Security – EvaluateSolutions38 (https://evaluatesolutions38.com), Latest B2B Whitepapers | Technology Trends | Latest News & Insights, feed dated Thu, 04 May 2023 18:02:05 +0000

Anti-fraud Collaboration Startup FiVerity Acquires USD 4M
https://evaluatesolutions38.com/news/security-news/anti-fraud-collaboration-startup-fiverity-acquires-usd-4m/
Mon, 24 Apr 2023 19:45:40 +0000

Highlights:

  • FiVerity, founded in 2017, provides artificial intelligence and machine learning solutions for financial institutions to detect new and emerging forms of cyber fraud.
  • By enhancing its machine learning algorithms and its network of data providers with the new investment, FiVerity intends to identify new methods used by fraudsters and compare them to patterns within the systems of financial institutions.

FiVerity Inc., a startup that operates an anti-fraud collaboration platform, recently announced that it has raised four million dollars in new funding to grow its network of information and data providers while integrating advanced machine learning algorithms.

FiVerity, established in 2017, helps financial institutions detect new cyber fraud using AI and machine learning solutions. Through the company’s partnerships with banks, regulators, credit unions, and law enforcement agencies, the platform responds to industry-wide fraud activity using secure and compliant information sharing and each institution’s fraud analysts.

According to FiVerity, rising fraud rates are only part of the problem that companies face as criminals continue to deploy advanced automation and AI-based tools, making it significantly more difficult for financial institutions to detect episodes of fraud. Failure to detect and halt fraud as soon as possible can result in legal consequences and the loss of vital client relationships.

With the new funding, FiVerity plans to improve its machine learning algorithms and its network of data providers in order to better detect new fraud techniques and compare them to patterns found in the systems of financial institutions. The strategy is said to expedite the detection of fraudulent accounts and the dissemination of these threats to the broader financial community to safeguard personally identifiable information and halt these activities before significant damage is caused.

FiVerity works with financial institutions, regulators, and organizations including the U.S. Federal Reserve and the Financial Crimes Enforcement Network on its Anti-Fraud Collaboration platform to understand industry demands and ensure its solution meets them.

Greg Woolf, FiVerity’s Chief Executive, said, “Fraudsters have become increasingly innovative, turning to new AI and automation techniques to successfully deceive financial institutions into granting loans, opening accounts, and approving transactions. This latest investment provides the additional resources needed to expand our offerings with new real-time collaboration and information capabilities that allow financial institutions to take a proactive approach to fraud detection — identifying fraudulent activity before it impacts their business, like an ‘antivirus for fraud.’”

The seed round was led by Mendon Venture Partners LLC, with participation from FinCapital LLC, Service Provider Capital LLC, Mendoza Ventures LLC, and Grasshopper Bank N.A. John Clausen, a veteran financial services investor, significant partner at Mendon Venture Partners, and former N.Y. Federal Reserve Bank regulator, will join FiVerity’s board of directors.

Coro Raises USD 75M for Midsize Company Cybersecurity
https://evaluatesolutions38.com/news/security-news/coro-raises-usd-75m-for-midsize-company-cybersecurity/
Mon, 24 Apr 2023 15:00:06 +0000

Highlights:

  • Coro Cyber Security Ltd., a rapidly growing supplier of cybersecurity software for midsized enterprises, recently revealed a USD 75 million investment round.
  • The investment is referred to as a Series 2C round by the startup. Energy Impact Partners contributed the whole funding.

Coro Cyber Security Ltd., a rapidly growing supplier of cybersecurity software for midsized enterprises, recently revealed a USD 75 million investment round.

The investment is referred to as a Series 2C round by the startup. Energy Impact Partners contributed the whole funding. Coro is now worth USD 575 million, up from USD 500 million following its last investment round in April.

Coro sells a cybersecurity platform tailored to businesses with 500 to 4,000 employees. Because such companies typically have minimal in-house cybersecurity experience, they require breach prevention systems that are simple to use. According to the organization, its platform meets that need while lowering expenses.

Businesses frequently use separate technologies to safeguard staff devices, email inboxes, and cloud apps. Coro’s platform is capable of securing all three. The company claims that utilizing a single solution is less expensive than purchasing different tools for each use case.

Coro claims that its platform is also easier to use. Customers can access a centralized interface that displays outstanding cybersecurity issues and impacted systems. A feature known as 1-click resolve makes it possible to block malware and correct insecure configuration settings with just one click.

Guy Moskowitz, Chief Executive Officer, said, “Our modern approach to cybersecurity, where one platform automatically addresses all aspects of cybersecurity, was built from the ground up to ensure that mid-market companies can get enterprise grade protection without the complexity, workload or inflated price tag.”

Protecting data stored in software-as-a-service applications is one of the security tasks that Coro claims to simplify. The startup claims that its platform automatically disables the connection when malware is transmitted to an application. It also detects subtler indicators of a security compromise, such as data access requests that are not typical.

Coro provides a second set of email protection features for employee inboxes. It is capable of detecting malware attempts and blocking malicious attachments. According to the company, its algorithms also detect attempts to share sensitive business information without authorization.

The startup’s platform installs an agent on employee devices that detects malware using machine learning. The agent models how employees typically interact with a company’s business applications, and the system then looks for malicious behavior that deviates from that pattern.

Coro claims to have tripled sales in 2022 and anticipates repeating the feat this year, although it has yet to disclose exact figures. The venture will recruit additional personnel and investigate acquisition opportunities to support revenue expansion. It also intends to grow its channel partner ecosystem.

GitHub Announces New Tools to Ensure Integrity and Secure Software Supply Chain
https://evaluatesolutions38.com/news/security-news/github-announces-new-tools-to-ensure-integrity-and-secure-software-supply-chain/
Mon, 24 Apr 2023 14:52:44 +0000

Highlights:

  • Private vulnerability reporting, the first new tool, is now generally available and was created to help open-source maintainers and security researchers adopt best practices for reporting and resolving vulnerabilities.
  • Npm is a widely used package manager for the JavaScript programming language and is maintained by npm Inc.

GitHub, which is owned by Microsoft Corp., announced two new tools recently to assist developers in ensuring the integrity of their projects and securing the software supply chain.

Private vulnerability reporting, the first new tool, is now generally available and was created to help open-source maintainers and security researchers adopt best practices for reporting and resolving vulnerabilities. Without a standardized and secure method for the open-source community to report and collaborate on vulnerabilities, it was far too easy for issues to go unresolved or to become publicly known before fixes were ready. This is the problem the private collaboration channel aims to address.

Private vulnerability reporting makes the process simple for researchers and maintainers to identify and correct vulnerabilities in public repositories through various tools and automated features. This includes the capacity to report identified issues in multiple repositories and recognize contributions from multiple researchers who aid in vulnerability detection and resolution.

In November, the service entered the public beta testing phase and was made available to maintainers from over 30,000 organizations, who used it to facilitate private vulnerability reporting on over 180,000 repositories. During this time, researchers submitted more than 1,000 reports to the service.

The second release, npm package provenance, allows developers who build npm packages on GitHub Actions to publish provenance information with their packages. This lets consumers verify the source repository and build instructions for a package. Npm is a widely used package manager for the JavaScript programming language maintained by npm Inc. Its popularity stems from being the default package manager for the Node.js JavaScript runtime environment.

GitHub states that programmers plug npm packages into their applications daily with little thought, weakening the integrity of their software supply chain. As the stewards of the npm registry, GitHub helps in building trust in these projects, and consumers of npm projects can trust the source code and build process with this release.
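As an added example (not from the original article, GitHub, or npm Inc.), the GitHub Actions workflow below publishes a package with provenance; the workflow name, the tag pattern and the NPM_TOKEN secret name are assumptions.

```yaml
# Added example: a GitHub Actions workflow that publishes an npm package with
# provenance. The workflow name, tag pattern and NPM_TOKEN secret are assumed.
name: publish-with-provenance

on:
  push:
    tags: ['v*']          # publish on version tags such as v1.2.3 (assumed convention)

permissions:
  contents: read
  id-token: write         # lets the job request the OIDC token that backs the provenance attestation

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: 18
          registry-url: https://registry.npmjs.org   # setup-node writes the registry auth config

      - run: npm ci       # clean, lockfile-exact install of dependencies

      # --provenance (npm 9.5 or later) records the source repository and the
      # workflow run that built the package, so consumers can check where it came from.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

On the consuming side, `npm audit signatures` (npm 9.5 or later) verifies the registry signatures and provenance attestations of the packages in a project.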

The two new tools come after GitHub released Copilot X in March. Copilot X is an AI tool that is partly powered by GPT-4. The tool is an enhanced version of the Copilot coding assistant, which GitHub released in mid-2021, and was made to help developers write code faster with features that were not in the original release.

CrowdStrike Turns to Managed XDR to Assist Organizations in Navigating the Cyber Skills Gap
https://evaluatesolutions38.com/news/security-news/crowdstrike-turns-to-managed-xdr-to-assist-organizations-in-navigating-the-cyber-skills-gap/
Mon, 24 Apr 2023 14:41:40 +0000

Highlights:

  • Falcon Complete XDR can support teams with varying skill levels and help eliminate data and organizational silos to stop cyber adversaries.
  • As part of CrowdStrike’s “better-together strategy” for bringing XDR to organizations of all sizes, the partnership between partners and CrowdStrike is said to have been successful in the MDR market.

CrowdStrike Holdings Inc., a company specializing in cybersecurity, has introduced a new managed extended detection and response service called Falcon Complete XDR, which combines human expertise with AI automation and threat intelligence. The service bridges the cybersecurity skills gap by offering 24/7 expert management, threat hunting and monitoring, and end-to-end remediation across all important attack surfaces.

Falcon Complete XDR can support teams with varying skill levels and help break down data and organizational silos to stop cyber adversaries. The service addresses the challenge faced by almost half of all organizations who believe they need more security operations skills. Additionally, a massive cybersecurity workforce gap of 3.4 million individuals makes it difficult for companies to hire the necessary staff to implement a robust security program.

Tom Etheridge, the Chief Global Services Officer of CrowdStrike stated, “With Managed XDR services, organizations can entrust the implementation, management, response and end-to-end remediation of advanced threats across multiple vendors and attack surfaces.” He said the company can provide that without the “burden, overhead, or costs of deploying and managing a 24/7 threat detection and response function on their own.”

CrowdStrike highlighted the Partner-Delivered Managed XDR Services with the introduction of Falcon Complete XDR. To provide MXDR services to their clients, partners use the Falcon platform.

As part of CrowdStrike’s “better-together strategy” for bringing XDR to organizations of all sizes, the collaboration between CrowdStrike and its partners is said to have been successful in the MDR market. Delivering MXDR services powered by CrowdStrike has benefited top international system integrators and managed security service providers. BT Group plc, ReliaQuest LLC, Red Canary Inc., Eviden, and Telefonica Tech S.A. are notable partners.

Tailscale Introduces a Next-Generation Enterprise Zero Trust Networking Solution
https://evaluatesolutions38.com/news/security-news/tailscale-introduces-a-next-generation-enterprise-zero-trust-networking-solution/
Thu, 20 Apr 2023 14:47:28 +0000

Highlights:

  • The network offers zero-trust networking for Secure Access Service Edge, Identity and Access Management, and Privileged Access Management by providing end-to-end encryption and granting all users least-privilege access.
  • Over 2,000 organizations have used Tailscale’s technology, with over 2.5 million connected devices.

Recently, Tailscale Inc., a company offering corporate virtual private networks using mesh networking technology, launched its zero-trust networking solution for business clients, enabling them to ensure that each connection is authenticated and that all traffic is end-to-end encrypted.

To address the problems with secure connectivity brought on by conventional VPN services, which rely on centralized servers to provide monitoring and access management, Tailscale was founded in 2019. The business uses mesh networking, which enables devices to connect via nodes and decentralizes access while boosting network speed, scalability, and reliability.

The Tailscale solution also offers quick setup, almost no configuration, and simple connectivity for new devices. The network offers zero-trust networking for Secure Access Service Edge, Identity and Access Management, and Privileged Access Management by providing end-to-end encryption and granting all users least-privilege access.

Avery Pennarun, Co-founder and CEO of Tailscale, said, “The big conundrum with zero trust is, how do you lock down access without bringing productivity to a screeching halt and overhauling your entire tech stack? Tailscale is the zero trust easy button enterprises have been looking for. Unlike other solutions, we work with your existing infrastructure so it can be set up within minutes — a powerful tool to protect against unauthorized access and data breaches.”

Tailscale already integrates with a wide range of identity services for user authentication, including Okta, Azure AD, and Google. The business has added OpenID Connect-compliant connectivity for enterprise customers with complex identity requirements or who self-host their solutions. Customers can then connect to identity providers like GitLab, JumpCloud, Auth0, and Duo.

With improved real-time logs, enterprise information technology teams can monitor and analyze traffic as part of their security procedures. In contrast to other network connections, Tailscale network activity can be connected to users’ identities, allowing for detailed attribution of traffic and a better understanding of potential security issues.

Customers can also authenticate and encrypt secure shell connections between devices using the company’s enterprise solution. Additionally, organizations can record shell sessions, such as Tailscale SSH sessions, by streaming the session logs to another network node. The recordings are end-to-end encrypted, so only authorized users can access them; even Tailscale cannot read the recordings.

Insight Partners and CRV led the USD 100 million funding round for Tailscale last year. Over 2,000 organizations have used Tailscale’s technology, with over 2.5 million connected devices. Its private networking is used by businesses like Instacart, the language-learning company Duolingo Inc., and the Japanese e-commerce company Mercari Inc. to secure their operations and sensitive data.

Semgrep Raises USD 53M to Assist Developers in Detecting Insecure Code
https://evaluatesolutions38.com/news/security-news/semgrep-raises-usd-53m-to-assist-developers-in-detecting-insecure-code/
Thu, 20 Apr 2023 14:15:35 +0000

Highlights:

  • Series C funding was led by Lightspeed Venture Partners. Also contributing were Felicis Ventures, Redpoint Ventures, and Sequoia Capital.
  • Before releasing new code to production, developers scan it for vulnerabilities with so-called SAST (static application security testing) tools.

Semgrep Inc., the company behind the well-known code security platform of the same name, reported that it has secured USD 53 million in investment.

The Series C funding was led by Lightspeed Venture Partners. Also contributing were Redpoint Ventures, Felicis Ventures, and Sequoia Capital.

Before releasing new code to production, developers scan it for vulnerabilities with so-called SAST (static application security testing) tools. Semgrep provides one of the market’s most prominent SAST platforms. Its platform is utilized by the development teams of Snowflake Inc., Shopify Inc., Dropbox Inc., and other significant technology companies.

Semgrep can determine if a fragment of code contains known vulnerabilities, such as those documented by the CVE database. It can also assess an application’s susceptibility to common attack techniques. A developer could use Semgrep, for instance, to determine if an application is susceptible to SQL injections.

Software teams can create custom detection rules to augment Semgrep. A detection rule is a script that determines whether or not a piece of code satisfies particular technical requirements. Developers can configure Semgrep to discover not just new cybersecurity problems but also other concerns, such as code snippets that violate organizational best practices.
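As an added example (not code from the article or from the Semgrep project), the rule file below shows what such a detection rule looks like: the first rule catches string-built SQL queries, the pattern behind the SQL injection case mentioned above, and the second enforces an organizational convention. Rule ids, messages and the logging convention are assumptions.

```yaml
# Added example of a Semgrep rule file; rule ids, messages and the logging
# convention are assumed, not taken from the article or the Semgrep project.
rules:
  # Rule 1: a security finding. Flags Python database calls whose SQL text is
  # assembled by string formatting, the usual root cause of SQL injection.
  - id: python-sql-query-built-from-string
    languages: [python]
    severity: ERROR
    message: >-
      SQL statement is assembled from a formatted or concatenated string.
      Pass values as query parameters, e.g. cursor.execute(sql, params),
      so the database driver handles escaping.
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    patterns:
      # Any of these call shapes is reported; $CURSOR and $REST are metavariables
      # that bind to whatever expression appears in that position.
      - pattern-either:
          - pattern: $CURSOR.execute("..." % ...)        # "... WHERE id = %s" % user_id
          - pattern: $CURSOR.execute("..." + $REST)      # "... WHERE id = " + user_id
          - pattern: $CURSOR.execute("...".format(...))  # "... WHERE id = {}".format(user_id)
          - pattern: $CURSOR.execute(f"...")             # f"... WHERE id = {user_id}"
    # A call such as cursor.execute("SELECT ... WHERE id = %s", (user_id,))
    # matches none of the shapes above and is not reported.

  # Rule 2: an organizational best practice rather than a vulnerability.
  # Flags print() in application code where the team's convention is the
  # logging module (assumed convention).
  - id: use-logging-not-print
    languages: [python]
    severity: WARNING
    message: Use the logging module instead of print() in application code.
    pattern: print(...)
    paths:
      exclude:
        - "tests/"       # scripts and tests are allowed to print (assumed exclusion)
```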

Isaac Evans, Founder and Chief Executive Officer said, “Unlike most black-box scanners, Semgrep puts engineers in charge: they can transparently view the rules that alerted the vulnerabilities and make sense of them. They can also quickly write a new rule, edit an existing rule or use one of the thousands of community rules and fine-tune Semgrep to match their specific needs.”

The company generates revenue from two commercial editions of its open-source platform, Semgrep Supply Chain and Semgrep Code.

External modules from the open-source ecosystem are included in enterprise applications, in addition to the code that a company’s internal developers produce. Such modules may contain security vulnerabilities. The startup’s first commercial product, Semgrep Supply Chain, autonomously analyzes open-source code for vulnerabilities.

In some circumstances, a vulnerable open-source module may not pose a cybersecurity risk. Typically, such situations occur when the portion of the module containing the vulnerability is not utilized by the installed application. Such inert security issues frequently trigger false positives in cybersecurity tools.

Semgrep Supply Chain can automatically determine whether an open-source vulnerability is inactive. It then prioritizes the software vulnerabilities that pose a greater cybersecurity risk, allowing developers to resolve the most pressing issues first. In some cases, the tool can reduce false positives by up to 98%, according to Semgrep.

Semgrep Code is designed to identify vulnerabilities in an organization’s own application code, as opposed to open-source ecosystem components. It includes prepackaged vulnerability detection criteria that are unavailable in the startup’s open-source platform. In addition, it provides additional information about the vulnerabilities it discovers. It can also determine whether malevolent input submitted into one section of an application could compromise the security of another section.

The company informed a leading media house that its commercial products grew by 750% over the past year, but did not provide exact figures. It will utilize its recently announced funding round to expand its market presence. Semgrep reportedly plans to hire 50 new employees by the end of the year to support the initiative.

SpecterOps Secures USD 25M in Series A Capital
https://evaluatesolutions38.com/news/security-news/specterops-secures-usd-25-m-in-series-a-capital/
Wed, 19 Apr 2023 17:01:42 +0000

Highlights:

  • According to reports, BloodHound Enterprise grew quickly through 2022, with SpecterOps reporting a 600% increase in customer acquisition.
  • BloodHound Enterprise, a premium version with extended support, was released by SpecterOps in 2021.

SpecterOps Inc., a provider of cybersecurity solutions and services, recently announced that it had raised USD 25 million in new capital to speed up the adoption of its BloodHound Enterprise product and broaden its research and development projects.

SpecterOps was founded in 2017 on the premise that “only with true knowledge of how adversaries operate will organizations be able to defend themselves against the devastating effects of modern attacks.” It provides products, services, and training options to help defend against modern and evolving attacks.

BloodHound, free and open-source software that has become popular among penetration testers and cybersecurity “red teams” for identifying attack vectors within on-premises Active Directory and cloud environments, was the company’s first product. In 2021, SpecterOps released BloodHound Enterprise, a paid variant with comprehensive support.

BloodHound Enterprise continuously maps and quantifies identity attack paths in Active Directory and Azure (namely Azure Active Directory and Azure Resource Manager) and can automatically eliminate attack paths inside an existing architecture. According to the company, it removes the attacker’s simplest, most dependable, and most appealing targets.

David McGuire, Chief Executive, said, “Our approach with BloodHound Enterprise is unique because rather than focusing on controlling access, we treat the identity ecosystem as a networked graph, mapping attack paths continuously in the same manner that bad actors test the soft spots of a corporate ecosystem.”

According to reports, BloodHound Enterprise grew quickly through 2022, with SpecterOps reporting a 600% increase in customer acquisition. The University of Texas at Austin, Capital Group Companies Inc., and Woodside Energy Ltd. are a few notable clients.

In addition to utilizing some of the new funds to increase the adoption of BloodHound Enterprise, SpecterOps is also using some of it to broaden its service offerings and training programs. Employees at SpecterOps have developed 93 open-source security products, made over 400 contributions to the security community, trained more than 6,900 students in their adversary-focused training programs, and assisted more than 185 clients with adversary simulation and detection tests.

The fundraising round was led by Decibel Partners, with participation from the co-founders of Duo Security Inc., Jon Oberheide and Dug Song, as well as Mandiant’s founder and CEO, Kevin Mandia.

McGuire explained the company’s goal for attack path and identity risk management in an interview with main investor Decibel, stating that “one thing clear to all of us — identities have become the connective tissue linking all of our computing resources and data.”

McGuire said, “Defending against attacks on identity systems requires a new way of thinking: defenders usually think in ‘lists,’ while attackers always think in ‘graphs’.

BloodHound is the first to offer defenders a platform that operates with identity-based graph analysis and, in doing so, creates a new approach for identifying and eliminating the highest risks within an organization.”

Swimlane-AWS Collaboration Introduces Low-code Automation to Amazon Security Lake
https://evaluatesolutions38.com/news/security-news/swimlane-aws-collaboration-introduces-low-code-automation-to-amazon-security-lake/
Wed, 19 Apr 2023 16:58:38 +0000

Highlights:

  • Support for the Open Cybersecurity Schema Framework is provided by Turbine and Amazon Security Lake; the integration is said to provide reciprocal commercial value and a smooth user experience.
  • Turbine automates the application of new security technologies to AWS data, speeding their adoption and raising the return on investment of an organization’s overall security program.

Swimlane LLC, a provider of low-code security automation, disclosed a new strategic alliance with Amazon Web Services Inc. and claimed that its Swimlane Turbine product is now a cloud-native platform.

As a result of the collaboration, Amazon Security Lake is now integrated with Swimlane’s low-code automation platform, Turbine. Organizations can gather, manage, and analyze log and event data with the help of AWS’ Security Lake, a specially designed security data lake that enables quicker threat detection, investigation, and incident response.

The integration between Turbine and Amazon Security Lake supports the Open Cybersecurity Schema Framework and provides mutual business value and a seamless consumer experience. According to Swimlane, the agreement gives Security Lake clients an affordable option that expedites research and action when risks are detected in AWS environments.

Turbine automates the application of new security technologies to AWS data, speeding their adoption and raising the return on investment of an organization’s overall security program. According to the company, it also gives clients a faster time to value.

Because Swimlane is an authorized independent software vendor partner, AWS customers can purchase Swimlane Turbine through the AWS Marketplace using prepaid credits. Customers already using Turbine and AWS Security Lake receive the integration at no extra cost.

GuardDuty, Macie, CloudTrail, Route 53, and VPC Flow Logs are among the AWS data sources that Turbine’s integration ingests, correlates, and responds to automatically, and the integration is advertised as simple to set up. Because Turbine’s content follows the OCSF standard, developers no longer need to build custom mappings for security alerts from new data sources.

Lower pricing for managed security service providers and managed infrastructure providers, together with multi-region support, helps those providers increase the cost-effectiveness of their security offerings and maximize return on investment.

High scalability is another benefit of the integration. Turbine’s cloud-native infrastructure auto-scales, providing rapid elasticity, resource pooling, and the capacity to absorb increases in workload.

Swimlane’s infrastructure supports cloud-native computing and offers continuous integration and delivery, resulting in 99.9% availability and zero-downtime upgrades. Additionally, the service provides a “serverless-like experience,” allowing users to run functions written in any language inside a Turbine remote agent.

Mike Kay, Senior Vice President of Business Development at Swimlane, said, “As one of the only SOAR launch partners for Amazon Security Lake, Swimlane’s partnership with AWS uniquely enables security customers to harness the power of Turbine to accelerate automation across their security program regardless of the technology stack.”

Latest Developments Aim to Enhance Conducive Environment for Good-faith Security Research
https://evaluatesolutions38.com/news/security-news/latest-developments-aims-to-enhance-conducive-environment-for-good-faith-security-research/
Fri, 14 Apr 2023 18:48:45 +0000

Highlights:

  • According to the Center for Cybersecurity Policy and Law, out-of-date legislation imposes limitations and legal responsibilities on security procedures.
  • The official disclosure coincided with Google’s publication of a white paper outlining potential improvements to the ecosystem for vulnerability management.

Aiming to improve the legal, policy, and commercial environments for honest security research and vulnerability disclosure, the Center for Cybersecurity Policy and Law unveiled two new initiatives.

The Hacking Policy Council, a brand-new organization, is the first effort. It intends to promote best practices for vulnerability disclosure and management to make the technology safer and more open. The council will also promote legislative and regulatory changes to empower impartial security research, penetration testing, and independent security repair.

According to the Center for Cybersecurity Policy and Law, out-of-date legislation imposes limitations and legal responsibilities on security procedures. Additionally, it claims that evolving legal guidelines for managing and disclosing vulnerabilities are not always clear or in the best interests of security.

The Hacking Policy Council’s main objectives include:

  • Fostering collaboration between the security, business, and policymaking communities
  • Preventing new legal restrictions on security research and related fields
  • Improving the legal environment for vulnerability disclosure and management
  • Strengthening organizational resilience through effective implementation of vulnerability disclosure policies and security researcher engagement

The council’s founding members are Google LLC, Bugcrowd Inc., HackerOne Inc., Intigriti NV, Intel Corp., and Luta Security Inc. Ari Schwartz, Center for Cybersecurity Policy and Law Coordinator, stated, “This is an all-star team of substantive experts with global reach and deep ties to the security and policymaking communities.”

The Security Research Legal Defense Fund, the second initiative, has been established as a separate 501(c)(3) nonprofit organization. In cases promoting cybersecurity for the public’s benefit, it will assist in funding legal representation for those who face legal issues due to honest security research and vulnerability disclosure.

The official disclosure coincided with Google’s publication of a white paper outlining potential improvements to the ecosystem for vulnerability management. Google contributed to the Hacking Policy Council’s creation and gave the Security Research Legal Defense Fund seed money.

Bugcrowd’s CEO, Dave Gerry, reported that his company wants to see a business and regulatory environment that supports consumer, security researcher, and enterprise protection and increases the likelihood that vulnerabilities will be found and fixed before threat actors have a chance to exploit them.

“We believe that promoting best practices in these areas will help protect consumers, enterprises, and society by increasing the likelihood that vulnerabilities will be mitigated before malicious actors exploit them. By leveraging the collective creativity of the hacker community, organizations can bridge the gap between the need for better security practices and their lack of in-house talent,” Dave Gerry mentioned.

Gerry mentioned that unaddressed vulnerabilities put the security of users and organizations at risk. “It’s my hope that this council can help bring clarity on vulnerability disclosure to set security standards that currently encourage beneficial cybersecurity activities,” he added.

With Assured OSS Packages, Google Cloud Enhances Open-Source Software Security
https://evaluatesolutions38.com/news/security-news/with-assured-oss-packages-google-cloud-enhances-open-source-software-security/
Thu, 13 Apr 2023 17:07:29 +0000

Highlights:

  • According to Google, the Assured OSS collection includes the most well-known Python and Java packages and popular artificial intelligence and machine learning tools.
  • Google states it garnered an immensely positive response after releasing Assured OSS for public access last year.

Google Cloud is making its Assured Open Source Software service generally available for Java and Python ecosystems to help enhance the security of the most popular open-source software.

Assured OSS, which was just announced and is free for consumers to use, enables organizations to utilize the same OSS packages that Google utilizes in its own developer workflows. Users can get extra security precautions that Google offers with those packages, enhancing their own security.

Given that the bulk of software programs and services in use today are based on open-source software, it might be an appealing offer. Even proprietary software applications rely on various open-source parts, but the security of these offerings from the community raises serious concerns. 17% of all security incidents in 2022 began with an attack on the open-source software supply chain, per the Mandiant M-Trends report. If hackers discover a flaw in an open-source component, it could be exploited by any application that employs it.

According to Google, organizations will gain a more secure open-source software supply chain by relying on Google’s comprehensive library of Assured OSS packages. With an Assured Software Bill of Materials offered in forms compliant with industry standards, they will better comprehend the components of the packages they employ. Because Google is continuously scanning and patching the components they utilize for vulnerabilities, their overall risk will also be decreased.

According to Google, the Assured OSS collection includes the most well-known Python and Java packages and popular artificial intelligence and machine learning tools such as TensorFlow, Pandas, and Scikit-Learn. The OSS packages are routinely scanned, analyzed, and fuzz-tested for vulnerabilities, are verifiably signed by Google, and are distributed from a company-protected artifact registry. According to Google, Assured OSS has already demonstrated its value: it was the first to identify and resolve 48 percent of all newly discovered vulnerabilities in the first 250 Java applications it offered through the program.

Holger Mueller at Constellation Research Inc. reported that practically all modern software is written with open-source components, and that their open format leaves them exposed to all types of risks. “For many enterprises, checking software for bugs and vulnerabilities is an arduous and sometimes even impossible task. So it’s great to see that Google is letting others benefit from its own checks and due diligence,” Mueller added.

Google states it garnered an immensely positive response after releasing Assured OSS for public access last year. Jon Meadows, Tech Fellow and N.A. Managing Director of Citibank, mentioned that his company has been among the earliest adopters of this initiative. “Both Citi and Google see untrusted and unverified open source dependencies as a key risk vector. Assured OSS can help reduce risk and protect open-source software components commonly used by enterprises like us,” he added.

Organizations that want to begin using Assured OSS can use Google’s self-service onboarding form. They can then connect the Assured OSS packages to their software development infrastructure in any desired environment, such as Artifact Registry, Artifactory, Nexus, and others.

Melinda Marks, an ESG analyst, stated that reliable, secure open-source packages are crucial for companies with fast-moving development cycles. “Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain. By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to protect their business applications better,” she added.
