Christmas shopping craziness, COVID-19 causes a retail security storm


Veracode’s Chris Eng discusses the cyber threats faced by shoppers who are moving online because of the pandemic and the upcoming holiday season.

As online stores prepare for the upcoming Christmas shopping season, security researchers warn that cybercriminals will be on the prowl this year, with the coronavirus pandemic pushing many Black Friday shoppers online.

Chris Eng, who heads research at Veracode, thinks that the pandemic-driven shift of shoppers from in-person to online has led restaurants, department stores and other outlets to adopt new e-commerce software platforms; however, they are not prepared to implement proper security measures for them.

“Everyone is increasingly dependent on software. And now they also have the challenges of securing this software that other companies used to have,” he said in this week’s Threatpost podcast.

Listen to Threatpost’s full podcast, where Eng discusses the major threats and trends expected for the 2020 online sales season, as well as key takeaways from Veracode’s State of Software Security report, released Tuesday.

Lindsey O’Donnell Welch: Welcome back to the Threatpost podcast. I’m Lindsey O’Donnell Welch with Threatpost. Joining me today is Veracode’s Director of Research, Chris Eng, who is here to talk to me about the security challenges of retail applications and security advances in this area, as well as Veracode’s new State of Software Security report, which has just been released. So Chris, thank you so much for coming on the show today.

Chris Eng: It’s great to be here.

LO: Great. I want to focus on the state of software security as a whole, but also in the retail sector, especially with Amazon Prime Day in October, and then the holiday season purchases that start with Black Friday and Cyber Monday. What challenges will retail security face this year, with the way applications are used and vulnerable and things like that? But before you talk about that, do you want to talk a little about the State of Software Security report and some of the big takeaways and trends you’ve noticed there?

CE: Yes, of course, happy to. So this is a report that Veracode publishes every year, and the dataset gets bigger every year, as we use our customer data to essentially find some of the trends that are going on in the area of application security. Because we’re a cloud service, we have access to all that data. So we can slice it in different ways and ask interesting questions about what’s going on there. And so this time, for example, we looked at 130,000 active applications that are being developed around the world in different industries, and we really tried to focus this year on the theme we ended up with: “nature versus nurture.” In other words, you know, what do you control, and what do you not control, when you think about the vulnerabilities you have in your applications, and how long it takes to fix them, and how far you really get? What can you control about that? And we thought it was an interesting question, as we had noted in previous reports that, for example, customers who scan more regularly actually reduce their security debt much faster and much better than those who don’t. And then we said, well, what are the other factors? And that’s right, it’s something that when we look at it, we have a sense of some things that you inherit, right? There are some things that you don’t really control: you don’t control the size of your organization, the size of your application, the amount of security debt you inherit; that’s kind of your nature. But there are things that you do control: how often you scan, the types of scans you use, the different technologies, how consistent your scanning cadence is. Is it bursty, is it irregular? And, essentially, we found that all the things you control can dramatically improve your fix times, even if you’re in a terrible environment.
Even if you’re working on an old, legacy application in a slow organization with high security debt, there are still things you can do as a developer to improve the overall security of the app. So I think it was a really great way to isolate all those different factors and show the correlation.

LO: Yes, I think that’s a very clever way of putting it, this perspective of “nature versus nurture.” And, you know, when you look at what developers can do, especially if they’re working on a legacy app, or maybe in a large organization, or maybe don’t have the right security controls, what were some of the most important things developers can do to improve their security posture?

CE: Yeah, we found that, you know, scanning and using automation to do it was a big factor. And that kind of builds on what we observed last time we wrote this report. That if you have incorporated this type of process into the way you develop software, it just becomes a habit, right? This isn’t something anyone has to proactively decide to do as an extra step; it just happens. So if I set up my build system, or my code repository, so that every time someone tries to merge new code, they run the security tests alongside their unit tests or their other quality-control tests, and just don’t let them move forward unless they fix the bugs, you fix things faster than you would otherwise. We also found, quite interestingly, that it helps if you use other security testing techniques besides the main one, which is static analysis; we also have dynamic analysis and software composition analysis. And the point is, if you use those other techniques in addition to basic static analysis, that also correlates with faster fix times, which is a little counter-intuitive at first, isn’t it? You would think you’re going to have more findings; doesn’t that mean things are going to slow down? But in fact, we saw that when customers ran dynamic scans along with static scans, that equated to a 24-day gain; well, 24 days faster to fix things. So those are really cool findings that we didn’t really expect.

LO: Right, that’s true. And I’m also curious about the main challenges and threats that software developers face. Are they in line with previous years? Do you see any trends or changes? I know that in the past, at least for applications, we saw a lot of cross-site scripting and credential management flaws, etc. What have you noticed this year?

CE: Yes, the same old categories keep coming back. And, you know, since we started reporting on this, you still see SQL injection, you still see cross-site scripting, the configuration leaks, the encryption problems, the things we’ve known about for a long time, 10, 20 years. And we know how to fix them, right? As security professionals, we know how to fix them. But, you know, from time to time I think, even today, this knowledge doesn’t make it into the developer curriculum. So you know, developers are coming in, not really, in the first place, knowing how to avoid those kinds of problems. And later, someone actually tells them to fix those problems, when they really don’t have a good teacher on what they have done right rather than what they have done wrong. So it’s no wonder you see the same categories popping up over and over again; most of those are decreasing in prevalence slightly over time. But what’s also happening is that more new languages are coming out, there are new frameworks, people are using those new libraries, you know. And as we get used to solving older mistakes, there are all those new ways of making the same kinds of mistakes, which seems like a pretty negative picture, but I never really see an entire category of defects being eliminated; that doesn’t really happen. Therefore, we will have to do more in this regard. And at the very least, we can focus on getting rid of these faster. And finally, if we can shape the behavior around it and are able to avoid them, maybe sometime in the long term we can eliminate some of them.

LO: That’s right. That’s a very good point. And, you know, cybercriminals will look for available vulnerabilities, so they’ll be there and make systems vulnerable, in terms, you know, of attackers who also attack them.

CE: Yes, you know, isn’t it the case that some of the most significant breaches come from application security vulnerabilities that we know how to prevent? In theory at least, but they’re still there, right? We see SQL injections everywhere. And we know that this leads to a lot of credential dumps or credit card dumps, etc., at some very large companies.

LO: Yes, that’s true. And I also wanted to ask, I mean, we’ve been dealing with this pandemic for the past year. Have you noticed any effects of this on the state of software security? Or, I don’t know, is it the cybercriminals who are hunting, looking for more vulnerable endpoints or other vulnerabilities, or is it some kind of relaxation of security measures in itself? Do you know what you’re seeing?

CE: Yes, that’s right, yes, I mean, just from a general point of view, and not so much, you know, from this data set, but I would certainly say, anecdotally, that phishing is on the rise, because everyone works from home, everyone is now in this mode where they expect things to come to them from other places, they get information in other ways. That’s true. And I think some of the cybercriminals are benefiting; I’ve anecdotally noticed an increase in phishing, at least in organizations, and I’ve heard that others see a little bit of the same.

We are really looking to see the effects of remote work on security research: has it improved, has it decreased? Have the hours been constantly getting better or worse, for example, how productive are people in this capacity? And we will have to wait for the next report for that. Because the end date of the window for the data set that was included in this report was March 31. So this was a year of data that ended on March 31st. And that’s when we started researching this. And so in the US, we started working remotely on March 13. I think most companies were doing this sometime in March. So really we still don’t have the data to be able to see what exactly that means. Now that we’ve done some kind of ad hoc analysis of customer activity, we haven’t really noticed a drop in activity. But I have also not noticed a significant build-up. I mean that everyone continues to create software, I mean the nature of the business is not changing, everyone continues to run their business with software. So we don’t expect to see a big drop there. But I think it’s going to be really interesting, once we really have a full year of that data, or less, if things go back to normal, then we can really see, was that a big change? And how does remote work influence security in a good or bad way?

LO: Right, that’s true. I think everyone is waiting to see in that regard, but with regard to phishing attacks and the other types of attacks we see, which are more email-based, I think they also have more sophistication, whether it’s the initial kind of health-related lures that we saw with the COVID outbreak, or, more recently, you know, it’s more about the US election or things like that. So, I mean, looking at retail security and how the security of retail applications fits into that, I’m curious to know what you see there, with Black Friday and Cyber Monday on the horizon.

CE: Yeah, you know, when we take a look at retail, we break out the retail data that we have and compare it to other industries. There are some things that obviously stand out; they have the same kinds of problems as everyone else, right, software developers notoriously move between industries and somehow produce the same types of errors, and so the variations in the types of flaws we see in retail are little variations, right? Information leaks slightly lower, crypto flaws a bit higher, but for the most part, things are within 3 to 5 percent or so. And that’s not the most interesting part of the story. We see that in retail, when we think of the half-life for defects, and when I say half-life it’s like, how long does it take you to fix half of the defects? Retail leads the way. 125 days, that’s its half-life, which is bad enough, right? That’s several months. But it’s substantially better than some of the other industries we’ve seen. So we see that they react faster than other sectors. And I think you can attribute that to the fact that they need to respond to customers faster than some of those other industries might have to, right? Obviously, there are customers in all of them. But if you’re thinking of using a retail site, and the greater confidence that people will have in buying food online, or just doing things online instead of going somewhere now, it’s not surprising that that type of attention is concentrated there. So I think it was interesting to know that so far they’ve got a better half-life than some of the other industries; the worst, the lowest performing, was 297 days half-life. So it’s more than double. It was manufacturing, I think. So we consider them to suffer from the same kinds of problems, the same concerns, the same challenges as other industries, but in some ways they are doing a little better.

LO: And it’s also quite promising, just, especially over the past year, I feel like there’s been some kind of shift in the landscape that has led to many more online purchases by consumers. With the pandemic, if I needed shampoo or hand sanitizer, or something, I’d go to Amazon, and you know, I’m not going to go to the store.

CE: Exactly, I ordered duct tape from Amazon the other day, instead of going to the hardware store. So the dependence on all this increases. And I think you also see more innovation, right, you see, I don’t know, you see more services or companies that weren’t online before at all, that have moved, moving more online, like, for example, many restaurants, which in the past were the kind where, you know, you just have to queue, and there’s no reservation, and you can’t get takeout, you can’t order anything in advance: they had to move really fast to be able to do a lot of those things and have this dependency, you know, on writing software, or in many cases just, you know, using someone else’s software, in order to enable those capabilities, right? Then all of a sudden there is a huge reliance on the software that runs that kind of business that probably . . . I’d like to see the stats on that, I’d like to see the activity, the revenue that accrues to companies like Talk. And like Toast and things like that, right? Everyone says that all of a sudden it’s the only way to do business, the only way to stay afloat. And then I think you will see this, I think you will see it not only in restaurants, but also in other parts of the retail industry, where all of a sudden you have to enable online shopping, curbside pickup, that kind of thing, when you may have shied away from it before. Therefore, everyone is increasingly dependent on software. And now they also have the challenges of securing this software that other companies had before.

LO: That is correct. Right. And, you know, speaking of challenges, can you talk a little about the main challenges that, you know, maybe the stores that are seeking to adapt to this new landscape can face in securing customer data and their software and, you know, what they face in terms of the main threats from cybercriminals and other types of attacks?

CE: In the case of customer products, a lot is about protecting customer information, cardholder data, everything we read about leaking whenever there is a major breach. And if a company is starting from scratch and building its own systems, and it hasn’t had to do this kind of thing before, I think it’s a huge potential danger, because they really have no idea how to protect this kind of data online. How do they store it? How do they transmit it? How long do they have to keep it? What are the privacy implications? These are all things that, if you’ve been doing this for a while, you have learned to do over time; you have learned what is required by a regulator, PCI, etc. And there is more to catch up on if you build a lot on your own. Now if you go through and use a third-party vendor that already exists, I think you can do it much more safely, right? As I mentioned, if you put your reservations online and take orders through Toast, and you process payments through Square or Stripe, or something like that, you’re not building all of this yourself. And you are trusting this provider to do the right thing to protect your data, your customers’ data, and keep it separate from other customers’ data, and make sure it is not leaking. And there is more of that type of business, but that is going to create, I think, more pressure on the suppliers in general, whoever we outsource those things to, because some attest to the steps they take. This is similar to, as you know, when we create software ourselves and use open source libraries to do it, we are not immune to vulnerabilities that could be a part of using those libraries. Same here, right? If I outsource the processing of the data to some other company, I still have to account for this risk, right?
If my customer’s credit card leaks, in some kind of breach, that customer doesn’t care whether it happened because I wrote code or because someone else wrote code, right? They only care that they have fraudulent charges. So, you have to think about it and make sure that the providers you are using are also taking the right steps from a security point of view, as it affects you in the end.

LO: Right, that’s true. And I know that’s something that definitely takes a lot of companies by surprise, and they don’t think about it; however, you know, if you look, for example, at the Target breach that came from an HVAC system, and yet Target was the one that took the hit there just because it was a big brand.

CE: That’s right, they took the hit, didn’t they? No one outside the security industry can tell you that this is a flaw, like an application security flaw in an HVAC Internet application, right? No one knows. So yes, the best example. So you need to think about all the dependencies and what they use to run your business in this new era, and I think that goes for every business that will grow.

LO: Chris, before we finish, I just want to ask you, if you have any other important conclusions that you want to highlight from the Veracode State of Software Security report, any theme you’d like to leave listeners with?

CE: Yeah, I think, you know, to get back to what I was talking about, how we looked at the kinds of things that you can and can’t control, I think that’s the big takeaway for me. It is so often the case, if you’re a developer and you get into that environment, where you just have all of that security debt, or technical debt, and it feels overwhelming, right? You say to yourself, how am I going to get out of this? It just seems that way. And your business only budgets so much time and effort to work on things like that. It was good to find that, even in the toughest environments, the biggest apps, the oldest apps, the big slow corporate culture, there were specific steps you can take as a developer for the overall security of this app, right? The things I control, like scan frequency, scan cadence, automation and APIs, and using additional testing techniques, are all things that move the needle; those are all things that correlate with faster fix times. So whatever environment I’ve landed in, be it a fast-moving, good environment where things move like clockwork, or the other way around, the steps I take can still have positive effects on the security of this app. I think it is very rare these days to have a positive result when we look at security data, but I think it was a really good result. Uh, so I was pleased to see that.

LO: Yes, I actually think it’s a good point to point out, because I think, you know, for developers or for, you know, system administrators or anyone, really, in the security space, there are a lot of things to think about in terms of threats. And going back to the “nature versus nurture” point you made at the beginning of the podcast, it seems like a lot is out of your control. But I think it’s actually vital to highlight what can be done and how it will help security measures. So yes, I appreciate you making that point. Chris, with that, thank you very much for coming on the Threatpost podcast today to talk about the state of retail software and application security.

CE: Yes, a pleasure. Great talking with you.

LO: Great. And to all our listeners, thank you for listening to this week’s Threatpost podcast episode. Again, I’m Lindsey O’Donnell Welch with Threatpost, here with Chris Eng of Veracode, and we look forward to seeing you next week.
