Category Archives: Software Security

2018 Faces New Threats, But Same old Problems

Every year brings with it a new set of cyber-threats but unfortunately, the cyber-threats of 2017, 2016 and beyond are still with us. Phishing for authentication credentials, social engineering to install

The post 2018 Faces New Threats, But Same old Problems appeared first on The Cyber Security Place.

Password Managers: Business Gains vs Potential Pains

The growth in cybersecurity continues unabated and we see companies investing more and more in the area. According to Gartner, enterprise cybersecurity spending will rise to $96.3bn in 2018. Much

Cryptominers Replace Ransomware as No. 1 Threat

Cryptominers surged to the top of detected malware incidents, displacing ransomware as the No. 1 threat. Comodo Cybersecurity Threat Research Labs’ first-quarter global malware report shows that the world is already

Ransomware, healthcare and incident response: Lessons from the Allscripts attack

The actors behind SamSam launched a devastating attack against Allscripts in January, 2018. As Allscripts worked its incident response plan, things started to unravel. Here are the lessons learned. On

Most Web Apps Contain High-Severity Vulnerabilities

An analysis of web applications shows that 94% of applications tested had at least one high-severity vulnerability. According to Positive Technologies’ Web Application Vulnerabilities in 2017 report, collated through the security

Large scale data breaches provide drive for DevSecOps investments

Breaches related to open source components have grown 50 percent since 2017, and an eye-opening 121 percent since 2014, according to a new survey from open source governance and DevSecOps

Common IT Tools are the Hacker’s Favorites

Malware, along with targeted attacks that can move laterally and evade traditional detection methods, are a huge and growing concern. Popular hacker tools like Mimikatz are being combined with stolen NSA

The continuous fluctuation of Bitcoin comes with the threat of cyber attacks

The cryptocurrency hype seems to have died down for now. But when it inevitably resurges, will there be security implications? Bitcoin is the flavour of the month at the moment, but

Beyond malware: why breach detection is the new normal

As attack methods have grown increasingly complex, breach detection has become a must for organisations. Malware and the understanding of malware variants, families, and strains have been at the heart of

Why it’s time to get serious about crypto-jacking: the ‘new age’ cyber threat

What’s becoming painstakingly apparent amidst these developments is the great lengths hackers will go to in order to take advantage of the systems of both public and private companies. Crypto-jacking

Ransomware incidents double, threatening companies of all sizes

Ransomware is the most common malware used when it comes to breaches, according to Verizon’s 2018 Data Breach Investigations Report. Verizon’s 2018 Data Breach Investigations Report (DBIR) is out, and

Securing your network in the IoT revolution

Instituting a comprehensive device management plan is essential to locking down Shadow IT at your organisation. The relationship between network security and the Internet of Things (IoT) has never been

17% of Workers Fall for Social Engineering Attacks

In tests that imitated the actions of hackers by sending emails to employees with links to websites, password entry forms and attachments, 17% of the messages would have led to

One-Fifth of Open-Source Serverless Apps Have Critical Vulnerabilities

More than 20% of open-source serverless applications contain critical security vulnerabilities, according to an audit by PureSec. An evaluation of 1,000 open-source serverless projects revealed that 21% of them contained

Is blockchain technology really the future of the Internet?

Blockchain technology has the potential to revolutionize how business transactions take place. For those who have no idea who Satoshi Nakamoto is, it is the name used by the unknown person

100% of Web Apps Contain Vulnerabilities

A totality – a full 100% – of web applications are vulnerable to hackers. According to Trustwave’s 2018 Global Security Report, derived from the analysis of billions of logged security and

What should define an enterprise encryption strategy?

The impact of the cyber security landscape is changing, with ‘protecting against specific identified threats’ knocking compliance off the top spot as the number one reason for deploying encryption. Securing

How to Cure the Healthcare System’s ‘Cyberflu’

Expensive, top-heavy, bureaucratic – the healthcare system is all that, but we’re all grateful to be living in an era when medicine has advanced to the point that it keeps

Unaware and Under Attack: Why Cybercrime Must be Top of Mind for Business

I am not really aware of any business in 2018 that doesn’t leverage the internet for their operations. From websites, email, paying bills online or receiving electronic payments, these are

Using biometrics to protect crypto currency

The rise of crypto currency is something that investors have monitored closely. Whether Bitcoin, Zcash or Ripple, the rise of this digital currency is here to stay. With this boom

Open source software security challenges persist

Using open source components saves developers time and companies money. In other words, it’s here to stay. Here’s a look at what it will take to improve open source security.

Does Ransomware-as-a-Service Enable More Cyber-Criminals?

Ransomware is continuing to dominate the headlines, with attacks like WannaCry and NotPetya causing chaos. In fact, last year, over 50% of organizations were hit by ransomware, and on average

Steps to Take to Beat the Insider Threat in 2018

Hackers get the headlines, but a data breach is more likely to originate inside your own office walls. Errors, negligence and malicious intent by employees are the leading causes of

Preventing the Next Ransomware Attack

2018 is quickly moving by us, and while we have yet to see an attack on the scale of 2017’s WannaCry or NotPetya, it’s clear that the adversaries are not

Cryptocurrency Hacking Raises Threats of Financial Vulnerability

After suffering through rampant ransomware attacks, the internet is now being overrun by a new category of threats caused by cryptocurrency miners. As cryptocurrencies take hold and their prices fluctuate,

Cryptojacking takes over from ransomware as cybercriminal’s choice

Symantec report finds cryptocurrency-related hacks gaining popularity at the expense of ransomware. Ransomware may be finally losing its popularity among cybercriminals, who instead are increasingly turning to cryptojacking, research has claimed.

Outdated cyber defences putting companies at risk

Legacy systems are no match for ransomware and other new cyber threats. As cyber threats such as phishing, malware and cryptojacking have grown increasingly sophisticated, new research has revealed that legacy

No-Brainer Strategies to Protect Your IT Infrastructure

According to a survey conducted by Kaspersky Lab and B2B International, 90% of businesses that answered admitted to experiencing a security threat to their IT infrastructure and 46% of them

Criminals Using Web Injects to Steal Cryptocurrency

Man-in-the-browser attacks targeting Blockchain.info and Coinbase websites, SecurityScorecard says. Criminals have deployed a variety of tactics in recent months to try and profit from the cryptocurrency boom. One of them is the

Top Ten Ways to Detect Phishing

Despite being a tactic that pre-dates the internet, and recalls the days of scams surrounding depositing large amounts of money in your bank account, phishing remains a major problem of

Does Patching Make Perfect?

We’ve heard it time and time again: patches and updates are the key to mitigating vulnerabilities that lead to epic Equifax-sized breaches. The logic goes that security incidents can be

Understanding the Relationship Between AI and Cybersecurity

The first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet, the fictional neural net-based group mind from the

Malware leverages web injects to empty users’ cryptocurrency accounts

Criminals trying to get their hands on victims’ cryptocurrency stashes are trying out various approaches. The latest one includes equipping malware with Man-in-the-Browser capabilities so they can hijack online accounts

The Real Reasons Behind Your Web Security Woes

Why is it that so many people struggle to get their arms around web and application security? Some of the answers to this question are quite obvious, but others are

SWAMP, the Software Assurance Marketplace

I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace; it is a great idea and a valuable resource. The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment, and it is available to software developers, software tool developers, and researchers, for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python, with JavaScript and PHP in development. SWAMP will support eight languages by the end of the year. There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating, including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology: the Morgridge Institute and the Department of Computer Sciences at the University of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at the University of Illinois Urbana-Champaign. In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real world; it is not an academic exercise. This is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth. Stay tuned for more on that.

Jack

Software Security – Hackable Even When It’s Secure

On a recent call, one of the smartest technical folks I can name said something that made me reach for a notepad, to take the idea down for further development later. He was talking about why some of the systems enterprises believe are secure really aren't, even if they've managed to avoid some of the key issues.

Let me explain this a little deeper, because this thought merits such a discussion.

Think about what you go through when you test a web application. I can speak to this kind of work because it was my focus for a significant portion of my professional career. Essentially the whole problem comes down to being able to define what the word secure means. Many of the organizations I've watched first-hand stand up a software security program over the years follow the standard OWASP Top 10. It's relatively easy to understand, it's fairly well maintained, and it's relatively easy to test software against. It's hard to argue that the OWASP Top 10 isn't the standard for determining whether a piece of software is secure or not.

Herein lies the problem. As many of you who do software security testing can attest, without at least a structured framework (aka a checklist) to test against, the testing process becomes never-ending. I don't know about you, but I've never had the luxury of taking all the time I needed; everything always needed to go live yesterday, and I or my team was always the speed bump on the way to production readiness. So we first settled on making sure none of the OWASP Top 10 were present in the software and applications we tested. Since this turned up an unreal number of bugs, we narrowed the scope down to just the OWASP Top 2: if we could eliminate injection and cross-site scripting, the applications would be significantly more secure, and everything would be better.

Then another issue surfaced. After all that testing and box-checking, when we were fairly sure the application had no remote file includes, cross-site scripting (XSS), SQL injection or any of that other critical stuff, we allowed the app to go live, and it quickly got hacked. The issue this caused for us was not only one of credibility but also of confusion: how could the app have none of those critical vulnerabilities and still get easily hacked?!

Now back to the issue at hand.

The fact is that even when you've avoided all the common programming mistakes and well-known vulnerabilities, you can still produce a vulnerable application. Look at what eBay is going through right now. Even though there may not be any XSS or SQLi in their code, they still have issues that allow people to take over accounts. Why? Because there is more to securing an application than making sure there aren't any coding mistakes. Fully removing the OWASP Top 10 (good luck with that!) from all your code bases may make your applications safer than they are now, but it won't make them secure. And therein lies the problem.

When you hand your application over to someone who is going to test it for code issues like the OWASP Top 10, and only that, you're going to miss massive bugs that may still lurk in your code. Heartbleed, anyone? Maybe there is a logic flaw in your code. Maybe there is a procedural mistake that lets someone bypass a critical security mechanism. Maybe you've forgotten to remove your QA testing user from your production code. The thing is, you may never find out if you only test for application security issues with traditional or even emerging tools. Static analysis? Nope. Dynamic analysis? Nope. Manual code review? Maybe.

The ugly truth is that unless you have someone who understands not only what the code should do under normal conditions but also what it should never do, you will continue to ship applications with security issues. This is why automated scanners fail. This is why static analysis tools fail. This is why penetration testers can still fail, unless they're thinking beyond the code, in terms of application functionality and performance.
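The failure mode the last two paragraphs describe, as an added example in Python that is not code from the original post: an account-settings service that passes an "OWASP Top 2" review (parameterised SQL, escaped output) yet still lets any logged-in user take over any other account because the logic never checks ownership, carries a leftover QA account, and is caught only by a "what should it never do" check. The users, ids, emails and the `qa_tester` row are all constructed for the example.

```python
"""
Added example (not from the original post): an account-settings service that
is free of SQL injection and XSS yet still vulnerable, because the update logic
never asks whether the session user owns the account being edited, and a QA
account was left in the seed data. All ids, names and emails are constructed.
"""
import html
import sqlite3

# Constructed seed data; the qa_tester row stands in for the forgotten QA login.
SEED_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (99, "qa_tester", "qa@example.test"),
]


def build_db():
    """Fresh in-memory database holding the constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (id, name, email) VALUES (?, ?, ?)", SEED_USERS)
    return db


def get_email(db, user_id):
    row = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def render_profile(db, user_id):
    """Output encoding on the way out: no XSS, whatever the stored value contains."""
    return "<p>Email: %s</p>" % html.escape(get_email(db, user_id) or "")


def update_email_vulnerable(db, session_user_id, target_user_id, new_email):
    """Injection-safe and scanner-clean, but it never asks whether the session
    user may edit target_user_id, so the account id in the request decides."""
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, target_user_id))
    return True


def update_email_hardened(db, session_user_id, target_user_id, new_email):
    """Same query plus the ownership decision the logic was missing. The check
    relies on the server-side session identity, never on the id the caller sent."""
    if session_user_id != target_user_id:
        return False
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, target_user_id))
    return True


def find_leftover_test_accounts(db):
    """Production-readiness check: account names that look like test fixtures.
    The backslash escape keeps the underscore in 'qa_' literal in the LIKE."""
    rows = db.execute(
        "SELECT name FROM users WHERE name LIKE 'qa\\_%' ESCAPE '\\' "
        "OR name LIKE 'test%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def abuse_case_checks(update_fn):
    """The 'what should it never do' test: bob (id 2) tries to change alice's
    (id 1) email, then changes his own. A scanner never asks the first question."""
    db = build_db()
    cross = update_fn(db, session_user_id=2, target_user_id=1, new_email="changed@example.test")
    cross_allowed = cross or get_email(db, 1) != "alice@example.test"
    own_allowed = (
        update_fn(db, session_user_id=2, target_user_id=2, new_email="bob2@example.test")
        and get_email(db, 2) == "bob2@example.test"
    )
    return {"cross_account_edit_allowed": cross_allowed, "own_edit_allowed": own_allowed}


if __name__ == "__main__":
    for fn in (update_email_vulnerable, update_email_hardened):
        print(fn.__name__, abuse_case_checks(fn))
    print("leftover test accounts:", find_leftover_test_accounts(build_db()))
```

Both update functions look identical to a static or dynamic scanner: the SQL is parameterised, the output is escaped, and nothing in the code "looks" wrong. The difference only shows up when a tester writes down an invariant the business process implies (a user may edit only their own account) and exercises it as a negative case; the leftover-account query is the same idea applied to deployment state rather than code.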

The reality is that applications that simply can't afford to fail need to be tested not only by some brilliant security and development minds, but also by someone who understands that beautiful combination of software development, security, and application business processes and design. Someone who looks at your application and says: "You know what would be interesting?"...

In my mind this goes a long way toward explaining why there are so many failing software security programs out there in the enterprise. We seem to be checking all the right boxes, testing for all the right things, and still coming up short. Maybe it's because the structural integrity hasn't been validated by the demolitions expert.

Test your applications and software. Go beyond what everyone tells you to check and look deep into the business processes to understand how entire mechanisms can be abused or bypassed altogether. That's how we're going to get a step closer to having better, safer and more secure code.