent le code source, le contrôle de version, les systèmes de construction, les dépendances, le déploiement de test, l'intégration continue / déploiement continu (CI / CD), la gestion des versions et la surveillance.Chacun de ces composants a différent…
Weaknesses within software supply chains create a foothold for exploitation from cyberattacks. The problem is so significant that even the White House released an Executive Order that speaks directly on this topic. “The Federal Government must take action to rapidly improve the security and integrity of the software supply chain,” states the Executive Order emphatically. Now, you may be wondering what your organization can do to mitigate this risk. Let\'s dive into understanding risk in the software supply chain and the solutions currently available for improving your supply chain security and overall cybersecurity posture. Understanding Risk in the Software Supply Chain To understand risk in the software supply chain, one must understand its components. These components include source code, version control, build systems, dependencies, testing deployment, continuous integration/continuous deployment (CI/CD), release management, and monitoring. Each of these components has different… |
★★ | ||
|
2023-07-20 11:35:59 | SBOM a expliqué: comment SBOMS améliore la sécurité des applications natives dans le cloud SBOM Explained: How SBOMs Improve Cloud-native Application Security (lien direct) |
Un stupéfiant 96% des organisations utilisent des bibliothèques open source, mais moins de 50% gèrent activement les vulnérabilités de sécurité au sein de ces bibliothèques.Les vulnérabilités sont les bienvenus pour violations des mauvais acteurs, et une fois qu'ils ont entré votre système, l'impact peut être colossal.Une facture de matériel logiciel (SBOM) est un outil important pour gérer la sécurité des logiciels open source.Ici, nous explorerons comment les SBOMS aident les organisations à comprendre ce qui est dans leurs applications, à garantir la conformité réglementaire et à gérer le risque global.
Où les SBOM s'inscrivent-ils dans le programme de sécurité de votre application?
Considérez un SBOM comme une loupe qui vous permet de voir de plus près ce qui se passe dans vos applications natives dans le cloud.Les SBOMS fournissent une vue détaillée des composants open source que les développeurs et les professionnels de la sécurité peuvent utiliser pour comprendre la sécurité des bibliothèques et des dépendances tierces utilisées dans une application.Avec ces informations, les équipes peuvent créer des campagnes de cyber-hygiène contre connu…
A staggering 96% of organizations utilize open-source libraries, yet fewer than 50% actively manage the security vulnerabilities within these libraries. Vulnerabilities are welcome mats for breaches from bad actors, and once they\'ve entered your system, the impact can be colossal. A software bill of materials (SBOM) is an important tool for managing the security of open-source software. Here we will explore how SBOMs help organizations understand what\'s in their applications, ensure regulatory compliance, and manage overall risk. Where Do SBOMs Fit in Your Application Security Program? Think of an SBOM as a magnifying glass that allows you to get a closer look at what goes on in your cloud-native applications. SBOMs provide a detailed view of open-source components that developers and security professionals can use to understand the security of third-party libraries and dependencies used in an application. With that information, teams can create cyber hygiene campaigns against known… |
Tool Vulnerability | ★★★ | |
|
2023-07-12 11:17:50 | Améliorer la visibilité, les rapports et l'automatisation avec l'API de rapports de Veracode \\ Improve Visibility, Reporting, and Automation With Veracode\\'s Reporting API (lien direct) |
Un programme de sécurité de haut niveau exploite les données pour stimuler l'optimisation & # 8211;En satisfaisant efficacement les exigences de gouvernance, de rapport et de conformité (GRC), en créant une visibilité pour une hiérarchisation fondée sur les risques et en tirant parti de l'automatisation tout au long du cycle de vie du développement logiciel.Souvent, cependant, les données nécessaires pour conduire ces processus sont réparties sur un écosystème complexe.Heureusement, des solutions comme la nouvelle API de rapport de Veracode \\ offrent une extensibilité des données, ce qui vous permet de tirer parti des données de test de sécurité d'application riche au-delà de la plate-forme Veracode.
Voici trois exemples de la façon dont vous pouvez tirer parti de la nouvelle API de reporting de Veracode \\ pour simplifier les rapports, améliorer l'assistance à la décision et conduire l'automatisation dans votre programme DevSecops.
Utilisation de l'extensibilité des données de test de sécurité des applications pour la visibilité et les rapports centralisés
Rarement, une seule plate-forme ou une seule solution génère toutes les données pertinentes pour un programme DevSecops de l'organisation.Cela signifie que les consommateurs des données non plus…
A high-functioning security program leverages data to drive optimization – by satisfying governance, reporting, and compliance (GRC) requirements efficiently, creating visibility for risk-based prioritization, and leveraging automation throughout the software development lifecycle. Often, however, the data needed to drive these processes is spread across a complex ecosystem. Fortunately, solutions like Veracode\'s new Reporting API provide data extensibility making it easy for you to leverage your rich application security testing data beyond the Veracode platform. Here are three examples of how you can leverage Veracode\'s new Reporting API to simplify reporting, improve decision support, and drive automation in your DevSecOps program. Using Application Security Testing Data Extensibility for Centralized Visibility and Reporting Rarely does a single platform or solution generate all the data relevant to an organization\'s DevSecOps program. This means consumers of the data either… |
★★ | ||
|
2023-07-10 12:57:59 | Comment décider si la vulnérabilité a augmenté How to Decide Whether Vulnerability Remediation Augmented by Generative AI Reduces or Incurs Risk (lien direct) |
Les fournisseurs de sécurité logicielle appliquent une IA générative aux systèmes qui suggèrent ou appliquent des corrections pour les vulnérabilités logicielles.Cette technologie offre aux équipes de sécurité les premières options réalistes pour gérer la dette de sécurité à grande échelle tout en montrant aux développeurs l'avenir qui leur avait été promis;où le travail vise à créer une valeur utilisateur au lieu de faire boucler à un ancien code qui génère de nouveaux travaux.Cependant, il y a certaines préoccupations concernant les risques d'utilisation de l'IA génératrice pour augmenter l'assainissement de la vulnérabilité.Laissez \\ explorer ce paysage en évolution rapide et comment vous pouvez récolter les avantages sans encourir les risques.
Ce qui risque de générer des solutions de remédiation de vulnérabilité augmentée en AI pourrait poser
Les défis juridiques à l'approvisionnement des données exposent le risque de formation des modèles d'IA génératifs sur tous les code.Malheureusement, cela n'a pas empêché de nombreux fournisseurs de prendre la position qu'un modèle formé sur le code open-source est suffisamment à l'abri des problèmes de provenance de l'IP et du code.
Tout le code n'est pas également…
Software security vendors are applying Generative AI to systems that suggest or apply remediations for software vulnerabilities. This tech is giving security teams the first realistic options for managing security debt at scale while showing developers the future they were promised; where work is targeted at creating user value instead of looping back to old code that generates new work. However, there are certain concerns with the risks of utilizing Generative AI for augmenting vulnerability remediation. Let\'s explore this rapidly evolving landscape and how you can reap the benefits without incurring the risks. What Risks Generative AI Augmented Vulnerability Remediation Solutions Could Pose Legal challenges to data sourcing expose the risk of training Generative AI models on all code. Unfortunately, that hasn\'t stopped many vendors from taking the position that a model trained on open-source code is sufficiently safe from IP and code provenance concerns. Not all code is equally… |
Vulnerability | ★★ | |
|
2023-06-28 15:47:09 | Comment réduire mesurablement le risque de sécurité des logiciels avec le correctif veracode How to Measurably Reduce Software Security Risk with Veracode Fix (lien direct) |
Veracode Fix est désormais disponible en complément à l'analyse statique Veracode pour les clients sur l'instance nord-américaine.La disponibilité des clients sur les instances EMEA et Fedramp de Veracode \\ sera bientôt!
À partir de près de deux décennies de sécurisation de logiciels, nous savons que la fixation des défauts, pas seulement les trouver, c'est ce qui a un impact profond sur la posture de sécurité.Cependant, Fixing Flaws est l'un des plus grands défis auxquels les équipes sont confrontées en ce qui concerne la sécurité des applications ... jusqu'à présent.Veracode Fix marque un bond en avant dans la sécurité des logiciels;Il déplace le paradigme des outils de test de sécurité des applications qui trouvent des défauts à des solutions intelligentes qui génèrent des correctifs.Voici comment vous pouvez gagner du temps et sécuriser davantage avec les correctifs générés par AI-Genera, les développeurs peuvent facilement consulter et implémenter sans écrire manuellement de code.
Le problème: trop de temps.Trop peu de sécurité.
Si nous regardons les workflows de correction actuels, les développeurs sont souvent invités à passer du temps qu'ils n'ont pas, en fixant des défauts, ils ne sont pas…
Veracode Fix is now available as an add-on to Veracode Static Analysis for customers on the North American instance. Availability for customers on Veracode\'s EMEA and FedRAMP instances will be coming soon! From nearly two decades of securing software, we know that fixing flaws, not just finding them, is what makes a profound impact on security posture. However, fixing flaws is one of the greatest challenges teams face when it comes to application security...until now. Veracode Fix marks a major leap forward in software security; it shifts the paradigm from application security testing tools that find flaws to intelligent solutions that generate fixes. Here\'s how you can save time and secure more with AI-generated fixes developers can easily review and implement without manually writing any code. The Problem: Too much time. Too little security. If we look at the current remediation workflows, developers are often asked to spend time they don\'t have, fixing flaws they don\'t… |
★★ | ||
|
2023-06-21 14:48:11 | Sécurité des logiciels du secteur public deux ans après le décret exécutif de la cybersécurité Public Sector Software Security Two Years After Cybersecurity Executive Order (lien direct) |
Lorsque le secteur public gagne, nous gagnons tous.L'enracinement pour la sécurité du logiciel du secteur public est quelque chose qui vient naturellement à Veracode.Les agences fédérales s'attaquent à un travail incroyablement difficile, et la voie du succès est significative pour nous tous & # 8211;Quelle que soit notre secteur ou notre industrie.La pression pour la sécurité des logiciels est venue via des exigences spécifiques dans le décret exécutif sur l'amélioration de la cybersécurité de la nation en 2021. Ici \\ est un aperçu de la façon dont la sécurité des logiciels du secteur public fait deux ans plus tard.
Une brève expérience sur le décret exécutif sur la cybersécurité
Nous pensons que la libération du décret (EO) sur la cybersécurité en mai 2021 est longue à venir (regardez notre co-fondateur expliquer pourquoi).Ce qui nous ressort vraiment dans cet EO, c'est à quel point il est orienté vers l'action.L'OE est spécifique sur les types de contrôles de sécurité Les agences gouvernementales doivent adhérer, et il comprend également ce qu'il faut rechercher chez les fournisseurs de logiciels vendus aux agences gouvernementales.
Un élément clé de l'EO est le zéro…
When the Public Sector wins, we all win. Rooting for the security of Public Sector software is something that comes naturally to Veracode. Federal agencies are tackling an incredibly difficult job, and the road to success is meaningful to us all – regardless of our sector or industry. The push for software security came strongly via specific requirements in the Executive Order on Improving the Nation\'s Cybersecurity in 2021. Here\'s a look at how Public Sector software security is doing two years later. A Brief Background on the Executive Order on Cybersecurity We believe the release of the Executive Order (EO) on Cybersecurity in May of 2021 is a long time coming (watch our co-founder explain why). What really stands out to us about this EO is how action-oriented it is. The EO gets specific about types of security controls government agencies must adhere to, and it also includes what to look for in software vendors selling to government agencies. A key element of the EO is the Zero… |
★★ | ||
|
2023-06-20 14:45:25 | L'art de réduire la dette de sécurité en 3 étapes clés The Art of Reducing Security Debt In 3 Key Steps (lien direct) |
Introduction
Dans le paysage en constante évolution des menaces numériques et des défis de la cybersécurité, les organisations sont confrontées à un fardeau important connu sous le nom de dette de sécurité.Tout comme la dette financière, la dette de sécurité revient lorsque les organisations compromettent les mesures de sécurité en faveur des mesures de commodité, de vitesse ou de réduction des coûts.Au fil du temps, cette dette accumulée peut présenter de graves risques pour les données, la réputation et la stabilité globale de l'organisation.Cependant, avec une approche stratégique et un engagement envers les pratiques de sécurité proactives, les organisations peuvent réduire efficacement leur dette de sécurité.Dans cet article de blog, nous explorerons l'art de réduire la dette de sécurité en trois étapes clés, permettant aux organisations de renforcer leur posture de sécurité et de protéger leurs précieux actifs.
Étape 1: évaluer et hiérarchiser les risques de sécurité
La première étape dans la réduction de la dette de sécurité consiste à effectuer une évaluation approfondie des risques de sécurité de votre organisation.Cela implique d'identifier les vulnérabilités, d'évaluer la sécurité existante…
Introduction In the ever-evolving landscape of digital threats and cybersecurity challenges, organizations face a significant burden known as security debt. Just like financial debt, security debt accrues when organizations compromise security measures in favor of convenience, speed, or cost-cutting measures. Over time, this accumulated debt can pose serious risks to the organization\'s data, reputation, and overall stability. However, with a strategic approach and a commitment to proactive security practices, organizations can effectively reduce their security debt. In this blog post, we will explore the art of reducing security debt in three key steps, enabling organizations to strengthen their security posture and safeguard their valuable assets. Step 1: Assess and Prioritize Security Risks The first step in reducing security debt is to conduct a thorough assessment of your organization\'s security risks. This involves identifying vulnerabilities, evaluating existing security… |
Patching Guideline | ★★ | |
|
2023-06-09 12:10:38 | Sécurité des applications à l'ère des attaques dirigés par l'IA Application Security in the Era of AI-driven Attacks (lien direct) |
Introduction
Dans le paysage numérique d'aujourd'hui, l'importance de la sécurité des applications ne peut pas être surestimée, car les entreprises dans le monde sont confrontées à l'évolution des cyber-menaces.Les défenseurs et les attaquants exploitent désormais le pouvoir de l'intelligence artificielle (IA) à leur avantage.À mesure que les attaques basées sur l'IA deviennent de plus en plus sophistiquées, il est crucial que les organisations adoptent une approche globale de la sécurité des applications qui aborde efficacement ce paysage de menace émergent.Dans cet article de blog, nous explorerons l'importance de l'adoption d'une stratégie de sécurité des applications solide face aux attaques axées sur l'IA et de fournir des exemples concrètes pour soutenir nos affirmations.
Le paysage des menaces évolutives: attaques alimentées par l'IA
L'IA a transformé de nombreuses industries, y compris malheureusement la cybercriminalité.Les pirates tirent parti de l'IA pour développer des attaques avancées et automatisées qui peuvent contourner les mesures de sécurité traditionnelles.Laissez-vous plonger dans quelques exemples concrètes d'attaques alimentées par l'IA:
1. MALWOWIRS PUISSANTS AI:…
Introduction In today\'s digital landscape, the importance of application security cannot be overstated, as businesses worldwide face evolving cyber threats. Both defenders and attackers are now harnessing the power of Artificial Intelligence (AI) to their advantage. As AI-driven attacks become increasingly sophisticated, it is crucial for organizations to adopt a comprehensive approach to application security that effectively addresses this emerging threat landscape. In this blog post, we will explore the significance of adopting a robust application security strategy in the face of AI-driven attacks and provide concrete examples to support our claims. The Evolving Threat Landscape: AI-powered Attacks AI has transformed numerous industries, unfortunately including cybercrime. Hackers are leveraging AI to develop advanced and automated attacks that can bypass traditional security measures. Let\'s delve into some concrete examples of AI-powered attacks: 1. AI-powered Malware:… |
Threat | ★★ | |
|
2023-06-09 01:53:07 | Faites bien les choses avec une approche complète de la sécurité des applications Get It Right First Time with a Comprehensive Approach to Application Security (lien direct) |
Introduction
Dans le paysage numérique en évolution rapide, garantissant une solide sécurité des applications est primordiale pour les organisations.Avec l'émergence d'attaques alimentées par l'IA et d'autres menaces sophistiquées, il est crucial d'intégrer des tests complets de sécurité des applications (AST) dans le cycle de vie du développement logiciel (SDLC).En tirant parti d'une plate-forme AST efficace qui offre une couverture complète, les organisations peuvent intégrer de manière transparente les tests de sécurité des applications en tant que partie naturelle et essentielle du processus de développement.Dans ce billet de blog, nous explorerons l'importance d'une plate-forme AST avec une couverture complète de renforcement de la sécurité des applications au sein du SDLC.
La nécessité de tests de sécurité des applications complets
Les applications deviennent plus complexes et que les vulnérabilités continuent d'évoluer, les tests complets de sécurité des applications sont cruciaux.Les méthodes de test traditionnelles à elles seules sont souvent insuffisantes pour identifier toutes les faiblesses potentielles de sécurité.En adoptant un…
Introduction In the rapidly evolving digital landscape, ensuring robust application security is paramount for organizations. With the emergence of AI-powered attacks and other sophisticated threats, it is crucial to integrate comprehensive Application Security Testing (AST) into the Software Development Lifecycle (SDLC). By leveraging an effective AST platform that provides comprehensive coverage, organizations can seamlessly incorporate application security testing as a natural and essential part of the development process. In this blog post, we will explore the significance of an AST platform with comprehensive coverage in strengthening application security within the SDLC. The Need for Comprehensive Application Security Testing As applications become more complex and vulnerabilities continue to evolve, comprehensive application security testing is crucial. Traditional testing methods alone are often insufficient to identify all potential security weaknesses. By adopting an… |
★★ | ||
|
2023-06-08 03:48:20 | Cinq conseils de leadership pour créer votre entreprise pour le succès de l'APPSEC Five Leadership Tips to Set Up Your Business for AppSec Success (lien direct) |
Introduction
Dans le paysage numérique d'aujourd'hui, garantissant que la sécurité de vos applications est d'une importance capitale.AppSec, abréviation de la sécurité des applications, implique de protéger vos applications logicielles contre les menaces et les vulnérabilités potentielles.Bien que la mise en œuvre de pratiques robustes de l'APPSEC soit cruciale, un leadership efficace joue un rôle essentiel dans la mise en place de votre entreprise pour le succès de l'APPSEC.Dans ce blog, nous explorerons cinq conseils de leadership clés pour vous aider à hiérarchiser et à établir une base solide pour la sécurité des applications au sein de votre organisation.
Promouvoir une culture de sécurité
Les dirigeants doivent favoriser une culture où la sécurité est une priorité absolue.Promouvoir la sensibilisation des risques AppSec et fournir une formation régulière sur les pratiques de codage sécurisées.Encouragez une communication ouverte sur les problèmes de sécurité et impliquez toutes les parties prenantes dans le processus.En faisant de la sécurité une valeur fondamentale, les employés comprendront son importance et contribueront activement aux efforts de l'APPSEC.Tirant l'extraction de la plate-forme de Veracode \\, comme…
Introduction In today\'s digital landscape, ensuring the security of your applications is of paramount importance. AppSec, short for Application Security, involves safeguarding your software applications against potential threats and vulnerabilities. While implementing robust AppSec practices is crucial, effective leadership plays a vital role in setting up your business for AppSec success. In this blog, we will explore five key leadership tips to help you prioritize and establish a strong foundation for application security within your organization. Promote a Culture of Security Leaders should foster a culture where security is a top priority. Promote awareness of AppSec risks and provide regular training on secure coding practices. Encourage open communication about security concerns and involve all stakeholders in the process. By making security a core value, employees will understand its importance and actively contribute to AppSec efforts. Leveraging Veracode\'s platform, such as… |
★★ | ||
|
2023-06-07 16:19:57 | 3 raisons de tirer parti de l'IA pour une gestion améliorée des menaces et de la vulnérabilité 3 Reasons to Leverage AI for Enhanced Threat and Vulnerability Management (lien direct) |
Alors que le paysage cyber-menace continue d'évoluer, vous savez qu'il y a un besoin croissant de s'assurer que les applications et les logiciels sont protégés contre les acteurs malveillants.Une approche holistique et intelligente de la gestion des menaces et de la vulnérabilité est essentielle pour assurer la sécurité contre la cyber-risque moderne.En tirant parti des outils alimentés par l'IA, en particulier pour les tâches telles que les défauts de sécurité, vous pouvez gérer et réduire les risques rapidement et efficacement.Laissez \\ explorer pourquoi l'utilisation de l'IA pour renforcer et moderniser vos stratégies de gestion de la menace et de la vulnérabilité remboursera beaucoup de temps à long terme.
Raison 1: pour rester en avance sur les menaces de cybersécurité en évolution rapide
La gestion des menaces et de la vulnérabilité aide les entreprises à comprendre et à répondre aux risques, mais qu'en est-il du moment où le paysage des menaces évolue si rapidement?Lorsque de nouvelles menaces émergent constamment, il est difficile de adopter une approche préventive des attaques potentielles dans les applications, les logiciels et les réseaux.
Par exemple, une nouvelle tendance particulièrement concernant la nouvelle tendance est…
As the cyber threat landscape continues to evolve, you know there\'s a growing need to ensure applications and software are protected from malicious actors. A holistic and intelligent approach to threat and vulnerability management is essential for ensuring security against modern cyber risk. By leveraging AI-powered tools, especially for tasks like remediating security flaws, you can manage and reduce risk quickly and effectively. Let\'s explore why using AI to bolster and modernize your threat and vulnerability management strategies will pay off big time in the long run. Reason 1: To Stay Ahead of Rapidly Evolving Cybersecurity Threats Threat and vulnerability management helps businesses understand and respond to risk, but what about when the threat landscape is evolving so rapidly? When new threats emerge constantly, it\'s challenging to take a preventative approach to potential attacks in applications, software, and networks. For example, one particularly concerning new trend is… |
Vulnerability Threat Prediction | ★★ | |
|
2023-05-27 10:43:28 | Sécuriser la chaîne d'approvisionnement des logiciels: protéger contre les téléchargements de code insécurité Securing the Software Supply Chain: Protecting Against Insecure Code Downloads (lien direct) |
Introduction
Dans le monde interconnecté d'aujourd'hui, la sécurisation de la chaîne d'approvisionnement des logiciels est cruciale pour maintenir une sécurité des applications robuste.Les développeurs comptent souvent sur les gestionnaires de packages pour importer des code et des bibliothèques tiers, mais cette commodité comporte des risques.Les téléchargements de code insécurité peuvent introduire des vulnérabilités qui compromettent l'intégrité de votre logiciel.
Dans ce billet de blog, nous explorerons les étapes essentielles pour sécuriser la chaîne d'approvisionnement et empêcher les développeurs de télécharger du code insécurité à partir des gestionnaires de packages.
Sécurité du gestionnaire de package: Commencez par l'utilisation d'un gestionnaire de packages réputé qui hiérarte la sécurité.Les gestionnaires de packages populaires comme NPM, PYPI et Maven ont des fonctionnalités de sécurité intégrées, y compris la signature de package, la numérisation de vulnérabilité et le suivi de la dépendance.Ces mesures aident à garantir que les packages que vous téléchargez proviennent de sources de confiance.
Audit et test de code: implémentez un processus d'audit et de test de code rigoureux pour identifier les vulnérabilités dans votre base de code.Régulièrement…
Introduction In today\'s interconnected world, securing the software supply chain is crucial for maintaining robust application security. Developers often rely on package managers to import third-party code and libraries, but this convenience comes with risks. Insecure code downloads can introduce vulnerabilities that compromise the integrity of your software. In this blog post, we will explore essential steps to secure the supply chain and prevent developers from downloading insecure code from package managers. Package Manager Security: Start by using a reputable package manager that prioritizes security. Popular package managers like npm, PyPI, and Maven have built-in security features, including package signing, vulnerability scanning, and dependency tracking. These measures help ensure the packages you download are from trusted sources. Code Auditing and Testing: Implement a rigorous code auditing and testing process to identify vulnerabilities within your codebase. Regularly… |
Vulnerability | ★★ | |
|
2023-05-25 06:50:21 | Colliding with the Future: The Disruptive Force of Generative AI in B2B Software (lien direct) | Au cours des derniers mois, notre fascination collective pour l'IA a atteint des hauteurs sans précédent, conduisant à un afflux d'informations et de discussions sur ses implications potentielles.Il semble que partout où nous nous tournions, l'IA domine la conversation.L'IA a captivé l'imagination des amateurs de technologie, des chercheurs et des individus de tous les jours.
À l'âge de 11 ans, j'ai reçu mon tout premier ordinateur, le légendaire spectre ZX.Avec le recul, il est difficile de croire combien a changé depuis.Quelques années plus tard, j'ai construit avec impatience mon propre ordinateur 286, une fière réalisation qui a alimenté ma passion pour la technologie et l'ingénierie logicielle.
Ces premières expériences m'ont laissé une marque indélébile, inculquant un sentiment d'excitation et de curiosité qui a enduré à ce jour.C'est ce même enthousiasme qui me remplit maintenant en me plongeant dans les royaumes captivants de l'intelligence artificielle (IA) et de l'apprentissage automatique (ML).
Ces premières expériences ressemblaient à un changement tectonique dans ma vie.Maintenant, comme nous…
Over the past few months, our collective fascination with AI has reached unprecedented heights, leading to an influx of information and discussions on its potential implications. It seems that wherever we turn, AI dominates the conversation. AI has captivated the imaginations of tech enthusiasts, researchers, and everyday individuals alike. At the tender age of 11, I received my very first computer, the legendary ZX Spectrum. Looking back, it\'s hard to believe how much has changed since then. A few years later, I eagerly built my own 286 computer, a proud accomplishment that fueled my passion for technology and software engineering. Those early experiences left an indelible mark on me, instilling a sense of excitement and curiosity that has endured to this day. It is this very same enthusiasm that now fills me as I delve into the captivating realms of Artificial Intelligence (AI) and Machine Learning (ML). Those first experiences felt like a tectonic shift in my life. Now, as we… |
★★ | ||
|
2023-05-25 06:50:21 | En collision avec le futur: la force perturbatrice de l'IA générative dans le logiciel B2B Colliding with the Future: The Disruptive Force of Generative AI in B2B Software (lien direct) |
Au cours des derniers mois, notre fascination collective pour l'IA a atteint des hauteurs sans précédent, conduisant à un afflux d'informations et de discussions sur ses implications potentielles.Il semble que partout où nous nous tournions, l'IA domine la conversation.L'IA a captivé l'imagination des amateurs de technologie, des chercheurs et des individus de tous les jours.
À l'âge de 11 ans, j'ai reçu mon tout premier ordinateur, le légendaire spectre ZX.Avec le recul, il est difficile de croire combien a changé depuis.Quelques années plus tard, j'ai construit avec impatience mon propre ordinateur 286, une fière réalisation qui a alimenté ma passion pour la technologie et l'ingénierie logicielle.
Ces premières expériences m'ont laissé une marque indélébile, inculquant un sentiment d'excitation et de curiosité qui a enduré à ce jour.C'est ce même enthousiasme qui me remplit maintenant en me plongeant dans les royaumes captivants de l'intelligence artificielle (IA) et de l'apprentissage automatique (ML).
Ces premières expériences ressemblaient à un changement tectonique dans ma vie.Maintenant, comme nous…
Over the past few months, our collective fascination with AI has reached unprecedented heights, leading to an influx of information and discussions on its potential implications. It seems that wherever we turn, AI dominates the conversation. AI has captivated the imaginations of tech enthusiasts, researchers, and everyday individuals alike. At the tender age of 11, I received my very first computer, the legendary ZX Spectrum. Looking back, it\'s hard to believe how much has changed since then. A few years later, I eagerly built my own 286 computer, a proud accomplishment that fueled my passion for technology and software engineering. Those early experiences left an indelible mark on me, instilling a sense of excitement and curiosity that has endured to this day. It is this very same enthusiasm that now fills me as I delve into the captivating realms of Artificial Intelligence (AI) and Machine Learning (ML). Those first experiences felt like a tectonic shift in my life. Now, as we… |
★★★ | ||
|
2023-05-22 10:41:02 | Une nouvelle ère d'AppSec: 10 fois en tant que leader de Gartner & Reg;Magic Quadrant ™ pour les tests de sécurité des applications A New Era of AppSec: 10 Times as a Leader in Gartner® Magic Quadrant™ for Application Security Testing (lien direct) |
Ten représente l'achèvement d'un cycle et le début d'un nouveau, car il y a dix chiffres dans notre système de nombres de base-10.Nous avons scanné près de 140 billions de lignes de code, nous ne pouvons donc aider à reprendre le seul et le zéro dans notre annonce passionnante.C'est la dixième publication du Gartner & Reg;Magic Quadrant ™ pour les tests de sécurité des applications (AST), et nous sommes heureux d'annoncer que nous sommes un leader pour le dixième temps consécutif.Voici un aperçu du nouveau cycle que nous voyons commencer: la nécessité d'une sécurité logicielle intelligente.
Des tests de sécurité des applications à la sécurité des logiciels intelligents
Ce marché n'est pas ce qu'il était auparavant, et nous voyons un nouveau cycle commençant que nous considérons comme la nécessité d'une sécurité logicielle intelligente.Ce qui a commencé comme un outil de balayage de code SaaS reconnu est devenu une plate-forme de sécurité logicielle intelligente qui empêche, détecte et répond aux défauts de sécurité et aux vulnérabilités et gère les risques et la conformité pour des milliers d'organisations de premier plan autour du…
Ten represents the completion of a cycle and the beginning of a new one, as there are ten digits in our base-10 number system. We\'ve scanned nearly 140 trillion lines of code, so we can\'t help but pick up on the one and the zero in our exciting announcement. It\'s the tenth publication of the Gartner® Magic Quadrant™ for Application Security Testing (AST), and we are pleased to announce we are a Leader for the tenth consecutive time. Here\'s a look at the new cycle we see beginning: the need for intelligent software security. From Application Security Testing to Intelligent Software Security This market isn\'t what it used to be, and we see a new cycle beginning which we see as the need for intelligent software security. What started as a recognized SaaS code scanning tool has evolved into an intelligent software security platform that prevents, detects, and responds to security flaws and vulnerabilities and manages risk and compliance for thousands of leading organizations around the… |
Tool Cloud | ★★★ | |
|
2023-05-18 11:24:49 | 25 ans plus tard: Réfléchir le témoignage du Congrès de L0pht \\ de 1998 et l'évolution de la cybersécurité 25 Years Later: Reflecting on L0pht\\'s 1998 Congress Testimonial and the Evolution of Cybersecurity (lien direct) |
Je reviens sur le témoignage de L0PHT \\ avant le Congrès en 1998 avec un mélange de fierté et de réflexion.Cela fait vingt-cinq ans depuis que notre groupe de pirates (ou chercheurs en vulnérabilité, si vous voulez) s'est intensifié pour sensibiliser à l'importance de la sécurité Internet devant certains des législateurs les plus puissants du monde.Cet événement a marqué le début d'un long voyage vers l'augmentation de la sensibilisation à la cybersécurité et de la mise en œuvre de mesures pour protéger notre monde numérique.Laissez \\ jeter un coup d'œil à jusqu'où nous venons et ce qui doit encore être fait.
La brûlure lente: du témoignage de L0pht \\ à l'action gouvernementale
Le témoignage de 1998 de L0PHT \\ a préparé le terrain pour les 25 prochaines années de sensibilisation à la sécurité Internet.Cependant, il a fallu des années au changement pour commencer à se produire.Même mon témoignage de 2003 au Congrès a toujours prouvé que nous avons un long chemin à parcourir dans la construction de logiciels sécurisés.Les roues du progrès ont commencé à tourner lorsque certaines recommandations du rapport de la Commission de la Solarium 2020 ont été mises en œuvre, appelant le…
I look back on L0pht\'s testimony before Congress in 1998 with a mix of pride and reflection. It\'s been twenty-five years since our group of hackers (or vulnerability researchers, if you will) stepped up to raise awareness about the importance of internet security in front of some of the world\'s most powerful lawmakers. This event marked the beginning of a long journey towards increased cybersecurity awareness and implementation of measures to protect our digital world. Let\'s take a look at how far we\'ve come and what still needs to be done. The Slow Burn: From L0pht\'s Testimony to Government Action L0pht\'s 1998 testimony set the stage for the next 25 years of internet security awareness. However, it took years for change to start happening. Even my 2003 testimony to Congress still proved that we have a long way to go in building secure software. The wheels of progress began to turn when some recommendations from the 2020 Solarium Commission Report were implemented, calling for the… |
Vulnerability | ★★ | |
|
2023-05-09 09:12:11 | Une introduction au codage sécurisé avec des moteurs de modèle An Introduction to Secure Coding with Template Engines (lien direct) |
En 2022, tout en parcourant des listes de vulnérabilités récemment divulguées, je suis tombé sur certaines vulnérabilités open source d'Adobe Commerce / Magento [1], qui auraient été exploitées dans la nature et peuvent être exploitées pour atteindre l'exécution du code distant, une combinaison qui toujoursme motive à jeter un coup d'œil à la vulnérabilité.Adobe a fourni un fichier de correctif simple qui supprime efficacement les caractères {{et}} lorsqu'il est rencontré dans l'entrée fournie à deux composants spécifiques et il est raisonnable de supposer que la vulnérabilité implique le système de templation intégré de Magento \\.
Bien que Magento utilise son propre système de modèles personnalisé, ces vulnérabilités m'ont fait réfléchir aux défis généraux auxquels les développeurs sont confrontés lorsqu'ils essaient de s'assurer qu'ils utilisent un moteur de modèle d'une manière qui n'introduisait pas de défauts de sécurité.Après avoir parcouru les montagnes de la documentation et même la plongeon dans le code de certains des moteurs de modèle les plus populaires, il est devenu très clair que la quantité de travail…
Back in 2022 while browsing through lists of recently disclosed vulnerabilities, I happened upon some Adobe Commerce/Magento Open Source vulnerabilities [1], that were reported to be exploited in the wild and can be exploited to achieve remote code execution, a combination which always motivates me to take a quick look at the vulnerability. Adobe provided a simple patch file that effectively removes {{ and }} characters when encountered in input provided to two specific components and it is reasonable to assume that the vulnerability involves Magento\'s built-in templating system. Although Magento uses its own custom templating system, these vulnerabilities got me thinking about the general challenges developers face when trying to ensure they are using a template engine in a way that does not introduce security flaws. After looking through mountains of documentation and even diving into the code of some of the most popular template engines, it became very clear that the amount of work… |
Vulnerability | ★★ | |
|
2023-04-18 07:00:00 | Introduction de Veracode Fix: Automatiser les correctifs pour les logiciels non sécurisés avec des suggestions de code sécurisées générées par l'IA Introducing Veracode Fix: Automate Fixes for Insecure Software with AI-Generated Secure Code Suggestions (lien direct) |
La gestion du risque de sécurité des logiciels est une course à enjeux élevés qui devient plus difficile à gagner.Entrez le correctif Veracode: la solution d'assainissement intelligente qui vous aide à rembourser la dette de sécurité à grande échelle et à fournir des logiciels plus sécurisés, plus rapidement, pour moins d'efforts et de coûts.Tirant parti d'un modèle d'apprentissage automatique basé sur GPT formé sur le jeu de données propriétaire de Veracode \\, Veracode Fix est une IA spécialisée formée par un apprentissage automatique profond qui excelle dans la fixation du code non sécurisé et réduit considérablement le travail et le temps nécessaires pour remédier aux défauts.
Le problème: créer des défauts plus rapidement que nous ne pouvons les résoudre
Les défauts de sécurité des logiciels sont créés plus rapidement qu'ils ne sont fixes.De nombreux facteurs y contribuent & # 8211;du nombre et de la complexité des applications à la croissance des applications au cours de leur vie.L'effet net est que la dette de sécurité augmente.Et, comme toute dette, il ne peut être différé que si longtemps et accumuler tant avant qu'il ne se manifeste par des conséquences financières, stratégiques et de sécurité importantes.
Capacité de correction…
Managing software security risk is a high-stakes race that\'s getting harder to win. Enter Veracode Fix: the intelligent remediation solution that helps you pay down security debt at scale and deliver more secure software, faster, for less effort and cost. Leveraging a GPT-based machine learning model trained on Veracode\'s proprietary dataset, Veracode Fix is a specialized AI trained by deep machine learning that excels at fixing insecure code and dramatically reduces the work and time needed to remediate flaws. The Problem: Creating Flaws Faster than We Can Fix Them Software security flaws are created faster than they are fixed. Many factors contribute to this – from the number and complexity of applications to the growth of applications over their lifetimes. The net effect is that security debt is growing. And, like any debt, it can only be deferred so long and accrue so much before it manifests in significant financial, strategic, and security consequences. Remediation capacity… |
★★★ | ||
|
2023-04-13 13:42:44 | Quelles sont les implications de sécurité du codage de l'IA? What Are the Security Implications of AI Coding? (lien direct) |
Le codage AI est ici, et il transforme la façon dont nous créons un logiciel.L'utilisation de l'IA dans le codage révolutionne activement l'industrie et augmente la productivité des développeurs de 55%.Cependant, ce n'est pas parce que nous pouvons utiliser l'IA dans le codage que nous devons l'adopter aveuglément sans considérer les risques potentiels et les conséquences involontaires.Il vaut la peine de prendre un moment à considérer: quelles sont les implications de sécurité du codage assisté par l'IA, et quel rôle l'IA devrait-il jouer dans la façon dont nous créons et sécurisez notre logiciel?
Exploration de deux implications de sécurité du codage de l'IA
À vrai dire, les implications complètes de l'IA générative et du codage assisté par l'IA, souvent appelé codage compagnon, sont inconnues et se déroulent d'ici la semaine.Cependant, voici deux domaines clés que nous pouvons explorer aujourd'hui autour des implications de sécurité du codage de l'IA.
1. Comment le codage de l'IA affecte la sécurité et l'intégrité du logiciel qu'il est utilisé pour créer
Soit \\ commencer par la sécurité des suggestions de code générées par l'AI.Plus de 70% des applications logicielles…
AI coding is here, and it\'s transforming the way we create software. The use of AI in coding is actively revolutionizing the industry and increasing developer productivity by 55%. However, just because we can use AI in coding doesn\'t mean we should adopt it blindly without considering the potential risks and unintended consequences. It\'s worth taking a moment to consider: what are the security implications of AI-assisted coding, and what role should AI play in how we both create and secure our software? Exploring Two Security Implications of AI Coding Truth be told, the full implications of generative AI and AI-assisted coding, often called companion coding, are unknown and unfolding by the week. However, here are two key areas we can explore today around the security implications of AI coding. 1. How AI Coding Affects the Security and Integrity of the Software it is Used to Create Let\'s start with the security of AI-generated code suggestions. Over 70% of software applications… |
★★ | ||
|
2023-03-30 13:14:38 | Nous sommes bons pour trouver des défauts de sécurité, mais qu'en est-il de les réparer? [We\\'re Good at Finding Security Flaws, But What About Fixing Them?] (lien direct) | La technologie est une épée à double tranchant.D'une part, il peut rendre de nouvelles expériences possibles et augmenter la productivité.D'un autre côté, il introduit de nouvelles menaces et des vecteurs d'attaque;Et cela peut élargir encore plus l'écart entre notre capacité à produire des logiciels et notre capacité à le sécuriser.Il est plus rapide de créer et de trouver des défauts de sécurité ne nous rend pas plus vite à les réparer;Les données nous montrent qu'une vulnérabilité sur quatre reste ouverte bien plus d'un an après la première découverte.Au lieu de cela, alors que nous augmentons la productivité et nous améliorons de détecter les défauts, nous nous trouvons dans une situation où nous créons et trouvons des défauts plus rapidement que nous ne pouvons les réparer.
Le résultat: la dette de sécurité s'accumule et les organisations doivent ralentir le développement, dépenser de l'argent pour accroître leur capacité à corriger les défauts, ou à augmenter le risque et l'exposition à des menaces de cybersécurité toujours plus fréquentes, sophistiquées et sévères.Laissez \\ plonger plus loin dans le problème, puis examinez les solutions potentielles.
Trois facteurs contribuant au…
Technology is a double-edged sword. On one hand, it can make new experiences possible and elevate productivity. On the other hand, it introduces new threats and attack vectors; and it can widen the gap even further between our ability to produce software and our ability to secure it. Getting faster at creating and finding security flaws does not make us faster at fixing them; data shows us that one in four vulnerabilities remain open well over a year after first discovery. Instead, as we increase productivity and get better at detecting flaws, we find ourselves in a situation where we create and find flaws faster than we can fix them. The outcome: Security debt accrues, and organizations must slow development, spend money to increase their capacity to fix flaws, or instead increase risk and exposure to ever more frequent, sophisticated, and severe cybersecurity threats. Let\'s dive further into the problem and then look at potential solutions. Three Factors Contributing to the… |
★★★ | ||
|
2023-03-27 18:25:46 | Il faut un village: le pouvoir du partenariat dans la création de logiciels sécurisés [It Takes a Village: The Power of Partnership in Creating Secure Software] (lien direct) | La sécurité des applications est bien plus que la numérisation.Le programme de partenaire Velocity aligne Veracode et nos partenaires car ensemble, nous livrons des solutions et des services de sécurité des applications qui permettent aux clients de créer un programme DevOps sécurisé.Le programme Velocity Partner autorise nos partenaires dans leur rôle de conseiller de confiance pour répondre aux exigences clés de sécurité et à des défis commerciaux auxquels les clients sont confrontés tout au long de leur parcours de sécurité des applications.
Veracode fournit des informations clés, de l'intelligence du marché, du développement des compétences et des meilleures pratiques pour les partenaires afin d'aider les clients à tirer parti de la sécurité comme un avantage concurrentiel.Les clients ont accès à des solutions et services de sécurité des applications innovantes, gérés par Veracode Partners, pour améliorer leur posture de sécurité.En travaillant avec Veracode Partners, les clients peuvent efficacement développer et fournir des applications sécurisées, réduire les risques et se conformer en toute confiance aux réglementations et exigences de l'industrie et du gouvernement.
Veracode a développé Advanced…
Application security is about so much more than scanning. The Velocity Partner Program aligns Veracode and our Partners as together we deliver application security solutions and services that enable customers to build a secure DevOps program. The Velocity Partner Program empowers our partners in their trusted advisor role to address key security requirements and business challenges customers are facing throughout their application security journey. Veracode provides key insights, market intelligence, skills development, and best practices for partners to help customers leverage security as a competitive edge. Customers have access to innovative application security solutions and services, managed by Veracode Partners, to enhance their security posture. By working with Veracode Partners, customers can effectively develop and deliver secure applications, reduce risks, and confidently comply with industry and government regulations and requirements. Veracode has developed advanced… |
★★ | ||
|
2023-03-08 04:08:04 | Breaking Barriers and Embracing Equity: Stories of Women in STEM (lien direct) | “Through the process of equity, we can reach equality,” states the description of this year's International Women's Day theme: Embrace Equity. Sharing stories of women who have broken barriers in STEM is a reminder of what can be achieved when equity is embraced. As Scientific American writes, “...the findings are clear: for groups that value innovation and new ideas, diversity helps.” Let's take a moment to honor some brilliant individuals who have made it possible for more diverse voices to be heard in STEM industries – from one of the first women in STEM until now. Elisa Leonida Zamfirescu In 1912, before women in most countries could vote, Elisa Leonida Zamfirescu became one of the first women in the world to obtain a degree in engineering, inspiring generations of women who followed her. The World Record Academy quotes a newspaper from 1912 as follows: “In engineering, the future of women is great, Miss Elisa Leonida has passed the final exam with great success, obtaining the… | ★★ | ||
|
2023-03-03 11:03:14 | Resolving CVE-2022-1471 with the SnakeYAML 2.0 Release (lien direct) | In October of 2022, a critical flaw was found in the SnakeYAML package, which allowed an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Finally, in February 2023, the SnakeYAML 2.0 release was pushed that resolves this flaw, also referred to as CVE-2022-1471. Let's break down how this version can help you resolve this critical flaw. Exploring Deserialization SnakeYAML is a popular Java library to parse YAML (YAML Ain't Markup Language format). The library can parse all YAML 1.1 specifications [1], native types [2] and supports serializing and deserializing Java objects. The Remote Code Execution vulnerability is due to the library not restricting Java types when deserializing objects using `Constructor`. Java Serialization has the great promise of taking the state of a full object graph and saving it externally, then magically restoring its state when we deserialize. This is a big promise as… | Vulnerability | ★★ | |
|
2023-03-02 13:39:02 | Answering the Call: 3 Software Security Pillars Addressed by the National Cybersecurity Strategy (lien direct) | Staying ahead of the cyberattack curve in a constantly evolving world requires a comprehensive strategy. Today's release of the Biden-Harris Administration's National Cybersecurity Strategy provides an extensive roadmap for impacting both public and private security efforts. In this blog post, we'll take an in-depth look at three of the most software-related strategic objectives: software liability, open-source software usage, and cybersecurity workforce readiness. Software Liability Overview Software liability refers to the legal and financial responsibility of individuals or entities for any damages or losses caused by their software. This can include issues such as security vulnerabilities, bugs, or other defects that result in harm to users or their data. The National Cybersecurity Strategy states: “Poor software security greatly increases systemic risk across the digital ecosystem... We must begin to shift liability onto those entities that fail to take reasonable precautions… | ★★ | ||
|
2023-02-28 12:25:03 | SAST Tools: How to Integrate and Scale Security Workflows in the SDLC (lien direct) | Static Application Security Testing (SAST) tools present a significant opportunity for organizations looking to reduce application security risk. However, not all workflows or tools are created equal. Using the right SAST tools at the right times, you can seamlessly integrate and scale security workflows throughout the software development lifecycle (SDLC). In this post, we'll walk through examples of how easily you can work with Veracode's SAST tools for first-party and third-party code scanning when using Azure DevOps and Visual Studio – and the different plugins available. Ticket Follow Up Let's start where all developers' workdays begin: the ticketing system. In this scenario, it's the Azure DevOps Workboard, and the idea is that you have run a SAST policy scan. A Veracode policy scan effectively tests at the integration or systems level. Through integration, the tool can automatically generate security bug tickets inside of Azure DevOps based on scan results. From the ticket… | Tool | ★★★ | |
|
2023-02-06 11:01:16 | How to Leverage Veracode Container Security to Secure Cloud-native Application Development (lien direct) | Cloud-native software development is a driving force because it empowers teams to build and deploy applications at speed and scale. Along with microservices, cloud infrastructure, and API's, containers are a crucial part of this development process. Let's look at the security implications of containers in cloud-native application development and how to manage the security challenges they pose. What are containers? A container is known as a standard package of software. It bundles an application's code together with the related configuration files and libraries, and with the dependencies required for the application to run. This allows you to deploy cloud-native applications seamlessly across public, hybrid, or private cloud environments. For example, just as shipping industries use physical containers to isolate different cargos-for example, to transport in ships and trains regardless of the cargo inside-containers also work in this way as they help us ship self-contained units of… | General Information | ★★ | |
|
2023-02-02 14:16:00 | 4 Categories of Container Security Vulnerabilities (& Best Practices to Reduce Risk) (lien direct) | Containerization is becoming increasingly common due to portability, ability to isolate application dependencies, scalability, cost effectiveness, and ease of use. The ability to easily package and deploy code has changed the way that organizations work with applications. But like with Windows servers years ago, or AWS today, any time one specific technology gains a significant portion of the market share, it becomes a target for attackers. Here's what you need to know about the security risks of vulnerable containers. Some Background on Container Vulnerabilities When containers were first released, an attacker would have to first discover that an organization was using containerization and then try to find a way to exploit those containers. Today, it's a safe bet that containers are in use, and if an organization's containers aren't secured, they can present a quick way into a company's infrastructure. To minimize the risk of your company being breached, you can (and should)… | ★★ | ||
|
2023-01-31 13:33:18 | Quick Start Guide: Integrate Veracode in Your DevOps Pipeline (lien direct) | For today's DevSecOps teams, the demands continue to intensify. Application portfolios and codebases continue to grow, while cyberattacks remain an ever-present danger. More than ever, it's vital to ensure security gaps are identified and addressed with maximum speed and efficiency. In order to do this, you need to establish a continuous feedback loop on security threats, so you can realize optimized, sustained results – which is exactly how Veracode helps. Here we'll outline how you can get started with Veracode in a matter of minutes, and we'll detail all the ways we can help after your initial scans are complete. How to Quickly Get Started with Veracode Here's an overview of the process of getting started with Veracode in two environments: GitHub and Azure. For each, we'll outline the process for doing scans using our Veracode Static Analysis (SAST) and Veracode Software Composition Analysis (SCA) solutions. These solutions offer the fastest way to get scanning coverage in your… | ★ | ||
|
2023-01-16 18:06:02 | 6 Reasons You Need to Run SCA Scans on Projects in VS Code (lien direct) | We love open-source software (OSS). Not only does it save time and effort, but it's also incredibly rewarding to collaborate with other developers on major projects. Plus, it opens the door for innovation that otherwise wouldn't be possible at this scale. However, with code comes responsibility, and so it's imperative to understand the risk OSS libraries carry when we're integrating them into projects. Running a Software Composition Analysis (SCA) scan will help highlight dependencies and any issues in the OSS libraries being used. Here's six reasons why scanning OSS dependencies while you code helps in the long run. 1. Save Yourself from Agitation Later The longer you wait for security checks, the harder they will be to fix later. Plus, when you do the SCA scan on your own time, as opposed to delaying until a ticket comes in from another team, then you're not tied to their completion dates. 2. Understand Risk in Your Projects and Potential OSS Libraries You Want to Pull In By… | ★★★ | ||
|
2023-01-11 06:03:06 | 3 Key Takeaways from the State of Software Security 2023 Report (lien direct) | It's one of our favorite times of the year – the unveiling of our annual State of Software Security (SoSS) report. Software security issues can have devastating effects on organizations, damaging their financial stability and reputations. That's why our research this year centered on a crucial question: what can be done to avoid introducing security flaws in the first place? We dug into 17 years of data and analyzed three-quarters of a million applications to provide security and development teams with concrete steps they can act on together to minimize risk, protect applications, and meet industry regulations. Plus, we turn some conventional wisdom about open source on its head. Let's dive in. 1. 32 percent of apps contain security flaws at the first scan, and by the five-year mark, this jumps to 70 percent. By the time they move into production, nearly one-third of all applications have security flaws, and applications grow by about 40 percent year on year irrespective of their… | ★★★ | ||
|
2022-12-19 07:30:00 | (Déjà vu) With Gratitude to Our Customers. We Couldn\'t Do Any of This Without You. (lien direct) | It's the end of another year, and we want to take a quick moment to reflect on the debt of gratitude we owe our customers. Thanks to you, we're all leagues closer to a world where software is developed secure from the start. You constantly astound us with your dedication to securing your apps for your customers, and we are grateful you've chosen us as your security partner. You value the competitive advantage of making secure software and have proven it by reaching new heights in 2022. Let's dive into some of the stories from this year and celebrate what your progress, feedback, and successes have allowed us all to achieve. Scalable and reliable software security are unquestionably valuable, but determining how to achieve it within seamless developer workflows can present a challenge. Cloud-native electronic health records application developer Azalea Health incorporates secure coding best practices with Veracode. VP of Engineering Andrew McCall, told us that rather than treating… | ★★ | ||
|
2022-12-19 07:30:00 | Holiday Customer Gratitude Blog (lien direct) | It's the end of another year, and we want to take a quick moment to reflect on the debt of gratitude we owe our customers. Thanks to you, we're all leagues closer to a world where software is developed secure from the start. You constantly astound us with your dedication to securing your apps for your customers, and we are grateful you've chosen us as your security partner. You value the competitive advantage of making secure software and have proven it by reaching new heights in 2022. Let's dive into some of the stories from this year and celebrate what your progress, feedback, and successes have allowed us all to achieve. Scalable and reliable software security are unquestionably valuable, but determining how to achieve it within seamless developer workflows can present a challenge. Cloud-native electronic health records application developer Azalea Health incorporates secure coding best practices with Veracode. VP of Engineering Andrew McCall, told us that rather than treating… | ★★ | ||
|
2022-12-07 13:15:44 | What We\'ve Learned About Reducing Open-source Risk Since Log4j (lien direct) | I share a birthday with the Log4j event. However, unlike this event, I've been around for more than one year. On December 9th, 2021, a Tweet exposed a zero-day vulnerability in Log4j, a widely-used piece of open-source software. The announcement made headlines everywhere, and cybersecurity was suddenly put in the spotlight. It was a wake-up call for many because, in an instant, software that had been considered secure was suddenly at tremendous risk. Looking back over the aftermath of the past year, here's what Log4j has taught us about reducing open-source risk. What Log4j Has Revealed About the Risk of Open-source Libraries With a CVSS severity level of 10 out of 10, the urgent response to Log4j was warranted. Upon the announcement, we quickly discovered that 58 percent of enterprises were using the vulnerable version of Log4j, and Microsoft shared shortly after the announcement that state-backed hackers around the world had already tried to exploit the Log4j vulnerability. How… | Vulnerability | ★★ | |
|
2022-12-05 11:55:00 | Despite Security Scrutiny on Tech Industry, Nearly One-fourth of Applications Have High-severity Flaws (lien direct) | The United States, United Kingdom and other governments around the globe are making strides to defend against software supply chain attacks and strengthen the cybersecurity resilience of their departments, partners, and stakeholders. Technology companies are following these developments and emerging government guidance closely, understanding that in a post-SolarWinds and Log4j world, their roles in securing the software they create – along with the applications they use to deliver new innovations – are rapidly evolving. This heightened awareness has not fully translated into stronger security measures, however. Our recent State of Software Security v12 (SOSS) report found that, when compared to other industries, the technology sector has the second-highest proportion of applications with security flaws, as well as the highest proportion of applications with high-severity flaws. Given the nature of the industry, it could be argued that tech companies create far more applications –… | ★★★ | ||
|
2022-11-21 12:57:33 | As the Holiday Season Begins, 73% of Retail and Hospitality Apps Have a Flaw (lien direct) | After the pandemic upended the retail and hospitality industries, digital transformation became imperative to survival – the key to meeting ever-changing customer expectations and overcoming supply chain complexities. As the landscape continues to shift, 55 percent of retailers say they're open to improving their innovation capabilities, while 51 percent want to adopt new business models. But as retail and hospitality companies deepen their digital capabilities, cyberattackers are looking for ways to exploit vulnerabilities in eCommerce systems, digital payment platforms, and other software systems. Our latest State of Software Security (SOSS) Volume 12 found that 73% of all applications in the retail and hospitality sector have a security vulnerability. This is especially concerning as we enter the busy holiday season, a time of historically elevated threat levels. Yet there is some cause for cheer: Our SOSS findings revealed that when compared to other industries, retail and… | Threat | ★★★ | |
|
2022-11-18 15:03:25 | Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark (lien direct) | One of the services that Veracode offers is a consultation with an Application Security Consultant – a seasoned software developer and application security expert. In the context of a consultation, my team works with the software engineers of Veracode's customers to understand and, ideally, remediate security flaws found by the Veracode tool suite. There is a well-defined difference between a security flaw (a defect that can lead to a vulnerability) and a vulnerability (an exploitable condition within code that allows an attacker to attack it). While working with potentially dozens of different customer applications every week, we usually have a strong gut feeling for when a security flaw might constitute an exploitable vulnerability and should receive extra attention. During one of our consultations, a set of similar Cross-site Scripting (XSS) flaws was discovered by Veracode Static Analysis in what turned out to be 3rd party JavaScript files belonging to Apache Spark. After some… | Tool Vulnerability Guideline | ||
|
2022-11-15 13:53:58 | 4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant (lien direct) | You didn't change anything in your code, yet the scan is different this time. Here's advice from an Application Security Consultant on why that may be. Have you ever wondered why you scan code one day and get one result, and then scan the same code a month later and get different results – even though you never changed anything? As Application Security Consultants at Veracode, we often receive questions from developers about unanticipated differences in findings between one static scan and another. Typically, developers will make some changes in their application between scans, but it is common for changes that appear unrelated to developer activity to be encountered. In this article, we'll explore four of the reasons why this may occur. 1. Changes in Seemingly Unrelated Code Obviously, changes in code that remediate findings effectively will result in those findings no longer being reported. Changes that add new functionality may include security defects, and these new findings… | |||
|
2022-11-07 18:43:58 | The Power of Manual Penetration Testing in Securing Your Attack Surface (lien direct) | When it comes to protecting software, don't count on automated testing to find all the vulnerabilities in your code. Here's why manual penetration testing is more essential (and more accessible) than one might think. Humans find vulnerable vectors automation can't. While it's not breaking news that any mature DevSecOps programs should include automating application analysis into the software development lifecycle, there is no silver bullet for ensuring the security posture of the entire attack surface. Stopping attackers from gaining access to sensitive information requires a well-rounded program that covers the software development lifecycle from end to end - from static code testing, testing third-party libraries, to dynamic analysis and manual penetration testing. Organizations that want to keep their software as secure as possible can't afford to leave any stone unturned. Manual penetration testing or “pen testing” has long been the great revealer of both successes and… | |||
|
2022-11-02 12:48:33 | How Government Agencies Can Secure Mission Critical Software in the Cloud (lien direct) | Government agencies are instructed by Executive Order to improve the delivery of digital services to citizens while also safeguarding critical data and systems. Often, this leads to a difficult decision between speed of application production and software security. However, as recent events have shown, sacrificing security in the name of speed compromises the safety of citizens and government infrastructure. Here's why the government is prioritizing software security and how agencies can reliably secure software development in the cloud and on-premises. Why is the Government More Focused than Ever on Improving Software Supply Chain Security? The following executive orders and memoranda make it clear that cybersecurity, and software security in particular, is a national priority. Let's explore why they were created and what they require from you. Executive Order on Improving the Nation's Cybersecurity In 2021, the Biden administration issued an executive order on cybersecurity that… | Guideline | ||
|
2022-11-01 10:23:26 | What You Need to Know About OpenSSL-3.0.7 (lien direct) | OpenSSL released version 3.0.7 with security fixes for High Severity vulnerabilities CVE-2022-3786 & CVE-2022-3602 discussed here. Here's how to know if you're affected and what to do if you are. Am I affected? At this moment it seems that OpenSSL versions between 3.0.0 and 3.0.6 and applications using the OpenSSL library within the affected versions are vulnerable. OpenSSL 3.x was released just about one year ago: OpenSSL 3.0 Has Been Released! - OpenSSL Blog; container images, distributions and software released before this date are unlikely to be affected. OpenSSL can be installed through a package manager that install it in well-known locations and configure it at system level, or it can be downloaded on the system as a compiled binary or even compiled locally from source code. These different approaches don't allow to list all possible ways to detect the versions of OpenSSL installed on the system. LibreSSL is not affected by this vulnerability (oss-security - Re:… | Vulnerability | ||
|
2022-10-25 12:41:33 | Why Security is Central to Citizen Experience Part 3: A Helping Hand from the Private Sector (lien direct) | The final part of this series reveals how Veracode's FedRAMP authorization is all about supporting the government and its citizens. (Part three in a three-part series.) Building trust in government is both my passion and part of my character. Last year, when I found myself contemplating my next career move, I knew that I wanted to be at an innovative company devoted to rebuilding trust in federal agencies. It didn't take long for me to realize that Veracode and I were a perfect fit. Immediately I saw how the company's mission and innovative application-security technology aligned with my values. I joined the Veracode team in May, bringing to my new job a wealth of private- and public-sector experience. I also arrived with a mental map for navigating government, a map that was updated during the Covid era. Indeed, agencies are having to overcome new technological obstacles that emerged during the pandemic. The challenge to advance cybersecurity, for example, has strained the… | |||
|
2022-10-24 11:17:45 | Why Security is Central to Citizen Experience Part 2: The Changing Cyber Landscape of Government (lien direct) | The second part of this series is about what's driving the cybersecurity changes across government. (Part two in a three-part series.) Throughout my career, I've seen a lot of change in the realm of cybersecurity. Whether in private- or public-sectors, from pre- to post-pandemic, I've witnessed the struggles of agencies coming to terms with digital transformation and cybersecurity. What I've found is that federal agencies are expected to keep pace with their civilian counterparts while abiding by mandates to add an extra layer of security to digital operations. Factor in upheavals caused by the pandemic, and it's clear why the public sector has been feeling the immense pressure to quickly tighten its cybersecurity practices. Global Pandemic Prior to the pandemic, you came into the office, and your network access was granted simply because you were in the building. This all changed when agencies had to figure out how to work remotely with little to no planning. Agencies that were… | |||
|
2022-10-21 13:16:35 | Why Mitigate Flaws to Manage Risk: Advice from an Application Security Consultant (lien direct) | Documenting flaws that you don't prioritize today will save you time should they become high-severity flaws in the future. Here's the best way to approach them. The topic of mitigations is a commonplace source of questions and discussion for our Application Security Consulting group. This is a complicated topic, and I hope the following helps to provide some understanding and guidance on how to think about the role and purpose mitigations play in the security posture of an application and in your security program. What is a mitigation? In the Veracode system, a mitigation is basically an annotation on a finding - or flaw, typically one detected through static analysis – which explains why the finding does not require code change in order to remediate the risk. In other words, it is an explanation of how the risk reported via the finding is already being addressed effectively. It is important to differentiate findings that are mitigated from the idea of a false positive finding.… | |||
|
2022-10-20 11:15:29 | Why Security is Central to Citizen Experience Part 1: Lessons from a Federal Executive (lien direct) | The first part of this series is about why my return to the private sector is still motivated by American citizens. (Part one in a three-part series.) Government agencies have critical missions that affect the entire American population. The thing is, their core missions typically aren't technology; they're everything from delivering food stamps and stable roads to social security. Veracode's top mission is technology, and it allows the government agencies to fulfill their critical core missions. That's why I made the move from the public sector to the private sector by joining the Veracode team. How it All Started My experience in government, the private sector, product development, and IT security makes me specifically tailored to fight malicious cyberthreats. My career began by tracking legislation at Congressional Quarterly (CQ), and I got into product management before it was as prevalent as it is today. I often fell into the marketing and advertising departments and spent… | |||
|
2022-10-18 13:08:45 | Despite Lowest Software Flaw Frequency, Manufacturing\'s Fix Times Lag and Create Ransomware Risk (lien direct) | In 2021, manufacturing became cybercriminals' most targeted industry as a surge in global ransomware attacks disrupted manufacturing operations and exacerbated supply chain woes. This put even more pressure on manufacturing organizations that were already feeling the heat. Recognizing that ransomware attacks can stem back to software vulnerabilities, many manufacturers are exploring ways to strengthen their software security programs. Our recent State of Software Security report v12 (SOSS), which analyzed 20 million scans across half a million applications, identified several manufacturing-specific trends that may help focus these efforts. First up, some good news: The manufacturing industry now boasts the lowest number of software security flaws across all sectors, dethroning financial services from last year's top spot. However, the manufacturing sector is also tied for the lowest number of flaws that are fixed. This means that manufacturing companies have security flaws in… | Ransomware |
To see everything:
Our RSS (filtrered)
