The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack

CVE-2022-0328

The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack

CVE-2022-0616

In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.

CVE-2020-10676: Announcements

If you want to know what post-quantum cryptography is or why any one will care, see part 1 of my series.On August 24, 2023 the National Institute of Standards and Technology (NIST) published its first draft of post-quantum algorithms. The technologies behind those algorithms were described in part 2 (hash-based signatures) and part 3 (lattice-based cryptography) of this series.This leads to the question: If NIST already has serviceable post-quantum replacements for the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms, why would they need any other technology? The an

_If you want to know what post-quantum cryptography is or why any one will care, see_ _part 1_ _of my series._

On August 24, 2023 the National Institute of Standards and Technology (NIST) published its first draft of post-quantum algorithms. The technologies behind those algorithms were described in part 2 (hash-based signatures) and part 3 (lattice-based cryptography) of this series.This leads to the question: If NIST already has serviceable post-quantum replacements for the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms, why would they need any other technology? The answer is because lattice-based cryptography is relatively new and it would be good to have an alternative in case a general solution to the underlying lattice-based problems or the various derived module-based lattice problems is found. One option is to use error correction codes as a cryptographic primitive.

**The basics**

Error correction codes are digital codes used to reliably send data through an unreliable channel. If there is some noisy transmission line, which is the most common example, transmission reliability can be increased by encoding the data to be sent down the line in packages with extra redundant bits. This larger package is called a code word, and only certain values in the space represented by the larger package are valid code words. In a noisy channel, corruption of some of the bits would yield an invalid code word, so the error is detected. Furthermore, if the space between code words is big enough, a reasonable guess can be made about which code word was probably corrupted and the error can be corrected.

"The space between" or the "distance between" code words is measured by the number of bits that are different in each. This is generally called the Hamming distance. Through the rest of this post, distance, closeness, etc., will all be shorthand for the Hamming distance. Related to Hamming distance is the idea of Hamming weight. The Hamming weight of a value is simply the number of 1 bits in that value. Error values purposefully introduced in encryption schemes usually choose Hamming weights large enough to be secure and small enough to be corrected.

This process not only has been understood for decades, but has been formalized into a full mathematical system. The mapping from a base value (**a**), to be transmitted, to a code word (**w**), that is sent down the channel, is accomplished by treating the base value as a vector of bits and multiplying it by a matrix **G** called a generator:

              _w = a . G_

Generators are created by concatenating two arrays: **I**, (called the identity matrix) which is a square matrix with ones in the diagonal and zeros everywhere else and **P** (called the parity matrix) which has the error coding values.

This form is called the standard form. It maps a basic value (**a**) to a larger dimension code word (**w**) of the form a concatenated with parity information (**p**) where **w** = **a** || **p**. As noted earlier, not all values of size **w** map are a valid code word mapping to a given **a**, so **w** can be used to detect if there was corruption if the received value on the channel (**w**’) isn’t a valid code word. Furthermore, if the size of **w** is sufficiently larger than the size of **a**, the distances between various code words are large enough, and the error is small enough, the corrupted value **w**’ can be used to determine what the original **w** was, and thus to determine the original **a**. To correct w’, you can use the **P** matrix to calculate a new matrix call, the parity check matrix **H**.

Then use **H** to calculate **s** (called the syndrome) as follows:

                               _s = H . w'_

If **w**’ is a valid code word, then the syndrome (**s**) will be zero. This is why **H** is called the parity check matrix. In addition if **s** is non-zero and the error in **w**’ is small enough you can use **s** to recover the error (**e**) where **w’ = w + e**, and thus the original **w = w’ + e** (in binary arithmetic addition is xor and is the same as subtraction so **e + e = 0**). Unfortunately, in the general case, mapping **s** to **e** involves trying all possible errors and calculating their expected **s** values, storing them in a table, then looking up the error from the table using **s**. If you select **H** carefully, however, you can create a function which gives you **e** from **s** directly. Once you have the error (**e**), you can calculate the correct **w**, and then recover **a**. This means we can create a function Dg based on **H**, which will take a corrupted **w**’ and give us the original **a**.

**Efficient mapping syndromes to errors****Hamming codes**

There are several schemes which are used to build **H** in such a way that we can calculate the error from the syndrome efficiently. The most common scheme is to build up a parity matrix (**P**) that takes log2(n) bits (where n is the size of the code word (**w**)). A parity check matrix that can create this encoding would look like this:

and the generator, **G**, would look like this:

When the syndrome is calculated, the resulting value **s** is the single bit that was changed. For example, say the original message was **a** \= 1 1 0 0. Multiplying a by **G** results in a **w** \= 1 1 0 0 0 0 1. If the first (high) bit is corrupted (**w**’ = 0 1 0 0 0 0 1) , **s** \= Hw'= | 1 1 1 | = 7. If the second bit is corrupted, **w**’= 1 0 0 0 0 0 1, **s** \= | 1 1 0 | =6. The syndrome **s** will point directly to the single bit that was corrupted, with exception of corruption of the last bit and the first parity bit. In those cases they are swapped. This works because the parity check matrix (**H**) was chosen such that half the bits in the rows are 1. This matrix was arranged as a binary count in the column starting with 1 on the right and moving to 7 on the left. To preserve "standard form" 3 and 4 are swapped, which is why there is some result swapping in the syndrome. These are called Hamming codes (not to be confused with Hamming weight or Hamming distance) and they are popular because they are easy to implement for both encoding and error correction. They are not the most efficient encoding scheme for correcting multibit errors with the minimum size code word, however. That would be Goppa codes.

**Goppa codes**

Goppa codes were developed to give the most efficient mapping of maximum correctable error versus smallest size difference between **w** and **a**. The scheme involves picking several base values and functions and building up **H** from powers of those values multiplied by polynomials of these functions. To find the error, the syndrome is turned into a polynomial, then that polynomial is processed into an oracle function. The oracle function can be queried for each bit of the error to determine whether it is 1 or zero. The actual math is beyond this article, but the full algorithm can be found here.

**Low density parity check codes**

Goppa codes, while quite efficient, can be very complicated. Another scheme used in coding is called low density parity check. In this scheme, the number of "1" bits in the parity check matrix is small. This allows efficient decoding of the result while being able to correct many errors. The idea is that because the density of 1s in the parity check matrix is small, the connections between the error bits and syndrome bits are small. This fact can be used to create probabilistic algorithms for picking likely error bits by walking down each error bit and seeing how likely that error bit would be one or zero based on the connection this error bit has to the syndrome bits, and the value of the connected syndrome bits. The result can be run iteratively with each iteration getting closer to the correct answer. This is sometimes called a "bit flipping decoder" as it starts with a guess for the error bits and flips the guess each iteration based on the probability that the current guess is wrong. Unlike the other codes, the chance of success is probabilistic, but the probability of failure can be made to be quite low.

**Turning Goppa codes into a public key encryption algorithm**

In 1978, Robert McEliece turned Goppa codes into a cryptographic system as follows:

**1\. Generate a key pair:**

1.  Construct a Goppa code **H** (which has a reversible function Dg)
2.  Put **H** in standard form **H**\=\[**P**T||**I**\]
3.  Calculate **G**\=\[**I**|**P**\]
4.  Choose an invertible permutation array **P**r (and array that just moves the columns around without disturbing the values), and another invertible random array **S**
5.  Calculate **Gp=SGPr**
6.  The public key is the array **Gp**
7.  The private key is Dg (invertible function for **G** based on **H**), **S\-1** and **Pr\-1**

**2\. To encrypt a message:**

1.  Calculate **c=mGp+e** where **e** is a noise vector and **m** is the message, turned into a vector
2.  Send ciphertext **c**

**3\. To decrypt the message:**

1.  Calculate **m**\= Dg(c**P**r\-1)**S**\-1

The arrays **S** and **P**r hide the details of our original matrix **G** so the attacker doesn’t know **H** and thus can’t perform the Goppa algorithm to recover the error. Note that the encrypt step 1 looks a lot like a lattice operation, where **Gp** is a ‘cooked’ lattice array.

The main drawback to this is the public key, **Gp**, is very large (order of megabytes). It has decades of cryptanalysis, so we are confident in its security. A slightly modified version is a Round 4 finalist in the NIST post-quantum "competition" called Classic McEliece. It is described below.

Other error correcting code schemes have been proposed to replace Goppa codes in the McEliece scheme. Those schemes have been broken. Attempts at making a signature scheme based on error correcting codes have also been broken.

**Code-based encryption schemes in NIST Round 4**

Round 3 of the NIST Post Quantum Cryptography Standardization resulted in four algorithms selected for standardization: Crystals-Kyber, Crystals-Dilithium, Falcon and Sphincs+. Crystals-Kyber is a lattice-based key-encapsulation mechanism (KEM), while Crystals-Dilithium and Falcon are lattice-based signatures. Sphincs+ is a stateless hash-based signature scheme. These are discussed in part 2 and part 3 of this series. The remaining signature algorithms in round 3 (Rainbow, GeMSS and Picnic) were broken, and the remaining non-lattice-based KEM algorithms moved to Round 4. Those algorithms are Classic McEliece, BIKE, HQC and SIKE. SIKE has been broken, and the remaining three algorithms are code-based. In the following descriptions I use the nomenclature and formatting used in the specifications for the standards in each description, which actually varies between the different specs.

**Classic McEliece**

Classic McEliece modernizes Robert McEliece’s original scheme. First, instead of using a generator (**G**) to encode a message (**m**), the parity check matrix (**H**) is used to generate a syndrome (**s**) from a random error value (**e**). This **e** is used in a key derivation function (KDF) to generate the encapsulated key. Decapsulation is done by finding the **e** value from the syndrome and using it in the KDF. If the decode fails, a fake KDF is used to hide the failure to prevent creating an oracle. Since the parity check matrix is in standard form (Pt || I) and I is the known identity Matrix, the public key only needs to be the **P**t portion, which the spec calls **T**. So the steps for Classic McEliece are:

**1. Generate a key pair:**

1.  Construct a Goppa code **H** (which has a reversible function Γ)
2.  Put H in standard form **H**\=\[**I**||**T**\]
3.  The public key is the array **T**
4.  The private key is **Γ** and **s**, which is a fixed random per-key noise value

**2. To encapsulate a key:**

1.  Calculate **C=\[I|T\]e** where e is a noise vector
2.  K=H(1, **e, C**) where H() is a hash function
3.  Return the key K and the cipher text **C**

**3. To decrypt the message:**

1.  set b to 1
2.  Use Γ to find e from **C**. If no **e** found, set b to 0. and **e** to **s**
3.  K=H(b, **e, C**)

Public keys in Classic McCliece are between 260 KBytes and 1 Mbyte with cipher texts around 96 to 200 bytes.

**BIKE – bit flipping and medium density codes**

While Classic McEliece reduces the public key down from the traditional McEliece encrypt, it is still too large for many operations. This is unavoidable when using Goppa codes. If Hamming or low density codes are used, however, arrays can be constructed by using a single row vector and shifting that vector in each succeeding row. This is called a cyclical or quasi-cyclic array. BIKE uses quasi-cyclic arrays to reduce key sizes. BIKE also uses medium density parity check codes, which function like low density codes, but there are more connections between error bits and various syndrome bits. The steps for BIKE are:

**1. Generate a key pair:**

1.  Find **h**0 and **h**1 each with an appropriately low hamming weight (for medium density). These are our quasi-cyclic parity check arrays
2.  Calculate **h=h1h0\-1**
3.  The public key is the array **h**
4.  The private key is **h0, h1** and **σ**, which is a fixed random per key noise value

**2. To encapsulate a key:**

1.  Find m, a uniformly random message
2.  Calculate e0,e1 =hashH(m), which uses m to determine e0 and e1 with appropriately low hamming weights
3.  Calculate e0 + e1**h** and m xor hashL(e0||e1). These two make up the ciphertext c
4.  K = hashK(m, c)

**3\. To decrypt the message:**

1.  (c0,c1) = split the components of c
2.  e0,e1\= decode(c0**h0, h0,h1**) using a black-gray bit flip algorithm. This could fail in which case set e0,e1 is set to 0, 0
3.  m’ = c1 xor hashL(e0||e1)
4.  if (e0,e1) == hashH(m’) then K= hashK(m’, c) else K = hashK(m’,σ)

This works because **h0** and **h1** are appropriately hidden by calculation **h=h1h0\-1**. The values e0 and e1 are hidden with **e0+e1h**, and m is hidden by xoring with the hash of e0||e1. Decoding works because **c0h0** gives **e0h0+e1h1**, which can be used as the syndrome to decode e0 and e1 with knowledge of **h0** and **h1** using bit flipping. Correct reconstruction of e0 and e1 from m’ guarantees that the decode was successful. Unsuccessful decodes are hidden by calculating a fake K from σ.

Public keys and cipher texts sizes are roughly equivalent to each other and vary between 1500 bytes to 5kBytes.

**HQC – reducing the key size and Hamming codes**

HQC also uses quasi-cyclic arrays to reduce the key sizes. HQC doesn’t hide the Generator matrix, **G**. Instead it defines **G** as either a traditional Hamming generator, a Reed-Solomon generator, or a Reed-Muller generator (The latter two are modern Hamming variants). **G** is public and anyone can use **G** to recover the original message as long as the error bits are small enough (have a low enough Hamming weight). HCQ instead encodes a message using more error bits than can be recovered and the private key is used to reduce those error bits down to a recoverable value.

**1. Generate a key pair:**

1.  The generator **G** is already given
2.  Find a random array **h** (not the parity matrix of **G**), and vectors **x** and **y**. The former have hamming weights w
3.  Calculate **s= x +hy**
4.  The public key is **h,s**
5.  The private key is **x, y**

**2. To encapsulate a key:**

1.  Find **m**, a uniformly random message
2.  Use **m** and a salt to find **e, r1**, and **r2** where the hamming weight of **e** is **we** and the hamming weights of **r1** and **r2** is **wr**
3.  Calculate **u=r1+hr2, v=mG+sr2+e**
4.  K = K(**m, c**), d=H(**m**), c=(**u,v**)
5.  Because **sr2** creates a larger error than is recoverable, the attacker can’t use the decode operation on v directly
6.  Cipher text is (**c, d**, salt)

**3. To decrypt the message:**

1.  **(u,v) = c**
2.  Recover **m’** = Decode(**v-uy**). Note that **v-uy= mG+xr2+hyr2+e-r1y-hyr2 = mG+xr2\-r1y+e**. The hamming weights of **x, y, r1, r2**, and **e** are chosen so that the error **xr2\-r1y+e** is below the decoding threshold and **m** should be recovered.
3.  Verify **d**\=H(**m**’) and c=Encode(**m**’,salt). If they aren’t, abort
4.  K= K(**m**’, **c**)

The public key sizes for HQC run from 2.2 kBytes to 7.2 kBytes with cipher texts roughly 2x the size of the public key.

**Wrap up**

Code-based KEMs are likely to be the next type of KEM standardized by NIST. They are based on very well understood systems we use to provide data integrity on communications channels today. Some forms have held up to cryptanalysis for half a century, but unfortunately those forms have very large key sizes.

Post-quantum cryptography: Code-based cryptography

By Owais Sultan
SBOM or Software Bill of Materials implies a comprehensive inventory of all the constituent elements or components of the software.
This is a post from HackRead.com Read the original post: The Best Ways to Automate SBOM Creation

For the DevOps and software engineer, there’s nothing more important than having a safe and secure product. With **cybersecurity hacks** becoming more than a passing trend today, it has become imperative to take extreme steps to protect the software supply chain and its many components.

**Why is software cybersecurity important?**

The Software Development Life Cycle (**SDLC**) is a lengthy process. Given how fast-paced the world of software development is, it is common to have engineers use several other third-party sources and components to aid them rather than build everything from scratch.

This method is rather important for quick product and update delivery. However, the truth is that it exposes software to several corruptions and vulnerabilities, which, when exploited by hackers, become gaping security weaknesses that can compromise the entire project.

These vulnerabilities often exist for considerable dwell periods, such as in the case of the **SolarWinds hack**, before discovery. In the latter’s case, the vulnerabilities lay undiscovered for several months.

The respective hackers (**suspected Russians**) were only too glad to take advantage of the illegal backdoor to the software, stealing dollars worth of private and government data, including state secrets.

Upon discovery, the phenomenon shook the entire software industry, highlighting the importance of maintaining top-notch security practices throughout the development pipeline.

Since then, many standardized approaches have emerged. One essential way to protect your supply chain’s integrity is to assess the **SBOM**.

In this article, we’ll comprehensively examine the concept of SBOM and go on to explain the best ways to automate its creation.

Read on.

**What is SBOM?**

SBOM is an acronym for Software Bill of Materials. **Software Bill of Materials definition** implies a comprehensive inventory of all the constituent elements or components of the software.

In a non-software context, an SBOM can be likened to the ingredients that make up a canned good, including its source. Here, it would include the manufacturers of the can m, the farm where the raw ingredients were sourced, and so on.

An SBOM includes all third-party components used in software development, including code libraries, packages, patch status, dependencies, component version, license type, etc.

**What formats does the SBOM take?**

So vital is the data contained with SBOMs, particularly to mitigating the risk involved in cyberattacks, that the **US government has strict regulations** regarding it.

By law, software companies working with the government are required to provide a comprehensive SBOM in any one of three standardized formats.

These formats are identified by the NTIA (National Telecommunications and Information Administration) as methods for generating a comprehensive SBOM inventory list inclusive of software entities and related metadata.

Here are the three formats:

*   ●       OWASP Cyclone DX
*   ●       SPDX (Software Package Data Exchange)
*   ●       SWID (Standard for Software Identification)

The SPDX is an open standard for SBOM generation containing security references, copyrights, and software components.

On the other hand, the OWASP CycloneDX standard is used in generating inventories of third-party and proprietary software constituents for risk analysis. This makes it ideal for documenting information like firmware, libraries, containers, operating systems, frameworks, etc.

SWID is an ISO (International Organisation for Standardization) definition that consists of an XML file containing software components inventory such as patch statuses, licenses, and installation bundles.

> A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management.
> 
> CISA

**Why is it important to automate SBOM generation?**

SBOM formats are designed to be machine-readable. As they comprise so much data, the manual analysis, curation, and processing of this data is time-consuming.

Even the smallest software is often composed of several components. Culling an inventory of these constituents is a near-impossible task per manual execution.

As such, automating the process the crucial to generating SBOMs. This way, there will be better consistency in the change implementation after release. Additionally, it facilitates the digital cryptographic verification and signing of components by vendors. Besides, it ensures continuous scanning to generate SBOMs, inherently making them valuable to the Continuous Integration/Continuous Delivery pipeline.

Also, SBOM automation offers machine speeds, thus saving valuable time. Instead of devoting crucial hours to curating the inventory, your software organization can focus on effective deployment. Additionally, it becomes easy to flag and isolate the faulty component and run update scans for **risk mitigation if vulnerabilities are detected**.

**Methods for automating SBOM creation**

There are three common methods of automating SBOM creation:

**SCA tools**

SCA stands for **software composition analysis**. These tools automate SBOM creation by comprehensively analyzing third-party code integrity, license compliance, and software security.

The process is highly efficient, guarantees code integrity boosts productivity, and does not compromise security.

Some of the components that SCA tools investigate include the following:

*   ●       Binary files
*   ●       Manifest files
*   ●       Source code
*   ●       Container images.

SCA tools provide security and reliability by analyzing tons of data points. Today, they’re highly useful in the cloud niche.

**Use plugins**

Another way to generate SBOMs is to use plugins within the **CI/CD pipeline**. This involves creating and auditing SBOMs in the DevOps pipeline.

A common plugin is the CycloneDX maven plugin which generates comprehensive SBOMs based on various project dependencies.

To begin with, the pox.xml file will have to be configured, with the culmination of the process being a generation of a bom.json file.

Next, the inventory is audited by a Dependency-Check SCA tool, after which the SBOM is finally generated.

**Use Scribe**

Scribe is an all-in-one software supply chain tool that helps developers generate comprehensive SBOMs.

The tool provides end-to-end security as far as your **software supply chain** is concerned, with a steady assurance of quality and code integrity throughout the SDLC.

The generated SBOMs can be shared with your team and your vendors, granting unhindered insight into code tampering and vulnerabilities in your software project.

With Scribe, you get comprehensive visibility, actionable insights, evidence-based compliance, and code integrity validation.

**Conclusion**

SBOMs are indispensable as far as the software supply chain is concerned. They’re the link between software developers and their respective project dependencies.

Without the comprehensive outlines they provide, optimizing cybersecurity practices within the development pipeline will be impossible.

As such, it’s important to generate a standardized SBOM in the course of a project’s development. It’s more than just essential- it is a necessity.

1.  **Importance of Automation for Businesses**
2.  **Importance of Tax Automation in Digital Business**
3.  **How Automation Affects The Interpreting Services**
4.  **Software Tech – Amp Up Your Onboarding Experience**
5.  **Cybersecurity Automation: How Businesses Benefit From It**

The Best Ways to Automate SBOM Creation

Picture this: you stumble upon a concealed secret within your company's source code. Instantly, a wave of panic hits as you grasp the possible consequences. This one hidden secret has the power to pave the way for unauthorized entry, data breaches, and a damaged reputation. Understanding the secret is just the beginning; swift and resolute action becomes imperative. However, lacking the

Picture this: you stumble upon a concealed secret within your company's source code. Instantly, a wave of panic hits as you grasp the possible consequences. This one hidden secret has the power to pave the way for unauthorized entry, data breaches, and a damaged reputation. Understanding the secret is just the beginning; swift and resolute action becomes imperative. However, lacking the necessary context, you're left pondering the optimal steps to take. What's the right path forward in this situation?

Secrets management is an essential aspect of any organization's security strategy. In a world where breaches are increasingly common, managing sensitive information such as API keys, credentials, and tokens can make all the difference. Secret scanners play a role in identifying exposed secrets within source code, but they have one significant limitation: **they don't provide context. And without context, it's impossible to devise an appropriate response plan.**

****Context and Response: Key factors in addressing exposed secrets****

When it comes to addressing exposed secrets, context is everything as you are the guardian of your secrets. Without it, you don't know the severity of the exposure, the potential impact, and the best course of action.

Here are some key factors to consider when contextualizing exposed secrets:

**1 — Classify secrets based on sensitivity and importance**

Not all secrets are created equal. Some are more critical to your organization's security than others. Classifying your secrets based on their sensitivity and importance will help you prioritize which ones need immediate attention and remediation.

**2 — Understand the scope of exposure and potential impact**

Once you've classified the exposed secret, it's crucial to assess the scope of the exposure. Has the secret been leaked to a public repository/darknet, or is it still in your internal systems? Understanding the extent of the exposure will help you determine the potential impact and risk on your organization and help create your response plan.

**3 — Identify the root cause of the exposure**

Getting to the exposure's root cause is essential for an exposed secrets remediation process, and to prevent future attacks. By identifying how the secret was exposed, you can take steps to address the underlying issue- preventing similar incidents from occurring in the future. This could involve updating security policies, improving code review processes, or implementing additional access controls.

**4 — Secrets enrichment**

Secrets, while seemingly meaningless strings of characters, carry significant metadata. This includes ownership details, creation, rotation timestamps, assigned privileges for cloud service access, associated risks, and much more. Entro uses this wealth of information to construct a dynamic threat model or a secret lineage map that illustrates the connections between applications or compute workloads, the secrets they employ, and the cloud services they access — thus providing a comprehensive view of each secret's security and compliance status.

****Remediation and Prevention: Securing your organization's Secrets****

Addressing exposed secrets requires a process of remediation and prevention. Here's how you can secure your organization's secrets effectively:

**1 — Mitigate the impact of exposed secrets:**

Take swift action to mitigate the potential harm stemming from the revealed secret. This could entail changing or invalidating the compromised secret, reaching out to impacted parties, and vigilantly observing for any unusual or suspicious behavior due to the disclosure. In certain cases, it might be necessary to engage law enforcement or seek assistance from external security experts.

**2 — Implement policies and processes to prevent future exposures:**

Learn from the exposure and take steps to prevent similar incidents. This might include crafting or revising your company's security protocols, adopting secure development methodologies, and educating staff on effectively managing confidential data. It's also crucial to regularly audit your secrets management processes to ensure compliance and effectiveness.

**3 — Regular monitoring and auditing of secrets:**

Monitoring your organization's secrets is vital in identifying potential exposures and mitigating risks. Implementing automated tools and processes to monitor and audit secrets will help you keep track of sensitive information, detect anomalies, and trigger alerts for any unauthorized access or changes.

****Leveraging technology for effective secrets management****

As your organization grows, managing secrets manually becomes increasingly complex and error-prone. Leveraging technology can significantly enhance your secrets management strategy.

****1** — **Embrace automation**:**

Automation can help streamline the process of managing exposed secrets, providing you with faster detection, classification, and response capabilities. Look for tools that integrate with your existing security workflows, reducing the need for manual intervention. Through its auto-discovery process, Entro can identify the owner of each secret or token, automate resolution procedures, and detect misconfigurations in vaults and secrets stores, ensuring a faster response to security incidents.

****2** — **Platforms that provide essential context**:**

Some advanced secrets management platforms go beyond simple scanning, offering valuable context that can help you respond more effectively to exposed secrets. Entro is one such platform, and very uniquely so since it goes above and beyond to create the most comprehensive secret lineage maps to provide valuable context, enabling a more effective response to exposed secrets.

****3** — **Integration with existing tools**:**

Ensure your chosen technology can easily integrate with your existing security tools and workflows. Seamless integration will help you maintain a consistent security posture across your organization and maximize your current investments in security solutions.

****Conclusion****

Effectively handling exposed secrets is crucial for protecting your company's confidential data and maintaining trust among stakeholders. Recognizing the significance of context in dealing with revealed secrets empowers you to make informed choices regarding fixing and preventing issues. Integrating technology and a strong approach to managing secrets into your workflow enhances your organization's security posture, minimizing the chances of unauthorized entry and data breaches.

Appreciating this pivotal aspect of cybersecurity, it becomes clear that it's not merely about awareness but also action. This is where solutions like Entro come into play. Specifically designed to tackle the challenges we've explored, Entro offers a comprehensive approach to secrets management that transcends basic scanning. It provides the crucial context needed for effective remediation and prevention. It creates a dynamic threat model map using this context, thus positioning your organization a step ahead in the face of security threats

Protecting your organization's sensitive data is too critical to be left to chance. As such, it's time to harness the power of proactive and strategic management of exposed secrets. Check out our use cases to explore how Entro can empower you to strengthen your organization's security posture.

Book a demo to learn more about Entro and how it can benefit your organization.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Exposed Secrets are Everywhere. Here's How to Tackle Them

An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to be able to execute arbitrary SQL commands.

CVE-2019-5476

**SANTA CLARA, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Valtix, the industry's first multi-cloud network security platform as a service, today announced findings from its 2023 Multi-cloud Security Report, which found that 95% of companies are pushing toward a multi-cloud environment, but only 58% believe they have the security architecture to support it. Respondents in the survey of more than 200 U.S. IT leaders cited complexities, gaps and other challenges between the overall strategy and the infrastructure they ultimately create.

The survey found that multi-cloud activity continues to rise with 93% of respondents currently having workloads and data on more than one cloud. Of those not yet in a multi-cloud environment, a full 94% expect to be multi-cloud within 12 months. Companies are embracing multi-cloud twice as fast this year compared to Valtix's year-ago survey. At that time, only 62% of organizations were multi-cloud, with 84% expecting to get there within two years.

"Multi-cloud continues as a strategic priority for most organizations in 2023—yet it also remains a concern for nearly all organizations," said Vishal Jain, co-founder and CEO of Valtix. "Very few companies have the tech, talent and confidence they need to put in place a comprehensive security infrastructure across multiple clouds. While many companies are still unintentional in their cloud choice, leaders are increasingly looking for proactive ways to leverage multi-cloud to benefit the business."

According to the survey, organizations cited several 'unintentional' factors that have accelerated their journey to a multi-cloud environment, including (1) shadow IT (51%), (2) different ISVs that support different clouds (48%), and (3) mergers and acquisitions (47%).

Even as adoption accelerates, 28% of IT leaders surveyed strongly believe multi-cloud is a "bad idea," citing issues such as (1) difficult to consistently secure (38%), lack multi-cloud security and management tools (35%) and (3) lack of multi-cloud reference architectures (32%). Only 57% of IT leaders are sure that multi-cloud security is achievable with current resources and technology, but admit they need to embrace it anyway, as 95% consider multi-cloud a "strategic priority" this year.

**Other findings:**

*   **Cloud Service Providers (CSPs) fail to define portability standards:** As businesses increasingly leverage CSPs for this cloud transformation, IT leaders surveyed were not hopeful CSPs will define portability standards anytime soon. A full 97% of IT leaders believe that CSPs should help define standards to enable better multi-cloud portability. However, 58% surveyed believe security standardization in a multi-cloud environment is a 'myth' and never achievable. Nearly all (90%) of organizations surveyed evaluate third-party security technology in addition to the security tools CSPs provide.
*   **Multi-cloud is a budgetary drain:** Managing multiple distinct security architectures with multi-cloud security is prohibitively expensive for 86% of organizations.
*   **The rise of the cloud security architect:** The Cloud Security Architect is growing as a common role with 86% of organizations currently employing an in-house cloud security architect. Moreover, 89% of organizations require every cloud project to adhere to a cloud security reference architecture.
*   **Cloud security posture management viewed as a commodity:** 67% of IT leaders view CSPM technology provided by the cloud providers as being critical to their success. Only 53% of organizations are looking to make a new CSPM technology investment in 2023.

A complimentary copy of the full report can be downloaded at https://valtix.com/lp/2023-multi-cloud-security-report/.

Follow Valtix on Twitter and LinkedIn to learn more.

**About the Survey**

Valtix commissioned an independent research firm to survey 200 IT leaders in the US about the problems they face with multi-cloud security, the tools they're using, the tools they want to use in the future, and the skills they need to scale and secure on multiple cloud platforms. The survey, which was conducted in January 2023, used a random sample of US IT leaders and has a margin of error of +/- 6.9% at the 95% confidence level.

**About Valtix**

Valtix is on a mission to protect every workload, every app architecture, across every cloud. Deployable in just 5 minutes, Valtix was built to combine robust multi-cloud security with cloud-first simplicity and on-demand scale. Powered by a cloud-native architecture, Valtix provides an innovative approach to cloud network security called Dynamic Multi-Cloud Policy™, which links continuous visibility with advanced security controls. The result: security that is more effective, adaptable to change, and aligned to cloud agility requirements. Join 4 of the top 10 pharmaceuticals and leaders across every industry – sign up free in minutes.

Valtix Survey: 95% of Organizations Say Multi-cloud Is a 'Strategic Priority' but Only 58% Have the Security Architecture to Support It

Ethical hackers and bug bounty hunters invited to test Department of Defense assets

Jessica Haworth 17 January 2023 at 14:04 UTC

Ethical hackers and bug bounty hunters invited to test Department of Defense assets

  

The US Department of Defense (DoD) is holding its third annual Hack The Pentagon challenge, it announced this week.

Hack The Pentagon was launched in 2016, opening the door for security researchers to look for vulnerabilities in some of its top assets.

Since its creation, the program has seen more than 600 ethical hackers and bug bounty hunters invited to find bugs in DoD resources, resulting in the disclosure of more than 700 issues so far.

Read more of the latest bug bounty news

In a statement posted to the US government website, the DoD confirmed it will be organizing a third iteration of the competition this year.

It also confirmed that it is looking for contractors to partner on the program.

“The DoD’s first Vulnerability Disclosure Policy (VDP) established a 24/7 pathway for security experts to safely disclose vulnerabilities on public-facing DoD websites and applications,” the US government website states.

“DDS \[Defense Digital Service\] has ongoing contracts with security firms HackerOne, Synack, and Bugcrowd to facilitate assessments for DoD components and military services against their respective assets.”

**Going further**

In 2021, the DoD expanded its VDP beyond its public-facing websites and web applications to encompass all publicly accessible information systems.

This brought into scope all public-facing DoD networks, radio frequency-based communication platforms, IoT devices, and industrial control systems, among other technologies.

BACKGROUND US government launches ‘Hack the DHS’ bug bounty program

Also 2021, the US Department of Homeland Security (DHS) also launched a bug bounty program, inviting selected security researchers to test for vulnerabilities in its systems.

Dubbed ‘Hack the DHS’, the program, held in 2022, included three different phases – a pen test, a live hacking event, and a detailed review process.

More than 450 vetted security researchers identified 122 vulnerabilities, of which 27 were subsequently determined to be critical, the DHS revealed, adding that it awarded a total of $125,600 for the bugs.

RECOMMENDED Tell us what you think – fill out this quick survey and be in with a chance of winning Burp Suite swag

US government announces third Hack The Pentagon challenge

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

*   CVE-2018-7173: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-7174: fixed in 4.01 \[XRef.cc\]
    
*   CVE-2018-7175: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-7452: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-7453: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2018-7454: fixed in 4.01 \[XFAForm.cc\]
    
*   CVE-2018-7455: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8100: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8101: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8102: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-8103: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-8104: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8105: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8106: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8107: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-11033: fixed in 4.00
    
*   CVE-2018-16368: fixed in 4.01 \[Splash.cc\]
    
*   CVE-2018-16369: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2018-18454: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18455: fixed in 4.01 \[GfxState.cc\]
    
*   CVE-2018-18456: fixed in 4.01 \[Gfx.cc\]
    
*   CVE-2018-18457: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18458: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18459: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18650: reporting an out-of-memory errors is the proper response
    
*   CVE-2018-18651: fixed in 4.01 \[Catalog.cc\]
    
*   CVE-2019-9587: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2019-9588: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2019-9589: fixed in 4.02 \[PSOutputDev.cc\]
    
*   CVE-2019-9877: fixed in 4.02 \[Lexer.cc\]
    
*   CVE-2019-10020 / CVE-2019-10024 / CVE-2019-10025: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-12360: fixed in 4.02 \[FoFiTrueType.cc\]
    
*   CVE-2019-12493: fixed in 4.02 \[GfxState.cc\]
    
*   CVE-2019-12515: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-12957: fixed in 4.02 \[FoFiType1C.cc\]
    
*   CVE-2019-12958: fixed in 4.02 \[FoFiType1C.cc\]
    
*   CVE-2019-13281: fixed in 4.02 \[Stream.cc\]
    
*   CVE-2019-13282: fixed in 4.02 \[Function.cc\]
    
*   CVE-2019-13283: fixed in 4.02 \[FoFiType1.cc\]
    
*   CVE-2019-13286: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-13287: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-13288: fixed in 4.02
    
*   CVE-2019-13289: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-13291: fixed in 4.02 \[Stream.cc\]
    
*   CVE-2019-14288 / CVE-2019-14289: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-14290 / CVE-2019-14291 / CVE-2019-14292 / CVE-2019-14293: fixed in 4.02 \[GfxState.cc\]
    
*   CVE-2019-14294: fixed in 4.02 \[JPXStream.cc, JPXStream.h\]
    
*   CVE-2019-15860: old bug in 2.00, no longer relevant
    
*   CVE-2019-16088: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2020-25725: fixed in 4.03 \[SplashOutputDev.cc\]
    
*   CVE-2020-35376: fixed in 4.03 \[FoFiType1C.cc\]
    
*   CVE-2022-24106: fixed in 4.04 \[Stream.cc\]
    
*   CVE-2022-24107: fixed in 4.04 \[JPXStream.cc\]
    
*   CVE-2022-30524: will be fixed in 4.05 \[TextOutputDev.cc\]
    
*   CVE-2022-33108: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2022-38171: fixed in 4.04 \[JBIG2Stream.cc\]

Search

lenovo warranty check/lookup | check warranty status | lenovo support us