Podcasts about checkmarx

49 podcasts · 67 episodes · 34m average duration · infrequent episodes · latest episode: May 20, 2025


Latest podcast episodes about checkmarx

Feds At The Edge by FedInsider
Ep. 201 Emerging Technology Series – Cybersecurity
May 20, 2025 · 59:25

Today, we look at three aspects of automation to give listeners a better view of its efficacy and some of its inherent challenges. First, we provide an overview, then a look at securing applications, and finally a view on threat intelligence.

Part One: Role of Automation. Jason Ralph from the Department of Labor puts the entire discussion into perspective when he states that AI should not be considered a replacement for current efforts at automation, but an augmentation. Further, he cautions that accelerating adoption must be tempered with a more measured approach in which you can be assured your data is not poisoned. When not used judiciously, automation can introduce more conflicts and errors than not using it at all. Context is everything in today's complex systems, and Nick Vinson suggests that threat modeling can give system designers a better idea of automation's impact.

Part Two: Application Security & Cloud Telemetry. Malicious actors noticed the emphasis on data security and are now directing attacks at applications. Applications can be complex to protect when they are spread across a maze of public, private, and hybrid clouds. Rob Davies from Peraton refers to using telemetry to understand where resources are located so that they can be leveraged. Telemetry collects data from various sources, typically across a network; monitoring that data shows you how the system is performing. Peter Chestna from Checkmarx observes that tools from cloud service providers may be too superficial to allow a deeper investigation of the automation process.

Part Three: Threat Intelligence & Risk Visibility. In sports, there is an adage: "ya can't tell the players without a scorecard." Eric Werner from the DoD shares with listeners the Enhanced Network Sensor and Intelligence Threat Enumeration (ENSITE). Based on insight provided by the MITRE framework, it allows new threat vectors to be distributed and reduces duplication.

David Monnier from Team Cymru starts with a strategic observation: in the federal government, a nation-state actor will attack persistently because the goal is far more serious than an attack on a bank. All the experts agree on the same fundamentals: know your vulnerabilities, learn what controls are in place, and know what capabilities you have.

The Daily Decrypt - Cyber News and Discussions
RSA Encryption Cracked using Quantum in China, Clorox Behind on Plastic Reduction
Oct 15, 2024


Video episode: https://youtu.be/yyl2icu6o3I

In today's episode, we discuss groundbreaking research from Chinese scientists who demonstrated that D-Wave's quantum computers can break RSA encryption and threaten widely used cryptographic methods, emphasizing the urgency for quantum-safe solutions. We also cover the aftermath of a significant cyberattack on Clorox, which has impacted its sustainability goals, and analyze a report from Checkmarx detailing "command jacking" vulnerabilities in open source packages, highlighting the need for robust security measures in software development. Join us as we unpack these critical cybersecurity developments and their implications for businesses and the future of data protection.

Source articles:
1. https://www.csoonline.com/article/3562701/chinese-researchers-break-rsa-encryption-with-a-quantum-computer.html
2. https://www.cybersecuritydive.com/news/clorox-cyberattack-waste-reduction-goals/729642/
3. https://www.csoonline.com/article/3560931/open-source-package-entry-points-could-be-used-for-command-jacking-report.html

Timestamps:
00:00 – Introduction
00:57 – Quantum Cracks RSA
02:26 – Clorox behind on plastic reduction
04:41 – Command Jacking in OSS

Questions covered:
1. What are today's top cybersecurity news stories?
2. How are quantum computers threatening RSA encryption?
3. What impact did Clorox's 2023 cyberattack have on its sustainability goals?
4. What is command jacking in open source software?
5. How can D-Wave's quantum computers break cryptographic systems?
6. What are the implications of quantum computing for data security?
7. How did Clorox recover from its major cyberattack?
8. What vulnerabilities exist in open source package managers?
9. Why is post-quantum cryptography important for cybersecurity?
10. What strategies can developers implement to safeguard against package entry point vulnerabilities?

Tags: D-Wave, quantum computing, RSA encryption, cryptographic solutions, Clorox, cyberattack, sustainability, plastic waste, Checkmarx, command jacking, malicious code, security checks

Glossary:
1. **RSA Encryption** – *Definition*: A widely used public-key cryptographic system that relies on the computational difficulty of factoring large integers, ensuring secure data transmission. – *Importance*: RSA is foundational to numerous secure communications over the internet, and its potential vulnerability to quantum attacks could compromise global data integrity and confidentiality.
2. **Quantum Computer** – *Definition*: A type of computer that uses quantum bits (qubits) and principles of quantum mechanics, enabling it to process certain complex computations significantly faster than classical computers. – *Importance*: Quantum computers pose significant threats to classical cryptographic systems because of their ability to solve problems deemed infeasible for traditional computers, such as factoring large numbers.
3. **D-Wave** – *Definition*: A company specializing in the development of quantum computing systems, particularly known for its quantum annealing technology. – *Importance*: D-Wave's systems are central to the study showcasing quantum capabilities to break traditional encryption, illustrating the practical advancements in quantum technologies.
4. **Quantum Annealing** – *Definition*: A quantum computing technique used to find the global minimum of a given objective function over a set of candidate solutions, particularly useful in optimization problems. – *Importance*: This technique has been demonstrated to potentially break encryption by optimizing and solving cryptographic problems more efficiently than classical methods.
5. **Substitution-Permutation Network (SPN)** – *Definition*: A method used in the design of block ciphers, based on a series of linked mathematical operations involving substitution and permutation. – *Importance*: SPN forms the basis for various encryption algorithms, and compromising it indicates vulnerabilities in widely used cryptographic systems.
6. **Advanced Encryption Standard (AES)** – *Definition*: A symmetric encryption algorithm adopted as the standard for encrypting data by the U.S. government, based on the Rijndael cipher. – *Importance*: AES is critical for securing sensitive information worldwide, and any threat to its integrity threatens global cybersecurity structures.
7. **Post-Quantum Cryptography (PQC)** – *Definition*: A branch of cryptography focused on developing algorithms resistant to attacks from quantum computers. – *Importance*: With quantum computing emerging as a threat to current cryptographic systems, PQC aims to secure communications in a quantum-capable future.
8. **Public-Key Cryptography** – *Definition*: A cryptographic system that uses pairs of keys: public keys that may be disseminated widely, and private keys that are known only to the owner. – *Importance*: It is pivotal for numerous secure transactions and encrypted communications on the internet, underpinning the security of data exchanges.
9. **Encryption** – *Definition*: The process of encoding information in such a way that only authorized parties can access it, rendering the data unreadable to unauthorized users. – *Importance*: It is essential for protecting sensitive information across all forms of digital communication against unauthorized access and data breaches.
10. **Quantum-Safe Encryption** – *Definition*: Encryption methods that are secure against decryption by quantum computers, typically developed as part of post-quantum cryptographic efforts. – *Importance*: As quantum computing progresses, developing quantum-safe methods is crucial to maintain the security of data and communications against future quantum threats.
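The "command jacking" item above concerns packaging entry points: a Python distribution can register a console script under any name, including the name of a tool the developer already relies on, and some plugin entry point groups make code run as soon as the host tool starts. The audit script below is an added example (not code from the Checkmarx report, the episode, or either CSO article): it parses the entry_points.txt that a wheel carries in its .dist-info directory and flags console scripts that shadow a sensitive command name or an executable already on PATH, plus entry points registered in auto-loading plugin groups. The sample metadata is constructed, and the sensitive-command list and the auto-load group list are assumptions to tune for your own environment.

```python
"""Audit a Python distribution's entry_points.txt for command shadowing.

Added example, not from the Checkmarx report or the podcast. The sample
metadata below is constructed; SENSITIVE_COMMANDS and AUTOLOAD_GROUPS are
assumptions, not an authoritative list.
"""
import configparser
import shutil
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample of <dist>.dist-info/entry_points.txt as a malicious
# package might ship it. Package and module names are hypothetical.
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
pretty-json = prettyjson.cli:main
pip = prettyjson.shim:pip_wrapper
aws = prettyjson.shim:aws_wrapper

[pytest11]
prettyjson = prettyjson.plugin
"""

# Assumption: commands developers type constantly and whose hijack yields
# credentials or code execution (package managers, cloud CLIs, VCS, SSH).
SENSITIVE_COMMANDS = frozenset({
    "pip", "pip3", "python", "python3", "git", "aws", "gcloud", "az",
    "kubectl", "docker", "npm", "node", "ssh", "sudo", "terraform",
})

# Assumption: plugin groups whose entry points the host tool imports on
# start-up, so registering here runs code without the package being invoked.
AUTOLOAD_GROUPS = frozenset({"pytest11", "flake8.extension", "pylint.plugins"})


@dataclass(frozen=True)
class Finding:
    group: str
    name: str
    target: str
    reason: str


def parse_entry_points(text: str) -> dict[str, dict[str, str]]:
    """Parse entry_points.txt: INI-style, [group] sections, name = module:attr."""
    # Only "=" may delimit, because targets contain ":"; interpolation off so
    # "%" in values is not interpreted; optionxform kept so names keep case.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {group: dict(parser.items(group)) for group in parser.sections()}


def audit_entry_points(
    text: str, on_path: Callable[[str], Optional[str]] = shutil.which
) -> list[Finding]:
    """Return findings for shadowing console scripts and auto-loaded plugins."""
    findings: list[Finding] = []
    for group, entries in parse_entry_points(text).items():
        for name, target in entries.items():
            if group == "console_scripts":
                if name in SENSITIVE_COMMANDS:
                    findings.append(Finding(group, name, target,
                        "console script shadows a sensitive command name"))
                elif on_path(name) is not None:
                    findings.append(Finding(group, name, target,
                        "console script shadows an executable already on PATH"))
            elif group in AUTOLOAD_GROUPS:
                findings.append(Finding(group, name, target,
                    "plugin entry point is imported automatically by its host tool"))
    return findings


if __name__ == "__main__":
    for f in audit_entry_points(SAMPLE_ENTRY_POINTS):
        print(f"[{f.group}] {f.name} -> {f.target}: {f.reason}")
```

To use it on a real artifact before installing, extract the metadata from the wheel (`unzip -p pkg.whl '*/entry_points.txt'`) and feed the text to `audit_entry_points`. The PATH check is deliberately second: pip places console scripts in the environment's scripts directory, which in an activated virtualenv typically precedes system directories on PATH, so a script named `pip` or `aws` wins over the genuine binary, and nothing in the entry point mechanism itself prevents a package from claiming such a name. The script does not cover other install-time execution paths such as `.pth` files or `setup.py` in source distributions.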

Paul's Security Weekly
The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302
Oct 8, 2024 · 72:35


Zed Attack Proxy has been a crucial web app testing tool for decades. It has also struggled throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some of the exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project.

Segment Resources:
- https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
- https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/
- https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/
- KICS: https://github.com/Checkmarx/kics
- 2MS: https://github.com/Checkmarx/2ms

Also in this episode: the many lessons to take away from a 24-year-old flaw in glibc and the mastery in crafting an exploit in PHP, changing a fuzzer's configuration to find more flaws, fuzzing LLMs for prompt injection and jailbreaks, security hardening of baseband code, revisiting the threat models in Microsoft's Recall, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-302

Paul's Security Weekly TV
The Future of Zed Attack Proxy - Simon Bennetts, Ori Bendet - ASW #302
Oct 8, 2024 · 35:34


Zed Attack Proxy has been a crucial web app testing tool for decades. It has also struggled throughout 2024 to obtain funding that would enable the tool to add more features while remaining true to its open source history. Simon Bennetts, founder of ZAP, and Ori Bendet from Checkmarx update us on that journey, share some of the exploration of LLM fuzzing that ZAP has been working on, and what the future looks like for this well-loved project.

Segment Resources:
- https://www.zaproxy.org/blog/2024-09-24-zap-has-joined-forces-with-checkmarx/
- https://www.zaproxy.org/blog/2024-09-30-improving-fuzzing-payloads-for-llms-with-fuzzai/
- https://checkmarx.com/press-releases/checkmarx-joins-forces-with-zap-to-supercharge-dynamic-application-security-testing-dast-for-the-enterprise-and-enhance-community-growth/
- KICS: https://github.com/Checkmarx/kics
- 2MS: https://github.com/Checkmarx/2ms

Show Notes: https://securityweekly.com/asw-302

Paul's Security Weekly
Cybersecurity Career Paths: from touring musician to purple teaming at Meta - Neko Papez, Brian Contos, Jayson Grace - ESW #378
Oct 4, 2024 · 133:51


Our latest in a series of interviews discussing cybersecurity career paths: today we talk to Jayson Grace about his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well.

Segment Resources:
- CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models
- TTPForge (https://github.com/facebookincubator/TTPForge) is a cybersecurity framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
- ForgeArmory provides TTPs that can be used with TTPForge.
- Wired, by Lily Hay Newman: Facebook's ‘Red Team X’ Hunts Bugs Beyond the Social Network's Walls
- MOSE (Master Of SErvers) is a post-exploitation tool for configuration management servers.
- BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact
- BSides LV 2023 - GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc

This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly!

The way we use browsers has changed, so has the way we need to secure them. Using a secure enterprise browser to execute content away from the endpoint, inside a secure cloud browser, is a dramatically more effective and cost-effective approach to protect users and secure access. This segment is sponsored by Menlo Security. Visit https://securityweekly.com/menloisw to learn more about them!

Sevco is a cloud-native vulnerability and exposure management platform built atop asset intelligence to enable rapid risk prioritization, mitigation, validation, and metrics. Segment Resources: Customer Testimonials: https://www.sevcosecurity.com/testimonials/ Product Videos: https://www.sevcosecurity.com/sevcoshorts/ This segment is sponsored by Sevco Security. Visit https://securityweekly.com/sevcoisw to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-378

Paul's Security Weekly TV
Cybersecurity best practices are the worst, AI indigestion, real time doxxing - ESW #378
Oct 4, 2024 · 67:22


This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly! Show Notes: https://securityweekly.com/esw-378

Enterprise Security Weekly (Video)
Cybersecurity best practices are the worst, AI indigestion, real time doxxing - ESW #378
Oct 3, 2024 · 67:52


This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly! Show Notes: https://securityweekly.com/esw-378

Absolute AppSec
Episode 261 - Security Economy, Password Resets, Vendor Consolidation
Sep 25, 2024


Ken (@cktricky) and Seth (@sethlaw) are back to review this week's news and commiserate about industry happenings. First up are their thoughts on the current economic climate and how it has affected the security industry over the last 5 years. This is followed by the evolving nature of password reset requirements, as frequent changes are not recommended by NIST. The duo digs into possible motives for Checkmarx's recent announcement that they are funding ZAP. Finally, some thoughts on domain takeovers.

The Tech Marketing Podcast
125 | Scaling the partnership pyramid with ops, product, sales and marketing
Sep 25, 2024 · 45:12


Navigating the complex ecosystem of tech alliances. This week on The Tech Marketing Podcast we welcome Mike Smythe, Global Tech Alliances Marketing at Checkmarx, as he shares his expertise on building successful tech partnerships. Listen to the episode and take away insights on themes including:
- Why a customer-first mindset is crucial when developing partner integrations.
- The importance of balancing metrics with relationship-building in tech alliances.
- How to effectively measure and report on the value of partnerships.
Has this episode piqued your interest? Get in touch for the opportunity to take your ecosystem and alliances marketing to the next level!

The CyberWire
Conspiracy theories in politics.
Jul 15, 2024 · 32:14


The assassination attempt on former President Trump sparks online disinformation. AT&T pays to have stolen data deleted. Rite Aid recovers from ransomware. A hacktivist group claims to have breached Disney's Slack. Checkmarx researchers uncover Python packages exfiltrating user data. HardBit ransomware gets upgraded with enhanced obfuscation. Threat actors can weaponize proof-of-concept (PoC) exploits in as little as 22 minutes. Google may be in the market for Wiz. Rick Howard previews his analysis of the MITRE ATT&CK framework. Blockchain sleuths follow the money.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

This Week on CSO Perspectives: Dave chats with Rick Howard, The CSO, Chief Analyst, and Senior Fellow at N2K Cyber, about his latest episode of CSO Perspectives, which focuses on the current state of MITRE ATT&CK. If you are an N2K Pro subscriber, you can find this installment of CSO Perspectives here. The accompanying essay is available here. If you're not a subscriber and want to check out a sample of the discussion Rick has with his Hash Table members about MITRE ATT&CK, you can find it here.

Selected Reading:
- Conspiracy theories spread swiftly in hours after Trump rally shooting (The Washington Post)
- AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records (WIRED)
- Pharmacy Giant Rite Aid Hit By Ransomware (Infosecurity Magazine)
- Disney's Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data (HackRead)
- Malicious Python packages found exfiltrating user data to Telegram bot (Computing)
- HardBit ransomware version 4.0 supports new obfuscation techniques (Security Affairs)
- Hackers use PoC exploits in attacks 22 minutes after release (Bleeping Computer)
- Google is reportedly planning its biggest startup acquisition ever (The Verge)
- Automotive SaaS provider CDK paid $25 million ransom to hackers (BeyondMachines.net)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence.

EChannelNews Podcast
Checkmarx and Prompt Security: An App Developer's Dream Team
Jun 12, 2024 · 32:47


Speakers: Ori Bendet, VP of Product Management at Checkmarx, and Itamar Golan, CEO at Prompt Security.

As a new crop of AI-related threats emerges from the rapid adoption of generative AI tools within application development, companies face challenges and risks associated with the adoption of AI, including data leakage and the need to manage AI in a way that does not compromise security. Ori and Itamar discussed the complexities of AI security and code leakage, emphasizing the need for robust protection measures. They also touched upon the potential risks associated with AI-generated code and the importance of implementing policies to mitigate these risks.

Listen to this podcast to learn more about how the partnership between the two companies is addressing two areas of risk arising from the use of GenAI tools that are already in widespread use by development teams. Also watch our past interview with Checkmarx: https://www.e-channelnews.com/enabling-application-security-posture-management-with-checkmarx-brinqa/

Feds At The Edge by FedInsider
Ep. 152 How to Fight Threats to the Software Supply Chain
Jun 3, 2024 · 60:17


The federal government is playing a game of cyber whack-a-mole. When networks are hardened, malicious actors go after endpoints; then Endpoint Detection & Response systems evolve. When endpoints are secure, the apps get attacked. Today, we have a group of experts looking at sophisticated attacks on federal apps and APIs.

The first step is to make sure the code libraries in use are authenticated as safe. Around 2018 the concept of a Software Bill of Materials (SBOM) became popular. An SBOM attests to the code at one point in time. However, as Jerry Cochran points out, the SBOM concept is weak because code is constantly changing: the static notion of "safe code" is undermined by updates and new compliance changes. Peter Chestna from Checkmarx points out that even if an issue is detected, the remediation process can be cumbersome and time-consuming.

Artificial intelligence has been shown to detect vulnerabilities in this dynamic code. Unfortunately, the attackers also have access to AI and have used it to search for weaknesses. When a cyber professional examines code, they frequently use a signature-based approach. During the interview, Nate Fountain suggests that a better approach is behavior analytics: that way, a federal agency can have compromised code running, but it cannot exfiltrate data because it does not have permission. The battle continues; recent reports indicate that 41% of attacks are on the next level: the API itself.

The Daily Decrypt - Cyber News and Discussions
70% of Water Utilities Vulnerable to Cyber Attack, GitHub Enterprise Server, Python, and Firefox Vulnerabilities
May 22, 2024


In today's episode, we explore a critical GitHub Enterprise Server vulnerability (CVE-2024-4985) that allows authentication bypass and the necessary updates for protection (https://thehackernews.com/2024/05/critical-github-enterprise-server-flaw.html), EPA's enforcement actions against water utilities lacking cybersecurity measures (https://www.cybersecuritydive.com/news/epa-enforcement-water-utilities-cyber/716719/), and newly discovered security flaws in the Python package llama_cpp_python (CVE-2024-34359) and Firefox's PDF.js library (CVE-2024-4367), highlighting potential risks and the importance of vigilant security practices (https://thehackernews.com/2024/05/researchers-uncover-flaws-in-python.html). 00:00 Cybersecurity Threats to US Water Utilities 01:02 Deep Dive into Water Utility Cybersecurity Flaws 03:26 Strategies for Enhancing Cybersecurity in Water Utilities 04:49 EPA's Enforcement Actions and the Importance of Cybersecurity 06:38 GitHub Enterprise Server's Critical Security Flaw 08:00 Emerging Cybersecurity Threats and Updates Tags: GitHub, Enterprise Server, CVE, SAML SSO, cybersecurity, vulnerability, GitHub updates, EPA, cyberattacks, water utilities, vulnerabilities, security enforcement, Checkmarx, Llama Drama, Mozilla, PDF.js Search Phrases: GitHub Enterprise Server CVE-2024-4985 vulnerability SAML SSO security breach in GitHub How to secure GitHub Enterprise Server EPA cyberattack vulnerabilities in water utilities Steps to mitigate water utility cyber threats Llama Drama security flaw in llama_cpp_python High-severity vulnerability in Mozilla PDF.js Protecting systems from PDF.js exploits Checkmarx reports on Llama Drama Latest cybersecurity vulnerabilities December 2023 May22 The EPA has announced that over 70% of us water utilities inspected are vulnerable to cyber attacks due to outdated security measures like default passwords and single log-ins. What specific vulnerabilities put major water utilities at risk. 
And how is the EPA planning to address them? A high severity vulnerability in Mozilla's PDF dot JS have been uncovered allowing threat actors to execute arbitrary code and. Compromise millions of systems globally. What methods can users implement to help protect their systems from these vulnerabilities? And finally an alarming get hub enterprise server vulnerability now threatens unauthorized administrative access through. SAML single sign-on prompting crucial updates. From GitHub to prevent exploitation. How can organizations secure their get hub enterprise server instances against this vulnerability? You're listening to the daily decrypt. The environmental protection agency or EPA announced that the majority of us water utilities. The inspected are vulnerable to cyber attacks due to using default passwords and single log-ins. And to get a little more specific over 70% of water utilities that were inspected since September of last year, failed to comply with the safe drinking water act. By commonly using single log-ins for multiple employees. And not revoking access for former employees. So being a cybersecurity professional, it's really hard for me to even imagine using the same login as somebody else. This is such a terrible idea for many reasons. Some of which are obvious and some of which might not be like, first of all, multiple people know your password. Which is kept. Under wraps. Like if it's kept locked down, that's not a huge issue, but it's not being kept locked down. If this is a practice it's not being kept, locked down. So what if one of the people who's using that log in? Already has that password memorized and they decide to use it on a different site. Maybe even with that same email address and that site gets breached. And the email address is probably water company related. So any attacker that comes across these credentials will instantly have access to. The water utilities. Infrastructure. 
So say someone gets into the water utility's infrastructure using those credentials. It will be impossible to go back and look at logs and see where the error was. It could be across many different people. So they're not even able to identify the root cause of the breach. Logging is essential. So you want to make sure that you know exactly who is doing what actions on which computer. Sharing credentials makes that impossible. You can also lock down different permissions by each user account, and then monitor activities based on those permissions. So if you see an account that's trying to do something that they shouldn't be doing, it's an indicator of compromise. So, how do I know what this account that's being shared across multiple people should be doing? Can you be logged in in multiple places at once? Is one of the people using that account in Nigeria? Who knows, right? So this is just terrible. And then the second issue is former employees' credentials are not being revoked. They're not being closed down. So that means that if anybody comes across the username and password of a former employee, they can access the system. That includes the former employee. What if they got fired? What if they have a malicious intent against their boss? They can log in after being terminated or leaving the job and mess things up for the company. Now, I understand that these two things take resources to fix. It's going to take a bigger IT team. It's going to take some automation tools. But I cannot stress this enough: a compromise will cost more than the tools used to prevent it. So if you're maintaining one of these infrastructures, please talk to your boss every day. Schedule an email. Talk to your investors, talk to the board, make sure they understand that if this place gets compromised, it's going to cost them way more than hiring another IT person or buying a tool that can automate this process.
And if you're feeling ambitious, one of the other things you can do with former employees' accounts is to create a decoy account, which is essentially a honeypot. So say someone does come upon these credentials and they try to log in. You have already set up alerting that no one should be logging in with these credentials. But if an attacker is in the environment and finds these credentials, they will see a history of usage, which makes those credentials more enticing. And that's something you can't get with just a brand new account turned into a decoy. So it's recommended to repurpose every former employee's account as a decoy. Set up an alert. Nobody should be logging in. Nobody should be touching these credentials or even attempting to log in with these credentials. If they are, you've been breached. It's one of the easiest ways to detect a breach. Alright, lecture aside. Let's finish up this news. The EPA has taken more than 100 enforcement actions against community water systems since 2020 and plans to increase future inspections. Criminal enforcement may occur if there's imminent danger. So you can be prosecuted as a criminal for neglecting to secure your network if you work for a water plant or in a water agency, because imminent danger is upon us if you don't secure our network, right? What are the consequences for a compromise at the source of our water? Well, we don't get water, and what do we need to live? Water. In fact, in recent months, Iran, China and Russia, as well as criminal ransomware gangs, have targeted US and UK water treatment facilities. And they will continue to target these facilities because they are critical infrastructure for the United States. Right? The president needs water. The Congress needs water, the police force needs water, the military needs water. Everyone needs water. So it's going to be a top target, and we don't have the funding to secure it. So according to CISA,
95% of the 150,000 water utilities in the US do not have a cybersecurity professional on staff. And that sounds like a staggering amount, but it's pretty expensive to have a cybersecurity professional on staff. We get paid a lot of money. And what I'd like to know is if any of these water treatment facilities are contracting out to cybersecurity professionals. So, there are companies out there that will provide advice for a fee, so you don't have to have someone on your staff. There are also companies out there that will monitor your networks for a fee, so you don't have to build out your own security operations center. If you'd like recommendations on either of these services or to be pointed in the right direction, feel free to shoot us a DM on Instagram or YouTube, and we will get back to you.

All right. There is a new maximum-severity flaw in GitHub Enterprise Server that could allow attackers to bypass authentication protections. This flaw scores a perfect 10 out of 10 on the CVSS scale, which indicates it's extremely critical. And so, as mentioned, the vulnerability allows unauthorized access by forging a SAML response to provision or gain access to a user with admin privileges, but only in instances using SAML single sign-on with optional encrypted assertions. The issue affects all GHES versions prior to 3.13.0. GitHub has released patches in some versions of 3.9, 3.10, 3.11 and 3.12. So if you're using these versions or earlier, please go update. Instances without SAML SSO, or those using SAML SSO without encrypted assertions, are not affected by this flaw. If your setup doesn't involve encrypted assertions, you're in the clear. But encrypted assertions improve security by encrypting messages from the SAML identity provider during authentication. However, this feature led to the discovered vulnerability when not properly updated. So just keep your crap up to date. I know it's tough.
And finally, researchers have uncovered a severe security flaw in the llama_cpp_python package, tracked as CVE-2024-34359, with a CVSS score of 9.7. So, pretty dang critical. This vulnerability is named Llama Drama, and can enable threat actors to execute arbitrary code, potentially compromising data and operations. The vulnerability stems from the misuse of the Jinja2 template engine, leading to server-side template injection. The flaw has been patched in version 0.2.72, and if you're using this package, you should update immediately. Additionally, Mozilla discovered a high-severity flaw in the PDF.js JavaScript library used by Firefox. This flaw allows arbitrary JavaScript execution when a maliciously crafted PDF document is opened inside of Firefox. The issue has been resolved in Firefox 126 or Firefox ESR 115.11. So make sure to update your browser, as well as any related software, to their latest versions as soon as possible. This has been The Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don't forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.

Resilient Cyber
S6E8: Erez Yalon - AppSec, Supply Chain and Security Research

Mar 6, 2024 47:17


- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so?
- It's now been a couple of years since the major fallout of notable incidents such as SolarWinds and Log4j. Do you feel like the industry is making headway in addressing software supply chain threats?
- For organizations either just starting or looking to mature their software supply chain maturity, where are some key areas you recommend organizations focus their attention?
- We have a complex landscape from extensive use of open source, SaaS and Cloud providers, partners and third parties. How have you seen firms successfully handle this complexity when it comes to activities such as incident response?
- There's a bit of a heated debate in the industry underway on point products vs. platforms. I know Checkmarx has a comprehensive AppSec platform. How do you view this debate, and do you think we will always have and see the need for point products, best of breed and comprehensive platforms in the industry?
- You spend a fair bit of time focused on SSCS research. How does your team approach these activities and sharing the insights with the community?
- Checkmarx shares a tremendous amount of informative and insightful research around SSCS. Where can folks learn more, and what are some of the interesting projects you all are currently working on?

The Daily Decrypt - Cyber News and Discussions
Spyware Scandals, Security Slip-Ups, and Shopping Shakedowns

Mar 4, 2024


Explore the intriguing case of 'NSO Group's Pegasus Spyware Code Handover to WhatsApp' as reported by The Hacker News. Dive into the court's decision, its implications, and understand the spyware's capabilities. Source article: thehackernews.com/2024/03/us-court-orders-nso-group-to-hand-over.html

Unravel the alarming findings from Security Magazine's '92% of Companies Experienced an Application-Related Breach Last Year'. Discover the challenges in application security and the importance of prioritizing vulnerabilities. Source article: securitymagazine.com/articles/100470-92-of-companies-experienced-an-application-related-breach-last-year

Reflect on consumer trust post-data breach in the retail sector with 'More than 60% of Consumers Would Avoid a Retailer Post-Breach' from Security Magazine. Learn about the significant impact on consumer behavior and proactive cybersecurity measures. Source article: securitymagazine.com/articles/100466-more-than-60-of-consumers-would-avoid-a-retailer-post-breach

Delve into Bleeping Computer's report on the 'Windows Kernel Bug Exploited as Zero-Day Since August.' Understand the vulnerability, its exploitation by the Lazarus Group, and the crucial need for system updates. Source article: bleepingcomputer.com/news/security/windows-kernel-bug-fixed-last-month-exploited-as-zero-day-since-august/

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/

Transcript: Mar 4

[00:00:00] Announcer: Welcome to The Daily Decrypt, the go-to podcast for all things cyber security. Get ready to decrypt the complexities of cyber safety and stay informed. Stand at the frontier of cyber security news, where every insight is a key to unlocking the mysteries of the digital domain. Your voyage through the cyber news vortex starts now.

[00:00:29] d0gesp4n: Welcome back to The Daily Decrypt. Today is March 4th, and I'm your host, d0gesp4n.
Kicking off today's episode, we're talking about a real courtside drama from The Hacker News: US court orders NSO Group to hand over Pegasus spyware code to WhatsApp. It seems like NSO's Pegasus is flying a bit too close to the sun this time. Next up, we're scrolling through a Security Magazine report that's got more leaks than my old garden hose. The article, 92% of companies experienced an application-related breach last year, talks about the cyber equivalent [00:01:00] of Swiss cheese: application security. Ready for a cyber shopping spree? Today we're virtually window shopping through an insightful article from Security Magazine titled More than 60% of consumers would avoid a retailer post-breach. And for a final bite of the day, we're patching things up with a story from Bleeping Computer: Windows kernel bug fixed last month exploited as zero-day since August. Now, that's a longer running bug than my uncle's '72 Volkswagen. We're talking about a Windows flaw that was more open than my dad's garage door.

[00:01:34] d0gesp4n: This first article from The Hacker News is titled US court orders NSO Group to hand over Pegasus spyware code to WhatsApp. Let's unpack this and understand why it's significant. Let's talk about who NSO Group is. They're an Israeli tech firm known for creating Pegasus, which is a powerful piece of spyware. Now, spyware, for those who might not know, is software that enables someone to spy on another's computer [00:02:00] or phone activities. Pegasus is particularly notorious because it can be installed on a device without the owner's knowledge. Imagine someone secretly watching everything you do on your phone. Pretty scary, right? A US judge has ordered NSO Group to hand over the source code for Pegasus to Meta, the parent company of WhatsApp. This is a big deal because the source code is like the secret recipe for how Pegasus works. Source code is basically a set of instructions written by programmers that tells the software how to function.
It's like the blueprint for building a software application. In 2019, WhatsApp sued NSO Group because they used WhatsApp to distribute Pegasus to about 1,400 devices, including devices of Indian activists and journalists. They exploited a zero-day flaw, which is a previously unknown vulnerability in software, to install the spyware. This flaw, originally identified as CVE-2019-3568, was a critical bug in [00:03:00] WhatsApp's voice call feature. The attackers could install Pegasus just by making a call, and the target didn't even need to answer it. To make it more stealthy, they even erased the call logs. By getting the source code, Meta can understand how Pegasus infiltrated WhatsApp and improve their defenses. But the court didn't require NSO Group to reveal their client list. This has disappointed many who hoped to learn who used this spyware. The NSO Group previously has been accused of selling Pegasus to governments who then used it to spy on journalists, activists and others. Knowing who used it would shed light on potential human rights abuses. This case isn't just about a single spyware. It's part of a bigger conversation about cybersecurity and privacy. And it's important to understand these different court cases and how it's playing out because, well, cybersecurity is just a complex and ever-evolving field. It's not just really about protecting our devices, but also understanding the ethical implications of [00:04:00] technology. I feel like a lot of these companies are just dabbling in that gray area until they're called out for something or the government steps in. One way or another, we really need to understand how this impacts our lives and keep looking for ways to stay safe and just overall be aware of how people are invading our privacy. This next one comes from Security Magazine. The article's titled 92% of companies experienced an application-related breach last year, and it sheds light on the widespread issue of application security breaches.
This report by Checkmarx reveals that a staggering 92% of companies faced breaches through vulnerabilities in applications they developed in-house last year. This is a huge number, indicating that application security is a critical concern for businesses.

[00:04:50] d0gesp4n: Some of you might be wondering what an application-related breach is. An application-related breach occurs when hackers exploit weaknesses in software applications to [00:05:00] gain unauthorized access to data. It's like finding a back door into a secured building. This report highlights the struggle between meeting business deadlines and ensuring application security. It's a tough balance for AppSec managers, CSOs and developers. One of the biggest challenges is prioritizing which vulnerabilities to fix first. Not all weaknesses are equal, and some pose a higher risk than others. One of the things that I had to do a lot with clients previously was try to prioritize those things. So we would take a step back and look at what would happen if this vulnerability got exploited. We wouldn't really always focus on how severe the score was, but it was more what was holding what data. For instance, if a customer dealt with payment card information and stuff, we wanted to make sure that those were locked down as much as possible before moving into other areas of the business. But overall, it is a difficult [00:06:00] balance to achieve because on one hand you have all these vulnerable systems in your network. And on the other hand, you have users, who are inherently vulnerable. We are all susceptible to falling for phishing attacks. And that is a lot of times the way in. You could poke at all sorts of external websites, and we might be able to get a breach that way, but why would we spend all that time when we could get directly into a network and start bouncing from one workstation to another? Who knows how it's locked down internally?
We tend to think about it a lot differently on the inside. Improving application security involves integrating developer-friendly security tools into the development process. This means making security a part of the entire application development life cycle. Really, the key here is the need for a proactive approach to application security. We need to prioritize the security and protect the data, [00:07:00] especially if we want to maintain customers' trust. And it is very difficult, but I think we're moving in the right direction. From what I've seen across the board, security is getting more involved in these public companies and their actual executive board and so on up, and security teams are able to vocalize this now, and we're able to start putting a dollar sign behind it. There's all these fines that are going to be put in place, more and more privacy concerns. Overall, we're heading in the right direction, but we still have a long road ahead of us. Thanks for watching!

[00:07:43] d0gesp4n: Tying into that last piece, we have another one from Security Magazine. This one's titled More than 60% of consumers would avoid a retailer post-breach. It's a deep dive into consumer behavior post-breach in the retail sector. The article reveals a startling fact: [00:08:00] over 60% of customers would likely avoid shopping at a retailer that has recently experienced a data breach. This figure even jumps to 74% among high-income consumers. This is really interesting to me because I was under the impression that a lot of times when a data breach went public, there would be a little time that people would shy away from it, but ultimately going right back to it. I might be just a little ignorant to it. That's one of the things that I personally would hone in on, but if 60% of consumers, that's a huge number. And that kind of makes me feel a lot better knowing that the general public is looking at it the same way.
When a breach happens, it's not just about stolen data. It's about broken trust. Customers are entrusting their personal and financial information to retailers, and a breach is a violation of that trust. The article also highlights that in the finance sector, the situation is even more critical: around 83% of [00:09:00] consumers would think twice about using a finance app if their data was compromised. This brings us to an important point. Businesses need to not only protect data, but also their reputation and customer trust. This is really interesting, I think, just because we're positioning companies to think about, not just, yeah, there's going to be a little bit of a financial loss, especially if customers' data is gone, there's sometimes fines imposed, but we're looking at it as far as reputation. Yeah, there might be a fine. However, we're now scarred. We have that mark on our chest, and we're trying to do business, but yet we have that breach sitting there. There's a couple of companies that I've used previously that have had cybersecurity breaches, and I have shifted and I haven't looked back. How do you feel when one of the products or services that you subscribe to or utilize notifies you that there's a breach? Let us know. [00:10:00] And to wrap things up, I wanted to get into the bug land. So we're going to be looking at the article from Bleeping Computer: Windows kernel bug fixed last month exploited as zero-day since August.

[00:10:12] d0gesp4n: Microsoft patched a serious vulnerability in the Windows kernel known as CVE-2024-21338, discovered by an Avast researcher. This flaw was actively exploited by attackers before Microsoft could fix it. Zero-day, also known as 0-day, vulnerability means it was exploited by hackers before Microsoft was aware of it and could patch it. Think of it as a secret passage that hackers found and used before the homeowner could seal it.
Another term that we've been throwing around often is CVE-2024 or 2023, whatever, followed by some more numbers. That is Common Vulnerabilities and Exposures, and then they're dated and then given a number based on when they came out within that year. This one, for [00:11:00] example, is CVE-2024-21338. It means that it's the 21,338th vulnerability discovered this year. This flaw was dangerous because it gave attackers like the North Korean Lazarus Group deep access to the system, known as kernel-level access. This allows them to disable security software and perform more sinister actions undetected. Lazarus exploited this bug to turn off security tools using a technique called BYOVD, bring your own vulnerable driver. This could manipulate the system at its core, affecting processes, files, and network activities. Now, for an average user, it means that you could have been compromised without knowing, risking the data and system integrity. That's like having an intruder in your house that you can't even see. The main thing that we can do with this is, of course, always making sure your systems are up to date. So anytime you [00:12:00] get that, it doesn't matter if you're on a Windows system, Mac, if you're one of the Linux users out there. Any chance you get, make sure it's up to date. Windows will notify you. Yeah, you got to restart it. That's probably the most annoying aspect of it: it'll pop up and you got to restart your system. It's worth it. Step away, go grab a coffee, go take a quick walk if you can. You'll be helping yourself out and the organization that you work for. That's all I got for you. Thanks for tuning in Monday morning or Monday evening, afternoon, whenever you're getting a chance to listen to this. We appreciate all of our listeners out there,

[00:12:35] d0gesp4n: and we'll see you tomorrow.

DealMakers
Sandeep Johri On Selling His First Company For $150 Million To Oracle And Now Leading A Billion Dollar Business

Feb 21, 2024 33:09


Sandeep Johri's journey from his middle-class upbringing in Bombay, India, to becoming a successful entrepreneur and CEO in Silicon Valley is a compelling narrative of resilience, adaptation, and visionary leadership. In this exclusive interview, Sandeep shares the intricacies of his remarkable career, from his initial fascination with the United States to his pivotal role in founding and leading successful tech companies like Oblix, Tricentis, and Checkmarx.

The Tech Blog Writer Podcast
2787: Navigating the Evolving Landscape of Application Security With Checkmarx

Jan 30, 2024 25:34


In this compelling episode, we delve into the strategic importance of application security as businesses undergo digital transformation. Sandeep Johri, with his rich experience at Checkmarx, sheds light on this domain's multifaceted challenges and opportunities. We discuss how vulnerabilities in applications can erode customer confidence and pose significant regulatory challenges. Checkmarx stands out in this landscape with its comprehensive application security platform, CX1, which provides holistic coverage of AppSec. This sets them apart from competitors who may only focus on one or two areas. But what truly enhances Checkmarx's capabilities is the integration of Artificial Intelligence. AI not only accelerates the ability of developers to fix vulnerabilities but also enables Checkmarx to proactively detect emerging threats, particularly those arising from AI systems themselves. A key theme of our discussion is the communication of AppSec value to corporate boards. Johri emphasizes the importance of maturity assessment models and risk quantification in presenting a clear picture of AppSec status and priorities. This strategic approach offers a roadmap for improvement and a tangible understanding of ROI in application security. However, technology is just one piece of the puzzle. We delve into the human aspect – training developers in AppSec. Here, Checkmarx's integrated "Codebashing" modules come into play, offering quick, context-relevant tutorials for developers to address vulnerabilities efficiently. Illustrating the impact of these strategies, Johri shares success stories from Checkmarx's engagements, notably with large banking institutions, where they've assisted in swiftly prioritizing and eliminating vulnerabilities. Many of these clients began with relatively immature AppSec processes, underscoring the transformative potential of Checkmarx's approach.

The CyBUr Guy Podcast
The CyBUr Guy Podcast S3E17 - Rusty and Mallory from Checkmarx

Oct 26, 2023 16:12


I was joined by Rusty Sides and Mallory Woods of Checkmarx at the National Cyber Summit to talk software vulnerability assessments and a host of other cyber topics.  Give a listen, tell a friend. Questions/Comments/Suggestions welcome at darren@thecyburguy.com

The Cybersecurity Defenders Podcast
#71 - Intel Chat: BlackTech, Lazarus, CL0P, Python supply chain, Android malware & libcue 0-day

Oct 18, 2023 37:16


In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.

A joint advisory that was published by the NSA, the FBI and CISA, along with the Japan National Police Agency and the Japan National Center of Incident Readiness and Strategy for Cybersecurity.
ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain.
Unit 42 at Palo Alto are reporting that the CL0P ransomware group recently began using torrents to distribute victim data after a rather notorious campaign stealing data from thousands of companies.
Checkmarx is reporting on a persistent open-source supply chain attacker targeting the Python ecosystem who has been active and evolving since April 2023.
Ars Technica is reporting the discovery of thousands of Android devices infected with malware right out of the box.
GitHub Security Lab, in coordination with Ilya Lipnitskiy, has disclosed a 0-day memory corruption vulnerability in libcue, noted as CVE-2023-43641.
Checkmarx is reporting on a targeted campaign that unfolded via PyPI, targeting developers utilizing Alibaba Cloud services, AWS, and Telegram.

The Cybersecurity Defenders Podcast
#50 - Intel Chat: AgentTesla, Cobalt Strike, njRAT, LokiBot, SophosEncrypt, BundleBot, and targeted OSS supply chain attacks

Jul 26, 2023 26:02


In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.

Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations, and civilian users in Ukraine and Poland.
In a FortiGuard Labs investigation, researchers came across several malicious Office documents designed to exploit known vulnerabilities.
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt.
Checkmarx is reporting the first known targeted OSS supply chain attacks against the banking sector.

The LimaCharlie SecOps Cloud Platform provides organizations with comprehensive enterprise protection that brings together critical cybersecurity capabilities and eliminates integration challenges and security gaps for more effective protection against today's threats. Watch the SecOps Cloud Platform panel discussions here: Introducing the SecOps Cloud Platform

The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.

The Cybersecurity Defenders Podcast
#44 - Intel Chat: Fake GitHub repos, NPM poison, Vidar, Mac malware, Tsunami DDOS, Cl0p reward, and the EDR killer: Spyboy

Jun 24, 2023 43:29


In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.

VulnCheck comes across a malicious GitHub repository that is claimed to be a Signal 0-day.
Checkmarx are reporting that, without altering a single line of code, attackers poisoned the NPM package "bignum" by hijacking an S3 bucket.
Team Cymru has released a detailed publication on Vidar infrastructure which encompasses both the primary administrative aspects and the underlying backend.
Bitdefender Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit.
Researchers have found an unofficial package called 'https' that exists on NPM with over 1600 other packages that depend on it.
An attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers.
Cl0p rewards of up to $10 million are being offered by the U.S. State Department's Rewards for Justice program.
SentinelOne is reporting on the Terminator EDR killer - Spyboy.

The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.

B2B Startup Growth
EP#22: Does a CMO Really Get 100 Days of Grace?

Apr 13, 2023 54:06


In this episode, the CMO of Checkmarx, Amit Daniel, shares her insights and experiences on the first 100 days of a CMO, marketing budgets for 2023, and the importance of internal marketing. Amit provides us with valuable insights on how to effectively come up with a strategy, whether it's best to wait and listen or take charge immediately, and how to make the most of the "first 100 days of grace." When we shift our focus to marketing budgets for 2023, Amit offers great advice on how companies can effectively navigate the challenges that come with a recession and tips for professionals on dealing with shrinking marketing budgets. Stick around 'til the end of the episode to hear about the importance of internal marketing and how the CMO's efforts can be directed inward. Amit shares the significance of internal marketing, and how to optimize results, and reveals any "special ingredients" or communication styles that she finds more effective with management.

Resources In Today's Episode:
Amit's LinkedIn Profile
Checkmarx Website

Cyber Briefing
Cyber Briefing - 2023.02.23

Feb 23, 2023 0:59


Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts and incidents every weekday. First time seeing this? Please subscribe.

Cyber Alerts

Backdoor malware found on hundreds of servers after exploit of ConnectWise vulnerability
Cybersecurity company Fox-IT has discovered that an attack targeting the ZK Java framework of ConnectWise's R1Soft Server Backup Manager software has led to hundreds of servers being infiltrated with backdoors. While ConnectWise warned customers of the vulnerability back in October 2022, the flaw - a form of authentication bypass - has continued to be exploited, with Fox-IT finding evidence of it being used to gain server access since late November of that year. Fox-IT has now released indicators of compromise (IoCs) to help organizations determine whether they have been targeted using the vulnerability.

Hydrochasma: A New Threat Actor Using Open-Source Tools for Intelligence-Gathering Campaigns
Shipping companies and medical laboratories in Asia are being targeted in an intelligence-gathering campaign by a new threat actor, Hydrochasma, using open-source tools exclusively. Although no data exfiltration has been observed, the tools deployed could potentially allow for remote access and data exfiltration. The campaign, which began in October 2022, targets industries that may be involved in COVID-19 treatments or vaccines.

Over 15,000 Spam Packages Flood Open Source NPM Repository To Distribute Phishing Links
A recent report by Checkmarx warns of a massive campaign that deployed over 15,000 spam packages in the NPM repository to distribute phishing links. The attackers used automated processes to create the packages with descriptions and names that closely resembled one another. The rogue packages were designed to trick users into downloading them and clicking on the links to the phishing sites that promised increased followers on social media platforms.

humans-of-infosec
Episode 79: Ways to Keep Code From Turning Into a Security Time Bomb | Peter Chestna


Play Episode Listen Later Dec 22, 2022 23:25


As the CISO of North America at Checkmarx, Peter works towards providing the technology, expertise, and intelligence that enable developers and enterprises to secure the world's applications. A lifelong developer at heart, Peter shares with Caroline his insights on what motivates Dev teams to prioritize security, and why so many current strategies are failing. You'll learn more about how to not let your tools bury you in work, how to implement mutual accountability around security, and tactics to prevent open source code from blowing up your entire application when a new 0-day comes up.

The CyBUr Guy Podcast
The CyBUr Guy Podcast Ep. 84 - Application Vulnerability Scanning Discussion at the 2022 National Cyber Summit


Play Episode Listen Later Nov 6, 2022 41:28


In Episode 84 I interviewed Rusty Sides and Eric Friese of Checkmarx and Ted Rutcsh of Invicti about Application Vulnerability Scanning at the 2022 National Cyber Summit from Huntsville. Before the interviews I go on a slight rant about an NY Times editorial called "Why the FBI is so Far Behind in Cybercrime" (Opinion | Why the F.B.I. Is So Far Behind on Cybercrime - The New York Times (nytimes.com)). Needless to say, I have thoughts... Give a listen, tell a friend. Check out the companies interviewed on this episode at www.checkmarx.com and www.invicti.com

CISO Tradecraft
#94 - Easier, Better, Faster, & Cheaper Software


Play Episode Listen Later Sep 5, 2022 23:28


Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so.

Shigeo Shingo, who lived from 1909 to 1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority."

Satya Nadella, the CEO of Microsoft, stated that, "Every company is a software company. You have to start thinking and operating like a digital company. It's no longer just about procuring one solution and deploying one solution... It's really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence."

The first time I heard this I didn't really fully understand it. But after reflection it makes a ton of sense. For example, let's say your company couldn't send email. How much would that hurt the business? What if your company couldn't use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win.

If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good, right?

That is the focus of today's show, and we are going to teach you how to excel in creating a world-class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security.

Let's first look at increasing productivity. To increase productivity, we need to understand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches.

At the bottom of the pyramid are people who are unknowing. These individuals don't know what to do. You can think of the interns in your company. They just got to your company, but don't understand what practices and processes to follow. If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "Do you know to whom I should speak about such-and-such?" or "Do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner.

The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals that don't know how to do the task at hand. Here, communications are important, but also skills training. Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward. If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company's productivity or lower your costs.

At the top of the resistance pyramid are the people who are unwilling. These individuals don't want to change. We might call these folks the curmudgeons that say we tried it before, and it doesn't work. Or I'm too old to learn that. If you want to change these individuals and the culture of an organization, then you need to create motivation.

As leaders, our focus to stimulate change will be on communicating, educating, and motivating. The first thing that we need to communicate is the Why. Why is Secure Software Development important? The answer is money. There are a variety of studies that have found that when software vulnerabilities get detected in the early development processes, they are cheaper to address than later in the production phases. Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test phase was $960, and in the Production phase was $7,600. Think of that difference. $80 is about 1% of $7,600. So if a developer finds bugs in the development code, then they don't just save their own time: they save the time of a second developer who doesn't have to do a failed code review, they save the time of an infrastructure engineer who has to put the failed code on a server, they save the time of another tester who has to create regression tests which fail, they save the time of a wasted change approval board on a failed release, and they save the customer representatives' time who will respond to customers when the software is detected as having issues. As you see there's a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway.
Saving their own time is something that will directly appeal to every development team member. To do this we need to do something called Shift Left Testing. The term shift left refers to finding vulnerabilities earlier in development. To properly shift left we need to create two secure software development programs.

The first program needs to focus on the processes that an organization needs to follow to build software the right way. This is something you have to build in house. For example, think about how you want software teams to create a network diagram that architects can look at in your organization. Think about the proper way to register an application into a Configuration Management Database so that there is a POC who can answer questions when an application is down. Think about how a developer needs to get a DNS entry created for new websites. Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, Vuln Management, Container Scanning, etc.). Think about how developers should retire servers at end of life. These practices are unique to your company. They may require a help desk ticket to make something happen or, if you don't have a ticketing system, an email. We need to document all of these in one place where they can be communicated to the staff members who will be following the processes. Then our employee has a checklist of activities they can follow. Remember, if it's not in the checklist, then it won't get done. If it doesn't get done, then bad security outcomes are more likely to happen. So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company. You can place this knowledge into a wiki article, a SharePoint site, a Confluence page, or some kind of website. Make sure to communicate this frequently. For example, have the CIO or CISO share it at the IT All Hands meeting. Send it out in monthly newsletters. Refer to it in security discussions and architecture review boards. The more it's communicated, the more unknowing employees will hear about it and change their behavior.

The second program that you should consider building is a secure code training platform. You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Codebashing. These secure code training solutions are usually bought by organizations instead of being created in-house. They teach developers how to write more secure code. For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?" If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code. Make these types of training programs available to every developer in your company.

Lastly, we need to find a way to motivate the curmudgeons. One way to do that is the following: let's say you pick one secure coding platform and create an initial launch. The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200. This perk might get a lot of people interested in the platform. You might even get 10-20% of your organization taking the training in the first quarter of the program. The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorably than their peers. Guess what? You will see more and more people taking the training class. Perhaps you see that 50% of your developer population becomes certified. Then the following year you say that since so many developers are now certified, to achieve the rank of Senior Developer within the organization, it is now expected to pass this training. It becomes something HR folks look for during promotion panels. This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledge base.

Here's a pro tip: be sure to create some kind of badges or digital certificates that employees can share. You might even hand out stickers upon completion that developers can proudly place on their laptops. Simple things like this can increase visibility. They can also motivate people you didn't think would change.

Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it's time to increase convenience and reduce waste. Do you know what developers hate? Well, other than last-minute change requests. They hate inefficiencies. Imagine if you get a vulnerability report that says you have a bug on line 242 in your code. So you go to the code, and find there really isn't a bug; it's just a false positive in the tool. This false bug detection really, well, bugs developers. So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool. One way to do this is to run the tools you are considering against the OWASP Benchmark. (We have a link to the OWASP Benchmark in our show notes.) The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code. In reality, testing tools flag both good code and bad code. These results should be compared against the ground truth data to determine how many true/false positives were found. For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate, then that means the tool pretty much reports everything as vulnerable. This means valuable developer time is wasted and they will hate the tool despite its value.
If the tool has a 50% True Positive Rate and a 50% False Positive Rate, then the tool is essentially reporting randomly. Once again, this results in lost developer confidence in the tool. You really want tools that have high True Positive Rates and low False Positive Rates. Optimize accordingly.

Another developer inefficiency is the number of tools developers need to leverage. If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, WebInspect for DAST findings, Prisma for Container findings, and TruffleHog for secrets scanning, it becomes a burden. If ten systems require two minutes of logging in and setup each, that's twenty minutes of unproductive time. Multiply that by the number of developers in your organization and you can see just how much time is lost by your team just to get set up to perform security checks.

Let's provide convenience and make development faster. We can do that by centralizing the security scanning results into one tool. We recommend putting all the security findings into a Source Code Repository such as GitHub or GitLab. This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place. This means that they are more likely to make those fixes since they actually see them. You can provide this type of view to developers by buying tools such as GitHub Advanced Security. Now this won't provide all of your security tools in one place by itself. You still might need to show container or cloud findings which are not in GitHub Advanced Security. But this is where you can leverage your Source Code Repository's native CI/CD tooling. GitHub has Actions and GitLab has Runners. With this CI/CD function developers don't need to go to Jenkins and other security tools. They can use a GitHub Action to integrate Container and Cloud findings from a tool like Prisma. This means that developers have even fewer tools from a CI/CD perspective as well as less logging into security tools. Therefore, convenience improves.

Now look at it from a longer perspective. If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce. This could be reviewed at the Change Approval Board. You could also fast track developers who are coding securely. If a developer has zero findings observed in GitHub, then that code can be auto-approved for the Change Approval. However, if you have high/critical findings then you need manager approvals first. These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022). This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings.

Another key way we can make software faster is by performing value stream mapping exercises. Here's an example of how that reduces waste. Let's say from the time Nessus finds a vulnerability there are actually fifteen steps that need to occur within an organization to fix the vulnerability. For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it's a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc. Each of these fifteen steps takes time and often requires different handoffs between teams. These activities often mean that things sit in queues. This can result in waste and inefficiencies. Have your team meet with the various stakeholders and identify two time durations. One is the best-case time for how long something should take to go through in an optimal process. The second is the average time it takes things to go through in the current process. At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days. This insight can show you where you are inefficient. You can identify ways to speed up from ninety to twenty days. If you can do this faster, then developer time is gained. Now, developers don't have to wait for things to happen. Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster.

OK, last but not least is making software better by increasing security. At the end of the day, there are many software activities that we do which provide zero value to the business. For example, patching operating systems on servers does not increase sales. What makes the sales team sell more products? The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell. Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems? No, we did not. We are saying patching operating systems is not a value-add exercise. Here's what we do recommend. Ask every development team to identify what maintenance activities they perform, like patching. Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement. You know the ones: solutions still running via on-premises VMware software, software needing monthly Java patching, and software where if the wind blows the wrong way you have an unknown error. These systems are ripe for replacement. It can also be a compelling sell to executives. For example, imagine going to the CIO and CEO of Acme Corporation. You highlight that the Acme app is run by a staff of ten developers who fully loaded cost us about $250K each.
Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees. You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe that if the team were to rewrite the application in a modern programming language using a serverless technology approach, the team could lower maintenance activities from 80% to 30%. This means that the maintenance costs would decrease from $2 million to $750K each year. Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year. (No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.)

Now if you just did a lift and shift to AWS and ran the servers on EC2 or ECS, then you still have to patch the instance operating systems, middleware, and software -- all of which is a non-value add. This means that you won't reduce the maintenance activities from 80% to 30%. Don't waste developer time on these expensive transition activities; you're not going to come out ahead. Now let's instead look at how to make that maintenance go away by switching to a serverless approach. Imagine if the organization rewrote the VMware application to run on either a third-party hosted SaaS platform such as Salesforce or Office 365, or a serverless AWS application consisting of Amazon S3 buckets to handle front-end code, an Amazon API Gateway to make REST API calls to endpoints, AWS Lambda to run code to retrieve information from a database, and DynamoDB to store data for the application. This new software shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware. It also means developers don't spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level. This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability. This serverless approach truly is better and more secure. There's a great story from Capital One you can look up in our show notes that discusses how they moved from EC2 servers to Lambda for their Credit Offers Application Interface. The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers. Capital One uses this newfound developer time to innovate, create, and expand on business requirements. So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don't add value to the business.

Let's recap. World-class CISOs create a world-class software development organization. They do this by focusing on cheaper, faster, and better software. To perform this function, CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices. World-class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers, which means time savings in not weeding out false positives. Developers live in Source Code Repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police. World-class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient. Finally, world-class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game. These CISOs partner with the business to focus on finding systems that, when re-architected to become serverless, increase performance gains, promote cost savings, and increase developer velocity.

We appreciate your time listening to today's episode. If this sparks a new idea in your head, please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment. We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft. This is G. Mark Hardy, and until next time, stay safe out there.

References
https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/
https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/
Galpin, T.J. (1996). The Human Side of Change: A Practical Guide to Organization Redesign. Jossey-Bass.
https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change
Ponemon Institute and IBM. (2017). The State of Vulnerability Management in the Cloud and On-Premises.
https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/
https://www.securecodewarrior.com/
https://www.securityjourney.com/
https://checkmarx.com/product/codebashing-secure-code-training/
https://owasp.org/www-project-benchmark/
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security
https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f

ITSPmagazine | Technology. Cybersecurity. Society
Everything Is Driven By Code And Code Is Controlled By APIs: Taking Application Security To The Next Level Through Research, Assessments, Scanning, And Training | A Checkmarx Origin Story With Renny Shen And Bryant Schuck


Play Episode Listen Later Aug 11, 2022 43:43


Application development has become an extremely complex endeavor, with multiple components involved ranging from open source libraries to shared cloud services and microservices accessed through APIs. The only thing more difficult than building an advanced application is securing it. But it doesn't need to be that way.

This is where Checkmarx comes in. With a focus on application and API security assessments, scanning, and training, DevOps and AppSec teams can work together to reduce the complexity in application development and delivery, ensuring that time-to-market requirements are met alongside the equally important functional and security requirements.

"A lot of where we focus for the future is staying on top of how applications are changing... and how customers are building their applications." ~Bryant

The team at Checkmarx didn't just develop a set of strong capabilities and stop there; they continue to follow the engineering trends and IT Ops trends, and continue to meet the needs of the modern application and the modern DevOps environment. With this, they recognize that the environment is under constant change - that organizations are forever transforming. This means everything that makes the business run is also changing - the apps, the cloud, the containers, the libraries, and the microservices, as just a few examples.

"When it really comes down to focus, if you have a single platform, there's a lot of awesome things that you can do with that data." ~Bryant

Similarly, as the environments expand and become even more complex, it's critical to have a single view into defining, managing, and ensuring success throughout the entire app development lifecycle. Complexity is the enemy of security. Reducing complexity is what Checkmarx is after.

"That's what I really like about Checkmarx as a company. It is a whole culture and mission, just not selling security, but actually helping our customers." ~Renny

Listen in as we get to hear from Renny and Bryant about the origin and journey of Checkmarx - past, present, and future.

Note: This story contains promotional content.

Guests
Renny Shen, Director of Product Marketing at Checkmarx [@Checkmarx]
On LinkedIn | https://www.linkedin.com/in/renny-shen/
Bryant Schuck, Senior Product Manager at Checkmarx [@Checkmarx]
On LinkedIn | https://www.linkedin.com/in/bryant-schuck/

Resources
Learn more about Checkmarx and their offering: https://itspm.ag/checkmarx-i9o5
Watch the video version and listen to the audio version of this conversation at: https://itspmagazine.com/their-stories/everything-is-driven-by-code-and-code-is-controlled-by-apis-securing-apps-through-research-assessments-scanning-and-training-a-checkmarx-origin-story-with-renny-shen-and-bryant-schuck
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

Redefining CyberSecurity
Everything Is Driven By Code And Code Is Controlled By APIs: Taking Application Security To The Next Level Through Research, Assessments, Scanning, And Training | A Checkmarx Origin Brand Story With Renny Shen And Bryant Schuck


Play Episode Listen Later Aug 11, 2022 43:43


Application development has become an extremely complex endeavor, with multiple components involved ranging from open source libraries to shared cloud services and microservices accessed through APIs. The only thing more difficult than building an advanced application is securing it. But it doesn't need to be that way.

This is where Checkmarx comes in. With a focus on application and API security assessments, scanning, and training, DevOps and AppSec teams can work together to reduce the complexity in application development and delivery, ensuring that time-to-market requirements are met alongside the equally important functional and security requirements.

"A lot of where we focus for the future is staying on top of how applications are changing... and how customers are building their applications." ~Bryant

The team at Checkmarx didn't just develop a set of strong capabilities and stop there; they continue to follow the engineering trends and IT Ops trends, and continue to meet the needs of the modern application and the modern DevOps environment. With this, they recognize that the environment is under constant change - that organizations are forever transforming. This means everything that makes the business run is also changing - the apps, the cloud, the containers, the libraries, and the microservices, as just a few examples.

"When it really comes down to focus, if you have a single platform, there's a lot of awesome things that you can do with that data." ~Bryant

Similarly, as the environments expand and become even more complex, it's critical to have a single view into defining, managing, and ensuring success throughout the entire app development lifecycle. Complexity is the enemy of security. Reducing complexity is what Checkmarx is after.

"That's what I really like about Checkmarx as a company. It is a whole culture and mission, just not selling security, but actually helping our customers." ~Renny

Listen in as we get to hear from Renny and Bryant about the origin and journey of Checkmarx - past, present, and future.

Note: This story contains promotional content.

Guests
Renny Shen, Director of Product Marketing at Checkmarx [@Checkmarx]
On LinkedIn | https://www.linkedin.com/in/renny-shen/
Bryant Schuck, Senior Product Manager at Checkmarx [@Checkmarx]
On LinkedIn | https://www.linkedin.com/in/bryant-schuck/

Resources
Learn more about Checkmarx and their offering: https://itspm.ag/checkmarx-i9o5
Watch the video version and listen to the audio version of this conversation at: https://itspmagazine.com/their-stories/everything-is-driven-by-code-and-code-is-controlled-by-apis-securing-apps-through-research-assessments-scanning-and-training-a-checkmarx-origin-story-with-renny-shen-and-bryant-schuck
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

Tattoos, Code, & Data Flows
Transitioning from Being a Web Developer to Becoming a Sales Engineer w/ Sean Casey, Director of Sales Engineering at Checkmarx


Play Episode Listen Later Jul 27, 2022 21:22


In Episode 20 of Tattoos, Code, and Data Flows, Matt Rose interviews Sean Casey, Director of Sales Engineering at Checkmarx. Sean Casey has had 13 years of experience as a Web Developer working with numerous companies in the security world. Sean later transitioned into the Sales Engineer world for the last 6 years, and has been crushing it ever since. In 2019, he received the CEO Employee Excellence award for North America!

Sean and Matt talk about:
↳ The responsibilities of a successful sales engineer
↳ Supply Chain Risks vs OWASP Top 10 Risks
↳ The rise of the Site Reliability Engineer
↳ The problems with auto-remediation today
And so much more.

Be sure to listen to this episode, and so many of our other great episodes, by hitting the follow button. Make sure to like and subscribe to the episode. We hope you enjoy it!

Tattoos, Code, & Data Flows
Securing Business Critical Apps in Production w/ Matt Rose (Chief Architect at Bionic)

Tattoos, Code, & Data Flows

Play Episode Listen Later Jul 20, 2022 10:26


In Episode 19 of Tattoos, Code, and Data Flows, Matt Rose discusses the importance of understanding your application security posture in production, rather than shifting left and testing only in the pre-production stages. Matt is a technical Application Security Testing (AST) leader with a record of consistent accomplishments in sales and sales engineering management roles. He has more than 20 years of experience in application security sales, sales engineering leadership, software development, marketing, and consulting. Matt was a key thought leader at two AST vendors that grew from the startup phase to major acquisition (Fortify and Checkmarx). He is also an accomplished public speaker and has been quoted in 50+ AST industry media publications. After 15+ years in the SAST world, Matt joined Bionic to help define a new concept in security and risk identification: Application Security Posture Management (ASPM), something Matt had been talking about, in concept, for years. Today, Matt covers:

The Security Podcasts
How to Avoid Common Cybersecurity Vulnerabilities

The Security Podcasts

Play Episode Listen Later Jul 13, 2022 13:04


Erez Yalon, Vice President of Security Research at Checkmarx, talks about how security leaders can avoid common cybersecurity vulnerabilities found across the enterprise cyber landscape. What makes security research important? How can security researchers ensure successful cybersecurity innovations? Discover answers to these questions and more in the latest The Security Podcasts episode.

Tattoos, Code, & Data Flows
Application Security Fundamentals w/ Peter Chestna (CISO of North America at Checkmarx)

Tattoos, Code, & Data Flows

Play Episode Listen Later Jul 13, 2022 37:36


In Episode 18 of Tattoos, Code, and Data Flows, Matt Rose interviews Peter Chestna, CISO of North America at Checkmarx. He is also a Board Member of the DevSecCon Global Community and of MergeBase. Peter is a proven engineering and security leader with deep technical experience. He is an outspoken expert on DevOps/DevSecOps and has 16 years of experience in the application security industry. He is effective in building, leading and developing high-velocity Agile and DevOps teams with security as a first-class citizen. He also speaks internationally at both security and developer conferences. Peter and Matt talk about:
↳ Defining DevOps and Agile
↳ CI/CD automation vs. functionality/capability
↳ Application security fundamentals and hygiene
↳ The challenges and intentions of being a CISO
And much more. Be sure to listen to this episode, and to our other episodes, by hitting the follow button. Make sure to like and subscribe. We hope you enjoy it!

Tattoos, Code, & Data Flows
Building a Career in Cybersecurity w/ Matt Rose (Chief Architect at Bionic)

Tattoos, Code, & Data Flows

Play Episode Listen Later Jun 29, 2022 10:41


We have a very special podcast guest this week: our very own Chief Architect, Matthew Rose

TestGuild News Show
Playwright, Cypress, GitHub Action and More TGNS39

TestGuild News Show

Play Episode Listen Later Apr 18, 2022 9:36


Want to know how to make testing easy with GitHub? Have you heard of this new way to tame cloud complexity? Are you concerned about security and use JetBrains IntelliJ IDEA Ultimate? Find out the answers to these and other end-to-end pipeline DevOps, automation, performance, and security testing questions in 10 minutes or less in this episode of the TestGuild News Show for the week of April 17.
0:21 Applitools Free Account https://rcl.ink/xroZw
0:53 GitHub http://applitools.info/9m1
1:34 TestContainers https://links.testguild.com/DC9t5
2:37 Playwright https://links.testguild.com/xKij1
3:36 Cypress https://links.testguild.com/mCHsB
4:18 Splunk https://links.testguild.com/RIO5n
5:19 Datadog https://links.testguild.com/uf2xn
6:40 Salt/Idem https://links.testguild.com/Tduad
8:15 Checkmarx https://links.testguild.com/2v7K2

DevSecOps Podcast
#13 - 9 ideas to improve security

DevSecOps Podcast

Play Episode Listen Later Apr 13, 2022 44:28


In this episode full of numerology, we bring you 9 expert tips to improve your security today. Each guest compiled exclusive tips just for you.

The Hacking HR Podcast
The Hacking HR Podcast - Episode 372

The Hacking HR Podcast

Play Episode Listen Later Mar 8, 2022 15:31


Interview with Dalit Krainer. Dalit is the CHRO at Checkmarx. She is a senior executive leader with more than 20 years of success. Leveraging extensive experience in leadership development and cultural transformation, Dalit is a valuable advisor for leaders and organizations, enabling them to develop and succeed. She also has vast experience in acquisition management, having worked with organizations to prepare them for post-merger integration and IPO.

CX Files
Shira Dodi - Checkmarx - Cybersecurity And CX

CX Files

Play Episode Listen Later Feb 3, 2022 25:58


Shira Dodi is the VP of Global Support at Checkmarx in Israel. In this episode Shira talks about cybersecurity, data protection, and how CX companies can protect important customer data. https://checkmarx.com/ https://www.linkedin.com/in/shira-dodi-0a0819/

Security Architecture Podcast
Checkmarx (AppSec) - Season 03/06 - Episode #34

Security Architecture Podcast

Play Episode Listen Later Dec 9, 2021 17:44


This season is dedicated to application security. Our guest for the show is James Brotsos, Developer Advocate and Product Manager; James leads all strategic and product integrations for Checkmarx.
To promote our work and support the podcast, please review us here: https://www.podchaser.com/podcasts/security-architecture-podcast-1313281
Season 3 kickoff episode with Tanya Janca: Season 3 Kickoff Episode - Application Security - Tanya Janca - YouTube
Demo/POC: https://checkmarx.com/product/software-security-platform/
Whitepaper: https://checkmarx.com/resources/ebooks-and-whitepapers
Checkmarx: Checkmarx is constantly pushing the boundaries of Application Security Testing to make security seamless and simple for the world's developers while giving CISOs the confidence and control they need. As the AppSec testing leader, we provide the industry's most comprehensive solutions, giving development and security teams unparalleled accuracy, coverage, visibility, and guidance to reduce risk across all components of modern software, including proprietary code, open source, APIs, and infrastructure as code. Over 1,600 customers, including half of the Fortune 50, trust our security technology, expert research, and global services to securely optimize development at speed and scale.
James Brotsos | Product Manager - Developer Experience | https://www.linkedin.com/in/jbrotsos/
Developer Advocate and Product Manager, James leads all strategic and product integrations for Checkmarx, a leader in Application Security Testing solutions. He comes with fifteen years of software engineering experience in network protocol and kernel development. In his spare time, he volunteers mentoring computer science high school students in the Bay Area. He is an active "maker", and his main hobby is following IoT technology and trends.

The CyBUr Guy Podcast
The CyBUr Guy Podcast Ep.54: Vulnerability Identification discussion from the 2021 National Cyber Summit

The CyBUr Guy Podcast

Play Episode Listen Later Oct 30, 2021 38:54


In this episode I talk to Rusty Sides and Robert Talley from Checkmarx and Jarrod Hardy from Xyston about how their companies identify and mitigate vulnerabilities in software and hardware to protect companies and individuals. I also discuss the CyBUrSmart program and a new YouTube channel. Give a listen, tell a friend. #knowledgeisprotection

Insider Research im Gespräch
Everything you need to know about IaC security, with Tom Zaubermann of Checkmarx

Insider Research im Gespräch

Play Episode Listen Later Oct 19, 2021 27:09


Adoption of Infrastructure as Code (IaC) has grown considerably as companies move to the cloud and look for ways to make infrastructure provisioning faster and more scalable. But IaC brings a range of risks with it. How can the benefits of IaC be realized while detecting its weaknesses early? The interview by Oliver Schonschek, Insider Research, with Tom Zaubermann of Checkmarx provides answers.

Insider Research im Gespräch
Everything you need to know about API security, with Tom Zaubermann of Checkmarx

Insider Research im Gespräch

Play Episode Listen Later Oct 5, 2021 27:32


Cyberattacks increasingly abuse APIs (Application Programming Interfaces), yet API security has not yet received the attention it deserves at many companies. What needs to happen to better prevent API abuse? The interview by Oliver Schonschek, Insider Research, with Tom Zaubermann of Checkmarx provides answers.

We Hack Purple Podcast
We Hack Purple Podcast Episode 49 with guest Adrian Sanabria

We Hack Purple Podcast

Play Episode Listen Later Aug 9, 2021 54:20 Transcription Available


Host Tanya Janca learns what it's like to do cybersecurity product testing and reviews at Security Weekly Labs with guest Adrian Sanabria! Thank you to our sponsor Checkmarx! https://www.checkmarx.com/ Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses. Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter here: https://newsletter.wehackpurple.com/ Find us on Apple Podcast, Overcast + Pod

Meat & Potatoes Podcast
Providing Security Solutions and Training

Meat & Potatoes Podcast

Play Episode Listen Later Aug 3, 2021 26:03


In this episode we visit with Randall Belknap, Regional Vice President of US Public Sector Sales (Federal, State, and Local Government, and Higher Education) at Checkmarx. Checkmarx is a global software security company creating software security solutions and providing security training for developers. Listen to Randall explain the importance of product development at Checkmarx and describe Codebashing, one of Checkmarx's learning platforms that helps developers find solutions.

Silicon Slopes
Providing Security Solutions and Training

Silicon Slopes

Play Episode Listen Later Aug 3, 2021 26:03


In this episode we visit with Randall Belknap, Regional Vice President of US Public Sector Sales (Federal, State, and Local Government, and Higher Education) at Checkmarx. Checkmarx is a global software security company creating software security solutions and providing security training for developers. Listen to Randall explain the importance of product development at Checkmarx and describe Codebashing, one of Checkmarx's learning platforms that helps developers find solutions.

We Hack Purple Podcast
We Hack Purple Podcast Episode 48 with Pierre DeBois

We Hack Purple Podcast

Play Episode Listen Later Jul 30, 2021 66:48


Host Tanya Janca learns what it's like to found and run a small business (Zimana Analytics) focused on data analytics, with guest Pierre DeBois! Thank you to our sponsor Checkmarx! https://www.checkmarx.com/ Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses. Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter here: https://newsletter.wehackpurple.com/ Find us on Apple Podcast, Overcast + Pod

Agent of Influence
Episode 032 - “Shift Left, But Not Too Left”: A Conversation on AppSec and Development Trends - Maty Siman

Agent of Influence

Play Episode Listen Later Jul 14, 2021 27:20


“Shift Left, But Not Too Left”: A Conversation on AppSec and Development Trends
In this episode of Agent of Influence, Nabil speaks with Maty Siman, founder and CTO at Checkmarx. Hear Maty share the Checkmarx origin story and discuss application security and development trends, how to manage open-source software risks, the concept of shift left, challenges of API security, the future of IAST, static analysis best practices, and biking in the Israeli desert.

Caveat
Privacy as a competitive advantage.

Caveat

Play Episode Listen Later May 5, 2021 41:43


Our guest Erez Yalon, senior director of security research at Checkmarx, joins Dave to discuss Apple’s App Tracking Transparency policy. Ben describes how the FBI has been found violating some privacy rules, Dave has the story of Apple being sued over access to movies you buy online, and our Listener on the Line is Jonathan, sharing updates on the ParkMobile breach and asking how companies can be held to account for the loss of "basic data" when the harms that result can't be directly linked to the loss. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Links to stories:
Federal court approved FBI’s continued use of warrantless surveillance power despite repeated violations of privacy rules
Apple sued for terminating account with $25,000 worth of apps and videos
ParkMobile Update: Security Notification - March 2021
Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

The Digital Executive
Tech Entrepreneur Coding Since Age 7 Making the Cyber World Safer with CTO Maty Siman | Ep 268

The Digital Executive

Play Episode Listen Later Apr 21, 2021 9:06


Checkmarx's Founder & CTO, Maty Siman, joins Coruzant Technologies for the Digital Executive podcast. He shares how he received his first computer at age seven and has been coding ever since. He's an entrepreneur looking to change the world by addressing cybersecurity problems.

What the Dev?
Open-source meets DevSecOps with Checkmarx's Stephen Gates - Episode 96

What the Dev?

Play Episode Listen Later Mar 30, 2021 15:01


In today’s podcast, we talked about the use of open-source technology in DevSecOps, and the pros and cons of building it into security strategies, with Stephen Gates, a security evangelist and senior solutions specialist at Checkmarx. Also, be sure to listen to our other podcast episode where Stephen Gates provides great insights on "All about KICS, the open source solution for static code analysis of Infrastructure as Code - Episode 92".

What the Dev?
All about KICS, the open source solution for static code analysis of Infrastructure as Code - Episode 92

What the Dev?

Play Episode Listen Later Mar 16, 2021 21:22


In today’s podcast, we talked about KICS, which is an open-source project for securing infrastructure as code together with Stephen Gates, a security evangelist and senior solutions specialist at Checkmarx, the company driving the effort. We talk about why infrastructure as code has seen a tremendous rise and about the origins of the KICS project. 

MamraMic
MamraMic #24 - Maty Siman

MamraMic

Play Episode Listen Later Jun 29, 2020 32:52


Episode 24 of MamraMic, the podcast of the Mamram alumni association, is here! This time with the founder and CTO of Checkmarx, Maty Siman, a graduate of the Kana programming course who served at Basmach and in the Matzov unit. How do you spot the next unicorn? Which path do you choose? What are the challenges? And how do you sign a deal worth 1.15 billion dollars (and how do you tell employees who are working from home because of COVID)? And how much did Maty's service as an instructor at Basmach help him along this crazy path? A story of dedication to the goal, going all the way, and tons of inspiration! Hosts - Yossi Melamed and Roy Eisenman. Press play, okay?

Paul's Security Weekly TV
F-Secure, Checkmarx SCA, & Sonatype Nexus - ESW #187

Paul's Security Weekly TV

Play Episode Listen Later Jun 11, 2020 34:18


Morpheus announces Zero-Trust Cloud Management Platform, Thycotic releases a new version of DevOps Secrets Vault, Qualys Remote Endpoint Protection gets malware detection, F-Secure launches ID PROTECTION, Vectra integrates network threat detection and response for Microsoft Security Services, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode187

Enterprise Security Weekly (Video)
F-Secure, Checkmarx SCA, & Sonatype Nexus - ESW #187

Enterprise Security Weekly (Video)

Play Episode Listen Later Jun 10, 2020 34:18


Morpheus announces Zero-Trust Cloud Management Platform, Thycotic releases a new version of DevOps Secrets Vault, Qualys Remote Endpoint Protection gets malware detection, F-Secure launches ID PROTECTION, Vectra integrates network threat detection and response for Microsoft Security Services, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode187

Consoft Sistemi News
Consoft Sistemi secures its customers' software with Checkmarx

Consoft Sistemi News

Play Episode Listen Later May 5, 2020 3:13


The agreement covers the entire Checkmarx offering, from the leading company in application security...

The CyberWire
Reactions to allegations in Georgia’s October cyber incidents. Commodification of spamming kit. Satellite vulnerabilities. Election security. FISA reauthorization? Mr. Assange’s extradition. RSAC 2020.

The CyberWire

Play Episode Listen Later Feb 24, 2020 21:30


The EU condemns Russian cyberattacks on Georgia, and Russia says Russia didn’t do it, it’s all propaganda. Skids can buy spamming tools for less than twenty bucks. Satellite constellations offer an expanding attack surface. Amid continuing worries about US election security, the question of Russian trolling or home-grown American vitriol arises in Nevada (but the smart money’s on the U S of A). FISA reauthorization is coming up. And hello from RSAC 2020. Joe Carrigan from JHU ISI on SIM swappers targeting carrier employees; our guest is Erez Yalon from Checkmarx on the recently published OWASP API Security Top Ten list. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_24.html Support our show

Application Security PodCast
Erez Yalon — The OWASP API Security Project

Application Security PodCast

Play Episode Listen Later Jan 3, 2020 36:54


Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy [...] The post Erez Yalon — The OWASP API Security Project appeared first on Security Journey Podcasts.

Techie Talkie
How a business blog post got 20,000 shares, and how to harness open source for content marketing, with Amit Ashbel

Techie Talkie

Play Episode Listen Later Dec 25, 2019 29:39


Hello friends, this time we have the honor of hosting Amit Ashbel, VP of Marketing at Cognigo, which was recently acquired by NetApp, and formerly Director of Product Marketing at Checkmarx, one of the largest cyber companies in Israel. In the show we focus on content strategy and how to create content that rises above the noise and has a meaningful impact on the company. We talked about the cyber research lab we set up back then at Checkmarx for marketing purposes and the huge effect it had. How can you harness open-source products that compete with your own product to promote yourselves? And how do you leverage the open-source community on GitHub to distribute and market content? In this episode we also launch a new format in which every guest is asked the same set of questions and tells us about "the move they will never forget" and their "glorious failure". Salamat, all the best, Carmel and Asaf

RSA Conference
Hey Google, Activate Spyware

RSA Conference

Play Episode Listen Later Nov 22, 2019 17:11


In today’s digitally connected world, security vulnerabilities can literally pop up in a flash. In this podcast, Britta Glade talks to Checkmarx’s Erez Yalon about how he and his team discovered an Android camera app vulnerability that could allow hackers to access videos and photos—and even spy on users.

Bitcoin, Blockchain, and the Technologies of Our Future

This week Checkmarx released a video exposing a vulnerability in android cameras that allows hackers to use your camera, record your conversations, and find your location, all without you knowing. I explain how the hack works, and what you can do about it. Biggest takeaway: Always update your apps and your phone's OS! This is part of my ongoing privacy series inspired by Snowden, to teach you about the vulnerabilities in your devices and give you tools to help you live a modern, privacy-conscious lifestyle. video: https://youtu.be/EwkHaBrlhIE

DevOps Chat
Checkmarx Updates Open Source Scanning with new CxOSA

DevOps Chat

Play Episode Listen Later Jun 17, 2019 20:37


As more and more of the components that make up the applications we use are open source, the need to secure those open source components increases. Of course Equifax is the poster child for this issue. Checkmarx, one of the leaders in application security scanning, has had an open source scanning module for some time. They have now updated it with a new homegrown engine that greatly improves the scanner's ability to detect open source vulnerabilities in your applications. https://www.checkmarx.com/press-releases/checkmarx-makes-sca-market-waves-with-enhanced-open-source-security-offering In this DevOps Chat we speak with Matthew Rose of Checkmarx about what this means for you.

NeRadio. Science, technology, cars - Hi-tech
Your Android will be hacked over NFC before you finish your coffee

NeRadio. Science, technology, cars - Hi-tech

Play Episode Listen Later Oct 22, 2018 1:24


At the Hack.lu conference in Luxembourg, experts from Checkmarx presented a new technique for remotely attacking Android devices; a recording of the presentation has been published on YouTube. According to the researchers, the attacker first needs to get malicious software onto the Android device; that software can then leak the user's personal data out over NFC. As they explained, NFC normally allows data exchange or payments only when devices are no more than 10 centimeters apart. However, Checkmarx warns that the new attack method, called NFCdrip, lets attackers exfiltrate personal information over a much greater distance, up to 60 meters. The researchers do not rule out that the same approach could be used against devices other than smartphones, such as laptops, Planet Today writes. Note that specialists had earlier identified a dangerous vulnerability in the WhatsApp messenger; according to them, attackers could gain access to personal data at the moment the user answered a video call.

Cyber Chat with Sean Kelley
Why application security should be a priority

Cyber Chat with Sean Kelley

Play Episode Listen Later May 31, 2018 27:57


On this episode of CyberChat, host Sean Kelley, former EPA CISO, is joined by Nick Sinai, senior adviser at Insight Venture Partners and Matt Rose, director of Application Security Strategy at Checkmarx.

WIRED Security: News, Advice, and More
Turning an Echo Into a Spy Device Only Took Some Clever Coding

WIRED Security: News, Advice, and More

Play Episode Listen Later Apr 26, 2018 5:42


It's important not to overstate the security risks of the Amazon Echo and other so-called smart speakers. They're useful, fun, and generally have well thought-out privacy protections. Then again, putting a mic in your home naturally invites questions over whether it can be used for eavesdropping—which is why researchers at the security firm Checkmarx started fiddling with Alexa, to see if they could turn it into a spy device. They did, with no intensive meddling required.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Amit Ashbel & Maty Siman - Game of Hacks: Play, Hack & Track - 101 Track

DEF CON 23 [Audio] Speeches from the Hacker Convention

Play Episode Listen Later Sep 22, 2015


Materials Available Here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Amit-Ashbel-Maty-Siman-Game-of-Hacks-Play-Hack-and-Track-UPDATED.pdf
Game of Hacks: Play, Hack & Track
Amit Ashbel, Product Evangelist, Checkmarx
Maty Siman, CTO and Founder, Checkmarx
Fooling around with some ideas, we found ourselves creating a hacker magnet. Game of Hacks, built on the node.js framework, displays a range of vulnerable code snippets and challenges the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive, and the leaderboard spices things up when players compete for a seat on the iron throne. Within 24 hours we had 35K players test their hacking skills... we weren't surprised when users started breaking the rules. Join us to:
- Play GoH against the audience in real time and get your claim to fame
- Understand how vulnerabilities were planted within Game of Hacks
- See real attack techniques (some caught us off guard) and how we handled them
- Learn how to avoid vulnerabilities in your code and how to go about designing a secure application
- Hear what to watch out for on the ultra-popular node.js framework
Check it out at www.Gameofhacks.com
Amit Ashbel joined Checkmarx from Trusteer (acquired by IBM). He has been with the security community for more than a decade, where he has taken on multiple tasks and responsibilities over the years, including technical and senior product lead positions. Amit adds valuable product knowledge, including experience with a wide range of security platforms and familiarity with emerging threats and the hi-tech security industry.
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israel Defense Forces (IDF), where he established and led a development team in the IDF’s Information Security Center. Maty regularly speaks at IT security conferences and has been CISSP certified since 2003. Web: www.Gameofhacks.com