In the News

The OSI model, your security, and giving special consideration to the application layer

2 Jun 2016 | By Patrick Vernon

There’s a certain poignant disappointment that occurs when your expectations do not align with reality. Especially when your expectations are both reasonable and logical. Take the topic of securing an application based on the Open Systems Interconnection (OSI) model, for instance. The OSI model is a way of thinking about computer networking that efficiently and effectively lays out the seven layers of computer networking, showing how they are neatly connected, each layer making use of the functions of the layer both above and below it. “Perfect,” you think. “If these seven layers are so tidily intertwined, surely there must be one security solution that takes care of them all.”

As security organization Checkmarx points out, for effective application layer security, static code analysis is a security solution that can be seamlessly integrated into the developer environment. It makes application layer security a component of the daily development schedule, allowing developers to receive nearly real-time scan results and fix vulnerabilities (as well as coding problems and other issues) as the application is being developed. Not only does this help create a secure software development life cycle, but it also saves untold time and effort by identifying problems as they appear instead of after a build is complete.

Continue reading this article on Digitalisation World.


How to Integrate Application Security Testing Into the Agile Development Process

2 Jun 2016 | By Daan Pepijn

Testing and rooting out bugs are integral parts of any successful application development process. Most prominent software development standards, including the popular Agile method, include provisions for making sure the end-product operates according to the use cases that define the required functionality.

But by focusing solely on functional requirements, the organizations that use these methods fail to address non-functional issues, including application security testing.

Static Application Security Testing (SAST) tools are a software development team’s best friend. As opposed to dynamic testing tools (DAST), which only work on compiled and executable binaries, SAST scans at the source code level, which makes it easier for individual members of a development team to apply.

Continue reading this article on Business.com.


The Internet of Things will only ever be as secure as its application

1 Jun 2016 | By Amit Ashbel

The pace at which the Internet of Things (IoT) is entering our homes and workplaces is phenomenal. This proliferation brings lots of potential benefits to users but it also presents numerous security risks. There is currently no common IoT platform; instead there are various tech giants competing to own the IoT platform of choice with securing that platform seeming to be a lesser consideration.

The Open Web Application Security Project (OWASP)'s top ten IoT list of vulnerabilities gives recommendations on how to develop IoT applications that will help fight off hacking attempts. In the IoT space, releases are generally quick and often, so OWASP's top ten is certainly helpful, but the recommendations can only have a positive effect if the underlying application code itself is secure.

Continue reading this article on Digitalisation World.


Why websites are so vulnerable to hackers

31 May 2016 | By Ben Dickson

Hackers just can’t get enough of hacking websites. Malicious actors break into them to upload infected copies of operating systems or distribute malware. Fraudsters use website vulnerabilities to steal sensitive credentials and financial info. The feds take them over to track down child porn consumers. Hacktivists take them down to fight controversial bathroom bills. And a lot more.

“Industries that have adopted and increased web applications usage for their business in the past year are seeing the impact on the attack patterns,” says Amit Ashbel, director of product marketing at Checkmarx, a cybersecurity startup that offers application security solutions. “Financial and transportation verticals are the top targets when it comes to web Application attack vectors. Both these industries have ramped up their web and mobile application services in the past years creating a very fertile attack surface.”

“The sheer fact that web applications are available for everyone to use drives attackers to design their attacks based on the weak points of the web application,” Ashbel explains.

Continue reading this article on The Daily Dot.


Update: 117 million LinkedIn email credentials found for sale on the dark web

26 May 2016 | By Doug Olenick

The 2012 LinkedIn data breach may be the breach that just keeps on giving, with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web, prompting the professional social network to invalidate the account passwords.

The initial story came from Motherboard, which reported it was contacted by someone going by the name “Peace” who said he was selling the data set on an illegal marketplace called The Real Deal for 5 Bitcoins, or about $2,200. The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.

Amit Ashbel, Checkmarx director of product marketing and cyber security evangelist, said LinkedIn's poor handling of its customers' data four years ago led directly to today's situation.

“LinkedIn could have definitely prevented the impact of this breach four years ago if they were using strong encryption techniques. That might not have prevented the breach itself but the data would be of much less use,” he told SCMagazine.com in an email.

Continue reading this article on SCMagazine.com.


By the numbers: Cyber attack costs compared

24 May 2016 | By CSO Staff

Data breaches caused by malicious insiders and malicious code can take as long as 50 days or more to fix, according to Ponemon Institute's 2015 Cost of Cyber Crime Study, while malware, viruses, worms, trojans, and botnets take only an estimated 2-5 days to fix.

Unsurprisingly, attacks by malicious insiders are also the costliest to fix ($145,000 according to the Ponemon study), followed by denial of service ($127,000) and Web-based attacks ($96,000).

This infographic from application security software provider Checkmarx highlights these and other significant statistics about how much different types of cyber attacks are costing companies around the world.

See the infographic & continue reading at CSO Online.


Crowdsource your security knowledge: A simple guide to OWASP Top 10

20 May 2016 | By Debbie Fletcher

Over the past two years, the Internet has seen some of the biggest, most devastating data breaches in history. With each attack, millions of personally identifiable information records are stolen, leading to the possibility of identity theft, banking fraud, and in some of the most notable cases, that's right -- divorce.

OWASP is a non-profit organization that uses the cloud to crowdsource case studies and information surrounding security. When you don’t have time to research security trends due to your other work demands, life demands or Netflix, OWASP is excellent enough to aggregate this information for you.

Every few years, OWASP publishes a list of the biggest security threats -- the so-called Top 10 Project. These attacks include threats against infrastructure and applications, and the information is gathered from open-source participants.

According to cybersecurity organization Checkmarx, every one of the OWASP Top 10 vulnerabilities should be a concern for developers. Whether you use tools or manual scripts written from scratch to deal with these concerns is up to you, but these vulnerabilities need to be tested for before deploying an application to production.

Continue reading this article on BetaNews.com.


Hacker looks to sell 117M LinkedIn passwords from 2012 data breach

19 May 2016 | By James Rogers

LinkedIn says that it is moving quickly to deal with the release of data from a 2012 security breach, which could include 117 million passwords.

A hacker is reportedly looking to sell a package containing account records for 167 million LinkedIn users on the darknet. Some 117 million of the accounts are said to contain “hashed” passwords, which use an algorithm to protect the password.

Selling off additional data is regular practice by cybercriminals, according to Amit Ashbel, director of product marketing at application security specialist Checkmarx. “Once they manage a large hack they will always save something for a rainy day,” he said, via email. “The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder.”

Continue reading this article on Fox News.


Tools, skills and budgets can help developers fight rise in Web app cyber attacks

18 May 2016 | By

Checkmarx announced that three recent reports highlight the challenge faced by developers in securing code as attacks against web applications increase, while security budgets for developers remain low.

As highlighted by the influential Data Breach Investigation Report 2016, attacks against web applications have seen a dramatic rise in the last year. Attacks against every business sector rose significantly, with the financial sector particularly hard hit by a 51% increase in the number of reported incidents. The report also suggests that Common Vulnerabilities and Exposures (CVEs) are not being addressed quickly enough by developers, with the top 10 vulnerabilities accounting for 85% of successful exploit traffic.

“Developers are gravitating towards JavaScript, being asked to create more applications by using faster development cycles. Meanwhile, the number of attacks against them grows and information security budgets have remained largely static,” says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx. “This is an unenviable position for developers and a situation that needs to be looked at more carefully by budget holders if they want to stop the problem from getting worse.”

Continue reading on GlobalSecurityMag.com.


Click-fraud botnet infects 900K to earn money via Google AdSense

17 May 2016 | By Robert Abel

A click-fraud botnet dubbed “Redirector.Paco Trojan” has infected 900,000 IPs worldwide and has the ability to reconfigure browser settings and network communications.

The malware is spread via installers that are distributed through unscrupulous download sites and by exploiting web application vulnerabilities, Checkmarx Director of Product Marketing Amit Ashbel told SCMagazine.com via emailed comments.

Ashbel said the botnet has gone to great lengths to reconfigure browser settings and network communication configurations and the malware's ability to tamper with AdSense should worry Google.

“While the attack has targeted the PC communication channel, at the same time it has launched a man in the middle (MitM) attack technique tampering with Google's results which I guess will have some level of impact (even if minor) on the search engine giant's service,” Ashbel said.

Continue reading this article on SCMagazine.com.
