PLATFORM SECURITY

Veracode Research Reveals Software Supply Chain Security Shortfalls for Public Sector

Veracode | March 30, 2022

Veracode, a leading global provider of application security testing solutions, has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors. Analysis of data collected from 20 million scans across half a million applications revealed these sector-specific findings as part of Veracode’s annual report on the State of Software Security (SOSS).

"Public sector policy makers and leaders recognize that dated technology and vast troves of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance. In the wake of May 2021's Executive Order to improve the nation's cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need.”

Chris Eng, Chief Research Officer at Veracode

No Time to Waste: Fix More Flaws Faster

Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average—roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical state, local, and educational applications.

Eng continued, “Organizations in this sector must act with urgency. They can improve their secure DevOps practices significantly by using multiple types of scanning—static, dynamic, and software composition analysis—to get a more complete picture of an application’s security, which in turn will help them to improve remediation times, comply with industry regulations, and make the case for increasing application security budgets.”

High Severity Flaws Are Priority One

Demonstrating a positive trend, the public sector ranks highly when it comes to addressing high severity flaws. The research reveals that government entities have made great strides to address high severity flaws, which appear in only 16 percent of applications. In fact, the number of high severity flaws has decreased by 30 percent in the last year alone, suggesting that developers in the sector increasingly recognize the importance of prioritizing flaws that present the greatest risks. This is encouraging and may reflect growing understanding of new software security guidelines, such as those outlined in the U.S. Executive Order on Cybersecurity and the U.K. Government Cyber Security Strategy 2022 – 2030.

Eng closed, "Recognizing that time is of the essence, public sector leaders are beginning to set timelines. For example, in “Moving the US Government Toward Zero Trust Cybersecurity Principles”, Shalanda Young has set a deadline of September 30, 2024 for all US federal agencies to meet specific cybersecurity standards. We think that the progress made against high security flaws is a great starting point and support all public sector agencies who seek to gain better control over their software supply chains."

About the State of Software Security Report
The twelfth volume of Veracode’s annual report on the State of Software Security (SOSS) examines historical trends shaping the software landscape and how security practices are evolving along with those trends. This year’s findings are based on the full historical data available from Veracode services and customers and represent a cross-section of large and mid-sized companies, commercial software suppliers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform.

About Veracode
Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.

Spotlight

Talking about the threat landscape is no substitute for experiencing it first-hand. "M-Trends 2015: A View from the Front Lines," distills the insights gleaned from hundreds of Mandiant incident response investigations in more than 30 industry sectors. The report provides key insights, statistics, and case studies illustrating how the tools and tactics of advanced persistent threat (APT) actors have evolved over the last year.

Spotlight

Talking about the threat landscape is no substitute for experiencing it first-hand. "M-Trends 2015: A View from the Front Lines," distills the insights gleaned from hundreds of Mandiant incident response investigations in more than 30 industry sectors. The report provides key insights, statistics, and case studies illustrating how the tools and tactics of advanced persistent threat (APT) actors have evolved over the last year.

Related News

NETWORK THREAT DETECTION

Lacework Quarterly Cloud Threat Report Shows the Automated Techniques Cybercriminals are Using to Attack Businesses in the Cloud

Lacework | August 31, 2021

Lacework, the data-driven security platform for the cloud, today released its quarterly cloud threat report, unveiling the new techniques and avenues cybercriminals are infiltrating to profit from businesses. The rapid shift of applications and infrastructure to the cloud creates gaps in the security posture of organizations everywhere. This has increased the opportunities for cybercriminals to steal data, take advantage of an organization's assets, and to gain illicit network access. "It's in enterprises' best interest to start thinking of cybercriminals as business competitors," said James Condon, Director of Research at Lacework. "Last year alone, cybercrime and ransomware attacks cost companies $4 billion in damages. As more companies shift to cloud environments, we're seeing an increase in demand for stolen access to cloud accounts and evolving techniques from cybercriminals, making enterprises even more vulnerable to cloud threats." New research from Lacework Labs, the dedicated research team at Lacework that focuses on new threats and attack surface risks within the public cloud, sheds light on the crimeware and growing ransomware landscape in the face of new threat models and emerging cybersecurity challenges. Based on anonymized data across the Lacework platform from May 2021 - July 2021, key findings of the report include: Initial Access Brokers (IABs) Expand to Cloud Accounts As corporate infrastructure continues to expand to the cloud, so do opportunistic adversaries as they look to capitalize on the opportunity. Illicit access into cloud infrastructure of companies with valuable data/resources or wide-reaching access into other organizations offers attackers an incredible return on investment. In particular, Lacework Labs found Amazon AWS, Google Cloud, and Azure administrative accounts are gaining popularity in underground marketplaces. Threat Actor Campaigns Continue to Evolve: Lacework Labs has observed a variety of malicious activity originating from known adversary groups and malware families. This section showcases those who continue evolving their operators as a valuable return on investment: 8220 Gang Botnet and Custom Miner: Lacework Labs recently found a new cluster of activity linked to an 8220 Gang adversary group campaign of infecting hosts, primarily through common cloud services, with a custom miner and IRC bot for further attacks and remote control. This cluster shows operations are evolving on many levels, including efforts of hiding botnet scale and mining profits.This is indicative of attacks growing in size. TeamTNT Docker Image Compromise: The Lacework Labs team discovered threat actor TeamTNT backdooring legitimate Docker Images in a supply chain-like attack. Networks running the trusted image were unknowingly infected. Developer teams need to be certain they know what's in the image they pull. They need to validate the source or they could open a door to their environment. Popular cloud relevant crimeware and actors: Cpuminer, the open-source multi-algorithm miner, has been legitimately used for years. However, Lacework Labs observed an increase in its illicit use for cryptomining altcoins. Monero and XMRig are the most common accounts for cryptomining against cloud resources, hence activity involving lesser-seen coins and tools may be more likely to go undetected. Cloud services probing: Lacework Labs captures a range of telemetry in both product deployments and custom honeypots, which allows the company to see trends relevant to cloud defense purposes. For these sources, many cloud-relevant applications are continually targeted, but Lacework found that AWS S3, SSH, Docker, SQL and Redis were by far the most targeted. Based on the findings of this report, Lacework Labs recommends that defenders: Ensure Docker sockets are not publicly exposed and appropriate firewall rules/ security groups and other network controls are in place. This will help to prevent unauthorized access to network services running in an organization. Ensure the access policies you set via the console on S3 buckets are not being overridden by an automation tool. Frequent auditing of S3 policies and automation around S3 bucket creation can ensure data stays private. About Lacework Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so our customers can innovate with speed and safety. Polygraph is the only security solution that can collect, analyze, and accurately correlate data across an organization's AWS, Azure, GCP, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., with offices all over the world, Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, Liberty Global Ventures, and Snowflake Ventures, among others.

Read More

ENTERPRISE SECURITY

SecurityScorecard Partners with Tenable to Deliver Complete Cyber Risk Monitoring

SecurityScorecard | August 23, 2021

SecurityScorecard, the global leader in security ratings, today announces a partnership with Tenable the Cyber Exposure company, to deliver a comprehensive view into an organization's risk posture by marrying Tenable's unmatched visibility and depth of analytics into enterprise environments with external cyber monitoring powered by SecurityScorecard. As a result of this partnership, CISOs, IT leaders and security teams are able to review their SecurityScorecard rating, assess their external cybersecurity health, and understand their risk posture directly within the Tenable Lumin dashboard. "Understanding your up-to-date risk posture has become a necessity in a world that's increasingly more complex, dynamic and transient," said Ray Komar, vice president of technical alliances, Tenable. "We're excited to partner with SecurityScorecard to give customers complete visibility into the risks that exist inside and outside their environment, and guidance for how to most effectively reduce that risk, all in a single platform." Point-in-time or periodic cybersecurity testing procedures have become antiquated. Today's cyber risks change by the minute and companies need a solution that keeps pace with the dynamic nature of cybersecurity by continuously monitoring for exposures and measuring the security posture and cyber resilience across the organization. "Organizations must be proactive to address cyber breaches, and security ratings are the foundation to measuring and understanding security resilience in real time," says Aleksandr Yampolskiy, CEO and co-founder of SecurityScorecard. "Together, SecurityScorecard and Tenable are advancing a new standard for continuous monitoring by blending external and internal risk assessments, which provide organizations with a holistic view into the risks that exist in their environments." The integration pairs Tenable Lumin's advanced analytics capabilities for assessing risk alongside real-time visibility of external vulnerabilities from SecurityScorecard. This arms Tenable Lumin customers with the intelligence to develop external risk management and threat detection playbooks through real-time updates, allowing organizations to effectively identify and respond to threats and risks. SecurityScorecard continuously monitors millions of entities globally, and uses non-intrusive proprietary methods to assess their security posture across ten risk categories to instantly deliver an easy-to-understand "A" through "F" rating; including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence. On a daily basis, these ratings are updated based on objective, publicly-available data that, similar to credit ratings, provides an "outside-in" view of an entity's security posture. About SecurityScorecard Funded by world-class investors including Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital and others, SecurityScorecard is the global leader in cybersecurity ratings with tens of millions of companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard's patented rating technology is used by over 18,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, and cyber insurance underwriting. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every company has the universal right to their trusted and transparent Instant SecurityScorecard rating.

Read More

DATA SECURITY

Guardforce AI Bolsters its Cybersecurity and Robot as a Service Solution Services

prnewswire | November 16, 2020

Guardforce AI Ltd. ("Guardforce AI"), a confided in incorporated security arrangements supplier in Asia, reported two key activities to support its security administrations and contributions in the district. Online protection offering Guardforce AI declared today an organization concurrence with Hong Kong-based entrance testing organization Handshake Networking Ltd ("Handshake") to offer organization hazard evaluation administrations in the Asia Pacific area, hoping to catch new open doors in the flourishing business sector for online protection and oversaw security administrations in the locale. As a feature of the arrangement, Guardforce AI will dispatch GFAI RECON "fueled by" Handshake, a devoted digital danger evaluation administration to support little and medium-sized endeavors (SMEs), corporate customers, schools, clinics and different organizations distinguish and recognize weaknesses in their organizations. Asia Pacific's network safety market was esteemed at US$30.5 billion out of 2019, and it is required to enlist a CAGR of 18.3%, during the time of 2020-2025, as indicated by a report from research firm Mordor Intelligence. Digital hoodlums have gotten progressively dynamic as organizations of all sizes move increasingly more of their organizations internet, driving SMEs and huge enterprises the same to commit more assets to battle possible online dangers. "Guardforce AI is always looking to identify and partner with strategic technology providers to enhance the security of our established long-standing customer base in Thailand and capitalize on those new relationships to win new customers in Asia Pacific," said Terence Yap, Chairman of Guardforce AI. "We are continuing to see a converging trend in the physical and cyber world. As such, Guardforce AI will double down its efforts to identify opportunities and develop solutions that will enable us to remain relevant." Dispatched in 2004, Handshake offers a wide assortment of data security consultancy administrations, including entrance testing and weakness evaluation, data frameworks review, consultancy, PC crime scene investigation and security mindfulness preparing. Handshake's prime supporter and Managing Consultant Richard Stagg stated, "We are anticipating having the option to bring our data security ability to Guardforce AI's current clients, and working close by Guardforce AI to additionally build up the market for such administrations across Asia Pacific. The danger to data frameworks has never been higher, so helping organizations and associations prepared themselves for assaults and get ready successful reactions is a mission we pay attention to very". Overseen administrations development with robots Guardforce AI has likewise as of late revealed a robot as a help (RaaS) answer for the business and public areas to encourage warm imaging and temperature estimations. The organization has sent in excess of 100 robots to date in its home market in Thailand, just as in Singapore, Hong Kong, Macau and Malaysia, as a component of a methodology to venture into other security applications and oversaw security administrations and construct new repeating income streams with its current client base and key accomplices in the district. With a background marked by over 38 years in Thailand, Guardforce AI is focused on ensuring money and other high-esteem resources for government associations and organizations, including banks and retailers. Guardforce AI conveys its expert administrations all through Thailand through 21 branches and an armada of in excess of 450 made sure about vehicles. Utilizing inventive innovations that upgrade wellbeing and security, Guardforce AI assists customers with working securely in a universe of complex and advancing dangers. About Guardforce AI Co., Ltd. Guardforce AI Co. Ltd. is a leading integrated security solutions provider that is trusted to protect and transport the high-value assets of public and private sector organizations. Developing and introducing innovative technologies that enhance safety and protection, Guardforce AI helps clients adopt new technologies and operate safely as the Asia Pacific business landscape evolves.

Read More