PLATFORM SECURITY,SOFTWARE SECURITY,END POINT PROTECTION
Wallarm | January 23, 2023
Wallarm, a leading end-to-end API security provider, has recently announced the early release of the Wallarm API leak management solution, an improved API security technology designed to assist organizations in identifying and remediating attacks exploiting leaked API keys and secrets while also providing ongoing protection against hacks in the event of a leak.
Given the recent increase in hacks involving leaked API keys and other API secrets, Wallarm developed the API leak management solution in order to give a comprehensive solution for this issue by automatically detecting leaked API keys and secrets, implementing controls to prevent their use, and protecting against any follow-on attacks. As a result, it prohibits unwanted access to sensitive data within enterprises while also protecting their internal operations and customers from unauthorized use of that data.
With the average cost of an API leak incident being $1.2 million per year, protecting API keys is a security and financial need. However, as locating and revoking API keys is both time-consuming and resource-intensive, Wallarm's proactive API leak management solution focuses on automated detection, remediation, and control using a three-pronged approach:
Detect - Wallarm automatically searches public sources for leaked API secrets, which hackers can discover and exploit in under a minute.
Remediate - Regardless of protocol, Wallarm immediately blocks requests that use compromised API secrets across the entire API portfolio.
Control - Wallarm also continuously monitors and prevents the use of leaked API secrets.
The Wallarm API leak management solution is the first of its kind in the API security space and is coupled with other Wallarm capabilities such as API threat prevention, API discovery and cloud-native WAAP. Wallarm’s API security platform provides customers with full-spectrum visibility, detection, and security for their entire web application and API portfolio, regardless of protocol or environment. This minimizes tool sprawl and costs while also increasing risk management and fostering innovation.
Wallarm, founded in 2016, provides End-to-End API Security solutions to safeguard web applications, APIs, microservices, and serverless workloads in cloud-native environments. With its commitment to developing the cybersecurity industry, it has designed a new security platform to defend tech firms and Global 2000 enterprises throughout their journey from their legacy apps to APIs in cloud-native infrastructures. Hundreds of Security and DevOps teams use Wallarm to discover all of their web apps and API endpoints, traffic flows, and sensitive data consumption for total visibility, secure their whole API portfolio against emerging risks, and respond to incidents automatically for better risk management.
ENTERPRISE SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY
Telos Corporation | January 09, 2023
SteelCloud LLC, a leading CIS and STIG compliance automation software developer and Telos Corporation, a renowned provider of cyber, enterprise, and cloud security solutions to the world's most security-conscious organizations, recently announced entering into a partnership to assist customers in reducing the complexity of NIST Risk Management Framework (RMF) compliance. Customers gain access to all seven RMF phases via a unified, automated solution.
SteelCloud's ConfigOS capabilities take care of the identify/ categorize, select, and implement components of RMF for technical assets. ConfigOS examines an asset, determining whether Security Technical Implementation Guides (STIG) apply, scanning against the STIG standards, identifying compliance indicators, and automating the remediation of findings. Meanwhile, Xacta incorporates and uses this information during the RMF's assessment and authorization processes, as well as when the monitor step is initiated once authorization to operate (ATO) is obtained.
Working together, ConfigOS and Xacta drive decisions to address identification and selection problems while reporting important indicator metrics required to achieve and sustain ATO. STIG and vulnerability data from ConfigOS are integrated into Xacta and mapped to appropriate requirements as part of Assessment and Authorization (A&A), providing customers with a streamlined approach to gaining necessary permissions. Xacta's workflow automation streamlines the whole NIST RMF workflow, managing validation, analysis, documentation, and accreditation processes from start to end.
About Telos Corporation
Telos Corporation provides solutions for continuous security assurance of personnel, systems, and information to the world's most security-conscious enterprises, empowering and protecting them. The company offers enterprise security solutions for identity and access management, organizational messaging, secure mobility, and network management and defense. Telos Corporation serves commercial organizations, regulated sectors, and government customers all around the world.
SteelCloud is a company that creates STIG and CIS compliance software for government and business clients. The company's product reduces the complexity, effort, and cost of implementing federal security standards by automating policy and security repair. SteelCloud has provided enterprise-wide security policy-compliant solutions, easing setup, and ongoing security and compliance support. SteelCloud goods are simple to obtain through our GSA Schedule 70 contract.
ENTERPRISE SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY
Wiz | December 15, 2022
Wiz, the leading cloud security platform that rapidly enables customers to find and remove critical cloud risks, today announced its newest project, The PEACH framework, a tenant isolation framework for cloud applications. This framework will enable industry-wide collaboration and provide cloud customers and cloud application developers with the necessary guidance to build cloud services securely and prevent critical risks in the implementation process.
"Over the past year and a half, Wiz researchers and other members of the cloud security community discovered several cross-tenant vulnerabilities in various multi-tenant cloud applications. "Although these issues have been reported extensively and were dealt with appropriately by the relevant vendors, we've seen little public discussion on how to mitigate such vulnerabilities across the entire industry. This is where we see an opportunity to strengthen the collaboration between members of the security community."
Wiz CEO Assaf Rappaport
Beyond offering a guideline for organizations, PEACH is a starting point for empowering security teams to work together to establish standard transparency and common language when it comes to mitigating cloud threats.
Serving as a step-by-step framework for modeling and improving SaaS and PaaS tenant isolation, PEACH manages the attack surface exposed by user interfaces and provides a clear standard for transparency on tenant isolation assurance. Wiz developed the following parameters based on lessons learned to address the rising cross-tenant vulnerabilities, lack of a standard for transparency, and missing common langue among vendors:
Privilege hardening – ensure tenants and hosts have minimal permissions in the service environment.
Encryption hardening – confirm the data belonging to each tenant is encrypted with a unique key, regardless of where the information is stored.
Authentication hardening – validate that communication between each tenant and the control plane use authentication with a validated key unique to each tenant.
Connectivity hardening – establish that all inter-host connectivity is blocked by default unless explicitly approved by the tenants involved.
Hygiene – verify that unnecessary secrets, software and logs scattered throughout the environment are purged to avoid leaving clues or enabling quick wins for malicious actors.
The second part of the security review process consists of remediation steps to manage the risk of cross-tenant vulnerabilities and improve isolation as necessary. These include reducing interface complexity, enhancing tenant separation, and increasing interface duplication -- all while accounting for operational context such as budget constraints, compliance requirements, and expected use-case characteristics of the service.
This framework was reviewed and collaborated on with cloud security industry experts from AWS, Google, IBM, Netflix and Cisco. Instead of commercializing PEACH though, Wiz will be offering the framework for free.
Wiz secures everything organizations build and run in the cloud. Founded in 2020, Wiz is the fastest-growing software company in the world, scaling from $1M to $100M ARR in 18 months. Wiz enables hundreds of organizations worldwide, including 30 percent of the Fortune 100, to rapidly identify and remove critical risks in cloud environments. Its customers include Salesforce, Slack, Mars, BMW, Avery Dennison, Priceline, Cushman & Wakefield, DocuSign, Plaid, and Agoda, among others. Wiz is backed by Sequoia, Index Ventures, Insight Partners, Salesforce, Blackstone, Advent, Greenoaks and Aglaé.