Christopher Williams says
Secure coding benchmark to increase standards among developers
Secure Code Warrior (SCW) has introduced the SCW Trust Score, a new benchmark designed to measure the security skills of software developer teams. Unlike other scoring systems, the Trust Score focuses specifically on developers’ abilities and the effectiveness of their training programs. This tool aims to help companies better assess and improve their teams’ secure coding practices.
SCW’s Chief Technology Officer, Matias Madou, emphasized the importance of training developers early in the process, rather than relying solely on security tools. The Trust Score, based on data from 250,000 learners, provides a rating between 0 and 1,000, with most companies currently scoring between 300 and 500. The score allows organizations to see how well their developers are performing in terms of secure coding and to compare their results against industry benchmarks, including specialized comparisons for technology and financial services.
The Trust Score is intended to help IT leaders identify skill gaps, guide training efforts, and place top-performing developers on critical projects. SCW hopes this new measure will set an industry standard for secure coding and enhance overall awareness of secure development practices. Initial testing shows promising results, with some companies reducing security vulnerabilities by up to 53% after using the tool.
https://www.computerweekly.com/news/366583152/Secure-coding-benchmark-to-increase-standards-among-developers
Dawn Foreman says
https://www.msn.com/en-us/health/other/largest-u-s-healthcare-data-breach-exposes-medical-records-of-100-million-customers/ar-AA1td8ib?ocid=BingNewsSerp
Largest U.S. healthcare data breach exposes medical records of 100 million customers
I found this article interesting because I received a letter in the mail from Change Health notifying me of the breach and I was confused because my initial thought was this is not my health insurance company. After some digging I found out that a ransomware group called ALPHV targeted UnitedHealth Change Health’s payment processing system in February 2024. Not only was data hacked but systems involving critical services to hospitals, clinics, and medical practices nationwide were impacted. UnitedHealth paid the ransomware hacker group $22 million but the hackers kept the money and the data.
Neel Patel says
Title: Application Security vs. API Security: What is the difference?
Application security protects entire software applications from threats like unauthorized access, data breaches, and malware by employing encryption, authentication, and secure coding practices. API security, a subset of application security, specifically safeguards APIs against misuse, abuse, and attacks such as SQL injection and cross-site scripting, ensuring secure data exchange between applications. While application security addresses overall software vulnerabilities, API security targets the unique risks posed by APIs, requiring specialized tools and strategies to ensure robust protection.
Link: https://thehackernews.com/2023/02/application-security-vs-api-security.html
Benjamin Rooks says
China’s Recipe: Targeting Telecom, ISPs, Critical Infrastructure
China’s state-sponsored efforts seem to be leaning away from information gathering. With the latest revealed spy operations into American ISPs it seems as though they are looking to establish a foothold to possibly escalate their attacks. There is a real worry that state-sponsored attacks looking specifically to disrupt infrastructure could be the next stage in this escalating cyber war. Because of this and the expected policies of the new president-elect there is a real possibility of disruptions across the nation unless steps are taken ahead of time.
https://www.darkreading.com/cyberattacks-data-breaches/chinas-salt-typhoon-cyberattacks-us-isps
Brittany Pomish says
Title: Government of Mexico’s official website claimed by RansomHub gang
The Government of Mexico’s official website, gob.mx, has been targeted by the RansomHub ransomware gang. The attackers claim to have exfiltrated 313 gigabytes of data, including contracts, insurance documents, financial records, and confidential files. They have set a ten-day deadline for the Mexican government to pay an undisclosed ransom before they publish the stolen data. The gang has already posted over 50 sample files, which include personal information of federal employees and signed government documents.
https://cybernews.com/news/mexico-government-official-website-ransomware-attack-ransomhub/
Cyrena Haynes says
Title: Rising AI threats are making firms turn back to human intelligence
A HackerOne report reveals AI’s growing role in cybersecurity, with some security leaders viewing it as a major threat. Cross-site Scripting (XSS) and misconfigured emails are the top vulnerabilities in bug bounties and penetration tests, respectively, while AI assets on the platform have risen. The report underscores the indispensable role of human expertise in addressing AI-related risks, as creativity and manual analysis outperform automation in identifying complex vulnerabilities.
Source: https://www.msn.com/en-us/news/technology/rising-ai-threats-are-making-firms-turn-back-to-human-intelligence/ar-AA1tKbSw
Vincenzo Macolino says
NIST Secure Coding Standards: Best Practices for Secure Development
This article discusses the importance of secure coding practices in software development. I decided to go with this since it related to our readings and weekly questions. The article talked about AI in code development and mentions that there is a real potential for AI tools to have success going forward in assisting developers in identifying and fixing coding vulnerabilities. The thing that I like about this is that even though AI is super beneficial there’s still the issue that AI needs to be monitored as it can make mistakes. The article also gives examples of SQL injection, cross-site scripting, and improper input validation, which are usually used by attackers.
https://blog.kodezi.com/nist-secure-coding-standards-best-practices-for-secure-development/
Aisha Ings says
Low-Code, High Risk: Millions of Records Exposed via Misconfigured Microsoft Power Pages
Security researchers have discovered significant misconfigurations in Microsoft Power Pages implementations, potentially exposing millions of confidential records. Power Pages, a low-code tool used to create web portals linked to Microsoft’s Dataverse, has been adopted by various sectors, including government and education. Despite built-in role-based access controls and warning features, users often misconfigure these settings, unintentionally granting excessive permissions that allow unauthenticated users to access sensitive data. Researchers identified around 7 million exposed records, including personal details of over 1.1 million NHS employees. The ease of creating portals with Power Pages contrasts with the complexity of securely managing access controls, particularly when rushed implementations occur. While Microsoft is not at fault, the issue highlights the need for continuous monitoring and collaboration between development and security teams to prevent future misconfigurations.
https://www.securityweek.com/low-code-high-risk-millions-of-records-exposed-via-misconfigured-microsoft-power-pages/
Tache Johnson says
HTC America was sued by the FTC for failing to securely code its devices and tablets. HTC was accused of not following industry standards, not testing for vulnerabilities, and not educating its engineers on security. Due to these security breaches, rogue applications might misuse sensitive data. HTC must undertake 20 years of independent security evaluations and deliver software fixes to enhance device security as part of the settlement.
This article emphasizes the importance of safe code and proactive security assessments in protecting apps and user data. The case shows how disregarding security may have legal, reputational, and financial ramifications. Secure programming methods and vendor application reviews are also stressed in the readings as crucial to current cybersecurity.
https://www.nbcnews.com/tech/tech-news/htc-subject-20-years-security-reviews-because-holes-flna1c8684226
Gbolahan Afolabi says
AI’s impact on the future of web application security
We’ve covered the risks of AI-powered security threats and attacks, but we have yet to discuss the use of AI to lessen the time it takes to recover from threats (TTR) and the time it takes to detect attacks (TTD). It may help with detecting anomalies when used in conjunction with continuous monitoring and current machine learning models. A caution by this article is on the issue of AI-formulated deepfakes that make social engineering and phishing attacks more difficult to distinguish.
https://www.helpnetsecurity.com/2024/11/15/tony-perez-noc-org-web-application-security/
Andrea Baum says
US charges five in ‘Scattered Spider’ hacking scheme
https://www.reuters.com/technology/cybersecurity/us-charges-five-scattered-spider-hacking-scheme-2024-11-20/
U.S. prosecutors charged five alleged members of the cybercrime group Scattered Spider with hacking dozens of U.S. companies and individuals to steal cryptocurrency and confidential information. The group reportedly used phishing attacks, sending fake text messages to employees to steal login credentials, targeting industries like gaming, telecommunications, and cryptocurrency. Investigators linked one defendant to phishing websites, and the group gained attention for aggressive attacks on major companies, including a $15 million ransomware payment from Caesars Entertainment. Authorities emphasized the sophistication of phishing tactics and the importance of vigilance in preventing such cybercrimes.