A new survey suggests that security is becoming more important for enterprises, but they’re still falling back on old “security by obscurity” ways.
Threatpost
Posts tagged "Security"
GitHub wants to help developers spot security issues before they get too serious
In an effort to further secure open source software, GitHub has announced that the GitHub Advisory Database is now open to community contributions.
While the company has its own teams of security researchers that carefully review all changes and help keep security advisories up to date, community members often have additional insights and intelligence on CVEs but lack a place to share this knowledge.
This is why GitHub is publishing the full contents of its Advisory Database to a new public repository to make it easier for the community to leverage this data. At the same time, the company has built a new user interface for security researchers, academics and enthusiasts to make contributions.
All of the data in the GitHub Advisory Database is licensed under a Creative Commons license and has been since the database was first created to ensure that it remains free and usable by the community.
Contributing to a security advisory
In order to provide a community contribution to a security advisory, GitHub users first need to navigate to the advisory they wish to contribute to and submit their research through the “suggest improvements for this vulnerability” workflow. Here they can suggest changes or provide more context on packages, affected versions, impacted ecosystems and more.
The form will then walk users through opening a pull request that details their suggested changes. Once this done, security researchers from the GitHub Security Lab as well as the maintainer of the project who filed the CVE will be able to review the request. Contributors will also get public credit on their GitHub profile once their contribution has been merged.
In an attempt to further interoperability, advisories in the GitHub Advisory Database repository use the Open Source Vulnerabilities (OSV) format. Software engineer for Google's Open Source Security Team, Oliver Chang provided further details on the OSV format in a blog post, saying:
“In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all. OSV provides that capability.”
We'll likely more on this change to the GitHub Advisory Database once security researchers, academics and enthusiasts begin making their own contributions to the company's database.
- We’ve also highlighted the best endpoint protection software
Kill Cloud Risk: Get Everybody to Stop Fighting Over App Security – Podcast
When it comes to ensuring safe cloud app rollouts, there’s flat-out animosity between business shareholders. HackerOne’s Alex Rice and GitLab’s Johnathan Hunt share tips on quashing all the squabbling.
Threatpost
Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
The popular continuous-delivery platform has a path-traversal bug (CVE-2022-24348) that could allow cyberattackers to hop from one application ecosystem to another.
Threatpost
Office 365 unveils major email security boost
Microsoft has added a new security layer to its Office 365 email service as it looks to improve the integrity of the messages going in and out.
The company says its new protection, SMTP MTA Strict Transport Security (MTA-STS), a feature it first announced in H2 2020, will solve problems such as expired TLS certificates, problems with third-party certificates, or unsupported secure protocols.
“We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online,” Microsoft said in an announcement.
Extra protection
In practice, the new security layer means all emails that are sent through Exchange Online will only be delivered through connections that have both authentication and encryption.
That should render downgrade, and man-in-the-middle attacks impossible, or at least – a lot harder to pull off.
“Downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker's server,” the announcement added.
“MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can't be negotiated, for example stop the transmission.”
Those interested in adopting MTA-STS should refer to this link, where Microsoft explains the process in detail.
The company is already working on further strengthening the security of Office 365 email. DANE for SMTP (DNS-based Authentication of Named Entities), which is said to provide even better protection than MTA-STS, will be rolled out in the coming months.
“We will deploy support for DANE for SMTP and DNSSEC in two phases. The first phase, DANE and DNSSEC for outbound email (from Exchange Online to external destinations), is slowly being deployed between now and March 2022. We expect the second phase, support for inbound email, to start by the end of 2022,” BleepingComputer cited the Exchange team.
“We've been working on support for both MTA-STS and DANE for SMTP. At the very least, we encourage customers to secure their domains with MTA-STS,” Microsoft added.
“You can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method.”
- Here’s our rundown of the best endpoint protection software right now
Via: BleepingComputer
Supply-Chain Security Is Not a Problem…It’s a Predicament
Despite what security vendors might say, there is no way to comprehensively solve our supply-chain security challenges, posits JupiterOne CISO Sounil Yu. We can only manage them.
Threatpost
Unpatched Security Bugs in Medical Wearables Allow Patient Tracking, Data Theft
Rising critical unpatched vulnerabilities and a lack of encryption leave medical device data defenseless, researcher warn.
Threatpost
Microsoft Edge is getting a major security boost straight out of Minority Report
Microsoft is looking to give its web browser a significant security upgrade with the release of a new build featuring some useful protection updates.
The company has revealed that Microsoft Edge v.98 will offer a boosted browsing experience that puts safety and security at the forefront, as well as “giving you an extra layer of protection when browsing the web.”
This will allow users to “enhance your security on the web”, the official entry in the Microsoft 365 roadmap says.
Step forward
There's not a lot of detail about what the “new browsing experience” in Microsoft Edge v.98 will entail just yet, but the company says it will be “a step forward”.
It will allow administrators to apply group policies to end-user desktops across not just Windows devices, but also those running macOS and Linux.
These should help protect against so-called zero-day threats, which are brand-new malware threats that typically look to take advantage of recently-discovered security flaws, and are often extremely dangerous due to a lack of reference points.
Microsoft Edge v.98 will allow users to “mitigate unforeseen active zero days”, the company says, offering an extra layer of protection to keep them safe online.
It's not clear if the new security protections form part of the long-awaited “super duper secure mode” for Microsoft Edge, which launched back in November 2021 as the company looked to boost security for the browser.
Available for Edge v.96 and upwards, the new platform offers two separate configurations – Balanced and Strict – which determine the level of additional protection the user receives.
Balanced mode learns which sites the user frequents and loosens restrictions on these domains, whereas Strict mode applies restrictions across all websites, which may mean some elements no longer work as intended. Users can also create exceptions manually for websites they would like to be exempt from the extra security measures.
How to Secure Your SaaS Stack with a SaaS Security Posture Management Solution
SaaS Security Posture Management (SSPM) named a must have solution by Gartner. Adaptive Shields SSPM solution allows security teams full visibility and control.
Threatpost
TrickBot Crashes Security Researchers’ Browsers in Latest Upgrade
The malware has added an anti-debugging tool that crashes browser tabs when researchers use code beautifying for analysis.
Threatpost