Expansion includes new capabilities for hybrid deployment models and industrial Internet of things (IIoT) environments.

ATHENS, Greece, May 17, 2022 /PRNewswire/ -- Barracuda Discover.22 EMEA Partner Conference --

**Highlights:**

*   Cloud-native Secure Access Service Edge (SASE) platform from Barracuda now supports hybrid cloud environments, enabling deployments in Microsoft Azure and at the private service edge.
*   Barracuda provides industry-leading, highly scalable connectivity and security support for the industrial internet of things (IIoT). Technology integrations with FireMon, Skybox, TTTech, and Nozomi further expand the scope of security services.
*   Barracuda's Zero Trust Access solution is now simpler to deploy, leveraging a new virtual deployment with integrated directory connectors.

Barracuda Networks, Inc., a leading provider of cloud-first security solutions, today announced the expansion of its cloud-native SASE platform. Barracuda's SASE platform streamlines Secure SD-WAN, firewall-as-a-service, Zero Trust Network Access, and Secure Web Gateway functionality and incorporates secure connectivity to industrial IoT devices. The expansion includes new capabilities for hybrid deployment models and IIoT environments. Additionally, new technology integrations offer secure data transfer, orchestration, asset management, and anomaly detection.

**According to Gartner®**, "By 2024, 80% of SD-WAN deployments will incorporate security service edge (SSE) requirements, up from less than 25% in 2022."1

As part of the Barracuda SASE platform, CloudGen WAN, Barracuda's Secure SD-WAN service and firewall-as-a-service, now provides private service edge for hybrid deployments. Private service edge is ideal for organizations that need to follow certain geopolitical requirements or need full control over the data plane. Private service edge devices provide the same scope of security and networking functionality as the cloud service and are administrated and maintained via a central management platform.

Barracuda CloudGen WAN now offers Secure Connector virtual appliances and new ruggedized site devices. These updates provide highly scalable internet-of-things connectivity, as well as cloud and private service edge-based security for IIoT endpoints. The Secure Connector endpoint virtual agent can be deployed in Docker environments for a wide range of third-party IIoT solutions.

To meet the specific challenges and requirements of digitalization and the internet of things, Barracuda integrates with specialized technology partners, including FireMon, Skybox, TTTech, and Nozomi. These integrations provide the ability for customers to enable secure data transfer, take advantage of automated incident response, and align with the latest IIoT security standards.

Zero Trust Access is often the first step toward SASE. As part of Barracuda's SASE platform, Barracuda CloudGen Access now offers new tools and capabilities that radically simplify deployments. CloudGen Access is now available with a turnkey proxy for simple deployment and cloud user directory connector for easy sync of users and groups.

**Quotes:  
**"The expansion of Barracuda's cloud-native SASE platform for hybrid deployment models and IIoT environments solves a number of common security, connectivity, and scalability challenges that businesses are facing in this age of digital transformation," **said Tim Jefferson, SVP, Engineering for Data, Network, and Application Security at Barracuda.** "Today's announcement underscores Barracuda's ongoing commitment to collaborate with specialized technology partners to develop tailored solutions, integrate advanced technologies, and expand the capabilities of our cloud-first offerings."

"Barracuda offered the only cloud-native firewall-as-a-service that provided all the enterprise security levels we needed and even included SD-WAN for uninterrupted connectivity and reliable application access to Azure," **said Hans Redlich, IT Lead at Hagedorn Group of Companies, in a Barracuda case study.**

"Barracuda Secure Connector solutions made it easy for us to implement device connectivity and IoT-platform connectivity across our products," **said Ulrich Poeschl, Chief Information Security Officer at Test-Fuchs GmbH, in a Barracuda** **case study****.**

**Resources:**  
Check out the product page: https://www.barracuda.com/products/sase

Get the Gartner**®** report, How to Align SD-WAN Projects with SASE Initiatives: http://cuda.co/grptsdwansase

Gartner named Barracuda a Visionary in 2021 Magic Quadrant™ for Network Firewalls. Get the report: https://www.barracuda.com/networkfirewallsmq

**See the blog posts:  
**A closer look at the expansion of Barracuda's SASE platform: http://cuda.co/50895

Zero Trust adoption simplified: http://cuda.co/50893

Aligning SD-WAN projects with SASE initiatives: http://cuda.co/50891

**Citations:  
**1Gartner, "How to Align SD-WAN Projects With SASE Initiatives," by Bjarne Munch, Lisa Pierce, Craig Lawson, published December 1, 2021.

Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D'Hoinne, Nat Smith, Adam Hils, 1 November 2021

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

**About Barracuda Discover.22 EMEA Partner Conference  
**Barracuda Discover.22 takes place May 17-19 in Athens, Greece. The informative event covers a wide range of topics, including security threats and trends, hands-on technical sessions, new product announcements, and the latest innovations in email protection, application and cloud security, network security, and data protection.

**About Barracuda  
**At Barracuda, we strive to make the world a safer place. We believe every business deserves access to cloud-first, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers' journey. More than 200,000 organizations worldwide trust Barracuda to protect them — in ways they may not even know they are at risk — so they can focus on taking their business to the next level. For more information, visit barracuda.com. 

Barracuda Networks, Barracuda and the Barracuda Networks logo are registered trademarks or trademarks of Barracuda Networks, Inc. in the U.S. and other countries. Other trademarks are the property of their respective owners.

Barracuda Expands Cloud-Native SASE Platform to Protect Hybrid Cloud Deployments

Provides security architects with access to custom scripts that can be natively integrated with other Qualys solutions.

FOSTER CITY, Calif., May 17, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today unveiled Qualys Custom Assessment and Remediation, opening its Cloud Platform to give security architects access to custom scripts that can be natively integrated with other Qualys solutions. This new solution significantly reduces response time by empowering security teams to orchestrate workflows, secure custom applications, and take immediate action to counter threats like zero-day attacks lessening the need to rely on the IT operations teams.

When threats hit, security teams need to quickly discover, assess and remediate both their third-party and custom applications. A typical response involves creating new out-of-band processes and custom scripts that need to be rolled out across hundreds or thousands of applications and endpoints by the security teams using a variety of techniques and ITSM tools. This approach creates a blind spot from an auditing and tracking standpoint and negatively impacts responsiveness.

"Reducing mean time to respond (MTTR) is the key metric for managing security risk, but it requires having the right security tools in place to optimize efficiency," said Melinda Marks, senior analyst at Enterprise Strategy Group. "Qualys Custom Assessment and Remediation leverages the comprehensive capabilities of the Qualys Cloud Platform to speed up your ability to respond to a detected security issue. It provides centralized control while helping teams remediate issues within their existing tools and workflows, saving them from inefficient, costly out-of-band rework cycles."

Qualys Custom Assessment and Remediation opens the Qualys Platform for security architects allowing the creation of custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond and remediate threats across your global hybrid environment.

Qualys Custom Assessment and Remediation enables security teams to:

**Quickly Address Zero-Day Threats**– The solution puts the power to rapidly respond to zero-day vulnerabilities directly in the hands of the security team by automating processes such as collecting and evaluating data, synthesizing third-party threat intelligence feeds, and performing appropriate remediation actions, such as configuration changes, deleting suspicious files or deploying registry changes. The result is an accelerated MTTR, which is critical to containing an attack**.**

**Secure and Audit Custom Applications –** Security teams can add customized controls and processes, without IT intervention, for various organizational activities including remediation actions eliminating the need to reinvent new scripts. This improves efficiency and allows security practitioners time to focus on more strategic activities.

**Tightly Integrate into Qualys VMDR Workflows** – Scripts are seamlessly integrated into existing VMDR workflows via assignment of custom Qualys IDs and Control IDs, which increases efficiency.

**Access a Centralized Library for Custom Scripts and Controls** – The solution provides centralized control over custom scripts easily mapped into workflows, and it is secured by role-based access control (RBAC) as well as review and approval processes. Additionally, deployment of scripts is simplified by using a centrally managed and customizable library of more than 50 popular reusable scripts to address common problems.

"Security teams struggle to manage and respond to a range of challenges that often require custom approaches," said Nagi Prabhu, chief product officer, Qualys. "By opening the Qualys Platform, we put security teams in the driver's seat. Qualys Custom Assessment and Remediation enables the creation of custom scripts and controls that are seamlessly integrated into existing security processes and workflows while extending the capabilities of the Cloud Agent so organizations can respond to threats such as Zero-Days immediately."

**Availability**

Qualys Custom Assessment and Remediation is immediately available. To request a free trial, visit www.qualys.com/car-trial. Learn more by joining our June 1 webinar.

**Additional Resources**

*   Learn about Qualys Custom Assessment and Remediation
*   Details on the Qualys Cloud Platform
*   Follow Qualys on LinkedIn and Twitter

**About Qualys**

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit http://www.qualys.com.

Qualys Adds Custom Assessment and Remediation to Its Cloud Platform

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware.

The botnet variant is being called Sysrv-K by Microsoft Security Intelligence researchers that posted a thread on Twitter revealing details of the botnet variant.

Researchers said criminals behind Sysrv-K have programmed their bot army to scan for instances of the flaws in WordPress plugins as well as a recent remote code execution (RCE) flaw in the Spring Cloud Gateway (CVE-2022-22947).  
  
“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947. Once running on a device, Sysrv-K deploys a cryptocurrency miner,” said Microsoft Security Intelligence in a tweet.

> We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.
> 
> — Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022

The Spring Cloud is an open-source library that eases the process of developing the JVM application for the cloud and the Spring Cloud Gateway provides a library for building API Gateways for Spring and Java.

The CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library and an attacker can perform remote code execution (RCE) on unpatched hosts. The flaw affected the VMware and Oracle products and it has been marked as critical by both the vendors.

****Working of Sysrv-K****

The Microsoft security intelligence team warned that Sysrv-K can gain control of the web servers by scanning the internet for various vulnerabilities to install itself. The vulnerabilities range from RCE to an arbitrary file download and path traversal to remote file disclosure.

The security researcher at Lacework Labs and Juniper Threat Labs observed two main components of malware that is to spread itself across networks by scanning the internet for vulnerable systems and installing the XMRig cryptocurrency miner (used for mining Monero) following a surge of activity in March 2021.

The new feature of Sysrv-K is that it scans for WordPress config files and their backups to steal credentials and gain access to the webserver. Apart from this “Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot” Microsoft added.

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet” the Microsoft security intelligence team reported.

Microsoft advised the organizations to secure internet-facing Linux or Windows systems, timely apply security updates, and protect credentials. “Microsoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behavior and payloads,” they added.

The critical RCE, Worms, and 6 Zero-days including (CVE-2022-22947) were faced by Microsoft in January 2022.

Sysrv-K Botnet Targets Windows, Linux

The goal was Win32k Lockdown – a serious step up in Windows security

The goal was Win32k Lockdown – a serious step up in Windows security

Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.

On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.

**Process isolation**

When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.

The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.

**YOU MIGHT ALSO LIKE** ‘Browser in a browser’ – Phishing technique simulates pop-ups to exploit users

The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.

The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.

Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.

**Win32k Lockdown**

Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threats, OS processes, and memory.

Specifically, Mozilla wanted to restrict access to win32k.sys, an API historically exploitable, via Microsoft’s , an app for disabling access to win32k.sys system calls.

However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.

Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.

In addition, Firefox has also rehashed line break functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.

**Gradual expansion**

While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.

A quiet change was introduced for Mac users In Firefox 95 that blocked access to the WindowServer, improving process startup by between 30 - 70% and bumping up security. In Linux, the link between content processes and the X11 Server was broken in Firefox 99.

“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.

“We’re pleased to have made it through and present you with the result in Firefox 100.”

Read more of the latest browser security news

Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts and CVE-2022-29911, an iframe sandbox bypass.

Both Chome and Firefox have now reached the triple-digits in browser versions. When websites rely on identifying the browser version to perform business logic functions, moving from double to triple could break website functionality.

Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.

_The Daily Swig_ has reached out to Mozilla and we will update when we hear back.

**RELATED** ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system, detractors claim

Firefox debuts improved process isolation to reduce browser attack surface

Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.
The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.
"Sysrv-K scans the

Microsoft is warning of a new variant of the **srv botnet** that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.

The tech giant, which has called the new version **Sysrv-K**, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.

"Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company said in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities."

This also includes CVE-2022-22947 (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request.

It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its Known Exploited Vulnerabilities Catalog.

A key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a Telegram Bot.

Once infected, lateral movement is facilitated through SSH keys available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk.

"The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware," Lacework Labs researchers noted last year. "Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems."

Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners

Maintainers of open source software (OSS) will gain additional security tools for their own projects, while the developers who use OSS — and about 97% of software does — will gain more data on security.

The maintainers of thousands of critical open source projects and the developers who build on the foundation of that code will both benefit from 10 security initiatives launched late last week by the Linux Foundation, the Open Source Security Foundation (OpenSSF), and 37 technology companies, the groups said — including tech bigwigs Amazon, Google, and Microsoft.

During a second summit of software industry professionals and government officials, the organizations committed to supporting a 10-step plan to shore up open source maintainers, provide tools to improve software security, and secure the software supply chain. 

The Open Source Software Security Mobilization Plan groups the 10 steps into three broad initiatives: securing open source software production, improving the discovery and remediation of vulnerabilities, and speeding the ecosystem's time to patch.

To show their commitment, a group of companies has pledged $30 million of the estimated $150 million needed to fund all 10 initiatives for the first two years, Brian Behlendorf, general manager of the OpenSSF, said during a press conference on Thursday. This initial $30 million comes from Amazon, Ericsson, Google, Intel, Microsoft, and VMWare.

"We realize that \[$150 million\] is a meaningful amount," he said. "It is an amount more than any one open source developer has, or even most open source projects. But when compared to the cost of remediating a major vulnerability out there, like we have seen in the last few years, it is a drop in the bucket — a very small ounce of prevention to spend for many, many pounds of cure."

The 10-step plan calls for educating and certifying developers in secure programming, creating and maintaining security metrics for the top 10,000 OSS components, promote digital signing of software releases, and replacing non-memory-safe languages, such as C and C++, with more modern alternatives, such as Go and Rust. The plan also calls for improving the discovery of vulnerabilities and their remediation by funding a team of experts to assist open source projects during incidents, provide advanced security tools, fund third-party reviews, and coordinate sharing of data to determine the most critical components.

The intent is to improve security without increasing workload, the open source foundations stated in the report.

"\[A\]ll forms of investment and intervention should be focused on delivering new value to OSS maintainers — from making it easier to adopt practices that enhance the security and integrity of their work, to funding activities like third party code reviews that most projects struggle to afford to perform on their own," the report stated. "Any investments or policies that place additional burdens on developers, increase their personal or professional liability for working on code, or issue unfunded mandates upon them, would struggle for adoption and potentially inhibit further advancements in open source software."  

**Developers & Maintainers to See More Tools  
**The main focus of the $150 million effort will be to produce tools, training. and services for developers and maintainers to create more secure software. Already, some tools have been released as part of the efforts of the OpenSSF and other supporters, such as Google. 

Google, for example, released a tool known as AllStars that automatically vets GitHub projects to flag any anomalies, which could indicate a security issue in the maintenance of the project. The company has also released a system, Scorecard, for rating projects in 18 different areas to give them a security rating. Google and the Linux Foundation, meanwhile, released a tool, sigstore, to help verify the integrity of software supply chains.

Such efforts are extremely important to reduce the impact of security efforts on developers' work, Stephen Chin, vice president of developer relations at software supply chain security firm JFrog, said in a statement.

"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises," he said. "Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen."

Even more important than the tools are that the efforts create standards that allow interoperability between tool sets, Dan Lorenc — CEO and co-founder at Chainguard and a co-creator of sigstore — said in a statement.

"Interoperability is the linchpin in securing software throughout the supply chain," he said, adding: "These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project, nor do they have dedicated staff to understand and integrate all of these tools."

**Gaining Momentum for Open Source Security Support  
**OpenSSF has already made a number of announcements of initiatives that will likely become components of the industry's approach to supporting the creation and maintenance of a more secure software supply chain. Earlier this year, for example, the group announced the Alpha-Omega Project, which aims to secure the most critical software by providing tools and support to maintainers. In March, the OpenSSF and the Laboratory for Innovation Science at Harvard announced four lists of 500 open source projects deemed most critical in two major ecosystems, the JavaScript-based Node Package Manager (NPM) and non-NPM frameworks.

In October, the OpenSSF announced that 16 premier members — including Amazon, Cisco, Facebook, Fidelity, Google, Microsoft, and Red Hat — along with 15 general members had  committed $10 million to expand and support the organization.

The broad base of support shows that open source security is a problem that affects every business using software, Brian Fox, CTO at Sonatype, said in a statement.

"It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today," he said. "It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone."

Open Source Security Gets $150M Boost From Industry Heavy Hitters

To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.

A few months ago I had a conversation with the CISO of a multinational logistics company who told me that his company will never allow citizen development. "I see that the benefit could be massive, but we will never allow it," he said.

This statement made perfect sense. Allowing employees with little IT or coding experience to develop applications seems counterintuitive to companies that are used to seeking strict controls over developers, applications, and digital assets. For many executives, citizen development seems to belong to a distant future.

In a follow-up meeting with that same CISO a few weeks ago, the conversation went in a very different direction. Marketing teams found their way around the CASB and started using no-code automation. Business applications teams started using Salesforce to streamline business processes rather than focus only on sales and customization. Employees all around the company were using Microsoft's built-in platform to build custom applications in Teams. "Turns out, we didn't get to choose. Citizen development is now a reality, and I am now expected to mitigate its security risks," he told me.

This CISO is not alone. The world's largest banks, retailers, and manufacturing companies are going all-in on citizen development. At a recent online event, Microsoft announced that 97% of Fortune 500 companies use its low-code/no-code platform.

**How Low-Code/No-Code Platforms Find Their Way Into the Enterprise**  
To understand how organizations can transition from "low-code who?" to "business developers" in just a few months, we need to understand how low-code/no-code finds its way into the enterprise. We also need to look at low-code/no-code platforms' go-to-market (GTM) strategies.

**1\. Land-and-expand:** Low-code/no-code platforms follow multiple paths into the heart of the business. The first and most obvious one is a top-down approach. In organizations where digital transformation is a strategic effort, senior management often looks for platforms that can accelerate the productivity of their business teams. Low-code/no-code platforms are built to do exactly that. Two popular choices for digital transformation are low-code application platforms (LCAPs) and integration platform-as-a-service (iPaaS).

In the digital transformation scenario, an organization would typically set up a center of excellence (CoE) that starts off by finding key use cases that quickly produce business value. Think of business applications used to manage a giveaway campaign by HR, welcome vendors to your facilities, or facilitate IT equipment orders by employees. Even more importantly, the CoE serves as inspiration for business users to think of more ways in which they can improve their productivity with business applications and automation. This centralized team leading by example doesn't have to be explicitly called a CoE. It can be the business applications team, the intelligent automation team, or the integration team, for example.

Once users start getting an appetite for applications that streamline business processes, the CoE's backlog quickly overflows. It is at this stage that business users start building their own applications, either with guidance from the CoE or on their own.

Both LCAP and iPaaS vendors rely heavily on this process of expansion within the enterprise as their core growth strategy. While it's easier to get through the door with a solution used by a centralized team, the value that can be realized grows significantly when low-code/no-code tools are placed directly in the hands of business users. Indeed, LCAP and iPaaS vendors are investing a lot in making their platforms easier for citizen developers to use. Slowly but surely, business teams across the organization become aware of these platforms and start to use them to get their job done.

This land-and-expand model is a win-win for vendors and customers alike. Centralized teams bring these platforms into the corporation and demonstrate their value, leading to business teams realizing their potential by addressing a wide range of business needs quickly, on their own.

**2\. Bottom-up (shadow IT):** The marketing team at the aforementioned logistics company has been hard at work on a big conference. The company plans to make a few key announcements, with the intent to make it a big deal and generate lots of buzz. To translate this hype into leads, they want to set up a dedicated landing page with content optimized for conference visitors. The marketing team hires a vendor to build the page. In order to deliver quickly, the vendor uses a no-code automation platform to set up an email campaign and sync leads to the company's CRM. The end result is a great conference experience, powered by a no-code automation platform connected to the company's CRM.

In the rush of things, however, the CRM integration was set up with an administrator account shared with all developers on that account. At launch, only a few developers have access to the account, but after seeing the value, the whole marketing team is granted access, inadvertently sharing administrator privileges to the CRM. Security teams found out about it after the fact. The platform was purchased out of pocket due to time constraints, so there was no security assessment or an opportunity to say no.

This is a typical story, where platforms are introduced directly by users to solve a specific problem, without security visibility or guardrails. Once inside, they continue to expand to additional use cases and business groups. Vendors call this product-led growth (PLG), and it has been the hot GTM trend for the past few years.

Indeed, users are introducing these platforms because they actually solve their problems. Manual processes around order-to-cash, customer care, and marketing operations are a common example. This is great for business productivity. However, over time organizations can find that their business-critical data and processes have slipped out from under the security umbrella.

**3\. SaaS becoming the new business cloud:** Name your favorite corporate SaaS platform. Chances are, it's a low-code/no-code development platform too, and your business users are already building with it. Don't just trust me on this — I encourage you to check it out yourself.

In recent years, SaaS vendors are increasingly shifting toward becoming low-code/no-code development platforms. Microsoft, Salesforce, ServiceNow, Workday, Slack, and other leaders in SaaS have all introduced their own low-code/no-code platform, embedded right into the platforms your business users are already using. Some vendors are focused on if-this-then-that automation and others on custom application development. But all of them are reaching out to business users directly, empowering them to do more on their own.

Back in the previously mentioned logistics company, the CISO found out that users across the organization were using Power Platform, Microsoft's low-code/no-code platform embedded in Office, to build custom applications for their Teams channels. These applications gained access to resources on behalf of their Teams users to do useful things like set up calendar invites, send emails, or share SharePoint files. Inadvertently, it also gave the application creators control over application user identities, allowing them to impersonate their users through the applications. Like any application that gains access on behalf of users, that access could be used to do harm, either by malice or by mistake.

SaaS vendors are pushing strong on low-code/no-code as a way to expand their business. They are using their advantage of already being at the fingertips of business users and are building app development platforms for their specific personas. This, again, is great for innovation and business velocity.

**The Time to Act Is Now  
**With all of the different ways low-code/no-code finds its way into the enterprise, it's becoming clear that organizations can't just opt out of citizen development. Gartner has predicted that the number of active citizen developers at large enterprises will outnumber professional developers four to one by 2023. Other analyst firms have predicted similar numbers. Even if we end up having _just_ one citizen developer per professional developer, can we really let that slip outside the security umbrella?

Instead, security teams should embrace low-code/no-code and help guide the new generation of citizen developers in line with enterprise requirements. The sooner this is done, the better.

You Can't Opt Out of Citizen Development

In a Black Hat Asia keynote fireside chat, US national cyber director Chris Inglis outlined his vision of an effective cybersecurity public-private partnership strategy.

BLACK HAT ASIA – The future of cybersecurity public-private partnerships (PPP) will be about sharing efforts and pooling resources to provide a common defense, explained US national cyber director Chris Inglis during a fireside chat at Black Hat Asia.

Inglis called it a "new social contract" and defined the joint work that lies ahead for both government and business to protect their interests. It should be a "collaborative, not a division of effort," he told moderator and Black Hat founder Jeff Moss. He added that it's up to businesses to build secure systems from the start rather than being "the poor soul at the end of the supply chain."

**Building a Defensible System**  
In return for adding the cost of security into the design and build phase, these companies won't be left alone when it's time to respond to threats.

"We have to build a defensible system," Inglis said. "And in a collaborative fashion, we are going to defend it."

Market forces are pushing companies toward that model, but not fast enough, Inglis said, with the assurance that any regulation will be with the "lightest touch" by government.

**Business as a Government Cybersecurity Collaborato**r  
He added that since the Russian invasion of Ukraine, the US government has shared intelligence with the private sector to help defend their systems against cyberattacks. Inglis also lauded the action by Microsoft to roll out a patch against the Russian wiper virus used in attacks against Ukraine, but warned that it's imperative that we not "conflate geography with risk."

For instance, blocking Putin from platforms is different than blocking the wider Russian population, which has happened on TikTok, Netflix, Facebook, and many others.

Inglis also expressed that the private sector should demonstrate that is has an interest in protecting privacy and providing more transparency into their businesses.

Ultimately, the relationship between business and government is evolving.

"Today, there are instances where the private sector is the supported organization and the government is the supporting organization," Inglis said. "This is a new social contract, but we've done this before. It's about allocation of responsibility across the entire ecosystem."

US Cyber Director: Forging a Cybersecurity Social Contract Is Not Optional

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine.

**LAST UPDATED: MAY 10, 2022**

**Release Date:** May 10, 2022

**CVE Vulnerability Identifier:** CVE-2022-30523

**Platform(s):** Microsoft Windows

**Severity Rating:** High

**Summary**

Trend Micro has released a new version of the Trend Micro Password Manager for Windows family of consumer products which resolves a Link Following Privilege Escalation Vulnerability.

**Affected version(s)**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Password Manager

5.0.0.1266 and below

Microsoft Windows

English

**Solution**

PRODUCT

UPDATED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Password Manager

5.0.0.1270

Microsoft Windows

English

Trend Micro has released an update via the product’s automatic update mechanism to resolve this issue. Your Trend Micro Password Manager program should receive the update automatically as long as your computer is connected to the Internet. Customers are advised to use the latest version when doing a fresh installation of the product.

**Vulnerability Details**

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

**Acknowledgement**

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

*   **@Kharosx0** working with Trend Micro Zero Day Initiative (ZDI)

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

**External Reference**

The following advisories may be found at Trend Micro's Zero Day Initiative Published Advisories site:

*   ZDI-CAN-16159

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

CVE-2022-30523: Security Bulletin: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability

Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter.

H-Sphere

Stable release

3.6.2 / May 15, 2013

Written in

Java

Operating system

Linux, FreeBSD, Windows

Type

Web hosting control panel

License

proprietary

Website

http://www.parallels.com/products/hsphere/

**H-Sphere** is a web hosting Automation Control Panel for shared web hosting services that was developed by Positive Software and acquired by Parallels, Inc. in September 2007.\[1\] It is available for Linux, Unix, and Windows environments, and works with MySQL, PostgreSQL, and Microsoft SQL Server databases. H-Sphere has been written in Java and works with any SQL-compliant database.

**Features\[edit\]**

*   Built-in billing system with variety of payment methods
*   Various hosting solutions (\*nix and Windows, database, load balancing, RealMedia, MS Exchange, SharePoint, FreeVPS, etc.)
*   Electronic mail system with antivirus and antispam filtering and integrated WebMail
*   Around 30 Payment gateways and 6 E-Payment Providers supported
*   Integrated support center
*   Multiple user tools
*   Integrated PHP/MySQL applications, both built-in and by means of add-ons\[2\]

**Advantages\[edit\]**

*   **Scalable multiserver cluster**: different physical and logical servers (web, mail, DNS etc.) are managed from one control panel. More servers can be added on the fly.
*   **Multilingual support** includes English, German, Dutch, French, Italian, Spanish, Russian, Portuguese (Brazil), and several other languages integrated by means of add-ons.
*   H-Sphere is recognized for **end-user features** availability, such as mail system, site building tools, SSL, etc. "Beginning webmasters may find H-Sphere too complicated for their needs. More advanced users, however, appreciate the features and control that H-Sphere offers the end user."
*   H-Sphere may give place to other panels as regards its ease of use, but not its **online documentation**.
*   H-Sphere has enlisted a community of **online supporters** who name it among their favorite control panels.\[3\]
*   Integrated Backup capability with the ClusterLogics system created by Cartika

**Disadvantages\[edit\]**

*   Licenses for H-Sphere accounts are more expensive than those of its competitors. Though, it is noted that H-Sphere licenses are reusable and sold for a cluster, not for a server, as with Ensim Pro.
*   Some customers state H-Sphere has too many advanced features and thus is a too complicated solution for small hosting companies, especially as a single server installation. While others note that H-Sphere advantages are more demonstrable on multi-server clusters.
*   On a single server mode H-Sphere consumes more server resources than other major single server control panels.\[4\]
*   H-Sphere control panel interface extensively uses JavaScript. Some reviewers regard it as a disadvantage.\[5\]
*   H-Sphere control panel by default works on non-standard 8080 and 8443 ports that may be blocked by client-side firewalls; but this can easily be changed in the configuration.
*   H-Sphere (like cPanel, but unlike Plesk) provides online file source editing, however with H-Sphere only allows editing of .txt or .html files and without line numbers in edit mode, thus limiting PHP and other script editing possibilities.

**other webhosting control panel software\[edit\]**

*   Baifox
*   cPanel
*   DirectAdmin
*   Hosting Controller
*   ispCP
*   ISPConfig
*   Kloxo
*   Plesk
*   SysCP
*   Webmin

**See also\[edit\]**

*   Parallels, the maintainers of H-Sphere
*   Web hosting control panel
*   Comparison of web hosting control panels

**References\[edit\]**

1.  **^** "Parallels Newsroom". 28 February 2020.
2.  **^** "Archived copy". Archived from the original on 2007-01-17. Retrieved 2007-05-24.{{cite web}}: CS1 maint: archived copy as title (link) CS1 maint: bot: original URL status unknown (link) 24/7 Solutions.
3.  **^** h-sphere control panels on WHTop.com
4.  **^** Post here, your favorite Control Panel. WebHostingTalk Forums.
5.  **^** "Hosting Obzor". Archived from the original on 2007-06-09. Retrieved 2007-05-24.

**External links\[edit\]**

Tag

#microsoft