Software Security

Keeper Security Protects Against Supply Chain Attacks with New Open Source Project


Keeper Security, the leading provider of zero-trust and zero-knowledge cybersecurity software protecting passwords, passkeys, privileged access, secrets and remote connections, today announces a new open source project for software developers and DevOps to easily and securely sign git commits with their Keeper vault. Through Keeper Secrets Manager (KSM), users can now use Secure Shell (SSH) keys stored in their Keeper Vault to digitally sign commits to confirm the authenticity of their code.

Git is a version control system that tracks changes in your software projects, and a git commit is a snapshot of these changes at a specific point in time, accompanied by a brief message describing the modifications. Keeper and developers at The Migus Group teamed up to create the open-source solution to sign git commits using the SSH keys stored in a user's Keeper Vault. The integration provides developers with a secure and encrypted repository for their SSH keys and removes the practice of storing them on disk, both increasing security and streamlining DevOps workflows.

The rise in software supply chain attacks highlights the need for organizations to prioritize security around the software supply chain. Signing git commits is a recommended best practice for developers to confirm the authenticity and integrity of code releases. As developers sign commits with SSH keys, they are provided with cryptographic proof of authorship, which helps secure the supply chain by assuring users the software originates from a legitimate source and remains unaltered since its signing. Digital signatures can also feed into a Software Bill of Materials (SBOM) to indicate whether a line-item in the SBOM is trusted, depending on the code signature status.

"The ability to store SSH keys and other credentials in Keeper Vault offers a layer of protection and ease-of-use that hasn't been the standard," said Craig Lurey, CTO and Co-founder of Keeper Security. "Our integration enables developers to validate the software code with a cryptographic digital signature and transparent logging, making what historically has been a complex process into a simple one. In the future, all code will be signed, and the software supply chain will have one source of truth that will reduce supply chain attacks."

"Our customers are asking for help insulating themselves from supply chain attacks, so we were already working to do that, often using Keeper," said Adam Migus, Founder and CEO of The Migus Group. "So, we thought working with them to make the git commit-signing process both safer and easier would be a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their vaults. However, the broader community also gains an example of secure commit signing with benefits of central key management."

The SSH keys for signing commits are secured in KSM, a fully managed cloud-based, zero-knowledge platform for securing infrastructure secrets such as API keys, database passwords, SSH keys, certificates and any type of confidential data. KSM eliminates secrets sprawl by removing hard-coded credentials from source code, config files and CI/CD systems. The fully managed, cloud-based and IT friendly solution was named an overall leader on the 2023 KuppingerCole Leadership Compass for Secrets Management. KSM is supported on Windows, macOS and Linux. It utilizes a zero-knowledge security architecture and is highly secure with ISO 27001 and SOC 2 compliance, as well as FedRAMP and StateRAMP Authorization, among numerous other certifications.

Keeper's integration helps support a broader government and industry effort to bring increased security and visibility to the open source community. The ease of providing a cryptographic digital signature allows developers to validate that the software in use is exactly what it is claiming to be and enhances security for both developers and end-users alike.

About Keeper Security
Keeper Security is transforming cybersecurity for organizations around the world with next-generation privileged access management. Keeper's zero-trust and zero-knowledge cybersecurity solutions are FedRAMP and StateRAMP Authorized, FIPS 140-2 validated, as well as SOC 2 and ISO 27001 certified. Keeper deploys in minutes, not months, and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance. Trusted by thousands of organizations to protect every user on every device, Keeper is the industry leader for best-in-class password management, secrets management, privileged access, secure remote access and encrypted messaging. Learn more at KeeperSecurity.com.



