In a recent CA Veracode study, 93 percent of respondents said they used external code components. More and more commercial and open source components are used in software development, yet when a vulnerability in one of these components becomes known, only about half of developers update it, according to the same CA Veracode study.
It was not the usual Congressional scene in room 2237 of the Rayburn House Office Building on Tuesday afternoon. More people in the audience than usual had hair dyed pink or green, and opted for T-shirts instead of button-down attire. And the name tags on the table in front of the room sported an unusual set of monikers: Kingpin, Mudge, Weld Pond, and Space Rogue. The occasion was a reunion of four members of the hacking collective L0pht Heavy Industries, organized by the Congressional Internet Caucus Academy and the Senate Cybersecurity Caucus, almost 20 years after L0pht members warned of rampant insecurity online in the Senate’s first cybersecurity hearing.
Chris “Weld Pond” Wysopal said the major shift is that ethical hackers once were viewed as a nuisance or worse, but are now embraced for bug bounty programs or take roles at companies. “In 10 years they went from ‘Please go away’ to ‘Thank you very much, here's some money,’” said Wysopal, now chief technology officer at cybersecurity company CA Veracode. Wysopal also said he remembers senators asking at that first hearing if a nation-state might ever employ a group of hackers like themselves. “It all seemed so theoretical,” he said. “We all know 20 years later this is happening constantly.”
Twenty years ago this week, a collective of young hackers came to Washington with a warning for Congress: Software and computer networks everywhere were woefully insecure. During that now-infamous hearing in May 1998, one told senators that “any of the seven individuals seated before you” could take down the Internet in just half an hour.
"As businesses continue on their digital transformation journey, their dependency on software increases, which in turn creates a greater surface for hackers to attack. Recent research has revealed that 77% of all software applications have at least one vulnerability when first scanned. The top cybersecurity concern for businesses will therefore be the risk posed by vulnerabilities in software, which cybercriminals will look to exploit in order to exfiltrate data, inject ransomware or mine cryptocurrency. To mitigate these attacks, organisations will need to ensure that their software is secure, and an effective way of doing this is to test for vulnerabilities in web and software applications early and often. In this way vulnerabilities can be discovered and fixed before they can be exploited by hackers." - Paul Farrington, director, EMEA Solutions Architects, CA Veracode.
Hackers from the Boston collective The L0pht testified on Capitol Hill 20 years ago this weekend, in what became a landmark moment for the legitimization of white hat hackers and an altogether surreal event in the annals of the U.S. Senate. Today, four of them return to discuss how things have changed. What they're saying: L0pht alumni Chris "Weld Pond" Wysopal and Cris "Space Rogue" Thomas emailed Codebook to explain what actually did change.
Another widespread worm attack is "inevitable," but it will spread a different, more lucrative or destructive payload, experts say.
In honor of “blockchain week,” which is kicking off in New York City, I’ve been thinking about the security of smart contracts, self-executing computer programs designed to encode business relationships. A smart contract might codify, for example, an agreement like this: If Justify, a racehorse, wins the Kentucky Derby, pay $10 in Bitcoin to some lucky fellow’s digital wallet. The code eliminates the need for a bookie.
A year after the global WannaCry attacks, the EternalBlue exploit that was a key enabler for the malware is still a threat to many organisations, and many UK firms have not taken action, security researchers warn.
Cryptocurrency exchanges and apps aren’t just among the most valuable targets for hackers, they also remain among the most vulnerable. That’s the warning Chris Wysopal, chief technology officer at the security-tools firm Veracode, offered during a talk at the Collision conference here on May 1. It’s something that should be at the top of concerns for people looking to trade or invest in cryptocurrencies such as bitcoin, which are generated through increasingly complex mathematical “mining” and allow pseudonymous transactions online and across international borders — and have increased in value wildly, even after recent plunges.
Using these risky snippets of code has become standard for developers, but what do they actually think about them?
An investigation carried out by CA Veracode, a leading company in the security market acquired by CA Technologies, clarifies the difference between the security and the hygiene of open source components. According to the survey, almost half of programmers (48%) do not update solutions built on open source or commercial components, even when a new security vulnerability in those components is disclosed. This and other findings highlight the lack of security awareness in organizations, placing them at risk.
Open source components are often part of other software in the company. This can cause security problems. The following best practices provide more security.
Proof-of-concept code showing how an NTFS flaw can shut down Windows systems was published by a security researcher nine months after he disclosed it to Microsoft.
Using open-source software is now the norm for most development teams, but with this usage comes several associated security risks. Chris Eng, VP of research for CA Veracode, chatted with SC Media's Online Editor Doug Olenick on the security issues surrounding the use of open-source software and what can be done to ensure that the code being used has been vetted and is safe.
Security teams have worked quietly in the background of software quality projects for years. The DevSecOps process puts the long-lost co-worker, security, front and center.
DevSecOps isn’t yet as widely known or practiced as DevOps, but that could be changing. 2018 has been a wake-up call for enterprises that haven’t deeply integrated security practices throughout their IT organizations. In just a few short months, news has broken about major attacks and/or breaches at Sears and Delta Air, oil and gas pipelines, Panera Bread, Saks Fifth Avenue and Lord & Taylor, European financial institutions, MyFitnessPal, at least 1,000 Magento-based ecommerce sites, Orbitz, FedEx, Boeing, the city of Baltimore, and the city of Atlanta.
Organizations are increasingly incorporating open source code elements into their development to accommodate agile development methodologies and swift go-to-market requirements, but not many are addressing the security concerns that follow this decision, says CA Veracode CTO Chris Wysopal.
Throughout the history of mankind, civilizations have risen and fallen due to a variety of factors. For the most part, the collapse of a civilization wasn’t sudden, but a gradual decline brought on by multiple causes like changing culture, climate or even the introduction of a new culture (such as when Europeans came to the “new world”).
Only half of developers using open source components in their software update them to use the most secure version, according to CA Veracode.
Organisations are often unaware of the inherent security risk of using third-party components in their applications.
Shift left testing is an increasingly popular approach to testing applications and software, where the testing is generally performed earlier in the development project timeline (hence ‘shifted left’) and is a fundamental aspect of the DevOps approach.
“There is a lot of inherent risk in leveraging open source libraries to assemble software,” said Sam King, general manager for CA Technologies’ Veracode unit, SourceClear’s new home which specializes in application security, in a statement emailed to Fortune. One recent consequence of that risk: last year’s Equifax data breach, which was caused by the big three credit bureau using a vulnerable version of Apache Struts, a popular open source software project.
Using open source components saves developers time and companies money. In other words, it's here to stay. Here's a look at what it will take to improve open source security.