When we think about cybercrime and retail it is natural to focus on websites being targeted with attacks. Indeed, there has been a shocking rise in the number of cyberattacks perpetrated against online retailers in the past year. Dakota Murphey explains why store owners and security managers need to also protect their physical locations from the cyber threat, too, however.

_This article was written by Dakota Murphey._

Figures from SonicWall's Biannual Report revealed that e-commerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers' minds.

However, for those retailers that have a physical store as well as an online presence, there might be an assumption that the cybersecurity in-store doesn't need to be considered as a top priority. Well, doing so could be a big mistake.

In this article, we take a look at why retail stores are more vulnerable to cybercrime than ever before.  

**Security Is Weaker**

There can be no doubt that one of the major issues around security in-store is the issue of complacency. It is assumed that physical stores themselves are unlikely to be targeted by cybercriminals — surely it is more likely that they will put their resources into using hacking or phishing? 

In reality, cybercriminals are always looking for ways to maximize their time — they want quick wins. Increasingly, as retail stores are less well protected they are being seen as an easy way into the computer system of a company. Perhaps the lesson that needs to be learned here is that you should never assume that you won't or can't be attacked.

Cybercriminals are far more sophisticated than they've ever been. If there are gaps in security, they can identify and tap into them. Retailers, for instance, need to balance consumers' privacy and data protection with their own tight security measures that protect their internal IT systems and physical stores. Failure to install security effectively and comply can result in firms facing fines for breaches in privacy laws under stringent CCTV regulations and GDPR guidelines.

**Stores and Websites Are Intrinsically Linked**

You might think that there is a divide inside your business: your physical store and your online store. However, it is generally the case that your physical premises are linked to your digital system just as much as an office might be. Do you log in to your system at work? Do you track customers' details using an IT system? 

For the majority of businesses, the physical store is actually just as dependent on your IT system as the site online. This presents a potential problem. If your physical retail store can potentially allow access to your whole IT system, cybercriminals can use nefarious methods in your physical premises. 

**The Rise of the Internet of Things**

Physical stores are increasingly reliant on Internet of Things devices — that being any device that is connected to the Internet. This might include stock checkers, smart shelves, predictive maintenance equipment and much more. 

Physical security devices such as CCTV, video surveillance, and alarm systems are often connected to the Internet and can also be a vulnerability for targeted cyberattacks. The wider use of video surveillance technology and other types of physical devices extends to more than pure crime detection. They have intelligent capabilities that can be applied to monitor crowds, secure physical sites, and support building management platforms. 

Although such integrated systems do a good job in providing smart data to support security firms and facilities managers managing retail sites, any data, files and surveillance videos can be vulnerable to cyberattacks. 

Whether stored or managed on cloud-based applications or as on-premise solutions, such physical security devices that protect retail stores also open up another potential entry point to your IT system that criminals can exploit. And, if CCTV, video surveillance and alarm systems are not managed properly, they can be a major problem.

**The Invasion of Shadow IT**

Shadow IT is the use of any kind of software or applications that aren't approved by the IT team. This is becoming a big problem, especially in stores where staff make use of personal devices as a part of their role. 

"The popularity of shadow IT is partly due to its perceived benefits," says George Glass, head of threat intelligence at cybersecurity specialists Redscan, "these include the ability to take initiative in setting up and using technology and the freedom to adopt systems and software more quickly in order to reduce workload. However, these apparent benefits come at a significant cost."

The issue arises when this shadow IT is not checked for vulnerabilities or is not kept up to date because it is not known by the IT team. These vulnerabilities and flaws can present a potential opening for cybercriminals. 

**Prioritizing Speed of Service Over Security**

It is naturally the case that many businesses in retail want to prioritise fast and effective customer service. Unfortunately, this can ultimately result in good security practices being overlooked in favour of getting on with tasks. For example, if a customer comes in requesting a password reset on their account, there may be some pressure to simply go ahead with this rather than following the correct procedure. 

Retail stores need to understand the interconnected nature of cybercriminals and in-person crime. With the rise in cashless retail and a surge in online sales (that has witnessed an unprecedented rise in recent years), retailers' IT security has had to keep in step and reposition itself with the evolution of consumers' buying habits. This increased awareness, however, has been reinforced by the UK Government's measures to support security technology within the retail industry. 

While retail stores are more vulnerable than ever to cybercrime, there is much that businesses can do to mitigate risk. Perhaps the most important factor is providing staff training to ensure that everyone understands their role in preventing cybercrime. 

_Dakota Murphey_ _is a freelance tech writer._

_**This story first appeared on**_ _**IFSEC Global**__**, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.**_

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime

When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

Open source software is deeply embedded in enterprises today: from the Linux kernel to data center infrastructure, and from databases to application servers and front ends. The importance of securing the supply chain has become front and center in the industry, with the US government's involvement and the formation of industry bodies such as OpenSSF to work on solutions.

We know that we must secure the open source software we use — it's also important that open source be an integral part of the solutions that we create. Proprietary solutions alone are not enough to counter the threat to the ever-expanding areas of vulnerability. To properly secure our software dependencies in depth, solutions must interoperate tightly with key open source infrastructure such as the Linux kernel and Kubernetes.

Through our experience with creating the Falco runtime threat detection tool, and contributing it as open source to the Cloud Native Computing Foundation (CNCF), we've learned valuable lessons about how important it is to provide open source solutions for security.

**1\. Collaborative development goes broad and deep.**

Security is a never-ending battle against expanding attacks and attack surfaces. Through collaboration, we are able to bring together more expertise, apply more scrutiny, and cover a broader range of use cases than through proprietary development. Nobody can be an expert on everything, but many people can come together to contribute their singular deep expertise into an open source project.

While Falco's core competency specializes in monitoring Linux syscalls, the team strategically added a plug-in interface. Through this, other infrastructure can be secured, from Kubernetes admission controllers to cloud services such as AWS CloudTrail or Okta. The open nature of the project means that experts in particular platforms — whether open or proprietary — can contribute their know-how and help the entire user base. Proprietary approaches can't reach this same level of scale.

Moreover, you don't need to ask anyone's permission to extend open source to cover a new service or platform: If what you need isn't there, and you're able to contribute, you can ensure that your needs will be covered in the future.

**2\. Standards-based development promotes choice.**

When open source software is part of a multivendor body such as the CNCF and in widespread use, adopters can reasonably view it as being a _de facto_ standard. Using open source standards provides an interoperable framework in which an ecosystem of tools, support, and training exist. As a user, you always have the freedom to control your own solution by directly using the open source, or choosing commercial tools that interoperate.

Drawing from Falco as an example, multiple vendors such as Sysdig, Red Hat, and Sumo Logic have built their own solutions based on the codebase. At their core, they are aligned on the protocols that Falco uses for event capture, meaning users get choice, a richer ecosystem of tools that use the standards, and future optionality.

**3\. Open source is transparent.**

Open source gives you the full visibility to examine exactly how a piece of software works. This transparency brings a double benefit.

First, if you're trusting every node in your systems with a tool, you want assurance about its security. Even if you're not auditing the code yourself, you benefit from many contributors with the resources to find and fix vulnerabilities. For software that has achieved widespread adoption, these contributors likely include cloud-scale operators with deep expertise.

Second, open source brings you insight and possibly influence on the direction of the software. You can become a contributor and influence technical direction, or allocate funding towards supporting its sustained development. When that software lives inside an industry foundation, you may benefit from established standards in governance, auditing, and sustainability.

**4\. Modern platforms are built on open source.**

To provide the assurance users need, security should be considered as an integral factor of any platform, not an optional extra. Open source is the engine room of the modern software stack, and therefore security solutions must also reach into the open source foundations. The cloud-native era has driven new approaches to operations and architecture, and security is no exception. Following the desire to "shift left" and incorporate security earlier in the software development life cycle, the same benefits apply to doing that with the open source foundations that run our enterprise platforms.

**Conclusion**

Open source is the only approach with the agility and broad reach to set up the conditions to meet modern security concerns. Users depending on massive open source infrastructure — the basis of today's clouds — should be careful of any security solution that does not acknowledge and leverage open source itself.

When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

**About the Author**

    

Edd Wilder-James' career spans open standards, open source, and data analytics, in roles covering technology, content, business, and strategy. At Sysdig, his team is committed to growing Falco as the standard for runtime threat detection. Previously, Edd led teams working on open source programs at Google, working with TensorFlow, Kubeflow, Go, and Kubernetes. He has over two decades in the open source world, chairing OSCON for six years, and is a former Debian and GNOME contributor.

4 Reasons Open Source Matters for Cloud Security

Older bugs in the AnyConnect Secure Mobility Client are being targeted in the wild, showcasing patch-management failures.

A pair of known security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows is being actively exploited in the wild, despite being patched for two-plus years.

The networking giant is warning that cybercrime groups are pressing two local privilege escalation (LPE) bugs into service, with active exploit chains against the VPN platform being observed starting this month.

The first flaw (CVE-2020-3153, with a CVSS score of 6.5) would allow a logged-in user to send a specially crafted IPC message to the AnyConnect process to perform DLL hijacking and execute arbitrary code on the affected machine with SYSTEM privileges. The second issue (CVE-2020-3433, with a CVSS score of 7.8) could allow a logged-in user to copy arbitrary files to system-level directories with SYSTEM privileges.

"In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild," Cisco noted in the updated advisories.

The situation showcases the danger that older vulnerabilities continue to pose to companies and individuals. LPE patches are often de-prioritized in the glut of updates that businesses are faced with every month, but exploit chains often combine a remote code execution (RCE) bug for initial access with an LPE exploit for burrowing deeper into corporate networks and uncovering sensitive information.

The US Cybersecurity and Infrastructure Security Agency (CISA) also this week added the bugs to its Known Exploited Vulnerabilities (KEV) catalog, along with four even older bugs in Cisco's Gigabyte gaming and graphics drivers (CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, CVE-2018-19323). Sophos flagged exploitation of the latter earlier in the month by the BlackByte ransomware gang.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Warns AnyConnect VPNs Under Active Cyberattack

Concerns about breaches of sensitive information due to execution of malware scripts and growing adoption of cloud-based services are fueling growth of the content security market.

**CHICAGO, Oct. 26, 2022 /PRNewswire/** — The global Content Security Market size is expected to grow from an estimated value of USD 1,345 million in 2022 to 2,219 million USD by 2027, at a Compound Annual Growth Rate (CAGR) of 10.5% from 2022 to 2027**.** Some factors driving the Content Security Market growth include concerns regarding increased breach of sensitive information due to execution of malware scripts, growing adoption of cloud-based services/solutions, increased need to widespread information/content and engagement through advanced user interface, and user experience platforms.

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=194651579

**By Organization size, large enterprises are expected to witness higher market share during the forecast period**

The adoption of cloud services or solutions to take advantage of the digitalization era has been the primary area of interest for businesses in the context of both large and medium-sized businesses. At the same time, it gives hackers a chance to steal sensitive data by inserting malware scripts into website content, phishing emails, and other forms of communication. When it comes to considering the adoption of new technology, there is no doubt that large corporations are typically the ones to do so. This suggests that clever con scammers or whip-smart hackers have their sights set on these businesses. However, the small and medium-sized businesses are not far behind in adopting cloud services. In addition to considering cloud adoption for its cost-effectiveness and ability to automate manual processes, small business leaders should also consider data protection and security. The technology industry benefits from the growth of cloud users and its ecosystem. In addition, these business leaders must be aware of the drawbacks associated with utilizing lucrative services or deploying cloud solutions. Because of the growing concerns over data security, this makes it possible to envision content security as a possibility.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=194651579

**By vertical, BFSI segment is expected to witness highest market share during the forecast period**

The scope of content security and protection extends beyond a small number of industry verticals like BFSI, IT and ITeS, retail and e-commerce, media, and entertainment, and so on. BFSI is one of the industries that sets the standard for the adoption of digital technologies to streamline operations and operations as digital initiative grows. It includes banks, insurance companies, and financial institutions. From a strategic perspective, the BFSI industry is the most attractive target for scammers or hackers due to the sectors rapid digital progress and the substantial amount of consumer information it holds. As a result, the number of cybercrimes and frauds has increased steadily over time. There have been alarming numbers of cases involving the use of email content, phishing emails, and UI/UX that direct users to scripted altered websites. This shows how important it is to protect the public interest and content security in the global market.

**Get 10% Free Customization on this Report:** https://www.marketsandmarkets.com/requestCustomizationNew.asp?id=194651579

**By region, Asia Pacific is projected to grow with fastest growth rate during the forecast period**

When it comes to the content security market, North America is believed to hold most of the market share. It is not surprising that it has topped the list because it has witnessed a variety of cybercrimes, allowing the region to investigate a variety of malware or suspicious content origins. Digital transformation, on the other hand, has been a major focus of Asia-Pacific efforts to boost regional economic growth and integration. Asia-Pacific now ranks among the worlds fastest-growing regions, making it a huge potential market for content security. China, India, and Japan are a few of the regions most technologically advanced nations, which are facilitating the swift implementation of content security laws and regulations to improve data security. Additionally, despite the increasing number of cyberattacks and threats, businesses in the Asia-Pacific region have been adapting to the new digital trends.

**Key Players**

Major vendors in the **Global Content Security Market** include Cartesian Inc. (US), Microsoft Corporation (US), Trend Micro Inc. (Japan), Check point Software Technologies (Israel), Barracuda Networks (US), Sophos Technologies Pvt. Ltd (UK)., Proofpoint (US), Forcepoint (US), Verimetrix (France), Lookout (US), CommScope (US) and Infosec Information Technologies (Istanbul) are few key players in the content security market.

**Browse Adjacent Markets** : Information Security Market Research Reports & Consulting

**Related Reports**

**IDaaS Market** — Global Forecast to 2027

**Operational Technology (OT) Security Market** — Global Forecast to 2027

**Zero Trust Security Market** — Global Forecast to 2027

**Cybersecurity Insurance Market** — Global Forecast to 2027

**Supply Chain Management (SCM) Market** — Global Forecast to 2027

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Content Security Market Worth $2.2 Million by 2027 - Exclusive Study by MarketsandMarkets(TM)

Google admitted to loss of data responsive to 2016 search warrant and agreed to program enhancements, reporting obligations, and a first-of-its-kind Independent Compliance Professional.

The Department of Justice on Oct. 25 filed a stipulation and agreement resolving a dispute with Google over the loss of data responsive to a search warrant issued in 2016.

Pursuant to the first-of-its-kind resolution, Google has agreed to reform and upgrade its legal process compliance program to ensure timely and complete responses to legal process such as subpoenas and search warrants, as required under the Stored Communications Act (SCA) and other applicable legal authorities. To monitor that Google fulfills its legal obligations, an Independent Compliance Professional will be retained to serve as an outside third-party related to Google’s compliance enhancements.

“The Department is committed to ensuring that electronic communications providers comply with court orders to protect and facilitate criminal investigations,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This agreement demonstrates the Department’s resolve in ensuring that technology companies, such as Google, provide prompt and complete responses to legal process to ensure public safety and bring offenders to justice.”

“The warrant underlying this agreement was sought in connection with a significant criminal investigation,” said U.S. Attorney Stephanie Hinds for the Northern District of California. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders, such as the one at issue in this case, that are critical to federal criminal investigations.”

As detailed in the Statement of Facts accompanying today’s agreement, in 2016, the United States obtained a search warrant in the Northern District of California for data held at Google related to the investigation of the criminal cryptocurrency exchange BTC-e. The warrant was issued under the SCA, the federal statute that requires providers such as Google to disclose customer communications when served with a warrant signed by a judge and supported by probable cause.

After the warrant was reviewed by a judge in the Northern District of California, sworn, signed, and served on Google, the Second Circuit Court of Appeals issued a decision holding that SCA search warrants did not reach data stored outside of the United States. Google halted execution of the search warrant and made rolling productions containing only information it could confirm was stored in the United States. Because Google’s data preservation tools at the time stored data in the United States – and thus brought the data under undisputed U.S. jurisdiction – Google also endeavored to create new tools that would prevent the data from being repatriated. Google and the government litigated regarding the search warrant through 2017 and into 2018, when Congress clarified that the SCA does indeed reach data that U.S. providers choose to store overseas. In the intervening time, data responsive to the warrant was lost.

In resolving the matter with the department, Google has agreed to numerous improvements to its legal process compliance program, as set forth in the filed agreement. The improvements are tailored to ensure that Google complies with its legal obligations to respond to lawful court orders, including those issued pursuant to the SCA. Google will maintain sufficient compliance staffing levels to support the enhancements to the program and will allocate engineering resources to support legal process compliance.

Google has further committed to implement processes and procedures to ensure timely response to legal process, as required under the SCA and other relevant legal frameworks, and to generate a compliance timeliness record for missed deadlines, which will be made available to the government upon request. Google will also develop and maintain needed tools to retrieve data in response to legal process, and to develop plans for legal process responses corresponding to new product launches.

The agreement (PDF) also provides that an Independent Compliance Professional will verify the accuracy of assertions in all reports contemplated by the agreement and evaluate Google’s assessment of its compliance with the enhancements to Google’s Legal Process Compliance Program set forth in the agreement. Pursuant to the agreement and in consultation with the mandated Independent Compliance Professional, Google will assemble periodic reports and updates regarding its Legal Process Compliance Program and its implementation of the enhancements set forth in the agreement. Google will provide these reports to the government, the Google Compliance Steering Committee, and the Audit and Compliance Committee of the Alphabet Board of Directors.

In the filed stipulation, Google represented to the court that it spent over $90 million on additional resources, systems, and staffing to implement legal process compliance program improvements.

Google will maintain its lawful protections of user data, and the agreement does not provide the United States access to Google user data.

Senior Counsel C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section and Corporate and Securities Fraud Section Chief Lloyd Farnham for the Northern District of California negotiated the agreement on behalf of the government.

Google Enters Into Stipulated Agreement to Improve Legal Process Compliance Program

Independent research from Encore uncovers hidden costs of cyber attacks.

**Maidenhead, UK, Oct. 26, 2022** — Over half (54%) of office workers would reconsider working for a company that had recently experienced a cyber breach. That's according to a new study by cybersecurity technology provider, Encore.

An independent study of 100 C-level executives, 100 Chief Information Security Officers (CISOs) and 500 office workers in the US and the UK, conducted by Censuswide, sought to uncover the gap that remains between boards and security teams when it comes to addressing cyber demands.

Only a third (33%) of staff said they would be "completely unphased" if their employer suffered a cyber break-in.

The majority (57%) of C-level executives polled said they have been breached in the last 12 months alone. Most office workers, however, were unaware, with only 39% believing their organisation had been the victim of a successful attack.

"The immediate financial cost of a cyber-attack remains the number one concern for businesses," said Brendan Kotze, CEO and Co-Founder at Encore. "But security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public. In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers."

Almost half (41%) of C-level executives polled named reputational damage as one of the biggest costs to their business following a cyber-attack, with 34% agreeing that loss of clientele or their trust was a significant cost.

Despite many admitting to suffering a cyber breach in the last year, the overwhelming majority (92%) of CISOs and C-level executives polled believe their business is secure at any given moment. Kotze believes that a mindset shift is needed at an organisational level, treating cyber incidents and the security of employee and customer data as a fundamental part of normal business operations, not a function that sits on the outside, looking in.

"There is a very real problem of security feeding a false sense of confidence," he continues. "This is a risk that must be addressed through data and reporting. All too often, we see C-level executives treat their security investments as a sure way of securing their business against persistent and motivated attackers. Security or being 'Cybersafe' is not something you can measure at a single point in time – it needs to be an ongoing effort."

Kotze concludes: "Being able to instil confidence in a wide range of stakeholders, from clients to investors to staff, is fundamental to the modern business. Trust is the bedrock of success and should be the same for security as it is as a business enabler. If all companies prepare and respond to threats as if their existence (or at least a very substantial part of it) is at risk, our chances of blocking or swiftly responding to attacks is considerably higher. Cybersecurity is no longer enough; we need to channel Cyber Safety to build resilience and establish trust both internally and externally."

To further explore the true cost of cyber breaches, please find the full research report here: https://www.encore.io/the-true-cost-of-cyber-ebook?utm\_source=pr&utm\_campaign=encore-cyber-ebook&utm\_id=cyber-ebook

**About Encore**

With more than 25 years' experience providing professional services and cyber security consulting for the largest companies in the world, we brought this knowledge to Encore, the leader in internal and external cybersecurity (CAASM and EASM). Our team is comprised of offensive security experts and security engineers, and consultants that know the mindset and tooling of the attackers, the internal operational obstacles, the challenges faced by security management and how to get the most out of security tooling.

Encore visualises information that can be confusing and often overwhelming, providing accurate and action-based reporting and visibility across numerous security controls, through one secure portal.

For more information, or to get in touch, visit our website: https://www.encore.io

54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds

Led by Microsoft's M12 venture fund, Valence's Series A round accelerates the company's ability to help customers secure their SaaS mesh from risk created by democratized end-user adoption, third-party integrations, unmanaged identities, and external data sharing.

**SAN FRANCISCO, Oct. 26, 2022 (BUSINESS WIRE)** — In just under a year since exiting stealth in 2021, Valence Security, the industry leader in SaaS security remediation, is announcing its $25 million Series A round led by Microsoft's M12 venture fund with participation from seed investor YL Ventures and additional investors including Porsche Ventures, Akamai Technologies, Alumni Ventures, and Michael Fey, CEO of Island and former president of Symantec. This new investment round brings Valence's total funding to $32 million.

The democratization of IT has deeply embedded SaaS applications into every business function within organizations, from sales and marketing to R&D. These SaaS applications empower end users to adopt and interconnect them directly and at scale, evolving into a sprawling and risky SaaS mesh of applications, integrations, users and data. Security teams struggle to gain the required visibility to manage the SaaS mesh risk surface leaving insecure SaaS access and usage, unmanaged shadow identities, ungoverned data sharing and misconfigured third-party integrations, all prime targets for attackers.

Current SaaS security solutions fail to provide security teams with the visibility and business context they need to effectively understand, prioritize and respond to SaaS mesh risks. The Valence Collaborative SaaS Security Remediation platform fills these needs. Valence engages business users to ensure that security decisions are made within the context of business needs and that end users work with and see security teams and processes as business enablers, not impediments. Valence empowers security teams to prioritize SaaS security, configuration and compliance risks, and enables automated and decentralized remediation workflows across the distributed organization.

"We initially launched Valence to address the critical need we saw to harden organizations against the growing risks of SaaS supply chain attacks in a way that takes into account business context and doesn't impede the velocity of SaaS adoption and usage," says Yoni Shohet, CEO and co-founder of Valence. "With the continuous surge in additional SaaS security breaches in 2021, accelerating into 2022 with attacks on inherently secure services such as Okta, Google and GitHub, our commitment to building the first collaborative, automated remediation platform has paid off. Customer response has been overwhelmingly positive and demand for our solution has been strong. As we have expanded our vision to include collaborating with end users to remediate other SaaS risks such as external data sharing and user identities managed outside of the organization's IdP, our value to our customers as their go-to SaaS security solution has only continued to grow."

This new approach to collaboratively remediating SaaS risks found a lot of interest in M12. "Recognizing the growing threat of SaaS supply chain attacks, we have been looking closely at startups in this space," said Mony Hassid, managing director and EMEA lead at M12. "We were impressed with Valence's approach to identify SaaS security risks, engage the end user to gain business context, achieve business application owner buy-in when remediating SaaS supply chain risks, and address further SaaS risks such as misconfigurations, data protection and identity security."

"We have been with Valence since the start," states John Brennan, senior partner at YL Ventures. "The progress the team made in such a short period of time is amazing and we're excited to continue supporting the team together with great partners like M12. Valence's Series A round will enable them to further accelerate the growth of their go-to-market team and programs in the U.S. It will also facilitate the rapid expansion of their R&D team to fully realize their vision of enabling organizations to secure their growing mesh of SaaS applications, integrations, user identities and data sharing, without slowing down the fast pace of SaaS adoption, usage and innovation that end users have grown used to."

**About Valence Security**

Valence Security is the first security company to offer collaborative remediation workflows that engage with business users to contextualize and reduce SaaS data sharing, supply chain, identity and misconfiguration risks with scalable policy enforcement and automated workflows. With Valence, security teams can secure their critical SaaS applications like Microsoft 365, Google Workspace, Salesforce and Slack and ensure continuous compliance with internal policies, industry standards and regulations, without impeding business productivity or the speed of SaaS adoption. Valence is backed by leading cybersecurity investors like Microsoft's M12 and YL Ventures and is trusted by leading organizations. For more information, go to valencesecurity.com.

Valence Security Announces $25M Series A to Scale Delivery of Collaborative SaaS Security Remediation Solutions to Customers

As more of the software stack consists of third-party code, it's time for a more-advanced open source vetting system.

Cyberattacks' frequency and severity remain a growing concern for organizations large and small. Hardly a day goes by without news about a major breach or break-in. Yet it's also clear that methods are evolving and becoming stealthier. One of the more disturbing trends is attackers embedding malware in legitimate products and supply chains.

The SolarWinds attack in 2020 demonstrated just how devastating supply chain attacks can be and how far they can reach. As customers of security firm FireEye downloaded and installed legitimate patches for its Orion IT-monitoring platform, malware hidden in open source software (OSS) code infiltrated their systems.

**No Simple Task**

Gaining control of the software supply chain is vital, yet it's no simple task. OSS has emerged as an essential part of the business world and increasingly delivers critical building blocks used to produce proprietary and commercial software. A growing array of products rooted in the physical world — vehicles, airplanes, medical devices, consumer electronics, and industrial machinery, to name a few — rely on OSS to operate. Hacks and attacks on these systems represent a serious and even potentially fatal risk, ranging from ransomware to sabotage.

Yet the problem is broader. Most software developed today, including applications and code embedded in physical products, contains third-party code that falls into two separate categories:

*   **Pre-built components** that perform a specific function and are available for purchase off-the-shelf, and
*   **Commissioned code** that is developed on an outsourced basis for use in the purchasing company's product.

Both of these types of third-party code can contain embedded and undocumented OSS, which may harbor security vulnerabilities.

**Can You Trust Your Partners?**

Avoiding software supply chain risks is increasingly difficult. Much of the software any organization uses derives from a trusted vendor or partner — or it's a mash-up based on numerous sources. When patches and updates come from trusted sources and appear authentic, there's typically no reason to inspect them. However, if attackers successfully plant malware in legitimate software and it goes undetected through final release production, it can become a mass malware-dissemination tool.

As the SolarWinds attack showed, an organization's defenses are only as good as the supply chain's weakest link. An enterprise can take numerous steps to ensure that the OSS it utilizes is secure, yet it's next-to-impossible to guarantee that the third-party code a partner or vendor supplies is equally vetted. Unfortunately, everyone relies on different techniques, tests, and standards.

While open source code isn't inherently more dangerous than proprietary code, the widespread adoption of OSS means that the same code components can wind up in numerous applications, products, and systems. In fact, roughly 70% to 90% of any software "stack" consists of third-party code. This includes industries and sectors as diverse as public transportation, consumer electronics, telecom, and major software applications used by universities, government agencies, and others.

Moreover, open source code risks are on the rise. Hackers and attackers use several highly effective methods to target resources such as Python repositories (i.e., Python Package Index, or PyPI) and JavaScript package manager npm. This can lead to malware that installs cryptomining software or steals credentials and authentication tokens. An attack can also embed malware in seemingly legitimate code, such as a recent case where 186 npm typosquatting packages appeared in open source code for Linux systems.

**Cracking Down on Bad Code**

Recently, a group of organizations joined together under the umbrella of the Linux Foundation to build a framework for verifying open source code.

This group — OpenSSF (Open Source Security Foundation) — includes heavyweights such as AWS, Google, IBM, and Microsoft, as well as specialized vendors such as Akamai, Indeed, and Socket Security. Its 10-point plan \[PDF\] aims to create more consistent open source code production methods, improve vulnerability discovery and remediation, and reduce patching response times for open source software.

OpenSSF hopes to achieve these results via expanded use of digital signatures on software releases; replacing non-memory-safe languages; standard third-party code reviews; improved education and training for developers and others; and improved tools and best practices for the software supply chain.

All of this leads to a best practice referred to as a software bill of materials (SBOM). It delivers a catalog of OSS as well as other software that's present in third-party (building block) code. It also displays any security vulnerabilities that this software may contain.

**An Eye on Observability**

Getting to a more-advanced open source vetting framework also requires a closer look at the code itself. This is particularly important because organizations not only rely on OSS but also a hybrid approach that revolves around pre-built, off-the-shelf components and custom building blocks, developed internally or by outsourcing partners.

Nearly 60% of software products today contain third-party code, according to VDC Research, most of which uses open source components under the hood. Gaining the needed insight into this code is difficult because conventional software composition analysis (SCA) has inherent limitations. While SCA remains a useful tool for decomposition of software and spotting vulnerabilities, there's also the need to examine and analyze binary files. This makes it possible to scan the code that runs, rather than inspecting only the pieces in the build environment.

Binary SCA finds vulnerabilities in third-party code and OSS without actual source software; it provides deep semantic matching; it's equipped to conduct analysis on real-time code; and it delivers crucial elements such as audit logging, risk reporting, API analysis, and SBOM generation and output, including formats such as PDF, CSV, SPDX, JSON, and CycloneDX. It's a best-practice framework that delivers a comprehensive view of OSS components and other code.

With these pieces in place, it's possible to improve vulnerability detection across all sources of the software in an application or product, boost audit and compliance capabilities, and establish a coveted SBOM. There's no way to stop crooks and cybergangs from attacking organizations through the software supply chain, but the combination of an industry framework and the right inspection technology minimizes the risks and maximizes the gains of open source software.

Open Source Is Just the Tip of the Iceberg in Software Supply Chain Security

Majority of vulnerability scanner tools overwhelming teams with false positives and missing exploitable vulnerabilities.

**BE'ER SHEVA, Israel, Oct. 26, 2022 /PRNewswire/** — Rezilion, an automated vulnerability management platform accelerating software security, announced today the release of the company's Vulnerability Benchmark Report, which provides visibility into the inaccuracies and noise that are created by the market's most popular commercial and open source scanning technologies.

"Every day there are a multitude of new vulnerability disclosures across the software ecosystem, driving end-users to rely on vulnerability scanners to detect if these potentially exploitable vulnerabilities exist within their environment," said Yotam Perkal, Director of Vulnerability Research with Rezilion. "With a proven variability in the accuracy of the scanning tools on the market, companies are paying the cost of time spent triaging irrelevant vulnerabilities and worst, in the case of false negative detections, create blind spots for the organization and a false sense of security."

**Inconsistent results in scanners are common.** In this first-of-its-kind benchmark and root cause analysis, Rezilion researchers examined 20 popular containers on DockerHub, ran them locally, and scanned them using six different, popular vulnerability scanners in the commercial and open source market.

Each vulnerability scanner reported a different number of vulnerabilities, equating to less than 50 percent of common findings, exposing an exceptional amount of false positives and negatives. As a result, Rezilion has opened issues/support tickets for the misidentification of **over 1,600 different CVEs**.

**Key Findings:**

*   **Recall:** Compared to the ground truth (i.e., taking false negatives into account), scanners returned only 73% of relevant results out of all vulnerabilities that should have been identified, including those the scanners failed to detect.
*   **Precision:** On average, out of the total number of vulnerabilities reported by the scanners, only 82% were relevant results (identified correctly), regardless of vulnerabilities that scanners failed to report (18% were false positives).
*   Over 450 high and critical-severity vulnerabilities were misidentified across the 20 containers.
*   On average, across the 20 containers examined, the scanners failed to find (false negative result) more than 16 vulnerabilities per container.

"The primary problem is that the scanner performance data is not transparent and leaves end-users without visibility to accurately evaluate effectiveness of vulnerability scanners," continued Perkal. "With this research, we're committed to driving the industry forward and proactively approaching the issue. Rezilion's ultimate goal is to provide transparency about the performance of the scanners and improve the quality of vulnerability scanning across the board."

**Best Practices:**

*   Understand your specific scanner's capabilities and limitations and ensure your scanner of choice matches your specific needs.
*   Be mindful of the root causes for misidentification as presented in the research, and don't trust your scanner's results blindly.
*   Utilize a Software Bill of Materials (SBOM) to validate the accuracy of your scanner output and achieve visibility into your software dependencies.

**To download the full report, please visit:** https://www.rezilion.com/lp/scanning-the-scanners-what-vulnerability-scanners-miss-and-why/.

**About Rezilion:**

Rezilion's platform automatically secures the software you deliver to customers. Rezilion's continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours while giving DevOps teams time to build.

Learn more about Rezilion's software attack surface management platform at www.rezilion.com and get a 30-day free trial.

**SOURCE:** Rezilion

Rezilion Vulnerability Scanner Benchmark Report Finds Top Scanners Only 73% Accurate

New service from BlackBerry's Threat Research and Intelligence Team reduces unknowns to enhance detection and response.

**NEW YORK, Oct. 26, 2022 /PRNewswire/** — Today, at the BlackBerry Security Summit, BlackBerry Limited (NYSE: BB; TSX: BB) announced the release of its new Cyber Threat Intelligence (CTI) offering, a professional threat intelligence service to help customers prevent, detect, and effectively respond to cyberattacks.

Delivered on a quarterly subscription basis, BlackBerry's new CTI service  
provides actionable intelligence on targeted attacks and cybercrime-motivated  
threat actors and campaigns, as well as intelligence reports specific to  
industries, regions, and countries. BlackBerry's CTI will save organizations  
time and resources by focusing on specific areas of interest relevant to a  
company's security goals.

"Being cyber resilient means making the right decisions at the right time," said  
Ismael Valenzuela, Vice President, Threat Research and Intelligence at  
BlackBerry. "Cyberattacks are becoming more sophisticated and threat actors move  
quickly. BlackBerry's Cyber Threat Intelligence delivers the details needed to  
improve detection and response, so organizations can stay on top of cyber threat  
activity and anticipate any next moves."

"More businesses are recognizing the value of threat intelligence and the  
distinctive benefits it brings to security teams," said Chris Kissel, Vice  
President, Security and Trust Products at IDC Research. "Curated threat  
intelligence from credible experts in the space provides businesses and their  
front line security personnel with timely insights, enabling them to better  
detect, triage, and investigate threats. Integrating this service with existing  
security ecosystems helps businesses stay one step ahead of cyber threats as  
digital attack surfaces evolve and expand."

The Threat Research and Intelligence Team has released numerous first-to-market  
research reports over the past year leveraging BlackBerry's data-driven digital  
ecosystem and analytical capabilities. These research reports have revealed new  
developments in the ransomware and malware space, and targeted, state-sponsored  
APT activity, including Symbiote, DCRat, Chaos Yashma ransomware and LokiLocker,  
all of which have been well-received by BlackBerry's customer base and the  
broader security community.

The service will launch in December.

For more information on how BlackBerry's Cyber Threat Intelligence service can  
support your organization, please visit BlackBerry.com to connect with one of  
our experts.

**About BlackBerry**  
BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and  
services to enterprises and governments around the world. The company secures  
more than 500M endpoints including 215M vehicles. Based in Waterloo, Ontario,  
the company leverages AI and machine learning to deliver innovative solutions in  
the areas of cybersecurity, safety, and data privacy solutions, and is a leader  
in the areas of endpoint security, endpoint management, encryption, and embedded  
systems. BlackBerry's vision is clear — to secure a connected future you can  
trust.

BlackBerry. Intelligent Security. Everywhere.

For more information, visit BlackBerry.com and follow @BlackBerry.

Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the  
trademarks or registered trademarks of BlackBerry Limited, and the exclusive  
rights to such trademarks are expressly reserved. All other trademarks are the  
property of their respective owners. BlackBerry is not responsible for any  
third-party products or services.

**SOURCE:** BlackBerry Limited

Source

DARKReading