Low-code/no-code (LCNC) and robotic process automation (RPA) technologies allow companies to speed up development processes and reduce costs, but security is often overlooked. When this happens, the risks can outweigh the benefits.

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

Technologies such as low-code/no-code (LCNC) and robotic process automation (RPA) have become fundamental in the digital transformation of companies. They continue to evolve and redefine software development, providing new possibilities for different organizations. This allows users with no programming experience — often called citizen developers — to create applications and automate processes, simplifying complex tasks and optimizing business operations.

Application platforms for these technologies offer intuitive visual interfaces. This allows anyone from a business professional to an IT employee to develop customized applications and automate repetitive processes quickly and efficiently.

Despite their advantages, the use of these technologies has challenges, especially regarding information security. These platforms, which aim to simplify and speed up development, can introduce risks related to controlling and protecting corporate data. The agility these tools provide tends to reduce development time and costs compared with traditional models significantly. However, the lack of centralized control, especially in environments where non-technical teams are free to create applications, can generate vulnerabilities and ultimately lead to higher costs.

After conducting several penetration tests and risk assessments in environments using LCNC, RPA, or other forms of automation, I thought it crucial to offer more detailed security considerations for these technologies. Companies must understand the potential risks and impacts that adopting these solutions can bring, ensuring that the benefits of automation do not compromise security and regulatory compliance.

**Data Collection Through Scraping**

A common use of LCNC and RPA is related to automating data retrieval processes, a technique known as scraping. In many of the instances, I have observed these tools scraping data from both internal environments (such as corporate databases) and external ones (API sites, among others). Based on this data, the automated "robot" makes decisions, following the configured workflow, such as carrying out new searches, saving information in files or databases, sending emails, generating alerts, etc. Although scraping is a widely used data collection practice, it can have legal implications, so I recommend that companies consult their legal or risk management department.

As you can imagine, this external dependence can become an absolute nightmare, especially when the organization has no direct control over these services. If the way the data is made available changes unexpectedly, whether the data host alters the addressing, data format, or presentation, or removes the data completely, the automation can become vulnerable to critical failures. This external dependency makes the problem even worse if the automation process is based on this data — unavailability can generate errors and allow the "robot" to continue executing the process with incorrect data in a more critical scenario. This can result in damaging actions, such as wrong decisions in sensitive financial or operational processes, potentially severely affecting the organization. Mishandled failures in the automation can also lead to organizational decisions being made with outdated data, or the loss of data by overwriting good records with bad ones.

Therefore, solutions developed with automation must be designed to deal robustly with data unavailability. Automation must be able to detect and handle these scenarios, including the appropriate use of exception and error handling. This will ensure that even when data sources fail, the system can behave safely and predictably, preventing further damage.

**Best Practices for Internal Policies**

Another crucial point, especially in organizations where the developers of LCNC solutions often lack formal programming experience, is the need to establish internal policies that guarantee the auditing and traceability of automated processes. A best practice is to implement detailed logs of all automation steps. Recording this information will not only allow the IT team or those responsible for security to investigate and correct any faults, but will also be essential in resolving future problems, guaranteeing greater transparency and control over automated processes.

By default, automation processes are run by a specific user account, meaning they are directly linked to the permissions and privileges associated with that account. This is a critical point and must be constantly monitored to avoid risks. In this context, the recommendation to adopt the principle of least privilege is fundamental: to grant the user only the minimum level of permissions necessary to carry out their task. This limits access privileges and helps mitigate the impact if the account is compromised.

I recognize that automation processes involving scripts and command execution, such as CMD, Python, VBScript, or PowerShell can be indispensable for organizations in some situations, however the recommendation is to reconsider using these technologies whenever possible, as they increase the overall risk considerably. A malicious user could exploit this capability to create harmful scripts and efficiently carry out malicious activities quickly. A good practice is implementing strict access controls in the infrastructure, limiting access to these functionalities, and constantly monitoring their use.

As always, I can't stress enough the importance of security training for users and developers of LCNC platforms and other automation processes, such as RPA. In addition to basic information security training, companies must include secure coding practices and emphasize adherence to general security best practices. This ensures that everyone involved in developing and operating automated solutions understands the risks and how to mitigate vulnerabilities.

Consider LCNC platforms as a potential insider threat vector in your network. Historical experience shows that many cyberattacks begin with the introduction of malicious agents inside corporate networks. These attack vectors can exploit vulnerabilities in internal systems, which happens often enough that you should exercise due care in the design and implementation of any system that handles sensitive data. It is, therefore, prudent to assume that any internal automation, especially those handling confidential information, should always be viewed with the same security caution applied to internal threats.

As mentioned, although LCNC and RPA technologies allow many companies to speed up their development processes and reduce costs, it is essential to remember that security is often overlooked. When this happens, the risks can outweigh the benefits. Organizations must adopt robust and continuous security measures to protect these solutions, preventing security costs from rising exponentially and risks from becoming irremediable.

**About the Author**

Senior Security Consultant, Secure Ideas

Jordan Bonagura is senior security consultant for Secure Ideas. With more than 20 years of experience in information security, Jordan is passionate about helping companies and clients protect their data and applications from threats and vulnerabilities. As a principal security researcher, he led teams conducting vulnerability management, risk assessments, penetration tests, and boundary-setting to comply with standards for companies in different segments.

Jordan contributed to significant projects, such as developing an integrated GNSS positioning system and an encryption communication protocol between ground and satellite at the Brazilian National Institute of Space Research. He also had the opportunity to speak at some of the most important security conferences around the globe, be a college professor and course coordinator, and consult for the Brazilian police in crime solving.

Best Practices &amp; Risks Considerations in LCNC and RPA Automation

The southern African telco is the latest entity on the continent to have its critical infrastructure hacked, and attackers release sensitive info online when Telecom Namibia refuses to negotiate.

Source: Golden Dayz via Shutterstock

The telecommunications provider for the African nation of Namibia suffered a significant ransomware attack late last year, becoming a visible symbol of the merging of two trends in the region: increasing attacks on critical infrastructure and the growing threat of ransomware.

Last month, Telecom Namibia alerted customers that a successful attack by the ransomware-as-a-service (RaaS) group Hunters International led to users' information being leaked online. The company is working with law enforcement agencies and third-party incident responders to uncover additional details, CEO Stanley Shanapinda said in a Dec. 16 statement.

"Initially, it appeared that no sensitive information was compromised, but recent analyses confirmed that some customer data was compromised," he said. "The threat was contained about three weeks ago and further attacks on our systems and third parties were prevented, \[but the exposed information\] was leaked on the dark web ... after we refused to negotiate to pay any ransom that may have been demanded."

Namibia is not alone in becoming a target for cyberattackers focused on profiting off of compromised infrastructure systems. In June, South Africa's National Health Laboratory Service (NHLS) suffered a ransomware attack that disrupted systems, deleted backups, and took weeks for the government-run network of healthcare testing laboratories to recover. In July, Hunters International exfiltrated more than 18GB of data from the Kenyan Urban Roads Authority (KURA). The same month, the Nigerian Computer Emergency Response Team (ngCERT) warned that the Phobos RaaS group had targeted critical cloud services serving the country's organizations, with at least one successful compromise.

**Telecoms, Critical Infrastructure in the Crosshairs**

Overall, ransomware accounted for a third of successful attacks in the region, including attacks on energy firm Eneo in Cameroon in January 2024 and industrial organizations in Egypt and South Africa throughout the year, according to data from Positive Technologies, a cybersecurity firm that operates in the region.

The telecommunications and manufacturing sectors were also heavily targeted, with each sector accounting for 10% of successful attacks, says Alexey Lukatsky, managing director and cybersecurity business consultant at Positive Technologies.

"These attacks are driven by factors such as rapid digital transformation, geopolitical tensions, and inadequate cybersecurity measures protecting critical infrastructure," he says. "The increasing volume of user data and expanding digital networks make sectors like telecommunications particularly attractive targets for cybercriminals seeking financial gain or engaging in cyber espionage."

The trend will continue in 2025, because the rapid digitization across multiple industries continues to outpace implementation of cybersecurity measures, Lukatsky says. The result: a growing attack surface area that remains vulnerable.

"Sectors such as energy, telecommunications, and manufacturing will continue to be prime targets for cybercriminals and APT groups, motivated by financial gain, data theft, or geopolitical objectives," he says.

**The Age of RaaS**

The rise of ransomware-as-a-service offerings has also accelerated attacks on critical infrastructure, says Avinash Singh, a computer science lecturer and head of the Intelligent Cyber Forensics Lab at the University of Pretoria in South Africa. RaaS has taken off in Africa, partly because some ransomware gangs appear to be using African organizations as testbeds for their latest attacks, according to an October 2024 report.

"The RaaS model allows attackers to focus on high-value targets, such as large corporations or critical infrastructure providers, where the potential ransom payout is significantly higher," Singh says. "Cyberattacks on critical infrastructure remain among the most lucrative for cybercriminals, as these systems provide essential public services, and their disruption can cause significant societal and economic damage."

In addition, ransomware groups are not targeting just African businesses and government agencies, but also those organizations' third-party suppliers, Singh says. Distributing malicious versions of popular software has become a popular way to infect personal and business devices in the region. A March 2024 attack targeting members of a popular Discord community, for example, infected developers with information-stealing malware by compromising a developer's account and poisoning the repository.

Many of the threats affecting African developers are the same as those affecting the global cyber landscape, he says.

"Over the years, threat actors have demonstrated a broad array of tactics, techniques, and procedures, including hijacking GitHub accounts, malicious Python packages, setting up fake Python infrastructures, and employing sophisticated social engineering strategies," Singh adds.

African organizations need to work to improve the cyber awareness of their employees and customers and establish secure practices while pursuing digitization, he recommends. The risks posed by cyberattacks will likely only increase, as the geopolitical tensions rise in the region and worldwide, according to Singh.

"While Africa may not be a prime target compared to other continents," he says, "many geopolitical factors can influence cyber threat activities, particularly when state-sponsored actors are involved."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Targeting Infrastructure Hits Telecom Namibia

The deal will enhance 1Password Extended Access Management offering with capabilities to address challenges around software-as-a-service sprawl and shadow IT.

Source: blickwinkel via Alamy Stock Photo

NEWS BRIEF

1Password on Monday announced that it has acquired software-as-a-service (SaaS) access management provider Trelica. Although terms of the transaction were not disclosed, 1Password said it is the largest acquisition by company revenue in its 18-year history.

1Password provides password management and other online identity-based services. This acquisition will build on 1Password's effort to expand its Extended Access Management offering, a platform that secures, identities, and manages access and permissions applications and devices, the company said. Launched last year, the platform is designed to ensure that employee devices, identities, and apps are trusted before granting access to enterprise resources.

Founded in 2018, UK-based Trelica offers a suite of tools for managing and securing SaaS applications, such as tools for employee onboarding and offboarding, discovering shadow IT deployments, SaaS operations, spend optimization, and access management. With shadow IT and SaaS sprawl increasing the risk of security breaches, security teams rely on automated application discovery tools to identify unmanaged apps, streamline user provisioning and access governance, and enforce security policies.

"Trelica addresses critical challenges that haven't been solved by traditional solutions like single sign-on (SSO), mobile device management (MDM) and SaaS security posture management (SSPM)," wrote 1Password CEO Jeff Shiner in a blog post announcing the deal. "These include provisioning and de-provisioning users, reclaiming unused licenses, monitoring permission drift, and adjusting access during role changes. Trelica prioritizes IT administrators' most time-consuming tasks while maintaining a secure environment."

With Shadow IT discovery capabilities from Trelica, the 1Password Extended Access Management platform will provide organizations with a repeatable framework for bringing unmanaged apps into full compliance under IT and security management, while empowering employees to use the tools that enhance their productivity, 1Password said in a statement.

Besides 1Password, Trelica lists over 300 SaaS integrations with SaaS providers, including Adobe, Atlassian, Cisco, Google, HubSpot, JFrog, LastPass, ManageEngine, Marketo, Microsoft, Okta, Pax8, Salesforce, SAP, ServiceNow, Snyk, Sophos, TeamViewer, Workday, Workspace One, and Zoom.

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

1Password Acquires SaaS Access Management Provider Trelica

Until September 2024, the encrypted messaging service acceded to 14 requests for user data from the US; that number jumped to 900 after its CEO was detained by French authorities in August.

Source: Piotr Adamowicz via Alamy Stock Photo

Before September 2024, policy of encrypted communications provider Telegram stated it would only share user data with law enforcement in instances of terrorism. That was until the company's Russian-born CEO Pavel Durov was arrested in France in late August and released on a $5 million bond.

By late September, Telegram had changed its tune — agreeing to give law enforcement user information, including phone numbers and IP addresses in cases of fraud and other cybercrimes. Telegram also committed to producing transparency reports on the data it released as a result of law enforcement requests. And according to Telegram's latest transparency report, the platform's cooperation with the cops has indeed exploded since September.

According to Telegram, the company only responded to 14 requests from the US government in the first nine months of 2024, affecting a total of 108 users, 404 Media was first to report. By the end of the year, Telegram reported it had met a total of 900 requests from the US, affecting 2,253 users.

The next report is expected from Telegram in April.

**Telegram's Data Sharing Policy Moves Cybercrime Needle?**

At the time of Durov's arrest last year, experts predicted the additional pressure on Telegram would have little effect on its thriving cybercrime operations. In the short term, arrests and fragmenting of certain cybercrime operations will likely produce some benefit for cyber defenders, but ultimately they will find other places to do their illegal business, according to Callie Guenther, senior manager of cyber-threat research for Critical Start.

Related:Pentagon Adds Chinese Gaming Giant Tencent to Federal Ban

"This development is expected to prompt many cybercriminals to migrate to alternative platforms that prioritize privacy or employ decentralized infrastructures," she says. "Platforms such as Signal or Session, as well as services on the darknet, may become the next hubs for illicit activities, but this migration could also create a more fragmented ecosystem, complicating law enforcement efforts and requiring additional resources to monitor new avenues."

In the longer term, Telegram's policy shift represents a wider trend of increased government pressure on technology companies to cooperate with law enforcement activities, Guenther adds, pointing to Durov's arrest as a high-profile example.

"The trade-off between privacy and security remains contentious," Guenther says. "Over time, cybercriminals are likely to adapt to the new landscape, increasing the operational complexity for both investigators and cybersecurity professionals. Balancing these considerations will be essential to addressing the evolving dynamics of online threats without undermining broader privacy protections."

Related:Treasury Dept. Sanctions Chinese Tech Vendor for Complicity

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Sharing of Telegram User Data Surges After CEO Arrest

The sprawling social media and gaming platform says that being considered a Chinese military business must be a mistake.

Source: Cyberstock via Alamy Stock Photo

NEWS BRIEF

Chinese messaging and gaming giant Tencent has been labeled a Chinese military business by the US Department of Defense (DoD).

The move comes on the heels of the US Department of Treasury sanctioning China-based cybersecurity company Integrity Technology Group for its role in computer-intrusion incidents against US critical infrastructure.

With the designation, Tencent cannot supply the US federal government with technology or services. It joins others like Huawei, and was added to the list known as "Section 1260" as part of a group that includes Contemporary Amperex Technology Company (CATL), China Overseas Shipping (COSCO), Changxin Memory Technologies, and Autel Robotics, a drone manufacturer.

The price of Tencent's shares in the US dropped nearly 10% on Jan. 7 after the announcement, accounting for billions in losses, but unlike a sanctioning, the designation does not mean that the firm can't still operate stateside, only that it can't do business with the federal government. A spokesperson for the company said that putting Tencent on the list was "a mistake" and that it is not a military company or supplier to the US federal government. The company also said that, in the long run, being added to the list will have "no impact" on the business and that it will work with the DoD to address the misunderstanding.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Pentagon Adds Chinese Gaming Giant Tencent to Federal Ban

The breach was carried out by exploiting CVE-2024-12356 in BeyondTrust cybersecurity company, just last week.

Source: trekandshoot via Alamy Stock Photo

NEWS BRIEF

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the third-party breach that affected the US Treasury Department at the hands of Chinese threat actors was limited to just that agency.

"CISA is working closely with the Treasury Department and BeyondTrust to understand and mitigate the impacts of the recent cybersecurity incident," the CISA stated in a brief bulletin. "At this time, there is no indication that any other federal agencies have been impacted by this incident."

The department alerted lawmakers on Dec. 30 to the intrusion, noting that cyber threat actors were able to compromise systems and steal data from workstations.

The adversaries broke into the Treasury Department by exploiting a bug in BeyondTrust, a vendor that offers software-as-a-service (SaaS)-based cybersecurity, and gained access to a remote key that secured a cloud-based service providing technical support to Treasury Department Offices' (DO) end users. From there, they were able to override security and remotely access Treasury DO workstations.

As CISA continues to monitor the situation, it reports that it is "working aggressively to safeguard against any further impacts and will provide updates, as appropriate."

BeyondTrust meanwhile updated its statement on the incident yesterday, stating that its forensic investigation is nearly complete, all SaaS instances of BeyondTrust Remote Support have been fully patched, and no new victims have been identified other than those previously communicated.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA: Third-Party Data Breach Limited to Treasury Dept.

The malware, found on a Russian cybercriminal site, impersonates e-commerce payment-processing services such as Stripe to steal user payment data from legitimate websites.

Source: Primakov via Shutterstock

A malicious plug-in found on a Russian cybercrime forum turns WordPress sites into phishing pages by creating fake online payment processes that convincingly impersonate trusted checkout services. Masquerading as legitimate e-commerce apps such as Stripe, the malware proceeds to steal customer payment data.

Called PhishWP, the WordPress plug-in was designed by Russian cybercriminals to be particularly deceptive, researchers from SlashNext revealed in findings published this week. In addition to mimicking the legitimate payment process that people would be familiar with to complete online transactions, it also has a key feature that make payment processes on transactions appear secure by allowing users to create one-time passwords (OTPs) during the process, they said.

Instead of processing payments, however, the payment gateway steals credit card numbers, expiration dates, CVVs, billing addresses, and more when people enter their personal data, thinking they are using a legitimate payment gateway. As soon as victims of the plug-in press "enter," the data is sent to a Telegram account controlled by the cybercriminals. Threat actors can use the plug-in like any WordPress plug-in, by either installing it on a legitimate but compromised WordPress site or creating a fraudulent site and using it there.

Related:Thousands of BeyondTrust Systems Remain Exposed

"PhishWP’s features make fake checkout pages look real, steal security codes, send your details to attackers right away, and trick you into thinking everything went fine," SlashNext security researcher Daniel Kelley wrote in the post.

This immediate turnaround of data "equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data — sometimes within minutes of capturing it," notes Jason Soroko, senior fellow at Sectigo, a certificate life-cycle management (CLM) firm, making it a fast return on their investment to use the plug-in for nefarious purposes.

**Other Key PhishWP Malware Features**

OTP hijacking is one of the plug-in's key features, which when combined provide attackers with a turnkey solution for hijacking payment pages. Included in these are the aforementioned customizable checkout pages that simulate common payment processes through "highly convincing" fake interfaces, Kelley wrote.

Another feature of PhishWP, browser profiling, captures data beyond payment info for the replication of user environments for use in potential future fraud. This includes IP addresses, screen resolutions, and user agents.

The plug-in also gives the hijacked checkout process added legitimacy by using auto-response emails to send fake order confirmations to victims, which delays suspicion and thus detection of the attack. And as mentioned before, PhishWP also integrates with Telegram to instantly transmit stolen data to attackers for potential exploitation in real time.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

The plug-in also comes in an obfuscated version for stealth purposes, or users can use its source code for advanced attacker customizations. Finally, PhishWP also offers multilanguage support so attackers can target victims globally.

**Browser-Based Protection From E-Commerce Phishing**

Creating malicious plug-ins for WordPress sites has become a cottage industry for cyberattackers, giving them a broad attack surface due to the popularity of the platform, which as of today is the basis for some 472 million websites, according to Colorlib, which provides WordPress themes.

One of the reasons that PhishWP — or any malicious WordPress plug-in — is so dangerous is that the malicious process is built directly into the browser, which makes it difficult to detect when it appears as a legitimate part of online engagement.

To defend against such threats, SlashNext recommends using phishing protection that also works from directly inside the browser to spot phishing sites before they reach the end user. These solutions, which are available within various browsers, work within browser memory to block malicious URLs before users engage with them. The company said this provides real-time threat detection and blocking capabilities that traditional security measures might miss.

Related:Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

Who are you? Who is the person behind the machine? Security involves asking people who they are all the time. Send us a cybersecurity-related caption to describe the above scene. Our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Jan. 28, 2025 deadline:

*   Via social media: X, Facebook, and LinkedIn. (New! Bluesky, too!) (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Marcello Delcaro, winner of the July contest "Cyber Cloudburst," for sending us the winning caption for December's "Shackled!" cartoon. Some noteworthy contenders included "Corporate says we're free to innovate — just not free to leave," "Now I know why they are called control systems," and "Phase 3 of the Cyber Kill Chain-Exploitation." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Greetings and Salutations

We can't put defense on hold until Inauguration Day.

Christy Wyatt, President & Chief Executive Officer, Absolute Security

January 7, 2025

3 Min Read

Source: Albert Knapp via Alamy Stock Photo

COMMENTARY

In 1998, President Bill Clinton published the first White House national cyber policy. Since then, cyberattacks have evolved alongside the explosive growth of the digital world, as have laws, policies, and regulations. Although there's been continuous federal activity around cyber since the early days of the Internet, the level of seriousness and attitudes toward how much control government should exercise over technology and cybersecurity fluctuates, with debates continuing to rage over how free or controlled the tech markets should be.

With the upcoming changing of the guard in the US, those of us in the domestic cybersecurity and technology industries are all wondering where we will land. Will the Cybersecurity and Infrastructure Security Agency (CISA) be eliminated? Will we see a raft of new security, privacy, and compliance laws? Will current cybersecurity regulations be deprioritized? Will rapid deregulation undo much of what we've already adjusted to? No one really knows.

Despite the uncertainty, one thing cybersecurity and risk professionals all know is that cybercriminals aren't putting their plans on hold until after Inauguration Day. If anything, threat actors will ramp up activities to take advantage of this current period of post-election uncertainty. Those of us responsible for protecting the public and private sectors know that now isn't a time to debate which side has the better security plan. It's time to come together in our efforts to create a more resilient and secure nation. Of course, this is easier said than done. Every time we adopt a standard or best practice, some enterprising cybercriminal develops a new way to counter it. However, there are some basic and fundamental steps any organization that wants to thrive in the years to come should take.

**Defense Steps We Can Take Now**

*   Prioritize security: While policies may change, the fundamentals of keeping your organization secure and resilient do not. Your organization's ability to do business depends on proactive preparation. Don't wait for the next set of rules to be handed down from Washington — prepare now. 
    
*   Focus on recovery: Attacks and disruptions are inevitable; business continuity is essential. Evaluate and refine your remediation plans continually to ensure they address potential disasters. It's cliché to state that "failure to plan is planning to fail," but it's also true. Being prepared will reduce the time it takes you to recover from an incident.
    
*   Adopt common standards and language: Standards create a shared language for finding risks, and using existing frameworks will drive faster and more cohesive responses. Let's all get on the same page in terms of how we share information about challenges we face and which standards and frameworks map back to specific risks. This is an industry discussion and does not require any agency to facilitate this type of a forum. 
    
*   Own your cyber accountability: Governments, vendors, and enterprises all share responsibility for mitigating risks and ensuring continuity through adversity. You need to be ready to ride to your own defense — there is no calvary behind a digital hill ready to ride to your rescue.
    

Over the next 12 to 18 months, we can expect to see rapid and unpredictable changes. New challenges and risks will arise out of trade disputes, domestic policies, geopolitical events, and the growth of AI. The security problems we face today require a unified and focused approach. Changing administrations — anywhere in the world — should not distract us from the critical task at hand. Let's collectively commit to ensuring security and resilience for all organizations, whether they be part of the critical national infrastructure (CNI), an essential supply chain, or a favorite consumer brand. Remember, cybercriminals don't care about national cyber policy or politics. We can't put defense on hold until Inauguration Day.

**About the Author**

President & Chief Executive Officer, Absolute Security

Christy Wyatt is president and chief executive officer of Absolute Security, a leader in enterprise resilience, and the only endpoint and secure access provider embedded in more than 600 million endpoint devices globally.

Cybercriminals Don't Care About National Cyber Policy

The deal adds Phylum's technology for malicious package analysis, detection, and mitigation to Veracode's software composition analysis portfolio.

Source: Yury Zap via Alamy Stock Photo

NEWS BRIEF

Application security company Veracode has acquired malicious package analysis, detection, and mitigation technology from software supply chain security startup Phylum, along with some staff who worked on package analysis.

The technology will enhance Veracode's capabilities to identify and block malicious code in open source libraries, giving customers a more comprehensive view of the risks associated with using open source code, the company said. The new staff will join Veracode's security research team.

The deal comes at a time when organizations are increasingly concerned about the risks of vulnerabilities in open source code.

Founded in 2020, Phylum specializes in technologies for analyzing, detecting, and mitigating malicious software packages. The tools provide instant analysis of newly published packages, helping organizations identify and blocks in real time. Back in 2022, when Phylum won Black Hat's first Innovation Spotlight competition, co-founder Peter Morgan described package analysis as looking at risk indicators to create a "credit score for packages."

Phylum’s recent research identified nearly half a million malicious packages, including campaigns targeting finance and cryptocurrency companies.

Veracode's platform is used by organizations to scan code to understand exploitable risks, identify and remediate vulnerabilities, and reduce security debt. With Phylum's technology, Veracode can significantly reduce the attack window by helping customers identify the existence of malicious packages in their applications much faster, the company said.

The malicious package database and package management firewall will be integrated into Veracode's Software Composition Analysis product, with general availability expected early this year, Veracode said.

"With Phylum's unmatched database and cutting-edge research—proven to detect 60 percent more malicious packages than any other vendor—our customers will gain the confidence to innovate faster, knowing their software is protected against evolving threats," said Ravi Iyer, Veracode's chief product officer, in a statement.

Veracode did not disclose the financial terms of the transaction.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Source

DARKReading