security Archives - SD Times (Software Development News), https://sdtimes.com/tag/security/, last updated Wed, 26 Apr 2023 15:10:58 +0000

InfluxDB 3.0 released with rebuilt database and storage engine for time series analytics
https://sdtimes.com/data/influxdb-3-0-released-with-rebuilt-database-and-storage-engine-for-time-series-analytics/
Wed, 26 Apr 2023 15:10:58 +0000

The post InfluxDB 3.0 released with rebuilt database and storage engine for time series analytics appeared first on SD Times.
InfluxDB announced expanded time series capabilities across its product portfolio with the release of InfluxDB 3.0, the company’s rebuilt database and storage engine for time series analytics.

“InfluxDB 3.0 is a major milestone for InfluxData, developed with cutting-edge technologies focused on scale and performance to deliver the future of time series,” said Evan Kaplan, CEO at InfluxData. “Built on Apache Arrow, the most important ecosystem in data management, InfluxDB 3.0 delivers on our vision to analyze metric, event, and trace data in a single datastore with unlimited cardinality. InfluxDB 3.0 stands as a massive leap forward for both time series and real-time analytics, providing unparalleled speed and infinite scalability to large data sets for the first time.”

The solution was originally developed as the open-source project InfluxDB IOx and was built in Rust. It was then rebuilt as a columnar database that leverages the scale and performance of the Apache Arrow data structure to deliver real-time query responses. 

Users also gain unlimited cardinality, high throughput for continuously ingesting, transforming, and analyzing billions of time series data points, low-cost object storage, and SQL support.

The new version is available now in InfluxData’s cloud products, including the fully managed service InfluxDB Cloud Dedicated. InfluxData also announced InfluxDB 3.0 Clustered and InfluxDB 3.0 Edge, which will bring the same next-generation time series capabilities to a self-managed database later in the year.

GitLab announces new AI-powered capabilities
https://sdtimes.com/security/gitlab-announces-new-ai-powered-capabilities/
Tue, 25 Apr 2023 18:43:06 +0000

The post GitLab announces new AI-powered capabilities appeared first on SD Times.
GitLab announced that it has been expanding support for Code Suggestions, has added a new level of visibility with Value Stream Dashboard, and has added a new and improved license compliance scanner along with license approval policies. 

The company’s aim behind the improvements is to help fill the skills gap: security engineers are outnumbered, and 85% of respondents to GitLab’s 2023 Global DevSecOps Report: Security Without Sacrifices said their security budgets are flat or reduced.

“We believe in a simple mantra: Velocity with guardrails. Artificial intelligence technologies and automation solutions accelerate code creation and, when paired with a comprehensive DevSecOps platform, create the security and compliance guardrails that every company needs,” GitLab stated in a blog post.

Code Suggestions, which can improve developer productivity without context switching and within a single DevSecOps platform, is free for all Ultimate and Premium customers during the Beta.

The recently introduced Value Streams Dashboard offers decision-makers valuable insights into metrics that can help them recognize patterns and trends, enabling them to optimize software delivery. The dashboard takes into account the DORA metrics and tracks the flow of value delivery across various projects and groups, providing strategic insights that can aid in improving the overall software delivery process.

Users of GitLab can also establish license policies and examine software licenses for compliance. The scanner can retrieve license information from packages that are dual-licensed or covered by multiple licenses, and it now identifies more than 500 license types, a significant improvement over the previous 20.

With the help of license approval policies, organizations can minimize the risk of using unapproved licenses, which can save them time and effort that would otherwise be needed to manually ensure compliance.

GitLab also stated that it now automatically revokes personal access tokens (PATs) leaked in public GitLab repositories, to mitigate the risk of a developer mistakenly committing a PAT into their code. Secrets leaked in public projects can be responded to by revoking the credential or notifying the vendor that issued it.

The company said that there will be more guardrails coming in 2023. One is group and subgroup dependency lists that provide users with a simple way to view their projects’ dependencies. Other capabilities will include continuous container and dependency scanning, management tools for compliance frameworks, and SBOM ingestion to import CycloneDX files from third-party tools. 

GrammaTech and ArmorCode partner to deliver vulnerability management orchestration
https://sdtimes.com/security/grammatech-and-armorcode-partner-to-deliver-vulnerability-management-orchestration/
Mon, 24 Apr 2023 20:18:01 +0000

The post GrammaTech and ArmorCode partner to deliver vulnerability management orchestration appeared first on SD Times.
Application security testing company GrammaTech and AppSecOps company ArmorCode have announced a technology integration partnership geared at helping users automate product security across development, testing, feedback, and deployment.

With the GrammaTech CodeSonar static application security testing (SAST) platform, ArmorCode users gain improved safety and security vulnerability intelligence for integrating application security capabilities into CI/CD pipelines.

“Unifying application security tools and intelligence to orchestrate operations across developer pipelines is central to preventing safety and security vulnerabilities from reaching market ready products,” said Katie Norton, senior research analyst of DevOps and DevSecOps at IDC. “Together, GrammaTech CodeSonar and ArmorCode can enable customers to automate end-to-end DevSecOps workflows instead of stitching together often siloed processes.”

According to the companies, this integration provides users with a centralized, 360-degree view of vulnerabilities in the CI/CD pipeline and orders them by priority level for remediation.

This is intended to help companies apply DevSecOps practices across physically distributed development environments and comply with standards-based coding practices such as MISRA for automotive products.

Furthermore, ArmorCode’s AppSecOps platform unifies vulnerability management to shorten detection and remediation response times and reduce disruption of the software release cycle.

“As organizations across industries adopt DevSecOps to accelerate the delivery of software, the number of security vulnerabilities has increased exponentially. Furthermore, the security teams responsible for protecting the business are struggling to manage the risk and to keep pace with the speed of delivery,” said Mark Lambert, chief product officer at ArmorCode. “This integration between GrammaTech CodeSonar and ArmorCode delivers the visibility and workflow automation these teams need to ship secure software and ship it fast.”

Despite advancements in authentication technology, MFA adoption lags
https://sdtimes.com/security/despite-advancements-in-authentication-technology-mfa-adoption-lags/
Mon, 24 Apr 2023 16:59:48 +0000

The post Despite advancements in authentication technology, MFA adoption lags appeared first on SD Times.
In today’s digital age, ensuring secure authentication at your organization is more crucial than ever. With the increasing prevalence of cyber attacks, data breaches, and identity theft, it is imperative for businesses to implement robust security measures to protect their sensitive information and assets. 

Passwords are still the leading cause of security breaches, and we’ll continue to see this be the case as long as passwords are still the primary form of authentication used by businesses and applications, according to Reed McGinley-Stempel, the co-founder and CEO at Stytch, a platform for authentication and security requirements. 

In fact, Verizon found that 80% of hacking-related breaches are linked to passwords in some way. A big cause, according to Chris Niggel, regional chief security officer of the Americas at identity management platform provider Okta, is that the adoption of multifactor authentication (MFA) is still very low. A recent Microsoft study showed that only 22% of Azure Active Directory customers had strong authentication turned on.

“Employees aren’t compensated on security, they’re compensated on productivity, and MFA traditionally impeded that productivity and organizations were very reluctant to roll that out,” Niggel said. “Now, where we are today with the zero-trust security models, we can actually deploy MFA in ways that don’t negatively impact productivity.” 

To account for this, some organizations are starting to require MFA. Starting in March and through the end of 2023, GitHub will gradually begin to require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA). 

In addition to enforcement, there have been many recent advancements in the field to secure organizations. One that stands out is the commitment made in mid-2022 by Apple, Google, and Microsoft to expand support for the FIDO standard and accelerate the availability of passwordless sign-ins.


This allows users to automatically access their FIDO sign-in credentials – also referred to as a passkey – on many of their devices without having to re-enroll every account. It also enables them to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they’re in. 

“This is the first time we’ve had cross-device biometrics at our fingertips, which is crucial for improving the appeal and adoption of biometrics as a primary authentication method,” said Stytch’s McGinley-Stempel. 

According to McGinley-Stempel, passkeys are an evolution built upon an existing passwordless technology called the Web Authentication API, or “WebAuthn,” and to understand the promise of passkeys, it’s important to understand where the initial capabilities of WebAuthn have fallen short of consumer expectations. The major limitations were that it couldn’t carry biometrics across devices such as phones and desktops, and that no apps were comfortable offering it as anything other than a 2FA option.

“To make this tangible, imagine you’re a user signing up for an account with HomeDepot in order to buy paint. You start your search for paint on your mobile device and find a few colors you’re excited about. You create a Home Depot account in order to complete the order. You see a FaceID icon and think “Great! No password needed — I can just use a biometric to sign up,” McGinley-Stempel said.

“A day later, you see the shipping confirmation while checking your email on your laptop, and you realize you’re out of paintbrushes. You go to HomeDepot.com to order a few brushes as well. When it asks you to log in, you click on the same biometric icon you saw in the mobile apps. However, laptops do not support FaceID, so HomeDepot asks you to go through the TouchID flow on your Mac. You enroll your fingerprint, and you receive an error telling you that an account doesn’t exist,” he continued. “You know that’s not right, but you’re not sure what’s gone wrong and you’re also in a hurry. You decide to create a password, enter all of the same information you provided yesterday such as an address, credit card info, etc., and make the purchase with this same account. You’ve now experienced the biggest shortcoming with WebAuthn today — it doesn’t handle cross-device or cross-platform authentication well.”

This led the potential buyer to duplicate work while also creating multiple user accounts for HomeDepot to manage on their side.

Luckily, this new iteration of passkeys can overcome these user challenges and make them a major contender as a preferred primary authentication factor. By enabling biometric authentication to work across all major devices and browsers, passkeys are likely to be a game changer for B2C WebAuthn adoption, according to McGinley-Stempel.

A lot of the best practices surrounding authentication are built around the FIDO 2 (Fast Identity Online) standard, according to Ant Allan, vice president analyst at Gartner. This was built by a consortium of companies including Google, Microsoft, and Intel, with the aim of reducing the reliance on passwords and improving the security of online authentication.

FIDO 2 is based on public-key cryptography and uses a combination of hardware security keys, biometric authentication, and passwordless methods to provide secure and easy-to-use authentication.

Building on top of those best practices is a conditional access policy. 

“This takes account of device identity, location, and network, and if you see that everything is in line with expectations, you can make the decision to skip the additional factor,” Allan said. “So you log in normally with a password, and only if you’re on an external network, or you’re on a strange machine are you prompted for the additional factor. This has become very popular.”

This approach has also grown in popularity with organizations that use Azure AD or similar systems for access to SaaS applications, which let employees log in without the additional factor if they are on the corporate network in the first place. If they are coming in remotely — a greater consideration nowadays — the system asks for a second factor as well, although this can be adjusted to prompt only once a week or so.

Using a phone for MFA can be a challenge

Whether it’s SMS-based login, push notifications, or generated codes, there are some constraints to requiring employees to use a phone for authentication purposes. 

In one of the more robust phone-based authentication methods, organizations can require employees to have an app on their phone, and if the organization is not providing a corporate phone, some fraction of the employees are going to be reluctant to install that app on their personal device, according to Allan.

“For good or bad reasons they might misunderstand what it can do,” Allan said. “They’re scared it can track their location or they just object on principle, that this is my device not for work.”

So most organizations will choose the phone-based method by default but typically have a need to support people who can’t or won’t use phones by providing a hardware token. Others just figure it’s more economical to pay a stipend to people to use their phones rather than having to buy tokens and manage the logistics around them. 

“Most will use the hardware tokens as an alternative. But in some organizations that can become particularly expensive, particularly if you’re looking at blue-collar workers, you’re speaking to manufacturing firms and such, there tends to be much higher resistance, and particularly if an organization is unionized then the union might just say, ‘No, you’re not going to do this.’ There the hardware token use would be much higher,” Allan explained.

Troubles with bringing FIDO 2 to legacy applications 

The integration of legacy products into FIDO 2 is something that isn’t going to be easily solved, according to Allan. 

For example, Windows Hello for consumers is FIDO-certified, but since Windows Hello for Business adds a lot of bits that will make it work in legacy Active Directory environments, it’s not a FIDO-certified product anymore. 

“When you’ve got legacy infrastructure, which still has compatibility with NTLM, it’s those kinds of things which mess it up,” Allan said. “On the plus side, you also get more control over how you use it. You get more control over how you use it, more control over enrollment and what you force people to use to log in in the first place and we’re seeing a lot of organizations make use of that just to improve user experience.” 

However, this leaves an Active Directory password available in the background, which remains a weakness that an attacker can exploit.

Moving to the cloud can hugely simplify how authentication is managed and that is something that newer and smaller companies have embraced since they were early adopters of cloud applications, according to Allan.

Zero-trust initiatives are almost everywhere

Four years ago, just 16% of companies surveyed said they either had a zero-trust initiative in place or would have one in place in the coming 12–18 months. Today, that number is 97%, according to The State of Zero-Trust Security 2022 from Okta. It also found that zero-trust initiatives are not limited by company size, geographic location, or industry vertical.

For the fourth annual State of Zero Trust report, Okta surveyed 700 security leaders across the globe—more than ever before—to assess where they are on the journey toward a complete zero-trust security posture.

Passwordless solutions support a zero-trust model because they offer more secure factors for verifying someone’s identity, independent of whether or not they have already gained access to certain resources, according to McGinley-Stempel. A zero-trust security posture has many overlapping interests with modern authentication, but they remain slightly different focus areas. 

The Okta report found a growing consensus for integrating identity and access management (IAM) with other critical security solutions: through an identity-first approach to zero trust, a powerful central control point can be created for intelligently governing access among users, devices, data, and networks.

It found that 80% of all organizations say identity is important to their overall zero-trust security strategy, and an additional 19% go so far as to call identity business critical. That’s a full 99% of organizations naming identity as a major factor in their zero trust strategy.  

Zero trust is also met with a more tech-savvy workforce. 

Due to the numerous breaches and security incidents we regularly encounter, people are typically more aware of security today, according to McGinley-Stempel. Even though many are proactively attempting to address security threats and vulnerabilities, many do not prioritize authentication and security until there is an imminent risk or an actual incident.

The use of biometrics has gone up to 24% from 21% last year and the category has grown 46% year over year. 

“I think a lot of that has to do with just the fact that it’s easy. Now, we’re all used to using things like Touch ID, Face ID, and Windows Hello,” McGinley-Stempel said. “So those capabilities are built into the hardware we’re using, whereas a few years ago, that was really nascent.”

Security professionals should also keep up to date on current security threats by going to conferences like AuthenticateCon and Identiverse, where they can absorb a lot of the latest trends. They should also find a trusted authentication provider they can rely on.

Security is edging out usability

While at the start of the pandemic, organizations had to lean harder toward usability since their workforce had to get comfortable with working remotely to drive business results, 2022 shifted the priority to security when it comes to authentication, the Okta report found. This shift was pronounced in APAC and North America, with the EMEA region reporting a more balanced prioritization between usability and security.

This may be because companies have already made pandemic-era investments in usability and now have to catch up on security debt. Others recognize that by prioritizing stronger security measures, they may gain improved usability at the same time, according to the report.

“This was highlighted by the White House memo last year which talked about phishing-resistant MFA and we’ve seen some responses from Microsoft, Google, and others that added features to these methods to try to mitigate some of those risks sometimes at the expense of user experience,” Gartner’s Allan said. 

If you moved from hardware tokens to mobile push on your phone as a way of lowering costs and improving user experience, then you have to implement something else on top of that to mitigate this new MFA fatigue which may erode some of the benefits, Allan added. 

However, there is a broader set of tools that apply additional intelligence and analytics to different signals to block some of these risks and reduce fatigue, since MFA shouldn’t be relied on as the only authentication control.

ChatGPT can help your hacker

A new alarming phenomenon is the role that AI tools are playing in increasing the sophistication of authentication attacks.

“Emerging AI tools are enabling more sophisticated phishing attacks and making more advanced unphishable MFA more important than ever,” said Reed McGinley-Stempel, the co-founder and CEO at Stytch. “New AI-powered chatbots like ChatGPT, which saw over 100 million users within two months of launching, are empowering hackers to be bolder and more prolific.”

Darktrace, a cybersecurity firm, recently released a warning saying it believes that criminals are increasingly using ChatGPT to create more sophisticated scams. 

“Historically, hackers have used obvious typos in phishing emails to filter for respondents that are more gullible – and thus more likely to unwittingly fall victim to a phishing attempt. That’s because phishing is a predominantly manual method that requires hackers to interact live with their victims,” McGinley-Stempel said. “If conversations can be delegated to a convincing AI chatbot, hackers can target more sophisticated users with little to no human cost, allowing them to widen their net and increase the volume and scope of their attacks through automation.”

He added that as phishing gets more sophisticated, it’s on companies to adopt unphishable MFA practices that render these more sophisticated fraud attempts a moot point. 

SD Times Open Source Project of the Week: Tython
https://sdtimes.com/open-source/sd-times-open-source-project-of-the-week-tython/
Fri, 21 Apr 2023 13:09:34 +0000

The post SD Times Open Source Project of the Week: Tython appeared first on SD Times.
Tython is an open-source Security as Code framework and SDK that is geared towards building security design patterns as-code. It takes an architectural approach to cloud security, supports the user’s choice of programming language, and removes vendor lock-in.

With Tython, customers can design reusable security reference architectures as code with pre-built blueprints, so that they don’t need to build custom parsers for every language and integrations for every tool.

Users also gain the ability to define security and governance policies in any programming language they want, including Python, Rust, Golang, Sentinel, and OPA.

This open-source offering also works to remove the need for traditional configuration management constraints with a meta-model of the user’s application architecture. According to the maintainers, this provides enhanced security visibility.

Furthermore, customers can identify security and compliance issues based on business application context and then apply security automatically.

The maintainers also stated that Tython allows end users’ custom security policies to be created, remediated, and enforced as early as possible, from architecture design through post-deployment drift detection.

The framework also natively integrates across the cloud, offering multi-cloud support, the ability for developers to choose their IaC tools, intelligent remediation and drift-detection, and full visibility to the entire cloud application architecture through an interactive graph. 

To learn more, visit the website.

Amazon CodeWhisperer brings AI-assisted development to AWS
https://sdtimes.com/security/amazon-codewhisperer-brings-ai-assisted-development-to-aws/
Thu, 13 Apr 2023 20:03:52 +0000

The post Amazon CodeWhisperer brings AI-assisted development to AWS appeared first on SD Times.
The newly launched CodeWhisperer is a tool that uses AI-generated suggestions to help developers maintain their focus and stay productive by allowing them to write code quickly and securely without disrupting their workflow by leaving their IDE to look up information.

The tool is especially useful for creating code for routine and time-consuming tasks and for working with unfamiliar APIs or SDKs. It makes correct and effective use of AWS APIs and handles common coding scenarios such as reading and writing files, image processing, writing unit tests, and more.

“Helping to keep developers in their flow is increasingly important as, facing increasing time pressure to get their work done, developers are often forced to break that flow to turn to an internet search, sites such as StackOverflow, or their colleagues for help in completing tasks,” said Steve Roberts, a senior developer advocate focused on .NET and PowerShell development on AWS. “Instead, CodeWhisperer meets developers where they are most productive, providing recommendations in real time as they write code or comments in their IDE.”

On the security front, CodeWhisperer filters out code suggestions that might be considered biased or unfair, and it can filter or flag code suggestions that may resemble particular open-source training data. The AI companion includes security scanning for finding and suggesting remediations for hard-to-find vulnerabilities. 

It can be used with Python, Java, JavaScript, TypeScript, C#, Go, Rust, PHP, Ruby, Kotlin, C, C++, Shell scripting, SQL, and Scala.

CodeWhisperer offers a professional tier that adds administration features like SSO and IAM Identity Center. There is also an Individual tier that is free to use for all developers.

Additional details are available here.

Melissa advises extending adverse media screening to improve customer due diligence
https://sdtimes.com/security/melissa-advices-extending-adverse-media-screening-to-improve-customer-due-diligence/
Tue, 11 Apr 2023 19:22:44 +0000

The post Melissa advises extending adverse media screening to improve customer due diligence appeared first on SD Times.
Melissa, a provider of data quality, identity verification, and address management solutions, recently advised expanding negative news screening operations, also known as adverse media screening (AMS), to businesses and individuals being onboarded to financial organizations.

The company stated that AMS has become increasingly more important in customer due diligence operations, where organizations are required to perform Know Your Customer, Combating the Financing of Terrorism, and anti-money laundering checks.

In addition, Melissa recommended the automation of AMS operations so that businesses can achieve a well-rounded compliance program to prevent fraud and financial crime.  

“It is a real challenge for organizations to ensure their required compliance processes are smooth and seamless for customers, checks that typically consist of screening against politically exposed persons and global sanctions lists,” said Bud Walker, vice president of enterprise sales and strategy at Melissa. “Automated adverse media screening is a valuable addition to these standard processes, checking for negative news related to an individual or business even if they may not appear on any international watchlist. It’s critical to developing the most accurate risk profile for customers in the financial sector, as well as markets such as insurance, healthcare, or non-profit – anywhere employees in senior-level roles, prospective clients, or business partners may pose risk to operations or reputation.”

The AMS services provided by Melissa offer several third-party global data sources, including newspapers, magazines, TV, social media, radio, and press releases, leveraged to check an individual’s background for anything negative.

The processes are also automated so that AMS project management is no longer bogged down by alerts that are time-intensive to consider and remediate manually.

According to Melissa, AMS screens focus on signs of money laundering, financial fraud, drug trafficking, financial threats or organized crime, terrorism, cybercrime, violent or sexual crimes, and appearances on past or present sanctions lists worldwide.

Furthermore, Melissa suggested multiple best practices in AMS processes, such as a wider screening approach to reach beyond current and new customers to access related account parties and beneficial owners of associated organizations, corporate structures, or assets.

To learn more about Melissa’s adverse media screening tool, visit the website.

Android updates data deletion policy to provide more transparency to users https://sdtimes.com/data/android-updates-data-deletion-policy-to-provide-more-transparency-to-users/ Fri, 07 Apr 2023 15:03:30 +0000 https://sdtimes.com/?p=50837

The post Android updates data deletion policy to provide more transparency to users appeared first on SD Times.

Google announced a new data deletion policy to provide users with more transparency and authority when it comes to managing their in-app data.

Developers will soon be required to include an option in their apps for users to initiate the process of deleting their account and associated data both within the app and online on applications that allow the creation of user accounts. This option will have to be linked to Data safety forms in apps. 

“While Play’s Data safety section already lets developers highlight their data deletion options, we know that users want an easier and more consistent way to request them,” said Bethel Otuteye, the senior director of product management at Android App Safety in a blog post. “By creating a more intuitive experience with this policy, we hope to better educate our shared users on the data controls available to them and create greater trust in your apps and in Google Play more broadly.”

With this new option, users who do not want to delete their entire account will have the option to delete specific data, such as activity history, images, or videos. 

Developers who need to keep certain data for legitimate reasons, such as security, fraud prevention, or regulatory compliance, are required to disclose those practices clearly.

Google is asking developers to submit answers to the new deletion questions in their app’s Data safety form by December 7th. Google Play users will begin to see the changes reflected in their app’s store listing by early next year.

How developers can confidently secure applications https://sdtimes.com/security/how-developers-can-confidently-secure-applications/ Thu, 06 Apr 2023 16:02:52 +0000 https://sdtimes.com/?p=50822

The post How developers can confidently secure applications appeared first on SD Times.

Cybersecurity costs companies billions of dollars a year, with that cost expected to be in the trillions by 2025, according to some cybersecurity research firms. Consider the Marriott hotels’ leak of 500 million customer records, for which Marriott took a $126 million charge; and Equifax, an American credit reporting agency, which spent 1.4 billion dollars on cleanup costs associated with the 2017 data breach of 150 million personal credit histories.

The average cost of a data breach in 2020 was $3.92 million. Beyond the monetary implications, a large security incident can decimate a company’s brand and even be a career-ending event for its top executives.

The past few years have taught us that every layer of the stack – from hardware all the way to JavaScript in a web browser – can have security vulnerabilities. In the meantime, security has evolved to be a collective responsibility of everyone building and running IT systems, including developers, as enterprise IT leaders recognize that security must be integrated and continuous in today’s cloud native environments. 

The premise of “Securing Cloud Applications on Kubernetes” is that computer security is a vast field with many different technologies that must be learned independently and then combined correctly in an application. Application developers and architects typically learn security technologies on the job, when they first encounter them, while under pressure to deliver product features and bug fixes. Reading blog posts, cutting and pasting configuration settings, and searching stackoverflow.com for help under delivery pressure leaves developers feeling that they don’t understand security, yet also don’t have the time and resources to learn it properly.

Making sense of application security 

Application security is in the midst of its own transformation. It’s not only recognized as a necessary discipline, it’s also become part of the daily work of multiple teams, including app developers. The heightened focus on security by senior business leaders affects application developers in multiple ways: 

  • Use all product security features: CISOs expect developers to use every security feature available in products to secure an application. Do you know how to configure and use the security features in the application server, database, object store, message broker, API gateway, service mesh, cloud services, programming language and development frameworks being used on a project you are working on? It is no longer enough to know how to use a product, you must know how to use it securely. 
  • Follow corporate security standards: CISOs expect applications to pass strict corporate security assessments and audits. As a developer you must be able to explain to assessors and auditors how your application meets corporate security standards. This means you need to be able to speak the security language used by information security professionals so you can avoid costly remediation work to fix security issues late in the development cycle. 
  • Design and implement secure applications: CISOs expect architects and developers to design and implement secure applications. This means that you must be familiar with many security protocols and technologies required to design and implement secure applications. 
  • Enable DevSecOps Transformation: CISOs are investing heavily in breaking down the silos between the development, operations, and security teams. This means that as a developer you need to become familiar with new tools, processes, and practices used to implement DevSecOps. 

The diagram below provides a map of the broad areas of application security.  

The top of the diagram above represents the goal of senior business leaders: to build secure applications that can stand up to attacks. The higher layers of the diagram depend on the layers below them. To secure an application you need to use security libraries; for example, a Java web application might use Spring Security to authorize user access. Security libraries alone are not enough to provide security, though. You must design, code and maintain the application in a secure way by following the corporate security practices for application development, for example performing a security code review, or setting up code analyzers that detect common security coding mistakes. As a developer you spend your time in the middle layer of the pyramid above.

Security libraries and frameworks implement industry standard protocols and patterns in a specific programming language. 

The root cause of developer difficulties in using security libraries is a lack of knowledge about the underlying standards, protocols and patterns the libraries implement. If you understand the underlying security standards, protocols, and best practices, you will find security libraries and frameworks much easier to learn and use.

The first step in the learning journey is to build a big-picture mental model of application security use cases and the available approaches for solving them. We start the learning journey by analyzing two common security problems: 

  • Securing communication channels 
  • Securing application dependencies 

Examining how to secure communication channels and application dependencies enables us to make sense of the types of security skills an application developer needs and to map out an effective approach for learning them.

Analyzing a common set of security problems encountered when building monolithic and microservice-based applications gives you a big-picture understanding of the security technologies and standards that every developer should be familiar with in order to build secure cloud native applications.

Securing communication channels 

It is tempting to assume that there is no need to encrypt communications between the application backend and its database because the traffic is on a “trusted” internal network. 

It is a best practice to operate under the zero-trust networking model where you assume that the network is always untrusted. Treat the internal data center network with the same level of suspicion that you treat the internet. As an application developer it is important that you insist on Transport Layer Security (TLS) everywhere for any application network communications. Getting comfortable with the TLS protocol is a critical security skill for developers. Mastering TLS enables you to: 

  • Write secure applications that meet corporate security standards. 
  • Quickly configure TLS in your code without spending hours searching blogs and stackoverflow.com for setup instructions. 
  • Debug connectivity issues caused by TLS configuration settings easily. 

There is a tangled web of algorithms based on deep beautiful mathematics at the heart of TLS. You do not need to understand how these algorithms work or the math behind them, but you must understand what they do and how to configure them correctly in your applications.  

Securing application dependencies 

Applications are built on top of hundreds of open-source libraries and proprietary software components. For example, at the time of writing I am working on a Spring Boot application that depends on 106 open-source third-party libraries. I have seen some enterprise applications with 250+ library dependencies. Reusing software components across applications is a huge time and cost saver; however, it also introduces the possibility of catastrophic security failures.

Supply chain security is an industry-wide problem, since every software producer depends on external code suppliers who in turn depend on other suppliers, and so on. New security tools and processes must be built and then adopted widely to secure the software supply chain.

Continuous automated dependency vulnerability detection

You can easily detect vulnerable dependencies using an automated vulnerability scanner. The vulnerability scanner builds a list of all the dependencies an application uses by analyzing the application’s code, build scripts and generated artifacts. The scanner compares the application’s dependency versions against a database of known vulnerabilities. If a match is found the scanner alerts the development team. 
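The three scanner steps just described (build the dependency list, compare versions against a vulnerability database, alert on matches), as an added example that is not from the article or the book. The manifest format, the advisory entries and the EXAMPLE-* identifiers are all constructed for illustration; a real scanner would read a lockfile or SBOM and query a maintained advisory feed.

```python
"""Minimal dependency vulnerability scanner (added example, not from the article)."""

# Constructed lockfile in a requirements.txt-like "name==version" format.
CONSTRUCTED_MANIFEST = """\
# build-time pins (constructed sample)
webframework==4.1.2
jsonparser==1.9.0
cryptolib==2.0.1
logging-utils==3.3.3
"""

# Constructed advisory database: an entry affects versions in the range
# [introduced, fixed); fixed=None means no patched release exists yet.
CONSTRUCTED_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "jsonparser", "introduced": "1.8.0", "fixed": "1.9.1"},
    {"id": "EXAMPLE-0002", "package": "cryptolib", "introduced": "0.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-0003", "package": "logging-utils", "introduced": "3.0.0", "fixed": None},
]


def parse_version(text):
    """Turn '1.9.0' into a comparable tuple of ints; pad so that 1.9 == 1.9.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_manifest(manifest):
    """Step 1: build the dependency list {name: pinned version} from the manifest."""
    deps = {}
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version, advisory):
    """Step 2: a version is affected when introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def scan(manifest, advisories):
    """Step 3: return (package, version, advisory id, fixed version) for each match."""
    deps = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv["package"], version, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for package, version, adv_id, fixed in scan(CONSTRUCTED_MANIFEST, CONSTRUCTED_ADVISORIES):
        action = f"upgrade to {fixed}" if fixed else "no fix yet: mitigate or replace"
        print(f"{package}=={version}: {adv_id} ({action})")
```

Note that cryptolib 2.0.1 is not flagged because it is already at or above the fixed version, while logging-utils is flagged with no fix available, which is the case that needs a mitigation decision rather than a simple upgrade.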

Computer security is a massive topic with many different subfields and specializations. It can take a lifetime to master computer security. As a developer you must focus on the subset of computer security that is most relevant to your needs for writing secure applications. 

Summary 
  • Never trust the network: Treat internal “secure” networks with the same level of trust as the internet. Secure all application communication channels using TLS protocol. 
  • TLS is a key foundational technology that every developer should know really well. 
  • Software supply chain attacks are increasing because they are extremely effective. Use a dependency vulnerability scanner in all your applications, and rapidly fix the issues it flags. Stay up to date with advances in software supply chain security tools and processes, and champion their use with your employer. 
  • The goal of DevSecOps is to reduce the time, effort, and cost of taking a business idea from concept to production while applying the best practices of security, operations and development. 
  • Security is the collective responsibility of everyone working in IT including developers. Improving your security skills makes you more valuable to your employer and enables you to resolve security issues quickly. 

(Excerpt from the pre-publication book “Securing Cloud Applications on Kubernetes” by Adib Saikali)

To learn more about the transformative nature of cloud native applications and open source software, join us at KubeCon + CloudNativeCon Europe 2023, hosted by the Cloud Native Computing Foundation, which takes place from April 18-21.

Most severe supply chain attacks occur due to third-party dependencies https://sdtimes.com/cybersecurity/most-severe-supply-chain-attacks-occur-due-to-third-party-dependencies/ Wed, 05 Apr 2023 20:02:48 +0000 https://sdtimes.com/?p=50814

The post Most severe supply chain attacks occur due to third-party dependencies appeared first on SD Times.

Software supply chain attacks occur primarily because most software development involves using third-party dependencies. 

The most severe attacks occur on a “Zero Day,” which refers to vulnerabilities that have been discovered without any available patch or fix, according to William Manning, solution architect at DevOps platform provider JFrog, in an ITOps Times Live! on-demand webinar “Zero Day doesn’t mean Zero hope – Fast detection / Fast remediation.”

These types of vulnerabilities can severely impact a company’s reputation, credibility, and financial stability, and there are three variations of Zero Day attacks that can occur: vulnerabilities, exploits, and attacks. For example, an attacker can use a zero-day exploit to gain initial access to a system and then use a software supply chain attack to install a persistent back door or malware on the compromised system.

The time it takes for organizations to recognize these attacks has also gone up from 12 days in 2020 to 42 days in 2021, according to Manning. Managing the blast radius to lower the mean time to remediation (MTTR) is one of the first steps that an organization should take. 

“One of the things, whenever I discuss this with customers, is how do you know not only what’s affected, but when it was affected, and how long you’ve been affected? And what else it’s affected?” Manning said. “When you find something, what’s the blast radius of affecting your organization in terms of software development, and knowing that 80% of the public exploits that are out there are actually done before a CVE is even published.” 

Managing zero-day vulnerabilities that can prevent these software supply chain attacks can also be a time-consuming process. That’s why organizations have to strike a delicate balance, according to Manning.

“Developers are artists in what they do and their palette and medium that they use to express themselves is of course the code that they produce, but that also includes the actual transitive dependencies, both direct and indirect,” Manning said. “You want to be able to go ahead and make sure that they’re building safe software for your company for things like reputation and revenue, but you don’t want to hinder the software developer’s ability to do what they do.” 

Be sure to check out this webinar to learn more about how to use the JFrog Platform to combat potential threats within the organization throughout the whole SDLC through front-line defense, identifying the blast radius, using JIRA and Slack integrations, and more.
