DATA SECURITY, SOFTWARE SECURITY, WEB SECURITY TOOLS
Legit Security | September 16, 2022
Legit Security, a cyber security company with an enterprise platform to secure an organization’s software supply chain, today announced that it discovered software supply chain attack vulnerabilities in popular open-source projects from Google and Apache. The discovered vulnerability affects GitHub, an extremely popular Source Code Management (SCM) system at the heart of many organization’s software supply chains and used by software developers globally. The Legit Security research team found a new type of CI/CD vulnerability called “GitHub Environment Injection” that allows attackers to take control of the vulnerable project's GitHub Actions CI/CD pipeline. Any GitHub user could exploit this vulnerability to modify the project’s source code, steal secrets, move laterally and attack inside the organization, and ultimately initiate a SolarWinds-like supply chain attack. The vulnerability was found in the Google Firebase project and in a very popular integration framework project from Apache. Both Google and Apache acknowledged and fixed the vulnerabilities after an initial disclosure by Legit Security. Legit Security has published a technical disclosure blog on their website including guidance for organizations to remediate this vulnerability.
Legit Security’s Research Team discovered that a specially crafted payload written to a GitHub environment variable called “GITHUB_ENV” could allow an attacker to execute code on the target pipeline and thereby modify the source code or compromise the repository itself. This attack can be initiated by any GitHub user and is very easy to implement just by creating a “pull request” or a proposed change to the source code. The mere act of submitting the pull request will trigger the vulnerable build action and carry out a successful compromise and the attacker does not need to be subjected a code review approval from the source code maintainer for it to take effect.
The Legit Security team disclosed these issues to Google and Apache project maintainers, along with remediation guidelines, and verified that these vulnerabilities weren’t exploited by a malicious actor. Both projects have been fixed and are now safe. However, these are not the only projects susceptible to this kind of attack. Since using the GITHUB_ENV file is currently considered the “safe” way to change environment variables in GitHub Actions, many repositories are using workflows that write untrusted data into this file, leaving them exposed to supply chain attacks.
“This type of vulnerability joins many other software supply chain vulnerabilities and attacks targeting popular open-source projects, including GitHub, which is the largest and the de facto host of most open-source projects. “We, as a security community, must build the tools and processes to address these threats and allow organizations to trust software and use it safely. Here at Legit Security our mission is to secure every organization’s software supply chain and we are active conducting security research and collaborating on initiatives to achieve this goal."
Liav Caspi, CTO and co-founder of Legit Security
According to Gartner®, nearly half of organizations worldwide will experience an attack on their software supply chains by 2025, a three-fold increase from 2021. There has been a huge rise in attempts to compromise open-source projects and CI/CD build services, including GitHub Actions, to enable wide ranging attacks through software supply chains.
For in-depth analysis of the GitHub Environment Injection vulnerability, along with broader information and guidance on how to protect your organization from software supply chain attacks, please visit the Legit Security website and blog.
About Legit Security
Legit Security protects software supply chains from attack by automatically discovering and securing the pipelines, infrastructure, code and people so that businesses can stay safe while releasing software fast. Legit provides an easy to implement SaaS platform that supports both cloud and on-premises resources and combines automated discovery and analysis capabilities with hundreds of security policies developed by industry experts with real-world SDLC security experience. This integrated platform keeps your software factory secure and provides continuous assurance that your applications are released without vulnerabilities.
DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY
Datadog | October 20, 2022
Datadog, Inc., the monitoring and security platform for cloud applications, today announced the general availability of Cloud Security Management. This product brings together capabilities from Cloud Security Posture Management (CSPM), Cloud Workload Security (CWS), alerting, incident management and reporting in a single platform to enable DevOps and Security teams to identify misconfigurations, detect threats and secure cloud-native applications.
As organizations' cloud architectures become more complex, assessing security risks and collaborating across teams to mitigate them has become increasingly difficult. While security engineers are responsible for identifying threats and misconfigurations, DevOps teams are responsible for remediating them. DevOps and security teams often use multiple point solutions and tools to report on and resolve issues, but these tools provide an incomplete view of security risks and create silos between teams.
Datadog's Cloud Security Management brings together observability and security insights across an organization's entire cloud environment—without the need to deploy additional agents. This shared context provides security engineers with deeper insights to collaborate with DevOps teams and more quickly remediate security issues.
"Tight collaboration between security and DevOps teams is required to mitigate security risks in today's environments. This change has been brought on by the move to the cloud. Security teams today cannot take countermeasures alone without potentially impacting the performance and reliability of production systems. "Datadog Cloud Security Management helps these teams work together to remediate issues quickly by providing a single platform—as opposed to multiple point solutions—that delivers a complete view of an organization's infrastructure and risk exposure."
Prashant Prahlad, VP of Product at Datadog
"Using Cloud Security Management was like having a member of the InfoSec team embedded within our DevOps team," said Chad Upton, Vice President of Infrastructure at FirstUp. "All the security metrics were front and center so they could easily see the number of misconfigured resources in a single view and they didn't have to wait for someone from InfoSec to reach out and let them know there was an issue."
"Because Datadog Cloud Security Management shows observability and security data together, alongside the resource relationship graph, we were able to remove cloud resources that were no longer in use and easily understand the impact of misconfigured cloud resources by visualizing all dependencies," said Ben Collen, Senior Director of Engineering and CISO at Vertex.
Cloud Security Management expands on the foundational capabilities of cloud security posture management and cloud workload security of a CNAPP solution through:
Resource Relationship Graph: By providing a visual risk assessment of misconfigured resources and vulnerabilities across an organization's cloud infrastructure, DevOps teams can take remedial actions based on the impact of the risk.
Custom Detection Rules: Teams can now create fine-grained threat detection rules across all cloud resources—including their associated logs and security incident events.
Resource Catalog (Beta): Engineers can access a comprehensive visual representation of all security risks associated with each cloud resource in a customer's environment and identify the owners of every cloud infrastructure resource to remediate vulnerabilities and misconfigurations.
Datadog is the monitoring and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring and log management to provide unified, real-time observability of our customers' entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior and track key business metrics.
DATA SECURITY, ENTERPRISE IDENTITY, SOFTWARE SECURITY
SynSaber | October 21, 2022
SynSaber, an early-stage ICS/OT cybersecurity and asset monitoring company, today announced the addition of a new Dynamic Pipeline feature to the company's platform, providing customers with improved scalability and flexibility.
Building upon the product launched in February 2022, this update includes a comprehensive set of features and capabilities to collect, analyze, and curate data at the OT edge. SynSaber was purpose-built to bring edge visibility to industrial networks (oil and gas, water and electric utilities, advanced manufacturing) so that organizations can deploy and scale rapidly, integrate with current technology, and detect threats to protect business-critical assets.
"SynSaber partners with some of the most important critical infrastructure operators in the nation to protect and provide visibility into how ICS/OT assets are exposed to potential cyber attacks. "With our latest update to the platform, customers are now able to extend visibility and flexibility throughout the organization for cybersecurity to act as a business continuity vehicle and empower operators and asset owners to prevent any operational disruption."
Jori VanAntwerp, Co-Founder/CEO of SynSaber
Dynamic Pipeline 's Key Benefits:
Users can modify data sources, processors, and destinations in real-time, enabling dynamic configuration changes without interruption to visibility.
Pipeline configuration can be modified and deployed within SynSaber's visual-based interface.
The ability to dynamically configure Saber sensors from a visual-based interface allows for greater control and ease of access. In addition to the improved scalability and flexibility the dynamic pipeline provides, the v1.1.0 update includes enhancements to some of the existing features from SynSaber version v1.0.0.
These feature improvements include:
Custom flow module enables near real-time processing and analysis of data and asset identification.
Improved Syslog support allows fast and efficient communication with existing infrastructure and technologies.
SynSaber is the simple, flexible, and scalable industrial asset and network monitoring solution that provides continuous insight into the status, vulnerabilities, and threats across every point in the industrial ecosystem, empowering operators to observe, detect and defend OT/IT systems and protect critical infrastructure. SynSaber is privately held with funding from SYN Ventures, Rally Ventures, and Cyber Mentor Fund.
DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY
OneSpan | September 19, 2022
OneSpan™ , the digital agreements security company, today announced the general availability of its secure Virtual Room cloud service which enables organizations to deliver live, high-touch assistance to their customers in a high-assurance virtual environment. This next-generation customer engagement solution gives organizations the ability to balance identity security, authentication, and e-signature solutions from the broader OneSpan portfolio with a high-assurance virtual experience that is the next best thing to entering a branch or meeting in person. Virtual Room complements digital-first transaction experiences by providing a unique opportunity for organizations to create personalized, high-touch, human-assisted interactions, and by improving the customer experience, increasing agreement completion rates, and reducing security risks and fraud.
“Today, businesses requiring a high degree of security and regulatory compliance rely daily on a variety of technologies that use insecure, shared links and expose users to elevated risks including data breaches and compliance violations in the anywhere economy. This should not be the case. Organizations and their customers want to be confident that the person joining a virtual meeting is the person they claim to be. And multi-million dollar business agreements transacted digitally should not be subject to fraud fallout. “Today’s off-the-shelf video conferencing tools do not offer optimal security. As the complexity and value of transactions increase, customers want a live interaction rather than relying on a virtual assistant or self-service experience. We built Virtual Room for these scenarios to help our customers complete an agreement or transaction where they need a personal touch and where security is paramount.”
Matthew Moynahan, President and CEO at OneSpan
Combining OneSpan’s heritage in high-assurance identity verification and authentication with agreement co-browsing, web-enabled videoconferencing, rich collaboration features, and built-in e-signature, Virtual Room helps organizations engage and transact with customers with confidence. Virtual Room can be used for multiple high-value customer agreements, including account opening and maintenance, wealth management, and car financing.
Virtual Room enables organizations to:
Verify the identities of participants, utilizing OneSpan’s identity verification and mobile and hardware authentication solutions;
Interact with signers remotely;
Simultaneously review documents and address questions;
Capture legally binding e-signatures in real-time; and
Record virtual sessions to reinforce the electronic evidence captured in the audit trails.
A recent report from Aragon highlighted the need for higher assurance within these processes. “It’s important for buyers to look for a provider that has global security compliance expertise in all aspects of the workflow, from the initial identity verification and authentication steps, to creating a secure virtual interaction environment and all the way through to securing the final output or artifact of the transaction, for compliance and enforceability purposes. Equally important, buyers should look for a vendor that has the flexibility to adapt any step in the digital workflow to meet local regulations for digital identity, secure customer authentication, transaction risk analysis, and the many other security requirements, which differ from one country to the next.”
As a secure solution for customer-facing digital agreements where the integrity of the agreement is paramount, Virtual Room allows organizations to embrace a new way of working that’s more distributed, virtual, and dynamic, enabled by advancements in cloud technology. With the onset of the anywhere economy, and with more transactions being completed online, identity verification and authentication technologies are critical in the digital agreements process. This purpose-built, high-assurance digital agreement solution includes identification and authentication capabilities that enable organizations to increase the integrity and completion rates of agreements and transactions in a highly-secure and protected ecosystem without impacting user experience or productivity.
OneSpan helps organizations accelerate digital transformations by enabling secure, compliant, and refreshingly easy customer agreements and transaction experiences. Organizations requiring high assurance security, including the integrity of end-users and the fidelity of transaction records behind every agreement, choose OneSpan to simplify and secure business processes with their partners and customers. Trusted by global blue-chip enterprises, including more than 60% of the world’s largest 100 banks, OneSpan processes millions of digital agreements and billions of transactions in 100+ countries annually.