DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY
Legit Security | December 12, 2022
Legit Security, a cyber security company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that it discovered a new class of software supply chain vulnerabilities that leverage artifact poisoning to attack underlying software development pipelines. The vulnerability was found in GitHub Actions, a platform for orchestrating and automating software development pipelines, and the vulnerability was identified in the highly popular programming language Rust. Many other GitHub Action projects remain potentially vulnerable and a technical disclosure blog including information to protect organizations from attack is available on Legit Security’s website.
The discovered pipeline vulnerability could allow any GitHub user to replace legitimate development artifacts with malicious ones, enabling attackers to modify source code, steal secrets and create CodeCov-like wide-reaching software supply chain attacks. Rust, an extremely popular programming language used by millions of developers, acknowledged and fixed the vulnerability after initial disclosure by the Legit Security Research Team.
GitHub Actions is part of the extremely popular GitHub source code management system at the heart of many organization’s software supply chains and used by software developers globally. The vulnerability affects the GitHub Actions artifacts storage mechanism, which is used to store and transfer build artifacts between software development build jobs. Due to a limitation in the cross-workflow artifact communication mechanism, vulnerable workflows cannot distinguish between legitimate project artifacts and artifacts that were created by the project’s forks or copies, allowing any user to create a fork, and then craft a malicious artifact that will be treated as a legitimate one.
“This is a different class of vulnerability that can lead to attacks and modification of the development pipeline itself, not just modification of the code. “A simple analogy could be made to a car assembly line. This is an attack on the assembly line itself that could include stealing sensitive parts, turning off certain steps, or substituting any valid part for a malicious one. It’s a powerful attack vector that gives cyber criminals a lot of options to inflict damage. In this case, the vulnerable targets are software supply chains that use GitHub Action.”
Liav Caspi, co-founder and CTO, Legit Security
The Legit Security Research Team also disclosed the security issue to the GitHub security team. GitHub responded by simply updating their API to include information that could help prevent this vulnerability. It should be noted that GitHub didn’t address the root cause of the issue, thus leaving many other GitHub Action projects vulnerable to the aforementioned software supply chain attacks. Legit Security’s technical disclosure blog includes important information on how to protect organizations from this type of attack. More information about general GitHub security best practices can also be found here.
Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.
DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY
1Password | November 07, 2022
1Password, a leader in human-centric security and privacy, today announced the acquisition of Passage, a developer-first passwordless authentication company. 1Password will use Passage's technology to launch a passwordless authentication platform for enterprises – enabling a safer, simpler, and more secure end-user experience across any platform or device.
"1Password is focused on empowering companies and consumers to have safer and simpler digital experiences. As the world evolves, that means helping companies and consumers navigate all the complexities on the path to a passwordless future," said Jeff Shiner, chief executive officer of 1Password. "With today's Passage acquisition, we are committing to giving businesses and end users what they want and deserve: the convenience of passwordless without compromising security."
Together, 1Password and Passage Identity will enable developers, businesses, and consumers to make progress toward a passwordless future by accelerating adoption of passkeys. Passkeys represent the opportunity to replace passwords in favor of more secure and seamless user experiences. With passkeys, the pain of forgotten passwords is a thing of the past, and users minimize exposure to phishing attacks. For businesses, passwordless authentication can improve top- and bottom-line revenue by eliminating forgotten customer passwords and reducing sign-up friction.
"Passwords are ubiquitous, but ever-changing requirements can make them a hassle to use, and that can harm the user experience and cause real ramifications for businesses. "1Password's market leadership and human-centric mission make them a natural fit to achieve our shared vision of a secure, user-friendly experience that enables businesses to deliver a frictionless and safe experience to users on any device – no QR codes required."
Cole Hecht, co-founder and chief executive officer of Passage
The entire Passage team, including co-founders Cole Hecht (CEO) and Anna Pobletts (CTO), will bring their technical expertise and exclusive focus on passkey authentication to 1Password. The Passage team will continue to focus on developing passkey-first authentication for consumer-facing businesses. This solution will be available in beta in early 2023.
The FIDO Alliance is an open industry association focused on improving authentication standards to minimize password use and improve online security. "Enterprises around the world are rapidly adopting FIDO-based solutions in order to accelerate the journey toward a safer, passwordless future," said Andrew Shikiar, executive director and CMO of the FIDO Alliance. "With the Passage acquisition, 1Password has bolstered their solution offering which stands to help more companies reduce reliance on passwords in favor of user-friendly and unphishable FIDO authentication."
1Password's human-centric security keeps people safe, at work and at home. Our solution is built from the ground up to enable anyone – no matter the level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning security platform is re-shaping the future of authentication, including passwordless. 1Password is trusted by over 100,000 businesses such as IBM, Slack, Snowflake, Shopify, and Under Armour and protects the most sensitive information of millions of individuals and families across the globe. The company's ultimate goal is to help consumers and businesses get more done in less time – with security and privacy as a given.
INFOSEC PROJECT MANAGEMENT,PLATFORM SECURITY,SOFTWARE SECURITY
NowSecure | January 03, 2023
NowSecure, the leader in standards-based mobile app security and privacy software, announced the introduction of its latest solution, NowSecure Mobile Pen Testing as a Service (PTaaS), which will bridge the gap between manual and automated mobile security assessments for continuous security.
NowSecure PTaaS is designed to provide mobile developers and security teams with a more cost-effective and efficient pen testing solution. The solution combines periodic expert manual assessments with continuous automated testing to optimize comprehensive coverage at a higher frequency. With this combination, the all-inclusive portal and service can instantly discover concerns early in the developer pipeline, provide consulting help to repair security issues promptly, and accelerate the release of high-quality software into production.
As organizations struggle with tightening budgets in conjunction with an increased threat of mobile cyber assaults, there is an industry demand for a cost-effective, higher-coverage, higher-frequency, mobile AppSec testing solution.
"According to Coalfire and NowSecure's 4th Annual Penetration Risk Report, 99% of mobile applications pose security or privacy threats."
By integrating NowSecure's latest offering, Mobile PTaaS, CISOs and security leaders can optimize their budget for penetration testing while prioritizing continuous, comprehensive security testing. The NowSecure Mobile PTaaS cloud-based platform, built on tens of thousands of pen tests and over 12 years of mobile application security experience, provides a comprehensive set of automatic, continuous, and manual assessments, including:
Expert pen testing periodically depending on the specific demand and timeline
On-demand and continuous security testing is built into the CD/CI and dev toolchains
Automatic ticket generation with incorporated remedial resources
Consultation with an experienced pen tester on remediation
Optional industry standard(s) certifications and validations
All-in-one SAST, IAST, DAST, APISec, and SBOM
Simple-to-use dedicated SaaS platform
A Chicago-based mobile security company, NowSecure safeguards the worldwide mobile app economy as the leading authority in standards-based mobile application privacy and security automation. The company is trusted by the most demanding enterprises for its comprehensive security testing solution package for DevSecOps, mobile app supply-chain monitoring, Pen Testing as a Service (PTaaS), professional mobile pen testing, and training courseware.
NowSecure actively contributes to and supports the open-source mobile security community, industry standards, and certifications such as ADA MASA, OWASP MASVS, NIAP, ioXt, and others. The firm is SOC 2-certified and has been recognized by Gartner, IDC, TAG Cyber, and Deloitte Fast 500.