Log4Shell: A Case for Trusting Open Source – With Guardrails

Along with a host of frenzied updates and patches, Log4Shell brought something else to the table: intense renewed scrutiny of "open source" among business leaders and governments. What most of these critics do not realize is that much of the software powering their success is not created by commercial vendors but by volunteers, and that some of their most critical systems depend on open-source software. Furthermore, most critics cannot confidently produce a list of all the open-source software their own success depends on.

Similar to the response to major incidents like Heartbleed, Dirty COW, and the Equifax breach via Apache Struts, governmental reviews are underway, and some are seeking to replace the "bad open-source component", in this case log4j, with a "more secure alternative." But an important aspect of open source in modern society is being overlooked in these scenarios: it is highly trusted.
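The inventory problem raised above (which log4j-core builds are actually present, and which still carry the Log4Shell-era CVEs) is concrete enough to show in code. The following scanner is an added example, not code from the original article: it walks archives (including JARs nested inside WARs and EARs), reads the version Maven embeds in `pom.properties` for log4j-core, flags 2.x builds below the first fixed release on their line (2.17.1, with the Java 7 and Java 6 backports 2.12.4 and 2.3.2, per the Apache Log4j security page), and reports whether `JndiLookup.class` is still present, since removing that class was the published mitigation for CVE-2021-44228. The sample archives it scans are constructed in memory and are not real artifacts; the `scan_dir` entry point is what you would run against a real host.

```python
"""Inventory log4j-core across JAR/WAR/EAR archives and flag Log4Shell-era versions.

Added example, not from the original article. Identification relies on the
pom.properties file Maven writes into log4j-core; shaded or relocated copies
that drop it will not be found by this check.
"""
import io
import os
import re
import zipfile
from typing import Dict, List, Optional, Set, Tuple

# First release without any of CVE-2021-44228/-45046/-45105/-44832, per line.
DEFAULT_FIXED = (2, 17, 1)
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}  # Java 6 / Java 7 backports
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def parse_version(ver: str) -> Tuple[int, ...]:
    """Reduce '2.14.1', '2.0-beta9' or '2.17' to a comparable numeric triple."""
    nums = [int(n) for n in re.findall(r"\d+", ver.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(ver: str) -> bool:
    """Only the 2.x line carries the Log4Shell CVEs; 1.x is out of scope here."""
    v = parse_version(ver)
    if v[0] != 2:
        return False
    return v < FIXED_BY_BRANCH.get(v[:2], DEFAULT_FIXED)


def log4j_core_version(zf: zipfile.ZipFile, names: Set[str]) -> Optional[str]:
    """Return the log4j-core version if this archive *is* log4j-core, else None."""
    if POM_PROPS not in names:
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data: bytes, path: str, findings: List[Dict]) -> None:
    """Record a finding if this archive is log4j-core; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = log4j_core_version(zf, names)
        if version is not None:
            findings.append({
                "path": path,
                "version": version,
                "vulnerable": is_vulnerable(version),
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        for member in names:  # fat JARs, WEB-INF/lib, EAR-packaged modules
            if member.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(member), f"{path}!/{member}", findings)


def scan_dir(root: str) -> List[Dict]:
    """Walk a filesystem tree and inventory every log4j-core it contains."""
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def fake_log4j_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core JAR (metadata only, no real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo_findings() -> List[Dict]:
    """Scan constructed samples: a vulnerable JAR nested in a WAR, a 2.14.1 JAR with
    JndiLookup removed (mitigated for CVE-2021-44228, still flagged), and a fixed 2.17.1."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j_jar("2.14.1"))
    samples = {
        "app.war": war.getvalue(),
        "patched-2.14.1.jar": fake_log4j_jar("2.14.1", with_jndi=False),
        "log4j-core-2.17.1.jar": fake_log4j_jar("2.17.1"),
    }
    findings: List[Dict] = []
    for name, blob in samples.items():
        inspect_archive(blob, name, findings)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Note that the JndiLookup flag and the version flag are reported separately on purpose: deleting the class closes CVE-2021-44228 but not the later configuration-dependent issues, so a 2.14.1 with the class removed is still listed as needing an upgrade.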

A New Era of Software Processes Is on the Horizon

The report late last year from FireEye of a state-sponsored attack targeting SolarWinds' Orion software sent a shockwave through the industry, and the reverberations from the discovery continue to ripple. As many as 18,000 SolarWinds customers downloaded the trojanized update carrying the SUNBURST backdoor into the network monitoring and management solution, and at least nine U.S. government agencies were among those subsequently compromised. Moreover, according to a recent study from IronNet, the average financial impact of the attack was 11% of annual revenue, or about $12 million per company.

U.S. intelligence has attributed the attack to Russian state-sponsored actors, who compromised multiple Orion software updates released between March and June 2020, giving them a backdoor into affected systems. Our research found that the Orion software build and code-signing infrastructure was compromised, with the source code of the affected library directly modified to include malicious backdoor code that was then compiled, signed, and delivered via the existing patch release management system.

4 Software QA Metrics To Enhance Dev Quality and Speed

Introduction

Today, demand for software is higher than ever. Lines of code govern almost everything we do in our day-to-day activities: the way we buy, the way we sell, even the way we communicate.

In 2019, according to Evans Data Corporation, there were 23.9 million developers worldwide. To hold their place in the market, developers have to speed up their process while delivering products of ever-increasing quality. This is happening across the board, even and especially at the 50 leading SaaS companies. Speed and quality often seem at odds with one another, but in reality this is not the case: improvement in both areas is obtainable. This is where QA can help.

Stay Safe on GitHub: Security Practices to Follow

GitHub is undoubtedly the largest and most popular social development platform in the world. According to its 2019 State of the Octoverse report, GitHub is home to over 40 million developers, and the community keeps expanding every day.

As developers in this deeply interconnected community use open source code to build software, GitHub security should be a top priority, because extensive code re-use increases the risk of a vulnerability propagating from one dependency or repository to another. Every contributor should therefore focus on creating a secure development environment.

How to Approach Security Development Lifecycle (SDL)

Introduction to the Security Development Lifecycle (SDL)

Security Development Lifecycle is one of the four Secure Software Pillars. By pillars, I mean the essential activities that ensure secure software.

SDL can be defined as the process of embedding security artifacts throughout the entire software lifecycle.

In a Software-Driven World, Who Is Responsible for the Risks?

The power of software to improve our lives and our world is almost limitless. Consequently, those creating software are wielding a power that demands a new level of responsibility.

When I think about how fast the world is changing, I wonder how our ancestors must have felt at the dawn of past industrial revolutions. Everything changed — the way we made, shipped, and sold goods evolved, and daily schedules and lives changed as people moved to cities to escape subsistence farming and find work in factories and mills. All of this change was fueled by new technologies and innovations. While many of these changes were positive, there were risks and costs, such as increased injuries, rising wealth inequality, and, as urbanization took hold, an increased spread of disease. It became the responsibility of factory workers, and in some cases the government, to address these concerns in order for our economy and society to flourish and grow.

Strategies and Technologies for Container Security

When adopting any new technology, its ability to mitigate or reduce security risks should always be on the table. Organizations hesitant to adopt containers are often wary of whether their existing processes and paradigms can address the challenges of securing containers in production.

For all their benefits, containers effectively represent a new layer in the application stack, which requires a new way of thinking about application security. In its Application Container Security Guide (SP 800-190), NIST points out that as containers revolutionize application deployment, organizations must adapt their security strategies to new, dynamic production environments.

GAO Report Confirms Major Gaps in Government Cybersecurity

The September GAO cybersecurity report states that about 1,000 recommendations remain outstanding, covering automotive, military, and IoT security, among other areas.

Over the past couple of decades, the U.S. government has gotten pretty good, or at least pretty productive, at laying out, in multiple reports, plans, strategies, and initiatives under multiple presidents, what needs to be done to improve the nation's cybersecurity, including the latest from just a month ago, called a "Cybersecurity Moonshot."