Writing secure applications doesn't mean simply checking the code you've written to make sure there are no logic errors or coding mistakes. Attackers are increasingly targeting vulnerabilities in third-party libraries as part of their attacks, so you have to check the safety of all the dependencies and components, too.In manufacturing, companies create a bill of materials, listing in detail all the items included when building a product so that buyers know exactly what they're buying. Processed food packaging, for example, typically tells you what's inside so that you can make an informed buying decision.[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]
When it comes to software, untangling the code to know what libraries are in use and which dependencies exist is hard. It's a challenge most IT teams don't have the time or resources to unravel.To read this article in full or to leave a comment, please click here
You may have heard that Microsoft has made Windows 10 more secure than any of its predecessors, packing it with security goodies. What you might not know is that some of these vaunted security features aren’t available out of the box or they require additional hardware -- you may not be getting the level of security you bargained for.Features such as Credential Guard are available for only certain editions of Windows 10, while the advanced biometrics promised by Windows Hello require a hefty investment in third-party hardware. Windows 10 may be the most secure Windows operating system to date, but the security-savvy organization -- and individual user -- needs to keep the following hardware and Windows 10 edition requirements in mind in order to unlock the necessary features to achieve optimum security.To read this article in full or to leave a comment, please click here
Devops is transforming how developers and operations teams work together to deliver better software faster. At its core, devops is about automation. When several tasks in development, testing, and deployment are automated, developers can make changes to code and deploy to production frequently. Amazon, a leading devops proponent, at one point claimed to have more than 1,000 deployments a day.But such an accelerated workflow has the potential to bypass secure coding practices, which developers often find difficult to incorporate in the first place. If devops is to continue its momentum, developers need to integrate security testing earlier in the software delivery lifecycle.To read this article in full or to leave a comment, please click here(Insider Story)
Devops is transforming how developers and operations teams work together to deliver better software faster. At its core, devops is about automation. When several tasks in development, testing, and deployment are automated, developers can make changes to code and deploy to production frequently. Amazon, a leading devops proponent, at one point claimed to have more than 1,000 deployments a day.To read this article in full or to leave a comment, please click here(Insider Story)
There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: Deprecated and disabled everywhere.Dubbed Sweet32, researchers were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials to be able to access victim accounts, said the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.To read this article in full or to leave a comment, please click here
There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: Deprecated and disabled everywhere.Dubbed Sweet32, researchers were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials to be able to access victim accounts, said the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.To read this article in full or to leave a comment, please click here
There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: Deprecated and disabled everywhere.Dubbed Sweet32, researchers were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials to be able to access victim accounts, said the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.To read this article in full or to leave a comment, please click here
Enterprise security pros are often seen as heavy-handed gatekeepers obsessed with reducing risk. They'd rather be viewed as enablers who help the organization complete tasks and gain access to needed data.To make that transformation, security teams must become faster, more efficient, and more adaptable to change. That sounds a lot like devops.[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]
Indeed, security can derive inspiration from devops, says Haiyan Song, VP of security markets at Splunk. Devops encourages automation and better integration among tools, two trends security professionals are increasingly exploring to make security more transparent throughout the enterprise.To read this article in full or to leave a comment, please click here
Bugs in several password managers, including the vulnerabilities discovered in LastPass in late July, have scared away some users. But such fears go too far. Millions of users rely on password managers to keep track of passwords for applications and online services, and by all indications, they work better than trying to do it on your own.Security victories should be embraced -- including password managers, which automatically generate complex strings of characters as passwords and deploy a unique password for each site or application. Password managers solve several authentication problems, including easily-cracked passwords and password reuse.To read this article in full or to leave a comment, please click here
Bugs in several password managers, including the vulnerabilities discovered in LastPass in late July, have scared away some users. But such fears go too far. Millions of users rely on password managers to keep track of passwords for applications and online services, and by all indications, they work better than trying to do it on your own.Security victories should be embraced -- including password managers, which automatically generate complex strings of characters as passwords and deploy a unique password for each site or application. Password managers solve several authentication problems, including easily-cracked passwords and password reuse.To read this article in full or to leave a comment, please click here
So long as Windows remain a popular attack target, researchers and hackers will keep pounding the platform to uncover advanced strategies to subvert Microsoft's defenses.The bar for security is much higher than it used to be, as Microsoft has added multiple advanced mitigations in Windows 10 that take out entire classes of attacks. While hackers at this year’s Black Hat conference came armed with sophisticated exploitation techniques, there was tacit recognition that developing a successful technique is now much harder with Windows 10. Breaking into Windows through an OS vulnerability is harder than it was even a few years ago.To read this article in full or to leave a comment, please click here
The Internet has serious security problems that need to be fixed. Despite many calls to action over the years for the industry to band together and work on solutions, progress has been mild. What’s needed isn’t necessarily more security technology. What’s needed are better tools for developers so that they can improve the security of their code.In his keynote at Black Hat in Las Vegas, Dan Kaminsky, chief scientist and co-founder of White Ops, advocated for environments and coding frameworks that make it easier for developers to implement security without compromising usability or stifling creativity. His keynote, “The Hidden Architecture of Our Time: Why This Internet Worked, How We Could Lose It, and the Role Hackers Play,” called on the security industry to think about how new programming environments could have basic functionality and security features built in and turned on by default.To read this article in full or to leave a comment, please click here
The Internet has serious security problems that need to be fixed. Despite many calls to action over the years for the industry to band together and work on solutions, progress has been mild. What’s needed isn’t necessarily more security technology. What’s needed are better tools for developers so that they can improve the security of their code.In his keynote at Black Hat in Las Vegas, Dan Kaminsky, chief scientist and co-founder of White Ops, advocated for environments and coding frameworks that make it easier for developers to implement security without compromising usability or stifling creativity. His keynote, “The Hidden Architecture of Our Time: Why This Internet Worked, How We Could Lose It, and the Role Hackers Play,” called on the security industry to think about how new programming environments could have basic functionality and security features built in and turned on by default.To read this article in full or to leave a comment, please click here
Staying secure online is an essential concern, for individual users, businesses, and cybercriminals alike. That’s right: Basic IT security applies whether you’re protecting sensitive data at an upstanding, ethical organization, or you’re in the business of stealing data from those same organizations.After all, the business may be cybercrime, but cybercriminals are still operating a business, with all the associated worries. Criminals rely on operations security (opsec) to stay ahead of law enforcement and security researchers intent on dismantling their operations, but also to protect their criminal enterprises from competitors planning on sabotage.To read this article in full or to leave a comment, please click here
Staying secure online is an essential concern, for individual users, businesses, and cybercriminals alike. That’s right: Basic IT security applies whether you’re protecting sensitive data at an upstanding, ethical organization, or you’re in the business of stealing data from those same organizations.After all, the business may be cybercrime, but cybercriminals are still operating a business, with all the associated worries. Criminals rely on operations security (opsec) to stay ahead of law enforcement and security researchers intent on dismantling their operations, but also to protect their criminal enterprises from competitors planning on sabotage.To read this article in full or to leave a comment, please click here
Over the years, developers have been dogged by a reputation for placing security as an afterthought. Get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code.Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations isolated opportunities to levy their expertise on the code.[ Learn how to be a more security-minded developer with our 17 security tips for developers. | Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]
But with security and privacy increasingly top of mind among users and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns as an integral part of the development process.To read this article in full or to leave a comment, please click here
Over the years, developers have been dogged by a reputation for placing security as an afterthought. Get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code.Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations isolated opportunities to levy their expertise on the code.[ Learn how to be a more security-minded developer with our 17 security tips for developers. | Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]
But with security and privacy increasingly top of mind among users and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns as an integral part of the development process.To read this article in full or to leave a comment, please click here
It’s time to face facts: Attackers are stealthy enough to evade your monitoring systems. If you’re sitting back waiting for alarms to go off, there’s a good chance you’re already hosed.Despite spending more than $75 billion on security products and services, enterprises are frequently compromised, highly sensitive data is stolen, and the fallout can be devastating. Worse, enterprises don’t discover they’ve been breached for weeks to months after initial compromise, taking between 120 to 200 days on average to even detect an attack. That’s a six-month head start on reconnaissance and exploitation -- more time on your network than most of your recent hires.To read this article in full or to leave a comment, please click here
It’s time to face facts: Attackers are stealthy enough to evade your monitoring systems. If you’re sitting back waiting for alarms to go off, there’s a good chance you’re already hosed.Despite spending more than $75 billion on security products and services, enterprises are frequently compromised, highly sensitive data is stolen, and the fallout can be devastating. Worse, enterprises don’t discover they’ve been breached for weeks to months after initial compromise, taking between 120 to 200 days on average to even detect an attack. That’s a six-month head start on reconnaissance and exploitation -- more time on your network than most of your recent hires.To read this article in full or to leave a comment, please click here
It’s time to face facts: Attackers are stealthy enough to evade your monitoring systems. If you’re sitting back waiting for alarms to go off, there’s a good chance you’re already hosed.Despite spending more than $75 billion on security products and services, enterprises are frequently compromised, highly sensitive data is stolen, and the fallout can be devastating. Worse, enterprises don’t discover they’ve been breached for weeks to months after initial compromise, taking between 120 to 200 days on average to even detect an attack. That’s a six-month head start on reconnaissance and exploitation -- more time on your network than most of your recent hires.To read this article in full or to leave a comment, please click here