The United States Department of Justice has charged three North Korean computer programmers with a range of cyber attacks that made headlines around the world. Read more in my article on the Tripwire State of Security blog.
Each February, the United States, Canada, the United Kingdom and other countries observe Black History Month. It’s a month-long celebration of the generations of black people who have elevated society by the way in which they’ve lived their lives. It’s also an opportunity for us to recognize that there’s still plenty of work to do […]
The post Black History Month: Diversity in Cybersecurity Is More Important than Technology appeared first on The State of Security.
The very best journalism from one of Britain’s most admired and outspoken science writers, author of the bestselling Bad Science and Bad Pharma. In Bad Science, Ben Goldacre hilariously exposed the tricks that quacks and journalists use to distort science. In Bad Pharma, he put the 0 billion global pharmaceutical industry under the microscope. Now the pick of the journalism by one of our wittiest, most indignant and most fearless commentators on the worlds of medicine and science is collect
Price List: £9.99
Only for today on Amazon: £6.30
Marriott has confirmed that the number of guests affected in the breach of Starwood’s guest reservation database is down from the originally estimated 500 million to “fewer than 383 million unique guests.” At this time, the hotel giant is unable to confirm an exact number of guests impacted.
According to the statement, approximately 5.25 million unique unencrypted passport numbers and 20.3 million encrypted passport numbers were stolen. Attackers also accessed 8.6 million unique payment card numbers, all of which were encrypted, but only 354,000 cards were active and unexpired at the time of the breach. In its earlier notice in November of last year, the hotel giant confirmed that there had been unauthorized access to the Starwood network since 2014.
Marriott said that it has completed the phase out of Starwood’s reservation database, and now runs guest bookings through its Marriott database, which wasn’t accessed in the breach.
A Breach of Immense Scale and Scope
According to an initial report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. At this time, the company was still trying to determine whether the encryption keys had also been stolen.
In a statement published on Nov. 30, Marriott said that it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US on Sept. 8, 2018. An investigation into the incident confirmed that an attacker had copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.
Marriott reported the incident to both law enforcement and regulatory authorities, and the UK’s data regulator is investigating. While Marriott’s headquarters are in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR compliance. It’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach.
To read initial coverage of this story, with commentary from Veracode Co-Founder and CTO Chris Wysopal, click here.
“Automation has saved a tremendous amount of time. We went from a day per app to review and now we are essentially reviewing through automation 18,000 scans a day with only 20 AppSec engineers. You do the math — 18,000 deploys a day with 20 engineers — you can’t scale that manually.”
– Senior manager, application and cloud security, insurance, The Total Economic Impact™ of the Veracode Application Security Platform Study
One of the things we pride ourselves on here at Veracode is offering solutions and services that help add a little bit more ease to the application security process. We talk a lot about shifting left, and we do our best to put our money where our mouths are by creating a variety of integrations and automations that empower development teams to adopt a security-first mindset without sacrificing speed or agility. Yet there is more to a complete and holistic application security program than scanning in the CI/CD or making sure you’re securing open source components.
What about all of the web applications that you don’t know or simply forgot about? What about the exploitable vulnerabilities that can only be found at runtime? Or the applications that contain sensitive data and live behind the firewall? In order to ensure the security of these applications – and to make sure you have a proper inventory – you need to conduct discovery and dynamic scans.
What Do You Mean Web Applications I Don’t Know About or Forgot?
It’s more common than you would imagine for organizations and brands to have more web apps than they realize – at Veracode, we help our clients create comprehensive application inventories, and find that, on average, those inventories contain roughly 30 percent more applications than clients knew about. For example, in M&A activity, more than just a company or brand is acquired – you also acquire its web assets. Further, the digital landscape is decorated with marketing promotional sites meant to attract attention.
Paul Farrington, Veracode CTO in EMEA, is familiar with how common it is to underestimate the extent and reach of an organization’s IT assets. In a project that Veracode conducted for a high street bank, we discovered 1,800 websites that had yet to be logged.
“Their perimeter can be 50% larger than they originally thought it was,” Farrington told the BBC.
It’s impossible to secure an entire web application attack surface if you don’t know about all of your applications, and the very thing meant to draw attention to your brand and boost your bottom line is the same target attackers go after to infiltrate your organization. According to the 2018 Verizon Data Breach Investigations Report, web applications continue to be the number one vector for reported breaches. In nearly 90 percent of breaches, it took attackers only minutes to gain access – and for nearly 70 percent of organizations, it took months to detect which systems had been compromised.
Securing ALL of Your Web Applications With Veracode Discovery + Veracode Dynamic Analysis
Without a solution to help you discover these web applications, you can never be completely certain that you have scanned all of your web applications. This is where Veracode Discovery can help.
Veracode Discovery is a threat intelligence solution that leverages IP ranges, host names, keywords, and other inputs to scan the web for every web application that may be associated with your organization. The results are uploaded to the Veracode Application Security Platform where users can sort through the findings and input them into Veracode Dynamic Analysis through an easy-to-follow workflow. This ensures that you have full visibility into what your organization owns and that you are able to either scan and remediate those applications or sunset them, which improves the organization’s overall security posture.
Veracode Dynamic Analysis is fast, but it’s not just about the speed at which a scan returns results. It’s about the complete workflow – scan start, scan complete, and through to remediation. Veracode Dynamic Analysis is fast because of scheduling automation and a single upload that allows you to batch upload multiple applications into the same analysis. As a SaaS solution, Veracode Dynamic Analysis is able to kick off a scan for hundreds of applications at the same time. Unlike other solutions on the market, Veracode Dynamic Analysis can concurrently scan both authenticated and unauthenticated applications both in front of and behind a firewall. What’s more, the results that you receive are immediately actionable: they contain less than 1 percent false positives thanks to the accuracy of our scanner and limited manual scrubbing.
To learn more about Veracode Dynamic Analysis, download our whitepaper, Reducing Your Risk of a Breach with Dynamic Analysis.