Protecting sensitive data with multi-factor authentication (MFA) has become a requirement for cyber insurance policies. Recent attacks (SolarWinds, Colonial Pipeline, Kaseya) and mandates like the White House’s Executive Order to implement MFA in 180 days or less, are proving that identity and password-related vulnerabilities are a top security threat, and one where you can lose a lot of money.
We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle (SDLC). In our blog post exploring the impact of adopting application security, we described a common scenario involving assessing an application that was ready for release. Through the assessment, critical vulnerabilities were identified, such as an SQL injection, close to the go-live deadline.
This year’s Cybersecurity Awareness Month has come to an end and, with every passing year, cyberthreats are increasing in number and complexity. Reactive solutions are no longer enough to confront cyberattacks. Organizations must implement proactive strategies to secure their IT assets.
Many Gmail users were recently greeted with a message that alerted them that 2-step verification will be required to log into their accounts starting on November 9th (today). While many in the security community have been advising people to turn on 2-factor, 2-step, or any other secondary security method on every account as a way to protect the login process, the Twitterverse showed that many people were unhappy with Google’s implementation of this mandatory change.
When David McCheyne, DevOps Engineer at Datto, outlined a plan to ease the company into developer-first security using Snyk, he thought it would take his teams a year to prove the concept. A seasoned DevOps pro, David understood very well the enormity of this change and was prepared to slowly introduce Datto security champions to the Snyk platform and not force the process.
The new threats in software development are not only related to the specific company itself. The whole software supply chain is a target for attackers and it is really important to make sure that we put all our effort into securing each link because if one fails, everything will be affected. Supply chain activities include each step of the transformation of raw materials, components, and resources into a completed product, and its delivery to the end customer.
In a previous blog I reviewed the foundational use case for a TIP, which is threat intelligence management—the practice of aggregating, analyzing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment and share that data with a range of systems and users. However, one of the unique benefits of the ThreatQ Platform and where organizations are deriving additional business value, is that it also allows you to address other use cases.
If every vulnerability seems to be equally critical, engineers would get overwhelmed and probably waste time on the wrong issues. This is why it’s important for developer security tools to provide clear and simple prioritization functionality. As you’ve likely noticed, Snyk Code provides a Priority Score on the top right corner of the overview panel. When hovering over it, an explanation is shown how the priority score was calculated.
On November 1st, 2021, a public disclosure of a paper titled Trojan Source: Invisible Vulnerabilities described how malicious actors may employ unicode-based bidirectional control characters to slip malicious source code into an otherwise benign codebase. This attack relies on reviewers confusing the obfuscated malicious source code with comments.
