Green Party Asks for Contact Details over HTTP Connection

None | January 20, 2016

"The Green Party has added a privacy notice to a Freedom of Information (FOI) website which asks users to provide names and email addresses, although the website does not run SSL security.

Spotted by NADPO Chairman Jon Baines, who pointed out on Twitter that the Greens were “defending” FOI by gathering personal data on a page without any privacy notices, the political party has told Infosecurity that it would discuss the HTTPS issue “with our IT team straight away”, and thanked us for raising the important question."

Spotlight

Companies are ever more connected as their information systems develop and become more modernized. Connectivity has become vital in our daily lives especially when it comes to ensuring that infrastructures operate properly. However, it also creates a source of significant vulnerabilities that can damage a company’s information system. So, what are the most common cyber threats threatening your structures? Here is an overview.


Other News
PLATFORM SECURITY

Veracode Research Reveals Software Supply Chain Security Shortfalls for Public Sector

Veracode | March 30, 2022

Veracode, a leading global provider of application security testing solutions, has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors. Analysis of data collected from 20 million scans across half a million applications revealed these sector-specific findings as part of Veracode’s annual report on the State of Software Security (SOSS). "Public sector policy makers and leaders recognize that dated technology and vast troves of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance. In the wake of May 2021's Executive Order to improve the nation's cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need.” Chris Eng, Chief Research Officer at Veracode No Time to Waste: Fix More Flaws Faster Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average—roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical state, local, and educational applications. Eng continued, “Organizations in this sector must act with urgency. They can improve their secure DevOps practices significantly by using multiple types of scanning—static, dynamic, and software composition analysis—to get a more complete picture of an application’s security, which in turn will help them to improve remediation times, comply with industry regulations, and make the case for increasing application security budgets.” High Severity Flaws Are Priority One Demonstrating a positive trend, the public sector ranks highly when it comes to addressing high severity flaws. The research reveals that government entities have made great strides to address high severity flaws, which appear in only 16 percent of applications. In fact, the number of high severity flaws has decreased by 30 percent in the last year alone, suggesting that developers in the sector increasingly recognize the importance of prioritizing flaws that present the greatest risks. This is encouraging and may reflect growing understanding of new software security guidelines, such as those outlined in the U.S. Executive Order on Cybersecurity and the U.K. Government Cyber Security Strategy 2022 – 2030. Eng closed, "Recognizing that time is of the essence, public sector leaders are beginning to set timelines. For example, in “Moving the US Government Toward Zero Trust Cybersecurity Principles”, Shalanda Young has set a deadline of September 30, 2024 for all US federal agencies to meet specific cybersecurity standards. We think that the progress made against high security flaws is a great starting point and support all public sector agencies who seek to gain better control over their software supply chains." About the State of Software Security Report The twelfth volume of Veracode’s annual report on the State of Software Security (SOSS) examines historical trends shaping the software landscape and how security practices are evolving along with those trends. This year’s findings are based on the full historical data available from Veracode services and customers and represent a cross-section of large and mid-sized companies, commercial software suppliers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. About Veracode Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.

Read More

SOFTWARE SECURITY

ConnectWise Amplifies MSP Cyberattack Defense with Incident Response Service

ConnectWise | April 20, 2022

ConnectWise, the world’s leading software company dedicated to the success of IT solution providers, today announced a new service offering designed to help MSPs and their clients rapidly respond to attacks and recover from security incidents. The ConnectWise Incident Response Service provides direct, around-the-clock access to a team of expert cybersecurity analysts to provide immediate assistance to assess, contain and remediate threats to minimize impact and business disruption. According to the 2022 ConnectWise MSP Threat Report, there was a 10-15% increase in ransomware incidents by quarter in 2021, with 56% of all incidents occurring in the second half of the year. When it comes to cyberattacks, preparation is the best prevention for MSPs that are increasingly becoming targets of threat actors. For MSPs and their clients that often lack resources to properly respond to incidents, the ConnectWise Incident Response Service provides an immediate life-line to skilled cybersecurity experts that accelerate incident resolution and help avoid mistakes that can be costly to business operations. “With a talent shortage, more sophisticated threat actors and more technologies to protect, cybersecurity incidents can quickly overwhelm an MSP and their end client and jeopardize protection of their client’s critical assets. Every second counts in a cyberattack, so having a team of security experts at a moment’s notice is a game-changing force multiplier for an MSP’s successful delivery of cybersecurity services. With this service, MSPs can confidently turn to ConnectWise to gain swift understanding and control of the situation to eradicate threats and prevent costly downtime.” Raffael Marty, General Manager, Cybersecurity, ConnectWise The ConnectWise Incident Response Service also aids in the recovery process with forensic examination of system data, user activity and artifacts of digital evidence to determine the extent of compromise and identify which threat actor might be involved. The ConnectWise Incident Response Service is available today to both ConnectWise partners and non-partners. About ConnectWise ConnectWise is the world's leading software company dedicated to the success of IT solution providers through our unmatched software, services, community. ConnectWise’s innovative, integrated, and security-centric platform – Asio™ - provides unmatched flexibility, automation, and scale that fuels profitable, long-term growth for our Partners. ConnectWise equips TSPs with cybersecurity solutions, unified monitoring and management solutions, and business automation solutions—all while providing industry-leading operational maturity offerings to accelerate business transformation.

Read More

SOFTWARE SECURITY

Contrast Security Introduces Cloud-Native Automation

Contrast Security | April 23, 2022

Contrast Security , the leader in code security that empowers developers to secure-as-they code, today announced the introduction of cloud-native automation for users leveraging Red Hat OpenShift, the industry's leading enterprise Kubernetes platform. Red Hat OpenShift users can now deploy containerized applications with embedded security features within a native continuous integration and continuous delivery (CI/CD) pipelines. This enables Red Hat OpenShift users to retain scalability, while adding automated security testing and protection as a routine part of the software delivery process. These added capabilities result in minimized manual configuration, reduction in additional overhead costs, and overall security efficiencies. Contrast enables customers to continuously monitor OpenShift applications at runtime to deliver the most actionable results without requiring AppSec teams to waste hundreds of hours validating results and causing delays for developers. "Unfortunately many organizations lack the means to implement scalable security gates within their CI/CD pipelines, which translates to insecure code being shipped across distributed cloud environments. Contrast helps these teams drive their DevSecOps transformation with automation at scale. These new capabilities are another component to Contrast's overall mission of ensuring developers are empowered to embed security capabilities within their environments without imposing additional work on them. We want to make security a value-add for everyone." Sanjay Ramnath, Vice President of Product Management at Contrast Security Contrast enables Red Hat OpenShift users to benefit from the following capabilities: Source-to-Image Deployment: Cloud developers can embed Contrast's Assess and Protect agents into their source code image to implement continuous vulnerability detection with runtime context and help protect their apps from targeted attacks in production. CI/CD Jenkins Pipelines: AppSec teams can trigger automated security tests within native Jenkins pipelines and establish security policy gates to mitigate potential vulnerabilities. Alternatively, users can also automate in their Jenkins CI/CD pipelines by pulling the agent from Contrast. OpenShift Pipelines via Tekton: Contrast provides OpenShift users with automated tasks that can be used to create repeatable pipeline templates within OpenShift Pipelines environments. APIs provided by the Contrast Secure Code Platform help initiate automated vulnerability static scanning at build time and instrument applications for security telemetry from within prior to deployment. The Contrast Secure Code Platform is available today with support for Java, .NET, and Node.js applications. About Contrast Security Contrast Security secures the code that global business relies on. It is the industry's most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprise developers to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world's largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection to cloud and on-premise applications in production.

Read More

SOFTWARE SECURITY

Whistic Announces Support of Google’s Minimum Viable Secure Product Framework

Whistic | May 23, 2022

Today, Whistic, the proactive vendor security network for both buyers and sellers, announced support for the Minimum Viable Secure Product (MVSP) framework, a security baseline developed by Google in a collaborative effort with Okta, Slack, and Salesforce. Until the introduction of MVSP, there was no commonly accepted baseline available among security professionals that indicated the importance of security controls. With MVSP, vendors can demonstrate to their customers that they are meeting, at a minimum, the baseline of security as outlined by some of the industry’s top security professionals. “We believe a vendor-neutral security baseline is an important step in establishing minimum acceptable security requirements for enterprise software and services. “By assuring enterprise solutions include the core security building blocks, we can work to reduce third-party risk, and promote security as a key part of the product development lifecycle.” Chris John Riley, Senior Security Engineer at Google Vendors that utilize Whistic to share security documentation via the MVSP help streamline and accelerate the security review process for their customers, helping them to rapidly understand the vendor’s security posture. “Enabling companies to showcase their security posture using the MVSP and other industry frameworks is a key step toward ensuring transparent relationships between vendors and their customers,” stated Nick Sorensen, Whistic CEO. “In addition to announcing support of MVSP, we recently launched Whistic Basic Profile that enables any business regardless of size to proactively share their security posture with customers and publish it to the Whistic Vendor Security Network for free.” Basic Profile allows vendors to self-assess against industry standard frameworks, including MVSP. It also includes a limited number of Profile shares, and the ability to publish to the Whistic Trust Catalog, enabling Whistic customers to conduct Zero-Touch Assessments of the vendor’s security posture. “Okta has already added MVSP to our Whistic Profile and we look forward to seeing more and more of our vendors adopt this baseline in their Profiles,” said Gen Buckley, Director, Customer Assurance Customer Trust at Okta Security and founding committee member of MVSP. “We are always looking for ways to streamline our vendor security reviews and drive a more secure ecosystem, and MVSP helps accomplish that while also promoting transparency and collaboration between vendors and customers.” Marat Vyshegorodtsev, Enterprise Security JAPAC representative at Salesforce adds, “Organizations of all sizes often purchase dozens of software products managed by third parties. The onboarding process alone can take weeks or months, especially when it comes to vetting the security posture for each. MVSP helps solve this—it standardizes this process and eliminates overhead, complexity, and confusion for both parties while ensuring the minimum-security requirements.” About Whistic Located in the heart of the Silicon Slopes in Utah, Whistic is the network for assessing, publishing, and sharing vendor security information. The Whistic Vendor Security Network accelerates the vendor assessment process by enabling businesses to access and evaluate a vendor’s Whistic Profile and create trusted connections that last well beyond the initial assessment. Make security your competitive advantage and join businesses like Airbnb, Okta, Betterment, and Atlassian who are leveraging Whistic to modernize their vendor security programs.

Read More

Spotlight

Companies are ever more connected as their information systems develop and become more modernized. Connectivity has become vital in our daily lives especially when it comes to ensuring that infrastructures operate properly. However, it also creates a source of significant vulnerabilities that can damage a company’s information system. So, what are the most common cyber threats threatening your structures? Here is an overview.

Resources