What’s HOT in Application Security Vol #39

2013 Threat Predictions

This past week, one of the frontrunners in high-performance network security announced their predictions for the top threats of 2013. The following are highlights of the top 3.

1. Advanced Persistent Threats (APTs) – Generally known to target specific classified information by using various methods and vectors, this coming year they are predicted to target high-powered civilians such as CEOs, celebrities, and politicians. This prediction will be hard to verify since the attacker could easily remove the malware undetected and those who become aware will probably keep it hidden from the media anyway. The targeted information is likely to be used for criminal activities such as blackmail.

2. Two Factor Authentication – It seems as if one password is not enough to be secure these days. Anyone could easily download a program that can crack an alphanumeric password without difficulty. Next year, we’ll likely see more web-based logins that require a password plus a secondary password, which will either be sent via SMS or come from a stand-alone security token.

3. Targeting Machine-to-Machine (M2M) Communications – M2M communications allow wireless and wired machines to communicate with other devices which can solve many human error problems. However, the security of these systems is still questionable. Hacking into M2Ms has not been seen yet, but this is likely to happen next year unless there is improvement in their security.

For more information visit

Hacktivism in Singapore

The People’s Association (PA), Singapore’s statutory board and the government entity responsible for promoting racial and social harmony, acknowledged that its main and subsidiary sites were recently penetrated by hackers. Though the website only includes general information and no transactions, the staff is focusing its efforts on making sure that these breaches don’t happen again. There haven’t been many hacks into sites operated by Singapore’s statutory bodies, which has left them with a false sense of security and easy to breach. These types of hackers, known as “hacktivists,” carry out these breaches as a political protest. It is therefore important to guard against them in order to avoid costly damages and loss of data. This incident is just one example stressing the need for businesses to improve their security by upgrading their Web gateways and reverse-proxy tools. In addition, the computer emergency response teams (CERTs) should be more prominent and stay on top of upgrades and the prevention of vulnerabilities. The problem is that many Singaporean officials don’t feel it necessary to tighten security, stating that hackers will beat the system regardless and that investing time and money into more secure systems isn’t worthwhile. Either way, this will not be the last hack into their system.

For more information, visit

Fake Ads on Government Job Site

When you see an advert for a spy job which refers to James Bond, you think twice about applying. This advert appeared on a recently launched government jobs website, the Universal Jobmatch site. It turned out to be a prank done by hackers who got past the flaky security codes. That one was cute, but a subsequent fake ad was asking for all sorts of personal data for their scam, a much more serious issue. Countless scammers and pranksters have easily made their way past security and onto this site, which has been described as a “scammer’s paradise.” It’s hard to take a government job site seriously with ads such as “for home internet work for internet babe chat.” As a result, security holes have been filled, but is it enough? It seems as if all the improvements haven’t been effective and there are still many fake ads. All that could be done is to let jobseekers know that they shouldn’t give out any personal details beyond their CV until they have a real job offer, and that if they encounter a fake ad, they should alert Jobcentre Plus immediately. For more information, visit

Keep your SMB websites secure

Many believe that it’s the larger companies that are at larger risk for website attacks and hacking. However, small and midsize businesses (SMBs) are actually at greater risk since they generally lack the resources and know-how to protect themselves from hackers. Hackers therefore tend to target SMBs over the big league companies. Here are some general website security reminders.

1. Check your code. Regular code checking is crucial since many security breaches are due to code vulnerabilities which lead to malware, SQL injections and more. If you don’t have the resources to do this, there are free tools that you can download to help you, including Google’s Webmaster Tools.

2. Keep your software up-to-date. Just as you do with any software, whether it’s Windows or web browsers, you must regularly update your website publishing platform in order to ensure that your website is current with all the fixes for security issues and other bugs. An older version is much easier for a hacker to exploit.

3. Let dead websites die. You know those sites that you started ages ago and don’t update or look at anymore? Just delete them. You don’t need them anyway and keeping them up is just a security threat to you since they are breeding grounds for porn hosts, spambots, and other hackers. Do you really want those things associated with your business?

4. Every incident must be used to defend against further incidents. Any sort of breach, even if it does little or no harm, should be treated as something to learn from, because improvements in security can prevent more harmful break-ins with consequences such as bank account losses and other lasting damage. Do not let your SMB be a target for criminals or other hacktivists.

For more information, visit  
