Daily Archives: September 7, 2018

That’s What Hackers Do – Enterprise Security Weekly #105

This week, Paul and John talk BitSight, SentinelOne, Swimlane, Fortinet, and more! After the Enterprise News, we air some pre-recorded interviews from Black Hat and DEF CON with Mimecast CTO Marc French, Director of Solutions of Synopsys Ofer Maor, CEO of ThreatX Bret Settle, and Willy Leichter of Virsec!


Full Show Notes: https://wiki.securityweekly.com/ES_Episode105


Visit https://www.securityweekly.com/esw for all the latest episodes!


Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!


→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Join us in fighting back against powerful corporations trying to silence news and advocacy organizations

Protect the Protest

This week, Greenpeace, along with Freedom of the Press Foundation and dozens of other advocacy groups, is launching an important campaign called Protect the Protest, which aims to draw attention to a dangerous tactic that corporations use all too often to chill the free speech of Americans.

SLAPP suits, or “strategic lawsuits against public participation,” are brought by wealthy individuals or organizations in an attempt to silence critical speech. Powerful people bring these types of libel lawsuits knowing they won’t win on the merits, but they hope they can silence critics by bleeding them dry of resources or bankrupting them altogether.

Greenpeace is the defendant in two particularly egregious lawsuits, which we wrote about earlier this year, that actually accuse Greenpeace of violating the RICO statute (a law used to go after organized crime) for engaging in routine advocacy. These types of lawsuits chill the speech of non-profit organizations and protesters, and prevent public transparency and accountability of those in power. The suits also directly impact press freedom.

SLAPP suits are particularly dangerous when used against journalists and news organizations. In the past few years, we’ve seen several high-profile cases of extremely wealthy individuals and corporations threatening to sue, or actually suing, public interest news organizations for libel over stories they didn’t like.

The non-profit news organization Mother Jones had to fend off an incredibly expensive lawsuit brought by a billionaire political fundraiser a few years ago, one they worried might ultimately bankrupt the organization. The civil liberties news website Techdirt faced a similar lawsuit last year that had it contemplating shutting its doors. (Both eventually won their cases.)

And of course, billionaire Peter Thiel infamously funded a series of lawsuits that ultimately destroyed Gawker.

The billionaire with the most prolific history of bringing lawsuits against journalists who report critically on him currently occupies the White House. Donald Trump brought over half a dozen SLAPP lawsuits against journalists over his decades in public life and has threatened over a dozen more.

It’s important to emphasize that in almost all of these cases, the lawsuits were never going to win. Anyone who glanced at the stories in question could tell the speech of the defendants was protected by the First Amendment. The problem is that these powerful people often don’t care about winning; they care about inflicting damage. Maybe they will be able to decimate the news outlet by forcing it to spend millions in legal fees. Even if the plaintiff loses, the next time the news outlet will think twice before going forward with an investigation. Or maybe they’ll scare the countless other news organizations that may be planning similar stories.

(Note: while Gawker did lose an invasion of privacy case that eventually bankrupted the company, it had several other libel suits funded by Thiel that were pending, all of which were standard SLAPP suits. The invasion of privacy case would’ve likely been overturned by an appeals court if Gawker had the funding to continue fighting.)

Ultimately, the Protect the Protest campaign is not just about Greenpeace. Luckily, they have an excellent team of lawyers and have decided to very publicly fight back against these dangerous threats. I have no doubt they will prevail. This campaign is about protecting all of the smaller non-profits and smaller news organizations that will think twice about reporting on people in power because they know they may be subject to millions of dollars of litigation for speaking out. And we are proud to stand with them as they expand this fight.

You can find more information about the campaign here, and here’s how you can join the fight.

Belgium Publishes Law Adapting the Belgian Legal Framework to the GDPR

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (the “Law”) was published in the Belgian Official Gazette.

This is the second step in adapting the Belgian legal framework to the EU GDPR after the Law of 3 December 2017 Creating the Data Protection Authority, which reformed the Belgian Data Protection Authority.

The Law is available in French and Dutch.

“Shifting Left” Requires Remediation Guidance

Shifting security “left” is about more than simply changing the timing of testing. When security shifts to earlier phases of the development lifecycle, it also changes the players responsible for conducting the testing and addressing the results. In the not-so-distant past, the security team would conduct most security testing late in the software development process, pass the results back “over the wall” to developers, and consider their work done. But with the rise of DevOps and DevSecOps, finding and fixing security-related defects is a shared responsibility between security and development.

In addition, security testing has shifted further left, into the realm of the developer. The development team now has primary responsibility for security in the development phase, and is responsible for making sure its code gets both scanned and fixed. The security team has more of an oversight role in the development phase, focusing on goals and policy. This is a significant change that requires entirely new tasks, skills, priorities, and mindset.

But there is one big blocker to this change: the fact that most developers don’t have secure coding skills. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren’t advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don’t provide them adequate training in application security. The bottom line is that most developers won’t know what to do with a long list of security flaws.

It follows that if you shift security left, into developer workflows, without adequate training and guidance, you will not create more secure code; you will instead delay developer timelines and still produce vulnerable code. Shift left only works when developers get the tools and assistance they need to succeed, and a key part of that is remediation guidance. This adds another new task to the security team’s plate: developer training and coaching.

In their recent report, CISO Playbook: Embedding AST in the Software Development Lifecycle, Gartner notes that “organizations can better support AST early in development by prioritizing AST tools and services that integrate into IDEs and produce actionable findings, with an emphasis on the type and quality of information provided to developers. Tools that are fast but contain little guidance on remediation may not achieve the time savings desired, if developers struggle to understand why a vulnerability was introduced and how to fix it.”*

Ultimately, the speed at which you receive security-testing results is meaningless without the guidance needed to address those results.

We have research that supports this idea as well. Each year for our State of Software Security report, we analyze the data accumulated from all the security assessments we performed the previous year. In our most recent report, we found that organizations that take up consulting services offering analysis and advice to developers alongside the scan results show tremendous improvement in fix rates. We compared the flaws per MB among the organizations that took advantage of remediation coaching and those that didn’t, on both their first and last scans of the year. The numbers revealed that remediation consulting can contribute to a whopping 88 percent improvement in an organization’s fix rate. Clearly, if developers are given extra resources to accomplish their security goals, they will make progress on the flaw density in their software.

The bottom line is that application security success is about more than finding security flaws; it’s about fixing them. And in a DevOps world, security and development have to work together to ensure that what gets found gets fixed. Make sure your developers are equipped to fix what they find and truly reduce your application security risk.

To get more best practices on embedding security into the development lifecycle, read the entire Gartner report, CISO Playbook: Embedding AST in the Software Development Lifecycle, mentioned above.


*Gartner CISO Playbook: Embedding AST in the Software Development Lifecycle, Ayal Tirosh, Prateek Bhajanka, 13 July 2018