Whether you are going to build a custom CRM system, a custom ERP tool, or any other bespoke solution, you need to ensure that the software is properly secured. Otherwise, it can be exposed to a wide range of cyber threats, which puts your corporate and customer data at risk. Even a single data breach can be devastating for a business, as the examples of NVIDIA, CNA Financial, and hundreds of other companies show.

As a software development firm with 25+ years of experience, we use a mix of practices to prevent vulnerabilities in the solutions we implement and ensure maximum data protection for our clients. In this article, we share some of the most useful techniques to help you build a more secure bespoke solution.

1. Establish a secure software development policy

Before starting the development process, your company should establish a secure software development policy. Generally speaking, this document sets out the rules a company and its development teams must follow to reduce software development security risks. A practical and effective secure development policy should cover three key aspects of software development:

• Security expertise

First of all, the policy should define a set of requirements for developers’ qualifications and experience in ensuring software security. By hiring specialists who meet these conditions, you increase the chances of developing a secure solution.

• Processes

The policy should also describe the key software development processes, including coding, testing, and deployment, and specify how developers should perform them to ensure the security of both the software and the development environment. For example, this can involve validating a new piece of source code against the company’s security standards before committing it to the code repository.

• Technology

Finally, the policy should guide developers on the tools and technologies to use during the software development lifecycle. For instance, it can require developers to use only development frameworks and libraries that have been approved by the company’s security team.

You can develop such a policy from scratch, which can be challenging, especially if this is your first development project. To streamline the process, a company can purchase a pre-made policy template from a cybersecurity practitioner and develop its own policy on that basis.
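The two policy examples above (checking new source code against the company’s standards before it is committed, and allowing only approved libraries) can both be enforced by a pre-commit check. The following is an added example, not code from the article or its authors: it scans staged Python files for hard-coded credentials and checks requirements.txt against an approved-library list. The staged file contents, the secret patterns and the approved list are constructed for the demo and stand in for a real policy.

```python
"""Added example (not from the original article): a minimal pre-commit policy
check. It scans staged source files for hard-coded secrets and verifies that
every third-party dependency in requirements.txt is on the (hypothetical)
security team's approved list. File contents, patterns and the approved list
are constructed for the demo, not a real policy."""
import re
from typing import Dict, List

# Assumed policy: libraries the hypothetical security team has approved.
APPROVED_LIBRARIES = {"django", "requests", "cryptography", "psycopg2"}

# Assumed policy: line patterns that indicate a credential checked into code.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(api_key|secret|password|token)\s*=\s*['\"][^'\"]{8,}['\"]"), "hard-coded credential"),
    (re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"), "embedded private key"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS access key id pattern"),
]


def find_secrets(path: str, text: str) -> List[str]:
    """Return one finding per line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, label in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(f"{path}:{lineno}: {label}")
                break
    return findings


def find_unapproved_dependencies(requirements: str) -> List[str]:
    """Return requirement lines whose package is not on the approved list."""
    unapproved = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # The package name is everything before a version specifier, extras or marker.
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0].lower()
        if name not in APPROVED_LIBRARIES:
            unapproved.append(line)
    return unapproved


def check_commit(staged: Dict[str, str]) -> List[str]:
    """Run every policy check over the staged files; an empty list means the commit may proceed."""
    findings: List[str] = []
    for path, text in staged.items():
        if path.endswith(".py"):
            findings.extend(find_secrets(path, text))
        elif path.endswith("requirements.txt"):
            findings.extend(f"{path}: unapproved dependency '{dep}'"
                            for dep in find_unapproved_dependencies(text))
    return findings


# Constructed staged files for the demo (a real hook reads `git diff --cached`).
STAGED_FILES = {
    "app/settings.py": 'DEBUG = False\nDB_PASSWORD = "hunter2-hunter2-hunter2"\n',
    "app/views.py": "def index(request):\n    return 'ok'\n",
    "requirements.txt": "django>=4.2\nrequests==2.31.0\nleft-pad-clone==0.1  # not reviewed\n",
}

if __name__ == "__main__":
    import sys
    problems = check_commit(STAGED_FILES)
    for problem in problems:
        print("BLOCKED:", problem)
    sys.exit(1 if problems else 0)
```

A non-zero exit from a hook like this blocks the commit, which is the enforcement point the policy asks for; the same checks run unchanged in CI so that a developer who bypasses local hooks is still caught before merge.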

2. Create a secure-by-design software architecture 

To ensure maximum software security, you should build a custom solution that is secure by design, starting with the right software architecture. We recommend adhering to the following universal principles during the software design phase:

• Defense in depth

This principle requires software architects to implement multiple layers of security controls, so that the failure of any single control does not leave the software undefended.

• Economy of mechanism

This principle implies that software architects should avoid overcomplicating the solution’s design, since the more complex the software is, the more difficult it becomes to test and secure.

• Weakest link

This principle emphasizes the need to pay attention to all parts of the solution, even those considered unimportant or less important, since any software system is only as secure as its weakest link.

3. Conduct threat modeling

Once you have created the optimal software architecture, we recommend that you thoroughly evaluate it from a security perspective before continuing with development. To begin with, you can create a comprehensive data flow diagram (DFD) that highlights all user paths and data flows and gives a full overview of how the solution works.

Once you understand the solution’s architecture better, you should study the existing threat landscape to determine what risks exist in your industry and market niche. Then, you should conduct a threat analysis to understand whether the solution would be vulnerable to these risks and, if it is, consider refining the architecture.
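A DFD becomes useful for threat analysis once it records trust boundaries, because the flows that cross a boundary are the ones that need authentication and transport protection. The following is an added example, not the article’s method or a full threat-modeling tool: a small DFD model for a hypothetical CRM (elements, trust zones and flows are constructed) with a check that flags every boundary-crossing flow whose design does not record those two controls.

```python
"""Added example (not from the article): a small data-flow-diagram model with
a trust-boundary check. For every flow that crosses from one trust zone into
another, the check reports missing authentication and missing transport
encryption. The CRM elements, zones and flows are constructed for the demo."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # trust zone the element lives in, e.g. "internet", "dmz", "internal"


@dataclass
class Flow:
    src: Element
    dst: Element
    data: str
    authenticated: bool = False   # does the receiver verify who is sending?
    encrypted: bool = False       # is the channel protected in transit?

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary


def analyze(flows: List[Flow]) -> List[str]:
    """Return one finding per missing control on a boundary-crossing flow.

    Flows that stay inside one trust zone are not flagged here; the DFD sets
    the scope, and insider risk inside a zone needs its own review."""
    findings = []
    for f in flows:
        if not f.crosses_boundary():
            continue
        where = f"{f.src.name} -> {f.dst.name} ({f.data})"
        zones = f"{f.src.boundary}/{f.dst.boundary}"
        if not f.authenticated:
            findings.append(f"spoofing risk: {where} crosses {zones} without authentication")
        if not f.encrypted:
            findings.append(f"disclosure risk: {where} crosses {zones} without transport encryption")
    return findings


# Constructed DFD for a hypothetical custom CRM: browser -> API -> database,
# plus a partner integration whose authentication was never designed.
BROWSER = Element("customer browser", "external", "internet")
API = Element("CRM API", "process", "dmz")
DB = Element("customer DB", "store", "internal")
PARTNER = Element("partner ERP", "external", "internet")

CRM_FLOWS = [
    Flow(BROWSER, API, "login form", authenticated=True, encrypted=True),
    Flow(API, DB, "customer records", authenticated=True, encrypted=True),
    Flow(PARTNER, API, "order export", authenticated=False, encrypted=True),
]

if __name__ == "__main__":
    for finding in analyze(CRM_FLOWS):
        print(finding)
```

Each finding maps back to a concrete element of the diagram, which is what makes the later step in the text (refining the architecture) actionable: the partner flow here needs an authentication decision before any code is written for it.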

4. Write secure code and review it regularly

When developers proceed to coding, it’s critical that they adhere to secure coding practices that help them avoid introducing vulnerabilities hackers can exploit. For example, the official secure coding checklist from OWASP requires developers to ensure code integrity by using unique identifiers, such as hashes or checksums. It also directs developers to encrypt code stored in code repositories using secure cryptographic libraries.
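The integrity item above is usually implemented as a hash manifest: record a digest per file when the code is released, and verify the checkout against it later. The following is an added example, not OWASP’s or the article’s code, using SHA-256 from the Python standard library; the source files are constructed in memory for the demo.

```python
"""Added example (not from the article or OWASP): a SHA-256 manifest over a
set of source files, plus a verification step that reports files that were
modified, removed or added since the manifest was built. File contents are
constructed in memory; a real run would read them from the checkout."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 digest of its contents."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Compare the current files against the manifest; an empty list means intact."""
    problems = []
    for path, expected in manifest.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif sha256_hex(files[path]) != expected:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# Constructed release snapshot.
ORIGINAL = {
    "src/auth.py": b"def login(user, pw):\n    return check(user, pw)\n",
    "src/util.py": b"def check(u, p):\n    return verify_hash(u, p)\n",
}

# Constructed later checkout: auth.py changed, util.py gone, extra.py added.
CHANGED = {
    "src/auth.py": b"def login(user, pw):\n    return True\n",
    "src/extra.py": b"print('hello')\n",
}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    for problem in verify_manifest(manifest, CHANGED):
        print(problem)
```

One caveat a practitioner should keep in mind: a plain digest only proves that the files match the manifest, so the manifest itself has to be protected (signed, or stored outside the repository whose integrity it vouches for). Otherwise anyone who can alter the files can regenerate the manifest to match.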

In addition, developers should regularly review their code to identify potential security issues early on. To optimize this aspect of development (which can be especially relevant in large custom development projects), teams can use automated code review tools, such as PHP Coding Standards Fixer, Snyk Code, or Pylint.

5. Use a mix of security testing techniques

Regular testing is an important aspect of software security: it is where developers identify and fix vulnerabilities before attackers exploit them. Development teams should conduct multiple types of tests to gain a more comprehensive view of the solution’s security state. These should include penetration testing (which involves simulating a hacker attack), API security testing (which helps identify common vulnerabilities in API code), software composition analysis (which involves analyzing third-party tools and libraries for vulnerabilities), and other types of tests.
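Of the test types listed, software composition analysis is the one most easily shown in code: it is a comparison of the versions you ship against known-affected version ranges. The following is an added example, not the article’s or any vendor’s tool. It reads a simplified component list in JSON (a constructed stand-in for an SBOM, not a full CycloneDX or SPDX document) and matches it against a constructed advisory list with placeholder ids and fictitious package names; a real run would pull advisories from a feed such as OSV or the SCA tool’s own database.

```python
"""Added example (not from the article): a minimal software composition
analysis step. Components and their versions come from a simplified JSON
list (constructed, SBOM-like); advisories are constructed with placeholder
ids and fictitious packages. Versions are compared numerically so that
1.10 is correctly treated as newer than 1.9."""
import json
import re
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.31.0' into (2, 31, 0); tuples compare component-wise, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


# Constructed advisories: (package, introduced, fixed, advisory id).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "ADV-PLACEHOLDER-001"),
    ("fastparse", "0.0.0", "3.1.0", "ADV-PLACEHOLDER-002"),
    ("fastparse", "3.2.0", "3.2.5", "ADV-PLACEHOLDER-003"),
]


def is_affected(version: Version, introduced: str, fixed: str) -> bool:
    return parse_version(introduced) <= version < parse_version(fixed)


def find_vulnerable(components_json: str) -> List[str]:
    """Return one finding per (component, advisory) match; non-empty output fails a CI gate."""
    components = json.loads(components_json)["components"]
    findings = []
    for comp in components:
        name = comp["name"].lower()
        version = parse_version(comp["version"])
        for pkg, introduced, fixed, adv in ADVISORIES:
            if pkg == name and is_affected(version, introduced, fixed):
                findings.append(f"{name}=={comp['version']} affected by {adv}; fixed in {fixed}")
    return findings


# Constructed component list (simplified SBOM-like shape, not a real SBOM format).
COMPONENTS = json.dumps({"components": [
    {"name": "examplelib", "version": "1.3.0"},
    {"name": "fastparse", "version": "3.2.4"},
    {"name": "requests", "version": "2.31.0"},
]})

if __name__ == "__main__":
    import sys
    hits = find_vulnerable(COMPONENTS)
    for hit in hits:
        print("VULNERABLE:", hit)
    sys.exit(1 if hits else 0)
```

The check only works on exact versions, which is why SCA is run against a lockfile or generated SBOM rather than against loose version ranges in a requirements file: a constraint such as `>=1.0` says nothing about what was actually installed.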

Final thoughts

If you are planning to develop a custom solution, you should prioritize software security to minimize any potential risk of sensitive data exposure. The practices listed in this article can help you achieve the desired level of protection for your solution. Regardless of your custom project’s specifics, scale, and complexity, it is also advisable to involve third-party experts in the software development.

An experienced development company can provide you with a tailored secure software development policy, help design a fully-protected software architecture, and assist you with coding, testing, or any other development aspects to help you build a more robust bespoke solution.

The post 5 cybersecurity practices for custom software development appeared first on Cybersecurity Insiders.

Introduction

In today’s digital ecosystem, the expansion of application and API landscapes offers both opportunities and challenges for organizations. Advancements in application development and integration foster unparalleled business agility and innovation but also enlarge the attack surface, creating numerous opportunities for threat actors to exploit. This complexity presents a formidable challenge for IT security teams to maintain visibility and control, ensuring comprehensive protection against increasingly sophisticated adversaries.

The 2024 Application Security Report, based on a detailed survey of over 500 cybersecurity professionals, is aimed at uncovering current trends, challenges, and practices in application security.

Key findings include:

• Application Vulnerability: Half of the respondents report that their applications were compromised in the past year, highlighting the prevalent risk and the critical need for more robust security measures.

• Expertise Gap: Only 19% of security professionals identify as experts in application security, highlighting a significant need for further development of skills among the remaining 81% to effectively counteract cyber threats.

• Visibility Challenges: 45% of participants are not confident in their awareness of all applications used within their organizations, underlining the difficulties in achieving comprehensive application visibility.

• Bot Attack Concerns: 45% raised concerns over their preparedness to defend against sophisticated bots, emphasizing the evolving nature of threats that organizations face.

• Patch Management Hurdles: 40% of respondents acknowledge that they are unable to patch vulnerabilities in a timely manner, leaving organizations vulnerable to attacks.

We sincerely thank Fortinet for their essential contribution to this survey. The insights and best practices derived from this survey highlight the critical areas for organizations to focus their efforts in order to minimize and reduce their attack surface. With the right tools—those capable of discovering and enhancing visibility of digital assets while employing sophisticated measures like machine learning and threat analytics—businesses are better equipped to safeguard applications and APIs against advanced threats.

We trust that our readers will find this report helpful in their journey towards improved application security and in navigating the complexities of modern digital landscapes with confidence.

Thank you,

Holger Schulze

Founder, Cybersecurity Insiders

Application Security Expertise

Application security is a critical part of cybersecurity that demands nuanced expertise to effectively navigate its complexities. Applications are becoming increasingly vulnerable due to the rapid pace of digital transformation and the complexity of modern, cloud-first software development. This environment, rich with APIs and third-party services, opens numerous attack vectors. Furthermore, threat actors’ evolving tactics, such as AI-automated attacks, often outpace organizational security measures and elevate risk.

Only 19% of the survey respondents identify as experts, possessing extensive experience and a profound grasp of application security, including leadership in security projects. 46% of participants have intermediate proficiency in application security, reflecting an understanding and practical engagement with application security measures.

This majority indicates a workforce capable of implementing essential security practices, yet possibly lacking in advanced skills or experience. However, the 35% at the beginner and novice stages highlights a substantial segment that might not yet effectively contribute to safeguarding applications, underscoring a need for targeted upskilling.

To bridge this expertise gap, organizations should prioritize comprehensive training and development for those at the beginner and novice levels. Tailored programs that enhance practical skills and theoretical knowledge in application security will be critical. Furthermore, fostering an environment that encourages collaboration and knowledge exchange among all expertise levels can accelerate the collective advancement towards a more secure application ecosystem.

Confidence in Application Security Posture

Reflecting on the varied levels of application security expertise, it’s also beneficial to examine the confidence levels among cybersecurity professionals regarding their organization’s application security posture. This confidence speaks to both the strength of security measures in place and how well these measures are understood and implemented by the cybersecurity team.

More than half of the survey respondents (53%) report a concerning lack of confidence in their organization’s application security posture, with 35% being only moderately confident and 18% slightly or not at all confident. This suggests a high degree of doubt in the existing application security strategies.

By focusing on state-of-the-art security practices and tools, as well as cybersecurity training, organizations can not only strengthen their application security posture but also enhance the confidence of their cybersecurity professionals in the organization’s overall security strategy.

Prioritizing Application Security Concerns

Cybersecurity professionals’ wide-ranging concerns about application security reflect the complex nature of this challenge and the need for a comprehensive approach to protect applications at all development stages and across different environments.

The top concern is data protection, noted by 43% of respondents (and in the same spot as in our 2021 survey), underlining the continued importance of shielding sensitive information from unauthorized access and breaches. Close behind, 42% emphasize the need for effective threat and breach detection (up from the #4 spot in 2021), highlighting the necessity for advanced monitoring to quickly spot and address threats. Securing cloud applications, a concern for 40%, points to the shift towards cloud environments and their specific security challenges (rising from the #5 spot in 2021). Additional worries include malware defense, mentioned by 35%, and the task of managing an increasing number of vulnerabilities, identified by 31% of participants. This underscores the evolving threat landscape and the need for vigilant vulnerability management.

Organizations should adopt a comprehensive security strategy, integrating advanced technologies like encryption, modern Web Application Firewalls (WAFs), and Cloud Workload Protection Platforms (CWPP) to enhance data and cloud application security. Embracing DevSecOps principles ensures security is an integral part of the development lifecycle, addressing vulnerabilities in in-house applications. This approach helps tackle key security concerns, fostering a robust and adaptable security posture.

Recent Application Breaches

The frequency and recency of application related security incidents within organizations offer crucial insights into the current cybersecurity landscape and the effectiveness of prevailing security measures.

Notably, 50% of respondents reported an application breach within the last year. This statistic highlights the continuous threat activity and the essential need for effective detection and rapid response. Collectively, it indicates that half of the surveyed organizations have encountered recent security incidents, emphasizing the critical need for improved security measures.

On the other side, 36% experienced breaches between 1-5 years ago, pointing out that while many have avoided recent incidents, the threat of breach remains. The 14% with breaches occurring more than 5 years ago suggests either ongoing security success or potential gaps in detecting newer incidents.

Organizations should thus focus on implementing robust, real-time monitoring and response solutions, including next-generation firewalls, web app and API solutions, and automated security orchestration. Embracing continuous security assessment and a Zero Trust model—verifying every access request—can significantly reduce incident risks.

Common Application Attack Vectors

In the context of recent incidents, understanding the types of attacks against applications sheds light on adversary tactics and informs the creation of targeted defense strategies. The array of attack vectors over the past year reflects the complexity of the threat landscape and the need for a comprehensive security approach.

Malware leads the reported attack vectors at 29%, underscoring the need for robust endpoint protection and up-to-date defenses against malicious software. Following closely, 26% of organizations encountered exploits of software vulnerabilities, highlighting the critical need for continuous vulnerability management and timely patching to mitigate the risk of exploitation.

Stolen credentials, reported by 21% of respondents, underscores the importance of robust authentication mechanisms, including multi-factor authentication (MFA), to prevent unauthorized access. DDoS attacks and information leakage, both at 19%, further illustrate the diverse methods attackers employ to disrupt services and exfiltrate sensitive data, calling for advanced threat detection and data protection solutions.

Cross-site scripting and brute force attacks, cited by 18% and 17% of participants respectively, alongside application misconfiguration and content spoofing, stress the importance of secure coding practices, comprehensive security assessments, and the deployment of solutions such as Web Application Firewalls (WAFs) to defend against these prevalent threats. These common attack vectors underscore the urgent need for organizations to bolster their security posture through a combination of proactive, AI-driven threat intelligence, real-time monitoring, and the adoption of Zero Trust principles.

Application Hosting Strategies

The choice of hosting environment for applications significantly influences an organization’s operational flexibility, scalability, and security posture. This decision reflects not only technological preferences but also strategic priorities regarding data sovereignty, access control, and threat mitigation.

The largest group of respondents, 38%, reveals a preference for hybrid cloud environments, suggesting a strategic balance between the scalability and innovation offered by cloud services and the control and security associated with on-premises resources. This approach likely reflects an understanding of the nuanced security needs across different hosting environments, as well as a desire to leverage the benefits of both without fully committing to the security and compliance complexities of a cloud-only approach. The on-premises/datacenter model, favored by 23% of organizations, underscores a continued reliance on traditional hosting methods, possibly due to regulatory requirements, data sensitivity concerns, or specific performance needs. While offering greater control over security configurations, this choice requires robust internal security measures and infrastructure maintenance.

Private cloud solutions, selected by 21%, highlight the importance of exclusive resource utilization within a controlled environment, offering a compromise between the scalability of cloud services and the security and control of on-premises hosting. Public cloud adoption, at 18%, while the least common response, still represents a significant portion of organizations moving towards fully cloud-based solutions, attracted by their cost-effectiveness, scalability, and the evolving security features offered by cloud providers. In light of the varied attack vectors mentioned earlier, it’s crucial for organizations to tailor their security strategies to their chosen hosting environments. Hybrid and multi-cloud architectures demand sophisticated security orchestration and policy management to ensure consistent security postures across different platforms. For on-premises and private cloud environments, dedicated security controls and vigilant monitoring are paramount. Public cloud users must navigate shared responsibility models, ensuring that their configurations and usage adhere to best security practices. Emphasizing advanced threat protection, data encryption, and identity and access management across all environments can help mitigate the specific risks associated with each hosting model.

Navigating Application Awareness

Ensuring comprehensive awareness of all applications within an organization is crucial for mitigating security risks, especially in the context of shadow IT, where unauthorized applications can introduce vulnerabilities. Only 21% of survey respondents feel very confident in their knowledge of applications used, highlighting either effective control measures or a possible underestimation of their organization’s true application landscape.

Conversely, the 45% indicating varying degrees of uncertainty (somewhat confident to not confident) underscores the challenges shadow IT presents, from bypassing security protocols to complicating compliance. This finding emphasizes the need for strong governance strategies and technologies like application discovery tools to reveal hidden applications.

To curb the risks of shadow IT and enhance organizational security posture, fostering an environment of security consciousness and clear policies for technology adoption is crucial. Initiatives should focus on bridging IT governance with organizational innovation, ensuring a secure and adaptable application environment.

API Inventory Confidence

APIs play a critical role in application integration and communication, yet they introduce unique security challenges and shadow IT risks without careful management and documentation.

A majority (58%) feel confident or very confident in their knowledge of all APIs in their organization, suggesting effective governance and discovery practices in place for these crucial components. This level of assurance suggests robust API management strategies, including the use of API gateways and management platforms to catalog and secure API landscapes. However, this level of assurance could also suggest a degree of overconfidence among cybersecurity professionals, potentially overlooking gaps in their API inventory management.

On the other hand, 42% expressing some doubt or outright lack of confidence underscores the complexities and challenges in achieving complete visibility over their API footprint. This group highlights the potential for shadow APIs—unauthorized or undocumented APIs that can expose organizations to severe security threats due to inadequate oversight.

To tackle these issues, a balanced approach of technology and policy is essential. Organizations should adopt advanced API tools that include discovery for enhanced visibility and security across all APIs. It’s also crucial to foster a culture that emphasizes clear governance around API creation and use, encouraging developers to maintain up-to-date API documentation and reviews. This strategy not only reduces the risks associated with shadow APIs but also bolsters the security infrastructure, ensuring APIs are consistently managed according to security best practices.

Defending Against Sophisticated Bots

The rise of sophisticated, human-like bots marks a significant cybersecurity challenge, where distinguishing between legitimate user interactions and automated, often AI-powered, attacks becomes increasingly difficult. These bots can mimic human behavior, making them particularly effective at evading detection and exploiting vulnerabilities in applications and APIs.

A majority (55%) feel confident or very confident in their ability to defend against such advanced bots. This suggests a high level of optimism or trust in current security measures and strategies to identify and mitigate these threats. However, the 45% who are only somewhat confident or not confident at all reflect the complexities involved in defending against bots that closely emulate human behavior. This concern suggests a recognition of the inadequacy of traditional security measures and a call for more advanced, innovative solutions to adapt to the advancing tactics of automated threats.

To better prepare for human-like bots, leading organizations invest in next-generation security solutions that incorporate advanced machine learning and behavioral analytics. These technologies can analyze patterns of activity to distinguish between genuine users and sophisticated bots. Additionally, fostering a culture of continuous learning and adaptation is crucial, encouraging teams to stay informed about the latest threat vectors and defense mechanisms.

Bot Attack Concerns

In the context of preparing for sophisticated bots, understanding the most concerning bot attacks provides important insight into the threat landscape and guides defense strategies.

Credential stuffing, identified by 49% of respondents, emerges as the top concern, underscoring the acute awareness of the risks associated with unauthorized access to user accounts. This type of attack leverages stolen username-password pairs (often from a data breach) to gain access to accounts across different services through large-scale automated login requests. Closely following at 47% are DDoS (Distributed Denial of Service) attacks. These attacks disrupt service availability, directly impacting business operations and damaging reputations. Card fraud and web scraping attacks, with 35% and 33% respectively, also rank high. Card fraud represents a direct financial threat to organizations and their customers, while web scraping can lead to the loss of intellectual property and competitive advantages, underscoring the broad implications of bot attacks beyond just security breaches.

To mitigate these bot threats, organizations should employ a layered security approach that includes advanced features such as browser fingerprinting, biometric detection, real-time threat intelligence, and comprehensive analytics. Educating users on the importance of secure password practices and implementing multi-factor authentication can further reduce the risk of credential stuffing and other bot-related attacks.
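The distinguishing signal of credential stuffing, as described above, is one source failing logins across many different accounts in a short window, whereas password brute force hammers one account. The detector below is an added example (not from the report) that runs over constructed log lines in a hypothetical "timestamp ip user result" format and also lists accounts that nevertheless logged in successfully from a flagged source, which is where an analyst's response would start:

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, hypothetical "timestamp ip user result" format.
# 203.0.113.5   : six different accounts fail within seconds, then one succeeds -> stuffing
# 198.51.100.7  : one account fails six times -> looks like brute force, not stuffing
# 192.0.2.9     : a user mistypes once and then logs in -> benign
# 198.51.100.20 : five accounts, ten minutes apart -> "low and slow", below the window
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 alice FAIL
2024-03-01T10:00:02 203.0.113.5 bob FAIL
2024-03-01T10:00:03 203.0.113.5 carol FAIL
2024-03-01T10:00:04 203.0.113.5 dave FAIL
2024-03-01T10:00:05 203.0.113.5 erin FAIL
2024-03-01T10:00:06 203.0.113.5 frank FAIL
2024-03-01T10:00:07 203.0.113.5 grace SUCCESS
2024-03-01T10:01:00 198.51.100.7 alice FAIL
2024-03-01T10:01:05 198.51.100.7 alice FAIL
2024-03-01T10:01:10 198.51.100.7 alice FAIL
2024-03-01T10:01:15 198.51.100.7 alice FAIL
2024-03-01T10:01:20 198.51.100.7 alice FAIL
2024-03-01T10:01:25 198.51.100.7 alice FAIL
2024-03-01T10:05:00 192.0.2.9 bob FAIL
2024-03-01T10:05:30 192.0.2.9 bob SUCCESS
2024-03-01T10:00:00 198.51.100.20 alice FAIL
2024-03-01T10:10:00 198.51.100.20 bob FAIL
2024-03-01T10:20:00 198.51.100.20 carol FAIL
2024-03-01T10:30:00 198.51.100.20 dave FAIL
2024-03-01T10:40:00 198.51.100.20 erin FAIL
"""

# Assumed thresholds; tune them to the login volume of the real application.
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 5
MIN_DISTINCT_USERS = 4


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=WINDOW, min_failures=MIN_FAILURES,
                    min_users=MIN_DISTINCT_USERS):
    """Return {ip: (failures, distinct_users)} for every source IP that, inside some
    sliding window of length `window`, produced at least `min_failures` failed logins
    spread over at least `min_users` different accounts."""
    failures = defaultdict(list)            # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()                       # log order is not guaranteed to be time order
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {user for _, user in in_window}
            if len(in_window) >= min_failures and len(users) >= min_users:
                best = flagged.get(ip, (0, 0))
                if len(in_window) > best[0]:
                    flagged[ip] = (len(in_window), len(users))
    return flagged


def likely_compromised(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: the stuffing
    attempts that worked, and the first accounts to force a password reset on."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in flagged and result == "SUCCESS":
            hits.add(user)
    return hits


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", suspects)
    print("accounts to reset:", likely_compromised(SAMPLE_LOG, suspects))
```

The low-and-slow source in the sample stays under the five-minute window, which is why a real deployment pairs a short-window rule like this with longer-horizon counts and with the MFA and password-hygiene measures mentioned above.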

Resources for Vulnerability Management

Swift detection and remediation of application vulnerabilities are key to a secure application landscape, particularly against the backdrop of complex threats, from sophisticated bots to credential stuffing attacks.

Sixty percent of survey respondents (those agreeing or strongly agreeing) express confidence in their organization’s vulnerability management resources. This confidence suggests trust in the effectiveness of their tools, processes, and teams to preemptively address security vulnerabilities.

However, an alarming 40% of organizations say they can’t detect and remediate vulnerabilities in time, leaving them exposed. This group reports gaps in their vulnerability management practices, possibly due to constraints in budget, expertise, or technology.

Improving vulnerability management requires strategic investments in both advanced technology and skill development. Organizations should consider leveraging automated security scanning tools, continuous integration/continuous deployment (CI/CD) pipelines with integrated security checks, and threat intelligence platforms to gain insights into emerging threats. Equally important is fostering a culture of security within development teams, ensuring that security is a priority throughout the application lifecycle, from design to deployment.

Strategies for Application Monitoring

Organizations employ a variety of monitoring techniques to ensure their applications remain resilient against cyber threats. The reliance on firewalls, as indicated by 56% of participants (up from 43% in our 2021 survey), showcases the continued importance of this foundational security measure in protecting applications from unauthorized access and attacks. Meanwhile, 50% of organizations actively monitor applications in production (unchanged since 2021), utilizing threat intelligence to identify and respond to potential security issues in real-time. Endpoint security, mentioned by 36%, highlights the recognition of protecting not just the application environment but also the devices accessing these applications that could serve as entry points for attackers.

To further enhance application security monitoring, organizations should consider integrating security solutions like Web Application Firewalls (WAFs) and automated vulnerability scanning tools. These technologies, coupled with a robust security culture that emphasizes the importance of security at every stage of the application lifecycle, can provide a comprehensive defense mechanism against potential threats.

Adopting WAF Protection

The deployment of Web Application Firewalls (WAFs) across both on-premise and cloud environments is a vital part of modern cybersecurity strategies. A majority of organizations, 67%, use WAFs (up from 46% in 2021), which underscores their effectiveness in safeguarding applications from a wide range of threats, including SQL injection, cross-site scripting (XSS), and other sophisticated attacks that target the application layer.

This high WAF adoption rate reflects a strategic approach to application security and the necessity to protect assets regardless of their deployment environment. This security posture is essential, especially with the rise of hybrid cloud models, ensuring consistent protection across diverse infrastructures.

For the 33% not currently utilizing WAFs, adopting this technology presents an opportunity to strengthen their security framework. Integrating a WAF into security architectures provides an additional layer of defense, offering real-time threat analysis and mitigation capabilities.

A staggering 90% of survey respondents highlight the importance of Web Application Firewalls (WAFs) in securing API workloads, an increase from 79% in 2021, signaling a shift in application security priorities. This consensus reflects a recognition of WAFs’ role in countering modern cyber threats. With APIs serving as vital channels for data exchange and application functionality, they increasingly attract cyber attacks due to their widespread use, potential vulnerabilities, and access to sensitive data.

Ensuring that WAFs can effectively interpret and protect API traffic has become essential to address these security challenges head-on.

API Security Strategies

The survey responses reveal varied approaches to API security, emphasizing the importance of tailored solutions to protect these critical interfaces. API access controls like OAuth, used by 47% of respondents, underscore the importance of robust authentication to restrict API interactions to authorized entities.

Additionally, 44% of organizations rely on application-native security measures, such as API keys and rate limiting, indicating a decentralized approach to safeguarding against abuse. Meanwhile, 37% incorporate API gateway features into their security infrastructure, such as WAFs, to strengthen API protection through network-level controls. The adoption of dedicated API gateways by 28% and API discovery tools by 18% reflects strategies aimed at managing API interactions and uncovering APIs across the digital ecosystem, respectively.

This array of API security measures illustrates the comprehensive and layered defense mechanisms organizations deploy to navigate the complexities of API security more effectively.

Application Security Best Practices

In the face of evolving cyber threats, fortifying application security has never been more important. Below are essential best practices derived from industry insights and survey findings, designed to empower cybersecurity professionals with actionable strategies for enhancing their organization’s defense mechanisms against sophisticated attacks.

IMPLEMENT ROBUST AUTHENTICATION & ACCESS CONTROLS:

Deploy mechanisms like OAuth and multi-factor authentication to ensure application access is restricted to authorized users and systems.

DEPLOY WEB APPLICATION FIREWALLS (WAFS):

Utilize WAFs to protect both on-premise and cloud-hosted applications from a range of threats, aligning with our findings that 67% of organizations use WAFs for comprehensive protection.

SECURE APIS VIGOROUSLY:

Choose a WAF that discovers and protects your APIs as well as your web applications. The significant concern for protecting API workloads is confirmed by 90% of organizations.

MONITOR APPLICATIONS & UTILIZE THREAT INTELLIGENCE ACTIVELY:

Keep a vigilant eye on application performance and potential security threats in real time, a practice adopted by 49% of organizations.

ENCRYPT SENSITIVE DATA DILIGENTLY:

Protect sensitive data through encryption both in transit and at rest. Prioritizing the protection of data, as 43% of respondents did, is crucial in safeguarding against breaches and ensuring privacy.

ASSESS VULNERABILITIES & APPLY PATCHES REGULARLY:

Conduct continuous vulnerability assessments and apply patches promptly to address security flaws.

IMPLEMENT RATE LIMITING & API KEYS:

Utilize rate limiting and API keys for each application to prevent abuse and ensure secure API usage, as indicated by the 44% of organizations that rely on application centric security controls.

DEVELOP A SECURITY-FOCUSED CULTURE:

Foster a security-aware culture within the organization, emphasizing the importance of security best practices across all roles involved in application development, deployment, and use.

By adhering to these best practices, cybersecurity professionals can significantly enhance the security posture of their application footprint, effectively mitigating risks and ensuring a resilient defense against the evolving threat landscape.

Methodology and Demographics

The 2024 Application Security Report is based on a comprehensive global survey of 507 cybersecurity professionals conducted in February 2024, to uncover how cloud user organizations are adopting the cloud, how they see cloud security evolving, and what best practices IT cybersecurity leaders are prioritizing in their move to the cloud. The respondents range from technical executives to IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.

Fortinet (NASDAQ: FTNT) secures the largest enterprises, service providers, and government organizations around the world. Fortinet empowers our customers with complete visibility and control across the expanding attack surface and the power to take on ever-increasing performance requirements today and into the future. Only the Fortinet Security Fabric platform can address the most critical security challenges and protect data across the entire digital infrastructure, whether in network, application, multi-cloud, or edge environments. Fortinet ranks #1 as the company with the most security appliances shipped worldwide and more than 730,000 customers trust Fortinet to protect their businesses. www.fortinet.com

Cybersecurity Insiders brings together 600,000+ IT security professionals and world-class technology vendors to facilitate smart problem-solving and collaboration in tackling today’s most critical cybersecurity challenges.

Our approach focuses on creating and curating unique content that educates and informs cybersecurity professionals about the latest cybersecurity trends, solutions, and best practices. From comprehensive research studies and unbiased product reviews to practical e-guides, engaging webinars, and educational articles – we are committed to providing resources that provide evidence-based answers to today’s complex cybersecurity challenges.

Contact us today to learn how Cybersecurity Insiders can help you stand out in a crowded market and boost demand, brand visibility, and thought leadership presence. 

Email us at info@cybersecurity-insiders.com or visit cybersecurity-insiders.com

 

The post 2024 Application Security Report - Fortinet appeared first on Cybersecurity Insiders.

A recent study by Lineaje has uncovered a startling lack of preparedness among organizations for the upcoming U.S. Cybersecurity & Infrastructure Agency’s (CISA) Secure Software Development Attestation Form deadline. The research, conducted at RSA Conference 2024, reveals that a mere 20% of companies are ready to meet the June 11, 2024, compliance deadline, a critical component of Executive Order (EO) 14028.

EO 14028, which mandates software producers to work with the U.S. government to confirm the deployment of key security practices, has been a focal point following a surge in software supply chain attacks. In 2023, these attacks affected over 2,700 U.S. organizations, marking a 58% increase from the previous year and underscoring the urgency of compliance.

Despite the clear risks and the mandate for Software Bills of Materials (SBOMs) since May 2021, Lineaje’s survey indicates that 84% of companies have yet to implement SBOMs into their development process. This gap in action suggests a disconnect between government cybersecurity efforts and industry implementation.

  • 65% of security professionals are unfamiliar with EO 14028.
  • 56% cite security vulnerabilities as their top concern, yet compliance adherence follows at only 22%.
  • 60% use open-source software, but only 16% are confident in its security.

Budget constraints and staffing shortages are cited as primary barriers to securing software and adopting necessary tools, with 45% pointing to budget limitations and 36% to lack of staffing resources.

This report serves as a wake-up call for the industry to prioritize cybersecurity compliance and awareness, as the consequences of inaction could be dire for both individual organizations and national security at large.

The post Upcoming June 11th CISA Deadline Exposes Widespread Unpreparedness in Software Security Compliance appeared first on Cybersecurity Insiders.

Code Responsibly: Developers’ Blueprint for Secure Coding

Software is more important than ever – our connected world’s beating heart is made of it. Unfortunately, as the importance of software increases, so does the activity of cybercriminals and other bad actors trying to make a profit at the developers’ expense. The Department of Homeland Security has long claimed that 90% of security incidents are a consequence of defects in the design or code of software. Many developers are unarmed against this onslaught – the number of new vulnerabilities discovered in software has been steadily going up each year since 2016 and this trend is showing no signs of slowing down. If anything, the process is accelerating at a worrying rate. But this doesn’t mean the situation is hopeless – far from it! Many of these security problems have been known for a long time and we have a long list of industry best practices to help deal with them. In this eBook we introduce our six rules of secure software development that present the most important things you can do right now to stem the tide.

1. Shift left

The rule of ‘shift left’ has turned into a bit of a buzzword in the last 7-8 years. Like the rest of these six rules, this is not a great revelation or a closely-held secret – in fact, the concept of shift-left testing was originally coined in 2001 in a Dr. Dobb’s article by Larry Smith. Back then, ‘shift left’ referred to testing early and often to find defects as early in the SDLC as possible – literally shifting activities to the left in the V-model of software development.

So, what does this have to do with security?

The idea is simple: move security considerations earlier in the software development lifecycle. Obviously, the earlier a security issue is discovered, the cheaper it is to fix it. Programmers shouldn’t just rely on security experts to “do security stuff” a few weeks before shipping the code; instead, each team member should be actively involved with preventing, finding, and eliminating potential vulnerabilities during development. Of course, this only works if developers actually have the necessary security expertise! This makes understanding the potential threats and best practices (and thus, secure coding) absolutely critical for everyone: all architects, developers, testers and ops folks, not just a few chosen security champions.

2. Adopt a secure development lifecycle approach

It is tempting to deal with software security as an ‘add-on’ to the process: a brief penetration test just before release, or maybe a two-week security review at the end of a project. But as discussed before in the context of shifting left, the later we deal with a security issue, the more expensive it gets. And, unfortunately, a lot of security issues stem from decisions made at an early stage of development such as design or even requirements specification!

We can solve this conundrum by building security in: instead of just ‘doing security’ at a certain point in the development lifecycle, we introduce security activities throughout the entire software development lifecycle (SDLC). This is an established best practice popularized within Microsoft via the MS SDL (Security Development Lifecycle) as well as by security experts via the BSIMM (Build Security In Maturity Model) or the OWASP SAMM (Software Assurance Maturity Model):

  • MS SDL is the most prescriptive of the three – which makes sense, considering it was a process that Microsoft originally developed for internal use in the early 2000s. Its 12 main practices cover security training of all stakeholders, the creation and maintenance of security requirements, threat modeling via data flow diagrams (DFD), secure use of cryptography, managing the risk of third-party components, heavy use of automated tools (SAST, DAST, SCA) and incident response.
  • BSIMM, on the other hand, is a descriptive model. It is released every year, containing data about what companies are doing these days to improve their security and provides a scorecard to measure your company’s security posture. Then you can figure out which of those activities are most reasonable to implement in your specific context. The activities are grouped into 4 domains: Governance (managing a software security initiative with training as one of its three pillars) Intelligence (threat modeling and proactive security guidance), SSDL touchpoints (building security into development via design and code reviews as well as security testing), and Deployment (secure configuration and maintenance).
  • OWASP SAMM is also a prescriptive model, giving concrete guidance in various categories, depending on what maturity level (1 to 3) the company is aiming for in the areas of Governance (improving security at the organizational level via education and guidance, among others), Design (security requirements, secure design and threat modeling), Implementation (secure build and deployment including vulnerability management), Verification (manual and automated security testing and reviews), and Operations (incident response, hardening and patch management).

As for validating the real-world use of these models: the longitudinal analysis in BSIMM 14 (2023) shows that companies are steadily improving their security posture. In particular, after adopting BSIMM, companies tend to implement a secure SDLC, scale it with the development of security champions, create (and enforce) a security policy, and manage the risk of third-party components. The two priorities after these are threat modeling and security training for engineering teams. As a matter of fact, training engineers on security is emphasized in all of the above models: it is the very first practice in SDL and is part of Governance in both BSIMM and SAMM.

As a final note, penetration testing is often brought up as a one-size-fits-all solution. It is true that a quick and focused test to identify vulnerabilities in the system is useful as an ‘acid test’ before release. But over-reliance on penetration testing is quite dangerous, and it is not a real substitute for secure software development! On the other hand, training developers in security is included in each of these secure SDLC models, with good reason.

3. Cover your entire IT ecosystem

When we’re talking about securing code, we don’t just mean the code specifically written by you – but also all third-party code that’s included in the application. Zahan et al. (2022), in “What are Weak Links in the npm Supply Chain?”, point out that 80% of all code in modern software comes from third-party packages! That is a massive attack surface, and ultimately the hackers don’t care where the weak point in the system is and how it got there. If a third-party component is vulnerable, they’ll exploit it just the same – as it happened with the Log4Shell vulnerability at the end of 2021 that impacted almost every Java application – and thus, Java developer – in the world.

Not to mention that it is also lucrative for attackers to perform supply chain attacks: injecting malicious code into one of the open-source packages (or replacing them entirely). This can be difficult to notice if the package in question is, maybe, a forgotten dependency-of-a-dependency-of-a-dependency somewhere. The attack trends support this as well: according to the paper, supply chain attacks against applications (not just talking about npm here!) have increased 650% in 2021 alone. The SolarWinds supply chain attack against the United States government was so impactful it has shaped the country’s cybersecurity strategy as a whole.

These issues are exacerbated in the container world – for example, the ‘Red Kangaroo’ study has found that at the end of 2020, 80% of all images on Docker Hub contained at least one known vulnerability, with 51% of all images containing critical vulnerabilities!

We like to say that

“vulnerabilities in third-party code are not your fault, but they will definitely become your problem”.

You definitely need to have vulnerability management processes in place to identify, assess, and deal with vulnerabilities discovered in any of the program’s dependencies – and a strategy on how to release security patches and even hotfixes if the situation calls for it.

4. Move from reaction to prevention

Discussing code security goes hand in hand with robustness and resilience. Resilience implies a system that is not significantly impacted by failures (limiting the amount of damage they can do, and making it possible to recover from them), while robustness implies a system that anticipates failures and prevents them from happening in the first place. Even though both of these are important, preventing an incident is always better than reacting to an incident after the fact!

There are two philosophies to ensure robustness and resilience that are sometimes said to be opposites of each other: design by contract and defensive programming.

  • Design by Contract (DbC) defines so-called contracts for functions to declare expected preconditions, postconditions and invariants – and works under the assumption that these contracts will not be broken. These contracts are frequently implemented via asserts (not present in production code) and in case there is a failure at runtime, they are typically handled via exceptions. In type-safe languages, DbC may be a built-in feature of the language itself that won’t even allow compilation if the contracts can be violated. Rust is a good example of this.
  • Defensive programming assumes that any interaction with the system may be incorrect, erroneous, or even malicious. To this end, the developer should explicitly implement input validation in functions that process user input of any kind. Input validation means the implementation of checks that verify that the received input corresponds to the developer’s expectations. This should happen in the context of the specific function, “there and then”, right before the input is to be used. If the input fails these checks, it is rejected, so that no piece of code will be executed with unexpected inputs it is not prepared to handle.

Design by contract seems to be better for code efficiency and maintainability – after all, implementing defensive programming techniques requires writing additional code, which adds complexity and is itself a potential source of bugs. But when we look at code security, the goal is to reduce the attack surface and thus guard against intentional misuse, which is exactly what defensive programming provides. Furthermore, reacting to a bad input after it’s already been processed is much more dangerous than proactive input validation that can catch it beforehand. This is recognized by many secure coding standards (see e.g. MISRA C:2023 Directive 4.14).

Just to reiterate: in security, preventing an error is always better than catching the error after it has already happened!

As an example, consider processing an XML document describing a money transfer. Following DbC, we can define a ‘contract’ (an XML schema) and make sure the input conforms to it. This prevents many different attacks (e.g. the attacker duplicating tags, or specifying a negative value for the money transfer). But not every kind of bad input can be covered by a schema. Just a few examples: the attacker can send us a document that references a nonexistent user, performs XXE, contains an invalid transaction date (e.g. 2 years in the future), or performs a cross-site scripting attack against the recipient by specifying a comment like <script>alert(‘hacked’)</script>.

This doesn’t mean that design by contract is bad – in fact, those techniques are very useful, but they need to be combined with defensive programming techniques to effectively protect against vulnerabilities. Whenever code security is concerned, input validation is perhaps the single most critical thing you can do according to experts – it’s the first category in the Seven Pernicious Kingdoms and its improper use comprises the root cause of many other vulnerability types; it is #5 on the OWASP Proactive Controls (OPC) list, and also has its own cheat sheet on OWASP! Even redundancy isn’t necessarily a dirty word here – in fact, validating the same input multiple times (in different parts of the code) is an example of defense in depth, which is an essential protection principle. For example, even if the XML schema ensures that the money transfer value isn’t negative, the function doing the transfer should still have a sanity check on the value to be transferred. We should simply accept that everyone makes mistakes, and the code should always be prepared for that.
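The money-transfer document discussed above, worked through in code as an added example (not from the eBook): a schema-style contract check catches duplicated, missing or nested tags, the defensive checks that follow catch what a schema cannot (unknown users, future dates, markup in the comment, DTD-based tricks such as XXE), and the transfer function re-checks the amount as defense in depth. The user directory, field names, comment allowlist and reference date are assumptions; the sample documents are constructed.

```python
"""Money-transfer XML: contract check plus defensive validation (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

KNOWN_USERS = {"alice", "bob"}                       # hypothetical account directory
REQUIRED_FIELDS = ("from", "to", "amount", "date", "comment")
COMMENT_ALLOWED = re.compile(r"[A-Za-z0-9 .,'-]{0,80}")  # allowlist: no markup characters
REFERENCE_DATE = date(2024, 6, 1)                    # "today" for the constructed samples


class TransferError(ValueError):
    """Raised for any document that fails the contract or a semantic check."""


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: Decimal
    when: date
    comment: str


def check_contract(root):
    """Design-by-contract part: the document must have exactly the agreed shape.
    This is what an XML schema would enforce: it rejects duplicated, missing,
    reordered or nested tags, including a <script> element smuggled into <comment>."""
    if root.tag != "transfer":
        raise TransferError("root element must be <transfer>")
    tags = [child.tag for child in root]
    if tags != list(REQUIRED_FIELDS):
        raise TransferError(f"unexpected structure {tags}")
    for child in root:
        if len(child):
            raise TransferError(f"<{child.tag}> must not contain child elements")


def parse_transfer(xml_text, today=REFERENCE_DATE):
    """Defensive part: validate 'there and then', before any value is used.
    In production pass today=date.today()."""
    # Refuse DTDs outright, so no entity declaration (XXE, entity expansion) reaches the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise TransferError("DTD declarations are not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise TransferError(f"malformed XML: {exc}") from None
    check_contract(root)
    f = {child.tag: (child.text or "").strip() for child in root}

    # Checks a schema cannot express: referenced users must exist and differ.
    if f["from"] not in KNOWN_USERS or f["to"] not in KNOWN_USERS:
        raise TransferError("unknown user")
    if f["from"] == f["to"]:
        raise TransferError("sender and recipient must differ")
    try:
        amount = Decimal(f["amount"])
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise TransferError("amount must be positive with at most two decimals")
    try:
        when = date.fromisoformat(f["date"])
    except ValueError:
        raise TransferError("date is not ISO formatted") from None
    if when > today:
        raise TransferError("transaction date lies in the future")
    if not COMMENT_ALLOWED.fullmatch(f["comment"]):   # rejects e.g. <script>...</script>
        raise TransferError("comment contains disallowed characters")
    return Transfer(f["from"], f["to"], amount, when, f["comment"])


def execute_transfer(t, balances):
    """Defense in depth: re-check the amount even though parse_transfer already did,
    so this function stays safe if it is ever reached through another code path."""
    if not isinstance(t.amount, Decimal) or t.amount <= 0:
        raise TransferError("refusing non-positive transfer")
    if balances.get(t.sender, Decimal("0")) < t.amount:
        raise TransferError("insufficient funds")
    balances[t.sender] -= t.amount
    balances[t.recipient] = balances.get(t.recipient, Decimal("0")) + t.amount
    return balances


def try_parse(xml_text, today=REFERENCE_DATE):
    """'ok' if the document is accepted, otherwise the rejection reason."""
    try:
        parse_transfer(xml_text, today)
        return "ok"
    except TransferError as exc:
        return f"rejected: {exc}"


# Constructed sample documents, one per attack discussed in the text.
VALID_DOC = ("<transfer><from>alice</from><to>bob</to><amount>25.00</amount>"
             "<date>2024-03-01</date><comment>Lunch</comment></transfer>")
NEGATIVE_DOC = VALID_DOC.replace("25.00", "-25.00")
DUPLICATE_TAG_DOC = VALID_DOC.replace("<to>bob</to>", "<to>bob</to><to>alice</to>")
UNKNOWN_USER_DOC = VALID_DOC.replace("bob", "mallory")
FUTURE_DATE_DOC = VALID_DOC.replace("2024-03-01", "2026-01-01")
XSS_TEXT_DOC = VALID_DOC.replace("Lunch", "&lt;script&gt;alert('hacked')&lt;/script&gt;")
XSS_ELEMENT_DOC = VALID_DOC.replace("Lunch", "<script>alert('hacked')</script>")
DTD_DOC = '<!DOCTYPE transfer [<!ENTITY x "expanded">]>' + VALID_DOC.replace("Lunch", "&x;")

if __name__ == "__main__":
    for name, doc in [("valid", VALID_DOC), ("negative", NEGATIVE_DOC), ("dup", DUPLICATE_TAG_DOC),
                      ("user", UNKNOWN_USER_DOC), ("future", FUTURE_DATE_DOC),
                      ("xss-text", XSS_TEXT_DOC), ("xss-elem", XSS_ELEMENT_DOC), ("dtd", DTD_DOC)]:
        print(f"{name:9} {try_parse(doc)}")
    print(execute_transfer(parse_transfer(VALID_DOC), {"alice": Decimal("100")}))
```

Note that the two XSS variants are stopped by different layers: the raw `<script>` element fails the contract check, while the entity-escaped text passes the parser and is only caught by the comment allowlist, which is exactly why both layers are needed.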

5. Mindset matters more than tech

If you ask anyone “what do you do to prevent cyberattacks?”, it is likely the answer will be “firewalls and IDS”. It’s true that web application firewalls and intrusion detection systems are important (see A9 in the OWASP Top Ten 2021!), but they won’t solve the problem of vulnerable code. They may mitigate the effects of already existing vulnerabilities and make exploitation of these vulnerabilities more difficult, but even in that arena the attackers are constantly coming up with new ways to get around perimeter defenses (e.g. Server-side Request Forgery aka SSRF) and evade WAF filters to deliver their payload.

As a matter of fact, no firewall could stop the exploitation of zero-days like Heartbleed or Log4Shell before it was already too late.

But how do we deal with vulnerable code, especially in codebases that have been around for decades?

The sheer amount of code that developers must deal with is increasing rapidly. Sourcegraph’s The Emergence of Big Code (2020) shows that developers have to work with remarkably more code than ever before: 51% of participants claimed the amount of code at a company has increased by a factor of 100 compared to the previous 10 years, and over 90% of them said coding velocity and the value of the code itself has also increased drastically. In order to find, fix, and prevent vulnerabilities, developers need to be responsible for them and take ownership of the code in question – that can be a challenge by itself in these massive code bases.

And then there is legacy code…

Some companies are looking at AI to solve this problem by automatically identifying vulnerabilities or just making sure all code is secure. Putting aside the nascent and vulnerable nature of machine learning applications, this ultimately relies on these AIs being able to write secure code by default. But right now, that goal is far out of reach. Let’s face it: we’re still light-years away from achieving flawless AI-generated code. Consider that the models are mainly trained on the ‘wisdom of the masses’: open-source projects and popular third-party Q&A sites such as Stack Overflow. Such sources have been hotbeds of vulnerable code examples in the past (see Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security, Fischer et al., 2017).

As always: garbage in means garbage out.

On the other hand, it doesn’t help to put the responsibility for security on developers’ shoulders while failing to give them the necessary resources and support for it.

Bruce Schneier pointed out in 2019 that even though 68% of security professionals believe it’s a programmer’s job to write secure code, they also think less than half of them can actually spot security holes.

GitLab’s yearly Global Developer Report from 2022 underscored this as well: as DevOps transforms into DevSecOps, security is becoming the #1 concern. More importantly, now that 43% of “Sec” teams are fully responsible for security, despite the vast variety of tools at their disposal they feel much less optimistic and confident about this responsibility than the “Dev” and “Ops” parts of the triad (56% vs 76%!). Automation is not going to solve the problem by itself. It isn’t a coincidence that DevSecOps folks sometimes call SAST tools “False Positives as a Service”.

Tools are handy and valuable, but there is no substitute for human expertise.

6. Invest in secure coding training

As we’ve seen so far, there are two challenges in cybersecurity today: how to deal with issues from the past (unknown vulnerabilities in existing code, legacy code, and third-party code) and how to deal with issues in the future (vulnerabilities in all code written by the developers from this point on).

For the first question, we have lots of answers: various code analyzers, testing tools, and vulnerability management. However, for the second question, the only realistic answer is writing code that is free of such vulnerabilities. And that’s not something a tool can do for us.

The only solution is education: making developers aware of these security problems in all phases of the SDLC and giving them the necessary mindset and skills so they will be able to avoid them (and spot them in existing code).

This is also well reflected in real-world numbers. Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey (Gasiba et al., 2021) indicates that over half of developers are not aware of secure coding guidelines and issues; furthermore, developers overestimate their awareness of security issues, leading to a false sense of security.

The best method to address this discrepancy is through secure coding education supported with hands-on exercises. Developers need to see vulnerable code in action, see the (often devastating) consequences of vulnerability exploitation, and then actually fix the vulnerable code themselves. Only this way will they acquire the needed skills and fully understand and retain knowledge about these vulnerabilities.

CTF – Capture the flag

Capture the flag (CTF) events and platforms are popping up as a popular alternative in this area. CTFs are popular when it comes to improving the offensive skills of cyber security experts: they are fun (and gamified out-of-the-box), they provide realistic hacking scenarios, and they help establish the ‘hacker mindset’. But when it comes to defensive best practices and establishing company-wide secure coding initiatives, they have pretty clear deficiencies compared to real training: a relative inability to cater to developers without prior experience in security, weak (or even negative) motivation for developers less interested in competition, and poor coverage of ‘less cool’ (but still critically important) security issues.

Sometimes microlearning is also brought up as a possible solution: teaching about security issues in small bite-sized (even just 5- or -minute) videos or brief activities that programmers can check when they first encounter such an issue or just during their free time (if such a thing exists at all). But secure coding is one of the areas where this doesn’t really work. As per Amy Fox’s 2016 article Microlearning for Effective Performance Management:

“Microlearning is not a panacea for every training need. If an employee is learning something for the first time, particularly a complex skill, individual coaching or another form of more intensive training may be best. Microlearning often is best used for reinforcement to help learning stick and to build up employees’ skills.”

In the context of secure coding, microlearning can be effective only as a reinforcement technique once developers already know about vulnerabilities and best practices – in other words, once they have already taken part in an in-depth training course.

And that’s exactly what we believe in: with blended learning, developers should first establish a deep foundation for secure coding in their programming language(s) of choice via an instructor-led training course. And once this is achieved, they can follow it up with regular monthly ‘bite-sized’ e-learning modules to keep their skills sharp and up to date.

Finally, a note about gamified capture the flag (CTF) events and platforms. CTFs are popular when it comes to improving the skills of cyber security experts: they are fun (and gamified out-of-the-box), they provide realistic hacking scenarios, and they help establish the ‘hacker mindset’. But when it comes to learning about secure coding, they have pretty clear deficiencies compared to blended learning: they tend to focus on ‘fun’ attack scenarios and thus ignore many common vulnerability types, they aren’t adaptive to the needs of individual participants, and their competitive aspects can actually have a negative effect on motivation. On the other hand, blended learning also drives high engagement without having to lose the benefits of gamification. If you’re interested in the details, we have analyzed these limitations in a separate article: CTF in secure coding education – a critical look.

About Cydrill

Established in 2019 and recognized by Enterprise Security in 2021 as one of the top companies shaping the cybersecurity landscape, Cydrill is on a mission to tackle the root cause of poor cyberdefense: inadequate coding practices.

Cydrill’s blended learning journey provides training in proactive and effective secure coding for developers from Fortune 500 companies all over the world. By combining instructor-led training, e-learning, hands-on labs, and gamification, Cydrill provides a novel and effective approach to learning how to code securely.

Learn more about our courses and learning environment.

The post The six rules of secure software development appeared first on Cybersecurity Insiders.

The Safous Zero Trust Access (ZTA) solution emerges as a comprehensive cybersecurity platform, designed to tackle the growing challenges enterprises face in protecting digital assets in an increasingly interconnected and dynamic world. With the rise of remote work, BYOD policies, and sophisticated cyber threats, the demand for robust, flexible security solutions is more critical than ever.

Safous ZTA steps into this evolving landscape with a secure, identity-based access management solution that embodies the principles of the Zero Trust model. It addresses key concerns such as data breaches, unauthorized access, and the complex management of hybrid work environments. Safous ZTA enhances security while also streamlining user experience and administration, offering a solution that balances stringent security requirements with operational efficiency.

CYBERSECURITY TRANSFORMATION

The cybersecurity landscape is witnessing a significant transformation, driven by the adoption of cloud computing, the decentralization of network perimeters, and the increasing sophistication of cyberattacks. The inadequacies of traditional security measures, such as VPNs, are becoming apparent, marked by scalability issues, vulnerability due to the outdated castle-and-moat security model, and a lack of agility in adapting to new technological challenges. Zero Trust solutions, exemplified by the Safous ZTA platform, rise to meet these challenges, providing a scalable, secure, and agile framework that aligns with the needs of contemporary remote work and cloud adoption, thereby ensuring robust protection for modern workforces.

PRODUCT OVERVIEW 

Safous ZTA is an all-in-one platform that offers secure access management across various users, devices, and locations. By leveraging cloud technology, Safous ensures seamless and secure connections to enterprise applications and data. Its suite of features, including Multi-Factor Authentication (MFA), Single Sign-On (SSO), both agentless and agent-based access, and comprehensive audit trails, enables Safous ZTA to accommodate a broad spectrum of use cases, including BYOD, legacy application security, third-party, and inter-company access. What sets Safous apart is its unique blend of adaptability, comprehensive security features, and commitment to data sovereignty, positioning it as a superior choice for enterprises seeking to fortify their defenses with Zero Trust principles.

KEY VALUE AND BENEFITS 

Safous ZTA offers a holistic approach to cybersecurity, designed to meet the dynamic requirements of modern enterprises through its versatile and comprehensive security framework.

Key highlights include: 


• Robust Access Control and Compliance: Safous ZTA champions identity-based access control, adhering to Zero Trust principles to ensure that only authenticated and authorized users gain access to resources. This strict verification approach not only enhances security but also streamlines compliance and operational productivity, making it easier for organizations to manage user access and compliance reporting.

• Adaptable Security for Modern Workforces: Safous’s support for both agentless and agent-based access accommodates various devices and environments, including BYOD setups. This flexibility, combined with features like continuous authentication and role-based access control, provides enhanced security for remote and hybrid work models, ensuring adaptability without compromising on security.

• Advanced Security Features: The platform distinguishes itself with comprehensive security features such as advanced data control, session recording, and supervised access. These capabilities not only assist in preventing data leaks and breaches but also in minimizing the organization’s attack surface through application-level access control and Remote Browser Isolation (RBI).

• Scalability and Security Synergy: The inherent flexibility and scalability of Safous ZTA support a wide array of devices and user scenarios, including BYOD policies. This ensures that as organizations grow and evolve, their security measures can adapt accordingly, offering robust protection across the enterprise.

TRUE ZERO TRUST ARCHITECTURE 

The Zero Trust model, recognized increasingly as a standard in cybersecurity, addresses the limitations of traditional security perimeters by ensuring access is granted based on stringent authentication, validation, and authorization. Safous ZTA leverages this architecture to enhance remote work security, defend against sophisticated cyber-attacks, and safeguard cloud applications, epitomizing a “True Zero Trust” approach through comprehensive security and compliance features.

1. Data Sovereignty and Security: By not storing any customer data in the Safous cloud and instead keeping it in the customer’s location, Safous upholds the highest standards of data sovereignty and security, aligning with the Zero Trust principle of minimizing exposure and risk.

2. Enhanced Authentication and Access Control: The integration of Multi-Factor Authentication (MFA), device authentication, and Single Sign-On (SSO) across any application or system strengthens user verification processes. This ensures that access is securely managed and granted only to authenticated and authorized users, further embodying the Zero Trust ethos of “never trust, always verify.” 

3. Compliance Enablement: Safous’s capability to enable advanced compliance requirements demonstrates its commitment to meeting the stringent regulatory standards that govern data protection and privacy. This aspect is crucial for organizations navigating the complex landscape of global compliance mandates, ensuring they can achieve and maintain compliance through robust security controls.

Together, these elements form the core of Safous’s True Zero Trust model, offering a secure, compliant, and user-friendly solution that protects against modern cyber threats while facilitating seamless access to digital resources. By consolidating various security functions into a single platform, Safous simplifies the management of high-risk access scenarios. This unified approach not only reduces the complexity and potential for security gaps but also enhances the overall security posture with a comprehensive set of tools designed to protect against advanced threats.

ALL-IN-ONE SOLUTION FOR HIGH-RISK ACCESS 

Safous’s all-encompassing approach to cybersecurity positions it as a versatile and comprehensive solution for high-risk access, meeting the varied and evolving needs of modern digital enterprises:

• Comprehensive Access Options: The platform’s support for both agentless and agent-based access ensures flexibility and coverage for various user scenarios and device types, making it adaptable to the specific security requirements of IT, IaaS, SaaS, and OT environments.

• Versatile Deployment: With options for cloud and on-premises setup, Safous is designed to seamlessly integrate into any infrastructure, supporting hybrid work models by offering secure access regardless of where users or resources are located.

• Extended Enterprise Security: Safous addresses the challenges of third-party and Bring Your Own Device (BYOD) access by providing secure pathways for external vendors and employees’ personal devices, thereby extending the enterprise security perimeter without compromising the integrity of internal networks.

• Collaboration Across Boundaries: The solution facilitates secure inter-company access, enabling organizations to collaborate more efficiently while maintaining stringent security measures. This capability is essential for businesses that rely on close partnerships and need to share resources securely with other entities.

• Legacy Application Protection: Recognizing the challenges that legacy applications pose to modern security architectures, Safous ensures these applications are securely accessible. This protection is vital for organizations relying on older systems that may not natively support contemporary security protocols.

ADVANCED AI AND OT THREAT DEFENSE 

Additionally, Safous ZTA demonstrates its forward-thinking approach by addressing emerging threats from advanced AI and the unique security challenges of operational technology (OT) environments:

• Safous addresses the increasing risks from supply chain attacks and third-party breaches through its secure access capabilities.

• The platform provides secure pathways for external vendors, suppliers, and partners to access enterprise resources without compromising internal networks.

• Stringent access controls, auditing, and monitoring ensure visibility into third-party interactions, mitigating potential supply chain vulnerabilities.

• Safous enables secure inter-company collaboration while maintaining robust security postures across organizational boundaries.

ADAPTING SECURITY TO COMBAT AI-BASED THREATS  

By adhering to the core principle of “never trust, always verify,” Safous ensures continuous monitoring and evaluation of all network interactions, regardless of origin, thereby enabling the early detection of abnormal behavior or access patterns through AI and machine learning algorithms. By implementing strict access controls, minimizing privilege levels, and enforcing micro-segmentation, Zero Trust significantly reduces the attack surface, making it harder for AI-driven attacks to proliferate or move laterally across the network. Furthermore, enhanced authentication methods, including multi-factor authentication and behavioral analysis, strengthen defenses against sophisticated AI threats. This proactive and comprehensive security posture ensures that even the most advanced AI threats are identified and mitigated promptly, safeguarding critical data and systems effectively within a Zero Trust environment.

ROBUST OT AND REMOTE PRIVILEGED ACCESS MANAGEMENT (RPAM) 

Safous provides comprehensive Remote Privileged Access Management (RPAM) capabilities, securing remote privileged access for both IT and Operational Technology (OT) environments.

Its advanced authentication, access controls, and oversight functionalities make it well-suited for securing critical OT systems and cyber-physical systems (CPS). By replacing or augmenting traditional remote access tools, Safous enhances security for organizations operating CPS, where cyber threats can have catastrophic consequences. The platform streamlines secure remote access for third-party vendors and contractors, a crucial requirement for industrial enterprises relying on external support.

COMPREHENSIVE ANTI-DATA-LEAKAGE FEATURES

Safous’s robust security architecture is fortified by comprehensive anti-data-leakage features, integrating flexible access and data control mechanisms to prevent unauthorized disclosure and maintain the integrity of critical data:


• Privileged Access Management: By tightly controlling privileged accounts, Safous minimizes the risk of security breaches that could lead to data leakage, ensuring only authorized users have access to critical systems and data.

• MFA/SSO and Integration with Identity Providers (IdPs): Multi-Factor Authentication (MFA) and Single Sign-On (SSO) capabilities ensure a robust authentication process. MFA enhances security by requiring multiple forms of verification from users, while SSO simplifies the user experience by allowing a single set of credentials to access multiple applications. Integration with Identity Providers (IdPs), including local IdP, LDAP/MS Active Directory, and any SAML/OpenID IDaaS (such as AzureAD, Okta, etc.), facilitates seamless identity management and provisioning.

• Audit Trail: Maintaining a detailed record of all system and user activities, Safous’s audit trails enhance visibility and accountability, allowing for the quick identification and response to potential security incidents that could result in data leakage. Safous also enables the close monitoring of users considered to be of low trust, ensuring that their actions do not compromise data security and are in compliance with organizational policies.

• Recording of Critical Sessions: By capturing video recordings of critical sessions, Safous provides an additional layer of security and oversight, allowing organizations to review and analyze user actions retrospectively for signs of mishandling or unauthorized data access.

• Web Browsing Isolation: Safous’s browser isolation feature prevents data leakage by isolating the browsing session from the end user’s device, thereby ensuring that any malicious content encountered online does not reach the corporate network or endpoints.

EASY IMPLEMENTATION 

Implementing Safous Zero Trust Access is straightforward and hassle-free, involving a simple two-step process that begins with the installation of the App Gateway. This gateway acts as a centralized control hub for managing critical functions like user authentication and application access. Following this, configuring your policies is made easy through the Safous portal, requiring no additional software. The solution is browser-based and agentless, making it not only easy to deploy but also to scale according to your organization’s needs, emphasizing its user-friendly approach to robust cybersecurity.

CONCLUSION 

Safous Zero Trust Access emerges as a holistic and future-proof cybersecurity solution tailored to the evolving needs of modern enterprises. By upholding true Zero Trust principles, implementing robust anti-data-leakage mechanisms, and offering advanced capabilities to protect against unauthorized-access attacks that often stem from accounts leaked through phishing, Safous ZTA indirectly shields against some of these emerging threats and positions itself as an indispensable partner in fortifying digital defences. It proactively addresses the growing risks from supply chain attacks and third-party breaches through its secure access capabilities for the extended enterprise. By fortifying the security perimeter and fostering secure collaboration, Safous enables organizations to confidently embrace partnerships and third-party integrations while safeguarding against potential supply chain vulnerabilities. As technology landscapes transform, Safous remains committed to continuous innovation, ensuring its platform remains resilient and adaptive in the face of emerging cybersecurity challenges.

The post SAFOUS ZERO TRUST ACCESS – Comprehensive Cybersecurity for the Modern Enterprise appeared first on Cybersecurity Insiders.

In today’s digital landscape, the security of application code is paramount to protect sensitive data, prevent unauthorized access, and safeguard against cyber threats. As technology advances, so do the techniques used by malicious actors to exploit vulnerabilities in software. Therefore, developers must implement robust security measures to fortify their application code against potential attacks.

Here are some best practices and strategies to enhance the security of application codes:

1. Secure Coding Standards: Adhering to secure coding standards is the foundation of building secure applications. Developers should follow established guidelines such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) to mitigate common vulnerabilities like injection attacks, cross-site scripting (XSS), and insecure deserialization.

2. Input Validation and Sanitization: Validate and sanitize all user inputs to prevent injection attacks, such as SQL injection and XSS. Use input validation techniques such as white-listing and regular expressions to ensure that only expected data formats are accepted, thereby reducing the risk of malicious input.

3. Authentication and Authorization: Implement strong authentication mechanisms, such as multi-factor authentication (MFA) and OAuth, to verify the identity of users accessing the application. Additionally, enforce proper authorization controls to restrict access to sensitive resources based on user roles and privileges.

4. Data Encryption: Encrypt sensitive data both at rest and in transit to prevent unauthorized access. Utilize strong encryption algorithms and secure key management practices to safeguard data confidentiality. Implement Transport Layer Security (TLS) protocols for secure communication between the application and its clients.

5. Secure Configuration Management: Maintain secure configurations for all components of the application stack, including web servers, databases, and third-party libraries. Disable unnecessary services, apply patches promptly, and configure security settings according to industry best practices to reduce the attack surface.

6. Secure Development Lifecycle (SDLC): Integrate security into every phase of the software development lifecycle, from design and development to testing and deployment. Conduct regular security assessments, code reviews, and penetration testing to identify and remediate security vulnerabilities early in the development process.

7. Dependency Management: Monitor and manage dependencies on third-party libraries and components to mitigate the risk of supply chain attacks. Keep dependencies up-to-date by applying security patches and conducting periodic vulnerability scans to detect and remediate known vulnerabilities.

8. Error Handling and Logging: Implement robust error handling mechanisms to gracefully handle exceptions and prevent information leakage that could aid attackers. Utilize centralized logging and monitoring solutions to track and analyze application logs for signs of security incidents or abnormal behavior.

9. Security Training and Awareness: Provide security training and awareness programs for developers to educate them about common security threats and best practices. Foster a security-conscious culture within the development team to prioritize security throughout the software development lifecycle.

10. Continuous Improvement: Embrace a culture of continuous improvement by regularly evaluating and enhancing the security posture of the application code. Stay informed about emerging security threats and evolving best practices to adapt and respond effectively to new challenges.
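Items 2 and 8 above are easiest to see in code. The following is an added example, not code from the article: a Python request handler that accepts only allow-listed usernames and roles, queries an in-memory SQLite table with parameterized statements, and maps every failure to a response that reveals nothing about the internals (a correlation reference instead of a stack trace). The table schema, the username pattern, the role set and the sample rows are all constructed for this illustration.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("app")

# Allow-list validation: describe the only shapes that are acceptable (constructed rules).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
ALLOWED_ROLES = {"viewer", "editor", "admin"}


class ValidationError(ValueError):
    """Input failed the allow-list; the message is written to be safe to return to the caller."""


def validate_username(value):
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValidationError("username must be 3-32 chars: a lowercase letter then [a-z0-9_]")
    return value


def make_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "viewer")])
    return conn


def add_user(conn, username, role):
    name = validate_username(username)
    if role not in ALLOWED_ROLES:  # allowed values, not a deny-list of bad ones
        raise ValidationError("role must be one of: " + ", ".join(sorted(ALLOWED_ROLES)))
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, role))  # parameterized insert
    return name


def find_role_unsafe(conn, username):
    # String concatenation: the injection pattern the article warns about. Kept only so
    # compare_quote_handling() can contrast it with the parameterized version below.
    row = conn.execute("SELECT role FROM users WHERE name = '" + username + "'").fetchone()
    return row[0] if row else None


def find_role_safe(conn, username):
    # Parameterized query: the driver binds the value, so it is never parsed as SQL.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def compare_quote_handling(conn, username="o'brien"):
    """A harmless name with an apostrophe breaks the concatenated query but not the bound one."""
    safe = find_role_safe(conn, username)
    try:
        find_role_unsafe(conn, username)
        unsafe_error = False
    except sqlite3.Error:
        unsafe_error = True
    return {"safe": safe, "unsafe_error": unsafe_error}


def lookup_role(conn, username):
    """Handler-style flow: validate, query, and map every failure to a non-leaking response."""
    try:
        name = validate_username(username)
        role = find_role_safe(conn, name)
        if role is None:
            return {"status": 404, "body": {"error": "not found"}}
        return {"status": 200, "body": {"user": name, "role": role}}
    except ValidationError as exc:
        return {"status": 400, "body": {"error": str(exc)}}
    except Exception:
        ref = uuid.uuid4().hex[:12]  # correlation id that links the response to the log line
        log.exception("lookup failed ref=%s", ref)  # stack trace stays server-side
        return {"status": 500, "body": {"error": "internal error", "ref": ref}}
```

The comparison function shows why concatenation is wrong even for a perfectly legitimate name containing an apostrophe: the concatenated query breaks because the input is parsed as SQL, while the bound parameter is treated purely as data. The generic exception path logs the full trace server-side under a random reference and returns only that reference to the caller, so an operator can find the log line without the client ever seeing internal details.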

By incorporating these best practices and strategies into the development process, organizations can significantly enhance the security of their application code and mitigate the risk of security breaches and cyber attacks. Remember, security is not a one-time effort but an ongoing commitment to protecting sensitive data and preserving the integrity and trustworthiness of applications in an increasingly interconnected world.

The post Enhancing Application Code Security: Best Practices and Strategies appeared first on Cybersecurity Insiders.

Application Security Posture Management

Accelerating the Remediation of Vulnerabilities From Code To Cloud

Written by Eric Sheridan, Chief Innovation Officer, Tromzo

In this guest blog post by Eric Sheridan, Chief Innovation Officer at valued Rapid7 partner Tromzo, you’ll learn how Rapid7 customers can utilize ASPM solutions to accelerate triaging, prioritization and remediation of findings from security testing products such as InsightAppSec and InsightCloudSec.

Application Security’s Massive Data Problem

Application Security teams have a massive data problem. With the widespread adoption of cloud native architectures and increasing fragmentation of development technologies, many teams amass a wide variety of specialized security scanning tools. These technologies are highly specialized, designed to carry out comprehensive security testing as a means of identifying as many vulnerabilities as possible.

A natural byproduct of their deployment at scale is that, in aggregate, application security (appsec) teams are presented with thousands – if not millions – of vulnerabilities to process. If you’re going to deploy advanced application security testing solutions, then of course a significant amount of vulnerability data is going to be generated. In fact, I’d argue this is a good problem to have. It’s like the old saying goes: You cannot improve what you cannot measure.

Here’s the kicker though: given a backlog of, let’s say, 200k vulnerabilities with a severity of “critical” across the entire product stack, where do you start your remediation efforts and why? Put another way: is this critical more important than that critical? Answering this question requires additional context, which is often obtained manually by appsec teams. And how do you then disseminate that siloed vulnerability and track its remediation workflow to resolution? And can you replicate that for the other 199,999 critical vulnerabilities? This is what I mean when I say appsec teams have a massive data problem. Accelerating remediation, reducing risk, and demonstrating ROI requires us to be able to act on the data we collect at scale.

Introducing Application Security Posture Management

Overcoming Application Security’s massive data problem requires a completely new approach to how we operationalize vulnerability remediation, and this is exactly what Application Security Posture Management (ASPM) is designed to solve. In a recent Innovation Insight, Gartner defined ASPM as follows:

“Application security posture management analyzes security signals across software development, deployment and operation to improve visibility, better manage vulnerabilities and enforce controls. Security leaders can use ASPM to improve application security efficacy and better manage risk.” - Gartner

Obtaining and analyzing “security signals” requires integrations with various third party technologies as a means of deriving the context necessary to better understand the security implications of vulnerabilities within your enterprise and its environment. To see this in action, let’s revisit the question: “Is this critical more important than that critical?” A robust ASPM solution will provide you context beyond just the vulnerability severity as reported by the security tool. Is this vulnerability associated with an asset that is actually deployed to production? Is the vulnerability internet-facing or internal only? Does either of these vulnerable assets process sensitive data, such as personally identifiable information (PII) or credit card information? By integrating with third party services such as Source Code Management systems and Cloud runtime environments, for example, ASPM is able to enrich vulnerabilities so that appsec teams can make more informed decisions about risk. In fact, with this additional context, an ASPM helps Application Security teams identify those vulnerabilities representing the greatest risk to the organization.

Identifying the most significant vulnerabilities is only the first step, however. The second step is automating the remediation workflow for those vulnerabilities. ASPM enables the scalable dissemination of security vulnerabilities to their respective owners via integration with the ticketing and work management systems already in use by your developers today. Better yet, Application Security teams can monitor the remediation workflow of vulnerabilities to resolution all from within the ASPM. From a collaboration perspective, this is a massive win-win: development teams and appsec teams are able to collaborate on vulnerability remediation using their own respective technologies.

When you put all of this together, you’ll come to understand the greatest value-add provided by ASPM and realized by our customers at Tromzo:

ASPM solutions accelerate the triage and remediation of vulnerabilities representing the greatest risk to the organization at scale.

ASPM Core Capabilities

Effectively delivering on an integrated experience that accelerates the triage and remediation of vulnerabilities representing the greatest risk requires several core capabilities:

  1. The ability to aggregate security vulnerabilities across all scanning tools without impeding your ability to use the best-in-class security testing solutions.
  2. The ability to integrate with and build context from development tools across the CI/CD pipeline.
  3. The ability to derive relationships between the various software assets and security findings from code to cloud.
  4. The ability to express and overlay organizational- as well as team-specific security policies on top of security vulnerabilities.
  5. The ability to derive actions and insights from this metadata that help prioritize and drive to remediation the most significant vulnerabilities.

Doing this effectively requires a tremendous amount of data, connectivity, analysis, and insight. With integrations across 70+ tools, Tromzo is delivering a best-in-class remediation ASPM solution.
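As an added illustration of the enrichment and prioritization described above (this is example code, not Tromzo’s, Rapid7’s or any ASPM product’s implementation), the following Python script takes findings from several scanners, normalizes their severity labels onto one scale, enriches each with constructed asset context (deployed to production, internet-facing, handles PII) and a CODEOWNERS-style owner lookup, and ranks them. The scoring weights, tool labels, asset attributes and ownership rules are all assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Environment context that an ASPM would pull from cloud and SCM integrations (constructed)."""
    name: str
    deployed_to_prod: bool
    internet_facing: bool
    handles_pii: bool


@dataclass(frozen=True)
class Finding:
    """One vulnerability as reported by a scanner, in that scanner's own severity taxonomy."""
    id: str
    tool: str
    tool_severity: str
    asset: str
    path: str


# One severity taxonomy across tools: each vendor label maps onto a single 0-4 scale.
SEVERITY_MAP = {"critical": 4, "p1": 4, "high": 3, "p2": 3,
                "medium": 2, "p3": 2, "low": 1, "p4": 1, "info": 0}

# Constructed CODEOWNERS-style rules; the longest matching path prefix wins.
CODEOWNERS = {"services/payments/": "team-payments",
              "services/": "team-platform",
              "web/": "team-frontend"}


def normalize_severity(label):
    return SEVERITY_MAP.get(label.strip().lower(), 0)


def resolve_owner(path, rules=CODEOWNERS):
    matches = [(len(prefix), owner) for prefix, owner in rules.items() if path.startswith(prefix)]
    return max(matches)[1] if matches else None


def risk_score(finding, assets):
    """Context-adjusted score: the vendor severity is only the starting point."""
    base = normalize_severity(finding.tool_severity)
    asset = assets.get(finding.asset)
    if asset is None or not asset.deployed_to_prod:
        return base  # unknown or undeployed asset: no uplift beyond the raw severity
    score = base * 10
    if asset.internet_facing:
        score += 20
    if asset.handles_pii:
        score += 15
    return score


def prioritize(findings, assets):
    """Enrich every finding with owner and score, highest risk first (ties broken by id)."""
    enriched = [{"id": f.id, "tool": f.tool, "severity": normalize_severity(f.tool_severity),
                 "score": risk_score(f, assets), "owner": resolve_owner(f.path)}
                for f in findings]
    return sorted(enriched, key=lambda e: (-e["score"], e["id"]))


# Constructed sample data: two "critical" findings and one "high" from different tools.
SAMPLE_ASSETS = {
    "payments-api": Asset("payments-api", deployed_to_prod=True, internet_facing=True, handles_pii=True),
    "admin-tool": Asset("admin-tool", deployed_to_prod=False, internet_facing=False, handles_pii=False),
    "marketing-site": Asset("marketing-site", deployed_to_prod=True, internet_facing=True, handles_pii=False),
}
SAMPLE_FINDINGS = [
    Finding("F-1", "dast-scanner", "Critical", "payments-api", "services/payments/api.py"),
    Finding("F-2", "sca-scanner", "P1", "admin-tool", "services/admin/tool.py"),
    Finding("F-3", "cloud-scanner", "High", "marketing-site", "web/index.js"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(row)
```

The scoring deliberately lets a “High” on an internet-facing production service outrank a “Critical” on an asset that is not deployed anywhere; the weights themselves are arbitrary here and in practice would be set by the organizational policy referred to in capability 4 above. The owner column is what turns a ranked list into something that can be routed through a ticketing system to the team that owns the risk.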

How Rapid7 Customers Benefit from an ASPM Solution

By its very nature, ASPM fulfills the need for automation and efficiency of vulnerability remediation via integration across various security testing solutions and development technologies. With efficiency comes real cost savings. Let’s take a look at how Rapid7 customers can realize operational efficiencies using Tromzo.

Breaking Down Security Solution Silos

Rapid7 customers are already amassing best-in-class security testing solutions, such as InsightAppSec and InsightCloudSec. ASPM enables the integration of not only Rapid7 products but all your other security testing products into a single holistic view, whether it be Software Composition Analysis (SCA), Static Application Security Testing (SAST), Secrets Scanning, etc. This effectively breaks down the silos and the operational overhead of individually managing these stand-alone tools. You’re freeing yourself from the need to analyze, triage, and prioritize data from dozens of different security products with different severity taxonomies and different vulnerability models. Instead, it’s: one location, one severity taxonomy, and one data model. This is a clear win for operational efficiency.
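What “one severity taxonomy and one data model” looks like in practice is easier to see in code than in prose. The following is an added example, not Tromzo’s or Rapid7’s code: three small adapters translate the vocabularies of an SCA tool (CVSS scores), a SAST tool (ERROR/WARNING/NOTE levels) and a secrets scanner (verified vs. unverified) into a single `Finding` model, and a tool-independent fingerprint collapses the same issue reported by two scanners into one record. The record shapes, tool names, repository names and CVE identifiers are all constructed for illustration.

```python
"""Normalize findings from several scanners into one data model and one severity
taxonomy, then de-duplicate across tools.

Added example; not Tromzo's or Rapid7's code. The scanner record shapes, tool
names and sample findings are constructed for illustration.
"""
from dataclasses import dataclass
import hashlib

# One severity taxonomy for everything: higher rank = more severe.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str          # which scanner reported it
    asset: str         # repo, image or host the finding belongs to
    rule: str          # CVE id, SAST rule id or secret type
    location: str      # package@version, file:line, or file path
    severity: str      # normalized: info/low/medium/high/critical
    raw_severity: str  # the scanner's own wording, kept for audit

    def fingerprint(self) -> str:
        """Tool-independent identity: same asset + rule + location is one issue."""
        key = f"{self.asset}|{self.rule}|{self.location}".encode()
        return hashlib.sha256(key).hexdigest()[:16]


# One adapter per scanner vocabulary. Each record shape below is constructed.
def from_sca(rec: dict) -> Finding:
    """SCA tools commonly emit a CVSS base score; bucket it into the shared scale."""
    score = float(rec["cvss"])
    sev = ("critical" if score >= 9.0 else "high" if score >= 7.0
           else "medium" if score >= 4.0 else "low" if score > 0 else "info")
    return Finding(rec["tool"], rec["repo"], rec["cve"],
                   f'{rec["package"]}@{rec["version"]}', sev, str(score))


def from_sast(rec: dict) -> Finding:
    """A SAST tool that speaks ERROR/WARNING/NOTE (assumed vocabulary)."""
    sev = {"ERROR": "high", "WARNING": "medium", "NOTE": "low"}[rec["level"]]
    return Finding(rec["tool"], rec["repo"], rec["rule_id"],
                   f'{rec["file"]}:{rec["line"]}', sev, rec["level"])


def from_secrets(rec: dict) -> Finding:
    """A secrets scanner: a verified live credential outranks a pattern match."""
    verified = bool(rec["verified"])
    return Finding(rec["tool"], rec["repo"], rec["secret_type"], rec["file"],
                   "critical" if verified else "medium",
                   "verified" if verified else "unverified")


def normalize_and_dedupe(sca, sast, secrets):
    """Return {fingerprint: {"finding": Finding, "tools": set}}.

    When several tools report the same issue, keep the highest normalized
    severity and record every reporting tool, so a second scanner never
    produces a second ticket.
    """
    merged = {}
    for f in ([from_sca(r) for r in sca] + [from_sast(r) for r in sast]
              + [from_secrets(r) for r in secrets]):
        entry = merged.setdefault(f.fingerprint(), {"finding": f, "tools": set()})
        entry["tools"].add(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["finding"].severity]:
            entry["finding"] = f
    return merged


def ranked(merged):
    """Unique findings, most severe first, as flat dicts for reporting/ticketing."""
    rows = [{"id": fp, "asset": e["finding"].asset, "rule": e["finding"].rule,
             "location": e["finding"].location, "severity": e["finding"].severity,
             "tools": sorted(e["tools"])} for fp, e in merged.items()]
    return sorted(rows, key=lambda r: -SEVERITY_RANK[r["severity"]])


# Constructed sample output from three scanners (CVE ids are placeholders).
SAMPLE_SCA = [
    {"tool": "sca-a", "repo": "payments-api", "cve": "CVE-0000-0001",
     "package": "libfoo", "version": "1.2.3", "cvss": 9.8},
    {"tool": "sca-b", "repo": "payments-api", "cve": "CVE-0000-0001",
     "package": "libfoo", "version": "1.2.3", "cvss": 7.5},   # same issue, other tool
    {"tool": "sca-a", "repo": "web-frontend", "cve": "CVE-0000-0002",
     "package": "libbar", "version": "0.9.0", "cvss": 5.3},
]
SAMPLE_SAST = [
    {"tool": "sast-x", "repo": "payments-api", "rule_id": "sql-injection",
     "file": "src/orders.py", "line": 42, "level": "ERROR"},
]
SAMPLE_SECRETS = [
    {"tool": "secrets-y", "repo": "web-frontend", "secret_type": "aws-access-key",
     "file": ".env.example", "verified": False},
]

if __name__ == "__main__":
    for row in ranked(normalize_and_dedupe(SAMPLE_SCA, SAMPLE_SAST, SAMPLE_SECRETS)):
        print(row["severity"], row["asset"], row["rule"], row["tools"])
```

The design choice worth noting is that the fingerprint deliberately excludes the tool name and the raw severity: two scanners disagreeing on a CVSS score for the same package is one issue with two opinions, not two issues, and keeping the raw wording on the record preserves the audit trail without fragmenting the triage queue.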

Accelerating Vulnerability Remediation Through Deep Environmental and Organizational Context

Typical security teams are dealing with hundreds of thousands of security findings, and this takes us back to our question of “Is this critical more important than that critical?” Rapid7 customers can leverage Application Security Posture Management solutions to derive additional context in a way that allows them to more efficiently triage and remediate vulnerabilities produced by best-of-breed technologies such as InsightAppSec and InsightCloudSec. By way of example, let’s explore how ASPM can be used to answer some common questions raised by appsec teams:

1. Who is the “owner” of this vulnerability?

Security teams spend countless hours trying to identify who introduced a vulnerability so they can identify who needs to fix it. ASPM solutions are able to help identify vulnerability owners via the integration with third party systems such as Source Code Management repositories. This automated attribution serves as a foundation to drive remediation by teams and individuals that own the risk.

No more wasted hours!

2. Which vulnerabilities are actually deployed to our production environment?

One of the most common questions that arises when triaging a vulnerability is whether it is deployed to production. This often leads to additional questions such as whether it is internet-facing, how frequently the asset is being consumed, whether the vulnerability has a known exploit, etc. Obtaining answers to these questions is tedious to say the least.

The “code to cloud” visibility offered by ASPM solutions allows appsec teams to quickly answer these questions. By way of example, consider a CVE vulnerability found within a container hosted in a private registry. The code-to-cloud story would look something like this:

  • A developer wrote a “Dockerfile” or “Containerfile” and stored it in GitHub
  • GitHub Actions built a Container from this file and deployed it to AWS ECR
  • AWS ECS pulled this Container from ECR and deployed it to Production

With an integration into GitHub, AWS ECR, and AWS ECS, we can confidently conclude whether or not the Container hosted in AWS ECR is actually deployed to production via AWS ECS. We can take this further: by integrating with GitHub, we can also map the container back to the corresponding Dockerfile/Containerfile and the team of developers that maintains it.

No more laborious meetings!

3. Does this application process PII or credit card numbers?

Appsec teams have the responsibility of helping their organization achieve compliance with various regulations and industry standards, including GDPR, CCPA, HIPAA, and PCI DSS. These standards place emphasis on the types of data being processed by applications, and hence appsec teams need to understand which applications process which types of sensitive data. Unfortunately, obtaining this visibility requires security teams to create, distribute, collect, and maintain questionnaires that recipients often fail to complete.

ASPM solutions have the ability to derive context around the consumption of sensitive data and use this information to enrich applicable security vulnerabilities. A vulnerability deployed to production that stands to disclose credit card numbers, for example, will likely be treated with the highest priority as a means of avoiding possible fines and other consequences associated with PCI DSS.

No more tedious questionnaires!

4. How do I automate ticket creation for vulnerabilities?

Once you know what needs to be fixed and who needs to fix it, the task of remediating the issue needs to be handed off to the individual or team that can implement a fix. This could involve taking hundreds or thousands of vulnerabilities, de-duplicating them, and grouping them into actionable tasks while automating creation of tickets in a format that is consumable by the receiving team. This is a complex workflow that not only involves automating correctly formatted tickets with the right level of remediation information, but also tracking the entire lifecycle of that ticket until remediation, followed by reporting of KPIs. ASPM solutions like Tromzo are perfectly suited to automate these ticketing and governance workflows, since ASPMs already centralize all vulnerabilities and have the appropriate contextual and ownership metadata.
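The three questions above (is it in production, does the application touch regulated data, and how do we turn the answer into a ticket) are really one graph walk followed by a policy overlay. The following is an added example, not Tromzo’s or Rapid7’s code, that models the code-to-cloud chain described earlier: an SCM integration knows which repository holds the Dockerfile or Containerfile and which team owns it, a CI integration knows which repository produced which image digest, and an orchestrator integration knows which ECS service runs which image and in which cluster. A container CVE is enriched along that chain, scored against an assumed policy (severity plus amplifiers for production exposure, internet exposure, sensitive data and a known exploit), and finally grouped into one ticket per owning team and repository. Every record, the scoring weights, the SLA tiers, the image references and the CVE identifiers are constructed placeholders, and the data-classification source is an assumption.

```python
"""Code-to-cloud context for a container CVE: is the affected image actually
running in production, who owns it, what data does it touch, and which ticket
does it belong in?

Added example; not Tromzo's or Rapid7's code. The integration snapshots (SCM
repos, CI builds, registry image references, ECS services), the data
classification tags, the scoring policy and the findings are all constructed.
"""
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# --- constructed integration snapshots ---------------------------------------
# SCM integration: repo holding the Dockerfile/Containerfile and its owning team.
REPOS = {
    "acme/payments-api": {"owner_team": "payments-team", "buildfile": "Dockerfile"},
    "acme/reporting":    {"owner_team": "data-team",     "buildfile": "Containerfile"},
}
# CI integration: which repo produced which image digest pushed to the registry.
BUILDS = {
    "registry.example/payments-api@sha256:aaaa": "acme/payments-api",
    "registry.example/reporting@sha256:bbbb":    "acme/reporting",
}
# Orchestrator integration: which image each ECS service runs, and where.
ECS_SERVICES = [
    {"cluster": "prod",    "service": "payments",  "internet_facing": True,
     "image": "registry.example/payments-api@sha256:aaaa"},
    {"cluster": "staging", "service": "reporting", "internet_facing": False,
     "image": "registry.example/reporting@sha256:bbbb"},
]
# Data classification per repo (assumed source: a tagging integration).
DATA_CLASSES = {"acme/payments-api": {"PCI", "PII"}, "acme/reporting": {"PII"}}

# Assumed remediation policy: add to the severity rank for each risk amplifier,
# then bucket the score into a priority tier with an SLA in days.
POLICY_WEIGHTS = {"in_production": 2, "internet_facing": 1,
                  "sensitive_data": 1, "known_exploit": 1}
TIERS = [(7, "P1", 7), (5, "P2", 30), (3, "P3", 90), (0, "P4", 180)]


def enrich(finding: dict) -> dict:
    """Walk image -> repo -> team, and image -> running ECS services."""
    repo = BUILDS.get(finding["image"])
    deployments = [s for s in ECS_SERVICES if s["image"] == finding["image"]]
    return {
        **finding,
        "repo": repo,
        "buildfile": REPOS[repo]["buildfile"] if repo else None,
        "owner_team": REPOS[repo]["owner_team"] if repo else "unassigned",
        "in_production": any(d["cluster"] == "prod" for d in deployments),
        "internet_facing": any(d["internet_facing"] for d in deployments
                               if d["cluster"] == "prod"),
        "data_classes": sorted(DATA_CLASSES.get(repo, set())),
    }


def prioritize(enriched: dict) -> dict:
    """Overlay the policy: severity plus context amplifiers -> tier and SLA."""
    score = SEVERITY_RANK[enriched["severity"]]
    score += POLICY_WEIGHTS["in_production"] * enriched["in_production"]
    score += POLICY_WEIGHTS["internet_facing"] * enriched["internet_facing"]
    score += POLICY_WEIGHTS["sensitive_data"] * bool(enriched["data_classes"])
    score += POLICY_WEIGHTS["known_exploit"] * enriched.get("known_exploit", False)
    for threshold, tier, sla_days in TIERS:
        if score >= threshold:
            return {**enriched, "score": score, "priority": tier, "sla_days": sla_days}
    raise AssertionError("TIERS must end with a zero threshold")


def build_tickets(findings):
    """One ticket per (team, repo); the highest-priority finding sets the SLA."""
    groups = defaultdict(list)
    for f in findings:
        p = prioritize(enrich(f))
        groups[(p["owner_team"], p["repo"])].append(p)
    tickets = []
    for (team, repo), items in groups.items():
        top = min(items, key=lambda p: p["priority"])   # "P1" sorts before "P2"
        tickets.append({
            "assignee": team, "repo": repo, "priority": top["priority"],
            "sla_days": top["sla_days"],
            "title": f"[{top['priority']}] {len(items)} finding(s) in "
                     f"{repo or 'untracked image'}",
            "findings": sorted(i["cve"] for i in items),
            "context": {"in_production": top["in_production"],
                        "internet_facing": top["internet_facing"],
                        "data_classes": top["data_classes"]},
        })
    return sorted(tickets, key=lambda t: t["priority"])


# Constructed registry-scan findings; CVE ids are placeholders.
FINDINGS = [
    {"image": "registry.example/payments-api@sha256:aaaa", "cve": "CVE-0000-0001",
     "severity": "critical", "known_exploit": True},
    {"image": "registry.example/payments-api@sha256:aaaa", "cve": "CVE-0000-0003",
     "severity": "medium"},
    {"image": "registry.example/reporting@sha256:bbbb", "cve": "CVE-0000-0002",
     "severity": "high"},
    {"image": "registry.example/legacy@sha256:cccc", "cve": "CVE-0000-0004",
     "severity": "low"},   # no build record: nobody owns it, and it is not running
]

if __name__ == "__main__":
    for t in build_tickets(FINDINGS):
        print(t["priority"], t["assignee"], t["title"], t["findings"])
```

Two details carry the argument from the text. First, the “high” CVE in the reporting image scores below the “medium” CVE in the payments image, because only the latter is running in the production cluster, is internet-facing and sits behind an application that handles card data; that is the “is this critical more important than that critical?” question answered by context rather than by the scanner’s label. Second, an image with no build record surfaces as `unassigned` rather than silently disappearing, which is the case a ticketing workflow must route to a human rather than drop.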

Leverage ASPM to Accelerate Vulnerability Remediation

ASPM solutions enable Rapid7 customers to accelerate the remediation of vulnerabilities found by their preferred security testing technologies. With today’s complex hybrid work environments, the increased innovation and sophistication of attackers, and the underlying volatile market, automated code-to-cloud visibility and governance is an absolute must for maximizing operational efficiency, and Tromzo is here to help. Check out www.tromzo.com for more information.

[By Christoph Nagy, SecurityBridge]

In the high-stakes world of cybersecurity, even a tiny miscue can lead to giant consequences. Human error, whether it be something as small as a misplaced password or a misconfigured Amazon S3 Bucket, can compromise the data of millions of customers—and incur many millions more in fines and penalties after a successful attack takes place.

As new threats evolve, companies must concentrate on reducing attack surfaces and not leaving doors open to give bad actors easy wins. There are no small mistakes—every mistake in cybersecurity is potentially catastrophic.

Several oversights that have quietly grown into some of the most significant cybersecurity missteps can be found within SAP software configurations and include underestimating security risks, being overconfident that native SAP security is good enough, and assuming prior patches are all that is needed to harden the system well into the future. These seemingly small oversights often promote significant cybersecurity gaps.

A False Sense of Security

Despite SAP software housing some of the most sensitive company data imaginable (most notably customer and financial data), SAP-specific cybersecurity is a lower priority at an alarming percentage of organizations.

The fact is SAP dramatically increases the attack surface a company must safeguard—it follows, then, that additional security measures should be applied. Mistakenly, organizations believe that out-of-the-box SAP security is good enough, redirecting the vast majority of the cybersecurity budget to other systems.

That disconnect between where the most risk is and where security resources are deployed is an enormous hole in a company’s defense; hackers are penetrating networks at lightning speed and quickly finding the easy-entry security holes. If companies ignore that they are exposing their enormous SAP data trove, it’s only a matter of time before a breach happens.

The Biggest Mistake

To close these security gaps, companies must consider SAP as core to every cybersecurity initiative. Unfortunately, when organizations regularly install patches to keep their software landscape current, they often push off many SAP patches to be handled later. In other words, SAP cybersecurity is considered last among other core IT operations.

This is a mistake that can cost companies dearly. Any IT system could be attacked from the very second it’s activated. If patches or security updates don’t happen until a later date, that interim is putting the systems at a much higher risk. Given the number of trouble tickets at most organizations, it’s not unusual for security updates that aren’t considered a priority to languish on the “to-do” list for a long time. And when such an essential data source, like an SAP system, goes improperly guarded for that long, it’s only a matter of time before a hacker discovers this weakness.

How to Avoid That Mistake

Simply put, SAP cybersecurity needs to be established as an ongoing process across all IT departments and be well-staffed. Sure, every department head loves to argue that they could use more staffing, but remember that SAP cybersecurity is often at the core of many companies. During an attack, nearly everything shuts down, and business ceases as all focus goes into stopping the intruders and assessing the damage. Suppose you aren’t putting the people and the funding into SAP cybersecurity. In that case, it doesn’t matter how much you pour into the other parts of the company—it all grinds to a halt if there aren’t intelligent people with security tools capable of keeping up with cybercriminals.

Conclusion

Cybersecurity is not solely infrastructure security; complex business applications like SAP that run on top of the infrastructure bring vulnerabilities to the IT risk scenario. Even though those systems are often valuable targets for cybercriminals, thanks to the sensitive nature of their data, many organizations don’t adequately work security for these platforms into their processes. As previously mentioned, SAP’s out-of-the-box security does not provide adequate protection. SAP system landscapes have their own architecture, which requires unique solutions and tactics to protect them.

Organizations aware of the potential SAP risk can find a fix through third-party solutions that can utilize automation, establish baselines, and harden the framework to shrink attack surfaces—rather than performing much of this work manually.

About the author:
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and detection of cyber-attacks in real time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.

The post The Biggest SAP Cybersecurity Mistake Businesses Make—And How To Prevent It appeared first on Cybersecurity Insiders.