Developer-focused education is crucial as pen-testers find the same application security problems over and over again
Digital transformation has completely changed how businesses consume applications and software. Businesses are increasingly looking to technology to drive greater efficiencies and create new revenue streams, with Gartner predicting that the enterprise software spend will increase to $351 billion this year. More from CA Veracode's Colin Domoney (@colindomoney).
The latest targets of attackers are developers and insecure development processes, highlighting the need to instill security checkpoints in the development process.
It was reported that a malicious WordPress plugin has been discovered which has been used to hijack more than 200,000 websites. The plugin called Display Widgets has been found to contain a backdoor that could allow hackers to access what is posted on the site and modify content on infected pages. Colin Domoney (@colindomoney), Consultant Solution Architect at Veracode commented.
Some are concerned by the prospect of automation threatening the jobs of humans, but it could give skilled professionals the time to defend against cyberattacks more effectively.
In this episode of the O'Reilly Security Podcast, Courtney Allen talks with Chris Wysopal (@WeldPond), co-founder and CTO of Veracode. They discuss the increasing role of developers in building secure software, maintaining development speed while injecting security testing, and helping developers identify when they need to contact the security team for help.
According to CA Veracode's Colin Domoney (@colindomoney), open source software brings a new set of challenges, but if implemented correctly it can keep your organisation just as secure as proprietary software.
Cyber criminals and security researchers are constantly finding new ways to hack IoT devices. Julian Totzek-Hallhuber, Solutions Architect at Veracode, explains why "Security by Design" is so important for IoT devices.
Despite the many hacks and breaches consistently making headlines, businesses can't afford to slow down their development processes because they don't want to lose out to the competition. This places them in an awkward position: deciding between speed and an extra step for the sake of security. But the worry is misplaced; companies don’t need to trade speed for security or security for speed.
More from Veracode's Pete Chestna (@PeteChestna)
Scientists in China have found that ultrasound frequencies that human ears cannot perceive could be used to issue commands to smart home assistants such as Alexa, Siri and Cortana. Dubbed DolphinAttack, researchers at Zhejiang University said in a research paper that they managed to successfully test attacks on several products, including Alexa, Cortana, Google Now, Huawei HiVoice, Samsung S Voice, and Siri.
Security researchers have warned that voice assistants made by the likes of Amazon, Google and Apple could be ‘hacked’ by remote attackers broadcasting commands at ultrasonic frequencies. Researchers in China found that broadcasting the commands via a loudspeaker enabled them to activate the assistant from several metres away, in what they called a “DolphinAttack.”
A team of researchers from the Zhejiang University in China have demonstrated how several popular speech recognition systems can be controlled using ultrasound via an attack method they have dubbed “DolphinAttack.” The experts tested Apple’s Siri, Google Now, Samsung’s S Voice, Huawei’s HiVoice, Microsoft’s Cortana, Amazon’s Alexa and the speech recognition system in an Audi Q3 vehicle. They modulated various voice commands on ultrasonic carriers, at a frequency of 20,000 Hz or higher, in order to make them inaudible to humans.
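The passage above describes the transmit side: the command is amplitude-modulated onto a carrier above 20 kHz so nothing audible is broadcast. The reason the assistant still hears it is that a microphone and amplifier front end is not perfectly linear, and that nonlinearity demodulates the envelope back into the audible band (the mechanism the Zhejiang University paper relies on). The simulation below is an added example, not code from the article or from the researchers. It uses a 1 kHz tone as a stand-in for the voice command, a 25 kHz carrier, a 192 kHz sample rate and a square-law front-end model; all of these are constructed values, and the square-law model is an assumption standing in for real hardware, not a measurement of any device.

```python
import cmath
import math

FS = 192_000        # simulated ADC sample rate, Hz (assumption; keeps 51 kHz below Nyquist)
N = 9_600           # 50 ms of samples; DFT bin width = FS / N = 20 Hz
F_CMD = 1_000       # constructed stand-in for the "voice command", Hz (on a bin)
F_CARRIER = 25_000  # ultrasonic carrier, above the ~20 kHz limit of human hearing
MOD_INDEX = 0.8     # AM modulation depth (constructed)


def baseband(n):
    """The command waveform: a single audible tone."""
    return math.cos(2 * math.pi * F_CMD * n / FS)


def modulated(n):
    """AM of the command onto the ultrasonic carrier.

    The result contains components at 25 kHz and 25 kHz +/- 1 kHz only,
    so a linear listener (a human ear) receives nothing in the audible band.
    """
    return (1.0 + MOD_INDEX * baseband(n)) * math.cos(2 * math.pi * F_CARRIER * n / FS)


def microphone(x, a2=0.5):
    """Toy nonlinear front end: y = x + a2 * x**2 (assumed model, not real hardware).

    The square term multiplies the sidebands against the carrier and lands the
    envelope (the command) back at baseband; that is the demodulation.
    """
    return x + a2 * x * x


def tone_power(samples, freq):
    """Normalised DFT power at one frequency; freq must sit on a bin (multiple of FS/N)."""
    n_samples = len(samples)
    acc = sum(s * cmath.exp(-2j * math.pi * freq * i / FS) for i, s in enumerate(samples))
    return abs(acc / n_samples) ** 2


def simulate():
    """Return power at the command frequency before and after the nonlinear front end."""
    tx = [modulated(n) for n in range(N)]       # what the attacker's speaker emits
    rx = [microphone(x) for x in tx]            # what the target's ADC actually sees
    return {
        "tx_cmd": tone_power(tx, F_CMD),         # ~0: nothing audible is transmitted
        "tx_carrier": tone_power(tx, F_CARRIER), # 0.25: unit-amplitude carrier
        "rx_cmd": tone_power(rx, F_CMD),         # 0.04: 1 kHz tone recovered by the square term
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>10}: {value:.6f}")
```

The expected numbers follow from the algebra: squaring `(1 + 0.8 b) cos(w_c t)` yields a baseband term `0.8 b / 2`, and with `a2 = 0.5` that is a 1 kHz tone of amplitude 0.4, i.e. normalised power 0.04, while the transmitted signal has no 1 kHz component at all. Swapping the toy `microphone` for a measured input/output curve of a real device would turn this into a quick feasibility check for a given target.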
The Federal Office for the Protection of the Constitution warned of hacker attacks on the German federal election months ago. Could criminals distort the result with an attack?
When the polling stations close on September 24, things could get critical, because that is when the votes of the federal election are counted. From the level of the regional returning officers onward the process becomes digital, and this is where the security authorities expect hacker attacks on the servers. Werner Maaßen, President of the Federal Office for the Protection of the Constitution, has been warning of hacker attacks on the Bundestag election for several months. The Chancellery and the returning officers take these warnings very seriously. "Together with the staff of the Federal Office for Security in Information Technology, we have looked very intensively for weaknesses and are well prepared," says Klaus Pötzsch from the office of the federal returning officer. For that reason, the rapid reports with the first count results on election night are transmitted by telephone. (…)
According to Veracode's Julian Totzek-Hallhuber, the planning of a possible attack depends on whether the election is merely to be disrupted or actually manipulated. In the first case, the attacker would launch an overload attack against the switching computers of the telecommunication companies that provide the lines for the administrative network. Many millions of data packets would be fired at the exchange machines until they buckle. In that case the count would be delayed by many hours. (…)
"Those who want to hack the federal elections in September have already completed their preparations for the attack," says Totzek-Hallhuber.
Can the German federal election be hacked? Reports of security problems are currently making waves. In focus: a piece of software that counts the results of individual polling stations. In fact, however, it is of secondary importance. And then there is good old paper.
The federal election is a decentralized matter; that is how federalism works. Cities and municipalities largely decide independently how they handle, for example, election results. The statutory provisions of the Federation provide only a framework. In addition, the federal returning officer has issued some urgent recommendations that should be taken into account when counting the votes on election day and in the subsequent transmission. (…)
"As a hacker, I would attack exactly this data transfer," says IT security specialist Julian Totzek-Hallhuber from the security firm Veracode. "Because it is based on public lines and is thus in principle vulnerable."
In today’s application economy, we’re seeing ever-greater demand on software development. Software and applications have risen to the front office, where missed deadlines result in lost revenues and poor functionality can lead to lost customers. Increasingly, businesses are embracing DevOps to feed their need for speed, binding together the previously separate development and operations teams.
More from Veracode's Maria Loughlin (@marialoughlin).
A new survey by the firm Veracode found that 70% of information technology professionals feel their security education is not adequate for their current positions. In this week’s podcast we talk to Maria Loughlin (@MariaLoughlin), the VP of Engineering at Veracode about why that is, and how to fix it.
DevOps is turning out to be more security-friendly than most predicted. In the recent AppSec and DevOps Trends Report from ESG and Veracode, 45 percent of IT pros revealed that DevOps is actually bringing application security to the forefront and making it even easier to implement and manage. The report surveyed 400 IT, cybersecurity, and application developer professionals involved with application security initiatives about their perspective on AppSec’s role in a DevOps world. While conventional wisdom would say that security testing would have a hard time fitting into a fast-paced, frequently releasing DevOps environment, this isn’t always the case.
More from Veracode's Chris Wysopal (@WeldPond)
When the Trump administration removed the Moscow-based Kaspersky Lab AO from the list of cybersecurity vendors authorized to protect U.S. government agencies, it highlighted an uncomfortable question: Should corporate America also avoid software built in Russia, China, or others areas of the world where hackers thrive?
At this stage, when so little public information about the government's Kaspersky concerns is available, it would be an overreaction to ditch foreign-built security software altogether, numerous experts told WSJ Pro. Instead, businesses should scrutinize the open-source libraries of code that often provide the foundation for developers building corporate software and applications. Coders from around the world contribute to the open-source libraries that other professional developers then re-purpose for their clients' uses for projects as minor as a small application up to an entire operating system.
"Some of these open-source libraries have hundreds of committers who submit. If you were thinking maliciously, this is the way you'd go about it because you'd go for something that's already deployed widely," said Chris Eng (@chriseng), vice president of research at Veracode, the application security company recently acquired by CA Inc. "It's less about vetting for geography and more a factor of 'Will this library help me make a program with the functionality I need, so I don't have to write it all from scratch?'" More from Wall Street Journal's Jeff Stone.
The latest government ‘cyber governance health check’ and a survey of the UK’s top 350 companies revealed that more than two-thirds of boards have not received training to deal with a cyber incident.
Hackers are known to always be on the lookout for new ways to scale up their attacks, and so go after businesses and organisations that may help them exploit vulnerabilities to infect a wider network of targets. A LinkedIn bug, recently uncovered by security experts, could have provided cybercriminals with just such an avenue of attack.
The 2017 DevSecOps Global Skills Survey, sponsored by Veracode (acquired by CA Technologies) and DevOps.com, found that while 65 percent of DevOps professionals believe it is very important to have knowledge of DevOps when entering IT, 70 percent say they are not receiving the training through formal education that they need to succeed in today’s DevSecOps world. DevSecOps refers to the practice of integrating security into the development and testing of software, a “shift left” mentality aimed at faster, better quality outcomes.
The old saw is that sometimes you need a thief to catch a thief, and so it may be with the current crisis in cyberspace around intelligent bots, fake news and the hacking of multiple elections: a hacker army, paid or unpaid, could do a lot to stop the onslaught. Only, with some notable exceptions, the professionals possessing the skills to ferret out and combat the bad guys are hobbled by laws and held at arm's length by society, per the New York Times' Kevin Roose.
I spoke with a few professional hackers and cyber experts. Among the former is Eugene Dokukin, a Ukraine-based man who has run a one-man campaign against Russia since the 2014 Ukraine invasion. In an hour-long chat by Skype, he said the fight goes on — petitioning companies like PayPal, Twitter, Facebook and Google to shut down accounts that he thinks support Russia's cyber war, and hacking into them himself if that doesn't work. "I am a white hat. I am ethical, even if I use unethical methods against the Russians," he said. "It is war."
Travelers to Europe and the Middle East need to be aware of an on-going malware campaign that is targeting hotel and hospitality Wi-Fi networks and being used to glean guest and corporate information.
Veracode has extended the HPE Application Lifecycle Manager (ALM) with a Flaw Synchronizer plug-in. The aim is to identify and fix security vulnerabilities early in the software development lifecycle (SDLC). The Veracode HPE ALM Flaw Synchronizer plug-in automatically imports the findings of static and dynamic security tests into the HPE Application Lifecycle Manager, so development teams can manage the security findings directly in their integrated backlog.