PLATFORM SECURITY

Veracode Research Reveals Software Supply Chain Security Shortfalls for Public Sector

Veracode | March 30, 2022

Veracode, a leading global provider of application security testing solutions, has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors. Analysis of data collected from 20 million scans across half a million applications revealed these sector-specific findings as part of Veracode’s annual report on the State of Software Security (SOSS).

“Public sector policy makers and leaders recognize that dated technology and vast troves of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance. In the wake of May 2021's Executive Order to improve the nation's cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need.”

Chris Eng, Chief Research Officer at Veracode

No Time to Waste: Fix More Flaws Faster

Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average—roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical state, local, and educational applications.

Eng continued, “Organizations in this sector must act with urgency. They can improve their secure DevOps practices significantly by using multiple types of scanning—static, dynamic, and software composition analysis—to get a more complete picture of an application’s security, which in turn will help them to improve remediation times, comply with industry regulations, and make the case for increasing application security budgets.”

High Severity Flaws Are Priority One

Demonstrating a positive trend, the public sector ranks highly when it comes to addressing high severity flaws. The research reveals that government entities have made great strides to address high severity flaws, which appear in only 16 percent of applications. In fact, the number of high severity flaws has decreased by 30 percent in the last year alone, suggesting that developers in the sector increasingly recognize the importance of prioritizing flaws that present the greatest risks. This is encouraging and may reflect growing understanding of new software security guidelines, such as those outlined in the U.S. Executive Order on Cybersecurity and the U.K. Government Cyber Security Strategy 2022 – 2030.

Eng closed, “Recognizing that time is of the essence, public sector leaders are beginning to set timelines. For example, in ‘Moving the US Government Toward Zero Trust Cybersecurity Principles’, Shalanda Young has set a deadline of September 30, 2024 for all US federal agencies to meet specific cybersecurity standards. We think that the progress made against high security flaws is a great starting point and support all public sector agencies who seek to gain better control over their software supply chains.”

About the State of Software Security Report
The twelfth volume of Veracode’s annual report on the State of Software Security (SOSS) examines historical trends shaping the software landscape and how security practices are evolving along with those trends. This year’s findings are based on the full historical data available from Veracode services and customers and represent a cross-section of large and mid-sized companies, commercial software suppliers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform.

About Veracode
Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.

Spotlight

Delivering advanced cybersecurity in mobile communications may sound simple, but the reality is a complex, constantly evolving undertaking. The cyberthreat landscape changes literally by the hour and requires constant vigilance and innovation throughout the entire U.S. mobile industry - an industry that provides 3.8 million direct and indirect jobs across the nation. It is a constant risk to be managed, where opposing forces must constantly adapt their strategies and tactics to keep the advantage. 

Related News

DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

JupiterOne Recognized as a Sample Vendor for Cyber Asset Attack Surface Management (CAASM) in Gartner® Hype Cycle™ for Cyber Risk Management, 2022

JupiterOne | August 19, 2022

JupiterOne, the industry's leading provider of cyber asset attack surface management (CAASM) technology, today announced that it was named as a Sample Vendor for CAASM in the latest release of the Gartner Hype Cycle for Cyber Risk Management, 2022.

According to Gartner, "In 2022, the global risk landscape continues to be impacted by the ongoing COVID-19 pandemic conditions, the Russian invasion of Ukraine, labor shortage, worsening climate change, and inflation. In particular, the increased inflation rate and labor market tightness mean that organizations must do more with fewer resources."

The Gartner report notes that security and risk management (SRM) leaders continue to struggle to:

"- Position risk management as a decision-making practice, either because of their rigid focus on framework-based controls or inability to scale their security and risk controls for individual projects.
- Inform cyber and technology decisions in an ever-expanding operating ecosystem.
- Gain sufficient transparency in evaluating environmental, social and governance risks and incidents, local and worldwide.
- Mitigate global supply chain risks as these risks continue to form a web of complexity and volatility.
- Look for ways to automate and inform risk assessment with data-driven insights."

One solution category that addresses these challenges is the cyber asset attack surface management (CAASM) space, where solutions aggregate and track assets such as endpoints, servers, devices, and applications. By consolidating internal and external cyber assets, users can use queries to find gaps in coverage for security tools such as vulnerability assessment and endpoint detection and response (EDR) tools. JupiterOne pioneered a graph-based approach to CAASM that allows customers to track and monitor IP addresses and analyze and map all intra-asset relationships.

As the Gartner analysts explained, "CAASM enables security teams to improve basic security hygiene by ensuring security controls, security posture, and asset exposure are understood and remediated. Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes, and remediate gaps either manually or via automated workflows. Organizations can visualize security tool coverage, support attack surface management (ASM) processes, and correct systems of record that may have stale or missing data."

The drivers of CAASM adoption, according to Gartner, include:

"- Full visibility into all information technology (IT), Internet of Things (IoT) and operational technology (OT) assets under an organization's control, which improves understanding of the attack surface area and existing security control gaps or serves as part of a wider ASM process.
- Quicker audit compliance reporting through more accurate, current and comprehensive asset and security control reports.
- Consolidation of existing products that collect asset and exposure information into a single normalized view, which reduces the need for manual processes or dependencies on homegrown applications.
- Access to consolidated asset views for multiple individuals and teams across an organization, such as enterprise architects, security operations teams and IT administrators, who can benefit from viewing and querying consolidated asset inventories with a view to achieving business objectives."

The recent Gartner report on Top Trends in Cybersecurity 2022 cited "Attack Surface Expansion" as one of the year's top security trends resulting from the expanding digital footprint of modern organizations. According to the report, "A dramatic increase in attack surface is emerging from changes in the use of digital systems, such as new hybrid work, accelerated use of public cloud, more tightly interconnected supply chains, expansion of public-facing digital assets and increased use of operational technology."

In our opinion, security leaders who reinvent the cybersecurity function and technology architecture can better position their organizations to maintain and grow value in an increasingly agile, distributed, and decentralized environment.

JupiterOne was named a Sample Vendor for CAASM in the latest release of the Gartner Hype Cycle for Security Operations, 2022. The report is available for complimentary download from JupiterOne. Additionally, Gartner recognized JupiterOne as a Representative Provider for CAASM in the Innovation Insights for Attack Surface Management and as a Sample Vendor in the Gartner Hype Cycle for Workload and Network Security, 2022 research reports.

"JupiterOne is honored to receive yet another recognition from Gartner. Right now, the world is full of uncertainty, making it challenging to conduct business. More than ever, businesses must prioritize effective security measures. Security leaders can get invaluable insights by tracking their assets and making efficient use of their resources. Overall, organizations can make better data-driven business decisions while keeping security risks in mind."

Erkang Zheng, Founder and CEO at JupiterOne

About JupiterOne
JupiterOne is a cyber asset attack surface management (CAASM) platform company providing visibility and security into your entire cyber asset universe. Using graphs and relationships, JupiterOne provides a contextual knowledge base for an organization's cyber asset operations. With JupiterOne, teams can discover, monitor, understand, and act on changes in their digital environments. Cloud resources, ephemeral devices, identities, access rights, code, pull requests, and much more are collected, graphed, and monitored automatically by JupiterOne.


SOFTWARE SECURITY

CertiK Reaches for the Skies With the Release of Its New Security Services

CertiK | July 16, 2022

CertiK, the leading global Web3 and blockchain security firm, today announced the launch of several web3 Skynet security features to bolster end-to-end security for the web3 world. New features include:

- Skynet Trust Score - a new scoring mechanism aimed at simplifying the definition of crypto project risk, increasing transparency into scoring mechanisms and demonstrating market health.
- Skynet Cohort Analysis Panel - a way for projects to see how they rank against other similar projects in order to help users contextualize the risk of a project by displaying its performance against comparable projects.
- Badges and honors for project achievements to strengthen credentials in their respective fields.

The Skynet service, launched in June 2021, uses a comprehensive set of signals, curated from code scanning analysis, on chain security analytics, and machine learning to provide 24/7 monitoring of threats for crypto projects. To date, Skynet has helped to protect and monitor over 4 billion transactions.

As part of its strategy, CertiK set out on a mission to address both business and consumer value services through its security leaderboard found on its website. Delivering on this promise, CertiK’s release of new Skynet features provides further simplicity and transparency to consumers around project risk, while also giving credit to projects where needed through badges and honors.

“We’re very excited to launch these new Skynet features. Through feedback from customers and the community, we’ve recognized the need to innovate around security risk in a simpler way that caters to both business and consumer needs. This is just the beginning of our journey as we continue to innovate in response to community needs and deliver on our promise of securing the web3 world.”

Kevin Liu, Chief Product Officer at CertiK

As part of its portfolio expansion, CertiK also recently released on its Twitter an autonomous security alert channel, which provides real-time alerts to the community on hacks, flash loan attacks, rugpulls and suspicious activity. To date, CertiK has flagged over $1.45 Billion in security incidents since the release of the service in February this year. The growing demand for Web3 security has driven further development and operation of more innovative and data-driven security products for the blockchain industry. CertiK is meeting these demands through innovative products like Security Leaderboard, Code Auditing, KYC and now this next series of Skynet security features.

About CertiK
CertiK’s mission is to secure the Web3 world. Starting with blockchain, CertiK applies cutting-edge innovations from academia into Enterprise, enabling mission-critical applications to be built with security and accuracy. Headquartered in New York City, CertiK was founded by computer science professors Ronghui Gu and Zhong Shao. CertiK is backed by industry leaders, including Insight Partners, Tiger Global, Sequoia, Coatue Management, Advent International, Goldman Sachs, Lightspeed, SoftBank Vision Fund 2, Hillhouse Capital, Binance, Coinbase Ventures, and more.


DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

Aunalytics Launches Security Patching Platform as a Service

Aunalytics | September 27, 2022

Aunalytics, a leading data management and analytics company delivering managed IT and data platform services for mid-sized and enterprise businesses, today initiated its Security Patching Platform, Co-managed Patching as a Service to complement the company’s Advanced Security solution suite. Windows OS and supported 3rd party patch management allow for tighter security in the defense against cyberattacks and the new offering ensures active remediation.

According to a 2022 Data Breach Investigations Report by Verizon, around 70 percent of successful cyberattacks exploited known vulnerabilities with available patches, making it important to update operating systems and applications regularly to prevent such attacks. Now, Aunalytics’ new technology as a service includes the tools, structure, strategy and intelligence for managing patch deployment and is a complete solution with best practices, templates, libraries, and built-in alert thresholds.

Lack of security patching leads to vulnerabilities within an organization’s information systems, internal controls, or system processes, which can then be exploited by cybercriminals. Using a collection of tools, cyber attackers use the vulnerability to gain unauthorized access to corporate systems and data. Identifying and resolving vulnerabilities is very important since a successful exploit can lead to a full-scale system breach. Workstation and server application patching ensures that organizations have baseline protection against the latest security vulnerabilities, preventing such attacks before they occur.

However, patching can be difficult to manage and update in real-time as software fixes are published on an ongoing basis. Setting up and coordinating manual patching across an organization can be extremely cumbersome, taking days to organize, schedule, and execute across an entire company. McKinsey cites good patch management as a top proactive maintenance measure that can help organizations prevent cyberattacks. However, knowing the priority level for patch installment can be confusing and lead to poor patch management as a result. Enlisting the help of a partner to employ security patching best-practices can add true value to many organizations.

Aunalytics patch detection, download, and installment methods are developed considering each client's security and uptime requirements and prioritized in order of threat potential. Aunalytics’ experienced security patching team proactively monitors for updates, eliminating worry for end users and server administrators. As part of the new service, users gain access to comprehensive security solutions with customized alerting and vulnerability prioritization, leveraging proprietary solutions and processes. The platform facilitates collaboration between IT and security teams and includes the following capabilities:

- Inventory and performance management and proactive alerting
- Patch deployment control strategy, prioritization, planning
- Patch vetting and blacklisting intelligence
- Windows Operating System patch management
- Supported 3rd Party Patch Management
- Anti-Malware
- DNS-based Malware Protection
- Device Encryption Management
- Innovative management tool library

“Security patch exploits can have extremely damaging effects on an organization, decreasing revenues or causing reputational damage, making it imperative to have security patching in place. Aunalytics’ Security Patching Platform services allow for the rapid resolution of these concerns to maintain the highest levels of cyber-resiliency.”

Chris Nicholson, Vice President of Managed IT Services

About Aunalytics
Aunalytics is a leading data management and analytics company delivering Insights-as-a-Service for mid-sized businesses and enterprises. Selected for the prestigious Inc. 5000 list for two consecutive years as one of the nation’s fastest growing companies, Aunalytics offers managed IT services and managed analytics services, private cloud services, and a private cloud-native data platform for data management and analytics. The platform is built for universal data access, advanced analytics and AI -- unifying distributed data silos into a single source of truth for highly accurate, actionable business information.