Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

New year, new cartoon contest! We're flushed with excitement, knowing our clever, cybersecurity-minded readers are going to come up with imaginative captions for our latest cartoon, above. Here are four convenient ways to submit your ideas before the Feb. 8, 2023, deadline.

*   Email _\[email protected\]_ with the subject line "Dark Reading January Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Dave Brassey is one bright guy! The manager of privacy, security and risk assurance at Australia-based software company Family Zone Cyber Safety won our December "Kiss and Tell" contest for his caption, below. A $25 Amazon gift card is on the way. Thanks to everyone who submitted an idea!

    

_**"I thought this was a DevOps party? InfoSec is always trying to get in on the action!"**_

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Poker Hand

The report highlights concerning security stats following two years of extreme tech growth.

**OTTAWA,** **ON****,** **Jan.** **19,** **2023** **/PRNewswire/ -** The media industry is at higher risk of cyber attack. According to the newly released State of Penetration Testing as a Service report, an average of 3.75 critical vulnerabilities were found for every MediaTech application tested in 2022. During the same period, the data & analytics industry came second with an average of 1.5 critical vulnerabilities found per client application. Across all industries, 0.9 critical vulnerabilities were identified per client application.

Critical vulnerabilities are the most severe form of application security risk, and include categories of vulnerabilities such as SQL injection (SQLi), remote code execution (RCE), command injections, and unauthorized administrative host/application access. The "OWASP Top 10" also defines a list of the most common and severe vulnerabilities facing software applications today.

Companies facing critical vulnerabilities are at high risk as these issues are easily exploitable and will have significant damaging effects if exploited by a malicious hacker. Negative consequences include unauthorized release of confidential information, access to sensitive customer data, and access to control internal systems. As such, most companies are recommended to fix these within a maximum of 5 days after discovery.

Software Secured, an Ottawa\-based penetration testing firm, released the report based on insights from their client testing in 2021 and 2022. The goal of the report is to help leaders of security and compliance teams understand the most prominent risks facing their software within the next year. Included within the report are explanations on the identified threats and recommendations for companies to stay ahead of hackers. Some other insights gained from their reporting include:

*   Increase in critical-level SQL injection attacks by 250% compared to 2021
*   Increase in high-severity Denial of Service (DoS) attacks by 133% compared to 2021
*   Cross-site scripting (XSS) findings remain the most common critical vulnerability for two years in a row

Penetration testing as a service (PTaaS) is a comprehensive security assessment that is proven to help companies secure their applications, significantly decreasing the likelihood of cyber attacks

Download the full 2022 State of Penetration Testing as a Service report here.

For more information or questions, please visit us online at softwaresecured.com or contact us with the information below:

SOURCE Software Secured

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Media Industry Is the Most Vulnerable to Cyber Attacks, Report Shows

ICS/OT cybersecurity firm finds 35% of CVEs in second half of 2022 unpatchable.

**CHANDLER, Ariz.****,** **Jan. 19, 2023** **/PRNewswire/ --** SynSaber, an early-stage ICS/OT cybersecurity and asset monitoring company, announced today the release of the company's second Industrial Control Systems (ICS) Vulnerabilities & CVEs Report. The report analyzes the 920+ CVEs released by CISA in the second half of 2022 to determine the following:

*   Who is reporting the vulnerabilities?
*   What remediations (if any) are available?
*   What are the severity levels and potential impacts?
*   How does the data compare to the CVEs reported in the first half of the year?

"Year after year, there is a deluge of vulnerability disclosures in industrial control systems, often creating anxiety as the security community attempts to patch or remediate each point of exposure — an impossible feat," said Ron Fabela, CTO of SynSaber. "Our goal with this report is to analyze the 920+ CVEs, and gather insights for the ICS industry regarding which CVEs should be taken most seriously and which can be accepted as a part of the organization's risk management strategy."

**Key Findings:**

*   For the CVEs reported in the second half of 2022, 35% have no patch or remediation currently available from the vendor (up from 13% in the first half of the year)
*   While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 43% have been submitted by security vendors and independent researchers (these figures were consistent with the first half of 2022)
*   28% of the CVEs require local or physical access to the system in order to exploit (up from 23% during the first half of 2022)
*   Of the CVEs reported in the second half of 2022, 22% can and should be prioritized and addressed first (with organization and vendor planning)

The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease. It's important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized.

For more information on the report, please visit: https://synsaber.com/resources/ics-vulnerabilities-and-cves-second-half-2022/

**About SynSaber:** 

SynSaber is the simple, flexible, and scalable industrial asset and network monitoring solution that provides continuous insight into the status, vulnerabilities, and threats across every point in the industrial ecosystem, empowering operators to observe, detect and defend OT/IT systems and protect critical infrastructure. SynSaber is privately held with funding from SYN Ventures, Rally Ventures, and Cyber Mentor Fund. Learn more at SynSaber.com.

SOURCE SynSaber

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SynSaber Releases ICS Vulnerabilities & CVEs Report Covering Second Half of 2022

Open architecture, non-standalone roaming, nation-state attacks, ransomware, and the need for more industry collaboration are among the major 5G security challenges that operators must address in the year ahead.

**ROME****,** **Jan. 19, 2023** **/PRNewswire/ --** SecurityGen, the award-winning global provider of security solutions and services for the telecoms industry, today announced its cybersecurity priorities for telecom operators in 2023.

"As 5G's global footprint increases, the number of cyber threats targeting 5G increases as well," said SecurityGen co-founder and CTO Dmitry Kurbatov. "In 2023, operators must be aware of the range of these threats and take necessary steps to properly defend their networks, protect their customers, and safeguard their operations and revenue."

Kurbatov identifies the main factors shaping the risks and threats that operators must prepare for in the year ahead as follows:

      **1.  5G related challenges**

*   **5G is open for integration - but also open to attack**

Unlike previous mobile network generations like 3G and LTE, 5G is designed from the ground up to be flexible and open for integration with multiple external systems. However, the same open architecture that enables this flexibility and easy integration can also make 5G vulnerable and exposed to threats and hidden vulnerabilities.

The challenge for operators is to maximise 5G's advanced functionality and interoperability while also recognizing this vulnerability and minimizing the threats arising from 5G's extra openness compared to previous network generations.

*   **Beware** **of** **roaming traffic from non-standalone 5G**

As operators deploy more 5G networks and more users purchase 5G smartphones, the volume of roaming traffic between 5G networks increases. But the majority of this extra roaming traffic goes through non-standalone 5G networks which still use unsecure legacy technology for their core networks, including signaling protocols such as GTP and Diameter, which have proven to be hackable in recent years.

Without proper security measures in place, 5G is vulnerable to threats originating from non-5G networks carried in non-5G network traffic – but which are able to damage and disrupt 5G services.

      **2.  Cyberattacks from hostile states and organized crime**

Telecom networks are critical national infrastructure, which makes them high-value targets for cyberattacks, especially during times of conflict and heightened geopolitical tensions. The growing use of mobile - especially 5G - for connecting and remote monitoring of everything from energy grids and automated factories to smart cities and transport systems, amplifies the damage and disruption that an attack on an operator's network could inflict. Mobile's importance also makes it a target for organized crime groups to launch financially motivated attacks of their own aimed at operators or their subscribers.

      **3.  Operators as high-value targets for ransomware**

The number and frequency of cyber-attacks such as ransomware and phishing show no signs of slowing down. The threat of ransomware is already well known: however in 2023, expect the bad actors behind them to become more advanced and more selective in their attacks - including targeting mobile networks as the means to breach telecom operators and access the valuable customer data they hold.

      **4.  New industry regulations on security but operators must do more themselves** 

National and pan-regional regulators are pushing the telecom industry to comply with new security requirements that address the heightened threat of cyberattack on digital infrastructure and telecom networks as part of it.

Mobile network security is still perceived as an after-thought. Rather than adopt a network-wide, security-by-design approach, many operators continue to rely on inefficient one-off security techniques which leave parts of their networks exposed to hackers.

      **5.  Effective cybersecurity also depends on** **collaboration**

*   **Hinders knowledge sharing**

When companies and experts share their knowledge and experience, everyone benefits. But with international cooperation undermined by current geopolitical rivalries and tensions, divisions might open between operators and other telecom industry players, industry regulators and national governments that make it more difficult to cooperate on collective joint efforts for better cybersecurity.

*   **Cyber-security skill shortages**

Cyber-security continues to suffer an ongoing shortage of skilled workers, especially in areas that require specific expertise such as telecoms. Combined with the lack of knowledge sharing, the skills shortage makes it harder to encourage and develop new talent. The telecoms industry, led by operators, needs to step up and invest in training initiatives to attract new workers and provide them with the requisite skills needed to grow the cyber-security talent pool.

Against this range of threats, Dmitry identifies the following steps for operators to strengthen the security and resilience of their 5G networks:

*   Make the security of your 5G network as much of a commercial and operational priority as its performance in terms of speed, throughput, and coverage. The current economic conditions should not put operators off investing in proper security measures. Security is more efficient and cost-effective when it is built-in across the entire system, and not just a patch on the surface.
*   Adopt a defence-in-depth approach based on continual network-wide assessments and monitoring. 5G networks are a step-change in complexity that are more like IT systems than legacy mobile networks. Regular security checks, continuous analysis and other established cybersecurity methods fine-tuned for the telecom environment will provide the level of detail and in-depth scrutiny that's needed to ensure a 5G network is secure against advanced attacks.
*   Effective 5G security requires more than just installed software solutions and automated monitoring and testing. Extensive and ongoing training is also essential, so that operator security teams can explore and stay up to date with the latest cyberthreats - and also identify new vulnerabilities as they emerge.

"Operator security teams must be mindful of the new, unique security challenges specific to 5G while at the same time not losing sight of the threats inherited by legacy technologies within 5G's set up," explained Kurbatov.

"Telecom security cannot be solved by a single-point solution, it requires a comprehensive strategic approach along with collaboration between ecosystem players. Operators and their industry partners should cooperate closely with governments and regulators to ensure cybersecurity receives the attention and investment to protect users and ensure that networks remain safe, secure and resilient," he concluded.

**About SecurityGen**

Founded in 2022, SecurityGen is a global company focused on telecom security. We deliver a solid security foundation to drive secure telecom digital transformations and ensure safe and robust network operations. Our extensive product and service portfolio provides complete protection against existing and advanced telecom security threats.

Visit www.secgen.com .

Photo: https://mma.prnewswire.com/media/1986048/SecurityGen\_Dmitry\_Kurbatov.jpg

SOURCE SecurityGen

SecurityGen Identifies the Cybersecurity Priorities for Mobile Operators in 2023

KnowBe4 partners with the Center for Cyber Safety and Education to bolster women
in cybersecurity for the fourth consecutive year.

**TAMPA, Fla., Jan. 19, 2023 /PRNewswire-PRWeb/ --** KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform,  
today announced it is partnering with the Center for Cyber Safety and Education  
to launch a Women in Cybersecurity Scholarship for the fourth consecutive year.

The KnowBe4 Women in Cybersecurity Scholarship will offer $10,000 to be applied  
to tuition, fees, books and required electronics for the recipient. An (ISC)2  
Certification Education Package that includes a certification exam voucher, a  
study course and other materials, practice exams and one year of membership dues paid is also part of this scholarship program. This is a one-time award and  
students may reapply each year in the future to be considered for another  
scholarship. Applicants will be scored in three categories: passion, merit and  
financial need. The application period is now open and will close on February  
28, 2023 at 11:59 p.m. EST.

"KnowBe4 is thrilled to once again partner with the Center for Cyber Safety and  
Education for this incredible scholarship," said Kelly Barrena, VP of global  
talent brand and outreach, KnowBe4. "Women are underrepresented in the  
cybersecurity workforce, therefore it is important to support and promote  
opportunities that diversify the field and encourage women who are pursuing  
related degrees and careers. KnowBe4 looks forward to selecting a deserving  
recipient."

For more information on and to apply for the KnowBe4 Women in Cybersecurity  
Scholarship program administered by the Center for Cyber Safety and Education,  
visit https://www.iamcybersafe.org/s/knowbe4-womens-cyber-scholarships.  

About KnowBe4  
KnowBe4, the provider of the world's largest security awareness training and  
simulated phishing platform, is used by more than 54,000 organizations around  
the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4  
helps organizations address the human element of security by raising awareness  
about ransomware, CEO fraud and other social engineering tactics through a  
new-school approach to awareness training on security. Kevin Mitnick, an  
internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking  
Officer, helped design the KnowBe4 training based on his well-documented social  
engineering tactics. Tens of thousands of organizations rely on KnowBe4 to  
mobilize their end users as their last line of defense.  

About Center for Cyber Safety and Education  
The Center for Cyber Safety and Education (Center) is a non-profit charitable  
trust committed to making the cyber world a safer place for everyone. The Center  
works to ensure that people across the globe have a positive and safe experience  
online through their award-winning educational programs, scholarships, and  
research. Visit http://www.IAmCyberSafe.org to learn more.

KnowBe4 to Offer $10,000 Women in Cybersecurity Scholarship and (ISC) 2 Certification Education Package

New program enables students and early career professionals to learn critical skills required in today's entry-level cybersecurity field, helping address urgent cyber workforce jobs gap.

**ALBUQUERQUE, N.M. and LANHAM, Md., Jan. 19, 2023 /PRNewswire/ --** The International Council of E-Commerce Consultants (EC-Council), a developer of world-class cybersecurity education programs and certifications, today announced that it has partnered with edX, a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU), and committed to expanding access to vital cybersecurity education programs. EC-Council's Essentials Series is the first cybersecurity Professional Certificate of its kind to be offered on edX and includes three foundational industry certification credentials. The beginner level series is designed for learners aspiring to pursue a career in cybersecurity.

"The Essentials Series is purpose-built to help educate up-and-coming cybersecurity professionals and enable them to begin their careers," said Bill Kiriakis, Senior Vice President and Head of North America at EC-Council. "edX is a leader in online learning, bringing courses and certifications to over 46 million learners worldwide. With this new offering, edX and EC-Council can directly help address the global shortage of cybersecurity workers."

EC-Council's Essentials Series includes three individual courses covering network defense, ethical hacking, and digital forensics and costs $447 USDfor the full lab range and certification bundles. The series helps students and early career professionals learn employable skills required in today's entry-level cybersecurity field, educating students in a range of techniques and tactics across industry verticals, such as securing networks, mitigating cyber risks, conducting forensic investigations, ethical hacking, attack vectors, and more.

Cybersecurity continues to be one of the most in-demand professions. According to industry sources, there are now close to 4 million open cyber jobs worldwide and half a million open positions in the US. The industry is struggling to find and retain talent, partially due to access to training and certification programs.

"edX's professional certificate programs are designed to enhance the critical skills needed to succeed in today's most in-demand fields. They drive true career impact in an accessible and affordable way," said Andrew Hermalyn, president of partnerships at edX. "The addition of EC-Council's cybersecurity Essentials Series on edX gives learners the opportunity to earn a valuable credential from a world-class cybersecurity organization."

For more information on EC-Council's programs on edX, visit edx.org/school/ec-council.

**About EC-Council**

The sole mission of EC-Council is to advance the state of the cybersecurity profession on a global scale. Helping organizations, educators, governments, and individuals address global workforce problems is at the heart of the company's mission. To this end, it is developing and curating world-class cybersecurity education programs and certifications. It is also providing cybersecurity services to some of the largest businesses all over the world. More than 2,000 best universities, colleges, and training companies put their faith in EC-Council. This includes seven Fortune 10 companies, 47 Fortune 100 companies, the Department of Defense, global intelligence communities, and NATO. The standards for cybersecurity education are set by EC-Council programs, which have now been implemented in more than 140 countries worldwide. To acquire additional knowledge, please go to https://www.eccouncil.org/.

**About edX**

edX is the global online learning platform that exists to help learners everywhere unlock their potential. edX was founded by Harvard and MIT in 2012 to make the world's best education available to everyone. Today, as a 2U, Inc. company (Nasdaq: TWOU), edX connects over 46 million ambitious learners with the skills, knowledge, and support to achieve their goals. Together with the world's leading universities and companies, edX offers thousands of free and open courses, professional certificates, boot camps, credit-bearing micro credentials, and undergraduate and graduate degrees. Discover purpose-built online programs in technology, business, healthcare, science, education, social work, sustainability, and more at edX.org.

International Council of E-Commerce Consultants Launches Cybersecurity Essentials Professional Certificate Program on edX

There's a fine line between a hacker and an attacker, but it pays to be proactive. Consider tests by ethical hackers, a red team, or pen testers, and then bolster your company's defenses against malicious attacks.

In the world of security, there is no completely secure application or piece of software. At any point in time, a new vulnerability can be discovered, or a new exploit disclosed. The significance of recent exploits such as Log4Shell and PrintNightmare has led many organizations to re-evaluate how they efficiently and effectively discover and patch vulnerabilities before they can be exploited by an attacker.

As most organizations have expanded their technology stacks to keep pace with IT modernization and to help streamline remote work productivity, there are a host of systems and applications that cybercriminals can now exploit to gain access to sensitive company data. Keeping track of the risks and vulnerabilities within each technology is an ongoing challenge for business leaders and security teams, especially as company data is often highly dispersed across technologies and housed within different platforms.

One way to begin the process of better protecting company assets from an attack revolves around being more selective about which vulnerabilities to spend resources on.

**Assess Threat Levels**

The priority of a threat or vulnerability is subjective and will vary depending on the size of the company, the industry it operates within, and the type of data it retains. Companies need to determine if a malicious threat is affecting something that is core to their operating system and how it may impact their business. Sometimes a threat is hibernating, waiting for local privilege escalations, at which point the attacker will strike. Companies need visibility into their vulnerabilities before the malicious hacker has a chance to attack.

To do this and determine the severity of a threat, security teams cannot rely strictly on scanners anymore. If an organization is only running the same scans that the hackers run, they're doing the bare minimum to prevent automated attacks. This may work in the short term ... until the company is specifically targeted for an attack. In this case, the bad guys will be doing much more than the scanners — they will be finding new vulnerabilities, chaining vulnerabilities together, and finding new attack vectors.

Organizations must have knowledge of the same exploits that hackers have,_before_the hackers do, and patch them. One of the best ways to achieve this is utilizing ethical hackers — red teams, pen testers, bug bounties. They go beyond just using scanners. Ethical hackers find vulnerabilities that aren't being scanned for and create proof of concepts for attacks.

**Play-by-Play of an Ethical Hacker**

Here's a quick synopsis of how an ethical hacker could work to protect your organization by exposing vulnerabilities in advance:

**Step 1:** Obtain access

Hackers can often buy access to a company's internal system through the Dark Web for only a few hundred dollars. Alternatively, they can find access through leaked credentials, phishing, or other social engineering strategies.

**Step 2:** Active reconnaissance

Once into the company's internal system, they perform broad reconnaissance, including a network sweep. By doing so, they can enumerate networks, services, directories on hosts, vulnerabilities, and privileges. Using command-line controls, the hacker can look for open ports, such as Web ports, server message blocks (SMB) ports used for network shares, and remote desktop ports for managing workstations.

**Step 3:** Check for low-hanging vulnerabilities

Why pick the lock when the door is left open? Ideally, an attacker would first hope to find vulnerabilities for SMB ports, such as SMBGhost or WannaCry. If the organization has done a good job patching those SMB vulnerabilities and hardened your system, an attacker would then need to continue looking for opportunities.

**Step 4:** Target weak applications

In the attack scenario, the hacker would eventually find a vulnerable unpatched application.

**Step 5**: Elevate privileges

Unless you've disabled any default setting, the hacker would then escalate privileges from a basic user to a system user almost instantly, without the user ever knowing.

**Step 6:** Pass-the-hash

The hacker could then look for any hashes left by high-level users who logged into the endpoint in the past. Once found, a pass-the-hash attack can be executed to get access to systems as the highly privileged user, without knowing the actual user's password.

**Step 7:** Extract privileged credentials

By eventually extracting the proper credentials, the attacker could then gain access to the Domain Controller, giving them host access to Windows domain resources, as well as more workstations and other servers within the domain. With this, the hacker could manipulate systems, exfiltrate sensitive information, and essentially do anything they wanted on the domain.

This synopsis sheds light for a security team on just how easily an attack could be possible. Yet because the hacker was on the organization's side, no damage was really done, and valuable insights were collected on where/how to patch any open attack vectors and reduce the risks of malicious attackers discovering them first.

**Hacker vs. Attacker?**

In the mind of many ethical hackers, one of the biggest questions is where to draw the line. Is it OK to take advantage of an exploit if the intent is to shed light on the vulnerability? Where does a demonstration of a proof of concept cross that line into unethical territory? Would something as benign as sending a harmless email from a company account or even just typing into a Word document deserve scrutiny?

There's a fine line between a hacker and an attacker. Hacking itself is not a crime; rather, it is the motive and how a hacker applies their knowledge that differentiates doing criminal work and doing good work. Whether it's a security team, a red team, or a pen-testing group, or just an individual who found a vulnerability, one should much rather want to know about it before a malicious hacker does. It's much more difficult to clean up an attack than it is to prevent it.

With the right intentions, hacking can make the world a safer place. Just make sure to get permission — stay legal and do it with the right authorizations. Most hackers are good citizens looking to make the world a safer place.

Ethically Exploiting Vulnerabilities: A Play-by-Play

**BOSTON****,** **Jan. 19, 2023** **/PRNewswire/ --** Mendix, a Siemens business and global leader in modern enterprise application development, and Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, have announced the release of Mendix Quality & Security Management (QSM), a new cybersecurity solution that provides continuous deep-dive insights into security and code quality to immediately address risks and vulnerabilities. The introduction of Mendix QSM enables enterprises to fuel innovation and growth, while managing cyber risks and building future-fit software.

The Mendix low-code development platform enables companies to accelerate the delivery of new innovations. Succeeding the Mendix Application Quality Monitor (AQM), the new Mendix QSM solution provides IT management, quality assurance teams, and software security experts deep visibility across the entire portfolio of Mendix applications. This enables close control of the software development process without compromising the quality and security of software, ensuring that security oversight is always top of mind for customers.

Mendix QSM is powered by Sigrid®, SIG's software assurance guiding platform. Combining more than 20 best-of-class security scanning tools, it provides a comprehensive overview of how security findings impact business objectives. With Mendix QSM, Mendix clients can scan their Mendix applications, including third-party libraries, for vulnerabilities and incorrectly configured security models, rank for compliance with main industry standards such as OWASP, ISO 5055 and PCI, and receive recommendations and clear guidance on risk mitigation.

Mendix QSM is based on static analysis of application models. Mendix models have been mapped to the ISO 25010 Maintainability model by SIG experts based on the Mendix model metadata. This allows for benchmarking of Mendix applications against a database of thousands of projects, including open-source initiatives. Mendix QSM also presents a five-star rating of the software quality. For example, a four-star software rating means issues are resolved three times faster, throughput increases seven-fold, and productivity increases almost 11-fold compared to a two-star rating.

"Mendix and SIG have been Original Equipment Manufacturer (OEM) partners since 2016," said Hans de Visser, chief product officer at Mendix. "In the past six years, we have strived to empower our customers with fast software development and best-of-industry governance tooling to build future-proof applications. Security is top of mind for our customers, and the new cybersecurity capabilities in Mendix Quality & Security Management is a logical extension to cater to the increasing security demands and requirements of our customers. Mendix and SIG expanded the OEM partnership to help Mendix customers manage the quality of their applications proactively, ensuring faster issue resolution with higher technical quality of software."

Luc Brandts, group CEO at SIG_,_ said, "With the number of cyber attacks growing every day, it is crucial for organizations worldwide to manage the build quality and security of their IT landscapes in a continuous fashion. We are providing this service as part of our quality assurance commitment to our customers. This new and improved joint security solution offers Mendix clients from bit to boardroom the transparency and continuous security insights they require in order to build business-ready applications with total confidence."

SIG inspects and certifies thousands of software systems per year on technical quality according to ISO/IEC 25010 and will continue to add new scanning tools and rules to QSM as part of its ongoing service.

**Connect with Mendix**

*   Follow @Mendix on Twitter
*   Connect with Mendix on LinkedIn

**About Mendix**

In a digital-first world, customers want their every need anticipated, employees want better tools to do their jobs, and enterprises know that sweeping digital transformation is the key to survival and success. Mendix, the low-code engine of the Siemens Xcelerator platform, is quickly becoming the application development platform of choice to drive the enterprise digital landscape. Mendix's industry-leading low-code platform, dedicated partner network, and extensive marketplace support advanced technology solutions that boost engagement, streamline operations, and relieve IT logjams. Built on the pillars of abstraction, automation, cloud, and collaboration, Mendix dramatically increases developer productivity and engages business technologists to create apps guided by their particular domain expertise. Mendix empowers enterprises to build apps faster than ever; catalyzes meaningful collaboration between IT and business experts; and maintains IT control of the entire application landscape. Consistently recognized as a leader and visionary by leading industry analysts, the platform is cloud-native, open, extensible, agile, and proven. From artificial intelligence and augmented reality to intelligent automation and native mobile, Mendix and Siemens Xcelerator are the backbone of digital-first enterprises. The Mendix low-code platform is used by more than 4,000 companies worldwide, over 200,000 applications have already been realized, and the active community comprises more than 300,000 developers.

**About SIG**

Software Improvement Group (SIG) guides business and technology leaders to drive their organizational objectives by fundamentally improving the health and security of their software applications. SIG offers Sigrid® - the software assurance guiding platform - to partners and enterprise organizations to help them measure, evaluate and improve code quality.SIG has the world's largest software benchmark with more than 75 billion lines of code across more than 300 technologies. The SIG laboratory has been accredited according to ISO/IEC 17025 for software quality analysis. Founded in 2000, SIG is headquartered in Amsterdam with regional offices in New York, Frankfurt, Brussels, and Copenhagen.

More information: www.softwareimprovementgroup.com

Mendix and Software Improvement Group Launch a New Software Application Quality and Security Scanning Solution

Research shows that over 50% of organizations performing software development
struggle with fully integrating security into their software development
lifecycle.

**BOULDER, Colo. , Jan. 19, 2023 /PRNewswire-PRWeb/ --** Enterprise Management  
Associates (EMA(TM)), a leading IT and data management research and consulting  
firm, has released a new research report, "Secure Coding Practices - Growing  
Success or Zero-Day Epidemic?" authored by Christopher M. Steffen, managing  
research director of security and risk management at EMA, and Ken Buckler,  
research analyst covering security and risk management at EMA.

From 2015 to 2021, the number of new vulnerabilities per year in the National  
Vulnerability Database grew from 6,487 to 20,139.\* This increase in  
vulnerabilities may be due to a significant skills gap when it comes to secure  
software development. In 2019, a review of the top 20 computer science schools  
found that out of all the schools listed, only one listed security as an  
undergraduate degree requirement for computer science.\*\* Simply put, software  
developers are not being taught secure coding practices at colleges and  
universities, and with a significant number of organizations failing to invest  
in any secure coding training whatsoever, even some of the most seasoned  
developers in the industry may have little to no awareness of secure coding  
concepts.

EMA surveyed 129 professionals across multiple industry verticals, seeking to  
understand how organizations are tackling the challenge of developing secure  
software applications. The results revealed that over half of organizations  
performing software development struggle with fully integrating security into  
their software development lifecycle (SDLC), and many organizations are failing  
to make critical investments in enhancing the security knowledge of their  
development teams.

Some of the key findings include:

\-- 69.3% of organizations have SDLCs that miss critical security steps.  
This includes 45.3% of organizations that do not have a dedicated  
validation step in their security SDLC, 20% of organizations that do  
not have a dedicated planning step, and 4% that do not have a  
dedicated implementation step.  
\-- 100% of organizations using a combination of code reviews, code  
scanning tools, and third-party training saw improvement in their code  
security.  
\-- Only 75% of organizations not using training saw improvement in their  
code security.  
All too often when it comes to cybersecurity, the human element is the most  
overlooked component of any system. With lowest adoption rates (54%) and highest  
code security improvement rates (100%), third-party training appears to be the  
critical component in which some organizations are failing to invest.

"The human element is the first and last line of defense when it comes to any  
cybersecurity program," said Buckler. "The rapidly growing number of software  
vulnerabilities discovered per year clearly outlines the need for better  
cybersecurity practices from the ground up. This includes developing secure  
applications from the start through investing in improving the secure coding  
practices of the industry's software development workforce."

A detailed analysis of the research findings is available in the report, "Secure  
Coding Practices - Growing Success or Zero-Day Epidemic?"

EMA will reveal highlights from the report during the free February 7th webinar,  
"Secure Coding Practices - Growing Success or Zero-Day Epidemic?"

Security Journey sponsored this independent research report. Security Journey  
offers robust application security education tools to help developers and the  
entire SDLC team recognize and understand vulnerabilities and threats to  
proactively mitigate these risks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Research From EMA Reveals How Organizations Are Struggling to Develop Secure Software Applications

Corsha’s Annual State of API Secrets Management Report finds over 50% of respondents suffered a data breach due to compromised API secrets.

**WASHINGTON, D.C. – January 19, 2023 –** Corsha Inc., a leading API security company, today released new research that paints a picture of cybersecurity professionals who are both frustrated over how much time and attention they must devote to API security and worried that their defenses still remain inadequate. 

The Corsha team recently surveyed more than 400 security and engineering professionals to learn about their API secrets management practices and the challenges they face in thwarting API attacks. Among the key takeaways:

●86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets.

●Over half (53%) of respondents have already experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens.

●72% of respondents use a secrets management solution yet over half (56%) are still concerned about a potential data breach due to their current secrets management practices.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” said Jared Elder, Chief Growth Officer at Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing.  Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.” 

**A Rapidly Changing Threat Landscape**

API usage has exploded over the last several years as companies continue to expand their adoption of could native technologies and API-driven ecosystems such as microservices and serverless architectures, hybrid cloud infrastructures, CI/CD pipelines, and a host of other applications and services that are sending and receiving sensitive information through APIs. According to the Corsha survey, 44% of respondents host their API services across multiple clouds. For many enterprises, this often means disjointed secrets management solutions across disparate environments. 

As a result, Corsha survey respondents spend an inordinate amount of time managing API tokens. 78% reported they manage at least 250 API tokens, keys, or certificates across their networks. Unfortunately, their security strategies for API-based communication cannot keep up with the level of scale and automation that’s possible today.

**Outdated Approaches to a Modern Security Challenge**

All APIs have one thing in common: they connect services to facilitate data transfers. That makes them a favorite target for hackers as the number of APIs that depend on secrets increases, and workflows (e.g., secret provisioning and sharing, secret management, monitoring, control) become more difficult. 

According to the Corsha survey, the top three API secrets management pain points are:

1.  Working with certificate authorities (44%)
2.  Rotating secrets (37%)
3.  Provisioning secrets (36%)

The methods respondents most commonly use to address these pain points are often dated, manual, error-prone, and cumbersome.

While many security teams assign specific entitlements to API keys, tokens, and certificates, the survey discovered that more than 42% do not. That means they’re granting all-or-nothing access to any users bearing these credentials, which although is the path of least resistance in access management, also increases the security risk.

Corsha’s researchers also found that more than 50% of respondents have little-to-no visibility into the machines, devices, or services (i.e., clients) that leverage the API tokens, keys, or certificates that their organizations are provisioning. Limited visibility can lead to secrets that are forgotten, neglected, or left behind, making them prime targets for bad actors to exploit undetected by traditional security tools and best practices.

Another red flag: although 54% of respondents rotate their secrets at least once a month, over 25% admit that they can take as long as a year to rotate secrets.  The long-lived, static nature of these bearer secrets make them prime targets for adversaries, much like the static nature of passwords to online accounts. 

**API Security Best Practices**

The Corsha report also outlines what organizations can do to implement effective secrets management processes, including:

●Integrating a good secrets manager to gain overall visibility into all secrets

●Using mTLS when and where possible

●Always set a short expiry on secrets when possible

●Always sign _and_ verify tokens 

●Don’t store or pass secrets in plaintext

“Today, even the most robust modern secrets management implementation isn’t sufficient to prevent APIs from being exploited, which explains why over half of our survey respondents highlighted the continuing worry of suffering a potential data breach due to their current secrets management practices,” added Scott Hopkins, Chief Operating Officer at Corsha.  “The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight.  Organizations would benefit from a stronger, automated, and highly scalable answer to their API authentication woes that can readily integrate into any environment.  Corsha provides a robust added factor to API authentication to protect an organization’s critical systems and data from savvy and opportunistic bad actors.”

It’s also important for security and development teams to recognize that risk is predominantly shifting from human to machine to machine-to-machine and consider what needs to be done to account for this transformation. 

Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Using a dynamic, blockchain-based machine identity, Corsha has developed a patented way to provide multi-factor authentication (MFA) for APIs, where API access may be pinned to only trusted machines. With Corsha, each API call now requires a fresh, one-time use credential, enabling zero-trust access for an organization's API services.  

To learn more about the Corsha Platform, visit: https://corsha.com/the-platform/.

Follow this link to read and download the Corsha State of API Secrets Management Report. 

**About Corsha**

Corsha fully automates multi-factor authentication (MFA) for APIs to better secure machine-to-machine communication. Our product creates dynamic identities for trusted clients, and adds an automated, one-time use MFA credential to every API call, ensuring only trusted machines are able or leverage keys, tokens or certificates across your applications, services, and infrastructure. Halt and resume access to a machine or group of machines without revoking secrets or impacting other workloads, leaving compromised secrets are rendered useless using Corsha.

API-first ecosystems are driven by the machines that power them. Whether those are Kubernetes pods, containers, virtual machines, physical servers, IoT devices, or other form factors, risk is shifting from human to machine as we automate more and securing communication between machines often becomes an afterthought. Today, API secrets like keys, tokens and certificates are used as a way to broker access between machines, but these static secrets are often shared, rarely rotated and are being leaked in CI pipelines, logs and code repositories at an alarming rate. 

Corsha is taking all the goodness of MFA and using the same principals like one time use credentials to secure APIs. This provides teams security, visibility and control into the machines that are accessing your APIs and the ability to revoke API access at the drop of a hat. For more information, visit: https://corsha.com/.

Source

DARKReading