Textpattern CMS version 4.8.3 remote code execution exploit.
Software is becoming an increasingly pivotal part of modern business and society, and consumers have come to expect instant gratification. This has driven businesses to concentrate on innovation and speed to market; those that can't keep up with the hyper-competitive market of speed-to-value are falling behind.
But rapid software delivery brings increased risk. To shorten time to market, many businesses have moved from a waterfall approach to a DevOps approach. In this model security can't be a gate at the end of the development process; it has to be part of the process itself, or "security as code." Security as code means moving security into the development stage and automating security scans at every code commit. That ensures scans aren't skipped, and it shortens deployment times. As the world continues to prioritize speed, security as code will become increasingly critical.
What are the implications of security in the development phase?
When security is moved into the development phase and security scans become the developers' responsibility, it's not uncommon for developers to raise concerns. They often worry that security scans will add extra work and slow down deployments. Security as code eases those concerns because the scans are integrated into the developer's existing tools and processes and run automatically, so there is no interruption to the developer's day-to-day work.
That said, it's still important to give developers security training so they can avoid introducing flaws and remediate the ones that are found. According to the Modern Application and Development Security report by Enterprise Strategy Group, 35 percent of organizations report that less than half of their development teams participate in formal security training. Without that knowledge, scans will identify flaws, but the flaws will not be properly remediated, leaving applications open to attack.
At Veracode, we offer in-person, virtual, and hands-on training to get developers up to speed on securing code and remediating security flaws. With our hands-on training, Veracode Security Labs, developers can work on securing real-world code vulnerabilities in the language of their choice while receiving real-time feedback.
We also encourage organizations to implement a security champions program. Security champions are elected or self-nominated developers with an interest in learning more about security. They receive a higher level of security training than other developers so that they can be the voice of security on their scrum team. They're essentially the conduit between security professionals and developers.
For a security champions program to succeed, the champions need to be invited to security meetings, including sprint planning, on a consistent basis. By taking part in these meetings, they can help get their scrum team on board with security initiatives. The program should also be engaging and rewarding for participants. If developers feel the program is a waste of time, they won't attend security meetings and they won't encourage other developers to join.
Data around security as code
Security as code isn't just presumed to be effective; it has been shown to be effective. According to findings from our recent State of Software Security (SOSS) report, integrating scanning via API shortens the time it takes to remediate 50 percent of security flaws by six days. And the faster you remediate flaws, the fewer opportunities an attacker has.
The Modern Application and Development Security report also establishes the importance of automating and integrating security scans, citing it as the number one element of effective application security programs.
The bottom line is that speed-to-market is only going to increase, and security as code is, and will continue to be, the way of the future. To learn more about the current security landscape and recent trends, check out our State of Software Security report.
Any user could become root, warns Immersive Labs researcher
Proof of concept code has been published for a vulnerability in popular data centre security management tool Saltstack, which was discovered after a developer at Immersive Labs found a privilege escalation bug allowing any old user to become root.…
When it comes to securing your applications, it's not unusual to consider only the risks from your first-party code. But if you're looking solely at your own code, your attack surface is likely bigger than you think.
Our recent State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. That means your attack surface is far larger than the code written in-house. Yet a study conducted by Enterprise Strategy Group (ESG) established that less than half of organizations have invested in security controls to scan for open source vulnerabilities.
If the majority of an application is made up of open source libraries, why do most organizations scan only their first-party code? Because most assume that third-party code was already scanned for vulnerabilities by the library's developers. But you can't base the safety of your applications on assumptions. Our State of Software Security: Open Source Edition report revealed that approximately 42 percent of the third-party code pulled in directly by an application developer has a flaw on first scan. And even when a directly included library appears to be free of flaws, more than 47 percent of third-party code carries a transitive flaw, one that arrives indirectly through another library the first one depends on.
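To make the direct-versus-transitive distinction concrete, here is an added example written for this page (it is not Veracode's code or any vendor's scanner) of a minimal software-composition check. It walks a constructed lock-file-style dependency graph, matches each reachable package against a constructed advisory list, labels each hit as direct or transitive, and names the direct dependency through which a transitive hit arrives, which is the package you would actually update. The application, package names, versions and advisory identifiers are all hypothetical.

```python
"""Minimal software-composition check over a dependency graph.

Flags packages whose pinned version falls inside an advisory's affected
range and reports whether each hit is a direct dependency of the
application or a transitive one pulled in by another library.
"""
from collections import deque

# Constructed lock-file-style graph for a hypothetical application. Every
# entry maps a package to its resolved version and the packages it requires.
LOCKFILE = {
    "webapp":          {"version": "1.0.0", "requires": ["http-client", "template-engine"]},
    "http-client":     {"version": "2.3.1", "requires": ["url-parser"]},
    "template-engine": {"version": "4.0.2", "requires": ["html-escaper"]},
    "url-parser":      {"version": "0.9.5", "requires": ["http-client"]},  # cycle, kept on purpose
    "html-escaper":    {"version": "1.2.0", "requires": []},
}

# Constructed advisories; the affected range is the half-open interval
# [introduced, fixed). Identifiers and package names are hypothetical.
ADVISORIES = [
    {"id": "ADV-0001", "package": "url-parser",      "introduced": "0.0.0", "fixed": "0.9.7"},
    {"id": "ADV-0002", "package": "template-engine", "introduced": "4.0.0", "fixed": "4.0.3"},
    {"id": "ADV-0003", "package": "html-escaper",    "introduced": "1.0.0", "fixed": "1.1.0"},
]


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically.
    Only dotted numeric versions are handled; pre-release tags would
    need a real semver library."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when version lies in the advisory's range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def dependency_paths(lockfile, root):
    """Breadth-first walk from root. Returns, for every reachable package,
    the shortest chain of packages that pulls it in (root excluded), so a
    chain of length 1 is a direct dependency. The visited set makes the
    walk terminate on cyclic graphs."""
    paths = {}
    queue = deque([(root, [])])
    seen = {root}
    while queue:
        name, chain = queue.popleft()
        for dep in lockfile[name]["requires"]:
            if dep in seen:
                continue
            seen.add(dep)
            paths[dep] = chain + [dep]
            queue.append((dep, chain + [dep]))
    return paths


def scan(lockfile, advisories, root):
    """Match every reachable package against the advisory list. Each hit
    records whether it is direct or transitive and which direct dependency
    ('via') owns the chain that pulled the vulnerable package in."""
    findings = []
    paths = dependency_paths(lockfile, root)
    for package, chain in paths.items():
        version = lockfile[package]["version"]
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv):
                findings.append({
                    "advisory": adv["id"],
                    "package": package,
                    "version": version,
                    "kind": "direct" if len(chain) == 1 else "transitive",
                    "via": chain[0],
                    "path": " -> ".join([root] + chain),
                    "fixed_in": adv["fixed"],
                })
    return sorted(findings, key=lambda f: f["advisory"])


def remediation(finding):
    """A direct hit is bumped itself; a transitive hit is fixed by updating
    (or overriding) the direct dependency that pulls it in, since the
    application never chose the vulnerable version in the first place."""
    if finding["kind"] == "direct":
        return f"update {finding['package']} to {finding['fixed_in']} or later"
    return (f"update {finding['via']} so it resolves {finding['package']} "
            f">= {finding['fixed_in']}, or pin an override for {finding['package']}")


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES, "webapp"):
        print(f"{f['advisory']}: {f['package']} {f['version']} ({f['kind']}) via {f['path']}")
        print(f"  fix: {remediation(f)}")
```

Run against the constructed graph, the check reports two hits: url-parser, which the application never lists but which http-client pulls in (transitive), and template-engine (direct); html-escaper is reachable but already past the fixed version, so it is correctly silent. A production SCA tool does the same thing over real lock-file formats and a maintained advisory feed; the logic that matters, resolving the full transitive closure rather than only the top-level manifest and attributing each hit to the dependency you control, is what this example shows.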
Over the years, several organizations have learned the hard way just how dangerous it is to only scan first-party code.
- In 2014, the notorious open source vulnerability Heartbleed was disclosed. Heartbleed was a flaw in OpenSSL, a third-party library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Attackers exploited it to access over 4.5 million healthcare records at Community Health Systems Inc.
- In 2015, a critical vulnerability nicknamed "Ghost" was disclosed in glibc, the GNU C Library. It was a heap buffer overflow in the gethostbyname() family of functions that affected Linux systems running glibc versions older than 2.18, and therefore any application or web framework on those systems (Python, PHP, Ruby on Rails, API web services) that resolved hostnames through glibc. A remote attacker could trigger it with a crafted hostname and, in demonstrated cases, execute arbitrary code on the server.
- In 2017, Equifax suffered a massive data breach through an unpatched vulnerability in Apache Struts that exposed the data, including Social Security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent.
On the good news front: close to 74 percent of open source flaws can be fixed with an update such as a minor revision or patch. Even high-priority open source flaws rarely require extensive refactoring; close to 91 percent can be fixed with an update. Equifax is the cautionary example: it agreed to pay up to $425 million to help people affected by a breach that a U.S. House oversight committee report called "entirely preventable," because the Apache Struts vulnerability the attackers used had a patch available for about two months before it was exploited.
Don't become a victim of the monsters lurking in your third-party libraries. Download our whitepaper, Accelerating Software Development with Secure Open Source Software, to learn more.