**BE'ER SHEVA, Israel, Feb. 23, 2023 /PRNewswire/ --** Rezilion announced today the release of the company's new research, "Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers," uncovering the presence of hundreds of docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA known exploited vulnerabilities catalog, including CVE-2021\-42013, CVE-2021\-41773, CVE-2019\-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment for leading open-source and commercial vulnerability scanners and SCA tools. The vulnerability scanner benchmark survey discovered the most common causes for scanner misidentifications, including false positive and negative results.

The new research dives deeper into one of the root causes identified in the assessment - inability to detect software components not managed by package managers. The study explains how the inherent method of operation of standard vulnerability scanners and SCA tools relies on acquiring data from package managers to know what packages exist in the scanned environment, making them susceptible to missing vulnerable software packages in multiple common scenarios in which software is deployed in ways that circumvent these package managers. This research shows precisely how wide this gap is and its impact on organizations using third-party software. The report provides numerous real-world examples of some of the most popular docker container images that contain dozens of such hidden vulnerabilities. The report also offers recommendations on minimizing the risk presented in the research.

According to the report, package managers circumventing deployment methods are extremely common in Docker containers. The research team has identified over 100,000 container images that deploy code in a way that bypasses the package managers, including most of DockerHub's official container images. These containers either already contain hidden vulnerabilities or are prone to have hidden vulnerabilities if a vulnerability in one of these components is identified.

The report identifies four different scenarios in which software is deployed without interaction with package managers, such as the application itself, runtimes required for the operation of the application, dependencies as are necessary for the application to work, and dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build process and shows how hidden vulnerabilities can find their way to the container images.

"We hope this research will educate developers and security practitioners of the existence of this gap so that they will be able to take appropriate actions to minimize the risk as well as push vendors and open-source projects to add support for these types of scenarios," said Yotam Perkal, Director, Vulnerability Research at Rezilion. "It's important to note that as long as vulnerability scanners and SCA tools fail to accommodate for these situations, any container image that installs packages or executables in this manner may eventually contain 'hidden' vulnerabilities if any of these components become vulnerable."

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii

**About Rezilion:**

Rezilion's software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components on any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.

Learn more about Rezilion's platform at www.rezilion.com and get a 30-day free trial.

Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images

(ISC)2 members and cybersecurity professionals worldwide are encouraged to share their expertise, best practices and experiences with their peers and career hopefuls.

**ALEXANDRIA, Va.****,** **Feb. 23, 2023** **/PRNewswire/ --** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today opened the Call for Presentations for the 13th annual (ISC)² Security Congress 2023. The conference will bring together thousands of cybersecurity leaders for several days of professional development, networking and exploration of the latest cybersecurity best practices at The Gaylord Opryland Resort in Nashville, Tenn., Oct. 25-27. The Call for Presentations is open now and closes on March 23 at 11:59 PST.

"Professional development helps employees advance their skills; this is a critical piece for cybersecurity professionals on their career journey. One of the most exciting and valuable aspects of Security Congress is the spirit of community and helping one another learn and grow as professionals," said Clar Rosso, CEO, (ISC)². "We are looking for speaking proposals that not only encourage thought-provoking discussions around key cybersecurity issues and trends but will provide cybersecurity professionals with practical advice and takeaways to better defend against tomorrow's threats."

Speaking proposals should address industry-specific topics and issues and provide inclusive, unique, and diverse perspectives and experiences that are relatable to a global cybersecurity audience. Successful submissions will align with one of the following domains: 

*   Governance, Risk and Compliance (GRC)
*   Cyber Leadership 
*   Cloud Security
*   Security Operations
*   Software Security
*   Network Security
*   Emerging Technologies

Speakers selected to present will receive a complimentary All Access pass, as well as a VIP Speakers-only reception, CPE credits and more. 

For more information about the speaking requirements, please visit the 2023 (ISC)² Security Congress Call for Presentations Portal.

**About (ISC)²**

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, nearly 330,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

SOURCE (ISC)2

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

(ISC)² Opens Security Congress 2023 Call for Presentations

CloudNativeSecurityCon North America 2023 was a vendor-neutral cloud-native security conference. Here's why it was important.

Cloud-native technology is growing in importance, and the Cloud Native Computing Foundation (CNCF), part of the Linux Foundation, is a key organization driving collaboration on cloud security throughout the industry.

That collaboration includes events such as KubeCon Americas and Europe, which often feature cloud-native security as a key topic, but seeing the importance of cloud native security, CNCF took the next step and created a separate event.

CloudNativeSecurityCon North America 2023 (CNSC) recently took place in Seattle, and served as the first vendor-neutral, practitioner-driven conference focused exclusively on cloud-native security. The event featured over 800 attendees and 50 sponsors. It had 70-plus sessions for all security levels of technologists.

**Security Is People-Powered; Industry Collaboration Is a Solution**

Security remains a pressing issue for the cloud-native and open source community, said Priyanka Sharma, Executive Director, CNCF. During her keynote, she said there are 7.1 million-plus cloud-native developers according to Slash Data.

She emphasized that the industry needs "a paradigm shift to level up our performance," as cloud usage will continue to grow, and so will the threats related to it.

Though the organizations are doing their part to secure their cloud environments, Sharma indicated that top-down approach may not be the best way, instead having a more bottom-up approach from the community, pointing to software security vendor Snyk's "2022 State of Cloud Security Report," which showed 77% of organizations saw poor training and collaboration as a major cloud security challenge.

    

Source: CNSC

Having siloed teams working in different countries, using different tools, and counting on unmonitored policies are common security challenges in many enterprise security scenarios, but when they involve the cloud, it multiplies difficulties to the security environment further. Hence, Sharma stated, "Security is people-powered," and having industry-level collaboration from all the stakeholders along with a shared asset directory will improve cloud security across the industry. Even after all the talks about innovation and right approach done in the cloud-native space, a skill shortage is something the industry is still facing. CNCF announced Kubernetes and Cloud Associate (KCSA) certification, to address the biggest challenge of lack of technical expertise in cloud-native environment.

CNCF organizes itself with Technical Advisory Groups (TAGs) for different focus areas, and it is looking to a Security TAG to help organizations with facilitating the security for projects across the cloud-native ecosystem. It's a 165-member team that supports CNCF projects through education, partnership, and project engagement. This group will help with security features for any CNCF projects; any incubating project within the organization must now go through a security audit by the Security TAG. The Sigstore project that was adopted by Kubernetes was an example of such open, multivendor collaboration.

**Key Conference Topics**

Themes that popped up during the event — including SBOM, runtime security, infrastructure as-a-code security, code to secure policies and authentication, and ChatGPT — indicated that the adoption of cloud-native applications will continue to grow, and the industry must prioritize security for these applications. The thought of having an open source security tool for securing open source code makes sense. Today, CNCF has 21 security-related open-source projects: Open Policy Agent (OPA) and Update Framework TUF have graduated with five other incubating projects, and the rest are in the sandbox stage.

**Software Supply Chain Security**

    

Source: CNSC

Many sessions at the conference were focused on understanding what the software supply chain means and why securing it remains important.

A talk by a Yahoo representative highlighted how 85% to 97% of enterprise code uses open source components, and any vulnerabilities in these may pose security threats. That issue underscores the importance of having security ingrained at every stage of the software development life cycle (SDLC), from application development to CI/CD pipeline down to production.

Code dependencies have become one of the most common reasons leading to supply chain attacks. According to a recent report on software supply chain security, supply chain attacks have grown 742% year-over-year in the past three years. Therefore, a DevSecOps approach is important to ensure the DevOps workflow is maintained by making security seamless. It means having security as an intrinsic part of application development, integration, and operation in DevOps-centric environments.

**"Shift Right" Is as Important as "Shift Left"**

Deployment of applications in the cloud has been a fast-track initiative for many enterprises, often in support of digital transformation initiatives, but many of the same security challenges, such as software vulnerabilities, managing configuration and permission, compliance, and detecting and responding to threats, plaguing traditional applications also hamper cloud application security.

From the cloud-native point of view, two trends are most visible. The first is the way in which "shift left" corresponds to the usage of CI/CD security, having centralized responsibilities and dependencies that can be monitored. It points to moving security toward an earlier stage in the software development life cycle, namely that security is built in from the time the source code is created.

But the second trend is "shift right," which is gaining equal importance in understanding what is going on in the runtime environment as the workload deployed on microservices and orchestrated by Kubernetes. The Falco project with CNCF (originally started by Sysdig), which is based on eBPF technology, seeks to help organizations understand what every process is doing in its containers and hosts. It is like a security camera for the cloud environment.

**Software Bill of Materials**

Log4j was a top of mind during the show, highlighting how it disrupted the operations of many organizations in so many different ways.

Similar high-profile attacks on the supply chain were the reason for the US federal government to issue an executive order to create guidelines for securing software solutions used for the government. The change of approach to building software using third-party dependencies makes having full transparency in the application important.

So, the approach of maintaining a software bill of materials (SBOM) that will offer a listing all components, modules, and libraries used in the application and also drawing the relationship between supply chain components is becoming increasingly important.

One interesting exchange during the conference tackled how to handle metadata that will be collected over time by each software element. In a panel, a Google representative mentioned its new product, Graph for Understanding Artifact Composition (GUAC), which functions like an aggregator for this metadata in a high-fidelity graph database.

**Sponsor Landscape**

    

Source: Omdia

CNSC was a relatively small-scale conference, but its sponsors represented vendors distributed across the industry. Approximately 55% were security vendors, 18% technology vendors offering some security, 12% were technology vendors that use in-house security product but do not sell the security product as a stand-alone offering, and 15% non-security vendors.

**A Strong Start**

The first-ever CNSC was a strong start for the cloud-native community to create a place to gather each year for a focused look at security challenges and opportunities in cloud-native environments.

CNCF is doing a great job getting different types of vendors together and supporting cloud-native security projects. This is exposing developers to security concerns. On the contrary, traditional security teams also must learn to work better with developers and ensure security approaches align with development priorities and business objectives.

This is just a first step toward solving the problems related to cloud-native security. There is more collaboration with people and process to be done in future.

Top Takeaways From CloudNativeSecurityCon 2023

Sharing attestations on software supply chain data that are formed into a policy will give us a framework to interpret risk and develop compliance directives.

Companies are facing two major truths this year: More cybersecurity regulation and fewer resources.

For the former, it's about time. Cybersecurity needs baseline requirements and government regulations can be a useful forcing function. It's encouraging to see a renewed focus on areas that need real attention, especially software supply chain security. Considering the latter, it means companies are facing a steep climb ahead to implement these new regulations in a year of economic uncertainty. Nonetheless, regulations are here, more regulations are coming, and companies need to adapt.

In a recent article, I discussed a few issues with the software bill of materials (SBOM) format as a standard, which includes:

*   Requirements vs. optional fields

*   Complete lack of provenance consideration

But this year, the biggest hurdle will be adoption.

**The Software Vendor Adoption Problem**

ACMECorp is an example of a company that produces software products. We'll refer to one of its products as "Anvil" and its customers as "Clients."

Clients want ACMECorp to release its SBOMs for Anvil so Clients can understand if they're affected by software supply chain issues, vulnerabilities, or license risks. Clients also want to be able to understand quickly if they're affected as new issues arise.

Regulatory bodies want to require ACMECorp to release SBOMs so Clients can be better informed. ACMECorp may very well _want_ to provide this information to Clients as well, but this is a massive undertaking.

For all software products, ACMECorp will now need to:

1.  Identify all software components used as dependencies. This is at minimum dozens and at most tens of thousands of individual software components.
2.  Identify all the _potential_ security issues. This includes a security audit of a product and all of its dependencies.
3.  Investigate each potential security issue and determine ACMECorp's response, which will range somewhere between "we have to fix this now" and "not applicable." The resulting analysis from the software security team charged with performing this work will inevitably meander through teams of lawyers to determine exposure and risk. This is crucial, because ACMECorp will need this information to:
4.  Stand up a new department to handle the barrage of inevitable questions and challenges from Clients to the responses developed.
5.  Release SBOMs to Clients with as little detail as possible to protect intellectual property and limit exposure.
6.  Do the entire process again for every version that is released, in perpetuity, and keep historical records.

It's a heavy lift, but ACMECorp will need to have a version of the above (or at least a start to it) that it expects Clients to accept.

**The Client Adoption Problem**

Clients that wish to consume Anvil's SBOM (and hundreds or thousands of other SBOMs) now have a huge additional workload to adopt any technology.

Companies already have a vulnerability management problem, and this will multiply the burden. As SBOM is a self-reporting mechanism, Clients will not be inclined to simply rely on an SBOM as an authoritative source of truth. Instead, they will require their already overburdened application, product security, and legal teams to find ways to validate ACMECorp's SBOMs after each release.

**Let's Aim for the Better**

I'm bullish on the goals of SBOMs. We must have a complete, up-to-date inventory of components used in a software product. We must understand the implications of security events and issues and how they affect companies, governments, and users. My hope is that we can work together to build a far better process than we have with the current iteration of SBOM.

First, we must release ourselves from the idea that simply sharing data from vendor to customer will solve the challenges SBOM hopes to address. As I outlined above, it is guaranteed only to make additional work. Instead, we should think about how we can share _attestations_ on software supply chain data.

Vendors want to show customers their products' security posture is well-defended. Customers want to have assurance that the security posture of third-party products and services aligns with their threat model and risk tolerance. These goals are achieved by interpreting the software supply chain data and answering questions relevant to the goals. The context around the data is key to these outcomes.

A huge amount of the security goals vendors and customers hope to answer can be codified, then constructed into policies that can be agreed upon by vendor-to-consumer relationships. The tests or attestations for these policies can be open source, with collaboration from both the security and development industries. This will allow open understanding of the value of the attestations, and their weaknesses that can be improved upon. It can give us a shared framework to interpret software supply chain risk.

Groups of attestations in the form of a policy can be quickly tested as vendors develop software to plan for the end-state requirements. Customers can use this to rapidly understand the software supply chain risk of a vendor's product. That might mean opting for an on-premises version hosted in a controlled environment, or contract requirements to better meet the needs of the customer, but it gives vendors and customers a common taxonomy to better align with each other.

Attestations and policies allow us to effectively build compliance directives in a way that vendors can manage through the product and software development life cycle. Changes to attestations can be scheduled and road-mapped without piles of meetings to coordinate individual issues. These compliance directives can be rapidly evaluated to understand regulatory impact, which we know to be on the horizon anyway. These attestations can extend to show transparency and provenance of the vendor data provided as input. Overall, this gives us the required common ground to build trust.

Finally, an enormous part of this process can be automated. We can much more effectively focus the time of our security and development teams where it's needed, instead of preparing and consuming a never-ending stream of SBOM data dumps.

Cheers to the year of the SBOM. We're all in this together.

This Will Be the Year of the SBOM, for Better or for Worse

A combined team of UL Solutions safety science experts will address automotive cybersecurity, functional safety, automated driving and software development processes to help customers bring safer, more secure innovations to market.

**NORTHBROOK, Ill., Feb. 22, 2023 /PRNewswire/ --** UL Solutions, a global leader in applied safety science, today announced that it is leveraging its collective expertise to drive innovation in automotive safety by combining members of its functional safety and cybersecurity teams to enable a more holistic approach to testing, inspection and certification for automotive safety. This new interdisciplinary team provides a well-rounded approach to addressing advanced mobility technologies.

As safety, security and quality are highly interrelated and a vital part of the automotive industry, original equipment manufacturers (OEM) and automotive component and system suppliers are increasingly looking for a sole provider with holistic solutions that support multiple standards, regulations and other technical requirements.

"Our newly combined team provides OEMs and suppliers with end-to-end thinking to address evolving challenges in cybersecurity, functional safety, automated driving and Automotive Software Process Improvement Capability Determination, or Automotive SPICE," said Jody Nelson, managing director of functional safety and cybersecurity in the Identity Management and Security group at UL Solutions. "This broad expertise proves critical when developing control systems for safety-related applications as vehicles become more interconnected with numerous external devices, networks and systems."

In a future where most vehicles are fully electric, dependency shifts from gas stations and fossil fuels to charging stations and electricity. The resiliency of electric vehicle charging systems and the electric power grid becomes increasingly essential for transportation amid the rising popularity of electric vehicles (EV) and the potential for cyberattacks. Combining automotive cybersecurity and functional safety expertise better prepares UL Solutions to address these emerging challenges in electrification.

The team's integrated expertise also helps automotive OEMs and suppliers to navigate new and evolving requirements from the U.S. Federal Motor Vehicle Safety Standards (FMVSS), China Compulsory Certification (CCC), United Nations (UN) Economic Commission for Europe (ECE), and other applicable standards and regulations for new mobility technologies, including:

*   The Cyber Resilience Act
*   The Radio Equipment Directive (RED)
*   ISO/SAE 21434, Road vehicles – Cybersecurity engineering
*   ISO 24089, Road vehicles – Software update engineering
*   UN Regulation No. 155 – Cyber security and cyber security management system
*   UN Regulation No. 156 – Software update and software update management system
*   ISA/IEC 62443, Security for Industrial Automation and Control Systems
*   ETSI EN 303 645, Cybersecurity Standard for Consumer IoT Devices

Launching this team further builds on UL Solutions' commitment to the automotive industry. The company recently took another significant step to help advance automotive safety and better serve OEMs and suppliers by acquiring Kugler Maag Cie, a German-based provider of process excellence, assessment and training solutions supporting the automotive industry. With this acquisition, UL Solutions enhances its services to provide customers with testing and certification of automotive processes and safety-critical system services.

**About UL** **Solutions**  
A global leader in applied safety science, UL Solutions transforms safety, security and sustainability challenges into opportunities for customers in more than 100 countries. UL Solutions delivers testing, inspection and certification services, together with software products and advisory offerings, that support our customers' product innovation and business growth. The UL Certification Marks serve as a recognized symbol of trust in our customers' products and reflect an unwavering commitment to advancing our safety mission. We help our customers innovate, launch new products and services, navigate global markets and complex supply chains, and grow sustainably and responsibly into the future. Our science is your advantage.

UL Solutions Advances Automotive Safety and Security

Hackers will take anything newsworthy and turn it against you, including the world's most advanced AI-enabled chatbot.

Scammers are capitalizing on the runaway popularity of and interest in ChatGPT, the natural language processing AI — impersonating it in order to infect victims with a Trojan malware called Fobo, in order to steal login credentials for business accounts.

ChatGPT is the world's most advanced chatbot, published by developers OpenAI back in November. It’s been a resounding success: It's regularly overloaded with users demanding that it write marketing copy, or poems, or answer questions about philosophy. (In fact, OpenAI has developed a $20-per-month subscription plan for users who want to bypass these slowdowns.) And a meme has been making the Internet rounds recently, about how long it took the world's biggest apps to reach 1 million users. Netflix, for example, took 3.5 years. Facebook, 10 months. Spotify, five months. ChatGPT? Five days.

In the same way they do any big news item — COVID-19, the Ukraine war, take your pick — hackers have twisted the popularity of ChatGPT into phishing bait. And now, according to a blog post from Kaspersky, a fresh campaign is utilizing social media impersonation to lead unsuspecting victims to a fake ChatGPT landing page, where "signing up" means downloading an info-stealing Trojan called Fobo. The Trojan seeks out business account credentials, which could be used for follow-on attacks of a greater scale.

According to the report, this blatant scam has already spread to Africa, the Americas, Asia, and Europe.

**Faking ChatGPT to Hack Business Accounts**

The researchers at Kaspersky have observed grifters running social media accounts that either impersonate the OpenAI/ChatGPT brand directly or pretend to be communities for fans of the program.

Sometimes, the accounts post neutral content relating to ChatGPT, with a malicious link at the bottom. Other times, according to the blog post, they post "fake credentials for the pre-created accounts that are said to provide access to ChatGPT. To motivate potential users even further, the attackers say that each account already has US $50 on its balance, which can be spent on using the chatbot."

The real program has an entirely optional subscription plan but is otherwise free to use for the general public.

Unwitting social media users who follow the malicious links in these posts land on a ChatGPT homepage, which is like for like with the real thing in almost every way.

A convincing fake ChatGPT. Source: Kaspersky

Clicking the "download" button — suspicious in itself, as ChatGPT has no desktop client — triggers the installation of an executable file.

"If this archive is unpacked and the executable file run," according to Kaspersky researchers, "then, depending on the version of Windows, the user sees either a message saying installation failed for some reason, or no message at all — at which point the process seems to end."

Behind the scenes, however, a Trojan horse has been unleashed. The Trojan looks for login credentials for apps like Google, Facebook, and TikTok, stored in the victim's browser. But in particular, Kaspersky explained, it's looking for usernames and passwords for business accounts.

With employee usernames and passwords, the attackers could possibly perform more significant follow-on attacks against enterprises.

"On finding a business account in one of these services," the researchers explained, "it tries to get additional information, such as how much money was spent on advertising from the account and what its current balance is."

**How to Avoid ChatGPT Scams**

That the perpetrators of this campaign chose ChatGPT as their vehicle is no coincidence. Among its many more frivolous uses, the chatbot has proven popular in business settings. Employees are using it to write emails, copy, and marketing materials faster, support interviews and research projects, and much more.

To avoid engaging with a malicious fake, though, Kaspersky recommended avoiding "offers" like those from this story, utilizing security software, and not clicking on links — better to go through a search engine or type the URL straight into your browser.

As of this writing, Kaspersky has not responded to a direct request for comment by Dark Reading. So, in substitute, we asked the ChatGPT bot to provide insight on the matter. It had this to say:

_"In conclusion, the rise of hackers impersonating ChatGPT to steal login credentials is a serious threat that should not be underestimated. The implications of such attacks are far-reaching and potentially devastating for individuals, organizations, and even entire industries. As technology continues to evolve, we can expect these types of attacks to become more sophisticated and difficult to detect. It is, therefore, imperative that individuals and organizations take proactive measures to protect themselves, such as regularly changing passwords, enabling two-factor authentication, and staying vigilant for signs of phishing attacks. Only by working together and taking these steps can we hope to mitigate the risks posed by hackers impersonating ChatGPT and other forms of cybercrime in the future."_

Scammers Mimic ChatGPT to Steal Business Credentials

Open source software dependencies are affecting the software security of different industries in different ways, with mature industries becoming more selective in their open source usage.

The proportion of open source codebases with vulnerabilities has continued to remain level over the past two years, but the number of applications with high-risk vulnerabilities has dropped to its lowest level in four years.

That's according to the "2023 Open Source Security and Risk Analysis" (OSSRA) report, published by Synopsys on Feb. 22. The annual study, based on audits of more than 1,700 applications, found that almost every software program (96%) included some kind of open source software component, with the average codebase consisting of 76% open source code. While the number of codebases with at least one vulnerability remained mostly stable over the past three years at slightly more than 80% — 84% in 2022 — the number of applications with high-risk vulnerabilities has dropped to about half (48%) of all applications tested, from a peak of about 60% in 2020.

Overall, the data shows some bright spots in the struggle against vulnerable dependencies, of which the average application has 595, but there's no broad trend toward greater application security, says Mike McGuire, a senior software solutions manager at Synopsys Software Integrity Group.

"Organizations are struggling to keep up with the scale of open source usage," he says. "If you take those almost 600 components per application on average, and multiply that by the number of vulnerabilities that are disclosed on an annual basis, then you can really, really start to drown in the work."

    

Overall open source usage remained mostly level, as did overall vulnerable codebases. Source: Synopsys

Open source components, and the dependencies on which popular application frameworks rely, continue to pose security problems for software makers and application developers. The ubiquity of some components — such as Log4j in the Java ecosystem — continues to cause security issues for many applications based on open source frameworks.

**Outdated Dependencies Are Common**

Applications that include a lot of components — and by extension, those components' dependencies — can have deep dependency trees that make it hard to find every vulnerability. Nearly all applications (91%), for example, included at least one open source component that has no development in the past two years, a likely sign that the project is no longer being maintained and, therefore, represents a security risk.

Nearly one in eight applications also had more than 10 different versions of a specific codebase, with each likely imported from a different component and that component's dependencies.

Failing to eliminate those older codebases represents a risk, Synopsys stated in the OSSRA report.

"Open source was in nearly everything we examined this year; it made up the majority of the codebases across industries, and it contained troublingly high numbers of known vulnerabilities that organizations had failed to patch, leaving them vulnerable to exploit," the report stated. "It is crucial to understand that while open source itself does not pose any inherent level of risk, failing to manage it does."

Whether more dependencies means more vulnerabilities is still a relationship under investigation. JavaScript frameworks, for example, tend to have the greatest number of dependencies, but JavaScript applications tend to be less vulnerable than Java and .NET applications, according to a report released by software-security firm Veracode in January.

**Don't Fall Behind With Open Source Dependencies**

The impact of open source code on security varies by industry, according to the OSSRA report. Some industries have increased their open source usage, while others have consolidated their portfolio. Depending on their level of maturity, the impact on security can be different.

Education technology companies, for example, have adopted open source components to drive new features and applications required by schools during the push for online teaching during the pandemic. In that industry, open source software accounted for more than 80% of codebases in 2022, up from about a third in 2018. Other sectors also saw dramatic, if not so stark, increases in usage. The aerospace, aviation, automotive, transportation, and logistics sector, for example, also nearly doubled its usage of open source components over five years.

The significant increase in adoption has led to many companies losing visibility into what is making up their software and what needs patching, McGuire says.

"More organizations are using more open source components, but they just don't have the programs in place to track those \[patches\] down," he says. "Once you get underwater with those updates — it's just like any other technical debt or debt in general, right? — it's really tough to claw your way back."

Other industries have reduced their usage of open source software, likely by consolidating on fewer projects as dependencies, according to the report. Both the Internet and software infrastructure sector, and the telecommunications and wireless sector, have reduced the contribution of open source software to their codebases to under 60%. Both industries also saw fewer high-severity vulnerabilities.

Half of Apps Have High-Risk Vulnerabilities Due to Open Source

The platform uses no-code policy workflows to automate the provisioning and revoking of permissions.

To keep businesses running smoothly in a multicloud environment, people and applications both need a web of permissions to access all the tools required to complete their tasks. Getting the balance right, however, is a perennial challenge at which most companies fail. A startup named Entitle aims to change that.

The company is debuting a permissioning system that the company says spreads decision-making responsibility beyond the IT department, to the business unit leaders who actually know who the users are and what they need in the way of permissions.

The fundamental problem has been around for years. In 2021, CloudKnox revealed that nearly all of the identities on the major cloud platforms (90% to 95%, depending on platform) used no more than 5% of the permissions granted. And a 2022 year-end wrap-up from Permiso showed that the average user and role still only uses 5.3% of their permissions. 

The more lax the permission situation, the more likely it is that a bad actor will leverage their way into the network via an insecure account that has more access than it needs.

Entitle works to remedy that risk by issuing just-in-time permissions that can be revoked after a certain period or when a task has been completed. It also makes it easy to grant, change, and revoke permissions in bulk for people — employees or third parties — who are joining, leaving, or changing jobs, with what the startup calls "one-click on/offboarding." An access review panel collects the details of all permissions each human or machine identity has for overview, auditing, and compliance purposes.

    

Entitle's Workflows function. Source: Entitle

Perhaps the most unusual aspect of the Entitle platform is its Workflows function, shown above, which is where a company can set rules to automatically approve permissions requests or send them to the proper role (for instance, direct manager or app admin) for approval. That should cut down on manual work and improve the ability of programs and people to get emergency access in order to reduce bottlenecks — a serious consideration when balancing productivity and security.

Of course, Entitle is not the first or only company to embrace the principle of least privilege. Authomize, for example, launched in 2020 with its own version of automated permissioning, and Delinea created a way for users to execute a privileged action without having to expand their role. But considering the security and business risks posed by access creep, ensuring that every user gets only the access they need is an important function.

Entitle Brings Fine-Grained Cloud Permissions Management Out of Stealth

Thanks to burnout and stress, Gartner predicts churn and even departure from profession among half of today's security leaders by 2025.

Enterprises can expect to see some pretty dramatic churn in their cybersecurity departments in the next two years if they're not proactive about countering security burnout. A prediction out today by Gartner estimates that almost half of cybersecurity leaders will change jobs by 2025. More startling, the analyst firm predicts that one in four leaders will exit the security stage completely.

According to Deepti Gopal, director analyst for Gartner, cybersecurity professionals are generally facing "unsustainable levels of stress." For CISOs and other security managers, the mental and emotional fallout from occupying the scapegoat role is not only spurring many them to look outside of their current jobs or their professions, it's also impacting their effectiveness when they stay.

"CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do," Gopal says. "The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams."

**Negative Unemployment & Burnout Persist in Cybersecurity**

For a long time now, the need for cybersecurity expertise has gone unfilled across the entire industry. Per last year's (ISC)2 estimates, by 2025 there will be a shortfall of 3.5 million cybersecurity experts. Even as other jobs in the tech industry begin to evaporate in the face of tech sector layoffs, cybersecurity appears to be immune to this. A report earlier this month from (ISC)2 showed that only 10% of corporate executives expect to lay off members of their cybersecurity teams this year.

However, these seemingly positive numbers about job security in the cybersecurity world could actually be a red flag for what's currently ailing the profession. That is, burnout and job dissatisfaction are making it tough to recruit and retain talent. A different survey out this week from Magnet Forensics shows this phenomenon within the rank-and-file population of security analysts and investigators: More that half of these security pros reported feeling burned out in their jobs.

Often, the discussion of cybersecurity burnout revolves around topics like alert fatigue and workload imbalances, particularly among security operations center (SOC) workers. For example, the Magnet report showed that 64% of those workers cited alert fatigue as playing a role in their burnout. However, the news that one in four CISOs will leave their profession altogether hints at even deeper issues.

**The Trouble With CISO Satisfaction**

CISOs aren't necessarily running down alerts constantly the way their employees are, but they're overloaded with other career fatigue factors.

"CISOs are constantly trying to balance high expectations against an absence of the tools needed to meet those expectations," Gartner analysts wrote in the prediction piece. "Compliance-centric cybersecurity programs, significantly low executive support, and subpar industry-level maturity are all indicators of an organization that does not view security risk management as critical to business success."

One of the big factors that could have CISOs reconsidering their career trajectory in cybersecurity altogether is the fear about what will happen to their professional reputation if their company gets breached, says Diana Kelley, a veteran cybersecurity executive and co-founder and CSO of Cybrize, a cybersecurity workforce planning platform. She says CISOs and CSOs worry about "having their name dragged through the mud" after a breach, or even facing criminal charges, which feels more possible in the fallout from the conviction of Uber's Joe Sullivan last year.

"I'm also curious if downward pressure on the level of the CISO and the salary are having an impact," Kelley muses. "CISOs have long been talking about getting to the C-suite and reporting to the CEO, but I've heard more CISOs complain about getting pushed down a level and far fewer celebrating leveling up to true C-suite."

While some media outlets have lauded compensation packages for CISOs that are crossing the $1 million mark, the truth is that most are much lower, Kelley says.

"If you aspired to be a CISO for the $1 million payday and now are in a role where you're under extreme pressure, getting up at 3 a.m. on Saturday to deal with breaches, and being paid $234,000 — while your buddy who's doing DevOps is making $250,000 and sleeping all weekend — you might just say, 'to heck with cyber!'"

1 in 4 CISOs Wants to Say Sayonara to Security

A DoD email server hosted in the cloud (and now secured) had no password protection in place for at least two weeks.

A US Department of Defense email server hosted on Microsoft Azure's government cloud service reportedly was found wide open to the public Internet for a period of about two weeks before it was properly secured.

According to a report on TechCrunch, a security researcher spotted the email server containing internal US military messages, some with sensitive personal information, including an SF-86 questionnaire that federal workers fill out as part of their security clearance process. It was one of a group of email servers in the US Special Operations Command (USSCOM) but likely on the civilian side, the report said.

The email server appeared to have been misconfigured and was running without password protection. Once TechCrunch alerted USSCOM, the agency fixed the issue. "\[W\]hat we can confirm at this point is no one hacked US Special Operations Command's information systems," a USSCOM spokesperson told TechCrunch.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading