New rules aim to level up the quality of submissions to Google and Android device Vulnerability Reward Program.

Google and Android will now assess device vulnerability disclosure reports based on the level of information that bug hunters provide in order to encourage more comprehensive submissions.

Vulnerability reports submitted to the Android and Google Vulnerability Reward Program (VRP) will be rated as "High," "Medium," or "Low" quality based on these elements, according to Google Security:

*   The accuracy and detail of the vulnerability description
*   Analysis of its root cause
*   Proof of concept
*   Reproducibility
*   Evidence of reachability

Google and Android have also upped the top bug bounty prize to $15,000.

"Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues," the Google Security blog post announcing the VRP changes said. "The CVEs will continue to be assigned to critical and high severity vulnerabilities."

Bugcrowd founder and chief technology officer (CTO) Casey Ellis applauds the effort by Google to define the elements of a high-quality vulnerability disclosure.

"Nothing happens without effective communication. ... The power of crowdsourcing brings with variability in how vulnerability submitters communicate, and the downstream effectiveness of the report at communicating the risk to those who need to fix it," Ellis says, in response to the new VRP rules. "Google stepping up to help educate the hacker community on 'the things which make communication more effective' is an enormous win for both the space and the community itself."

In 2022 alone, Google's VRPs paid out a record-setting $12 million in bug bounties.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Debuts Quality Ratings for Security Bug Disclosures

85% of AppSec pros say ability to differentiate between real risks and noise is critical, yet only 38% can do so today; mature DevOps organizations cite widespread impact due to lack of cloud-native tools

**Tel Aviv, May 17, 2023** \- Backslash Security, the new cloud-native application security solution for enterprise AppSec teams, today released a new research study, **Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report**, exploring how the state of application security has evolved given the rise of cloud-native application development. The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments. 

The study reveals that AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace, and playing security defense via an endless and unproductive vulnerability chase. **Notably, 58% of respondents report spending over 50% of their time chasing vulnerabilities, with a shocking 89% spending at least 25% of their time in this defensive mode.** This costly 'defensive tax' — the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program — is estimated to be upwards of $1.2 million annually.

Given the accelerated pace of digital innovation across enterprises of all sizes and the blurred lines between AppSec and CloudSec, enterprise AppSec teams are saddled with solutions that have not caught up to the cloud pace. **As a result, AppSec professionals are losing faith in the prevailing AppSec tools:** 

*   Almost all organizations are seeing a widespread impact of the lack of cloud-native AppSec tools, including growing friction between AppSec and dev teams (39%), jeopardized ability to generate revenue (39%), and inability to retain high-value dev talent (38%) and AppSec talent (35%);
*   94% of respondents cited multiple issues with today’s AppSec technologies; top complaints were the considerable amount of time spent prioritizing findings (48%) and that existing AppSec tools are noisy (45%);
*   SAST and DAST are quickly losing ground, with just 32% of respondents stating that they use either of these prevailing standards extensively.

The report emphasizes the urgent need for a **new AppSec paradigm that maps a clear path to a modern standard for cloud-native AppSec success,** characterized by end-to-end visualization of all microservices, automatic identification and prioritization of real risks, and intelligent triaging and remediation. In assessing the importance of these three key tenets of modern AppSec: 

*   82% agree that automating threat model visualization will help AppSec teams save time and manual labor analyzing cloud-native application risks;
*   91% believe correlating application security risks with the application’s exposure to the outside world, such as via open APIs, is important;
*   91% believe differentiating between general code weaknesses and critical vulnerabilities is important;
*   Eight out of the nine total capabilities that define this new cloud-native AppSec paradigm were ranked as “critical” or “important” by 70%+ of respondents.

**However, the AppSec industry suffers from a massive cloud-native enablement gap.** Across all of the most critical capabilities, respondents reported that enablement is sorely lacking: 

*   85% of respondents say the ability to differentiate between real risks and noise is critical to their success, making it the #1 most important capability; yet only 38% of respondents are enabled to do so;
*   This trend persists throughout, including “correlating security findings to the developer or dev team responsible for the fix” (78% vs. 43%); “meeting compliance standards” (78% vs. 38%); and “efficient triaging between Dev and AppSec” (73% vs. 42%).

"What we're hearing across the board is a message of urgency – we've entered a new, cloud-native reality, and it’s time to put an end to the AppSec catch-up game," said Shahar Man, co-founder and CEO of Backslash. "These outdated AppSec methodologies hamper productivity, innovation and talent retention for both AppSec and dev teams. The cloud-native application development paradigm calls for a new, unified approach to application security that will make the friction between development and AppSec teams a thing of the past, enable enterprises to retain valuable talent, and accelerate innovation and growth."

This report surveyed 300 security professionals specifically tasked with application security for their organization, equally split between CISOs, AppSec managers and AppSec engineers from U.S. companies with 1,000 or more employees. Companies represent a wide range of industries. 

Click here to download the report and learn more. 

**About Backslash Security**

Backslash is the first Cloud-Native Application Security solution for enterprise AppSec teams to provide unified security and business context to cloud-native code risk, coupled with automated threat modeling, code risk prioritization, and simplified remediation across applications and teams.

With Backslash, AppSec teams can see and easily act upon the critical toxic code flows in their cloud-native applications; quickly prioritize code risks based on the relevant cloud context; 

and significantly cut MTTR (mean time to recovery) by enabling developers with the evidence they need to take ownership of the process.

Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, including technology entrepreneur and investor Shlomo Kramer, Ron Zoran (former CRO of CyberArk), and Brian Fielder (General Manager, CTO Enterprise Security at Microsoft), Backslash has been deployed across leading technology organizations and Fortune 100 companies. 

More at https://www.backslash.security/.

AppSec Teams Stuck in Catch-Up Cycle Due to Massive Cloud-Native Enablement Gap

As enterprises adopt multicloud, the security picture has become foggy. Cloud workload protection platforms and distributed firewalls are creating clarity.

As enterprises move more of their business infrastructure into the cloud, they are grappling with the challenges of managing multiple cloud environments. Security firms are tackling multicloud security through increased visibility, cross-platform implementations, or a combination of the two.

On Thursday, cloud networking firm Aviatrix announced its new Distributed Cloud Firewall security platform, which combines traffic inspection and policy enforcement across multicloud environments. The firm uses native cloud platform features and its own technology to give companies a consolidated view into the security of their cloud workloads and the ability to push out the same policies to different clouds, says Rod Stuhlmuller, VP of solutions marketing at Aviatrix.

"The architecture is really what's new, not necessarily the capabilities of each of the features," he says. "It's very different than having to reroute traffic to some centralized inspection point for whatever security capabilities you're talking about — that just becomes very complex and expensive to do."

The vast majority of companies (87%) have moved their information infrastructure to a multicloud architecture, with the lion's share (72%) using a hybrid approach that combines both private cloud infrastructure and public cloud services, according to the "Flexera 2023 State of the Cloud Report." Among the top challenges for enterprises are managing their multicloud architectures and the security of their cloud infrastructure, with 80% and 78% struggling with the issues, respectively, according to Flexera.

    

Security and managing multicloud deployments are two top challenges for companies. Source: "Flexera 2023 State of Cloud Report"

As companies deploy workloads to multiple cloud service providers (CSPs), security can suffer. Because CSPs differ in the way that they handle security policies, inspection of traffic, and deploying workloads, companies can quickly lose visibility into security of their cloud infrastructure, says Patrick Coughlin, vice president of technical go-to-market for Splunk, a data and insights cloud platform.

"Let's say, maybe, you go to Google for your machine-learning tooling and workloads, you go to Azure for your core corporate business services, and you go to AWS for cost-efficient storage and overall data management. You may even have some homegrown applications that are legacy and highly regulated that you need to keep on prem," he says. "But what the security team needs is visibility across all of that, and it's a nontrivial challenge to be able to provide not just that visibility but the ability to investigate across all of that when something goes bang in the night."

**The Multicloud Security Mess**

Initially, many providers created virtual instances of their firewall appliances and set them as gateways to cloud infrastructure, but those virtual firewalls have become increasingly difficult to manage, especially across multiple cloud platforms, says John Grady, principal analyst for cybersecurity at Enterprise Strategy Group.

"Virtual firewall instances have been around for a while, but there's been an acknowledgement over the last couple of years that these deployments can be complex and cumbersome and don't take advantage of the key benefits the cloud offers," he says. "So we've seen a general shift toward more cloud-native network security solutions."

With more organizations using multiple infrastructure-as-a-service (IaaS) solutions from the top cloud companies — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — finding a solution to the growing complexity is critical.

Aviatrix, for example, allows companies to create an abstracted policy that can be applied across all the cloud platforms using their native security groups, without the administrator needing to go to each cloud. For companies with proliferating workloads, driven by microservice-based software architecture, the number of containers and virtual machines that need to be updated can skyrocket, Stuhlmuller says.

"It's not that we're putting firewalls everywhere, but we're putting the inspection and enforcement capability into the network into the natural path of traffic, with a \[single management console\] that allows us to do central creation of policy but push that distributed inspection enforcement out everywhere in the network."

Other major vendors that focus on cloud workload security, albeit with differing takes on the technologies, include Palo Alto Networks, Trellix, Trend Micro, Rapid7, and Check Point Software Technologies, according to Forrester Research.

**Saving Money Becomes Paramount**

With uncertain economic times worrying the executive suites, cost savings may be the biggest argument for businesses to consolidate their view of their cloud infrastructure. A security architecture based in the cloud and representing every cloud platform in the same way helps companies more efficiently secure their cloud services, but the approach also has the real benefit of being able to save money, says Andras Cser, vice president and principal analyst at Forrester Research.

"Multicloud security cuts costs," he says. "Organizations do not have to invest in procuring and training for multiple cloud providers' security solutions. They can, instead, use a single provider or cloud provider to source all cloud security capabilities from one tool. This reduces errors, improves security posture, and cuts costs."

In addition, consolidating some features leads to cost efficiencies. Distributed firewalls, for example, have the ability to run network address translation (NAT) and charge per hour, as opposed to many vendors that charge per hour and by bandwidth, according to Aviatrix's Stuhlmuller.

Finally, a simpler approach to security in the cloud helps companies reduce the overhead of securing workloads and allows their security professionals to focus on improving the security maturity, says ESG's Grady.

"Many organizations continue to struggle with the skills shortage and are trying to do more with less," he says. "There's an efficiency benefit with a 'write-once, enforce everywhere' model, as well as time savings from not having to deploy individual instances and the associated cloud infrastructure — such as load-balancers — to support them."

Enterprises Rely on Multicloud Security to Protect Cloud Workloads

A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.

For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.

This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target's master password in cleartext from a memory dump — even when the user's workspace is closed.

While KeePass' maintainer has developed a fix for the flaw, it won't become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.

"No code execution on the target system is required, just a memory dump," the security researcher "vdhoney" said on GitHub. "It doesn't matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system."

An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.

Vdhoney described the vulnerability as one that only an attacker with read access to the host's filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.

"Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," the researcher added.

Vdhoney said the vulnerability had to do with how a KeyPass custom box for entering passwords called "SecureTextBoxEx" processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. "For example, when 'Password' is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

**Patch in Early June**

In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.

The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June.

"To clarify, 'within the next two months' was meant as an upper bound," Reichl said. "A realistic estimate for the KeePass 2.54 release probably is 'in the beginning of June' (i.e. 2-3 weeks), but I cannot guarantee that."

**Questions About Password Manager Security**

For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to KeePass' XML configuration file could edit it in a manner as to retrieve cleartext passwords from the password database and export it silently to an attacker-controlled server.

Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained the password manager is not designed to withstand attacks from someone that already has a high level of access on a local PC.

"No password manager is safe to use when the operating environment is compromised by a malicious actor," KeePass had noted at the time. "For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Window environment."

The new KeyPass vulnerability is likely to keep discussions around password manager security alive for some more time. In recent months, there have several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.

In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.

Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues.

In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.

KeePass Vulnerability Imperils Master Passwords

Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.

Cyber espionage attacks against organizations in Taiwan have surged against the backdrop of recent political tensions, new research shows.

Trellix this week cited a fourfold rise in malicious phishing emails targeting Taiwanese companies between April 7 and 10 of this year. Networking/IT, manufacturing, and logistics, were hit the most.

The emails followed different archetypes — a fake shipment update from DHL, a fake order for bulk cement, or a fake payment overdue notification.

Some of the emails came fitted with malicious attachments, while others contained links to fake login pages designed to harvest credentials.

Following the jump in malicious emails, the researchers detected an even more significant rise in instances of PlugX — a decade-old remote access Trojan common among Chinese state-linked threat actors. PlugX is perhaps most notable for its stealthiness, using DLL sideloading as a means of circumventing Windows security measures and running arbitrary code on a target machine.

Other infostealer malware families spotted in attacks against Taiwan include Zmutzy — a Trojan written in .NET — and Formbook — a cheap infostealer-as-a-service with downloader capabilities.

Patrick Flynn, head of commercial threat intelligence at Trellix, says the majority of the attacks appear to be nation-state, with about 40% targeting Taiwan officials and agencies.

**Cyberattacks in the China-Taiwan Conflict**

Conflict between China and Taiwan dates back three quarters of a century, with the former claiming sovereignty over the autonomous latter. Tensions have ebbed and flowed ever since, with a recent flare-up precipitating from the parallel conflict in Ukraine, diplomatic meetings between American and Taiwanese officials, and Chinese military drills in the Taiwan Strait. The political and economic implications are severe.

As in Ukraine, cyberattacks have long played a role in the Taiwan conflict — a simpler, more cost-effective, and less politically dangerous weapon of war most often deployed by the more powerful side to target their adversary.

"Cyberwarfare is an attractive option for a number of nation states, as it lets them target their adversaries without escalating to a 'shooting war,'" says Mike Parkin, senior technical engineer at Vulcan Cyber.

In January 2023, for example, Trellix observed a 30-times increase in extortion emails sent to Taiwanese officials. "Though it's unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan," the researchers explained.

For now, there's no reason to believe that cyber campaigns against Taiwan and its economy will slow down any time soon, so the impetus will fall on organizations to defend themselves.

"In most cases, the things we do to counter common cybercriminals are the same things we should be doing to counter nation-state attacks: training users, up-to-date patches, secure configurations, etc.," Parkin says.

But "state-level threats are likely to have more resources and can deploy more sophisticated malware, more targeted phishing attacks, and they have the time and energy to stay persistent," he says. "Facing threats like that makes it even more important for us to have our security stack at least to baseline."

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

Risk from artificial intelligence vectors presents a growing concern among security professionals in 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

10 Types of AI Attacks CISOs Should Track

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.

A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients' cloud environments.

Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.

Using one of its typical method of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.

From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.

"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."

**Hijacking the VM**

By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.

"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."

UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.

However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.

"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.

**From the VM to the Environment**

Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.

"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.

Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured such that port forwarding any inbound connection to remote machine port 12345 would be forwarded to the localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.

The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.

"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.

**How to Defend Against this VM Attack**

To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.

Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.

"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.

They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.

Microsoft Azure VMs Hijacked in Cloud Cyberattack

Security by design can't be just a best practice — it has to become a fundamental part of software development.

Amid a feverish cybersecurity environment, there is a growing chorus for software to be secure by design. In April, the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), aligned with the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand to create guidelines aimed at supporting software manufacturers to "embed security-by-design and by-default."

In this new paper, the agencies call on software makers to deploy threat modeling at the design stage. These guidelines follow fast on the news that the US government will legislate to introduce liability for software makers to secure the products they manufacture.

All software developers want to build secure software, so why is it so difficult to do, what does effective security by design look like, and what needs to change to embed it in the software development process?

**The Challenge**

The sheer prevalence of cybersecurity breaches is evidence of the huge challenge faced by developers trying to build secure software. Striving to get their products to market quickly, software manufacturers are incentivized to take shortcuts on security. And the challenge of designing secure software is becoming more difficult as software architecture grows in complexity, with every sector of the economy being transformed by software. The recent intention of the White House to hold vendors accountable for poor software security could be seen as an attempt to correct the current market incentives.

This is especially the case with supply chains, which are getting ever more complex, making it difficult to predict how different pieces of software will interact. We've seen this challenge in the growing trend of supply chain attacks that have affected businesses, including Air France, KLM, and Nissan in the past year.

**Security by Design and Threat Modeling**

It is still the case that most software security activities are focused at the end of the development process, but this creates some problems. First, scanning software through application security testing tools can miss more complex flaws in the design of an application. In addition, when you do identify a bug once you have completed development, remediation can be costly and time consuming.

It is much better to identify and address security flaws before code is written, through the process of threat modeling. There are a number of different approaches to threat modeling, but fundamental to them all is analyzing the design of the system as a cross-functional team — development and security teams coming together to identify potential security and privacy issues and developing a plan to solve or mitigate them.

So far, so straightforward. So why isn't this happening? There seem to be three main barriers: skills, responsibility, and practicality.

**Embedding Security by Design**

A fundamental challenge is that many developers enter the workplace without the technical knowledge to build secure software and with little or no experience of threat modeling. It is a software skill that you have to invest in and it takes time to learn. The focus of the developer is, understandably, on the functionality that they are developing, not on how a threat actor might find a vulnerability in that new functionality.

This leads us to the second barrier, which is a lack of clarity over where responsibility for security at the design stage lies, which means in many businesses threat modeling can fall through the cracks. Despite their fundamental role, the development team often views security as the responsibility of the security team. This is also entirely understandable, given that in most businesses the knowledge about the process of threat modeling and of the security risks is held by the security team. Just as you can't design secure software without the engineers, you can't build secure software without the security team's insight into the evolving attack vectors used by threat actors.

Until these two teams are working together at the very start of the software development process and threat modeling is embedded as a community practice with shared responsibility, this problem won't be solved.

The third barrier is that until fairly recently, traditional approaches to threat modeling have been impractical when developing software on a large scale. For an organization that is building many thousands of applications, the traditional approach to threat modeling, as a group in a meeting room with a whiteboard, isn't possible. However, automation of this process is now a reality. As a developer, you can now use automation to generate a threat model that contains relevant threats and countermeasures for you.

This latest guidance from the world's leading cybersecurity agencies should leave us in no doubt that security by design is no longer just best practice — it has to become a fundamental part of software development. The tools exist now to make it possible to achieve, but it must be a shared endeavor, with development and security teams working closely together before a line of code is written.

Embedding Security by Design: A Shared Responsibility

Customized fix recommendations and cut and paste code fixes dramatically reduce remediation times.

**TEL AVIV, Israel****,** **May 17, 2023** **/PRNewswire/ --** OX Security, a leader in software supply chain security, today announced the launch of OX-GPT, the first ChatGPT integration to improve software supply chain security. With the new integration, OX now presents developers with customized fix recommendations and cut and paste code fixes, providing for quick remediation of critical security issues across the software supply chain.

ChatGPT has dramatically changed the cybersecurity landscape. Over the past few months, hackers have already begun using ChatGPT, and other AI models to find and exploit vulnerabilities, develop malware and craft phishing emails.

Yet AI also holds tremendous potential to protect against cyber attacks, and OX Security is the first to use ChatGPT to improve software supply chain security.

Until now, security teams often needed many tools to secure the software supply chain, resulting in too many alerts and fragmented workflows.

"Flooded by alerts, developers often become frustrated and overwhelmed. After wasting enough time chasing false positives, they lose trust in these tools and no longer see the value in the activities that security asks them to perform," said OX Security CEO and co-founder Neatsun Ziv, who served as Check Point's VP of Cyber Security prior to founding OX. "We want to bring that trust back."

The first of its kind ChatGPT integration provides developers with contexts for the specific issues they are facing, including how the code in question could be exploited by hackers, the possible impact of such an attack and potential damage to the organization. It then provides them with control over security and enables faster and easier remediation with cut and paste code crafted to secure and fix the specific issue, along with an explanation of why the fix works.

"Developers' primary focus may not be security," said Shai Sivan, CISO of Kaltura (NASDAQ: KLTR), "but if they could trust that spending a short amount of time to remediate risks pre-production would save them from having to go into crisis mode later, they would take the time to fix those problems."

"By giving developers control and providing them with the information and tools they need to quickly assess and fix the issue, OX-GPT will enable organizations to stay ahead of attackers," Ziv continued.

For more information about OX-GPT, send an email to \[email protected\], or request a demo via OX Security's website: www.ox.security.

**About OX Security**

OX Security believes that security should be an integral part of the software development process, not an afterthought. Founded by Neatsun Ziv and Lior Arzi, who previously led Check Point's Security Group, OX is the first end-to-end software supply chain security solution. OX provides DevSecOps teams with the automation, visibility, and risk insights they need to bring security and integrity to every step of the supply chain, from the earliest planning stages until deployment to production.

SOURCE Ox Security

OX Security Launches OX-GPT, AppSec's First ChatGPT Integration

With the new additions to Satori's Data Security Platform, companies gain unprecedented visibility to answer "Where is all my data?" and "Who has access to it?"

**Sunnyvale, CA — May 17, 2023 —** Satori, the industry’s leading data security platform, today announced the availability of Posture Management, a new capability within Satori’s platform that monitors the authorization of users to data across all of a company’s data stores. In addition, Satori announced the availability of Data Store Discovery, which scans and monitors an organization’s cloud accounts to discover new data stores.

Powered by Satori's opensource Universal Data Permissions Scanner , Posture Management is designed to give companies a comprehensive understanding of who has access to what data within the organization, at all times. Posture Management scans all data permissions, provides an analytics layer over data access in the organization, and tracks KPIs to help improve data access posture. Using Posture Management, companies can proactively eliminate risks of a data breach due to over-privileged data access. In addition, with Posture Management, companies can view authorization permissions over time and at any specific point in time, making compliance audits and forensic investigations easier and more efficient. 

With Data Store Discovery, another new capability within Satori’s Data Security Platform, users can connect Satori directly to their cloud accounts to gain a holistic view of all data stores in the organization. For example, if a team sets up a “shadow” cloud database without proper access controls in place, the data and security teams will know about it immediately and take proper action, such as shutting it down or applying appropriate access control over it.

These capabilities are available to all Satori customers as part of its Data Security Platform, which allows frictionless just-in-time access to data, with a self-service data portal where data users can select the data they need and get access to it according to the organization’s guardrails and policies.

“Data access posture management is a critical capability that every data security platform should encompass, and our new Posture Management can help enterprises stay ahead of the game when it comes to data security and compliance,” said Yoav Cohen, CTO and co-founder of Satori. “Taking action against data security threats reactively is not enough in today's data-driven environment. Our goal is to empower organizations to take a preventative approach to protect their most sensitive and business-critical data. With Posture Management, our customers can take control of their data security and manage risk with ease.”

Both capabilities are available now to all Satori customers. Click here to learn more.   

**About Satori**

In today's complex environment, with the growth of large and diverse cloud-based data, it can be difficult to know who is accessing what data and when. This can lead to serious data security consequences, including overprivileged access and an increased risk of data loss or breach. It's crucial for companies to monitor and manage access to their data on a continuous basis to reduce risk and remain compliant. Satori enables companies to confidently discover and classify sensitive data, apply security policies and permissions, monitor access to sensitive data, and now, track security posture — all in one place. 

Satori is revolutionizing data security. Its data security platform seamlessly integrates into any environment to automate access controls and deliver complete data-flow visibility utilizing activity-based discovery and classification. The platform provides context-aware and granular data access and privacy policies across all enterprise data flows, data access and data stores. With Satori, organizations and their data teams can confidently ensure that data security, privacy and compliance are in place – enabling data-driven innovation and competitive advantage. Learn more at satoricyber.com.

Source

DARKReading