What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode.webp 2024-04-29 10:49:21 Your Must-Know AI and Cloud-Native AppSec Insights at RSAC 2024 (direct link) Are you looking to catch up on the latest in AI and cloud-native Application Security at RSAC 2024? Veracode is hosting a series of talks at our booth along with a series of programs at The W San Francisco. Here are all the details. Veracode at RSAC 2024: A Preview RSAC 2024 is around the corner and Veracode, a visionary provider of cloud-native Application Security testing solutions, will be at the forefront, showcasing groundbreaking innovations that are shaping the future of AppSec. This year, we are particularly excited to showcase the recent acquisition of Longbow Security, a strategic move that strengthens our commitment to providing comprehensive code-to-cloud security. According to App Developer Magazine, “The integration of Longbow into Veracode enables security teams to discover cloud and application assets quickly and easily assess their threat exposure using automated issue investigation and root cause analysis. Longbow provides a centralized… Threat Cloud
Veracode.webp 2024-03-18 12:25:43 Security Debt: A Growing Threat to Application Security (direct link) Understanding Security Debt Security debt is a major and growing problem in software development with significant implications for application security, according to Veracode's State of Software Security 2024 Report. Let's delve a bit deeper into the scope and risk of security debt, and gain some insights for application security managers to effectively address this challenge. Security debt refers to software flaws that remain unfixed for a year or more. These flaws accumulate over time due to various factors, including resource constraints, technical complexity, or lack of prioritization. Security debt can be categorized as critical or non-critical and can exist in both first-party and, maybe more worrying, third-party code. Prevalence and Impact of Security Debt According to recent research, 42% of active applications have security debt, with 11% carrying critical security debt that poses a severe risk to organizations. Large applications are particularly susceptible, with 40% of… Threat Technical ★★★
Veracode.webp 2024-02-26 15:17:44 Practical Steps to Prevent SQL Injection Vulnerabilities (direct link) In today's digital landscape, web applications and APIs are constantly under threat from malicious actors looking to exploit vulnerabilities. A common and dangerous attack is a SQL injection. In this blog, we will explore SQL injection vulnerabilities and attacks, understand their severity levels, and provide practical steps to prevent them. By implementing these best practices, you can enhance the security of your web applications and APIs. Understanding SQL Injection Vulnerabilities and Attacks SQL injection attacks occur when hackers manipulate an application's SQL queries to gain unauthorized access, tamper with the database, or disrupt the application's functionality. These attacks can lead to identity spoofing, unauthorized data access, and chained attacks. SQL injection is a technique where hackers inject malicious SQL queries into a web application's backend database. This vulnerability arises when the application accepts user input as a SQL statement that the database… Vulnerability Threat Guideline Technical ★★★
Veracode.webp 2024-02-14 00:30:00 Addressing the Threat of Security Debt: Unveiling the State of Software Security 2024 (direct link) Today, I'm proud to share our 14th annual State of Software Security report. Our 2024 report shines a spotlight on the pressing issue of security debt in applications, and it provides a wake-up call to organizations worldwide. The demand for speed and innovation has resulted in the accumulation of risk known as security debt. As Chief Research Officer at Veracode, I'm deeply committed to empowering businesses to confront the challenges posed by security debt. Let's dive in. The Changing Landscape of Software and Cybersecurity Our 2024 report research began based on findings from our 2023 report. We explored factors that affect flaw introduction, remediation times, and security debt. We found that applications grow by about 40% year on year irrespective of their original size. As these apps grow and age, flaws accumulate, further driving up security debt. This year we sought to figure out, “How risky is security debt really? Is it worth tackling? And if it'… Threat ★★
Veracode.webp 2024-01-02 18:16:59 Using Veracode Fix to Remediate an SQL Injection Flaw (direct link) Introduction In this first in a series of articles looking at how to remediate common flaws using Veracode Fix – Veracode's AI security remediation assistant, we will look at finding and fixing one of the most common and persistent flaw types – an SQL injection attack. An SQL injection attack is a malicious exploit where an attacker injects unauthorized SQL code into input fields of a web application, aiming to manipulate the application's database. By manipulating input parameters, attackers can trick the application into executing unintended SQL commands. This can lead to unauthorized access, data retrieval, modification, or even deletion. Successful SQL injection attacks compromise data integrity and confidentiality, posing serious security risks. Example Code and Analysis Let's look at a weakness in the source code of the deliberately vulnerable (and freely available) Verademo application, specifically the UserController.java source file found in the application repository in… Threat ★★
Veracode.webp 2023-12-07 13:23:31 State of Log4j Vulnerabilities: How Much Did Log4Shell Change? (direct link) December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability that carried the highest possible severity rating (10.0) was in Apache Log4j, a ubiquitous Java logging framework that Veracode estimated at the time was used in 88 percent of organizations. If exploited, the zero-day vulnerability (CVE-2021-44228) in Log4j versions Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) would allow attackers to perform a remote code execution (RCE) attack and compromise the affected server. It triggered a massive effort to patch affected systems, estimated to be in the hundreds of millions. The apocalypse that many feared didn't happen, but given its pervasiveness, the U.S. Department of Homeland Security's Cyber Safety Review Board determined that fully remediating Log4Shell would take a decade. The two-year anniversary of Log4Shell is a good… Vulnerability Threat ★★
Veracode.webp 2023-12-04 10:39:37 How Dynamic Analysis Helps You Enhance Automation for DevSecOps (direct link) DevSecOps, also known as secure DevOps, represents a mindset in software development that holds everyone accountable for application security. By fostering collaboration between developers and IT operations and directing collective efforts towards better security decision-making, development teams can deliver safer software with greater speed and efficiency. Despite its merits, implementing DevSecOps can introduce friction into the development process. Traditional tools for testing code and assessing application security risk simply weren't built for the speed that DevOps testing requires. To navigate these challenges, development teams need to start with automated testing tools, as relying on manual processes can't possibly keep pace with accelerated development timelines. Automation is considered key to continuous integration of security analysis and threat mitigation of dynamic workflows. As an extension of DevOps principles, DevSecOps automation helps integrate security testing… Tool Threat ★★★
Veracode.webp 2023-11-27 16:01:16 Top 5 Open Source Security Risks IT Leaders Must Know (direct link) Lurking in the open source software (OSS) that pervades applications around the world are open source security risks technology leaders must be aware of. Software is one of technology's most vulnerable subsets with over 70% of applications containing security flaws. Here are the open source security risks IT leaders must be aware of to protect technology and help it scale safely. Why Address Open Source Software Security Risks On December 9, 2021, a Tweet exposed a vulnerability in the widely-used OSS library Log4j. It didn't take long before attackers around the world were working to exploit the Log4j vulnerability. This incident was a wake-up call to how the security of a library can quickly change and proactive measures must be in place to protect from this danger. Log4j is just one example of how vulnerabilities in open source pose significant risks that can impact operations, data security, and overall IT health. Strategic technology choices can make a big impact on how much… Vulnerability Threat ★★
Veracode.webp 2023-11-12 22:55:15 Securing Your Web Applications and APIs with Veracode DAST Essentials (direct link) Web applications are one of the most common vectors for breaches, accounting for over 40% of breaches according to Verizon's 2022 Data Breach Report. Ensuring that your web applications are sufficiently protected and continue to be monitored once they are in production is vital to the security of your customers and your organization. Staying Ahead of the Threat Attackers are constantly looking for new ways to exploit vulnerabilities and to breach web applications, which means that as their methods mature and they become more aggressive, even the most securely developed applications can become vulnerable. Organizations that only perform annual penetration tests on their web applications may be leaving themselves open to a breach that could be easily prevented with regular production scanning. Application security outlines a collection of processes and tools focused on identifying, remediating, and preventing application-level vulnerabilities throughout the entire software development… Data Breach Tool Vulnerability Threat ★★
Veracode.webp 2023-06-09 12:10:38 Application Security in the Era of AI-driven Attacks (direct link) Introduction In today's digital landscape, the importance of application security cannot be overstated, as businesses worldwide face evolving cyber threats. Both defenders and attackers are now harnessing the power of Artificial Intelligence (AI) to their advantage. As AI-driven attacks become increasingly sophisticated, it is crucial for organizations to adopt a comprehensive approach to application security that effectively addresses this emerging threat landscape. In this blog post, we will explore the significance of adopting a robust application security strategy in the face of AI-driven attacks and provide concrete examples to support our claims. The Evolving Threat Landscape: AI-powered Attacks AI has transformed numerous industries, unfortunately including cybercrime. Hackers are leveraging AI to develop advanced and automated attacks that can bypass traditional security measures. Let's delve into some concrete examples of AI-powered attacks: 1. AI-powered Malware:… Threat ★★
Veracode.webp 2023-06-07 16:19:57 3 Reasons to Leverage AI for Enhanced Threat and Vulnerability Management (direct link) As the cyber threat landscape continues to evolve, you know there's a growing need to ensure applications and software are protected from malicious actors. A holistic and intelligent approach to threat and vulnerability management is essential for ensuring security against modern cyber risk. By leveraging AI-powered tools, especially for tasks like remediating security flaws, you can manage and reduce risk quickly and effectively. Let's explore why using AI to bolster and modernize your threat and vulnerability management strategies will pay off big time in the long run. Reason 1: To Stay Ahead of Rapidly Evolving Cybersecurity Threats Threat and vulnerability management helps businesses understand and respond to risk, but what about when the threat landscape is evolving so rapidly? When new threats emerge constantly, it's challenging to take a preventative approach to potential attacks in applications, software, and networks. For example, one particularly concerning new trend is… Vulnerability Threat Prediction ★★
Veracode.webp 2022-11-21 12:57:33 As the Holiday Season Begins, 73% of Retail and Hospitality Apps Have a Flaw (lien direct) After the pandemic upended the retail and hospitality industries, digital transformation became imperative to survival – the key to meeting ever-changing customer expectations and overcoming supply chain complexities. As the landscape continues to shift, 55 percent of retailers say they're open to improving their innovation capabilities, while 51 percent want to adopt new business models. But as retail and hospitality companies deepen their digital capabilities, cyberattackers are looking for ways to exploit vulnerabilities in eCommerce systems, digital payment platforms, and other software systems.    Our latest State of Software Security (SOSS) Volume 12 found that 73% of all applications in the retail and hospitality sector have a security vulnerability. This is especially concerning as we enter the busy holiday season, a time of historically elevated threat levels.   Yet there is some cause for cheer: Our SOSS findings revealed that when compared to other industries, retail and… Threat ★★★
Veracode.webp 2022-07-15 14:41:00 Three Ways to Align with the White House's Cybersecurity Recommendations (direct link) The global pandemic and more recent geo-political events have brought an even greater focus on the threat of cyber attacks on individuals and businesses. Even as global lockdowns and restrictions on movement have eased, many organizations have not adapted to remote or hybrid styles of work. The reality that most of the workforce now operates outside a perimeter that can be controlled creates greater opportunity for scammers, hackers and the potential for cyber attacks than ever before. New intelligence suggests that cyber attacks targeting the United States are being considered. To educate companies, the White House provided a fact sheet that included a comprehensive list of security best practices for organizations seeking to rapidly secure their digital infrastructure. The White House statement recommended public and private organizations move with urgency to enhance their cyber security posture and protect critical infrastructures. Specific recommendations include: Mandate the… Threat
Veracode.webp 2022-07-08 15:48:47 Unifying Security and Development (direct link) Most developers don't learn about secure coding in their college IT programs. And once they join the workforce, they often don't have the time to learn about secure coding. The responsibility of training developers in secure coding best practices usually falls on security practitioners. Security practitioners are notoriously overworked, often lacking the bandwidth to train developers. Organizations are thus turning to AppSec learning experiences built specifically for development teams. These learning experiences deliver the tools and skills needed to keep an AppSec program on track. According to PeerSpot, the number one ranked solution in application security training software is Veracode Security Labs, which gives developers tools and hands-on training to tackle modern threats and adopt secure coding practices. PeerSpot members who use the platform share why it is deserving of its high ranking. Making the Choice for Veracode Security Labs Veracode Security Labs empowers developers… Tool Threat
Veracode.webp 2022-05-25 23:53:25 Musings of a Former State CTO Part 1: The Origin Story (direct link) For decades, Claire Bailey has crusaded to combat threats to IT devices and networks. Her journey began in the early 1980s when a devastating personal experience inspired her to improve the system. Claire's father died of a heart attack in 1980 amid a heatwave hitting their rural Texas town. The hospital system had recently transitioned to a new model in which emergent patients were seen by dedicated ER doctors, rather than personal or family doctors being summoned in to treat them. As a result, Claire's father was seen by an ER doctor who was unfamiliar with him and made a snap judgment that he was likely experiencing discomfort due to the heat or had eaten something bad. He was sent home, despite his requests to stay. A few hours after his discharge, Claire's father passed away. The family entered into a legal dispute with the ER doctor and the hospital, and in the course of discovery, a deposition revealed that the ER doctor didn't have access to her father's physical medical… Threat
Veracode.webp 2021-11-23 14:21:23 Don\'t Let Code Injections Mess Up Your Holiday eCommerce Season (lien direct) The holidays are right around the corner. It's a well-deserved time to spend with your friends and family, and it likely translates to increased online sales. But more eCommerce activity also means increased cybersecurity risks.  Most organizations with eCommerce deploy cybersecurity measures such as Content Security Policies (CPSs), to help secure their site and protect their customer's personally identifiable information from a breach. Specifically, CSPs act to defend websites against online scripts that can cause fraud or steal credit card information.  And while CSPs do represent a solid first line of defense, as we will soon explore, there is also so much more that organizations need to do to protect against malicious scripts and code injections. That's because CSPs are only as effective as your allow list, so if a hacker targets any services already used by your CSPs, attacks are easy to execute.  In this article, we'll dive into how and why code injections are a threat to your web applications, why CSPs are effective but not enough to stop injections and additional measures that you can take to guard against code injections.  How are code injections a threat to your web applications? A 'code injection' is a general security term used to refer to cyberattacks that involve injecting malicious code that will then be used by the infected application. It's worth noting that code injection is distinctively different from the similarly named command injection, in that with the latter the hacker is not limited by the functionality of the injected code. Injection flaws are still one of the most critical forms of security risk to web applications. Code injections are usually made possible as a result of poor handling of data. 
Specifically, code injections can arise as a result of no input or output data validation, which in layman's terms means that the data stored has not been properly 'sanitized.' The application receiving the user input expects to receive only certain types of input, but if a developer is negligent about what can be accepted (such as format or accepted characters), the hacker can be successful. When a code injection attack is successful, the attacker has access to the database of the application. What are CSPs...and are they enough? A CSP is a set of rules defined by a web developer to either allow or block types of requests. This is intended to ensure stronger security for site visitors since it reduces the odds they will open an application on which malicious code is running. For example, developers can use CSPs to block any code (such as JavaScript) from being loaded from unfamiliar domains. It's ultimately the responsibility of the web application owner to define the CSP for their site, but it's often the developer(s) who will set and enforce those policies. An example of a CSP would be to require that all forms of visual media uploaded to a site come from domains that are individually approved. This will prevent hackers from injecting malicious JavaScript into embedded videos or photos. Setting good CSPs like this is effective but, at the same time, they should never be treated as the only line of defense. There are a few reasons for this. The first is that CSPs can struggle to keep up with innovations in web development. To put this into perspective, if your site's development team is limited by a strict CSP, it's possible that your site could fall behind competitors in terms of innovative deployments. Another problem is the fact that, according to a recent Enterprise Strategy Group survey, over 76 percent of developers never received security training in their college IT programs.
Your developer may not be experienced in, for example, secure coding best practices and may not be able to detect certain forms of malicious activity. You can help remedy this by offering secure code training. Guarding yourself against code injections  One of the best cybersecurity strategies to guard your web applications against code injection Vulnerability Threat
Veracode.webp 2021-11-10 12:34:31 Recent Updates to the OWASP Top Ten Web Application Security Risks (lien direct) The Open Web Application Security Project (aka OWASP) recently announced its latest updates to the venerable OWASP Top Ten list. This publication is meant to bring attention to the most common classes of software-related security issues facing developers and organizations in the hopes of helping them to better plan for and address potential high-severity issues in their codebases. While not specifically an industry standard, it is highly regarded among the security community and is regularly combined with findings from application security vendors and researchers to create a reference point for secure coding practices. The newest edition does make updates to certain conventions but also highlights the consistent issues seen throughout the years, such as injection attacks and insecure components.   Initially notable is the more generalized approach to categorization and naming, with OWASP describing the motivation for these changes as a “focus on the root cause over the symptom.” Given the complexity of modern web applications and software stacks, this new focus is a prudent reminder that focusing solely on the high-level presentation of flaws within complicated vulnerability taxonomies will only go so far in preventing breaches, and that true progress at any scale will only be made by remediations that address the underlying cause of discovered issues.  Supporting this focus is the inclusion of the new category A04:2021 – Insecure Design, bringing attention to the ever-growing need to address vulnerable application architectures and software flaws much earlier in the development process. While there has been considerable discussion about the industry's need to “shift left” for the past several years, it is apparent that a lack of threat modeling and overall secure design continues to be a major issue for applications of all types. 
It is nice to see these concerns formally addressed at this level in the broader context of security risk awareness.   The addition of A08:2021 – Software and Data Integrity Failures and the higher ranking for A06:2021 – Vulnerable and Outdated Components both appear to be in a similar vein, further underscoring the need for organizations to prioritize the security controls associated with the development pipeline and surrounding technologies as much as the specifics of the application code itself. The frameworks, software libraries, and other tools that development teams rely on are updated with increasing speed. It is easier than ever for organizations to fall behind on patching and management of these supporting components. These areas will continue to be points of security concern for years to come, and the industry should continue the work of better addressing the role of tooling and pipeline concerns, as well as application threat modeling, within the general scope of security issues across the board.  The movement of A01:2021 – Broken Access Control to the number one position, while hardly a surprise, is reason for concern primarily due to the obstacles associated with detecting issues of this nature. Underlying many access control flaws are fundamental application logic errors, most of which are currently difficult, if not impossible, to discover with automated scanning of any kind. As most companies are unable to have penetration testers examine every release, applications may only undergo thorough manual security audits relatively infrequently, leaving a large footprint of possible flaws whose discovery and remediation times are measured in months, or even years.  Further complexity is introduced as modern web technologies move toward microservice architectures and application containerization, creating a need to test for access control issues related to the nuances of these components as well. 
While teams may do their best to adhere to a least-privilege model, it quickly becomes more difficult to follow best practice guidelines as additional endpoints and APIs are added and role managemen Vulnerability Threat Patching
Veracode.webp 2021-09-30 14:22:27 .NET 5, Source Generators, and Supply Chain Attacks (lien direct) IDEs and build infrastructure have been a target of various threat actors since at least 2015, when XcodeGhost was discovered (https://en.wikipedia.org/wiki/XcodeGhost), a malware-ridden Apple Xcode IDE that enabled attackers to plant malware in iOS applications built using it. Attacks executed through builds abuse the trust we have in our build tools, IDEs, and software projects. This is slowly changing (for example, Visual Studio Code added a Workspace Trust feature in one of its recent releases: https://code.visualstudio.com/docs/editor/workspace-trust ), yet at the same time, .NET 5 added a powerful yet dangerous feature that could make attacks similar to those described above easier to implement, deliver, and keep under the radar. Source Generators introduction Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ ) Microsoft announced a new and exciting feature of the upcoming .NET 5: Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins, Source Generators offer more flexibility as they're independent of the IDE and compiler and do not require modifications of the source code. Source Generators can be present in your software solution as a part of the Visual Studio solution structure, visible as a separate project in the IDE Solution browser. They can also be added, more often, as a NuGet library, similarly to any other dependency. Compilation pipeline that includes a Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ As Source Generators follow the same concept as Analyzers, they may need to have install and uninstall scripts. In a simple scenario, the install script will modify the given project's csproj file in order to trigger the Source Generator at build time.
Similarly, the uninstall script will remove any references to the Source Generator from the csproj file. Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and have already been attempted in the wild, but the technique described in this blog post does not use scripts, making potential attacks harder to detect. Generators can be used for various purposes; in the most trivial case, to inject code that will be callable from first-party code. Source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/

    using System;
    using System.Collections.Generic;
    using System.Text;
    using Microsoft.CodeAnalysis;
    using Microsoft.CodeAnalysis.Text;

    namespace SourceGeneratorSamples
    {
        [Generator]
        public class HelloWorldGenerator : ISourceGenerator
        {
            public void Execute(SourceGeneratorContext context)
            {
                // begin creating the source we'll inject into the users compilation
                var sourceBuilder = new StringBuilder(@"
    using System;
    namespace HelloWorldGenerated
    {
        public static class HelloWorld
        {
            public static void SayHello()
            {
                Console.WriteLine(""Hello from generated code!"");
                Console.WriteLine(""The following syntax trees existed in the compilation that created this program:"");
    ");

                // using the context, get a list of syntax trees in the users compilation
                var syntaxTrees = context.Compilation.SyntaxTrees;

                // add the filepath of each tree to the class we're building
                foreach (SyntaxTree tree in syntaxTrees)
                {
                    sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");");
                }

                // finish creating the source to inject
                sourceBuilder.Append(@"
            }
        }
    }");

                // inject the created source into the users compilation
                context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8));
            }

            public void Initialize(InitializationContext context)
            {
                // No initialization required for thi
            }
        }
    }

Malware Tool Threat
Veracode.webp 2021-08-06 09:32:28 Recap: Black Hat USA 2021 (lien direct) Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements. As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats - especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration's recent Executive Order on cybersecurity, which impacts software security for organizations big and small. We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw an uptick of cyberattacks by 50%), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That's where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded. “I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said. 
Speaking about Veracode Security Labs he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.” Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure's full story here to see how they got it done. From Big Data to Open Source We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures. As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks. Another interesting session titled Securing Open Source Software – End-to-End, at Massive Scale, Together was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group. 
In their discussion, they highlighted that, while open source software is foundational to the Internet, it's also rife with risk if left unchecked. This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs - our recent State of Software Security: Open Source Edition report found that just over half of Tool Threat
Veracode.webp 2021-08-02 10:56:59 Champion Spotlight: Hans Dam (lien direct) This interview was cross-posted from the Veracode Community. With his third consecutive championship in the Secure Coding Challenge – the monthly coding competition in the Veracode Community – Hans Dam is the first in the community to clinch the title of Secure Code Champion. We spoke with him about his experience in the coding competitions and his career growth from a software developer to a DevSecOps manager. As DevSecOps manager currently working at Explorance, Hans manages the DevOps and AppSec teams and is responsible for managing internal application security scans, improving internal processes with automation, and developing tools for deployment and monitoring. His strong passion for DevOps and automation is at the core of his current role. What makes Hans the first Secure Code Champion and how did he get application security under his belt? In this interview, Hans shares his takeaways from the Secure Coding Challenges and his advice for developers looking to break into the security world. About your experience in the Secure Coding Challenge What brought you to Veracode's Secure Coding Challenge? The company I work for, Explorance, was offered a demo of Veracode Security Labs, and I found the gamification aspect of Security Labs exciting. Unfortunately, during the demo, we did not set it up as a competition. Because of this, when Veracode announced a competition involving security best practices and programming, I was hooked. What did you find most valuable in participating in the Challenge? I really like the diversity of programming languages and frameworks used in Veracode Security Labs. I had not touched Go, Flask, or Scala code before I participated in the Secure Coding Challenges. Additionally, it's always nice to brush up on the basics including OWASP Top 10 vulnerabilities. What's your suggestion for participants to stand out in the competition?
Know that you don't have to complete every step described in each Lab. For example, if you make a code change you don't always have to run and test your solution. Many times, it is enough to simply save the file.  About your experience becoming a DevSecOps Engineer    How have you grown from a software developer into a DevSecOps engineer? What are the skillsets and knowledge required for this career change? How did you acquire those skills?    I started at Explorance as a software developer, developing new features for our main product. Based on my experience in previous companies, I saw some areas where we could improve the processes and increase automation. I started creating build scripts, developing internal tools, and playing around with the possibilities of continuous integration.  I was then offered to lead our maintenance team, whose main objective was to quickly diagnose and resolve customer issues, in unison with our customer support engineers and operations team. This gave me the perspective of different departments on the product features, reliability, debuggability, deployment, and documentation.  I got the opportunity to switch focus and started a role in application security within Explorance. We wanted to increase our focus on security by doing internal security scanning, increasing the application security awareness among developers, and reacting to emerging trends more rapidly.  Working with Veracode to identify and mitigate security issues in our products helped me open my eyes to best practices and the many ways things can go wrong when trying your best to rapidly meet customers' needs.  My latest role change at Explorance was to become a DevSecOps Manager, which means that I am managing our DevOps and AppSec teams.  Within Explorance, the transition from software developer to DevSecOps manager has been a product of me trying out a bunch of different things and the organization believing in me. 
The main skillsets would be tenacity and listening to your colleagues about how to improve every day.  Wha Threat Guideline
Veracode.webp 2021-07-23 15:50:53 What Will Cybersecurity Look Like Over the Next Five Years? (lien direct) As a result of the Covid-19 pandemic, organizations in all industries ramped up their digital transformation efforts to make online operations easier for their employees and customers. But with more and more organizations online, the digital attack surface is growing at a record pace. The more applications with vulnerable code, the more opportunities for a cyberattack. In fact, our research found that 76 percent of applications have at least one security vulnerability. So how will this shape the future of cybersecurity, and software security? There are three key technology trends that we believe will impact cybersecurity, and software security, the most over the next several years. The first trend is ubiquitous connectivity. Think about how quickly the world – and everyone and everything in it – is becoming interconnected. Did you ever think you'd see a day where you can search the Internet from your refrigerator or turn on your television with a simple voice command? By the end of 2019, there were already 7.6 billion active IoT devices – and this number is expected to climb to 24.1 billion by 2030. And on top of the growing number of IoT devices, businesses are increasingly shifting their applications to the cloud. But IoT devices and cloud-connected software bring increased risk. According to the Verizon 2021 Data Breach Investigations Report (DBIR), web applications were the source of over 39 percent of breaches, which is double the amount in 2019. Executive vice president and CEO of Verizon Business, Tami Erwin, cites the pandemic and the sudden shift to the cloud as the cause of increased web application risk. Additionally, wireless and 5G add to the connectivity. Think of the number of people with smartphones checking their emails or shopping online without a firewall. These interfaces rely on APIs. 
But without the right security, APIs are a prime target for cybercriminals.  These trends point to an increased focus on API security, zero-trust models, and a shared responsibility model where organizations focus on application security, while the cloud provider focuses on infrastructure and physical security. The second trend to keep an eye on is abstraction and componentization. Think about how fast companies release new software or technology. It feels like every time you turn around Apple has a new software update. But the speed of software deployments is no longer shocking … it's expected. Companies need to release software rapidly in order to be competitive. To move faster, many development teams are turning not only to the cloud but to microservices. With microservices, development teams can break down comprehensive applications into the smallest possible reusable blocks of logic in order to stitch them together into business processes or workflows. APIs are used to integrate the components, which drives an API-first development approach. In fact, in SmartBear's 2019 State of API Survey, 75 percent of respondents answered that adoption of microservice architecture will drive the biggest growth in API adoption in the next two years. Open source libraries are also used as a way to speed up development. In fact, our State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. And 46.6 percent of insecure open source libraries in applications are transitive, meaning the library is pulled in indirectly by another library in use. This means that the attack surface doesn't just include the open source libraries that your developer added, it also includes indirect libraries that your open source code is pulling. Going forward, we envision a trusted third-party review authority that manages all public APIs and third-party code in order to make software publishers accountable for independent audits. 
There's an awareness component here as well. Developers need to be aware of the risk in both the libraries they are pulling in directly and the transitive dependencies of those libraries. Finally, automation will play a big role. For inst Data Breach Threat
Veracode.webp 2021-07-19 13:17:15 Executive Order Update: NIST Establishes a Definition for Critical Software and Outlines Scan Requirements for Software Source Code (lien direct) On May 12, 2021, President Biden announced an executive order to improve the nation's cybersecurity. The order, which outlines security initiatives and timelines, calls for the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) to enhance the security of the software supply chain.   One of NIST's first orders of business was to define critical software by June 26, 2021. According to the executive order, the definition of critical software needs to “reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” In other words, the definition must be specific enough to help the federal government with purchase decisions and deployment of critical software. NIST met the due date, releasing its definition of critical software. “EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:” Is designed to run with elevated privilege or manage privileges; Has direct or privileged access to networking or computing resources; Is designed to control access to data or operational technology; Performs a function critical to trust; or, Operates outside of normal trust boundaries with privileged access. 
NIST states, “the definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes.” As the executive order implementation matures, the definition may expand to include additional forms of software, such as: Software that controls access to data Cloud-based and hybrid software Software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software Software components in boot-level firmware Software components in operational technology (OT) NIST's second initiative – also achieved – was to “identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software.” The categories in the preliminary list include: Identity, credential, and access management (ICAM) Operating systems, hypervisors, container environments Web browsers Endpoint security Network control Network protection Network monitoring and configuration Operational monitoring and analysis Remote scanning Remote access and configuration management Backup/recovery and remote storage Having attended NIST's virtual workshop – one of its many methods for soliciting feedback about its plans to develop software-related standards and guidelines – the definition of critical software was not surprising. NIST could have extended the definition to include software that interacts with critical software, but – understandably – the line had to be drawn somewhere. A black and white definition of critical software is an excellent first step in protecting the federal government from security risk. Just days ago, NIST also released an outline of security measures for critical software – an initiative that was due by July 11, 2021. 
The security measures include minimum standards for vendors' testing of their software source code, calling for threat modeling using automated testing, static and dynamic analysis, remediation of “must fix” bugs, and the use of secure coding techniques. Hopefully, the new security measures will shake up the way software vendors test their code – even vendors that are not directly impacted by the executive order. If you are looking to get a head start on implementing security measures, now is a good time to start looking at application security (AppSec) solutions. Even if you are only able to meet the minimum requi Threat
Veracode.webp 2021-06-28 09:40:27 Too Many Vulnerabilities and Too Little Time: How Do I Ship the Product? (lien direct) The percentage of open source code in the enterprise has been estimated to be in the 40 percent to 70 percent range. This doesn't make the headlines anymore, but even if your company falls in the average of this range, there is no dearth of work to do to clean up, comply with AppSec policies, and ship the product. Phew! So where do you start when it comes to resolving all the vulnerabilities uncovered in your open source libraries? By prioritizing the findings from your scans and addressing the most critical and relevant vulnerabilities first. How do you prioritize? CVSS severities are an obvious choice, but considering the percentage of open source code you are dealing with, and depending on the language under the scanner, this alone might not bring the vulnerabilities to be addressed to a manageable number within your resource and time constraints. We will look at some common prioritization approaches before looking at Veracode's recommendation based on our deep expertise gathered from advising hundreds of customers about this aspect of their AppSec program. Common prioritization approaches You can resolve your findings to comply with your AppSec policy by prioritizing alongside one of a few dimensions. Here is the list of most common prioritization approaches: Threat-focused approach: This zeroes in on the flaws that are actively targeted in the wild through malware, exploit kits, ransomware, or threat actors. Vulnerability-focused approach: This prioritizes flaws and vulnerabilities according to how critical they are. For example, how easy they are to exploit, what their exploitation impact looks like, or if there is a public exploit available. Asset-focused approach: This gives the highest priorities to vulnerabilities that are associated with critical assets, and then orders the rest by how dangerous they are. 
Some organizations measure the exploitability of different flaws and vulnerabilities, taking a threat-focused approach as outlined above. This can also factor in the maturity of known flaws which sometimes impacts how easy it is to remediate, or how exploitable it is out in the wild. While these approaches are a good starting point and cover the broad base of risk, there is an additional piece of information that can make it easy for security stakeholders and developers to prioritize their Software Composition Analysis (SCA) scan findings when operating under tight resource and time constraints. Vulnerable methods: a powerful arrow in your AppSec quiver If the goal of AppSec is to ship clean code fast, then Veracode's vulnerable methods feature is a powerful arrow in your quiver to hit that target. Veracode's vulnerable methods feature goes beyond severities and exploitability to answer the key question for prioritization: How is this finding from the SCA scan relevant to my code? It answers that question by pointing to the precise function/method that makes a library vulnerable. This allows you to quickly assess whether it is worth the effort to remediate an SCA finding. Once a library is known to be vulnerable, our security research team researches and documents the exact function/method that makes it vulnerable. This team (say hello to them if you visit Singapore) of security experts, data scientists, and programmers continue to add new languages to our repository of languages for which we provide vulnerable methods coverage. When you're ready to tackle your security backlog, examine how particular applications use vulnerable methods and prioritize them in a way that reduces the immediate threat quickly. Getting ahead of possible exploits while reducing debt Security debt and unresolved vulnerabilities can feel daunting to developers and security professionals, especially as open source code only continues to increase its footprint in enterprise applications. 
But with a powerful tool like Veracode's vulnerable methods, you can go beyond severity or exploitability and focus on what really matters to your organization. Learn more about Veracode's Software Composition Analysis solution by readi Tool Threat
Veracode.webp 2021-06-22 14:09:12 How to Interpret the Various Sections of the Cybersecurity Executive Order (direct link) The Biden administration released a new executive order for cybersecurity on May 12, 2021. Although many know the overarching message of the executive order, it's also important to know the specific details outlined in each section. As our CEO Sam King remarked, “It gets really specific about the types of security controls they want organizations to adhere to and government agencies to take into account when they're looking to do business with software vendors in particular.” As we go through each section, we will intersperse thoughts from Sam King and Chris Wysopal, co-founder and CTO at Veracode, as well as thoughts and statements from Forrester analysts, Allie Mellen, Jeff Pollard, Steve Turner, and Sandy Carielli, from their recently aired webinar, A Deep Dive Into The Executive Order On Cybersecurity. Section 1 The first section talks about the overarching policy in the executive order, stating: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” It sets the framework for the order, calling “prevention, detection, assessment, and remediation of cyber incidents” a top priority. And if the Federal Government takes ownership of national cybersecurity, it will not only improve security in the public sector, it should also increase regulations in the private sector. Section 2 Section 2 removes the barriers to sharing threat information. In other words, IT Service Providers can no longer hide information pertaining to breaches – even due to contractual obligations. And they will have to disclose this information in a timely manner.
As Turner expresses in the Forrester webinar, “this section really opens up the door for all of the further technology improvements and the way that we want to improve security holistically as we go down toward significantly modernizing the way that the federal government does cybersecurity.” Section 3 Speaking of modernizing the way that the federal government handles cybersecurity, section 3 is specifically aimed at addressing today's sophisticated cyber threat environment. It sets the groundwork for moving the Federal Government to secure cloud services and a zero-trust architecture. As part of the zero-trust policy, vendors providing IT services to the government will have to deploy multifactor authentication and encryption in a specified time period. Section 4 Section 4 enhances software supply chain security. It sets a new precedent for the development of software sold to the government. Developers will be expected to have increased oversight of their software and they will be required to make security data public. Wysopal found “the scope of the software supply chain requirements to be the most notable aspect” of the new executive order, stating, “It's very comprehensive – all the different aspects of delivering secure software that hasn't been tampered with by attackers, that has had software assurance practices built into the development pipeline, and notification to the federal government if a vendor has been compromised – because there's a likelihood that the software was the target.” This section also proposes that software be ranked or labeled based on its security. As Carielli explains in the Forrester webinar, the software will be labeled with a ranking – like Energy Star or Good Housekeeping – proving a vendor's security standing. Wysopal is a strong proponent of the labeling program, comparing it to programs used in the UK and Singapore on IoT devices. He sees it as a good way to incentivize vendors to secure their products.
King agrees, calling the pilot program a great way to increase transparency and accountability. Sections 5 and 6 Despite all of these new steps in place to prevent cyber incidents, it's still possible for Threat
Veracode.webp 2021-05-21 14:27:34 Live From RSAC: Disinformation: As Dangerous as Cyber and Physical Threats (direct link) In today’s digital world, we practically live on our phones or computers. Chances are, you don’t go more than 15 minutes without checking your email or social media. And you probably get most of your news from the Internet. But how do you know what information is real? Two different news sites might be giving a different opinion of the same story. Take the presidential election, for example. There was a frenzy of fake news trying to sway voters in one direction or the other. Covid-19 also brought about a fair share of conspiracy theories and misinformation – like the Covid-19 vaccine microchip theory. These theories and propaganda were planted by threat actors to stir chaos and instill fear or doubt. In an RSA Conference fireside chat this week, Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency and co-founder of Krebs Stamos Group, and Alan Shimel, CEO of MediaOps, explained how to weed through disinformation, what threats fake news pose to cybersecurity teams, and what we can do to help. As Krebs says, “I’m leading a commission at the Aspen Institute on the information disorder and there are no silver bullets right now for stopping, for halting, for changing the ecosystem. Whatever the solutions are – now or in the future – it’s going to take the whole of society, like government, industry, civil society … it’s going to take a full effort.” How do you build your information ecosystem? It’s challenging to figure out what information to believe when there are so many news outlets. And people tend to be more attracted to drama or stories that align with their views, even if the information is not accurate. Real news is “boring,” as Krebs says, and fake news is more appealing.
Unfortunately, there is no central source of truth at the moment, so there is no way to say what information is accurate or not. We need to fix this. How do we counter disinformation? Krebs and Shimel discussed the idea of creating one source of truth. Whether it’s at a company, or in government, you need one central repository with the facts. Take Germany for example. Germany has a monoculture of news that gives them the advantage of one source of “truth.” There is one source where you can get your news, and there is no commentary. That doesn’t mean that they don’t still deal with some disinformation, but it’s a lot less than in the United States. How do you deal with disinformation in cybersecurity? Disinformation attacks are when threat actors manipulate information to cause unrest. Software companies that work with the government deal with disinformation attacks all the time. For example, threat actors changing the outcome of an election. The new executive order should help with some of these attacks, but it still doesn’t solve the problem. The government needs more information, especially regarding ransomware. But what companies want to disclose their security problems? And it’s not as if the government can help them with security. Krebs and Shimel noted that we need to incentivize organizations, and we need to make it easy and convenient to report security defects and breaches. Organizations should also be conducting an analysis of their systems to keep an eye out for potential attacks, and should consider hiring a senior executive to concentrate solely on countering disinformation. Since the world is becoming increasingly digital, this role is more important than ever. For more on the cybersecurity executive order, and other RSA Conference 2021 sessions, check the Veracode Blog. Threat Guideline
Veracode.webp 2021-05-18 14:54:52 A Closer Look at the Software Supply Chain Requirements in the Cybersecurity Executive Order (direct link) Software security is a big focus of the Biden administration’s recent executive order on cybersecurity. In fact, an entire section, or 25 percent, of the order is dedicated to software security requirements. In the wake of the SolarWinds cyberattack, the security of the software supply chain is clearly top of mind at the White House, and has prompted these unprecedented and detailed security requirements for any software vendor looking to do business with the federal government. The order states: The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software” – software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) – is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. How will the requirements be developed, and what do they cover? The order mandates that NIST will identify existing or develop new standards for software security that “shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.”
NIST has 180 days to publish the preliminary guidelines, so we expect to see them before the end of the year. Once the preliminary guidelines are published, NIST will then, within 60 days, issue guidance on best practices for securing the software supply chain (most likely early 2022). This guidance must include standards for: secure software development environments; generating proof of adherence to the standards; employing automated tools to “ensure the integrity of code”; employing automated tools to check for vulnerabilities and remediate them; generating proof of the results of the automated tools’ findings; maintaining data on the origins of all software code; providing a software bill of materials; participating in a vulnerability disclosure program; attesting to conformity with secure software development practices; and ensuring the integrity of open source software in use. The order covers both new software purchases and a review of existing legacy software. There will also be guidance coming on what constitutes a software bill of materials and what should be considered “critical software.” Finally, the order requires the development of a pilot program that will examine a security labeling and rating system for consumer software products, including IoT devices. What’s notable? SBOM requirement: The requirement to provide a software bill of materials for each software product is a notable acknowledgement of the reality of modern software – very little of it is created from scratch, in-house. Just as requirements surrounding nutrition and ingredients labeling evolved over time as food products became more complicated and aware Vulnerability Threat
Veracode.webp 2021-05-13 07:45:23 New Cybersecurity Executive Order: What You Need to Know (direct link) Last night, the Biden administration released an executive order on cybersecurity that includes new security requirements for software vendors selling software to the U.S. government. These requirements include security testing in the development process and a bill of materials for the open source libraries in use, so known vulnerabilities are disclosed and able to be tracked in the future. Without following these standards, companies will not be able to sell software to the federal government. There are also indications that these practices will make their way into the private sector as much of the software sold to the government is also sold to enterprises. That said, we’re working on a series of blog posts and other content that will break this order down for you and track the development of the standards as they are developed by NIST over the course of the next 12 months. We’ve been advising and collaborating with the government (starting with testifying before Congress 23 years ago), and other standards bodies for years on this very topic, in addition to working with large enterprises in highly regulated industries like financial services and healthcare to help them comply with similar standards. We’ll be using our experience and expertise to share our best practices, lessons learned, and data gathered from helping over 2,500 customers secure their software. What’s in the order? In the wake of recent cyberattacks on government agencies through software from SolarWinds and Microsoft, this order aims to better protect government systems from a vulnerable software supply chain. Noting that “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced,”
the order includes requirements for: the security of software eligible for purchase by the federal government; communication and collaboration on cybersecurity between the private sector and government agencies, and between government agencies; and modernizing the federal government’s cybersecurity. In terms of improving communication and collaboration, initiatives in the order include the establishme Vulnerability Threat
Veracode.webp 2021-04-23 12:58:34 Are You Targeting These Risky Red Zone Vulnerabilities? (direct link) Modern software development is full of security risk. Factors like lingering security debt, insecure open source libraries, and irregular scanning cadences can all impact how many flaws dawdle in your code, leading to higher rates of dangerous bugs in susceptible and popular languages. For example, we know from State of Software Security v11 that PHP has a high rate (nearly 75 percent) of cross-site scripting flaws on initial scan, which is also the most common type of open source code vulnerability across nearly every language. It’s a dangerous one. CRLF injection – which is commonly seen in Java and JavaScript – can lead to maliciously manipulated web applications if a threat actor is able to inject a CRLF sequence into an HTTP stream. CRLF injection is dangerous and appears in a sizeable 65 percent of applications with a flaw on initial scan, posing a decent risk to apps written in Java and JavaScript if left unchecked. [Figure: CRLF Injection] But not all flaws are so high-risk for common languages; Information Leakage, for example, is most often seen in .NET, PHP, and Java, typically stemming from a lack of secure code training. To stay one step ahead of even the low-risk (and high-risk) flaws, developers need to be armed with the right knowledge and tools so that they can produce more secure code to reduce the chance of a breach – whether low risk or in the danger zone. [Figure: Bullseye] Understanding how flaws impact programming languages across the board is crucial to preventing them. Take note of which languages tend to carry the most high-risk flaws first; whether or not yours is in the mix, it’s a good idea to brush up on secure coding best practices and try your hand at hacking and patching real applications with Veracode Security Labs.
You can’t fake it when it comes to security: hands-on-keyboard education is critical to jumping these (and other) hurdles as you create innovative applications. If you want to keep data safe and squash these risky bugs, you have to think like an attacker and avoid flaw-filled curveballs in the future. To learn more about which vulnerabilities are in the danger zone (and how to go about preventing them), check out our infosheet here. Vulnerability Threat Patching Guideline
Veracode.webp 2021-04-23 09:34:12 Reporting Live From Collision Conference 2021: Part Two! (direct link) If you caught part one of our recap series on this year’s Collision conference, you know we covered a roundtable talk hosted by Veracode’s own Chris Wysopal. The talk focused on the risks of AI and machine learning, delving into discussions of how to manage the security aspects of these future-ready technologies – especially when it comes down to consumer privacy. Chris also had the opportunity to host a session of his own, covering the critical aspects of modern application security and the reasons that organizations need to get serious about security-minded approaches to their code. Here’s what we learned. Secure from the top down Chris began his session Secure From the Top Down by noting that, today, it’s important to think about application and product security through the eyes of the developer or the builder. With so many applications running in the cloud and so many devices connected to the Internet of Things (IoT), Chris pointed out that the attack surface for threat actors is growing exponentially and that everyone building and deploying technology needs to consider the risks moving forward. Connected devices are everywhere, Chris said, but they’re not typically behind a firewall. Normally, these devices are connected to 5G or Wi-Fi. According to Chris, this means devices essentially need to secure themselves and all of the connection points where they talk to other devices or they pose a security risk. Further, everything is connected through APIs today. “We used to have big, monolithic software packages with one big block of code,” Chris said. “Today, we have a lot of small devices; even with applications running in the cloud, they’re built with microservices and are talking to each other through APIs.”
This is a way an attacker can exploit a device or an application, and means the builders of today need to improve the security around their APIs for a more secure tomorrow. It’s already a problem; Chris pointed out in his session that, according to the 2020 Verizon Data Breach Investigations Report, 43 percent of breaches come from single page applications. Developers working on building these single page apps need to be more considerate with their security. Looking ahead at trends Time is the biggest competitor for most organizations, according to Chris, and there are three main trends that are going to impact product security moving forward: ubiquitous connectivity, abstraction and componentization, and hyperautomation of software delivery. Ubiquitous connectivity While this involves the rise of APIs and IoT devices, what it really comes down to is that each piece of software connected through the network and APIs must think about securing itself. “Each code that is exposing an API needs to think about how it will authenticate, encrypt, and secure itself from all Data Breach Threat Patching
Veracode.webp 2021-04-13 15:04:46 The Biggest Breaches and Data Leaks of 2020 (direct link) Year after year, cyberattackers cause unnecessary stress for organizations, disrupting innovation and impacting profit. 2020 was no different – last year brought a bevy of damaging breaches that cost organizations precious money and time they couldn’t get back. Ranging from thousands to billions of records exposed, breaches big and small gave threat actors access to sensitive information like email addresses, locations, passwords, dates of birth, and more. Impacts were felt across the board with organizations from Nintendo to Broadvoice and even the U.S. Small Business Administration making waves in the news. The biggest breach, however, went to Keepnet Labs with what was most likely a directory traversal exploit from an unsecured server. This typically allows threat actors to gain unauthorized access to files and, ultimately, compromise an entire web server. Unfortunately for Keepnet Labs, attempting to move an unsecured server with their firewall disabled for about ten minutes landed them in the headlines with over 5 billion records leaked from previous cybersecurity incidents, including hash types, passwords, email addresses, email domains, and more. So why are security breaches still so common? We know from State of Software Security v11 that 76 percent of applications have at least one flaw on initial scan today (24 percent with high-severity flaws), and that organizations with a higher flaw density remediate risky flaws a whopping 63 days slower than others. The good news: some of the biggest breaches from 2020 stemmed from common problems with code quality, CRLF injection, and cryptographic issues, which are preventable with secure coding best practices. [Figure: Biggest Breaches of 2020] Check out our full infographic here to see the biggest breaches of 2020 and learn how to prevent similar threats.
Looking ahead to 2021 and beyond, it’s critical that organizations continue to pivot and improve their security; with the right combination of secure coding best practices, educational training, and integrated testing types, developers can stay one step ahead of these and other modern threats. Threat
Veracode.webp 2021-03-16 10:45:23 Automated Security Testing for Developers (direct link) Today, more than ever before, development organizations are focusing their efforts on reducing the amount of time it takes to develop and deliver software applications. While this increase in velocity provides significant benefits for the end users and the business, it does complicate the process for testing and verifying the function and security of a release. The days of long-running, waterfall-style development cycles, wherein security was manually evaluated and bolted on at the end, are gone for good. With the move towards an agile development methodology, security testing and remediation is inherently shifting to the left. And to support this, developers must adopt tools to automate security testing for easy vulnerability identification at the earliest point possible in the development lifecycle. Below, we discuss the why and how of implementing an effective strategy for automated security testing within the development lifecycle. Shifting security testing to the left Through the use of automation, security testing can be executed earlier (or left) in the development pipeline. This is advantageous for a variety of reasons. For one, the earlier vulnerabilities are discovered, the less expensive they are to fix. If a security issue was introduced into the code early in the release cycle, it’s more likely that it’ll be resolved in minutes or hours. Whereas, a vulnerability discovered at the end of the release cycle could face complexity that increases the time required to remediate. Moreover, earlier execution of security tests ensures that vulnerabilities pose less of a threat to the delivery schedule. When security tests are automated as part of the build and integration processes, there is less uncertainty as the release approaches the later stages of the development lifecycle. This reflects well on both development personnel and the organization as a whole.
Shifting security left can also help reduce security debt, which piles up over time and can only add to serious risk if left unchecked. Instead of leaving the prioritization and remediation of bugs and vulnerabilities until the very end, shifting security left encourages collaboration between security and development to tackle this issue and determine which security debt is acceptable, and which should be remediated ASAP, reducing lingering risk. Automated security testing for developers So with the intent being to automate and shift security testing to the earliest possible point in the development lifecycle, let’s analyze how this is done in practice. What are we looking for when we test? What does automated security testing involve? Automated security testing for applications is accomplished by scanning code for vulnerabilities. Static code analysis, for instance, scans a codebase while the application is not running. The code is evaluated against a set of policies to ensure that developer implementation is in compliance with the security standards set forth by the organization. Non-compliance with any standard would indicate a vulnerability. These vulnerabilities can include anything from failure to properly protect database calls from SQL injection, to non-compliance with PCI standards for processing, storing, and transmitting credit card information. Furthermore, automated security testing can be leveraged to validate the security of third-party libraries being used by the system. Organizations that wish to shorten their development cycles and enable continuous delivery should uti Tool Vulnerability Threat ★★★
Veracode.webp 2021-03-09 12:50:24 Putting the Sec in DevSecOps (direct link) Whether a seasoned professional or a fresh computer science grad, every developer has his or her stressful moments of trying to dig through scanning results to mitigate or remediate a vulnerability. Since you work at the speed of “I need this yesterday,” it’s a hassle to slow down and fix flaws or even stop to rewrite code entirely. Effective AppSec today is about executing essential application security (AppSec) tests as you’re writing code. When AppSec is embedded as part of the development process, you’re able to assess security on every code commit with fast and effective results that make your job – writing more secure code – much easier. DevSecOps meets security With a cyberattack happening every 39 seconds, and 76 percent of applications with at least one security flaw on first scan, AppSec is now a must-have for all organizations creating the apps that power the world. This is even more critical as organizations undergo technology shifts and must bolster their digital fingerprints to keep up with the competition. Security testing early in development makes you more efficient as a developer because it improves the quality of your code from the start, meaning you’re not bogged down by bugs and dangerous vulnerabilities later on. It cuts down on risk, saving valuable time that you can then use to create more innovative applications. With security testing built into your existing workflows, you take on the critical role of improving the security and quality of your code as you develop apps. Once you begin integrating security as part of your coding process to find and fix flaws faster, your team is on the path to an effective DevSecOps engine that produces higher quality code.
Securing the future: Integrating security into development If security is now an essential element of your job as a developer, then security testing needs to be automated and integrated for ultimate efficiency, and you need the right tools to help you keep up with the ever-evolving threat landscape. It isn’t enough to simply check boxes once scans are complete. If you want to make sure that you’re set up for success in the future, you and your team need: Good developer training tools like Veracode Security Labs, which offers real-world education you can use while coding. When security training is decentralized and you’re empowered to make decisions that impact the health of your code, your know-how needs to be top-notch. By studying common vulnerabilities with hands-on learning and understanding which flaws are more predominant in certain languages, you’re better prepared when you sit down to write software. For example, we know from State of Software Security v11 (SOSS) that issues with information leakage, CRLF injection, cryptographic bugs, and code quality are the most common flaws found, and they impact popular languages like .NET, Java, PHP, and Python. Boost your knowledge on which flaws cause issues in common languages and you’ll be better prepared to write code that prevents them in the future. Efficient communication and collaboration with security through training on existing DevOps processes, by learning workflows of security team members, and by ensuring that both teams are operating with the same goals in mind. You should also consider starting or joining a Threat ★★★
Veracode.webp 2020-12-16 10:41:10 Defense in Depth: Why You Need DAST, SAST, SCA, and Pen Testing (direct link) When it comes to application security (AppSec), most experts recommend using Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) as “complementary” approaches for robust AppSec. However, these experts rarely specify how to run them in a complementary fashion. At Veracode, we use SAST, DAST, SCA, and pen testing as the four pillars of our defense-in-depth strategy to deliver a “secure-by-design” AppSec methodology across the entire software development life cycle. Manual penetration testing Most organizations start their AppSec journey by running manual penetration tests (MPT). Penetration testing is necessary to catch vulnerability classes, such as authorization issues and business logic flaws, that cannot be found through automated assessments alone. Expertly trained pen testers can review an entire environment, rather than just the application, and can follow or break the workflows in a way that is difficult for automation to replicate. Additionally, pen testing is required to comply with regulations such as PCI DSS, HIPAA, GLBA, FISMA, and NERC CIP. However, pen testing is only one assessment type and can bottleneck development velocity because it is a manual process. How does Dynamic Analysis work? Dynamic application security testing (DAST) is an AppSec assessment that scans all applications and interconnected structures in a running environment without looking deeply into source code. The results of “outside-in” dynamic scanning help prioritize the remediation of exploitable vulnerabilities and immediately reduce AppSec risk as they are fixed.
However, it can be challenging to pinpoint the exact line of code to work on using only DAST. This assessment on its own is limited by the configuration of your scanner and what you choose to test. If you don’t properly configure your scans, you may miss vulnerabilities and have a false sense of security. Additionally, since the application is scanned towards the end of the SDLC, there’s more pressure on development teams to remediate the difficult-to-find vulnerabilities quickly. This is usually where friction between development and security increases, often resulting in unmitigated risk. How does Static Analysis work? Static application security testing (SAST) is an AppSec assess Vulnerability Threat
Veracode.webp 2020-11-24 16:44:20 State of Software Security v11: Key Takeaways for Developers (direct link) We recently released volume 11 of our annual State of Software Security (SOSS) report, which analyzes the security activity and history of applications Veracode scanned during a one-year period. Giving us a view of the full lifecycle of applications, that data tells us which languages and vulnerabilities to keep an eye on, and how factors like scanning frequency can impact your remediation time. This year’s report also explores the idea of nature vs. nurture when remediating flaws and improving security. In other words, which security factors do developers like you have control over, and which are completely out of your hands? You likely have no control over the size of your organization and even the size of your application (“nature”), but you can “nurture” factors like frequency and scanning via API to improve security efforts. Read on for key takeaways from SOSS v11 and for more information on what you can do to give your application security (AppSec) a boost. Using SAST through API improves remediation time It should be no surprise that the right combination of tools and integrations with frequent scanning means more effective flaw remediation. Data from SOSS v11 backs that up; when running static analysis (SAST) scans through API, organizations can remediate flaws 17.5 days faster on average. [Figure: Remediate Faster] Efforts like more frequent scanning, pairing dynamic analysis (DAST) with SAST, implementing a steady cadence, and using Software Composition Analysis (SCA) with SAST can help you remediate more vulnerabilities faster and keep your security in check. On the flip side, higher flaw density or a larger application greatly slows the remediation process by more than 50 days – especially for larger, legacy applications.
Information Leakage is the most common flaw… …with CRLF injection, cryptographic issues, and code quality close behind. These four most common flaws didn’t change between last year’s report and this year’s report, which means they’re likely not going anywhere anytime soon and are important to keep an eye on. [Figure: Common Flaws] For developers, knowing the most common flaws is critical to understanding how they’re introduced, how to prevent them, and how to fix them quickly to “nurture” your situation. That’s especially important for the most high-risk vulnerabilities, such as Injection flaws like CRLF and SQL that reign supreme on the list of OWASP Top 10 Web Application Security Risks. Open source creates an expanding attack surface You work hard and you work fast. Projects don’t slow down or wait for you to write code from scratch, which is why so many developers like you rely on open source libraries and third-party code to speed up production. But there’s a problem: open source code, though used virtually everywhere, creates a wider attack surface for threat actors. And even trickier, some languages more heavily utilize op Threat ★★★
Veracode.webp 2020-11-19 16:23:50 Healthcare Orgs: What You Need to Know About TrickBot and Ryuk
In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of "…credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," which they shared as a warning of potential ransomware attacks. In the report, the agencies found that threat actors are targeting the HPH sector using TrickBot and BazarLoader malware, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic, something healthcare providers should take into consideration when determining how much to invest in their cybersecurity efforts.

The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, "…TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti."

What makes it so dangerous?
Researchers found that TrickBot developers created a tool called anchor_dns, which uses a single-byte XOR cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic. When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories:
C:\Windows\
C:\Windows\SysWOW64\
C:\Users\[Username]\AppData\Roaming\
From there, the executable file downloads modules from command and control (C2) servers and places them into the host's %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim's machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here.

BazarLoader and Ryuk ransomware
CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks. "The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure," the report says. "Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment." BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal, with recipient or employer names in the subject l
Tags: Ransomware Malware Tool Threat Patching ★★★
Veracode.webp 2020-10-16 12:17:40 Watch Here: How to Build a Successful AppSec Program
Cyberattackers and threat actors won't take a break and wait for you to challenge them with your security efforts; you need a proactive application security (AppSec) program to get ahead of threats and remediate flaws quickly. It's critical that you stand up an AppSec program covering all the bases, from which roles each team member will have, to alignment on KPIs and goals, and even a detailed application inventory to stay on top of your code. But it isn't enough to simply set ground rules and define your goals; good AppSec programs succeed because they come from the top down, with stakeholders committed at the executive level. This helps maintain accountability and ensures that developers and security professionals are aligned on targets for flaw remediation. Part of that effort involves standing up a Security Champions program, too, enabling your developers to work alongside security and take ownership of securing their code. If you follow these and other recommendations, your AppSec program should run like a well-oiled machine with the flexibility and security you need to keep creating innovative applications. Watch this video to learn about what goes into building a successful AppSec program, and check out the full How-to Series here.
Tags: Threat
Last update at: 2024-05-16 05:07:55