The future of application security is no longer about reacting to the inevitable — it's about anticipating and preventing attacks before they can cause damage.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

In my years managing security in complex environments, I've seen how threats and defenses evolve, but application security has proven a very tough nut to crack. What excites me today is the significant progress we're making in closing long-standing gaps in AppSec, and I would argue that application detection and response (ADR) is leading the charge. 

**A Fresh Take on an old Problem**

Historically, application security has been reactive. Tools like firewalls, endpoint protection, and network monitoring have been crucial, but they've often missed the critical component of the application layer itself. As our applications have transformed into interconnected ecosystems, it's become clear that traditional security measures aren't measuring up. 

The paradigm shift of ADR, which hinges on transforming AppSec from reactive to proactive security, is finally moving the needle. Instead of just detecting threats, new ADR solutions are providing deep insights into application behavior in real-time, allowing us to get ahead of potential issues. It offers unprecedented visibility and response capabilities across distributed architectures, enabling continuous monitoring of runtime behaviors, anomaly detection, and rapid incident response. This shift not only enhances our ability to identify and address threats promptly but also significantly reduces incident response times. 

**Real-Time Visibility Is a Game Changer**

One of the most frustrating aspects of securing modern applications has always been the lack of real-time visibility. Traditional tools offer only a snapshot of an application's security at a specific moment, leaving us blind to what's happening during runtime. ADR integrations are changing this dynamic by utilizing data that's already being collected and turning it into actionable insights. 

It is now possible to continuously map out applications as they evolve, monitoring data flows, API interactions, and third-party integrations. This offers new capabilities to identify potential vulnerabilities and misconfigurations in real-time as applications scale or change in production environments. For instance, the discovery of the ALBeast vulnerability, a critical weakness in AWS's Application Load Balancers (ALBs), was made possible by real-time configuration analysis. This is yet another critical issue that would have otherwise gone unnoticed without ADR tools.

**Proactive, Not Reactive**

Previously, security often meant reacting to issues after they occurred. ADR allows us to get ahead of threats, providing security teams with context about how applications behave and where weaknesses may lie. It doesn't just stop at identifying anomalies, it helps us understand why those anomalies matter and how to address them effectively. 

What excites me most about this is how today's ADR pioneers are complementing existing security measures, like Web application firewalls (WAFs) or authentication controls. These tools often generate large volumes of alerts, many of which turn out to be false positives. With ADR tech, we can cut through that noise, prioritizing threats based on application-specific context and focusing on what really matters. The pragmatist in me is also thrilled to see how ADR enhances the effectiveness of these tools, ensuring that every part of a security stack operates at its full potential. 

**Securing Distributed, Cloud-Native Applications**

As we build more distributed and cloud-native applications, the complexity of these systems will continue to grow. These architectures provide incredible flexibility and scalability, but every integration also opens new attack surfaces. ADR is a field built for this environment, by capitalizing on the wealth of insights provided by runtime behavior across microservices, APIs, and third-party integrations. Application performance and identifying misconfigurations or vulnerable code paths can now be found within a moment. 

**Why Now?**

The timing for the budding ADR market couldn't be better. As the threat landscape continues to evolve, adversaries are getting more sophisticated, targeting weaknesses at the application layer that traditional tools can't catch. We're seeing new types of attacks that exploit the growing complexity of our applications, and ADR allows us to address these threats head-on. By integrating ADR tools and principles into our strategies, we not only respond more quickly, we also enhance overall security across the industry. 

I would also be remiss to downplay another key role of ADR — facilitating better collaboration between development and security teams. With real-time visibility into both the development and runtime phases, security doesn't have to feel like a roadblock anymore. Instead, it's becoming a continuous process that extends throughout the application life cycle. 

**Looking Forward**

While no solution is a silver bullet, ADR represents a significant step forward. By offering a clear window into how applications behave at every stage, we can finally move away from reactive, best-effort security to data-driven, proactive protection. 

For those of us responsible for securing today's complex environments, ADR signifies a much-needed evolution. The future of application security is no longer about reacting to the inevitable; it's about anticipating and preventing attacks before they can cause damage. 

As a chief information security officer, that's a future I'm genuinely excited about. 

**About the Author**

Vice President & CISO, Paychex

Bradley Schaufenbuel is the vice president and chief information security officer at Paychex, a recognized leader in the payroll, human resource, and benefits outsourcing industry.  

With more than 20 years of industry experience, Bradley is a recognized security professional with significant expertise in information security management, IT compliance, fraud examination, IT audit, computer forensics, ethical hacking, business continuity planning, project management, cloud security, and process improvement.  

Prior to Paychex, Bradley served as vice president and chief information security officer at Paylocity. Previously, he served as Director of Information Security at Midland States Bank, senior vice president and chief information security and privacy officer at Midwest Bank, senior manager of IT risk and security at Zurich Financial Services, and held senior security positions at Experian and Arthur Andersen. He is licensed to practice law in Illinois and is a member of the United States Supreme Court Bar.

Why I'm Excited About the Future of Application Security

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

The European Union adopted a new law setting EU-wide cybersecurity requirements for connected devices to ensure their safety.

Source: Deco via Alamy Stock Photo

The Council of the European Union adopted the Cyber Resilience Act earlier this month, a new law that will ensure that connected devices – including consumer products such as smart doorbells, televisions and toys, as well as commercial devices such as IP cameras – meet new cybersecurity requirements before going to market. 

The new regulations establish an EU-wide framework that encompasses design, development, production and the sale of hardware and software products that connect either directly or indirectly to another device or network. 

The law enhances existing cybersecurity legislation, making regulations more coherent and ensuring that “Internet of Things” (IoT) products are secure from supply chain to end-of-life. It applies to all products connected either directly or indirectly to another device or network.

CRA is designed to allow consumers to make informed decisions when shopping for connected digital products by making it easier for them to identify hardware and software with proper cybersecurity features. New products will be labeled with “CE” to signify they meet the requirements. Products that are already regulated by existing EU rules like medical devices, aeronautical products and cars are exempt from the new regulations.

In the coming weeks the legislative act will be signed by the presidents of the Council and of the European Parliament and be published in the EU’s official journal. The regulation will enter into force 20 days after publication and apply 3 years later, in 2027, although some provisions will apply at earlier stages. 

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

EU Adopts Cyber Resilience Act to Regulate Internet of Things

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

Source: Delphotos via Alamy Stock Photo

A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.

The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a "medium" severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).

Researchers from Microsoft have named their exploit of CVE-2024-44133 "HM Surf." In a new blog post, they described how HM Surf could open the door to a user's browsing data, camera, and microphone, as well as their device's location, among other things. And the threat doesn't only appear to be theoretical: There's already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.

Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.

"It's a serious concern, because of the unauthorized access it gives," says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, "By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it."

**Exploiting HM Surf**

In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.

Unless your app has a special "entitlement." Some of Apple's proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari's entitlement, "com.apple.private.tcc.allow," which allows it to bypass TCC at an app level, and apply it only on a per website ("per origin") basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.

Safari's configuration — including the rules that define per-origin TCC protections — are stored in various files under ~/Library/Safari, within the user's home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.

Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. Now they could modify Safari's per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.

**Was CVE-2024-44133 Already Exploited?**

After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they'd found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.

It was a program digging into the victim's Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.

This program, it turned out, was a well-known macOS adware program called "AdLoad." AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.

In its blog post, Microsoft noted that though AdLoad's activity closely resembled the HM Surf technique, "Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself." Still, it added, "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Dark Reading has contacted both Apple and Microsoft for further comment on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

Adoption of the email authentication and policy specification remains low, and only about a tenth of DMARC-enabled domains enforce policies. Everyone is waiting for major email providers to get strict.

Source: TierneyMJ via Shutterstock

The state of DMARC email authentication and security standard looked so promising at the beginning of 2024.

Google and Yahoo had set a deadline of February 2024 for bulk email senders to adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, and as companies scrambled to meet the deadline, the number of email domains with a valid DMARC record jumped 60% in two months. As of September, nearly 6.8 million domains have email sender authentication configured.

Even with that surge earlier in the year, the reality is that businesses continue to be slow in setting up email authentication on their domains. The adoption lag is especially pronounced in making the switch from DMARC's minimum-baseline policy of 'p=none' to more stringent policies. Enforcement means non-authenticated emails get quarantined or rejected. The share of DMARC-enabled domains with an enforced policy has actually gone down from a high of 18% a year ago, to less than 14% today.

While Google's and Yahoo's actions forced many companies to adopt DMARC, most of them — spurred by concerns about blocking legitimate messages — haven't adopted the quarantine or reject policies, says Seth Blank, chief technology officer at Valimail, a provider of email security services.

"Google and Yahoo put the requirements out, the ecosystem got a shot in the arm, and the message was heavily about security — so the people who cared about security did something," Blank says. "There's still a large part of this market that has not moved, hasn't taken any steps, even this bare minimum that we're seeing here."

The DMARC protocol aims to add authentication to the Internet's email infrastructure, requiring that email senders adopt two verification technologies — Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — and specify a policy for how other servers should handle mail from a sender not part of an authorized domain. In October 2023, Google and Yahoo required that email marketers — anyone sending more than 5,000 emails daily through the services — set up DMARC. The move resulted in a significant reduction in non-authenticated emails, with Google seeing two-thirds less (65%) unauthenticated messages sent to Gmail users and 265 billion fewer unauthenticated message sent so far this year, according to company data released last week.

**Fear, Uncertainty, and DMARC**

The adoption rate of DMARC has roughly doubled over the past year — from about 55,000 domains adding new DMARC records each month in 2023, to 110,000 domains per month in Q3 2024, according to Valimail data. Yet, even at that rate, it would still take nearly 15 more years for the top 25 million domains to get on board.

Source: Author, with data from Valimail

Moreover, DMARC adoption has been spotty. While more than 60% of the organizations in some industries, such as manufacturing and healthcare, have adopted DMARC, only one in five have actually moved from the lowest security policy ('p=none') to the highest ('p=reject,') according to data from EasyDMARC, an email-authentication services firm. Some sectors, such as non-profits and charity organizations, have increased adoption over the year, but fewer than 8% of domains are using DMARC.

Because email is critical to business operations, organizations worry that stricter enforcement will result in lost messages, especially because DMARC is not necessary an easy technology to implement and maintain, says Kelly Molloy, director of network development for DomainTools, an internet intelligence firm.

"The fear is, especially if you are a company who depends on leads via email, is that you're going to miss messages from interested parties — from customers and potential customers — if you start doing \[strict enforcement\]," she says, adding: "A lot of companies are being conservative and are not going farther than they really need to ... because it does take resources."

**Waiting for the Other Shoe to Drop**

The stalled adoption cycle will likely attract another major move by Google, Yahoo and other large consumer email services, says Hagop Khatchoian, technical services team lead at EasyDMARC.

"They \[Google and Yahoo\] are just forcing everyone to have at least 'p=none' ... to just have a basic policy without any enforcement — we foresee that will be changed in the next few years," he says. "But you can't just go on and tell everyone, 'Hey, you need 'p=reject,' ... because if you have a small misconfiguration in your email ecosystem, and you have an enforced policy, then your own legitimate emails will be blocked as well."

Valimail's Blank agrees, noting that the major email services — Google, Microsoft and Yahoo, as well as major email providers in other countries — are unlikely to wait long before again turning the screws on unauthenticated email.

"The sending community or the receiving community will mandate the next steps, because they know \[authentication\] is the single most important input into their system — being able to know who sent an email with far more certainty," he says. "We're going to see more action there ... and it will take years, but it's not going to be five to ten years. It's probably two, three, maybe four."

**None's Not Nothing, But Close to It**

With another DMARC-push in the cards from major email services, organizations should plan to shift their DMARC policy from 'none' to a higher level of enforcement.

The three levels of enforcement are:

*   p=none — Mail that fails authentication checks are still delivered.
    
*   p=quarantine — Any authentication failure results in email being quarantined, possibly delivered to a user's spam folder or to an organization's quarantine storage.
    
*   p=reject — Authentication failure leads to the email being discarded, although some service providers may instead quarantine the email in a separate folder.
    

Every enforcement level can produce reports, and companies should monitor the reports to check for issues and anomalies, says Valimail's Blank.

"DMARC at 'p=none' with no reporting is syntactically equivalent to not having DMARC at all," he says. "The value of DMARC comes from reporting and working towards a policy that is not 'none.' If you have 'p=none', and you're not getting reports, there is nothing you can do, there is nothing you can see, there is nothing you can fix."

Getting reports from the DMARC infrastructure is important level of visibility for companies as they pursue better email security. Large companies are not the only organizations to see significant abuse of email, so any firms that sends email should monitor their DMARC reports, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Time to Get Strict With DMARC

The security firm is denying an assessment that its systems were compromised in Israel by pro-Palestinian cyberattackers, but acknowledged an attack on one of its partners.

Source: David R. Frazier Photolibrary via Alamy Stock Photo

Security firm ESET is refuting reports that cyberattackers compromised its platforms and used them to target customers in Israel with dangerous wiper malware. However, it did note that a partner there, Comsecure, was impacted.

"We are aware of a security incident which affected our partner company in Israel last week," the firm acknowledged on social media platform X. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation."

Security researcher Kevin Beaumont (aka Gossi the Dog) prompted the response after blogging about a malicious email that an ESET user posted on the ESET user forum. The email was flagged as malicious, with the subject line, "Government-Backed Attackers May Be Trying to Compromise Your Device!" It purported to be from the ESET team, offering extra security defense in the face of an ongoing attack:

Source: ESET user forum.

The email had a .ZIP attachment that, if opened, unpacked a destructive wiper malware that bears resemblance to that used by the Handala threat group, according to the person who flagged the email for Beaumont. Handala, so named for the political cartoon character that has come to personify the Palestinian people’s national identity, is known for targeting Israeli organizations with file-destroying wipers in the wake of the Oct. 7 Hamas attacks and resulting war.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Beaumont noted, "I managed to obtain the email, which passes both DKIM and SPF checks for coming from ESET’s store," he said in the blog post. "Additionally, the link is indeed to backend.store.eset.co.il — owned by ESET Israel."

This led Beaumont to conclude via Mastodon, "ESET Israel definitely got compromised, this thing is fake ransomware that talks to an Israeli news org server for whatever reason."

ESET has now categorically refuted that takeaway, so the assumption is that the cyberattackers were using some sort of MO to get around anti-spoofing measures for the email and the .ZIP link. ESET did not immediately return a request for comment from Dark Reading for more information on Comsecure's role in the incident and the attack routine.

The campaign is now blocked for ESET customers.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

ESET-Branded Wiper Attack Targets Israel; Firm Denies Compromise

A survey shows three-quarters of CISOs are drowning in threat detections put out by a sprawling stack of tools, yet still lack the basic visibility necessary to identify breaches.

Source: Kjetil Kolbjørnsrud via Alamy Stock Photo

Global information security spend is projected to reach $215 billion by the end of 2024. But a new survey of chief information security officers (CISOs) shows that all that cash might not have bought the peace of mind they hoped for. In fact, 44% of CISOs across the globe reported missing a data breach in the past 12 months with existing tools.

The top blind spot identified in the survey of 234 global CISOs was hybrid cloud infrastructure and data-in-transit, which eight out of 10 of those surveyed by Gigamon said is a "top concern." Gigamon's report added that data-in-motion is where 93% of malware has historically hidden. Overwhelmingly, 84% of surveyed CISOs said getting visibility into this encrypted traffic was a top priority for the upcoming year.

"Modern cybersecurity is about differentiating between acceptable and unacceptable risk," Chaim Mazal, CSO at Gigamon, said in the survey report. "Our research shows where CISOs are drawing that line, highlighting the critical importance of visibility into all data-in-motion to secure complex hybrid cloud infrastructure against today’s emerging threats. It’s clear current approaches aren’t keeping pace, which is why CISOs must reevaluate tool stacks and reprioritize investments and resources to more confidently secure their infrastructure."

Related:Fighting Crime With Technology: Safety First

**The Cloud and Cyber Threat Observability**

Deep observability into hybrid cloud environments is top of mind for 82% of surveyed CISOs. And 85% of those surveyed would like to gain visibility into packet-level and application metadata. Boards too agree that this deep observability is critical, with 81% of CISOs reporting hybrid cloud infrastructure will be a budgeting priority in 2025.

"Today’s CISOs recognize that security and observability are intrinsically connected," Stephen Elliott, group vice president, IT operations, observability, and CloudOps at IDC, said in the report. "The network provides a crucial layer of context that can inform security operations and vice versa, which is why modern security teams are leveraging network-derived intelligence and insights to understand the true impact of a threat and prioritize their responses accordingly."

But before CISOs start spending on new tools, they plan to get the most out of what they already have, according to the survey. Three-quarters of those CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts. So to get a better handle on hybrid cloud data and infrastructure, for instance, 60% of CISOs said their top priority for 2025 will be to consolidate and optimize existing tools for that arena.

Related:Cloud, AI Talent Gaps Plague Cybersecurity Teams

CISOs: Throwing Cash at Tools Isn't Helping Detect Breaches

This year, the majority of developers have adopted AI assistants to help with coding and improve code output, but most are also creating more vulnerabilities that take longer to remediate.

Source: Gorodenkoff via Shutterstock

Less than two years after the general release of ChatGPT, most software developers have adopted AI assistants for programming. That's boosting efficiency, but at the same time, it's led to a higher cadence of software development that has made maintaining security more difficult.

Developers are on track to download more than 6.6 trillion software components in 2024, which includes a 70% increase in downloads of JavaScript components and a 87% increase in Python modules, according to the annual "State of the Software Supply Chain" report from Sonatype. At the same time, the mean time to remediate vulnerabilities in those open source projects has grown significantly over the past seven years, from about 25 days in 2017 to more than 300 days in 2024.

One likely reason: The advent of AI is driving speedier development cycles, making security more difficult, says Brian Fox, chief technology officer of Sonatype. The majority of developers now use AI tools in their development process according to a recent Stackoverflow survey, with 62% of coders saying they used an AI assistant, up from 44% last year.

"AI has quickly become a powerful tool for speeding up the coding process, but the pace of security has not progressed as quickly, and it’s creating a gap that is leading to lower-quality, less-secure code," he says. "We’re headed in the right direction, but the true benefit of AI will come when developers don’t have to sacrifice quality or security for speed."

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

Security researchers have warned that AI code generation could result in more vulnerabilities and novel attacks. For instance, a group of researchers demonstrated the ability to poison the large language models (LLMs) used for code generation with maliciously exploitable code at the USENIX Security Symposium in August. In March, researchers with an LLM security vendor showed that attackers could use AI hallucinations as a way to direct developers and their applications to malicious packages.

Developers also have growing concerns over the potential for AI assistants to suggest or propagate vulnerable code. While the majority of developers (56%) expect AI assistants to provide usable code, only 23% expect the code to be secure, while a larger group (40%) don't believe AI assistants provide secure code at all, according to research by software development firm JetBrains and the University of California at Irvine, published in June.

Open source projects take longer to remediate vulnerabilities. Source: Sonatype

Many developers remain nonplussed by the speed of change wrought by AI coding tools, and there is likely more to come, says Jimmy Rabon, senior product manager with Black Duck Software, a software-integrity tools provider.

Related:Chinese Researchers Tap Quantum to Break Encryption

"We haven't seen the long-term effects of adding something that can code at the level of a junior- or intermediate-level developer and at massive scale," he says. "My expectation is that we will see more intermediate mistakes — the basic mistakes that you would make as a junior or intermediate level developer — and \[issues with\] understanding the context of where some of the data flows."

**2024: The Year of the Developer's AI Assistant**

While AI assistants are now being used by the majority of developers, in business environments, adoption of AI tools is much higher — more than 90% of developers used AI assistants, according to Black Duck's 2024 Global State of DevSecOps survey. AI as a tool for developers is well-entrenched and "will never go away," Rabon says.

Yet many developers don't have the experience to judge whether code provided by an AI assistant is safe. Entry-level developers, for example, are more trusting of AI-produced code than their professional counterparts, with 49% trusting the accuracy of AI-generated code versus 42% for more experienced developers, according to Stackoverflow's annual developer survey.

Related:WP Engine Accuses WordPress of 'Forcibly' Taking Over Its Plug-in

In addition, AI tools will affect the education of developers and could make it harder for those entry-level developers to gain the skill needed to advance in their careers, experts say. The reliance on AI to complete simple programming projects could reduce the need for new or entry-level developers who typically tackle simpler coding tasks, removing a training path, Sonatype's Fox says.

"The development community is aging, and the introduction of AI poses potential risks to younger generations," he says. "If AI can handle the tasks previously assigned to budding developers, how will they gain the experience needed to replace older developers exiting the industry?"

**Automatic Generation of Secure Code**

Until the companies behind AI assistants create training datasets that contain secure code suggestions, or put in place guardrails to protect against vulnerable and malicious code generation, companies will have to deploy automated software security tools to check the work of any coding assistant.

The good news is, between the additional security checks and the fast evolution of code-generation assistants, the security of software and applications could eventually become much stronger, says Black Duck's Rabon.

"There are certain basic security flaws that I think will disappear," he says. "If you asked an AI system to generate code, why should it ever \[suggest an insecure function?\] ... I don't think that we've had enough time to really see the dramatic effects of \[such capabilities\] or prove them out."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vulnerabilities, AI Compete for Software Developers' Attention

Traditional practices are no longer sufficient in today's threat landscape. It's time for cybersecurity professionals to rethink their approach.

Malleswar Reddy Yerabolu, Senior Security Engineer, North Carolina Department of Health and Human Services

October 18, 2024

5 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY  
In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires. 

**The Shortcomings of Traditional Vendor Risk Management**

Historically, organizations have relied on static risk assessments and due diligence processes to evaluate their suppliers. This involves vetting vendors using questionnaires, compliance audits, and sometimes even on-site assessments. While these methods help ensure compliance with industry regulations and basic cybersecurity hygiene, they are no longer enough to combat today's sophisticated supply chain attacks. 

The major flaw of traditional vendor risk management is that it assumes security is a one-time evaluation rather than an ongoing process. A vendor might pass an initial audit, but what happens when it updates its software or onboards a third-party subcontractor? Additionally, static assessments rarely account for zero-day vulnerabilities or the rapid evolution of threat landscapes. In short, by the time an assessment is complete, the information is often outdated. 

**Proactive Supply Chain Monitoring: A New Paradigm**

A more effective approach to supply chain security involves continuous, real-time monitoring of vendors. Rather than waiting for the next audit or questionnaire cycle, organizations should be leveraging tools that provide up-to-date visibility into their vendors' cybersecurity postures. 

There are several ways this can be accomplished: 

*   Third-party risk management platforms: Platforms like BitSight and Security Scorecard allow organizations to monitor the external security posture of their vendors continuously. These platforms aggregate data from public sources, including open vulnerabilities, SSL configurations, and even mentions of potential breaches, to give security teams real-time insights into potential risks. 
    
*   Threat intelligence integration: By integrating threat intelligence feeds into the vendor risk management process, organizations can identify whether any vendors are being actively targeted by attackers, or if their infrastructure is compromised. This dynamic approach goes beyond static questionnaires, allowing organizations to act quickly in response to emerging threats. 
    
*   Continuous penetration testing: Routine penetration testing is no longer a luxury; it's a necessity. Regular testing of vendors' systems ensures that vulnerabilities are identified and mitigated before attackers can exploit them. With the increasing automation of penetration testing tools, this process can be made continuous rather than sporadic.
    

**Blockchain for Enhanced Supply Chain Transparency**

Another innovative solution to supply chain security challenges is the use of blockchain for transparency and traceability. Blockchain technology allows for the creation of immutable audit trails, making it possible to trace the origin of every component in the supply chain. This can be especially valuable in industries like pharmaceuticals or critical infrastructure, where counterfeit products or compromised components can have catastrophic consequences. 

By using blockchain, organizations can verify that every link in the supply chain adheres to security standards and hasn't been tampered with. In addition, smart contracts on blockchain can enforce compliance, triggering alerts or even actions (such as revoking access) when deviations from agreed-upon standards occur. 

**Managing Access: A Dynamic Approach to Vendor Permissions**

One critical element of supply chain cybersecurity that is often overlooked is how vendors access internal systems. Traditional models grant vendors broad access to systems and data, often far beyond what is necessary. This presents a significant risk, as compromising a single vendor's account could grant an attacker the keys to an organization's entire network. 

A more dynamic approach involves implementing zero-trust principles, where vendors are granted the minimum necessary permissions, and access is constantly reevaluated. This can be done through: 

*   Granular access control: Leveraging role-based access controls (RBAC) or even attribute-based access controls (ABAC) ensures that vendors have access only to the resources they need at any given time. 
    
*   Behavioral monitoring: Continuous monitoring of vendor behavior within your systems can help detect abnormal activity that might indicate a compromise. AI-driven anomaly detection tools can provide early warning signs that a vendor's account has been hijacked. 
    
*   Just-in-time access: Some organizations are adopting just-in-time (JIT) access, where vendors are granted temporary access to systems only when required, and access automatically expires after a predefined period. This minimizes the risk of persistent backdoors being left open. 
    

**Collaboration Across the Supply Chain**

Lastly, improving supply chain security requires collaboration between all stakeholders. Organizations must foster a culture of shared responsibility, where security is not viewed as the sole responsibility of individual vendors but as a collective effort. This can be achieved through: 

*   Security scorecards for vendors: Regularly sharing security posture reports with vendors encourages transparency and accountability. These reports can highlight areas where vendors need to improve and set clear expectations for remediation. 
    
*   Vendor security workshops: Hosting workshops or training sessions for vendors can help elevate their understanding of modern security practices and ensure that their teams are equipped to mitigate risks. 
    

**A Call to Action**

The time has come for cybersecurity professionals to rethink their approach to supply chain security. Traditional vendor risk management practices are no longer sufficient in today's threat landscape. By adopting continuous monitoring, leveraging blockchain for transparency, and implementing dynamic access control, organizations can build more resilient supply chains that are harder for attackers to compromise. 

Ultimately, securing the supply chain is not just about protecting your vendors — it's about safeguarding your entire business ecosystem. 

**About the Author**

Senior Security Engineer, North Carolina Department of Health and Human Services

Malleswar Reddy Yerabolu is a senior security engineer with more than seven years of experience in vulnerability management, threat analysis, and security architecture across financial, hospitality, government, and communication sectors. He specializes in leveraging AI, machine learning (ML), and natural language processing (NLP) to enhance threat detection and automate security processes. His research focuses on integrating AI and NLP to optimize cybersecurity solutions. Malleswar’s innovative approach helps organizations reduce risks and strengthen their defenses against evolving cyber threats. He holds a master’s degree in computer engineering from California State University.

Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management

PRESS RELEASE

October 17, 2024: OpenAI is projected to generate over $10 billion in revenue next year, a clear sign that the adoption of generative AI is accelerating. Yet, most companies struggle to deploy large AI models in production. With the steep costs and complexities involved, nearly 90% of machine learning projects are estimated never to make it to production. Addressing this pressing issue, Simplismart is today announcing a $7m funding round for its infrastructure that enables organizations to deploy AI models seamlessly. Like the shift to cloud computing, which relied on tools like Terraform and mobile app development fueled by Android, Simplismart is positioning itself as the critical enabler for AI’s transition into mainstream enterprise operations.   
The series A funding round was led by Accel with participation from Shastra VC, Titan Capital, and high-profile angels, including Akshay Kothari, Co-Founder of Notion. This tranche, more than ten times the size of their previous round, will fuel R&D and growth for their enterprise-focused MLOps orchestration platform.  
The company was co-founded in 2022 by Amritanshu Jain, who tackled cloud infrastructure challenges at Oracle Cloud, and Devansh Ghatak, who honed his expertise on search algorithms at Google Search. In just two years, with under $1m in initial funding, Simplismart has outperformed public benchmarks by building the world’s fastest inference engine. This engine allows organizations to run machine learning models at lightning speed, significantly boosting performance while driving down costs.  
Simplismart’s fast inference engine allows users to leverage optimized performance for all their model deployments. For example, Its software-level optimization helps run Llama3.1 (8B) at an impressive throughput of >440 tokens per second. While most competitors focus on hardware optimisations or cloud computing, Simplismart has engineered this breakthrough in speed within a comprehensive MLOps platform tailored for on-prem enterprise deployments - agnostic towards choice of model and cloud platform.  
“Building generative AI applications is a core need for enterprises today. However, the adoption of generative AI is far behind the rate of new developments. It’s because enterprises struggle with four bottlenecks: lack of standardized workflows, high costs leading to poor ROI, data privacy, and the need to control and customise the system to avoid downtime and limits from other services,” said Amritanshu Jain, Co-Founder and CEO at Simplismart  
Simplismart’s platform offers organizations a declarative language (similar to Terraform) that simplifies fine-tuning, deploying, and monitoring genAI models at scale. Third-party APIs often bring concerns around data security, rate limits, and utter lack of flexibility, while deploying AI in-house comes with its own set of hurdles: access to computing power, model optimisation, scaling infrastructure, CI/CD pipelines, and cost efficiency, all requiring highly skilled machine learning engineers. Simplismart’s end-to-end MLOps platform standardizes these orchestration workflows, allowing the teams to focus on their core product needs rather than spending numerous manhours building this infrastructure.  
Amritanshu Jain added: “Until now, enterprises could leverage off-the-shelf capabilities to orchestrate their MLOps workloads since the quantum of workloads, be it the size of data, model or compute required, was small. As the models get larger and the workload increases, it will be imperative to have command over the orchestration workflows. Every new technology goes through the same cycle: exactly what Terraform did for cloud, android studio for mobile, and Databricks/Snowflake did for data.”  
“As GenAI undergoes its Cambrian explosion moment, developers are starting to realise that customizing & deploying open-source models on their infrastructure carries significant merit; it unlocks control over performance, costs, customizability over proprietary data, flexibility in the backend stack, and high levels of privacy/security”, said Anand Daniel, Partner at Accel. “We were happy to see that Simplismart’s team saw this opportunity quite early, but what blew us away was how their tiny team had already begun serving some of the fastest-growing GenAI companies in production. It furthered our belief that Simplismart has a shot at winning in the massive but fiercely competitive global AI infrastructure market.”  
Solving MLOps workflows will allow more enterprises to deploy genAI applications with more control. They want to manage the tradeoff between performance and cost to suit their needs. Simplismart believes that providing enterprises with granular Lego blocks to assemble their inference engine and deployment environments is key to driving adoption. 

You May Also Like

Source

DARKReading