What's new around the internet

Last one

Src Date (GMT) Titre Description Tags Stories Notes
Veracode.webp 2022-02-14 12:19:04 What Is an SBOM & Why Do You Need One? (lien direct) SBOM stands for Software Bill of Materials  Before we jump into definitions, let's quickly level set on how we got here. Over the last few years, the way we build software has changed drastically. With the increasing need to move faster and release more frequently, organizations are opting to get rid of monolithic architectures and adopt a microservices architecture for greater agility, resiliency, and efficiency.   Developers are now able to use more third-party resources and containers to piece together best-of-breed parts for their applications to run on.  As a result, less of the code that makes up an application is owned and managed directly by that organization.  Unfortunately, it's difficult to get full transparency into all these pieces since the decision-making process and documentation process can happen in numerous places across an organization.  The lack of a concrete way to determine all the components of an application introduces substantial cybersecurity risks,…
Veracode.webp 2022-02-08 12:13:23 Announcing the 12th Volume of Our State of Software Security Report (lien direct) The 12th volume of our annual State of Software Security (SOSS) report is now live! Rather than examining a single year of activity associated with an application, in this year's report we looked at the entire history of active applications. By doing so, we can view the full life cycle of applications, which results in more accurate metrics and observations. Aside from looking at the past, we also imagined the future by considering practices - such as Veracode Security Labs training - that might help improve application security.  As with all of our SOSS reports, the goal is to help you make informed decisions about your software security program so that you can minimize risk, protect your applications, and meet industry regulations.   Some key takeaways:  Time is a competitive currency for software development teams.  The world is becoming more connected than ever before. But it's not just increased connectivity that's shaping the security landscape - it's the hypercompetitiveness…
Veracode.webp 2021-12-22 22:23:15 A Review of Log4Shell Detection Methods (lien direct) None
Veracode.webp 2021-12-18 15:45:23 Part 4: Using Veracode From the Command Line in Cloud9 IDE (lien direct) None
Veracode.webp 2021-12-17 16:58:58 The Good, the Bad, and The Ugly: Understanding the API Security Top 10 List (lien direct) None
Veracode.webp 2021-12-15 14:19:45 58% of Orgs Are Using a Vulnerable Version of Log4j (lien direct) None
Veracode.webp 2021-12-10 11:59:05 URGENT: Analysis and Remediation Guidance to the Log4j Zero-Day RCE (CVE-2021-44228) Vulnerability (lien direct) A previously unknown zero-day vulnerability in Log4j 2.x was reported on December 9, 2021. If your organization deploys or uses Java applications or appliances running Log4j 2.x, you are likely affected. Technical summary Yesterday a new Log4j zero-day vulnerability was reported on Twitter: https://twitter.com/P0rZ9/status/1468949890571337731 . The first PoC (proof of concept) was already available at the time of writing: https://github.com/tangxiaofeng7/apache-log4j-poc According to Red Hat (source: https://access.redhat.com/security/cve/cve-2021-44228) it is rated CVSSv3 9.8, which is almost as bad as it gets. The root cause is the JNDI lookup that Log4j performs when a logged message contains a ${jndi:...} pattern: an attacker who can get such a string into any logged field (a User-Agent header, a username, a search term) makes the application resolve an attacker-controlled LDAP or RMI reference, which yields RCE (remote code execution) and compromise of the affected server. Given the simplicity of the exploit, it is likely that your incident response team will need to deal with an attack. There are multiple reports that the vulnerability is being actively exploited in the wild, so it needs to be patched promptly; a patched Log4j version is already available: https://logging.apache.org/log4j/2.x/security.html Am I affected? To check whether your application is likely affected, verify two things: Log4j version – all 2.x versions before 2.15.0 (released today, Friday, December 10, 2021) are affected. JVM version – whether it predates the update in which the JDK stopped loading classes from remote LDAP codebases by default (com.sun.jndi.ldap.object.trustURLCodebase=false): Java 6 – 6u211, Java 7 – 7u201, Java 8 – 8u191, Java 11 – 11.0.1. If both are true, that is, your Log4j version is older than 2.15.0 and your Java patch level is older than listed above, you are almost certainly affected. A newer JVM is not a reason to skip patching, though: it only blocks fetching a class from a remote codebase. The lookup itself still runs, so an attacker can still exfiltrate data through the outbound DNS or LDAP request (for example by nesting ${env:...} lookups into the host name), and the object returned by the attacker's server can still be deserialized into gadget classes that are already on the local classpath. Treat any Log4j 2.x older than 2.15.0 as affected regardless of JVM version.
At this time, it is likely that your internet-facing infrastructure has already been scanned for, and possibly compromised through, this vulnerability, which is being actively exploited according to this report: https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-acti… Please bear in mind that even if your application does not use Log4j directly, the surrounding infrastructure (application server, message queue server, database server, network devices) may run a combination of Java and Log4j versions that exposes you to this vulnerability. Remediation Using Java 1.8 or higher? Download the latest mitigated Log4j version, 2.15.0, from its download page. If you can't upgrade immediately: on Java 8u121 and later, com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase already default to false, so the RMI and CORBA remote-codebase vectors are closed; the LDAP equivalent, com.sun.jndi.ldap.object.trustURLCodebase, only defaults to false from 8u191, so on older patch levels set it explicitly (-Dcom.sun.jndi.ldap.object.trustURLCodebase=false). This stops remote class loading but not the lookup itself, so it is still preferable to update to a secure Log4j version as soon as possible. Using a Java version lower than 1.8? Source: https://logging.apache.org/log4j/2.x/security.html In Log4j versions 2.10 and later it is possible to mitigate this issue by setting the system property log4j2.formatMsgNoLookups to true (JVM parameter -Dlog4j2.formatMsgNoLookups=true, or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true), or, for any 2.x version, by removing the JndiLookup class from the classpath, for example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class Of the two, removing the class is the more robust: the formatMsgNoLookups flag only covers the log message itself, and lookups reached through other configuration paths (a pattern layout that references a context lookup such as $${ctx:loginId}) stay live, which is why Apache later withdrew that flag as a complete mitigation (CVE-2021-45046). With the class removed, a ${jndi:...} string cannot be resolved at all. How Veracode helps you to address this problem Thanks to our Software Composition Analysis (SCA) product, you can quickly verify whether the application portfolio you scan with us is affected and at elevated risk of being exploited. To verify whether your applications use vulnerable versions of Log4j, log in to the Veracode Platform and check which Log4j versions are dependencies of your applications by following this guide: https://docs.veracode.com/r/c_SCA_comps *Please note* Veracode SCA customers are able to scan for this vulnerability across their applications.
The entry for the vulnerability in our database is here: https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/apache-log4j-2/java/maven/lid-344173/summary Risk management procedures While the development teams work on finding the impacted applications and updating all the relevant dependencies, it is advisable to update your Intrusion Prevention Systems (IPS) rulesets (bearing in mind that the trigger string has many obfuscated forms, such as ${${lower:j}ndi:...}, so signatures buy time rather than replace patching) to gain more time to work on the remediat Vulnerability
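A worked example of the two checks and of the class-removal mitigation described above, added here and not part of the Veracode advisory. It walks a directory, reads the version from each log4j-core jar's Maven pom.properties (including jars nested inside WAR/EAR files), reports whether the jar is older than 2.15.0 and still contains JndiLookup.class, and rewrites a jar without that class the same way the zip -q -d command does. The directory tree it scans is constructed inline for the demo (placeholder bytes stand in for the real class file), and the application and jar names are assumptions:

```python
# Added example: Log4j 2 exposure scan plus JndiLookup removal (not Veracode's code).
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first release that disables the JNDI lookup by default


@dataclass
class Finding:
    location: str          # file path; "!/" separates an archive from a nested entry
    version: Optional[str]
    has_jndi_lookup: bool

    @property
    def affected(self) -> bool:
        if not self.has_jndi_lookup:  # class stripped: the lookup cannot run at all
            return False
        if self.version is None:      # lookup present, version unknown: assume the worst
            return True
        return parse_version(self.version) < FIXED


def parse_version(v: str) -> Tuple[int, ...]:
    nums = [int(n) for n in re.findall(r"\d+", v)[:3]]  # '2.15.0-rc2' -> (2, 15, 0)
    return tuple(nums + [0] * (3 - len(nums)))


def jar_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version string from the Maven pom.properties that log4j-core ships."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, location: str, out: List[Finding]) -> None:
    names = zf.namelist()
    if POM_PROPS in names or JNDI_LOOKUP in names:
        out.append(Finding(location, jar_version(zf), JNDI_LOOKUP in names))
    for name in names:  # recurse into WEB-INF/lib and similar nested archives
        if name.endswith((".jar", ".war", ".ear")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                inspect_archive(inner, f"{location}!/{name}", out)


def scan(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.endswith((".jar", ".war", ".ear"))):
            with zipfile.ZipFile(path) as zf:
                inspect_archive(zf, path, out)
    return sorted(out, key=lambda x: x.location)


def remove_jndi_lookup(jar_path: str) -> bool:
    """Rewrite the jar without JndiLookup.class (what zip -q -d does); False if absent."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # swap in only once the copy is complete
    return True


def _jar_bytes(version: str, with_lookup: bool) -> bytes:
    buf = io.BytesIO()  # constructed stand-in for log4j-core; the .class payload is a placeholder
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: vulnerable jar, fixed jar inside a WAR, old jar already stripped."""
    _write(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), _jar_bytes("2.14.1", True))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _jar_bytes("2.15.0", True))
    _write(os.path.join(root, "app", "shop.war"), war.getvalue())
    _write(os.path.join(root, "legacy", "log4j-core-2.11.2.jar"), _jar_bytes("2.11.2", False))


def demo() -> List[Tuple[str, Optional[str], bool]]:
    root = tempfile.mkdtemp()  # scan, strip the vulnerable jar, rescan: (location, version, affected)
    build_sample_tree(root)
    before = scan(root)
    remove_jndi_lookup(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"))
    after = scan(root)
    return [(os.path.relpath(f.location, root), f.version, f.affected) for f in before + after]
```

Run scan() against an application or server directory and act on every finding whose affected flag is set; remove_jndi_lookup() is a stop-gap for hosts that cannot be upgraded right away, and the jar should still be replaced by a fixed release afterwards. Note that 2.15.0 still contains JndiLookup.class, so the presence of the class alone is not the signal; the version check is what separates it from 2.14.1.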
Veracode.webp 2021-12-02 18:23:23 Part 3: Using Veracode From the Command Line in Cloud9 IDE (lien direct) In part three of a four-part series, Clint Pollock, principal solutions architect at Veracode, details how to use Veracode from the command line in the Cloud9 IDE to submit a software composition analysis (SCA) scan. Check out the video and step-by-step instructions below. It's Clint Pollock, principal solutions architect, back again for part three of our four-part series on using Veracode from the command line in Cloud9 IDE. If you haven't done so already, please check out part one on static policy scans and static sandbox scans and part two on the pipeline scanner. For part three, we will dive into open source and third-party libraries. Those are libraries that you don't generally fix yourself: you upgrade them, and you keep an eye on them to make sure they don't have known vulnerabilities. Inside the Veracode application profile there are results for static analysis and for software composition analysis; if you had manual tests or dynamic scanning, you'll see those results there as well. When you run a static scan, you get a report on first-party problems, and inside software composition analysis you get alerted to any libraries that have vulnerabilities, along with newer versions you can upgrade to so that you don't have those vulnerabilities in your application. This happens automatically. In addition, there is an SCA agent that gives extra information during your build job or within your IDE about third-party and open source components that are out of date or have vulnerabilities. To set up an agent on your desktop or within your build server, go to Software Composition Analysis, and then Agent-Based Scan. If you don't have these tabs, talk to your application security team. This section of the portal is dedicated to open source findings and the problems within them.
You'll notice you can set up a workspace, and inside that workspace you can deploy agents. Agents can be installed on your desktop or in your CI/CD system to give you additional functionality around third-party and open source library issues in your application. Go to Agents, create a new agent, and choose your platform; there are instructions for integrating with many build systems. You have to generate an API token, and then basically just run the command. For my Cloud9 IDE, I choose that option. Once the agent is activated, go into the project folder and run srcclr scan. All the findings come out in the terminal. This application has a lot of problems and will require some real work to resolve them all, which is why you typically start with the very high and high severity items. The SCA agent gives you one additional, critical data point: vulnerable methods. The agent can detect vulnerable methods; uploading a static scan that also produces SCA results does not. A vulnerable method is one where your code actually calls the part of the library in which the vulnerability lives, which makes the finding extremely high risk; remediate any vulnerable methods as soon as possible by upgrading the library to a version that does not have the problem, or by replacing it. This particular app has a bunch of problems known as CVEs; that data comes from the NIST National Vulnerability Database (NVD). Generally, when an open source library gets a problem there will be an NVD entry, but it can appear months after the problem was first discovered. So the second area where Veracode adds value is the premium database.
Veracode uses machine learning to scour the GitHubs of the world, looking at release notes of open source software; if there is any sign of a security issue, our system routes it to humans to be entered into our database. Therefore, you get a bi Vulnerability
Veracode.webp 2021-11-23 14:21:23 Don't Let Code Injections Mess Up Your Holiday eCommerce Season (lien direct) The holidays are right around the corner. It's a well-deserved time to spend with friends and family, and it likely translates into increased online sales. But more eCommerce activity also means increased cybersecurity risk. Most organizations with eCommerce deploy controls such as a Content Security Policy (CSP) to help secure their site and protect their customers' personally identifiable information from a breach. Specifically, a CSP restricts which scripts the browser will run on a page, which is the main defense against injected scripts that commit fraud or skim credit card data. And while a CSP is a solid first line of defense, as we will soon explore, there is much more that organizations need to do to protect against malicious scripts and code injection. That's because a CSP is only as effective as its allow list: if an attacker compromises a service that your policy already allows (a third-party script host, for example), or the policy permits inline scripts, an injected script runs exactly as a legitimate one would. In this article, we'll dive into how and why code injections are a threat to your web applications, why CSPs are effective but not enough to stop injections, and additional measures that you can take to guard against code injection. How are code injections a threat to your web applications? 'Code injection' is a general term for attacks in which the attacker supplies input that the application then interprets as code (SQL, JavaScript, a template expression, a serialized object) rather than as data. It's worth noting that code injection differs from the similarly named command injection: in code injection the attacker is limited to what the injected language can do inside the application, whereas in command injection the attacker executes operating-system commands and is not limited in that way. Injection flaws are still one of the most critical forms of security risk to web applications. Code injections are usually made possible by poor handling of data.
Specifically, code injections arise when input or output is not validated or encoded, which in layman's terms means the data has not been properly 'sanitized.' The application expects only certain kinds of input, but if the developer is careless about what is accepted (format, allowed characters, length) and about how the data is encoded when it is placed into a query, a page or a command, the attacker can succeed. When a code injection attack succeeds, the attacker executes code with the application's privileges, which typically includes its database access. What are CSPs...and are they enough? A CSP is a set of rules, sent by the server in the Content-Security-Policy response header, that tells the browser which sources it may load scripts, styles, images, frames and other resources from, and whether inline scripts may run. It is intended to protect site visitors, because even if an attacker manages to inject markup into a page, the browser refuses to execute script that the policy does not allow. For example, developers can use a CSP to block any script from being loaded from unfamiliar domains. It's ultimately the responsibility of the web application owner to define the CSP for their site, but it's often the developer(s) who will set and enforce those policies. Another example of a CSP rule would be to require that all images and media on a site come from individually approved domains, so that an attacker cannot make the page load content from a host they control. Setting good CSPs like this is effective but, at the same time, they should never be treated as the only line of defense. There are a few reasons for this. The first is that a CSP can struggle to keep up with innovations in web development: a strict policy constrains what the development team can ship, every new third-party widget or analytics script needs an allow-list entry, and teams under delivery pressure tend to loosen the policy (adding 'unsafe-inline' or a broad wildcard) rather than tighten it, at which point it stops blocking much at all. Another problem is the fact that, according to a recent Enterprise Strategy Group survey, over 76 percent of developers never received security training in their college IT programs.
Your developers may not be experienced in, for example, secure coding best practices and may not be able to recognize certain forms of malicious activity. You can help remedy this by offering secure code training. Guarding yourself against code injections One of the best cybersecurity strategies to guard your web applications against code injection Vulnerability Threat
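To make the allow-list point concrete, here is an added example (not code from the Veracode post) of a small evaluator for the script-src part of a CSP header, run against the scenarios the article describes: an injected inline skimmer, a script served from an allow-listed but compromised CDN, a first-party script, and a script from an attacker's host. The storefront origin https://shop.example, the CDN cdn.example.com and the policies themselves are assumptions for the demo. The weak policy is the common allow-list shape with 'unsafe-inline' added; the hardened one replaces the allow-list with a per-response nonce.

```python
# Added example: compare an allow-list CSP with a nonce-based one (not Veracode's code).
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://shop.example"  # assumed storefront origin
# Weak: typical allow-list policy, with 'unsafe-inline' added to keep a checkout widget working
WEAK_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'"


def hardened_policy(nonce: str) -> str:
    """Nonce-based policy: no host allow-list, one fresh nonce per response."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


def new_nonce() -> str:
    return secrets.token_urlsafe(16)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_matches(source: str, url: str) -> bool:
    """Host-source matching: scheme-source, scheme+host, *.wildcard, port. Paths are ignored."""
    want = urlsplit(url)
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*:", source):  # e.g. "https:"
        return want.scheme.lower() == source[:-1].lower()
    if "://" not in source:
        source = f"{want.scheme}://{source}"  # scheme-less host-source inherits the page scheme
    src = urlsplit(source)
    if src.scheme.lower() != want.scheme.lower():
        return False
    host, got = src.hostname or "", want.hostname or ""
    if host.startswith("*."):
        if not got.endswith(host[1:]):
            return False
    elif host != got:
        return False
    return src.port is None or src.port == want.port


def same_origin(url: str, origin: str) -> bool:
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


@dataclass
class ScriptRequest:
    src: Optional[str] = None    # external script URL; None means an inline <script>
    nonce: Optional[str] = None  # value of the element's nonce attribute, if any


def script_allowed(header: str, req: ScriptRequest, page_origin: str) -> bool:
    """Would a browser enforcing `header` run this script? (script-src, else default-src)"""
    d = parse_csp(header)
    sources = d.get("script-src", d.get("default-src", []))
    if not sources or "'none'" in sources:
        return False
    keywords = {s for s in sources if s.startswith("'")}
    if req.nonce and f"'nonce-{req.nonce}'" in keywords:
        return True  # a matching nonce wins under any policy that lists one
    if "'strict-dynamic'" in keywords:
        return False  # host allow-list, 'self' and 'unsafe-inline' are ignored
    if req.src is None:
        # browsers ignore 'unsafe-inline' once a nonce or hash is present
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in keywords)
        return "'unsafe-inline'" in keywords and not has_nonce_or_hash
    if "'self'" in keywords and same_origin(req.src, page_origin):
        return True
    return any(host_matches(s, req.src) for s in sources if not s.startswith("'"))


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed scenarios from the article, evaluated under both policies."""
    nonce = "c29tZXJhbmRvbQ"  # fixed so the result is reproducible; use new_nonce() per response
    cases = {
        "injected inline skimmer": ScriptRequest(),  # stored XSS in a product review
        "compromised allow-listed CDN": ScriptRequest(src="https://cdn.example.com/analytics.js"),
        "first-party script with nonce": ScriptRequest(src="https://shop.example/app.js", nonce=nonce),
        "attacker host": ScriptRequest(src="https://evil.example/skim.js"),
    }
    hard = hardened_policy(nonce)
    return {name: {"weak": script_allowed(WEAK_POLICY, r, PAGE_ORIGIN),
                   "hardened": script_allowed(hard, r, PAGE_ORIGIN)} for name, r in cases.items()}
```

Under the weak policy both the inline skimmer and the script from the compromised CDN run; under the nonce policy neither does, and the first-party script keeps working because the server stamped it with the nonce. The evaluator simplifies real CSP3 semantics in one place: with 'strict-dynamic', browsers also trust scripts that a nonced script itself inserts, which is how a nonce policy stays compatible with script loaders.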
Veracode.webp 2021-11-18 21:38:14 EWF Conference: Plotting the Course for Your Personal Brand (lien direct) “Why focus on building your personal brand?”  This was the first question that Elana Anderson, Chief Marketing Officer at Veracode, asked during her presentation Plotting the Course for Your Personal Brand at the recent Executive Women's Forum (EWF). Anderson, a lifelong student of marketing, and a former analyst at Forrester Research, has a deep understanding of the importance of both corporate and personal brands and the steps necessary to both build and maintain a brand.   To help the viewers grasp the impact that a brand can have on your image, Anderson used a series of words or phrases and asked the audience to guess the well-known women she described. Starting with “humble, holy, self-less, and devoted,” do you think you know who that is? The audience guessed Mother Teresa almost instantaneously. The next one was a bit more challenging: “Powerful, ultra-competitive, willing to take a stand, bold style.” Most guessed the correct answer, Serena Williams.   Anderson described the last woman using two very different sets of adjectives: “Disney, tween idol, sunshine and rainbows, wholesome” and “rebellious, provocative, radical transformation, happy hippie.” The answer – of course – is Miley Cyrus. It's quite amazing that two seemingly opposite brand descriptions describe one person. Anderson pointed out that, while there were certainly some excesses of youth along the way, Miley's brand transformation also illustrates a bit of purposeful genius. And, it is also a great illustration of how important it is to take control of your own narrative. Whatever you might think about Miley, there is no question that she has transformed her brand from Disney tween idol to independent woman and musician who cannot be taken for granted.  Ready to build out your personal brand? 
There are steps you can take, starting with defining your purpose:  Purpose: Before you can start defining the actions of your personal brand, you need to figure out the end goal for your brand. As Elana stated, “What is it that you're trying to achieve? Are you trying to seek growth and upward mobility at your job? Are you seeking to drive momentum for your own business? Maybe you're trying to develop your personal persona and network and become a market influencer.”  Core values: Think about what really matters to you. What do you stand for as an individual?   Strengths: What are the core strengths that set you apart from your peers? Try to think outside the box about what makes you unique.   Skills: Your skills should be broader than your strengths. Consider both the hard (writing, public speaking) and soft skills (good listener, timely) that you have to support your brand purpose. Looking at past performance reviews can be very helpful in determining your skills. You'll be able to see what others define as your top hard and soft skills.  Proof points: Your value, strengths, and skills shouldn't just be “perceived,” you should have evidence to support these attributes.   Core brand artifacts: Not everyone has artifacts when they're in the early stage of establishing a brand, but think about any articles or academic papers you have written, any videos or webinars that you have participated in, or a blog or website, that can support your brand.   Brand personality and tone: This all ties back to your purpose. How do you want your brand to be perceived? If you're trying to become an influencer, you might want a more playful and fun tone. If you're looking for career advancement, you might opt for a more formal, thought-leader tone.   Anderson then explained that work doesn't end after you build out your brand. You have to establish a plan to introduce your new brand. 
Google yourself to see what your current brand looks like, then start working on establishing your brand via social media, speaking engagements, articles, etc.    Once you start integrating your new brand, continuously measure your outcomes and sol Guideline
Veracode.webp 2021-11-18 19:25:13 Part 2: Using Veracode From the Command Line in Cloud9 IDE (lien direct) In part two of a four-part series, Clint Pollock, principal solutions architect at Veracode, details how to use Veracode from the command line in the Cloud9 IDE to submit a static pipeline scan. Check out the video and step-by-step instructions below. It's Clint Pollock, principal solutions architect, back for part two of our four-part series on using Veracode from the command line in Cloud9 IDE. Hopefully you all had a chance to check out part one on static policy scans and static sandbox scans. For part two, I will be moving on to the pipeline scanner. First, let's review the use cases for each type of static scan. The static policy scan is the only required scan from a governance perspective. This is something that should be submitted on a regular basis, once a month or more. The sandbox was the traditional way that developers would preview a new build to make sure they hadn't added any new flaws. The pipeline scanner is our newest approach: it scans inline, returns results in less than a minute, and fits into a CI/CD process, where it can also break a build on a merge or a pull request if that's what you want. And the IDE scan plugin gives you a GUI that you can use to interact with the results of static analysis. Generally, teams being onboarded going forward will run the static policy scan on a regular basis through their CI/CD process, and more than likely use the pipeline scan for IDE-based scanning or for breaking on a merge or a pull request. You should check the supported platform list for the pipeline scanner and make sure it's a good fit for your app. If not, you just continue using the static policy and static sandbox scanning options. Let's discuss how a developer and team might use the Veracode functionality.
At the developer level, they can use the IDE scanner, which is either a plugin or the pipeline scanner. They can submit sandbox scans and they can even run the SCA agent to check for third-party problems. At the next level, when code is checked in as a group, you're going to want to make sure you run the SCA agent scan to check for any third-party library problems, and typically the pipeline scan, which could break the build if there are any new findings or findings that violate a certain threshold. And then finally, as you go to your production release, you typically want a verification step that reruns these checks. But most importantly, this is where you have to do the policy scan, which analyzes the entire app and reports on it for governance purposes. Let's take a look at the Veracode Docker image for the pipeline scanner. You'll notice that this can be run as an environment; typically, you'll use it that way in your CI/CD. Further down, you can run it as a command or an alias, which works out better when you're in your IDE terminal. The pipeline scanner also uses the credentials file to authenticate to the Veracode platform. The basic parameter is the file to scan, which must be a supported, properly built artifact: for Java you could send a JAR or WAR, but for JavaScript, Python, .NET and similar you have to send a zip file up for analysis. You can pretty much copy and paste this command. It's a good idea to be in your project root folder so the present working directory is set there, which makes it easy to submit scans on files inside those folders. Once you've downloaded the Docker image and run the alias command, you can run the help command to see what options are available. This is optional, but it's a good idea to provide at least the project name for tracking purposes in Veracode Analytics.
You can save the output file to disk, you can create GitLab issues, and you can use the baseline file. The baseline file allows you to fail based on any new findings that show up. So if a developer adds a new finding, it will then fail the build, or you can fail it based on severity. T
Veracode.webp 2021-11-18 13:47:13 Champion Spotlight: Damian Sniezek (lien direct) This interview was cross-posted from the Veracode Community. With his third consecutive championship in the Secure Coding Challenge – the monthly coding competition in the Veracode Community – Damian is the latest member of our community to be named a Secure Code Champion. After his win, we spoke with Damian about his experience in the competition and his career growth from a software developer into a security engineer. A Software Architect at SmartBear, Damian is responsible for the security and engineering excellence of the BitBar Device Cloud solution. He decided to enter the Secure Coding Challenge after seeing the announcement in the Veracode Community Forum. After his first win in May, he went on to take the top spot for the next two months in a row. Read more from our Q&A with Damian below. About His Experience in the Secure Coding Challenge Q: What did you find most valuable in participating in the Challenge? A: In every engineering challenge I've participated in, I always find a very interesting theoretical component that allows me to better understand the roots of the problem that must be solved. Q: What's your suggestion for participants to stand out in the competition? A: Be focused and have fun. About His Experience Becoming a Security Engineer Q: How have you grown from a software developer into a security engineer? What are the skillsets and knowledge required for this career change? How did you acquire those skills? A: If I'm being honest, these days all software developers must also be security engineers. It's funny, but I remember exactly when I decided that I had to focus more on the security aspects of my work: in the summer of 2019, when I was working for BitBar (before it was acquired by SmartBear), we held an annual "Quality Month." During this month, every team member was encouraged to focus on any product-related idea that they wanted to improve.
One of my colleagues proposed to me that we implement OWASP ASVS 4.0 in BitBar Device Cloud, and we did it. Soon after that, we had a big external pen test, and the results were good. I think it was a game-changer. And, after that, I attended more security conferences, passed the CEH exam, and have continued to prioritize security in all I do. My security engineer career was boosted even more after BitBar was acquired by SmartBear, as the company takes security very seriously. It was only natural for me to then join an internal SmartBear Security Guild as a representative of our BitBar Device Cloud product. Q: What are the top 3 qualities of a successful security engineer? A: Continuous learning, continuous skill improvement, and the ability to be patient. Security doesn't like the rush. Be focused on the target: making your application as secure as possible. Q: Is there any tool, resource, forum/meet-up, or course you'd recommend for developers looking to break into the security world? A: As I mentioned earlier, for me, adopting the OWASP ASVS was a real game-changer. I'd recommend learning more about this standard if you haven't already. @Community Announcements
Veracode.webp 2021-11-15 15:38:12 Veracode Named Top 100 Women-Led Business in Massachusetts by the Commonwealth Institute and The Boston Globe (lien direct) Veracode was recently recognized by the Commonwealth Institute and Boston Globe Magazine as a Top 100 Women-Led Business in Massachusetts. The honor, which was awarded to Veracode's CEO, Sam King, is given to female leaders across multiple industries who are at the helm of Massachusetts' most noteworthy companies. Sam, who was also recently named a Tech Top 50 recipient by the Mass Technology Leadership Council (MassTLC) for her exemplary leadership over the past twelve months, is helping to make Veracode one of the most noteworthy cybersecurity companies. “It's a great honor for Veracode to be recognized as a Top 100 Women-Led Business in Massachusetts, and I am especially proud that we are the only software company to make the list. This award is a true testament to our teams, who are dedicated to helping our customers secure the software applications that are integral to their business. The passionate people driving Veracode's mission every day are who make this achievement possible.” Veracode was the only software company to receive a spot on the prestigious list. Leaders are chosen based on their revenue and operating budget, number of full-time employees in the state, workplace and management diversity, and innovative projects, among other variables. For more information on Veracode's recent awards, including EY Entrepreneur Of The Year® New England, please visit the Veracode blog. And to see the full list of Top 100 Women-Led Businesses in Massachusetts, check out the Boston Globe. Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter. Guideline
Veracode.webp 2021-11-10 12:34:31 Recent Updates to the OWASP Top Ten Web Application Security Risks (lien direct) The Open Web Application Security Project (aka OWASP) recently announced its latest updates to the venerable OWASP Top Ten list. This publication is meant to bring attention to the most common classes of software-related security issues facing developers and organizations in the hopes of helping them to better plan for and address potential high-severity issues in their codebases. While not specifically an industry standard, it is highly regarded among the security community and is regularly combined with findings from application security vendors and researchers to create a reference point for secure coding practices. The newest edition does make updates to certain conventions but also highlights the consistent issues seen throughout the years, such as injection attacks and insecure components.   Initially notable is the more generalized approach to categorization and naming, with OWASP describing the motivation for these changes as a “focus on the root cause over the symptom.” Given the complexity of modern web applications and software stacks, this new focus is a prudent reminder that focusing solely on the high-level presentation of flaws within complicated vulnerability taxonomies will only go so far in preventing breaches, and that true progress at any scale will only be made by remediations that address the underlying cause of discovered issues.  Supporting this focus is the inclusion of the new category A04:2021 – Insecure Design, bringing attention to the ever-growing need to address vulnerable application architectures and software flaws much earlier in the development process. While there has been considerable discussion about the industry's need to “shift left” for the past several years, it is apparent that a lack of threat modeling and overall secure design continues to be a major issue for applications of all types. 
It is nice to see these concerns formally addressed at this level in the broader context of security risk awareness.   The addition of A08:2021 – Software and Data Integrity Failures and the higher ranking for A06:2021 – Vulnerable and Outdated Components both appear to be in a similar vein, further underscoring the need for organizations to prioritize the security controls associated with the development pipeline and surrounding technologies as much as the specifics of the application code itself. The frameworks, software libraries, and other tools that development teams rely on are updated with increasing speed. It is easier than ever for organizations to fall behind on patching and management of these supporting components. These areas will continue to be points of security concern for years to come, and the industry should continue the work of better addressing the role of tooling and pipeline concerns, as well as application threat modeling, within the general scope of security issues across the board.  The movement of A01:2021 – Broken Access Control to the number one position, while hardly a surprise, is reason for concern primarily due to the obstacles associated with detecting issues of this nature. Underlying many access control flaws are fundamental application logic errors, most of which are currently difficult, if not impossible, to discover with automated scanning of any kind. As most companies are unable to have penetration testers examine every release, applications may only undergo thorough manual security audits relatively infrequently, leaving a large footprint of possible flaws whose discovery and remediation times are measured in months, or even years.  Further complexity is introduced as modern web technologies move toward microservice architectures and application containerization, creating a need to test for access control issues related to the nuances of these components as well. 
While teams may do their best to adhere to a least-privilege model, it quickly becomes more difficult to follow best practice guidelines as additional endpoints and APIs are added and role managemen Vulnerability Threat Patching
Veracode.webp 2021-11-04 16:19:13 Using Veracode From the Command Line in Cloud9 IDE (lien direct) In part one of a four-part series, Clint Pollock, principal solutions architect at Veracode, details how to use Veracode from the command line in the Cloud9 IDE. Check out the video and step-by-step instructions below. Hello, Clint Pollock, principal solutions architect here to explain how to use Veracode completely from a command prompt in your IDE or CI/CD system. I'm going to teach you how to submit a static policy scan and a static sandbox scan. Then, I'm going to clean up some builds using the API, submit a static pipeline scan, a software composition analysis scan, and a dynamic scan … all from the command prompt. Let's get started! The environment I typically work with is an Amazon Cloud9 IDE. I also leverage Docker and a cloned Java app called VeraDemo Java from github.com/veracode/verademo. Maven is also useful to have installed to help build the project. Since my IDE already has Docker installed, I can pull down all the necessary images. The first thing I do is make sure the project properly builds. (You want to check out help.veracode.com for the supported languages and frameworks and be sure you're properly packaging your application for a Veracode scan.) Once I upload the application, Veracode's pre-scan process lets me know if there are any compilation problems that need to be addressed. I can see if my verademo.war file was properly built, and – if it was – move on to the next step. (It's a good idea to check your release notes from time to time. In my case, I noticed that back in November, new Docker Hub images were released.) In Docker Hub, I start with the API wrapper. (Now in Veracode, you want to submit a static policy scan. That is the only basic requirement. From there if you want to shift left, you can leverage something called the sandbox or the pipeline scanner.) I start by submitting a static policy scan.
Then I do some build cleanup and download the report. From there, I have a couple of options. I can run it as an environment, which makes sense if I'm running this within a pipeline; or, if I want to run this in my IDE, I use the Aliases approach. Now I can pull down the API wrapper Docker image to my IDE environment. It's going to set the present working directory that I'm in so that the wrapper can access files from that directory location. I stay on my project root when I run this command. It maps the credentials file from my host operating system so the Docker image can invoke that information. First, I run the help command to see what options are available. Most of the tasks I need to accomplish will fall under these actions. To see all the options, I go to the help center and type in API wrapper parameters. It gives me a list of everything the wrapper is capable of. Veracode offers the wrapper to simplify processes around calling the API, but I can certainly call the API directly. Now I go ahead and use the upload and scan option. (The “create” profile is a required parameter.) If the application profile is already created, it will not cause an error. (This is a good default value if you're going to let developers create application profiles on their own. If the application already exists, you can just set this to “false”. And of course, make sure the app name is correct.) From here, I add the version for the scan and the actual file that I want to upload. And if the application was not created, I add the team AWS to that profile. And that's all there is to it for submitting a static policy scan! Now I will walk you through how to submit a sandbox. To start, I add in “create sandbox.” I set that to “true.” (If it's already there, nothing will happen, but if it's not, it will get created.) I add the sandbox name and take note of the app ID, sandbox ID, and the analysis ID or build ID. Now I check and see if the application passed or failed the policy.
(A static scan can take a few minutes to complete, depending on the size of the application. A pipeline scan is designed to give you feedback in under a minute. Pipeline scanner is what you'll us
Veracode.webp 2021-11-02 14:09:27 Champion Spotlight: Cris Rodriguez (lien direct) This interview was cross-posted from the Veracode Community. Join us in congratulating Cris, the latest Secure Code Champion in the Veracode Community! The Secure Code Champion is an award that recognizes individuals with three championships in the Veracode Community's Secure Coding Challenge competitions. Cris is a principal-level application security engineer at a large global travel technology company. In this role, he focuses on application penetration testing and setting the strategy for migrating their apps over to Google Cloud. Before entering the security space, he was a software developer for five years. In this interview, we asked Cris about his experience participating in the Secure Coding Challenges and his career change story. He talked about how he made the career switch from a developer to a security engineer, and what he thinks is important for someone to be successful in this role. For developers considering a similar career move, he also shared the resources that he found most helpful. About Your Experience in the Secure Coding Challenge What brought you to the Secure Coding Challenge? I got an email about the competition and I enjoy a good challenge. What did you find most valuable in participating in the Challenge? Since there were multiple languages, we were able to experience different solutions for a single bug class. That was helpful since most companies use many languages for their apps. What's your suggestion for participants to stand out in the competition? Trust your instincts and be familiar with using a command line and a coding project directory tree. As a security engineer, you'll need to be able to dig into your organization's code if you want to be able to help your developers succeed. About Your Experience Becoming a Security Engineer How have you grown from a software developer into a security engineer?
What are the skillsets and knowledge required for this career change? How did you acquire those skills? I was a software developer for five years before I switched over to security. When I made the switch, I was focusing on penetration testing, so I read as many bug bounty write-ups as I could find and watched many more YouTube tutorials. Hack The Box and Pentester Academy have been very helpful in my learnings. What are the top 3 qualities of a successful security engineer? Attention to detail: We are looking for bugs in code that works, so you have to understand what makes a component vulnerable. Communication: The developers are going to push back sometimes, so being able to communicate with them is key. Vulnerability knowledge: When the developers push back on a vulnerability, you really need to have the knowledge of why it is important to fix it. It also helps if you can demonstrate how the vulnerability can be exploited. Is there any tool, resource, forum/meet-up, or course you'd recommend for developers looking to break into the security world? Read the disclosed write-ups at HackerOne and Bugcrowd. Also, here is a link to a great repo that gathered a lot of write-ups: https://github.com/devanshbatham/Awesome-Bugbounty-Writeups Questions about becoming a security engineer? Or, if you're a fellow security engineer, let's connect! You can follow me on Twitter @Nimbus689 or connect with me on LinkedIn. https://www.linkedin.com/mwlite/in/cristobal-rodriguez-03b3b079 Hack Vulnerability
Veracode.webp 2021-10-29 14:31:12 Software Composition Analysis Mitigates Systemic Risk in the Popular NPM Repository (lien direct) Chris Wysopal, Veracode Chief Technology Officer and Co-Founder, recently sat down to discuss the open source supply chain attack on the popular npm repository. Below is the transcript and corresponding video of his reaction.   Just a few days ago, we saw a classic open source supply chain attack where someone modified a JavaScript library, UA-Parser-JS, which is in the npm repository. The attackers modified the library to include password stealers and crypto miners so that the applications of anyone who downloaded that version would be compromised.  With an attack like this, the applications that are using this library with this code are going to be running that code with the privileges that they have, wherever they're deployed.   In this case, it was malicious code that was planted. I'm sure it was done in such a way that everyone using those libraries is going to become vulnerable.  If it's password-stealing code, it's going to grab the passwords and send them to the attackers. In the case of crypto miners, it's going to suck up resources and CPU time and send the money to the attacker's wallets.  It's important if you're using any kind of open source – which 99 percent of people building applications are – to use an open source software composition analysis (SCA) tool. What that can do is determine what open source you're using. Veracode SCA does this. Another important thing to do is make sure the vulnerability database that your SCA tool uses is current and up to date.   At Veracode, we scan all the open source repos every single night. When this malicious code was inserted, we detected it right away. All of our customers were alerted that if they're using this version of the code, they need to update to the non-vulnerable version immediately.   
Veracode's recent State of Software Security: Open Source Edition report shows that 79 percent of the open source libraries that developers include are set it and forget it, which means they include it once and they never update it. But the updates tend to be relatively straightforward. In fact, 92 percent of open source flaws can be fixed with an update. And 69 percent of updates are a minor version change or less.   It is really important to have good and timely information about the vulnerabilities in the libraries you're using and a good process for updating the libraries …  hopefully in a very automated manner. That way you're updating these libraries without any manual effort, probably in minutes or hours instead of months. That could be the difference between an attacker compromising you or not.   This is why it's so important to stay on top of all the known vulnerabilities in the open source libraries you're using as part of your application, because when you include that third-party code, your application is likely to become vulnerable to those same problems.  Don't fall victim to an open source attack. Learn how Veracode Software Composition Analysis can protect your code.  Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter.    Tool Vulnerability
Veracode.webp 2021-10-29 09:38:32 Cybersecurity Awareness Month: Top Trends Impacting Your Applications (lien direct) It's always important to take a pause to evaluate your software security – and what better time to do that than during Cybersecurity Awareness Month? To help get you thinking, we've compiled a list of cybersecurity trends that are happening now and will likely continue throughout the next several years.   1. Ubiquitous Connectivity: We are quickly moving to a world where everyone and everything is connected. Most software is internet-connected, as are most devices. Everything is talking to everything. So as data flows between enterprise applications, cloud-connected or SaaS software, and IoT devices, business risk is growing exponentially.    2. Abstraction & Componentization: Software and technology continue to be the backbone of modern society. As a result, businesses are constantly seeking methods to innovate and build software faster. To move faster, many development teams are turning not only to the cloud but to microservices. With microservices, development teams can break down comprehensive applications into the smallest possible reusable blocks of logic in order to stitch them together into business processes or workflows.  3. Hyperautomation of Software Delivery: Hypercompetitiveness in the market is driving the need to attain speed-to-value and wring out all inefficiencies in processes, including software development. As a result, software development – and all processes that interact with software delivery – must also adapt and become hyperautomated.  4. Evolution of Open Source Libraries: Open source libraries provide teams with common functionality that can be easily incorporated into code to dramatically increase efficiency. Unfortunately, according to our recent State of Software Security: Open Source Edition report, 79 percent of developers never update third-party libraries after including them in the codebase. 
Since open source libraries are continuing to evolve, failing to update third-party libraries (and the vulnerabilities they carry) is becoming a significant cause for concern. In fact, almost one-third of applications now have more security flaws in their third-party code than in their first-party code. 5. New Cybersecurity Policies: To try and combat increased risk, there are new industry and government regulations coming into play. For example, the Biden administration recently released a new Executive Order on Cybersecurity. The Executive Order will set supply chain standards that all organizations must follow in order to provide software to a federal agency. The standards – aimed at driving down systemic risk – will likely start trickling down to the public sector as well. We expect to see minimum standards for scanning tools, developer secure-code training, and flaw remediation – all areas our products and services are able to support. To sum up the trends, if you are looking to future-proof your software, you should be paying attention to your attack surface, adopting cloud architecture and microservices to improve speed to market, scanning your open source code regularly, and leveraging a unified platform with multiple AppSec testing types to aid compliance efforts. To learn how Veracode can support your software security goals, check out our products and services. Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter.
Veracode.webp 2021-10-12 15:31:43 MassTLC Names Sam King a Tech Top 50 Recipient (lien direct) Sam King, CEO of Veracode, was recently named a Tech Top 50 recipient by the Mass Technology Leadership Council (MassTLC) for her exemplary leadership over the past twelve months. The Mass Technology Leadership Council (MassTLC), the region's leading technology association and premier network for tech executives, entrepreneurs, investors and policy leaders, recognizes tech companies and leaders for their achievements across multiple categories. “The resiliency and determination of the tech ecosystem in this region enables the innovation and leadership that makes Massachusetts so special,” remarked MassTLC CEO Tom Hopcroft. “It is an honor to recognize the people and companies and their amazing stories.”  The candidates were awarded based on their contributions in one of the following eight categories: Best Pivot to Meet the New World, Business Accomplishment, Company Culture, Inclusivity Impact, Leadership, New Company of the Year, Tech for Good: Social Responsibility, and Tech to Watch.  Sam was recognized in the “leadership” category. “The category recognizes CEOs for their leadership throughout this past year,” said MassTLC. “[These] six outstanding CEOs were able to not only shepherd their employees through difficult times but emerge stronger than before.”  This recognition comes just months after Sam was named a winner of the EY Entrepreneur Of The Year® New England award. “I'm thrilled to be included in the Tech Top 50 by the Mass Technology Leadership Council. Massachusetts is well known for its inclusive and innovative technology landscape, and to see Veracode awarded for leading the charge as a software security company is fantastic. 
This award recognizes our entire team, whose continued dedication and resilience over the past year has helped our customers stay focused on their mission and drive digital transformation securely.” To keep up with Veracode's recent achievements, please visit the Veracode blog. And to hear stories from MassTLC Tech Top 50 winners, including their accomplishments and impact on customers, partners, employees, and the broader community, check out the MassTLC homepage.     Guideline
Veracode.webp 2021-09-30 14:22:27 .NET 5, Source Generators, and Supply Chain Attacks (lien direct) IDEs and build infrastructure have been a target of various threat actors since at least 2015, when XcodeGhost was discovered (https://en.wikipedia.org/wiki/XcodeGhost): a malware-ridden copy of Apple's Xcode IDE that enabled attackers to plant malware in iOS applications built with it. Attacks executed through builds abuse the trust we place in our build tools, IDEs, and software projects. This is slowly changing (for example, Visual Studio Code added a Workspace Trust feature in one of its recent releases: https://code.visualstudio.com/docs/editor/workspace-trust), yet at the same time .NET 5 added a powerful yet dangerous feature that could make attacks similar to the one described above easier to implement and deliver, and easier to keep under the radar. Source Generators introduction Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/) Microsoft announced a new and exciting feature of the upcoming .NET 5: Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins, Source Generators offer more flexibility, as they are independent of the IDE and compiler and do not require modifications to the source code. Source Generators can be present in your software solution as part of the Visual Studio solution structure, visible as a separate project in the IDE's solution browser. More often, they are added as a NuGet library, like any other dependency. Compilation pipeline that includes a Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ As Source Generators follow the same concept as Analyzers, they may need install and uninstall scripts. In a simple scenario, the install script modifies the given project's csproj file in order to trigger the Source Generator at build time.
Similarly, the uninstall script removes any references to the Source Generator from the csproj file. Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and have already been attempted in the wild, but the technique described in this blog post does not use scripts, making potential attacks harder to detect. Generators can be used for various purposes; in the most trivial case, to inject code that will be callable from first-party code. Source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/

    using System;
    using System.Collections.Generic;
    using System.Text;
    using Microsoft.CodeAnalysis;
    using Microsoft.CodeAnalysis.Text;

    namespace SourceGeneratorSamples
    {
        [Generator]
        public class HelloWorldGenerator : ISourceGenerator
        {
            // GeneratorExecutionContext / GeneratorInitializationContext are the released
            // .NET 5 API names; the preview names SourceGeneratorContext and
            // InitializationContext used in the original announcement no longer compile.
            public void Execute(GeneratorExecutionContext context)
            {
                // begin creating the source we'll inject into the user's compilation
                var sourceBuilder = new StringBuilder(@"
    using System;
    namespace HelloWorldGenerated
    {
        public static class HelloWorld
        {
            public static void SayHello()
            {
                Console.WriteLine(""Hello from generated code!"");
                Console.WriteLine(""The following syntax trees existed in the compilation that created this program:"");
    ");

                // using the context, get a list of syntax trees in the user's compilation
                var syntaxTrees = context.Compilation.SyntaxTrees;

                // add the file path of each tree to the class we're building
                foreach (SyntaxTree tree in syntaxTrees)
                {
                    sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");");
                }

                // finish creating the source to inject
                sourceBuilder.Append(@"
            }
        }
    }");

                // inject the created source into the user's compilation
                context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8));
            }

            public void Initialize(GeneratorInitializationContext context)
            {
                // No initialization required for this one
            }
        }
    }

Malware Tool Threat
Veracode.webp 2021-09-27 18:27:30 Recap: Virtual Boston Globe Summit (lien direct) Veracode CEO Sam King had the opportunity to speak at this year's inaugural virtual Boston Globe Summit, “The Great Recovery.” Sam was invited to join the panel, How Boston is Tackling the Biggest Cyber Threats Facing Society, moderated by Gregory T. Huang, Business Editor at the Boston Globe, with guests Greg Dracon of .406 Ventures and Christopher Ahlberg of Recorded Future.   The group began by discussing the evolving landscape of software today. Sam noted that the COVID-19 pandemic, a forcing function to remote work environments, kicked digital transformation into action for many organizations, whether or not they were prepared. In fact, a survey from Verizon detailing sentiment among business leaders about the impacts of COVID-19 found that 38 percent of respondents had implemented virtual collaboration technology and a third chose to temporarily close to allow for transitions to new systems that would enable new ways of working. There was also increased adoption of cloud and software as a service.  Sam also touched on issues raised by Veracode's co-founder and CTO Chris Wysopal in his testimony to Congress in 2003 which are still as relevant as ever: large amounts of software are still not designed in a defensive way, nor are they built with security testing directly embedded in the software development process.   This is especially problematic for businesses and government, so it's vital that organizations pay attention to initiatives like the current administration's Executive Order on Improving the Nation's Cybersecurity. “President Biden came out with the Executive Order a couple of months ago and that is a step in the right direction for two reasons: he is asking federal agencies to do a better job, and he is also using the purchasing power of the federal government to try and secure the extended software supply chain,” Sam noted.   
As we move forward, what should the role of the government be in security, and which policies did the panel think are most useful? Worth mentioning are the recent Massachusetts state senate hearings in which we learned that residents had lost nearly $100 million from cyberattacks in 2020, according to the FBI Internet Crime Complaint Center annual report. In these cases, the role of government in driving policy may be best achieved by providing resources and educational training so that state and local institutions can improve their systems and build thoughtful security plans that protect their data – and the data of the people who use their services. As Sam commented during the summit, establishing guidelines and then creating some incentives to drive policy is a step in the right direction. Ideally, government should work with the private sector to share information around requirements, ratings, and labels so that software is held to the same standards across the board. Sam once again applauded the executive order, explaining how critical it is for the government to take proactive steps to ensure the security and safety of software by establishing standards around assessing vulnerabilities and implementing security processes. When asked about what we might see in the future of cyberattacks, Sam noted that she hopes the current moment in time is a call to action for everyone, especially those implementing policy and strategy within their organizations. “I think it's going to take a wholesale effort where people that are guiding the strategies of companies and looking at the risks are creating structural change in the organizations they're responsible for,” she continued. Stay up to date on the latest tools, trends, and vulnerabilities in software security by reading our annual State of Software Security report, and watch a recording of the panel. Guideline
Veracode.webp 2021-09-23 08:55:21 Application Security Testing Evolution and How a Software Bill of Materials Can Help (lien direct) Early in my career, I developed web applications. At the time there were practically no frameworks or libraries to help.  I was coding with Java using raw servlets and JSPs – very primitive by today's standards.  There was no OWASP Top 10 and writing secure code was not something we paid much attention to.    I specifically remember coding an open redirect years ago.  I didn't know it was a vulnerability at the time.  In my mind, it was a great feature for my Java servlet to recognize a special query string parameter that, if present, would trigger a redirection to the given URL!  Interestingly, a dynamic scan or penetration test of the application would not have found my vulnerability.  The name of the parameter was undocumented and not easy to guess.  On the other hand, static application security testing (SAST) or a manual code review would have found it.    My first stint at Veracode was in 2012, after six years working as an application security consultant.  It was exciting to join an up-and-coming company on the cutting-edge of AppSec testing.  Since then, open source software has grown enormously and proliferated in all aspects of application development.  Building apps today is faster because of how easy it is to integrate these components into our own projects.  Package managers and open source registries like Maven repository, NPM registry, PyPI, and RubyGems.org provide a way for developers to quickly access and leverage a rich plethora of ready-to-use libraries and frameworks.  The downside with this model of building applications is that vulnerabilities present in open source components are inherited by our software as well.  This has resulted in many data breaches over the years (Equifax via Apache Struts comes to mind).  
One of the reasons I recently re-joined Veracode is to have the opportunity to work with a premier Software Composition Analysis (SCA) tool. SCA is complementary to SAST. While SAST checks 1st-party code for security flaws, SCA looks at 3rd-party code like open source libraries. In terms of the OWASP Top 10, this falls under OWASP #9 – Using Components with Known Vulnerabilities. If your application is using a vulnerable component, it's not necessarily your fault. The vulnerable component may be present because a library that your code is using directly has a dependency on another library. This is called a transitive dependency. Transitive dependencies are pulled in automatically by build systems, aka package managers. Data from our State of Software Security: Open Source Edition report shows that 71 percent of applications have a vulnerability in an open source library on initial scan, and that nearly half of those (47 percent) are transitive. Now let's talk about a software bill of materials (SBOM). An SBOM lists the individual components that are included in a piece of software. This can help with identifying vulnerabilities or license risks that may affect your organization. The concept of an SBOM is not new, but it's garnered much more interest lately due to the recent U.S. Cybersecurity Executive Order. One of its requirements is having an SBOM for all critical software sold to the federal government. There are different SBOM specifications in the marketplace today. I will focus on CycloneDX, which was recently accepted as a flagship OWASP project. CycloneDX is a security-focused SBOM specification capable of describing the following types of components: Application, Container, Device, File, Firmware, Framework, Library, Operating System, and Service. CycloneDX's supported data formats are XML, JSON, and Protobuf.
Here's an example of a CycloneDX SBOM in JSON format: Right away we can see that the software represented by this SBOM includes one library –Apache's Commons Collections ver Vulnerability Equifax
Veracode.webp 2021-09-21 10:49:49 MPT\'s Value at Veracode (lien direct) You finally have some budget to buy tools for your application security (AppSec) program! GREAT! Purchasing the correct tools for your AppSec program can be overwhelming. Even when looking only at point solutions, there still may be some confusion on the value that various tools can provide. Sometimes you'll find the perfect tool, but others may offer you a similar tool with added manual penetration testing (MPT) as part of the overall bundle. That seems like a great idea for the budget. Let's dive in and see what types of value these other offerings really provide. First, let's cover the shortcomings of other Automated Tools + Manual Penetration Testing bundles. This is going to be pretty high level and will avoid comprehensive dives for ease of consumption. If you read anything, read the short bulleted list! Who is doing your MPT as part of this engagement? Veracode has world-famous authors and hackers on their MPT teams. Please reach out and ask for our MPT team profile and then google them! Chances are that your bundled MPT is being conducted by offshore teams to provide cost savings. Apps don't get great coverage with MPT. This is a light MPT engagement when bundled. Ask for regular pricing so you can see the difference. Typically you can gauge the effectiveness of the offering by comparing the 1-day retail price of MPT to what is offered in the bundled offering. Cheap MPT and any other labor-intensive offerings DO NOT SCALE! Think about it. MPT on demand? Do they have people staffed and waiting for you to make a request? How is it that the queue is not long? Also, claimed less than 1% FP rates due to manual labor scrubbing DO NOT SCALE. Remember, anything labor-intensive requires people being on payroll and WORKING. If they are not WORKING, they are on stand-by. We all know that no one is hired to be on stand-by.
Why Veracode's Manual Penetration Testing value can NOT be beaten Veracode's value in MPT can be summarized into four major points. Single Pane Looking Glass reports Comprehensive Security Analysis Value, Remediation and AppSec Program Assistance, and scalability. Single pane looking glass report Veracode has a single pane looking glass capability that is unmatched in the industry. You can purchase Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration testing. Then you can generate a report with all the findings on one PDF in the context of a single application. With our big data analytics tools, you can then generate views on the entire organization portfolio or per team application's security posture. Comprehensive security analysis value If you already are a customer of our automated tools, then MPT with Veracode generates a value proposition that CAN NOT be beaten. For example, if you are running daily/weekly SAST, DAST, and SCA checks. MPT will skip all the findings in those reports. This allows us to find more complex and nefarious things that automated tools simply can not do. With other MPT offerings, the vendors must use the hours and will not know to skip the low-hanging fruit that our tools already caught such as SQL Injections, cross-site scripting, etc. Since other vendors don't have access to the same analysis, they must generate as many findings as they can per hour. When you compare hour for hour MPT offerings against Veracode- you will find that Veracode can do more with an hour of MPT than any other vendor can. Remediation and AppSec program assistance Other vendors won't have the experience in providing remediation advice or AppSec program assistance that Veracode has. Don't spend hours looking for answers. Speak to one of our services experts to help you fix the findings we generate or help manage your application security program. 
This is not an extra add-on; this is included upfront, so it is easy to forecast and budget. If your security or dev teams have questions, Veracode is there to help. Scalability No other vendor can scale like Veracode. In our automated tools, we don't lean on manual labor to generate better findings. I… Tags: Tool
Veracode.webp 2021-09-10 08:25:31 2003 Testimony to Congress Proves That We Still Have a Long Way to Go In Building Secure Software (direct link) Back in May 1998, as a member of the hacker think tank, L0pht, I testified under my hacker name, Weld Pond, in front of a U.S. Senate committee investigating government cybersecurity. It was a novel event. Hackers, testifying under their hacker names, telling the U.S. government how the world of cybersecurity really was from those down in the computer underground trenches. Many in the security community know of the famous L0pht Senate testimony, but very few know that one of the L0pht members testified on Capitol Hill 5 years later. That member was me. This time I testified as a cybersecurity professional using my real name. I was the director of research and development at @stake, an information security consulting company. Back in the summer of 2003, the internet was plagued with worms such as Blaster and Sobig. The U.S. House of Representatives Committee on Government Reform wanted to hold hearings to understand the problem. Why had 400,000 computers been infected with Blaster in less than five days when the patch that would have prevented the attack had been available for over a month? I was asked to testify to help the committee understand vulnerability research. How were the vulnerabilities discovered that led to worms like Blaster, and why were these latent vulnerabilities there in the first place? The problems I spoke of in 2003, sadly, are still here with us 18 years later. Large amounts of software are still not designed defensively… and not built with security testing embedded in the development process. The economics of software development still leads to the reuse of old insecure software. Computer users still loathe updating to new, more secure versions of software due to costs and resources required.
I discussed how the root cause of viruses and worms was security flaws in the design or implementation of software. I still believe this today (even though most vulnerabilities are not “wormable” or attackers choose to attack with more precision). I discussed the problems with a ship-it-vulnerable, patch-it-later approach. Even now with some products using auto-updating, patching is often late or doesn't happen at all due to the resources required to patch in an enterprise IT environment. Most of what I spoke of was the world of vulnerability research. Who were the people – like the researchers from the Last Stage of Delirium – that discovered the Blaster vulnerability? Why would they do this? How did they do this? How is it possible that they found a security bug when the vendor didn't? Then I spoke about the safe vulnerability disclosure process: How researchers could work with vendors to keep the internet safer despite vulnerable software everywhere. This type of process is now widely followed by researchers and vendors and is codified into an ISO standard. We have made progress on the challenge of building software more securely, distributing patches better, and handling vulnerability disclosure better. But the gains are far less substantial than they should be after 18 years. In my 2003 testimony, I said, “The current flawed computing infrastructure is not going to change for the better overnight. It will take many years of hard work.” We are still in the “many years” phase and perhaps will be for another decade. Take a look at my 2003 testimony and see for yourself just how far we still need to go. Tags: Vulnerability, Patching, Guideline
Veracode.webp 2021-09-07 16:31:28 Digital Signatures Using Java (direct link) This is the ninth entry in a blog series on using Java Cryptography securely. We started off by looking at the basics of the Java Cryptography Architecture, assembling one crypto primitive after another in posts on Cryptographically Secure Random Number Generators, symmetric & asymmetric encryption/decryption, and hashes. In the meantime, we had to catch up with the cryptographic updates in the latest versions of Java. Having looked at some of the most common symmetric-cryptography-based applications, a.k.a. Message Authentication Codes and Password Storage, let's take a slight diversion and look at asymmetric cryptography applications, starting with Digital Signatures in this post. Skip to the TL;DR Overview: What Is a Digital Signature Digital Signatures are in many ways analogous to physical signatures: they provide assurance to the receiver that the received message was created and sent by the claimed sender (authentication), bind the sender to the data in the received message (non-repudiation), and show that the message was received unaltered (integrity). They do not provide any confidentiality for the messages being exchanged. A Digital Signature is an asymmetric-key operation, in which the private key is used to digitally sign a message and the corresponding public key is used to verify the signature. Both Message Authentication Codes and Digital Signatures are used for signing messages. MACs are generated and verified with a shared symmetric key; in contrast, a digital signature is generated with the PrivateKey of an asymmetric (public key cryptography) key pair and verified only with the corresponding PublicKey. This private key is possessed only by the signing authority. Thus, Digital Signatures provide a non-repudiation service that MACs can't. HowTo: How Does It Work?
Similar to Message Authentication Codes (MAC), the core concept of a digital signature is computing a signature on the sender side by applying the PrivateKey to a hash of the message (M), then sending the original message and the computed signature to the receiver. The receiver verifies the signature using the PublicKey. If the signatures match, the non-repudiation, authenticity and integrity of the message from the intended sender have been verified. Digital Signature Steps: Asymmetric keys, PrivateKey and PublicKey, are generated. The sender safely stores the PrivateKey; the PublicKey is publicly available. The sender computes Sign of message (M): Sign = SignatureAlgorithm(M, PrivateKey, Hash Algorithm). M || Sign is sent to the receiver. On the receiver side, Sign is verified by computing Sign' = SignatureAlgorithm(M, PublicKey, Hash Algorithm). If Sign == Sign', the non-repudiation, authenticity and integrity of the message from the intended sender have been verified. HowTo: Construction of a Digital Signature HowTo: Design Before we dive into full-fledged implementation discussions, we need to make a few design decisions: HowTo: Decide Which Signature Algorithm to Choose? RSA has been the de facto algorithm used for Digital Signatures. However, over time it has proven fragile [9]. DSA is on its path to deprecation [4] in favor of ECDSA. By steering clear of these two signature algorithms, we eliminate more than 50% of the signature algorithms supported by JCA. As we discussed in our Java Crypto Catch-up post, later Java versions provide very mature Elliptic Curve (ECC) support, and we should embrace those schemes. If you want to learn more about how ECC works and how it compares against other public key mechanisms, I have listed some links in the references section below. Over time many curves have appeared, and not all are good for cryptographic purposes. You should pick between: Edwards Curves: For any new development, I would suggest using Edwards-curve-based schemes.
Both the Ed25519 and Ed448 schemes provided by JCA are excellent options. They are not yet standardized by government authorities (NIST), but standardization is on its way. NIST Standardized Curves: If at all [11] you have to abide by government standards, go for ECDSA with an approved curve providing at least 128 bits of security strength. But how to choose a secure curve from 25 options pr… Tags: Guideline
Veracode.webp 2021-08-19 08:10:39 Veracode Ranked as a Strong Performer in Forrester Wave™ Software Composition Analysis Report (direct link) Veracode has been recognized in a report Forrester Research recently released, The Forrester Wave™: Software Composition Analysis, Q3 2021. The report helps security professionals select a software composition analysis (SCA) vendor that best fits their needs. The report, which evaluates 10 SCA vendors against 37 criteria, ranks Veracode as a strong performer. The Forrester Wave™ states, “Veracode is a strong choice for customers that are most interested in remediating vulnerabilities in open source components.” Noted in the report is our roadmap, which “...focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC security capabilities.” The report also highlighted, “Veracode has concentrated its SCA solution on finding and remediating open source vulnerabilities, with dependency graphs and guidance on a fix's likelihood to break the code - one customer's reference called the dependency graph 'amazing'.” Why is SCA such a critical element of software development? As Forrester explains, “Open source use has exploded, with the average percentage of open source in audited code bases increasing from 36% in 2015 to 75% in 2020.” But we know from Veracode's recent State of Software Security (SOSS): Open Source Edition report that about 79 percent of developers never update third-party libraries after including them in their codebase, which leads to unnecessary breaches. With tools like Veracode Software Composition Analysis in hand, developers have the power to assess and manage the risk of their open source components by scanning open source dependencies for known flaws and leaning on data-driven recommendations for version updating.
In fact, our SOSS research unveiled that 92 percent of third-party flaws can be remediated with an update and 69 percent of the updates are minor. Learn more Download The Forrester Wave™: Software Composition Analysis, Q3 2021 report to learn more about what to look for in a software composition analysis vendor and for additional information on Veracode's strong performer ranking in vulnerability detection and remediation. Tags: Vulnerability, Guideline
Veracode.webp 2021-08-06 09:32:28 Recap: Black Hat USA 2021 (direct link) Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements. As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats - especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration's recent Executive Order on cybersecurity, which impacts software security for organizations big and small. We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw an uptick of cyberattacks by 50%), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That's where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded. “I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said.
Speaking about Veracode Security Labs, he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.” Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure's full story here to see how they got it done. From Big Data to Open Source We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures. As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks. Another interesting session, titled Securing Open Source Software – End-to-End, at Massive Scale, Together, was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group.
In their discussion, they highlighted that, while open source software is foundational to the Internet, it's also rife with risk if left unchecked. This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs - our recent State of Software Security: Open Source Edition report found that just over half of… Tags: Tool, Threat
Veracode.webp 2021-08-02 14:28:46 SANS Survey Finds Only 29% of Orgs Have Automated Most of Their Security Testing (direct link) IT workloads are increasingly moving to the cloud, changing the way organizations develop and deliver software. Deploying and running production systems is now separate from the hardware and network, infrastructure is defined through code, and operations are now part of cloud service APIs. What does this mean for security? Security professionals need to be able to read and write code. They need to build security tests into continuous integration/continuous delivery (CI/CD) pipelines. They need to understand the different cloud architectures and platforms. Security tests need to be conducted at a fast pace that won't impact the speed of software deployments. Ideally … security needs to become code. But how are we doing on this quest to the future state of security? SANS Institute examined 281 global organizations to find out what security teams need to understand about software development to meet the demand of high-velocity software deliveries, the skills they need to catch vulnerabilities early, and the impact that cloud architectures and platforms have on this effort. Cloud Platforming For starters, the survey found that 97 percent of organizations use a public cloud provider. But these organizations aren't sticking to just one cloud provider. Over 57 percent of organizations use three or more cloud platforms. Since every cloud platform is different in terms of configuration models, APIs, and services, using multiple platforms can present operational and security challenges. Ideally, organizations need to leverage cloud-agnostic tools – like Terraform – to configure and provision services across multiple cloud platforms using the same toolset and language. Better yet, organizations should be automating cloud configuration through code and platform APIs.
Velocity of Delivery and Security Testing With the transition to the cloud and DevOps practices, organizations have been able to deploy new software faster than ever. In fact, the velocity of software delivery has increased by 14 percent over the past five years alone. But security scans have been lagging behind, causing many organizations to release vulnerable software to production. The survey found that, in most instances, security scans are delayed because organizations are using manual testing instead of automated testing. Only 29 percent of organizations have automated 75 percent or more of their security testing, and fewer than half of organizations have security tests automated into their coding workflows. Operations Software deployments aren't the only thing speeding up. Cyberattacks are also on the rise – happening more frequently and with greater sophistication. Unfortunately, most organizations are not remediating flaws fast enough. Only half of organizations resolve flaws in under a week. Once again, this lag is the result of manual security testing instead of automated testing. As stated in the survey, “Organizations need to leverage DevOps and Agile practices, and automated build chains and automated testing, to get patches out faster with confidence.” Barriers and Enablers If automating build chains and security tests is ideal, why aren't more organizations transitioning to DevSecOps? The survey uncovered that organizational challenges are to blame. The biggest barriers to entry stem from organizational silos, lack of funding, and limited resources/skills. However, that doesn't mean that the transition to DevSecOps isn't possible. Many organizations are successfully transitioning to DevSecOps by leveraging secure coding training, improving communication across the developer, operations, and security teams, and securing management buy-in.
When developers and security professionals have secure coding knowledge, they can fix vulnerabilities without having to spend time on Google or Stack Overflow learning remediation tactics. Best of all? With the right knowledge and buy-in, developers and security professionals can integrate automated testing into build chains, automate builds, and enforce security and compliance po
Veracode.webp 2021-08-02 10:56:59 Champion Spotlight: Hans Dam (direct link) This interview was cross-posted from the Veracode Community. With his third consecutive championship in the Secure Coding Challenge – the monthly coding competition in the Veracode Community – Hans Dam is the first in the community to clinch the title of Secure Code Champion. We spoke with him about his experience in the coding competitions and his career growth from a software developer to a DevSecOps manager. As DevSecOps manager currently working at Explorance, Hans manages the DevOps and AppSec teams and is responsible for managing internal application security scans, improving internal processes with automation, and developing tools for deployment and monitoring. His strong passion for DevOps and automation is at the core of his current role. What makes Hans the first Secure Code Champion and how did he get application security under his belt? In this interview, Hans shares his takeaways from the Secure Coding Challenges and his advice for developers looking to break into the security world. About your experience in the Secure Coding Challenge What brought you to Veracode's Secure Coding Challenge? The company I work for, Explorance, was offered a demo of Veracode Security Labs, and I found the gamification aspect of Security Labs exciting. Unfortunately, during the demo, we did not set it up as a competition. Because of this, when Veracode announced a competition involving security best practices and programming, I was hooked. What did you find most valuable in participating in the Challenge? I really like the diversity of programming languages and frameworks used in Veracode Security Labs. I had not touched Go, Flask, or Scala code before I participated in the Secure Coding Challenges. Additionally, it's always nice to brush up on the basics including OWASP TOP 10 vulnerabilities. What's your suggestion for participants to stand out in the competition?
Know that you don't have to complete every step described in each Lab. For example, if you make a code change you don't always have to run and test your solution. Many times, it is enough to simply save the file.  About your experience becoming a DevSecOps Engineer    How have you grown from a software developer into a DevSecOps engineer? What are the skillsets and knowledge required for this career change? How did you acquire those skills?    I started at Explorance as a software developer, developing new features for our main product. Based on my experience in previous companies, I saw some areas where we could improve the processes and increase automation. I started creating build scripts, developing internal tools, and playing around with the possibilities of continuous integration.  I was then offered to lead our maintenance team, whose main objective was to quickly diagnose and resolve customer issues, in unison with our customer support engineers and operations team. This gave me the perspective of different departments on the product features, reliability, debuggability, deployment, and documentation.  I got the opportunity to switch focus and started a role in application security within Explorance. We wanted to increase our focus on security by doing internal security scanning, increasing the application security awareness among developers, and reacting to emerging trends more rapidly.  Working with Veracode to identify and mitigate security issues in our products helped me open my eyes to best practices and the many ways things can go wrong when trying your best to rapidly meet customers' needs.  My latest role change at Explorance was to become a DevSecOps Manager, which means that I am managing our DevOps and AppSec teams.  Within Explorance, the transition from software developer to DevSecOps manager has been a product of me trying out a bunch of different things and the organization believing in me. 
The main skillsets would be tenacity and listening to your colleagues about how to improve every day. Wha… Tags: Threat, Guideline
Veracode.webp 2021-07-29 10:06:37 Veracode CEO Sam King Crowned a Winner in the EY Entrepreneur of the Year® New England Award (direct link) For the past 35 years, EY's Entrepreneur of the Year® program has honored leaders from around the world who continue to make positive impacts within their industries. We're thrilled to share that, this year, Veracode's CEO Sam King has been named a winner in the Entrepreneur of the Year® New England award! This prestigious program celebrates entrepreneurs like Sam who are leading successful companies, underscoring each nominee's innovation, financial aptitude, and commitment. Sam is among 15 audacious winners from 10 companies in New England. Awarded to executives who work hard to build leading businesses that create jobs and contribute to their communities, the Entrepreneur of the Year® honor celebrates Sam's dedication to cementing Veracode as a leader of the pack in software security. Sam was selected for her integral role in Veracode's growth, success, and innovation over the past 15 years, initially as a founding team member and then as CEO. Her inspiring leadership, ability to succeed in a complex economic environment and commitment to community, diversity, and mentorship were recognized for their lasting effects on both Veracode and the New England area. Under King's leadership, Veracode has become the fifth largest cybersecurity employer in MA, the #1 women-led software company in MA (The Boston Globe), an eight-time Leader in the Gartner Magic Quadrant for Application Security Testing, and a Leader in the Forrester Wave for Static Analysis Security Testing. Entrepreneur of the Year® regional winners are inducted into the Hall of Fame, which is an “…elite roster of business leaders who have been recognized for their exceptional entrepreneurial achievements” according to EY.
As a New England award winner, Sam joins an esteemed multi-industry, international community of unstoppable creators and disrupters from around the globe who are shaking up their industries by breaking boundaries. While the number of awards varies year to year, nominees go through both a regional panel and a national panel of judges to select the strongest candidates and then, if selected, move forward to become national finalists. Sam is now eligible for consideration for the Entrepreneur Of The Year 2021 National Awards. Award winners, including the Entrepreneur Of The Year National Overall Award winner, will be announced in November at the Strategic Growth Forum®, one of the nation's most prestigious gatherings of high-growth, market-leading companies. Watch the full video of the ceremony here. Tags: Guideline
Veracode.webp 2021-07-26 09:56:06 Announcing the Veracode Security Labs FREE Trial (direct link) We're excited to announce a new free trial option of Veracode Security Labs that allows new users to try the full Enterprise Edition for 14 days. Why is this hands-on training solution so critical? Developers are the backbone of the software that powers our world today, but when they lack security skills, it's harder for them to keep up with the rapid pace of modern software development while still producing secure code. Veracode Security Labs helps close these skill gaps by giving developers that inimitable hands-on experience, and now with this two-week trial, you'll have plenty of time to try out these hands-on-keyboard labs with your developers and see just how effective it is in real time. “Veracode Security Labs engages and actively teaches developers by giving them a containerized space to work with real code and demonstrates how to avoid flaws that have led to some of the headline-making vulnerabilities of the last few years,” says Ian McLeod, Chief Product Officer at Veracode. “With this approach, in as little as five to 10 minutes, developers can learn new skills and deliver secure code on time.” Developer training with tools like Security Labs is critical as vulnerabilities in code are easily weaponized, and they're not going away anytime soon. Verizon's 2021 Data Breach Investigations Report (DBIR) showed that web applications make up 39 percent of all breaches today. And with the recent cybersecurity executive order from the United States government, it's more important than ever that organizations pay attention to the security of their code. Data from a survey by the Enterprise Strategy Group (ESG) shows that a sizeable 53 percent of organizations provide security training to their developers less than once a year.
With the responsibility falling on the shoulders of software engineers to keep up with the latest threats and secure coding skills on their own time, Veracode Security Labs can help check those critical training boxes. Training for teams large and small Veracode Security Labs Enterprise Edition is great for engineering teams that need hundreds of short labs on a wider range of topics, with included features like a leaderboard and reporting. The Veracode Security Labs Community Edition is a complimentary version with select topics for individual developers who want to start learning on their own. The most inexpensive bug to fix is the one that never gets created. Veracode Security Labs helps developers shift critical security knowledge “left,” or sooner in the software development lifecycle (SDLC), so that their code is checked early and often. In doing so, they're able to leverage those critical nuggets of security knowledge in each step of the development process. Over time, the code developers produce is more secure with fewer flaws and potential exploits, with DevSecOps principles sticking with developers from project to project. That means your team can: grow essential skills that will help them patch real-world vulnerabilities while coding; maintain an understanding of what cyber attackers like to exploit, and how they go about doing so; quickly apply remediation guidance to the popular programming languages they use most; and improve their security knowledge overall while gaining more confidence in their coding skills. With features like assignments, progress reports, LinkedIn certification badges, and a leaderboard, the platform fosters healthy competition that encourages developers to level up alongside their peers. Veracode Security Labs helps satisfy compliance requirements, too, enabling development and security teams to meet ongoing security training requirements and adjust course as industry needs change.
If you're ready to get started, sign up for your free two-week trial of Veracode Security Labs here. Tags: Data Breach, Guideline
Veracode.webp 2021-07-23 15:50:53 What Will Cybersecurity Look Like Over the Next Five Years? (direct link) As a result of the Covid-19 pandemic, organizations in all industries ramped up their digital transformation efforts to make online operations easier for their employees and customers. But with more and more organizations online, the digital attack surface is growing at a record pace. The more applications with vulnerable code, the more opportunities for a cyberattack. In fact, our research found that 76 percent of applications have at least one security vulnerability. So how will this shape the future of cybersecurity, and software security? There are three key technology trends that we believe will impact cybersecurity, and software security, the most over the next several years. The first trend is ubiquitous connectivity. Think about how quickly the world – and everyone and everything in it – is becoming interconnected. Did you ever think you'd see a day where you can search the Internet from your refrigerator or turn on your television with a simple voice command? By the end of 2019, there were already 7.6 billion active IoT devices – and this number is expected to climb to 24.1 billion by 2030. And on top of the growing number of IoT devices, businesses are increasingly shifting their applications to the cloud. But IoT devices and cloud-connected software bring increased risk. According to the Verizon 2021 Data Breach Investigations Report (DBIR), web applications were the source of over 39 percent of breaches, which is double the amount in 2019. Executive vice president and CEO of Verizon Business, Tami Erwin, cites the pandemic and the sudden shift to the cloud as the cause of increased web application risk. Additionally, wireless and 5G add to the connectivity. Think of the number of people with smartphones checking their emails or shopping online without a firewall. These interfaces rely on APIs.
But without the right security, APIs are a prime target for cybercriminals.  These trends point to an increased focus on API security, zero-trust models, and a shared responsibility model where organizations focus on application security, while the cloud provider focuses on infrastructure and physical security. The second trend to keep an eye on is abstraction and componentization. Think about how fast companies release new software or technology. It feels like every time you turn around Apple has a new software update. But the speed of software deployments is no longer shocking … it's expected. Companies need to release software rapidly in order to be competitive. To move faster, many development teams are turning not only to the cloud but to microservices. With microservices, development teams can break down comprehensive applications into the smallest possible reusable blocks of logic in order to stitch them together into business processes or workflows. APIs are used to integrate the components, which drives an API-first development approach. In fact, in SmartBear's 2019 State of API Survey, 75 percent of respondents answered that adoption of microservice architecture will drive the biggest growth in API adoption in the next two years. Open source libraries are also used as a way to speed up development. In fact, our State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. And 46.6 percent of insecure open source libraries in applications are transitive, meaning the library is pulled in indirectly by another library in use. This means that the attack surface doesn't just include the open source libraries that your developer added, it also includes indirect libraries that your open source code is pulling. Going forward, we envision a trusted third-party review authority that manages all public APIs and third-party code in order to make software publishers accountable for independent audits. 
There's an awareness component here as well. Developers need to be aware of the risk in both the libraries they are pulling in directly and the transitive dependencies of those libraries. Finally, automation will play a big role. For inst Data Breach Threat
Veracode.webp 2021-07-19 13:17:15 Executive Order Update: NIST Establishes a Definition for Critical Software and Outlines Scan Requirements for Software Source Code (lien direct) On May 12, 2021, President Biden announced an executive order to improve the nation's cybersecurity. The order, which outlines security initiatives and timelines, calls for the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) to enhance the security of the software supply chain.   One of NIST's first orders of business was to define critical software by June 26, 2021. According to the executive order, the definition of critical software needs to “reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” In other words, the definition must be specific enough to help the federal government with purchase decisions and deployment of critical software. NIST met the due date, releasing its definition of critical software. “EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:” Is designed to run with elevated privilege or manage privileges; Has direct or privileged access to networking or computing resources; Is designed to control access to data or operational technology; Performs a function critical to trust; or, Operates outside of normal trust boundaries with privileged access. 
NIST states, “the definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes.” As the executive order implementation matures, the definition may expand to include additional forms of software, such as: Software that controls access to data Cloud-based and hybrid software Software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software Software components in boot-level firmware Software components in operational technology (OT) NIST's second initiative – also achieved – was to “identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software.” The categories in the preliminary list include: Identity, credential, and access management (ICAM) Operating systems, hypervisors, container environments Web browsers Endpoint security Network control Network protection Network monitoring and configuration Operational monitoring and analysis Remote scanning Remote access and configuration management Backup/recovery and remote storage Having attended NIST's virtual workshop – one of its many methods for soliciting feedback about its plans to develop software-related standards and guidelines – we were not surprised by the definition of critical software. NIST could have extended the definition to include software that interacts with critical software, but – understandably – the line had to be drawn somewhere. A black and white definition of critical software is an excellent first step in protecting the federal government from security risk. Just days ago, NIST also released an outline of security measures for critical software – an initiative that was due by July 11, 2021. 
The security measures include minimum standards for vendors' testing of their software source code, calling for threat modeling using automated testing, static and dynamic analysis, remediation of “must fix” bugs, and the use of secure coding techniques. Hopefully, the new security measures will shake up the way software vendors test their code – even vendors that are not directly impacted by the executive order. If you are looking to get a head start on implementing security measures, now is a good time to start looking at application security (AppSec) solutions. Even if you are only able to meet the minimum requi Threat
Veracode.webp 2021-07-14 09:53:51 Key Takeaways for Developers From SOSS v11: Open Source Edition (lien direct) Our latest State of Software Security: Open Source Edition report just dropped, and developers will want to take note of the findings. After studying 13 million scans of over 86,000 repositories, the report sheds light on the state of security around open source libraries – and what you can do to improve it. The key takeaway? Open source libraries are a part of pretty much all software today, enabling developers to work faster and smarter, but they're not static. Library popularity and usage changes and evolves with trends in software development, and if developers don't keep up with these movements, the organizations they're building innovative applications for are at greater risk of damaging data leaks and cyberattacks.   Let's dive into the data. Just over half of developers have a process for selecting third-party libraries As part of this year's report, we ran a survey that asked customers some critical questions about how they interact with third-party libraries. We weren't surprised to see that customers who have invested in scanning software often have a formal process in place for library evaluation: just over half, 52 percent, said yes. The bad news is that a pretty big fraction of respondents (29 percent) are unsure of whether or not they have a formal process in place, while 19 percent said no. While a number of factors might contribute to this problem from company to company, a likely cause is the lack of a developed, shared, and followed policy – something that can be tricky for larger, dispersed teams to manage without all of the DevSecOps puzzle pieces in place. Developers can act fast if they're given the right information, early We know that most developers don't go out of their way to ignore security, so where is the disconnect that keeps flawed libraries from being fixed quickly? 
The data shows us that when developers have the right information in hand sooner rather than later – for example, contextual information about how a vulnerable library relates to an app – they're able to fix those flawed libraries quickly. In fact, we found that 17 percent of flawed libraries are fixed within an hour of the security scan, while 25 percent are fixed within seven days. There was little change in popularity for Java, but big changes in Swift You'll see above in figure 1 that while some languages like Java didn't change much year over year, others like Swift had quite the shakeup. Swift's top two libraries from 2019, Crashlytics and Fabric, didn't even make it into the top 20 last year. But we know why that happened: Google, the parent company behind Firebase, acquired Crashlytics and Fabric and folded their functionality into Firebase, so the popularity moved to the Firebase libraries instead. Jackson-databind is popular and vulnerable, while Twisted saw a drop When we looked at the top vulnerable libraries from 2019 and 2020, something jumped out at us for Java. The popular jackson-databind library was both popular and vulnerable, holding steady year over year. However, the Twisted library in Python tells a different story. Note how it dropped dramatically in popularity from 2019 to 2020 in figure 2. We can likely attribute this to the expanding built-in functionality in Python's standard library, as well as the fact that Twisted has had seven CVEs associated with it over the course of its lifetime. The majority of library vulnerabilities are fixable with minor updates It might surprise you that most vulnerabilities in third-party libraries are easy to fix with a minor update. When we dug into the data we found that a whopping 92 percent of flaws can be fixed with a simple update, while 69 percent of updates are a minor version change or less. 
This means that, having the right contextual information about the flawed libraries and the apps they impact in hand sooner rather than later, developers should be able to update libraries quickly and efficiently. But… …Most libraries are never updated at all Here's where developers seem to run into a wall when it comes to fixing flawed third-party libraries. Fig Vulnerability
Veracode.webp 2021-06-29 11:30:29 Speed or Security? Don\'t Compromise (lien direct) “Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff's words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital.     In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems.  A lack of an efficient and flexible AppSec program becomes an issue when you look at the data: Cyberattacks occur every 39 seconds. 60 percent of developers are releasing code 2x faster than before. 76 percent of applications have at least one security flaw on first scan. 85 percent of orgs admit to releasing vulnerable code to production because of time constraints. A mere 15 percent of orgs say that all of their development teams participate in formal security training. But there's good news, too. We know from our annual State of Software Security report that frequent scanning with the right tools in the right parts of your software development lifecycle can help your team close security findings much faster. For example, scanning via API alone cuts remediation time for 50 percent of flaws by six days, slamming that window of opportunity shut for cyberattackers. The Veracode Static Analysis family helps you do just that. It plugs into critical parts of your software development lifecycle (SDLC), providing automated feedback right in your IDE and pipeline so that your developers can improve the quality of their code while they work. You can also run a full policy scan before deployment to understand what your developers need to focus on and to prove compliance. 
Together, these scans throughout My Code, Our Code, and Production Code boost quality and security to reduce the risk of an expensive and time-consuming breach down the road. Automation and developer education In addition to having the right scans in the right places, there are supporting steps you can take to ensure the quality of your code without sacrificing speed. Automation through integrations is an important piece of the puzzle because it speeds everything up and boosts efficiency. The automated feedback from Veracode Static Analysis means your team of developers has clear insight into existing flaws so they can begin prioritization to eliminate the biggest risks first. Automation also sets the standard for consistency which, as you go, improves speed. Developer education also helps close gaps in information and communication with security counterparts so that they can work towards a common goal. It goes both ways – if the security leaders at your organization can walk the walk and talk the talk of the developer, everyone will have an easier time communicating goals and solving security problems. One way to close those gaps is through hands-on developer education with a tool like Veracode Security Labs. The platform utilizes real applications in contained environments that developers can hack or patch in real-time so that they learn to think like an attacker and stay one step ahead. Like Static Analysis, Security Labs helps meet compliance needs too, with customized education in the languages your developers use most. The prioritization conundrum Security debt can feel like a horror movie villain as it lingers in the background. But it isn't always teeming with high-risk flaws that should be tackled first, and so it's important to carefully consider how to approach prioritization. 
A recent analyst report, Building an Enterprise DevSecOps Program, found that everything can feel like a priority: “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which Hack Tool Vulnerability Guideline
Veracode.webp 2021-06-28 09:40:27 Too Many Vulnerabilities and Too Little Time: How Do I Ship the Product? (lien direct) The percentage of open source code in the enterprise has been estimated to be in the 40 percent to 70 percent range. This doesn't make the headlines anymore, but even if your company falls in the average of this range, there is no dearth of work to do to clean up, comply with AppSec policies, and ship the product. Phew! So where do you start when it comes to resolving all the vulnerabilities uncovered in your open source libraries? By prioritizing the findings from your scans and addressing the most critical and relevant vulnerabilities first. How do you prioritize? CVSS severities are an obvious choice, but considering the percentage of open source code you are dealing with, and depending on the language under the scanner, severity alone might not bring the vulnerabilities to be addressed down to a manageable number within your resource and time constraints. We will look at some common prioritization approaches before looking at Veracode's recommendation based on our deep expertise gathered from advising hundreds of customers about this aspect of their AppSec program. Common prioritization approaches You can resolve your findings to comply with your AppSec policy by prioritizing along one of a few dimensions. Here is the list of most common prioritization approaches: Threat-focused approach: This zeroes in on the flaws that are actively targeted in the wild through malware, exploit kits, ransomware, or threat actors. Vulnerability-focused approach: This prioritizes flaws and vulnerabilities according to how critical they are. For example, how easy they are to exploit, what their exploitation impact looks like, or if there is a public exploit available. Asset-focused approach: This gives the highest priorities to vulnerabilities that are associated with critical assets, and then orders the rest by how dangerous they are. 
Some organizations measure the exploitability of different flaws and vulnerabilities, taking a threat-focused approach as outlined above. This can also factor in the maturity of known flaws, which sometimes affects how easy it is to remediate, or how exploitable it is out in the wild. While these approaches are a good starting point and cover the broad base of risk, there is an additional piece of information that can make it easy for security stakeholders and developers to prioritize their Software Composition Analysis (SCA) scan findings when operating under tight resource and time constraints. Vulnerable methods: a powerful arrow in your AppSec quiver If the goal of AppSec is to ship clean code fast, then Veracode's vulnerable methods feature is a powerful arrow in your quiver to hit that target. Veracode's vulnerable methods feature goes beyond severities and exploitability to answer the key question for prioritization: How is this finding from the SCA scan relevant to my code? It answers that question by pointing to the precise function/method that makes a library vulnerable, so you can check whether your application actually calls it. This allows you to quickly assess whether it is worth the effort to remediate an SCA finding. Once a library is known to be vulnerable, our security research team researches and documents the exact function/method that makes it vulnerable. This team (say hello to them if you visit Singapore) of security experts, data scientists, and programmers continues to add new languages to our repository of languages for which we provide vulnerable methods coverage. When you're ready to tackle your security backlog, examine how particular applications use vulnerable methods and prioritize them in a way that reduces the immediate threat quickly. Getting ahead of possible exploits while reducing debt Security debt and unresolved vulnerabilities can feel daunting to developers and security professionals, especially as open source code only continues to increase its footprint in enterprise applications. 
But with a powerful tool like Veracode's vulnerable methods, you can go beyond severity or exploitability and focus on what really matters to your organization. Learn more about Veracode's Software Composition Analysis solution by readi Tool Threat
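As an added example for the transitive-dependency point made in the "What Will Cybersecurity Look Like" entry above and for the vulnerable-methods discussion in this entry (this is illustrative code written for this page, not Veracode's SCA or vulnerable-methods implementation), the script below takes a constructed dependency graph, a constructed call graph and a handful of hypothetical findings, works out which vulnerable libraries are direct and which are pulled in transitively and by what, checks whether each finding's vulnerable method is reachable from the application's entry point, and ranks the findings accordingly. Library names, method names and finding identifiers are all invented.

```python
"""Reachability-aware triage of SCA findings (illustrative example, not Veracode code).

The dependency graph, call graph and findings below are constructed for this page;
library names, method names and finding identifiers are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed dependency graph: package -> packages it depends on directly.
# Anything not listed directly under "app" is a transitive dependency.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "app": ["web-framework", "json-mapper", "log-lib"],
    "web-framework": ["http-core", "template-engine"],
    "json-mapper": ["json-core"],
    "log-lib": [],
    "http-core": [],
    "template-engine": ["expr-eval"],
    "json-core": [],
    "expr-eval": [],
}

# Constructed call graph: caller -> callees, spanning app code and library entry points.
CALL_GRAPH: Dict[str, List[str]] = {
    "app.main": ["web-framework.serve", "json-mapper.read_value", "log-lib.info"],
    "web-framework.serve": ["http-core.parse_request", "template-engine.render"],
    "template-engine.render": ["template-engine.escape"],
    "template-engine.escape": [],
    "json-mapper.read_value": ["json-core.parse_polymorphic"],
    "json-core.parse_polymorphic": [],
    "http-core.parse_request": [],
    "log-lib.info": [],
    "expr-eval.evaluate": [],  # exists in the library but nothing in this app calls it
}


@dataclass
class Finding:
    finding_id: str                   # hypothetical identifier, not a real CVE
    library: str
    cvss: float
    exploit_public: bool
    vulnerable_method: Optional[str]  # None when no method-level data is available


FINDINGS = [
    Finding("FINDING-1", "json-core", 9.8, True, "json-core.parse_polymorphic"),
    Finding("FINDING-2", "expr-eval", 9.0, True, "expr-eval.evaluate"),
    Finding("FINDING-3", "http-core", 7.5, False, "http-core.parse_request"),
    Finding("FINDING-4", "log-lib", 5.3, False, None),
]


def dependency_paths(graph, root, target):
    """All paths root -> ... -> target; a two-node path means a direct dependency."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # cycle guard
                stack.append((child, path + [child]))
    return paths


def reachable_methods(call_graph, entry):
    """Breadth-first walk of the call graph from the application entry point."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(findings, graph=DEPENDENCY_GRAPH, call_graph=CALL_GRAPH,
           root="app", entry="app.main"):
    """Rank findings: reachable vulnerable method first, then public exploit, then CVSS."""
    reachable = reachable_methods(call_graph, entry)
    rows = []
    for f in findings:
        paths = dependency_paths(graph, root, f.library)
        if f.vulnerable_method is None:
            reach = "unknown"        # no method data: keep it in the middle of the queue
        elif f.vulnerable_method in reachable:
            reach = "reachable"
        else:
            reach = "unreachable"    # present in the library, never called by this app
        score = {"reachable": 100, "unknown": 50, "unreachable": 0}[reach]
        score += 20 if f.exploit_public else 0
        score += f.cvss
        rows.append({
            "finding_id": f.finding_id,
            "library": f.library,
            "direct": any(len(p) == 2 for p in paths),
            "pulled_in_by": sorted({p[1] for p in paths if len(p) > 2}),
            "reachability": reach,
            "score": round(score, 1),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(FINDINGS):
        via = "direct" if row["direct"] else "via " + ", ".join(row["pulled_in_by"])
        print(f'{row["score"]:6.1f}  {row["finding_id"]:10} {row["library"]:15} '
              f'{row["reachability"]:12} {via}')
```

Note what the ranking does with the two 9.x findings: the transitive expr-eval flaw drops to the bottom because nothing in the application reaches its vulnerable method, while the json-core flaw stays at the top because the app's own code calls it through json-mapper. In a real pipeline the call graph would come from static analysis and the "unknown" bucket would cover libraries without method-level research.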
Veracode.webp 2021-06-25 08:57:23 Key Takeaways From State of Software Security v11: Open Source Edition (lien direct) We recently published a special open source edition of our annual State of Software Security (SOSS) report. The State of Software Security v11: Open Source Edition analyzed the data collected from 13 million scans of more than 86,000 repositories, containing more than 301,000 unique libraries. We also added some color and context to the data this year by surveying our customer base and adding the data from 1,744 responses to the report. In last year's open source report, we looked at a snapshot of library usage in applications. This year, we looked beyond the point-in-time snapshot to examine the dynamics of library development and how developers react to library changes, including the discovery of flaws. Here are some of the key takeaways for security professionals: The most popular libraries from last year are not the most popular libraries this year. And the most secure libraries from last year are not the most secure libraries this year. Some languages saw little to no change in library popularity from 2019 to 2020, like Java. But other languages underwent significant changes in their library landscapes. For example, Swift's top two libraries from 2019, Crashlytics and Fabric, did not even break the top 20 in 2020. This is due to the fact that Google (the parent company behind Firebase) acquired both companies and integrated the functionality into Firebase, leading to the meteoric rise in two Firebase libraries. The most secure libraries have also changed. The Twisted library in Python was very secure last year, but this year it's far from secure. 
This is likely attributable to the expanding capabilities of the built-in functionality in Python, with the built-in library asyncio receiving significant updates in 2016 and late 2018 and, perhaps more importantly, having seen only one CVE associated with it (CVE-2021-21330), in contrast to Twisted's seven. Security takeaway: What's popular and what's secure in your library landscape can change dramatically within the span of a year. Keeping an inventory of what's in your application is important. 79 percent of developers never update third-party libraries after including them in a codebase. Once developers pick a library or version, they tend to stick with it. 65 percent of libraries appear in the first scan of the repository and are never updated. An additional 14 percent of libraries are added at some point during development and are never updated to a new version. The languages that are most likely to be “set and forgotten about” include Ruby, JavaScript, and Java. Security takeaway: Most third-party libraries aren't updated once added to a codebase. This is especially alarming considering that, in last year's open source report, we found that almost one-third of applications have more security findings in third-party libraries than in the native codebase. And even if a library is secure when you add it to your codebase, we saw above that the security of libraries changes frequently. Open source libraries are not a set-it-and-forget-it activity, but rather one that requires maintenance. When alerted to vulnerabilities, developers act quickly. But that maintenance is not necessarily overly taxing. We found that once alerted to a vulnerability in a library, developers fix nearly 17 percent of vulnerable libraries within an hour and 25 percent within seven days. Security takeaway: With the right information and prioritization, security vulnerabilities in open source libraries can be addressed quickly. 
Without knowledge of how vulnerabilities relate to their applications, developers struggle to address them. Vulnerabilities can be addressed quickly, but if developers don't have the right contextual information, such as how a vulnerability impacts their application, it can take more than seven months to fix 50 percent of flaws. Those that have the information they need fix 50 percent of flaws in just three weeks. Security takeaway: 92 percent of library flaws can be fixed with an update, and 69 percent of updates are a minor version change or less. But lac Vulnerability Guideline
Veracode.webp 2021-06-22 14:09:12 How to Interpret the Various Sections of the Cybersecurity Executive Order (lien direct) The Biden administration released a new executive order for cybersecurity on May 12, 2021. Although many know the overarching message of the executive order, it's also important to know the specific details outlined in each section. As our CEO Sam King remarked, “It gets really specific about the types of security controls they want organizations to adhere to and government agencies to take into account when they're looking to do business with software vendors in particular.” As we go through each section, we will intersperse thoughts from Sam King and Chris Wysopal, co-founder and CTO at Veracode, as well as thoughts and statements from Forrester analysts, Allie Mellen, Jeff Pollard, Steve Turner, and Sandy Carielli, from their recently aired webinar, A Deep Dive Into The Executive Order On Cybersecurity. Section 1 The first section talks about the overarching policy in the executive order, stating: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy.  The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” It sets the framework for the order, calling “prevention, detection, assessment, and remediation of cyber incidents” a top priority. And if the Federal Government takes ownership of national cybersecurity, it will not only improve security in the public sector, it should also increase regulations in the private sector. Section 2 Section 2 removes the barriers to sharing threat information. In other words, IT Service Providers can no longer hide information pertaining to breaches – even due to contractual obligations. And they will have to disclose this information in a timely manner. 
As Turner expresses in the Forrester webinar, “this section really opens up the door for all of the further technology improvements and the way that we want to improve security holistically as we go down toward significantly modernizing the way that the federal government does cybersecurity.” Section 3 Speaking of modernizing the way that the federal government handles cybersecurity, section 3 is specifically aimed at addressing today's sophisticated cyber threat environment. It sets the groundwork for moving the Federal Government to secure cloud services and a zero-trust architecture. As part of the zero-trust policy, vendors providing IT services to the government will have to deploy multifactor authentication and encryption in a specified time period. Section 4 Section 4 enhances software supply chain security. It sets a new precedent for the development of software sold to the government. Developers will be expected to have increased oversight of their software and they will be required to make security data public. Wysopal found “the scope of the software supply chain requirements to be the most notable aspect” of the new executive order, stating, “It's very comprehensive – all the different aspects of delivering secure software that hasn't been tampered with by attackers, that has had software assurance practices built into the development pipeline, and notification to the federal government if a vendor has been compromised – because there's a likelihood that the software was the target.” This section also proposes that software be ranked or labeled based on its security. As Carielli explains in the Forrester webinar, the software will carry a label or rating – like Energy Star or Good Housekeeping – signaling a vendor's security standing. Wysopal is a strong proponent of the labeling program, comparing it to programs used in the UK and Singapore for IoT devices. He sees it as a good way to incentivize vendors to secure their products. 
King agrees, calling the pilot program a great way to increase transparency and accountability.  Sections 5 and 6 Despite all of these new steps in place to prevent cyber incidents, it's still possible for Threat
Veracode.webp 2021-06-22 08:00:00 Announcing State of Software Security v11: Open Source Edition (lien direct) Today, we published the open source edition of our annual State of Software Security report. Solely focused on the security of open source libraries, the report includes analysis of 13 million scans of more than 86,000 repositories, containing more than 301,000 unique libraries. In last year's open source edition report, we looked at a snapshot of open source library use and security. This year, we went beyond the point-in-time snapshot to examine the dynamics of library development and how developers react to library changes, including the discovery of flaws. We also added some context and color to the data by conducting a survey of Veracode users to better understand their development practices and how they use third-party code. The report reveals that although open source libraries are the foundation of almost all software, it's not a solid foundation, but rather a constantly evolving and shifting foundation. However, development practices don't always adapt to the dynamic nature of these libraries, which is leaving organizations exposed. The report's highlights include: What appears secure today might not be tomorrow. We looked at the most popular libraries in 2019 vs. 2020, as well as the most popular libraries with known vulnerabilities in 2019 vs. 2020. Bottom line: You can add open source library use to the list of things that changed dramatically in 2020. What's hot and what's not, and what's secure and what's not, change rapidly. Most libraries are never updated. Despite the dynamic nature of open source libraries, developers aren't managing them quite so dynamically. In fact, 79 percent of the time, developers never update third-party libraries after including them in a codebase. Lack of information can be a roadblock. What is preventing developers from updating vulnerable open source libraries? 
Our survey found that a lack of contextual information can be one roadblock. Developers who report they need more information -- for instance, understanding how a vulnerable library impacts their application -- take more than seven months just to fix 50 percent of their known flaws. On the other hand, those who feel they do have the information they need fix 50 percent of flaws in just three weeks. When alerted to vulnerable libraries, developers can act quickly. In fact, nearly 17 percent of vulnerable libraries are fixed within an hour of the scan that alerted the developer to the vulnerability; 25 percent are fixed within seven days. Most open source security flaws require only minor fixes. 92 percent of library flaws can be fixed with an update, and 69 percent of updates are a minor version change or less. Learn more. Check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.
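The "92 percent fixable by an update, 69 percent a minor version change or less" statistic appears in the three SOSS v11 Open Source Edition entries above. As an added example, not code from the report or from Veracode, the script below shows how such numbers are derived for a set of constructed findings: for each vulnerable library it picks the lowest fixed release above the installed version, classifies the bump as patch, minor or major by the first semver component that changes, and then computes the two shares. Library names and version numbers are hypothetical, and pre-release tags are ignored as a deliberate simplification.

```python
"""Classify how big the update that fixes a library flaw is (illustrative example).

The findings are constructed; library names and version numbers are hypothetical.
Pre-release tags (e.g. "-rc1") are ignored, which is a deliberate simplification.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed findings: the version in the lockfile and the versions the advisory
# says are fixed. An empty list means no fixed release exists yet.
FINDINGS = [
    {"library": "json-core",   "installed": "2.9.10", "fixed": ["2.9.10.1", "2.10.0"]},
    {"library": "http-core",   "installed": "1.4.2",  "fixed": ["1.5.0"]},
    {"library": "expr-eval",   "installed": "3.0.0",  "fixed": ["4.1.0"]},
    {"library": "log-lib",     "installed": "0.9.1",  "fixed": []},
    {"library": "xml-parse",   "installed": "2.2.0",  "fixed": ["2.3.1", "2.2.3"]},
    {"library": "crypto-util", "installed": "5.0.0",  "fixed": ["4.9.9", "5.0.2"]},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.9.10.1' -> (2, 9, 10, 1); '1.2.0-rc1' -> (1, 2, 0). Leading digits only."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def smallest_fix(installed: str, fixed: List[str]) -> Optional[str]:
    """Lowest fixed version above what is installed; None if no fix is available."""
    current = parse_version(installed)
    candidates = [v for v in fixed if parse_version(v) > current]
    return min(candidates, key=parse_version) if candidates else None


def classify_bump(installed: str, target: str) -> str:
    """'major', 'minor' or 'patch' according to the first semver component that changes."""
    a = (parse_version(installed) + (0, 0, 0))[:3]
    b = (parse_version(target) + (0, 0, 0))[:3]
    if b[0] != a[0]:
        return "major"
    if b[1] != a[1]:
        return "minor"
    return "patch"   # third or deeper component changed (e.g. 2.9.10 -> 2.9.10.1)


def summarize(findings) -> Dict[str, object]:
    """Share of flaws fixable by an update, and share of those needing a minor bump or less."""
    rows, fixable, minor_or_less = [], 0, 0
    for f in findings:
        fix = smallest_fix(f["installed"], f["fixed"])
        bump = classify_bump(f["installed"], fix) if fix else "none"
        fixable += fix is not None
        minor_or_less += bump in ("patch", "minor")
        rows.append({"library": f["library"], "installed": f["installed"],
                     "fix": fix, "bump": bump})
    return {
        "rows": rows,
        "total": len(findings),
        "fixable": fixable,
        "minor_or_less": minor_or_less,
        "fixable_share": fixable / len(findings) if findings else 0.0,
        "minor_or_less_share_of_fixable": minor_or_less / fixable if fixable else 0.0,
    }


if __name__ == "__main__":
    s = summarize(FINDINGS)
    for r in s["rows"]:
        print(f'{r["library"]:12} {r["installed"]:8} -> {str(r["fix"]):8} {r["bump"]}')
    print(f'{s["fixable"]}/{s["total"]} fixable by an update; '
          f'{s["minor_or_less"]}/{s["fixable"]} of those need a minor bump or less')
```

The one judgement call worth flagging is the choice of the lowest fixed version rather than the latest: it keeps the bump as small as possible, which is the realistic option when a team is fixing a flaw rather than planning an upgrade, but it can leave you on a branch that stops receiving fixes.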
Veracode.webp 2021-06-03 10:32:33 Digging into AppBoundDomains in iOS (lien direct) iOS 14 introduced a number of changes, as every new release does, but one area where Apple clearly spent a fair amount of time is its WebViews. Traditionally, UIWebView was the class du jour when a developer wanted to present a web page. It has since been deprecated (the deprecation dates to iOS 12) in favor of WKWebView. Browser integration has always been a core security concern on iOS, because MobileSafari is the only application granted the dynamic code-signing entitlement needed to JIT-compile generated code, JavaScript in particular. Unfortunately, JavaScript exploits continue to proliferate throughout the world, and iOS is no exception; see this article and this support page for some recent (and highly prominent) examples. These exploits have grown increasingly sophisticated compared with some of the early ones; check out this page for an old but strikingly simple denial-of-service exploit that crashes the user's phone. Apple introduced the concept of AppBoundDomains to limit an app's exposure to third-party JavaScript, something app developers are, and should be, taking advantage of. The concept is relatively straightforward. By adding a WKAppBoundDomains entry to the application's Info.plist, the developer lists the sites trusted enough for the app to use its privileged script-injection and messaging APIs on them, namely the WKWebView methods: (void)evaluateJavaScript:(NSString *)javaScriptString completionHandler:(void (^ _Nullable)(_Nullable id, NSError * _Nullable error))completionHandler (void)addUserScript:(WKUserScript *)userScript; window.webkit.messageHandlers Cookie handling can be controlled the same way. Access to the following methods, as described in this blog, is governed by the same mechanism. 
(void)setCookie:(NSHTTPCookie *)cookie completionHandler:(nullable void (^)(void))completionHandler; (void)getAllCookies:(void (^)(NSArray *))completionHandler; The WebKit blog article gives several use cases, and Apple also provided guidance in a WWDC 2020 video (watch here), where it explicitly said that using AppBoundDomains is a best practice. Veracode has kept up: our scans find instances of WKWebView in an application's code and check that a proper AppBoundDomains entry in the application bundle is tied to them. If not, we alert our customers, and in those cases a quick fix is usually all that's necessary, as Apple made this easy to integrate into the application. This is one of the more important, even if straightforward, developments in iOS 14, as anyone who has followed JavaScriptCore and the other underlying libraries can tell. It's not a coincidence that many security conferences perennially feature very interesting demonstrations and content based on JavaScript exploits. Dynamic code has been and likely always will be a security risk to incorporate, and so Apple has provided a strong means to limit exposure. Most of these efforts have been made to ensure that built-in privacy protections become the norm on iOS. In the older UIWebView, private data could be and has been taken, and this protection is a means to prevent that. For desktop Safari users, you might notice that recent versions of macOS now prevent some website trackers from collecting your browsing history and other data. We live in a connected world, busily browsing the internet, but without the right protections the services you use tend to take the same liberties with you, and that certainly includes your data. To learn more about iOS security, visit our knowledge base. 
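As an added example of the check described above (written for this page, not Veracode's scanner), the script below parses an Info.plist with the standard library's plistlib and verifies that WKAppBoundDomains is present, is an array of bare domain names (no scheme, path, port or wildcard) and stays within Apple's documented limit of 10 entries. It also shows the caveat a practitioner needs: the plist key alone does nothing for a given web view, whose WKWebViewConfiguration must also set limitsNavigationsToAppBoundDomains to true, so a crude source check for that line is included. The plist documents and Swift snippets are constructed, and the bundle identifier and domains are hypothetical.

```python
"""Check an iOS Info.plist for a usable WKAppBoundDomains entry (illustrative example).

This is not Veracode's scanner. The plists and Swift snippets are constructed.
Rules checked: the key exists, it is an array of bare domain names (no scheme, path,
port or wildcard), and it holds at most 10 entries, Apple's documented limit.
"""
import plistlib
import re
from typing import Any, Dict, List

MAX_APP_BOUND_DOMAINS = 10
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$")


def check_app_bound_domains_dict(info: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the entry is well formed."""
    issues = []
    if "WKAppBoundDomains" not in info:
        return ["Info.plist has no WKAppBoundDomains key; WKWebView script APIs "
                "are not restricted to any domain"]
    domains = info["WKAppBoundDomains"]
    if not isinstance(domains, list):
        return ["WKAppBoundDomains must be an array of strings"]
    if len(domains) > MAX_APP_BOUND_DOMAINS:
        issues.append(f"WKAppBoundDomains lists {len(domains)} domains; "
                      f"the limit is {MAX_APP_BOUND_DOMAINS}")
    for d in domains:
        if not isinstance(d, str):
            issues.append(f"WKAppBoundDomains entry {d!r} is not a string")
        elif "://" in d or "/" in d or ":" in d or d.startswith("*"):
            issues.append(f"WKAppBoundDomains entry {d!r} must be a bare domain name")
        elif not DOMAIN_RE.match(d.lower()):
            issues.append(f"WKAppBoundDomains entry {d!r} is not a valid domain name")
    return issues


def check_app_bound_domains(plist_bytes: bytes) -> List[str]:
    """Parse the XML or binary plist and run the checks above."""
    return check_app_bound_domains_dict(plistlib.loads(plist_bytes))


OPT_IN_RE = re.compile(r"limitsNavigationsToAppBoundDomains\s*=\s*true")


def web_view_opts_in(swift_source: str) -> bool:
    """The plist key alone does not protect a web view: its WKWebViewConfiguration
    must also set limitsNavigationsToAppBoundDomains = true."""
    return OPT_IN_RE.search(swift_source) is not None


# Constructed Info.plist documents (hypothetical bundle identifier and domains).
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>WKAppBoundDomains</key>
  <array><string>example.com</string><string>api.example.com</string></array>
</dict></plist>"""

BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>WKAppBoundDomains</key>
  <array><string>https://example.com</string><string>example.com/login</string>
  <string>example.com</string></array>
</dict></plist>"""

NO_KEY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>CFBundleIdentifier</key><string>com.example.app</string></dict></plist>"""

# Constructed Swift snippets.
SWIFT_OPTS_IN = """let config = WKWebViewConfiguration()
config.limitsNavigationsToAppBoundDomains = true
let webView = WKWebView(frame: .zero, configuration: config)"""
SWIFT_NO_OPT_IN = """let webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())"""

if __name__ == "__main__":
    for name, data in [("good", GOOD_PLIST), ("bad", BAD_PLIST), ("no key", NO_KEY_PLIST)]:
        print(name, check_app_bound_domains(data) or "ok")
    print("opts in:", web_view_opts_in(SWIFT_OPTS_IN), web_view_opts_in(SWIFT_NO_OPT_IN))
```

Run it against a real bundle by reading the decoded Info.plist bytes and passing them to check_app_bound_domains; the regex-based Swift check is only a smoke test, since a real scanner has to resolve which configuration object each WKWebView is created with.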
Veracode.webp 2021-06-01 16:45:52 Veracode Named a Leader in 2021 Gartner Magic Quadrant for Application Security Testing (lien direct) Veracode has been named a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing (AST) for the eighth consecutive year. Gartner evaluates vendors based on their completeness of vision and ability to execute in the application security testing (AST) market. This recognition comes just months after we were named Gartner Peer Insights Customers??? Choice for AST, proving, in our opinion, the strength of our AST offerings according to both experts and users. Gartner magic quadrant ??? In addition, we received the highest score for the Enterprise and Public-Facing Web Applications Use Cases in the 2021 Gartner Critical Capabilities for Application Security Testing report. We???re thrilled to be recognized as a Leader in the Magic Quadrant once again. Committed to helping organizations in every industry code with confidence in our increasingly digital world, we spent the last year striving to enable developers to code securely, and security teams to easily measure and report on the security posture of their organizations. Veracode has increased its focus and investment in DevSecOps and developer enablement and education, with expanded integrations into developer ecosystems, including AWS CodeStar, secure coding best practices, and expert consultations. The platform offers support for GitHub Actions and GitHub Security Console and issues and pipelines, as well as a pipeline approach that optimizes scan times throughout the software development process. Through the introduction of Veracode Security Labs in early 2020, the company also offers hands-on, interactive security training to developers that aims to enable developers to code securely. 
As the director of engineering at OneLogin recently remarked, "Veracode [Security Labs] has significantly reduced the number of defects introduced during the development process and has ingrained security best practices as a primary pillar of creating production-quality code." A true enterprise offering includes a comprehensive approach to application security. Veracode credits its high scores for Enterprise and Public-Facing Web Applications in the Critical Capabilities report to a single platform that scans for vulnerabilities in both first-party and open source code with multiple testing types, quick time to deployment without absorbing infrastructure costs, constant updates, and machine learning that facilitates remediation. Unique in the market, Veracode SCA doesn't rely solely on the National Vulnerability Database (NVD) but also uses machine learning, data mining, and natural language processing to identify potential vulnerabilities in open source libraries from commit messages and bug reports. Software security will be increasingly critical as the world becomes even more connected and digital, and as high-profile cyberattacks prompt more stringent regulations. In fact, nearly a quarter of the Biden administration's newly launched executive order on cybersecurity is focused on securing the software supply chain, and the 2021 Gartner Magic Quadrant authors highlight that "Gartner estimates end-user spending in the AST market reached $2.2 billion worldwide in 2020. We have also increased our growth rate proj Vulnerability Guideline
Veracode.webp 2021-05-24 10:02:18 Veracode and Finite State Partner to Address Connected Device Security (lien direct) This article was co-authored by Matt Wyckhouse, CEO of Finite State. Over the past decade, we have seen the rapid adoption and expansion of connected devices and embedded systems among businesses. This includes anything from the Internet of Things (IoT) to connected medical devices, building systems, Industrial Control Systems (ICS), and other devices that power our lives and our infrastructure. In recent years, improved connectivity and the rollout of expanded 5G service have given organizations an even bigger opportunity to untether these devices and deliver a rich experience across the enterprise. The result is a swell of highly sophisticated and complex devices; by 2025, the number of connected devices is expected to hit 55.7 billion globally. Veracode has long been a leader in application security, offering static analysis, software composition analysis, and dynamic analysis, and has now entered into a partnership with Finite State, an expert in connected device security, to help our customers fully address their product security needs. While advances in connected device technology have opened the door to new capabilities with greater operational scale and increased efficiencies, these devices come with a unique set of security challenges. Key challenges in securing connected devices: Complex and opaque supply chains make it difficult to assess risk. With a globalized economy and expanding use of open source software in the creation of these devices, it's becoming more difficult for device manufacturers and their customers to know exactly what is running inside their products and the scope of the security and license risk lurking within. Only about 20% of the code in these devices is first party, on average; sometimes it's as little as 5%. Open source makes up a huge share of the components in connected devices:
anything from libraries to operating systems can be open source or created by a third party. Traditionally, device manufacturers analyze their first-party code (a difficult process in and of itself) as part of their security program requirements. However, as first-party code has become a smaller share of the code running on these devices, manufacturers are often left in the dark about the majority of their device components. Greater use of open source presents heightened license risk and compliance obligations. Development teams want to use open source components to increase the speed and scalability of development. However, prolific use of open source expands the tracking and reporting organizations must do to stay compliant with license obligations. Legal and compliance teams need near-continual updates and ongoing assessment of open source license use for audits and other compliance purposes, and manual efforts no longer keep up with the scale of modern product development organizations. An increase in publicly reported vulnerabilities and security breaches around connected devices is Guideline ★★★★
Veracode.webp 2021-05-21 14:27:34 Live From RSAC: Disinformation: As Dangerous as Cyber and Physical Threats (lien direct) In today's digital world, we practically live on our phones or computers. Chances are, you don't go more than 15 minutes without checking your email or social media. And you probably get most of your news from the Internet. But how do you know what information is real? Two different news sites might give different accounts of the same story. Take the presidential election, for example: there was a frenzy of fake news trying to sway voters in one direction or the other. Covid-19 also brought its share of conspiracy theories and misinformation, like the Covid-19 vaccine microchip theory. These theories and propaganda were planted by threat actors to stir chaos and instill fear or doubt. In an RSA Conference fireside chat this week, Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency and co-founder of Krebs Stamos Group, and Alan Shimel, CEO of MediaOps, explained how to weed through disinformation, what threats fake news poses to cybersecurity teams, and what we can do to help. As Krebs says, "I'm leading a commission at the Aspen Institute on the information disorder and there are no silver bullets right now for stopping, for halting, for changing the ecosystem. Whatever the solutions are, now or in the future, it's going to take the whole of society, like government, industry, civil society ... it's going to take a full effort." How do you build your information ecosystem? It's challenging to figure out what information to believe when there are so many news outlets. And people tend to be more attracted to drama or stories that align with their views, even if the information is not accurate. Real news is "boring," as Krebs says, and fake news is more appealing.
Unfortunately, there is no central source of truth at the moment, so there is no way to say what information is accurate or not. We need to fix this. How do we counter disinformation? Krebs and Shimel discussed the idea of creating one source of truth. Whether it's at a company or in government, you need one central repository with the facts. Take Germany, for example. Germany has a monoculture of news that gives it the advantage of one source of "truth": there is one source where you can get your news, and there is no commentary. That doesn't mean Germany doesn't still deal with some disinformation, but it's a lot less than in the United States. How do you deal with disinformation in cybersecurity? Disinformation attacks are when threat actors manipulate information to cause unrest. Software companies that work with the government deal with disinformation attacks all the time, for example threat actors trying to change the outcome of an election. The new executive order should help with some of these attacks, but it still doesn't solve the problem. The government needs more information, especially regarding ransomware. But what companies want to disclose their security problems? And it's not as if the government can help them with security. Krebs and Shimel noted that we need to incentivize organizations, and we need to make it easy and convenient to report security defects and breaches. Organizations should also be analyzing their systems to keep an eye out for potential attacks, and should consider hiring a senior executive to concentrate solely on countering disinformation. Since the world is becoming increasingly digital, this role is more important than ever. For more on the cybersecurity executive order, and other RSA Conference 2021 sessions, check the Veracode Blog. Threat Guideline
Veracode.webp 2021-05-21 12:06:56 Live From RSAC: Anne Neuberger Addresses President Biden's Executive Order on Cybersecurity (lien direct) Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, addressed President Biden's executive order at the virtual RSA Conference this week. The executive order, announced on May 12, 2021, aims to safeguard U.S. cybersecurity and modernize cybersecurity defenses. As Neuberger explains, this executive order couldn't come at a more critical time. The Biden administration was challenged with two cybersecurity incidents in its first 100 days: SolarWinds and Microsoft Exchange. Note that the session must have been pre-recorded, because she didn't mention a third attack that disrupted the Colonial Pipeline. The incidents proved three major lessons: adversaries will look for any opening to attack, including the government's suppliers; partnerships are critical, as the government needs the private sector and the private sector needs the government; and the government needs to modernize its cybersecurity defenses. "[These lessons prove that] we need to shift our mindset from incident response to prevention," said Neuberger. "We simply cannot let waiting for the next shoe to drop be the status quo under which we operate." In the software development world, we call this being stuck in a "break/fix" mentality. It is better to build a software development process that causes fewer breaks, which lets you deliver more software with fewer failures. We are starting to see cybersecurity learn from software development principles and shift security problems to the left. Breaches are more detrimental than most organizations realize. Neuberger noted two staggering statistics: in 2019, Accenture reported that the average company spends $13 million per breach, and CSIS and McAfee reported that cybercrime cost 1 percent of global GDP in 2018.
Organizations are far better off spending the money to secure their applications, including demanding better from their vendors, than waiting for a breach. How many small businesses, schools, hospitals, or government agencies have an extra $13 million to spend on an unexpected breach? What Neuberger didn't mention is that the same Accenture study cited a 67 percent increase in cyberattacks over the past five years, and if cyberattacks continue at this velocity, Accenture calculates a total value at risk of $5.2 trillion globally over the next five years. The president's approach is proactive and includes modernizing cyber defenses, returning to a more active role in cybersecurity internationally, and ensuring that America has a better posture to compete. It was the SolarWinds breach that opened our eyes to the fact that we don't have modern cyber defenses in place. Software supply chain security is of particular concern. "The current model of build, sell, and maybe patch means that the products the federal government buys often have defects and vulnerabilities that developers are accepting as the norm with the expectation that they can patch later. Or perhaps they ship software with defects and vulnerabilities that they don't think merit fixes ... That's not acceptable," said Neuberger. "Security has to be a basic design consideration." Neuberger hinted that the executive order might require federal vendors to build software in a secure development environment, and that software used by the federal government should include strong authentication and encryption and limit privileges. As for preexisting critical infrastructure that was built before the Internet, the orde Ransomware Uber
Veracode.webp 2021-05-20 17:34:42 Live From RSAC: AppSec's Future and the Rise of the Chief Product Security Officer (lien direct) Chris Wysopal, Co-Founder and CTO at Veracode, and Joshua Corman, Chief Strategist of Healthcare and COVID at CISA, presented at the 2021 RSA Conference on AppSec's future and the need for a new Chief Product Security Officer (CPSO) role. Wysopal started by quoting entrepreneur Marc Andreessen's line "Software is eating the world" to express just how much we rely on technology. From our iPhones and laptops to our cars and even our refrigerators, software is everywhere. If we look back at the rise of software, it was originally used largely to automate manual processes in the back office of businesses, like banking software for a teller. Now we use software to deliver products to customers, like a mobile banking application. So, as Wysopal stated, "There's not just more software. There are different kinds of software." And the software being released as products to customers carries added risk. Using the mobile banking application as an example, Wysopal noted that it's riskier to use a customer-facing application to conduct your banking than to go to the bank and have a teller use the back-end software: more people have access to the mobile banking application, and anyone in the world can connect to its APIs. And the risk associated with software products is only going to keep growing. Consider the way we create apps now: APIs are the bloodstream. Each microservice, serverless function, container, or public API is more attack surface. Applications that connect with social networks create more attack surface. Migrating to new software and forgetting to retire legacy software leads to more attack surface. And there is risk in new software trends as well. For example, ubiquitous connectivity is the standard mode for any product now. Abstraction and componentization are also big trends.
Instead of writing code, we now frequently use a library or write a script that instructs something else to build the thing for us. It's great for building applications quickly, but it changes the way you have to think about security and the supply chain. (Figure: Technology trends) That's why we need a CPSO role, not just a Chief Information Security Officer (CISO). A CISO is concerned with compliance and protecting the company's brand, but a CPSO would be responsible for managing product risk. Product risk spans many departments, like engineering, compliance, supplier management, and information risk, and will likely span even more over the next few years. CISOs have too much on their plate to take on product risk as well. Corman mentioned that many healthcare organizations have started adding a CPSO-type role and that others should follow suit, especially given the increase in software breaches. As mentioned in our blog outlining Anne Neuberger's RSAC address, cyberattacks have increased by 67 percent in the past five years, and many of these breaches, like SolarWinds and Microsoft Exchange, have national security implications. In fact, the Biden administration recently released an executive order to safeguard U.S. cybersecurity. So having a role dedicated to managing product risk is not only beneficial but arguably essential. For more summaries of RSA Conference 2021 sessions, check the Veracode Blog. Guideline Uber ★★
Veracode.webp 2021-05-20 16:59:46 Live From RSAC: Is Digital Transformation Making AppSec Headless? (lien direct) Chris Wysopal, Veracode Co-Founder and CTO, recently sat down with Tom Field, ISMG Senior Vice President of Editorial, for an executive interview at the RSA Conference 2021 to discuss whether digital transformation is making application security (AppSec) "headless." Headless AppSec is an interesting concept. AppSec was traditionally part of the security role. But as companies become increasingly digital, it's too time-consuming for developers to hand off AppSec scans to security. To eliminate the hand-off, companies have been moving AppSec scans to the development role. But without the right processes in place and without security knowledge, AppSec scans can be just as laborious in the development phase. The ultimate goal is to make security "headless," managed as part of the code rather than as a separate task. The pandemic is definitely expediting this shift to headless AppSec. As Wysopal stated, "There's no doubt that Covid-19 has accelerated all the things that companies were doing anyway, but on a much longer path." Many companies were in the middle of a digital transformation but, when the pandemic hit, realized that to stay competitive they needed to ramp up their shift to digital and move to the cloud for more flexibility. The pandemic has also changed the way organizations build software. The market is more competitive than ever, so to keep up, organizations need to iterate quickly and go to market faster. In fact, many organizations come up with a new feature in a day and take it to production the same day. But this speed is proving the need for headless AppSec. You can no longer have different teams building code, testing code, and so on. You need to automate these processes and have them handled by one team.
Ideally, developers should be able not only to write code but also to diagnose bugs and put fixes in place. For example, infrastructure itself is becoming very dynamic and programmable. Consider the rise of microservices, container security, and Kubernetes: it pushes all the things operations used to do into code so that developers can control it. Development and operations aren't the only two functions that should be on the same team; security should be as well. Security tools should be put in the developer pipeline so developers can remediate flaws without having to go through security personnel. Wysopal advocates a security champions program to train interested developers in security best practices. These developers can act as the voice of security on their scrum teams, eliminating the need for a security hand-off. And all security tools should be automated into developers' existing tools and processes so that they don't have to spend additional time running AppSec scans. This automation could open the door to machine learning and artificial intelligence. Machine learning thrives on the data sets automation produces: it can evaluate scan data and previously remediated code to derive rules for auto-remediation. If AppSec scans are automated and remediation is automated, that would be the ultimate form of headless AppSec. According to Wysopal, auto-remediation is a very real possibility and we should see it by the end of the year. For more updates on the RSA Conference 2021, check the Veracode Blog daily. Uber ★★★★
Veracode.webp 2021-05-18 14:54:52 A Closer Look at the Software Supply Chain Requirements in the Cybersecurity Executive Order (lien direct) Software security is a big focus of the Biden administration's recent executive order on cybersecurity. In fact, an entire section, or 25 percent, of the order is dedicated to software security requirements. In the wake of the SolarWinds cyberattack, the security of the software supply chain is clearly top of mind at the White House, and has prompted these unprecedented and detailed security requirements for any software vendor looking to do business with the federal government. The order states: "The security of software used by the Federal Government is vital to the Federal Government's ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of 'critical software', software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources), is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software." How will the requirements be developed, and what do they cover? The order mandates that NIST identify existing standards, or develop new ones, for software security that "shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices."
NIST has 180 days to publish the preliminary guidelines, so we expect to see them before the end of the year. Once the preliminary guidelines are published, NIST will then, within 90 days, issue guidance on best practices for securing the software supply chain (most likely early 2022). This guidance must include standards for: secure software development environments; generating proof of adherence to the standards; employing automated tools to "ensure the integrity of code"; employing automated tools to check for vulnerabilities and remediate them; generating proof of the results of the automated tools' findings; maintaining data on the origins of all software code; providing a software bill of materials; participating in a vulnerability disclosure program; attesting to conformity with secure software development practices; and ensuring the integrity of open source software in use. The order covers both new software purchases and a review of existing legacy software. There will also be guidance coming on what constitutes a software bill of materials and what should be considered "critical software." Finally, the order requires the development of a pilot program that will examine a security labeling and rating system for consumer software products, including IoT devices. What's notable? SBOM requirement: The requirement to provide a software bill of materials for each software product is a notable acknowledgement of the reality of modern software: very little of it is created from scratch, in-house. Just as requirements surrounding nutrition and ingredients labeling evolved over time as food products became more complicated and aware Vulnerability Threat
Veracode.webp 2021-05-14 10:33:26 2021 Verizon Data Breach Investigations Report Proves That Cybercrime Continued to Thrive During the Pandemic (lien direct) Verizon recently published its 2021 Data Breach Investigations Report (DBIR). This year, Verizon analyzed 79,635 incidents from 88 countries, of which 29,207 met its quality standards and 5,258 were confirmed data breaches. Despite the global pandemic, the DBIR found that cybercrime continued to thrive. As in previous years, the majority of breaches were financially motivated, and most were caused by external actors illegally accessing data. (Figures: Threat actors; Threat actor motives) Phishing, ransomware, and web app attacks ... Oh my! Phishing and ransomware attacks, along with the continued high number of web application attacks, dominated the data breaches in this year's report. Phishing was present in a whopping 36 percent of breaches in this year's dataset, up 11 percentage points from last year. (Figure: Covid varieties) Ransomware attacks increased by 6 percent, accounting for 10 percent of breaches. This increase can likely be attributed to new tactics in which ransomware now steals data as it encrypts it. Ransomware has also proven to be very efficient for cybercriminals: it doesn't take a lot of hands on keyboards and it's a relatively easy way to make a quick buck. Web applications were involved in 39 percent of all data breaches. Most of the web applications attacked were cloud-based, which isn't surprising given the increased shift to digital during the pandemic. The majority of web application attacks were carried out with stolen credentials or by brute force; 95 percent of organizations that suffered credential stuffing attacks saw between 637 and 3.3 billion malicious login attempts over the year. (Figure: Top hacking varieties) If you look at breaches by region, EMEA (Europe, the Middle East, and Africa)
had the highest proportion of web application attacks. This is the second year in a row that web applications accounted for the majority (54 percent) of breaches in EMEA. Not surprisingly, the most commonly breached data type in EMEA was credentials, which goes hand-in-hand with web attacks. (Figure: Patterns in EMEA breaches) In Asia, web application attacks ranked second behind social engineering, and in North America they ranked third, behind social engineering and system intrusion. Web application threats were also prevalent across the 11 industries examined, especially in the information industry. The retail industry, which has notoriously been susceptible to web application attacks, has decreased its proportion of web application breaches. What can organizations do to prevent web application attacks? Ransomware Data Breach
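The brute-force and credential-stuffing activity the report counts is visible in ordinary authentication logs once failures are counted per source over a short window, and distinguishing the two comes down to whether the failures target one account or many. As an added example (constructed data, not part of the Verizon report or this post), the following Python runs such a detector over sample log lines; the log format, the convention that a failed login returns 401, and the threshold and window are assumptions, and a production version would also correlate a success that follows a burst of failures:

```python
"""Added example (constructed data, not from the DBIR): flag brute-force and
credential-stuffing login activity in web server logs.

Log line format assumed here (one event per line):
    <client_ip> <ISO-8601 timestamp> <method> <path> <status> <username>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: a brute force against one account, a credential-stuffing
# run across many accounts, and a user who merely mistyped a password twice.
SAMPLE_LOG = """\
198.51.100.10 2021-05-14T10:00:00 POST /login 401 alice
198.51.100.10 2021-05-14T10:00:05 POST /login 401 alice
198.51.100.10 2021-05-14T10:00:10 POST /login 401 alice
198.51.100.10 2021-05-14T10:00:15 POST /login 401 alice
198.51.100.10 2021-05-14T10:00:20 POST /login 401 alice
198.51.100.10 2021-05-14T10:00:25 POST /login 401 alice
203.0.113.7 2021-05-14T10:01:00 POST /login 401 alice
203.0.113.7 2021-05-14T10:01:08 POST /login 401 bob
203.0.113.7 2021-05-14T10:01:16 POST /login 401 carol
203.0.113.7 2021-05-14T10:01:24 POST /login 401 dave
203.0.113.7 2021-05-14T10:01:32 POST /login 200 erin
203.0.113.7 2021-05-14T10:01:40 POST /login 401 frank
192.0.2.44 2021-05-14T10:00:00 POST /login 401 alice
192.0.2.44 2021-05-14T10:05:00 POST /login 401 alice
192.0.2.44 2021-05-14T10:10:00 POST /login 200 alice
192.0.2.44 2021-05-14T10:10:30 GET /dashboard 200 alice
this line is malformed and is skipped
"""

Event = Tuple[str, datetime, str, str, int, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that don't fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ip, ts, method, path, status, user = parts
    try:
        return ip, datetime.fromisoformat(ts), method, path, int(status), user
    except ValueError:
        return None


def detect_login_abuse(
    lines: Iterable[str],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=1),
    login_path: str = "/login",
) -> Dict[str, Tuple[str, int]]:
    """Map each offending source IP to (kind, max failures seen in one window).

    kind is "brute_force" when every failure targets a single account and
    "credential_stuffing" when the failures are spread across several accounts.
    """
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, method, path, status, user = ev
        if method == "POST" and path == login_path and status == 401:
            failures[ip].append((ts, user))

    alerts: Dict[str, Tuple[str, int]] = {}
    for ip, events in failures.items():
        events.sort()
        times = [ts for ts, _ in events]
        best, start = 0, 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = {user for _, user in events}
            kind = "credential_stuffing" if len(users) > 1 else "brute_force"
            alerts[ip] = (kind, best)
    return alerts


if __name__ == "__main__":
    for ip, (kind, count) in sorted(detect_login_abuse(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {kind} ({count} failed logins within one window)")
```

On the sample, 198.51.100.10 is reported as brute force (six failures against alice in 25 seconds) and 203.0.113.7 as credential stuffing (five failures across five accounts in 40 seconds), while 192.0.2.44's two slow failures stay below the threshold. Note that erin's successful login from the stuffing source is not counted here; in practice that success amid failures is the event to escalate.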
Veracode.webp 2021-05-13 07:45:23 New Cybersecurity Executive Order: What You Need to Know (lien direct) Last night, the Biden administration released an executive order on cybersecurity that includes new security requirements for software vendors selling software to the U.S. government. These requirements include security testing in the development process and a bill of materials for the open source libraries in use, so that known vulnerabilities are disclosed and can be tracked in the future. Without following these standards, companies will not be able to sell software to the federal government. There are also indications that these practices will make their way into the private sector, as much of the software sold to the government is also sold to enterprises. We're working on a series of blog posts and other content that will break this order down for you and track the standards as NIST develops them over the next 12 months. We've been advising and collaborating with the government (starting with testifying before Congress 23 years ago) and other standards bodies for years on this very topic, in addition to working with large enterprises in highly regulated industries like financial services and healthcare to help them comply with similar standards. We'll be using our experience and expertise to share our best practices, lessons learned, and data gathered from helping over 2,500 customers secure their software. What's in the order? In the wake of recent cyberattacks on government agencies through software from SolarWinds and Microsoft, this order aims to better protect government systems from a vulnerable software supply chain. Noting that "the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced,"
the order includes requirements for: the security of software eligible for purchase by the federal government; communication and collaboration on cybersecurity between the private sector and government agencies, and between government agencies; and modernizing the federal government's cybersecurity. In terms of improving communication and collaboration, initiatives in the order include the establishme Vulnerability Threat
Veracode.webp 2021-05-12 09:04:20 Recent Pipeline Attack Highlights Our Vulnerable Infrastructure (lien direct) On Thursday, May 6, Colonial Pipeline, which operates a pipeline that delivers gasoline and jet fuel to nearly 45 percent of the U.S. East Coast, fell victim to a ransomware attack. The attackers took over 100 gigabytes of data hostage, causing the company to halt all pipeline operations and shut down several of its systems. The attackers, identified as a criminal gang known as DarkSide, threatened to leak proprietary information unless a ransom was paid. Not especially sophisticated, this attack seems to be a run-of-the-mill ransomware attack like those we've seen in recent years, except that, instead of shutting down a school, a police department, or a small business, it shut down a good portion of fuel delivery on the East Coast. What this highlights is that the same vulnerabilities and attack tools and techniques that seem commonplace can have devastating consequences depending on the target. Clearly, critical infrastructure has to be hardened far more than a small business, but we see this isn't the case. The attack comes just months after the SolarWinds and Microsoft breaches, which brought about a proposed executive order by President Joseph Biden to strengthen cybersecurity for federal agencies and contractors. According to The New York Times, which obtained a preliminary draft of the order, "It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government." But many are now wondering if the executive order is enough. Top executives from firms like Amazon, Microsoft, and Cisco are calling for an international coalition to combat ransomware. As The New York Times states, "Among the recommendations in the report by the coalition of companies is to press ransomware safe havens, like Russia, into prosecuting cybercriminals using sanctions or travel visa restrictions.
It also recommends that international law enforcement team up to hold cryptocurrency exchanges liable under money-laundering and 'know thy customer' laws." Would that deter cybercriminals? And what about preventing the ability to carry out these attacks in the first place? One big issue with prevention is that we typically don't know how the attackers got in, including in the pipeline attack. Most ransomware attacks stem from phishing, but they can also stem from a different vulnerability, including one in software. One noteworthy thing about the Colonial Pipeline attack is that the company was first attacked through its IT systems but shut the OT systems down out of caution. That means it was not confident the networks were sufficiently isolated. In the future this needs to be rock-solid isolation, like the compartments in a submarine. That is why I support the idea of an NTSB-like organization for cyber, which is what the government intends with its upcoming executive order. If a criminal group can shut down 45 percent of the East Coast fuel supply, we need to know what went wrong. Can you imagine if we never found out why an airplane crashed, or why a particular model of car kept malfunctioning? Just as safety in the travel industry depends on information sharing and thorough investigation, it's becoming clear that, in our increasingly digital world, the same can be said for safety in cyberspace. Ransomware
Last update at: 2024-05-16 05:07:55