Companies and organizations need to recognize the importance of investing in engineers who possess both the soft and hard skills required to secure open source software effectively.

Source: Yury Zap via Alamy Stock Photo

COMMENTARY

Open source security incidents aren't going away. The reliance on open source software (OSS) increases year-over-year, with more than 95% of all software, including open source, in some capacity. From operating systems to critical libraries to Web applications and more, open source software (OSS) plays a pivotal role in the current technology landscape. However, this widespread reliance introduces significant security risks. As the use of OSS continues to evolve, so does the importance of securing it. This responsibility falls not on individual hobbyist developers, but on the companies and organizations that have the resources to dedicate engineers specifically to open source security. These organizations are the ones that benefit the most from open source and should be the ones who contribute the most back.  

**Essential Skills for Open Source Security Developers**

Securing open source is similar to securing closed source, but many of the skills required are of higher importance for open source, due to various factors. Open source is public and tends to have broader adoption than much closed source software. A closed source tool with a security vulnerability used by a handful of customers is going to have a very different impact than something like OpenSSH having a vulnerability, given its use on millions of servers worldwide. 

I hope this doesn't come as a surprise, but the most important open source skills to have are soft skills. Most software development time is spent doing things other than actually writing code. Here are a few key skills:  

*   Public collaboration: Open source projects are inherently collaborative and involve contributors from around the globe. Effective communication ensures that security practices are understood and implemented correctly. 
    

*   Preventing miscommunication: Many security bugs arise from misunderstandings. Clear documentation and open dialogues can prevent these issues from occurring. 
    

*   Proactive approach: Keeping security at the forefront of daily tasks helps in early detection of potential vulnerabilities. 
    

*   Continuous vigilance: A security-first mindset encourages constant evaluation of code for potential risks. 
    

*   Responsibility: Treating open source projects with the same seriousness as closed source commercial projects ensures higher security standards. 
    

*   Accountability: Developers who feel a sense of ownership are more likely to produce secure and reliable code. 
    

Just because soft skills are more important than hard skills for software development doesn't mean those hard skills are irrelevant. They are still important, and a few of them in particular are of focused importance for open source security. The open source community gets the benefit of a project being public, enabling the community to come together to secure the project with experts in different areas providing their expertise. However, with open source being public, it also exposes projects to malicious actors, like we saw in the XZ compromise, where a bad actor maintainer contributed innocuous-looking, but ultimately malicious, code. This is why software engineers focused on open source security need to be vigilant and experienced to know what to look for when they get contributions from anonymous developers. Here are some of the skills that are important: 

1.  Security Engineering and Threat Modeling 
    

*   Understanding attack vectors: Knowledge of how vulnerabilities are exploited is crucial. 
    

*   Techniques like STRIDE: Familiarity with threat modeling methodologies helps in identifying and mitigating risks. 
    

*   Common vulnerabilities: Awareness of issues like SQL injection, cross-site scripting (XSS), and buffer overflows is essential. 
    

*   Language-specific vulnerabilities: Each programming language has its own set of security concerns. This is especially important for languages and ecosystems that don't have built-in memory safety mechanisms. 
    

*   Ecosystem proficiency: Knowledge of the packaging ecosystem like PyPI, npm, etc., and how software is developed in that ecosystem is important to understand external risks to the project like upstream dependencies. You can write perfectly safe code and include a vulnerable or malicious dependency and ship insecure software. Knowing when to include a dependency and when it's better to write the functionality yourself is very important as well. 
    

*   Build pipelines: Incorporating security checks into continuous integration and deployment processes ensures ongoing security. Open source developers wear multiple hats and need to understand and secure the continuous integration flow. The artificial intelligence (AI) analog would be the training pipeline. 
    

*   Contextual awareness: Understanding how software will be used by consumers helps in identifying potential security flaws. 
    

*   Automated testing: Implementing tools that automatically scan for vulnerabilities can catch issues early. 
    

*   Comprehensive test coverage: Ensuring that all parts of the code are tested reduces the risk of overlooked vulnerabilities. 
    

As the reliance on open source software continues to grow, so does the necessity for open source developers focused on security. This need is becoming even more critical with the rise of open source AI projects. Open source AI introduces new layers of complexity and opacity due to massive datasets and the probabilistic nature of trained models. The sheer volume of data and the intricacies of machine learning algorithms make it challenging to identify vulnerabilities and predict how models might behave in unforeseen circumstances. 

The "black box" aspect of AI models means that even the developers may not fully understand how inputs are being processed to produce outputs. This opacity can be exploited, leading to security breaches such as data poisoning, adversarial attacks, and unintended bias. Therefore, securing open source AI requires specialized skills and a deep understanding of both AI technologies and security principles. 

Companies and organizations must recognize the importance of investing in engineers who possess both the soft and hard skills required to secure open source software effectively, especially in the rapidly evolving field of AI. By fostering these skills, we can enhance the security of open source projects, benefiting individual organizations and the global community that relies on them. 

**About the Author**

Co-Founder & Chief Technology Officer, Kusari

Michael Lieberman is co-founder and chief technology officer (CTO) of Kusari, where he helps build transparency and security in the software supply chain. He has extensive engineering and architecture expertise with an emphasis on cloud-native technologies and security and privacy use cases. Prior to Kusari, he held engineering leadership positions with Citi, Mitsubishi UFJ Financial Group (MUFG), and Bridgewater Associates. Michael is an active member of the open source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture white paper. He is also co-chair of the Cloud Native Computing Foundation Financial Services User Group and an OpenSSF TAC and SLSA steering committee member.

Open Source Security Incidents Aren't Going Away

Large language models (LLMs) can help app security firms find and fix software vulnerabilities. Malicious actors are on to them too, but here's why defenders may retain the edge.

Source: vs148 via Shutterstock

Security researchers and attackers are turning to AI models to find vulnerabilities, a technology whose use will likely drive the annual count of software flaws higher, but could eventually result in fewer flaws in public releases, experts say.

On Nov. 1, Google said its Big Sleep large language model (LLM) agent discovered a buffer-underflow vulnerability in the popular database engine, SQLite. The experiment shows both the peril and the promise of AI-powered vulnerability discovery tools: The AI agent searched through the code for variations on a specific vulnerability, but identified the software flaw in time for Google to notify the SQLite project and work with them to fix the issue.

Using AI just for software-defect discovery could result in a surge in vulnerability disclosures, but introducing LLM agents into the development pipeline could reverse the trend and lead to fewer software flaws escaping into the wild, says Tim Willis, head of Google's Project Zero, the company's effort to identify zero-day vulnerabilities.

"While we are at an early stage, we believe that the techniques we develop through this research will become a useful and general part of the toolbox that software developers have at their disposal," he says.

Google is not alone in searching for better ways to find — and fix — vulnerabilities. In August, a group of researchers from Georgia Tech, Samsung Research, and other firms — collectively known as Team Atlanta — used an LLM bug-finding system to automatically find and patch a bug in SQLite. And just last month, cybersecurity firm GreyNoise Intelligence revealed it had used its Sift AI system to analyze honeypot logs leading to the discovery and patching of two zero-day vulnerabilities affecting Internet-connected cameras used in sensitive environments.

Overall, companies are gaining more ways to automate vulnerability discovery, and — if they are serious about security — will be able to drive down the number of vulnerabilities in their products by using the tools in development, says Corey Bodzin, chief product officer at GreyNoise Intelligence.

"The exciting thing is we do have technology that allows people who \[care about\] security to be more effective," he says. "Sadly ... there are not many companies where that is ... a primary driver, but even in companies where \[security is\] purely viewed as a cost" can benefit from using these tools.

**Only the First Steps**

Currently, Google's custom approach is still bespoke and requires work to adapt to specific vulnerability-finding tasks. The company's Big Sleep agent does not to look for completely new vulnerabilities, but uses details from a previously discovered vulnerability to look for similar issues. The project has looked at smaller programs with known vulnerabilities as test cases, but the SQLite experiment is the first time they found vulnerabilities in production code, the Google Project Zero and Google DeepMind researchers stated in Google's blog post describing the research.

While specialized fuzzers would likely have found the bug, tuning those tools to perform well is a very manual process, says Google's Willis.

"One promise of \[L\]LM agents is that they might generalize across applications without the need for specialized tuning," he says. "Additionally, we're hopeful that \[L\]LM agents will be able to uncover a different subset of vulnerabilities than those typically found through fuzzing."

The use of AI-based vulnerability discovery tools will be a race between attackers and defenders. Manual code review is a viable way of finding bugs for attackers, who only need a single exploitable vulnerability or short chain of vulnerabilities. But defenders need a scalable way of finding and fixing applications, Willis says. While bug-finding tools can be a force multiplier for both attackers and defenders, the ability to scale up to analyze code will likely be a greater benefit for defenders, Willis says.

"We expect that advances in automated vulnerability discovery, triage, and remediation will disproportionately benefit defenders," he says.

**Focus AI on Finding and Fixing Bugs**

Companies that focus on using AI to generate secure code and fix bugs when found will deliver higher quality code from developers, says Chris Wysopal, co-founder and chief security evangelist at Veracode, an application security firm. He argues that automating bug finding and bug fixing are two completely different problems. Finding vulnerabilities is a very large data problem, whIle fixing bugs usually deals with perhaps a dozen lines of code.

"Once you know the bug is there — if you found it through fuzzing, or through an LLM, or using human code review — and you know what kind of bug it is, fixing it is relatively easy," he says. "So, LLMs favor defenders, because having access to source code and fixing issues is easy. So I'm kind of bullish that we can eliminate whole classes of vulnerabilities, but it's not from finding more, it's from being able to fix more."

Companies that require developers to run automated security tools before code check-in will find themselves on a path to paying down their security debt — the collection of issues that they know about, but have not had time to fix, he says. Currently, about half (46%) of organizations have security debt in the form of persistent critical flaws in applications, according to Veracode's 2024 State of Software Security report.

"The idea that you're committing code that has a problem in it, and it's not fixed, will become the exception, not the rule, like it is today," Wysopal says. "Once you can start to automate this fixing — and we're always getting better at automating finding \[vulnerabilities\] — I think that's how things change."

Yet, the technology will still have to overcome companies' focus on efficiency and productivity over security, says Bob Rudis, vice president of data science and security research at GreyNoise Intelligence. He points to the fixing of the two security vulnerabilities that GreyNoise Intelligence found and responsibly disclosed. The company only fixed the issues in two product models, but not others — despite the fact that the other products likely had similar issues, he says.

Google and GreyNoise Intelligence proved that the technology will work, but whether companies integrate AI into the development pipelines to eliminate bugs is still an open question.

Rudis has doubts.

"I'm sure a handful of organizations are going to deploy it — it's going to make like seven C files a little bit safer across a bunch of organizations, and maybe we'll get like a tick more security for the ones that can actually deploy it properly," he says. "But ultimately, until we actually change the incentive structure around how software vendors build and deploy things, and how consumers actually purchase and deploy and configure things, we are not going to see any benefit."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI &amp; LLMs Show Promise in Squashing Software Bugs

Direct cyberattacks on vehicles are all but unheard of. In theory though, the opportunity is there to cause real damage — data extraction, full system compromise, even gaining access to safety-critical systems.

Source: Marin Tomas via Alamy Stock Photo

Six unpatched vulnerabilities in a Mazda in-vehicle infotainment (IVI) system could be exploited with a simple USB in a moments' time, and one of them has legitimate consequences to vehicle safety.

These days, cars are just computers on wheels, and IVIs are their user interface. The IVI in most Mazda vehicles of recent years — like the Mazda3 and CX-3, 5, and 9 — are built with the Mazda Connect Connectivity Master Unit (CMU), developed by the Michigan-based Visteon Corporation. The CMU is a core hardware component that enables various connectivity services: smartphone integration, a Wi-Fi hotspot, and various remote monitoring and control features.

Recent research through Trend Micro's Zero Day Initiative (ZDI) has surfaced half a dozen vulnerabilities in the Mazda IVI. A few of them enable full system compromise, and access to various sensitive data. One of particular note could enable an attacker to pivot to the vehicle's Controller Area Network (CAN) bus — the central nervous system connecting its various component parts.

None of the vulnerabilities have been assigned a value according to the Common Vulnerability Scoring System (CVSS) yet. All of them remain unpatched as of this writing. On the plus side: They all require that an attacker physically insert a malicious USB into the center console. Such a scenario — carried out by a carjacker, or possibly a valet or dealer — is essentially unheard of in the real world to date.

Dark Reading has reached out to Visteon for further comment on this story.

**6 Mazda IVI Security Bugs**

Three of the vulnerabilities — CVE-2024-8358, CVE-2024-8359, and CVE-2024-8360 — target functions used to locate and extract specific files during software updates. Because the provided file path is not sanitized, an attacker can step in with their own malicious injection, which gets executed at the root level of the system. With a specially crafted command, this one-step hack could facilitate a full system takeover.

Another way to skin this cat would be to take advantage of CVE-2024-8357, affecting the CMU's System on Chip (SoC) running Linux. The SoC's boot process has no authentication in place, so an attacker with the ability to execute code can take advantage to manipulate files, establish persistence through reboots, and establish control over the system even before it boots up.

The Mazda IVI; Source: Trend Micro's ZDI

CVE-2024-8355 might seem at first a bit different from the rest but, in reality, it's caused by the same underlying problem: lack of sanitization of input data.

To establish a connection with an Apple device, the CMU will request the device's serial number. Because it doesn't apply scrutiny to that value, a spoofed device can send specially crafted SQL code instead. The system's DeviceManager will run that code at the root level, enabling all kinds of malicious outcomes: database exposure, arbitrary file creation, etc.

Last, but certainly not least, is CVE-2024-8356, a missing verification during the CMU software update process. This one, however, affects the unit's other processor, the Verification IP Microcontroller Unit (VIP MCU). The VIP MCU is designed to be separate from the SoC for security purposes, because instead of running the operating system, it connects to the vehicle's CAN bus. The CAN bus, in turn, connects the rest of the vehicle: everything from climate control to the engine and airbags. With a tampered firmware image, ZDI demonstrated that one can jump the SoC to manipulate the VIP MCU, and from there reach the CAN bus.

**Serious, But Unlikely Consequences**

"In truth, it's hard to predict what an attacker could do once they have access to a CAN bus," says Dustin Childs, head of threat awareness at ZDI. "Since the CAN bus serves as the nervous system of the vehicle, a threat actor could potentially impact whatever electronic control units (ECUs) or components that interact with the CAN bus." Translation: Attackers can subvert just about any conceivable part of the vehicle.

"The worst case scenario would be an attacker impacting the driving characteristic of the car, rendering it unsafe to operate," he adds.

Still, the threat is immaterial. For all of the exploits demonstrated by researchers, actual criminals still consistently stick to those older tried-and-true methods of compromise: a stolen set of keys; an unfurled clothes hanger slipped artfully in between a window and a door frame; or a rock, a window, and a good baseball toss.

"At this point, there isn't a lot of real-world impact," Childs admits. "However, as cars become more connected, remote exploitation becomes more realistic. In the last Pwn2Own Automotive, the team from Synacktiv exploited the modem of the Tesla Model 3 over-the-air to reach and interact with the onboard systems of the vehicle. It's just a matter of time until a complete, remote vehicle takeover becomes a real possibility."

He adds, "That's why manufacturers should build in security to each component and not rely on the defenses of other modules. A vehicle should have a multilayered protective system that assumes every message may be from a compromised source. The more we get ahead of the problem now, the easier it will be to react to it in the future."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs

It remains unclear how the attackers gained access to Newpark Resources' system, or what they plan to do with any stolen data the strike may have spewed out.

Source: Don Mammoser via Alamy Stock Photo

Newpark Resources, a Texas-based oil drilling fluids system and composite matting systems provider, announced in a filing with the Securities and Exchange Commission (SEC) that it is dealing with the fallout of a ransomware attack it faced earlier this week.

The company has not shared details as to how the attackers gained access to its network, nor who the threat actors are or why they may have targeted Newpark. But after the breach was discovered, Newpark engaged its security response plan as expected and limited access to certain parts of its systems.

"The incident has caused disruptions and limitation of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions, including financial and operating reporting systems," Newpark said.

According to Matt Hull, global head for Strategic Threat Intelligence at cybersecurity consultancy NCC Group, any data stolen from the critical infrastructure company has not yet appeared on any leak sites.

And because the company reverted to downtime procedures in response to the attack, it was able to continue manufacturing, and its field operations were uninterrupted. It hopes the attack will not have an effect on its financial conditions, it said.

"Organizations are facing an increasingly pressing challenge: maintaining the security benefits of segmentation while enabling controlled connectivity," stated Chris Grove, director of cybersecurity strategy at Nozomi Networks, in an emailed statement to Dark Reading. "Industrial organizations will need to ensure their defenders can quickly isolate and contain threats, while preventing interruptions to critical operations. This is especially important for sectors where downtime has serious consequences in terms of public safety and economic impact, as would be the case with a critical infrastructure sector."

**About the Author**

Mystery Hackers Target Texas Oilfield Supplier in Ransomware Attack

The European Union's Digital Operational Resilience Act requires financial entities to focus on third-party risk, resilience, and testing.

Source: Sikov via Adobe Stock Photo

COMMENTARY 

January 2025 is a big month for the finance industry – and the clock is ticking. The Digital Operational Resilience Act (DORA) is set to shape how financial entities, such as banks, insurance companies, and investment firms, approach their IT infrastructure and data security. According to Article 3 (1), this regulation will enhance "the ability of a financial entity to build, assure and review its operational integrity and reliability."

Although IT security and digital resilience form a part of the reforms that followed the 2008 financial crisis, they've taken a back seat over the years. DORA aims to address the rising cyber threat.  

Member states across the European Union have until January to comply with this new regulation or risk severe fallout. A breach could result in fines of up to 2% of an organization's total annual worldwide revenue or up to 1% of the company's average daily worldwide revenue.  

Despite the urgent call to action, delays are making it difficult for institutions to prepare. While the scoping and harmonization templates were due to the commission in July, public release is uncertain. There are currently no sets of controls or technical standards, so how are those being impacted meant to prepare? 

But with time running out, financial entities do not have the luxury of watching and waiting. Without any real guidance, it's in their best interest to take matters into their own hands and do what they can with the information they have.

**Size Equals Complexity **

As with many new regulations, one of the key challenges is complexity – and DORA takes that to a whole new level, with six chapters and over 280 articles. It introduces a series of new standards and controls that companies must meet and for which a complete restructure of processes may be required.

Remember, DORA is a regulation, not a framework, so comprehending the many requirements is job No. 1 for organizations. To ensure compliance, organizations need full visibility over all company assets. This allows organizations to continuously monitor all systems and identify and address any potential gaps in security. 

**You Can't Protect What You Can't See **

Technology is a borderless entity; DORA calls for complete visibility, despite the vast array of interconnected devices used by firms. The new regulation focuses heavily on data and providing clear and actionable evidence. DORA places a particular emphasis on third-party risk, resilience, and testing – areas currently without an existing framework and becoming more vulnerable every year. 

PCI security standards, for example, focus solely on protecting credit card information. NIST's Cybersecurity Framework covers certain elements of recovery and fills the gap left by PCI, but it still doesn't cover reporting. DORA, on the other hand, doesn't focus so much on penetration testing but more on threat-based testing, requiring organizations to emulate a threat rather than conduct a vulnerability scan.  

So instead of monitoring for any existing cybersecurity vulnerabilities, the new regulations require organizations to monitor for any potential weaknesses – identifying and rectifying them before they can trigger unnecessary risk. This approach minimizes the risks of vulnerabilities developing and ensures organizations have real-time updates on the state of their security. 

**What Can Business Do at This Stage? **

One thing DORA is very clear on is an emphasis on results and the need to continually monitor for threats. This regulation should not to be taken lightly. Under DORA, authorities have the power to request data and execute powers to assess a company's compliance with these regulations.  

As a first step, organizations should conduct a thorough gap-analysis exercise to identify areas in need of improvement – within their own business as well as across their supply chains. Ahead of January, organizations must ensure that their risk management strategies are up to date. Right or wrong, DORA assumes firms have a sufficient risk management framework in place. The same is expected of parties in the supply chain, although how far down the chain is yet to be determined.  

All parties involved need to obtain and maintain detailed knowledge of all critical assets at any given time. Tools that continuously monitor all assets provide real-time critical information on processes across the company. Only through continuous monitoring can organizations understand where the gaps in their security are and ensure they are properly addressed. 

Regardless of delays, DORA is coming and businesses must be prepared. Organizations that view this incoming regulation as more than just another push for compliance – and instead a platform from which to truly enhance their security posture – will gain that all-important competitive edge. Through continuous monitoring and effective threat management, organizations will achieve a new level of protection across their entire network.  

**About the Author**

CEO, Quod Orbis

Martin Greenfield is the CEO of Continuous Controls Monitoring solutions provider, Quod Orbis. He has over two decades in the cyber security space. With his team, Martin helps deliver complete cyber controls visibility for our clients via a single pane of glass, through Quod Orbis’ Continuous Controls Monitoring (CCM) platform. Their clients can see and understand their security and risk posture in real time, which in turn drives their risk investment decisions at the enterprise level.

Preparing for DORA Amid Technical Controls Ambiguity

The journey toward a successful DevSecOps implementation is complex, requiring a strategic approach to overcome the myriad challenges it presents.

Debrup Ghosh, Principal Product Manager, F5 Inc.

November 8, 2024

4 Min Read

Source: Maskot via Alamy Stock Photo

COMMENTARY

In the evolving landscape of software development, the integration of DevSecOps has emerged as a critical paradigm, promising a harmonious blend of development, security, and operations to streamline feature delivery while ensuring security. However, the path to achieving this seamless integration is fraught with hurdles — ranging from the lack of security training among developers to the complexity of security tools, the scarcity of dedicated security personnel, and the generation of non-actionable security alerts.  

Historically, there has been a palpable tension between members of development teams, who prioritize rapid feature deployment, and security professionals, who focus on risk mitigation. This discrepancy often results in a "the inmates are running the asylum" scenario, where developers, driven by delivery deadlines, may inadvertently sideline security, leading to frustration among security teams. However, the essence of DevSecOps lies in reconciling these differences by embedding security into the development life cycle, thereby enabling faster, more secure releases without compromising productivity. Let's explore strategies for embedding security into the development process in a harmonious manner, thereby enhancing productivity without compromising on security. 

**The DevSecOps Imperative**

The adoption of DevSecOps marks a significant shift in how organizations approach software development and security. By weaving security practices into the development and operations processes from the outset, DevSecOps seeks to ensure that security is not an afterthought but a fundamental component of product development. This approach not only accelerates the deployment of features but also significantly reduces the organizational risk associated with security vulnerabilities. Yet, achieving this delicate balance between rapid development and stringent security measures requires overcoming substantial obstacles. 

**Understanding Your Risk Portfolio**

The foundation of effective DevSecOps implementation lies in gaining a comprehensive understanding of the organization's risk portfolio. This involves a thorough assessment of all software resources, including the codebase of applications and any open source or third-party dependencies. By integrating these assets into a centralized system, security teams can monitor security and compliance, ensuring that risks are identified and addressed promptly. 

**Automating Security Testing**

Automating security testing represents another cornerstone of effective DevSecOps. By embedding risk management policies directly into DevOps pipelines, organizations can shift the responsibility of initial security assessments away from developers, allowing them to focus on their core tasks while still ensuring that security is not compromised. This automation not only streamlines the security testing process but also ensures that vulnerabilities are promptly flagged to the security teams for further action. 

**Continuous Monitoring for Proactive Security**

Continuous monitoring is a critical component of DevSecOps, enabling organizations to maintain a vigilant watch over their repositories. By automatically triggering security tests upon any change in the codebase, this approach minimizes the need for developer intervention, ensuring that security checks are an integral, ongoing part of the development life cycle. 

**Simplifying the Developer Experience**

To truly integrate security into the development process, it is imperative to simplify the developer experience. This can be achieved by enabling developers to access information about security vulnerabilities within their familiar working environments, such as the integrated development environment (IDE) or bug-tracking tools. By making security an intrinsic aspect of their daily tasks, developers are more likely to embrace these practices, reducing the friction associated with external security mandates. 

**Conclusion**

The journey toward a successful DevSecOps implementation is complex, requiring a strategic approach to overcome the myriad challenges it presents. By fostering a culture of collaboration, automating security processes, and integrating security into the fabric of development workflows, organizations can mitigate risks without sacrificing speed or innovation. The goal of DevSecOps is not to hinder development with security but to empower developers with the tools and processes needed to build secure, high-quality software efficiently. By adopting these principles, companies can move beyond the "inmates running the asylum" paradigm to a more balanced, productive, and secure software development life cycle.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of his employer.

**About the Author**

Principal Product Manager, F5 Inc.

Debrup Ghosh is a seasoned product management leader with extensive experience in cybersecurity, SaaS, and AI-driven solutions. Currently a principal product manager at F5 Networks, he leads the development of cutting-edge Web application and API protection (WAAP) products with a focus on AI/ML innovations. Debrup has a proven track record of driving product success at major companies including Synopsys, Verizon, and Michelin. His leadership has earned him multiple global awards, including the 2024 Stevie Awards. A recognized thought leader, his insights have been featured in media outlets such as CNN and Forbes. Debrup holds an MBA from the University of California, Irvine, and a bachelor of technology from the National Institute of Technology, Tiruchirappalli.

How Developers Drive Security Professionals Crazy

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Business Leaders Shift to Tangible AI Results, Finds New TeamViewer Study

PRESS RELEASE

ESPOO, Finland, and LONDON, UK, 30th October, 2024:  Xiphera, a provider of highly-optimised, hardware-based cryptographic security, today announced its partnership with Crypto Quantique, a provider of quantum-driven IoT device security. The combination of Xiphera’s nQrux® Hardware Trust Engines and quantum-secure cryptographic IP, with Crypto Quantique’s QDID PUF (Physically Unclonable Function), offers quantum-resilience and immutable device identity for cryptographic hardware modules.  
The QDID PUF generates quantum-derived, secure, unclonable identities based on manufacturing variations unique to each semiconductor chip. The PUF, alongside other cryptographic primitives, forms the essential hardware root-of-trust IP required in security implementations.  
nQrux Hardware Trust Engines offer customisable cryptographic security modules with hardware-level trust and security services for the most critical environments and applications. nQrux IP cores enable full isolation of cryptographic operations and application-specific data into secure hardware elements. Xiphera’s extensive portfolio of cryptographic IP cores includes both traditional cryptographic algorithms, as well as Post-Quantum Cryptography (PQC) fighting against the looming quantum threat.  
“Many industrial and governmental entities recommend implementing quantum-resilient hardware solutions to prevent quantum attacks on current and future data. Cryptographic root-of-trust forms the security foundation of modern hardware infrastructures”, said Kimmo Järvinen, co-founder and CTO of Xiphera. “Upgrading these critical components to quantum-resilient algorithms and integrating Crypto Quantique’s PUF technology enables our customers to protect the identities and core security of their hardware devices into the foreseeable future.”  
Crypto Quantique’s CEO, Shahram Mossayebi, said, “The combination of nQrux Hardware Trust Engines and QDID provides the adaptability and upgradeability required for the security of connected devices. QDID creates random numbers on demand, so there is no need to store cryptographic keys in flash memory. This eliminates the danger of side-channel memory attacks revealing the keys. In addition, because PQC algorithms have large cryptographic keys, the PUF technology reduces the size of flash memory needed, reducing both power consumption and saving silicon area.”  
Learn more about Xiphera’s nQrux Hardware Trust Engines, and Crypto Quantique’s QDID IP cores.

You May Also Like

Xiphera &amp; Crypto Quantique Announce Partnership

Chinese APT groups increasingly lean on open source platform SoftEther VPN for network access. Now they're lending their know-how to Iranian counterparts.

Source: Owen McGuigan via Alamy Stock Photo

Infamous Chinese advanced persistent threat (APT) group "MirrorFace" has made notable moves into diplomatic espionage in the European Union using SoftEther VPN, the emerging tool of choice among these threat groups.

MirrorFace gained wide notoriety with its 2022 efforts to interfere in Japanese elections, and it has maintained operations in the country ever since. But researchers at ESET noticed the group recently popped up in the EU with espionage attacks against an unidentified diplomatic entity.

"For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors," Jean-Ian Boutin, director of threat research at ESET, said in a statement about the findings. "Many of these groups are particularly focused on governmental entities and the defense sector."

**SoftEther VPN Abuse Surges Among Beijing-Backed APT Groups**

Beyond expanding operations to an entirely new continent, ESET said MirrorFace has started increasingly relying on SoftEther VPN to maintain access, but it is not the only group. Other China-backed APTs — Flax Typhoon, Gallium, and Webworm — have also shifted to the open source, cross-platform VPN software favored by many cybercriminals.

In February, a previously unknown adversary group called Hydrochasma was discovered abusing SoftEther VPN in a cyber-espionage campaign against Asia-based shipping companies. In April, Chinese language-speaking threat group ToddyCat was discovered using SoftEther VPN to steal data from government and defense targets in the Asia-Pacfic region on an "industrial scale."

Now, researchers warn, those tactics have landed in Europe.

"Some China-aligned APT groups have shifted to rely more on SoftEther VPN for various reasons. It’s a legitimate software, which helps avoid detection," says Mathiew Tartare senior malware researcher at ESET. "Setting an HTTPS VPN tunnel between the compromised network and the attacker’s infrastructure allows them to easily blend the malicious traffic in the legitimate HTTPS traffic."

Tartare adds SoftEther VPN also lets attackers appear to be an authorized remote user accessing the network using everyday remote desk protocol (RDP) tools.

"We would not be surprised to observe an increase in the use of SoftEther VPN and other legitimate VPN or remote access tools to bypass detections and blend into legitimate traffic," he says.

Notably, Chinese-backed APTs are also lending their cybercrime know-how to Iranian-backed adversaries for cyber-espionage against Iraq and Azerbaijan, as well as French diplomats, according to ESET. Additionally, Iran is putting its hackers to work gaining unauthorized access into financial services organizations across Africa.

Both Chinese and North Korean threat actors have upped the intensity of attacks on educational institutions in the US, South Korea, and Southeast Asia, the ESET report added.

China-Backed MirrorFace Trains Sights on EU Diplomatic Corps

PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Source

DARKReading