Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Why is this person lining up her gadgets as if they were dominoes? For the answer we need you! Come up with a witty cybersecurity-related caption to explain the above cartoon. Our favorite will win a $25 Amazon gift card.

The contest ends on March 29, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge March 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Chad F., a retired software developer for the Department of Defense, came up with the imaginative (and winning) caption for February's "For the Birds" contest, below. Congratulations, Chad!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Domino Effect

The Rapid7 Cyber Threat Intelligence Laboratory at the University of South Florida will provide data on real-world threats for faculty and students to use in their research.

At the most basic level, security research happens when curious people poke around data. What makes it good security research is when these people have access to good data and the right kind of skills.

That is what Rapid7 hopes to accomplish with its new partnership with the University of South Florida to create a cyber threat intelligence laboratory. The Boston company recently made a $1.5 million donation via the Rapid7 Cybersecurity Foundation to set up the Rapid7 Cyber Threat Intelligence Laboratory at the school.

Rapid7 will provide the laboratory with access to its massive data initiatives, including Metasploit, Velociraptor, and Sonar, says Corey Thomas, Rapid7's CEO. The laboratory will support interdisciplinary research efforts by faculty experts and students and help drive a deeper understanding of the challenges defenders are currently facing.

"We are already investing in the data, and we want more people to use the data," says Thomas, noting that people with varying experiences and backgrounds bring diverse perspectives and wind up using the data differently. "Start with the same data and get different insights," Thomas says.

**Improving Research Outcomes Through Data**

The students will have the opportunity for hands-on learning and cybersecurity skills development as well as real-world experience tracking global threat actors. Laboratory projects and research based on threat intelligence data will help students better understand the challenges security practitioners face as they protect users, Thomas says. The laboratory would play a role in helping to educate and develop the next generation of security professionals, he adds.

Through the laboratory, students and faculty will have access to real world data they can use for research and training, which is an "unprecedented opportunity," Robert Bishop, dean of the USF College of Engineering, says in an email to Dark Reading. "Most importantly, this partnership is going to bring the campus together on cybersecurity research."

The laboratory will launch by establishing an interdisciplinary faculty leadership foundation with a new directorship in the USF College of Engineering and endowed faculty positions created in four USF colleges: the College of Arts and Sciences, College of Behavioral and Community Sciences, College of Engineering, and the Muma College of Business. The laboratory will also work closely with the State of Florida's Cyber Florida initiative, a program based out of the university focused on expanding and enhancing the cybersecurity workforce in the Tampa Bay region.

Rapid7 already has a history of investing in the community, Thomas says. There are many areas of collaboration in threat intelligence, incident response, and information sharing. With this partnership with the University of South Florida, the company is "escalating our commitment to open data, open research, and open threat intelligence," Thomas says.

**Real-World Security Education**

Thomas says he is not going to try to predict what kind of research projects will come out of the laboratory. Rapid7 is providing the data, but the university faculty and students will be pushing forward their own ideas and perspectives. "We aren't controlling the outcome — the professors and students have their own plans," Thomas says.

Many universities have established cybersecurity laboratories to provide students with hands-on learning opportunities to gain cybersecurity skills and real-world experience in the field. A laboratory setting makes it possible to refine techniques, get access to different resources from outside partners, and collaborate across different fields to drive research in security technology and techniques. The results of the laboratory research will help improve the industry's understanding of attacker behavior, and those insights then flows back to practitioners to apply to their jobs.

Back in 2018, the Royal Bank of Canada (RBC) opened a cybersecurity laboratory at the University of Waterloo to help build advanced cybersecurity and privacy tools. The RBC investment supported researchers in the David R. Cheriton School of Computer Science and the Department of Combinatorics and Optimization at Waterloo's Faculty of Mathematics, according to the university. Research projects included data-driven software defined security, privacy-enhancing technologies, and post-quantum cryptography. Defense contractor Northrop Grumman partnered with California Polytechnic University back in 2014 to establish the Cal Poly–Northrop Grumman Cyber Lab as a cybersecurity teaching facility. The lab gave faculty and students the opportunity to engage with experts from other higher education institutions, private businesses, defense and government agencies, and research labs.

These private sector partnerships with educational institutions also focus on developing a cybersecurity workforce. For example, IBM partnered with Historically Black College & Universities to establish Cybersecurity Leadership Centers. As part of the partnership, IBM provides a customized security curriculum and learning platform to complement the university's cybersecurity education offerings. Faculty and students also have access to IBM Security's Command Center, an immersive training experience on how to respond to cyberattacks.

The Rapid7 Cyber Threat Intelligence Laboratory fits in with ongoing cybersecurity initiatives at the University of South Florida because of the focus on developing the skills needed to enter the cybersecurity workforce. The university recently received a $3.7 million grant from the National Science Foundation (NSF) to establish the Cybersecurity Research and Education for Service in Government (CREST) program. The NSF grant would provide scholarships for over two dozen graduate and undergraduate students to prepare them for in-demand and high-paying jobs with the federal government and other public institutions, according to a university press release. The funds will also be used to bolster educational and research resources at the Florida Center for Cybersecurity, or Cyber Florida, which is housed at USF and gives students access to classroom simulations and experiential learning opportunities. There is also a program to help professionals without a computer science background enter a master's program in the field, according to Dr. Sudeep Sarkar, distinguished university professor and department chair of computer science and engineering at the University of South Florida.

"By focusing on both continuing education for professionals and enhancing current cybersecurity education efforts, USF is working to fill the talent pipeline for one of the fastest growing and most lucrative fields in the United States," Sarkar tells Dark Reading in an email exchange.

Rapid7 Brings Threat Intel Data to USF Cybersecurity Lab

Attackers have already targeted electric vehicle (EV) charging stations, and experts are calling for cybersecurity standards to protect this necessary component of the electrified future.

As electric vehicle (EV) charging infrastructure rushes to keep pace with the dramatic rise in sales of electric vehicles in the United States, cyberattackers and security researchers alike have already started focusing on security weaknesses in the infrastructure.

In February, researchers with energy-network cybersecurity firm Saiflow discovered two vulnerabilities in the Open Charge Point Protocol (OCPP) that could be used in a distributed denial-of-service (DDoS) attack and to steal sensitive information. And the Idaho National Laboratory recently found that every charger it examined — more formally known as Electric Vehicle Supply Equipment (EVSE) — was running outdated versions of Linux, had unnecessary services, and allowed many services to run as root, according to a survey of EV charging vulnerability research in the journal Energies. Other potential attacks include adversary-in-the-middle (AitM) and services exposed to the public Internet, according to the paper.

The risks are not just theoretical: A year ago, after Russia invaded Ukraine, hacktivists compromised charging stations near Moscow to disable them and display their support for Ukraine and their contempt for Russian President Vladamir Putin.

The cybersecurity concerns come as electric vehicle sales have taken off in the United States, accounting for 5.8% of all vehicles sold 2022, up from 3.2% the previous year, according to JD Power. Currently, less than 51,000 Level 2 and DC Fast charging stations are available in the US, representing the capability to charge 130,000 vehicles simultaneously, according to the US Department of Energy. With more than 1.5 million electric vehicles registered as of June 2022, that means there are 11 vehicles for every public charging port.

To keep up with demand, the major players in the EV charging sector all have significant expansion plans, and the Biden administration aims to increase the number of vehicle chargers to 500,000 by 2030.

While cybersecurity experts worry that the rush to create a comprehensive charging infrastructure could come at the expense of cybersecurity, the question of its cybersecurity preparedness is especially piquant given the connectedness of the infrastructure and the ability to potentially cause damage using access to the high voltage available, says Phil Tonkin, senior director of strategy at Dragos, a provider of industrial cybersecurity.

"Most EV chargers can be considered an Internet of Things (IoT) technology, but they are one of the first that has control over such a significant amount of electrical load," he says. He adds, "The aggregated risk of so many devices, often connected to a small number of single systems, means that devices of this type need to be implemented with care."

**EV Chargers: IoT, OT & Critical Infrastructure**

In many ways, EV charging infrastructure represents a perfect storm of technologies. The devices are connected via mobile applications and carry the same risks as other IoT devices, but they're also set to become a critical part of transportation network in the United States, like other operational technology (OT). And because EV charging stations must be connected to public networks, ensuring that their communications are encrypted will be critical to maintaining the security of the devices, says Dragos' Tonkin.

"Hacktivists will always be looking for poorly secured devices on public networks, it's important that the owners of EV put in place controls to ensure they are not easy targets," he says. "The crown jewels of the operators of EV chargers have to be their central platforms, the chargers themselves intrinsically trust the instructions pushed down from the center."

Consumer devices are also a problem. About 80% of charging takes place in the home, according to ChargePoint session data. But unfortunately, those devices may be easier to disrupt because consumers are not focused, nor should they need to be focused, on cybersecurity, Tonkin says.

"It's not practical for the average domestic customer to have to put in place the right security, therefore making sure the device itself and the methods it uses to communicate with cloud-based services should always be on the vendor," he says.

**Government's Role in EV Cybersecurity**

The US government should make standards and best practices available to companies to prevent cybersecurity weaknesses, some say. Sandia National Laboratories, for instance, has recommended a number of initiatives to strengthen cybersecurity, including improving EV owner authentication and authorization, adding more security to the cloud component of the charging infrastructure, and hardening the actual charging units against physical tampering.

"The government can say 'produce secure electric vehicle chargers,' but budget-oriented companies don't always choose the most cyber-secure implementations," Brian Wright, a Sandia cybersecurity expert working on the vulnerability project, said in a statement. "Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices."

EV Charging Infrastructure Offers an Electric Cyberattack Opportunity

Canada's largest bookseller rejected the pressure of the ransomware gang's countdown timer, despite data threats.

Indigo Books, the company behind Chapters stores and the largest bookseller in Canada, let the deadline to pay a ransomware demand expire, risking the release of employee data.

A LockBit ransomware affiliate group set a Thursday at 3:39 p.m. EST deadline to pay, but Indigo flatly rejected the notion, explaining the extortion money could "end up in the hands of terrorists," according to a statement. So far, contrary to the ransomware group's threat, the compromised Indigo employee data has not been publicly released, according to CBC News.

Indigo was first compromised on Feb. 8, shutting down the retailer's operations down for days. CBC News added that the operation is still struggling to stand up the business with as many product offerings as it had before the ransomware attack.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Indigo Books Refuses LockBit Ransomware Demand

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.

Polish special services reportedly used the infamous Pegasus mobile spyware to monitor the phone of a mayor backing government opposition, according to a new report.

Polish liberal news outlet Gazeta Wyborcza, characterized by Reuters as being openly against the county's ruling "PiS" nationalists, reported while Sopot mayor Jacek Karnowski was working to elect opposition candidates in Poland's upper house of Parliament between 2018 and 2019, he was targeted by Israel-based NSO Group's Pegasus spyware. The report added that Karnowski's name was also discovered on a list of targets hacked with Pegasus spyware by Poland's special services.

"We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country," Karnowski told Reuters in reaction to the report. "The politicians who inspired and commissioned these activities belong in prison."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Polish Politician's Phone Patrolled by Pegasus

Innocently or not, residential proxy networks can obscure the actual geolocation of an access point. Here's why that's not great and what you can do about it.

With so much of the world’s wealth, assets, and trade secrets existing in the cloud, fraudsters and nefarious players have ample motivation to look for new ways to break into networks. Increased VPN usage provides opportunities for threat actors to operate with nearly total anonymity, and we are seeing an uptick in breaches stemming from the widespread use of commercial or anonymous VPNs.

As a cybersecurity practitioner, I continually stress the importance of examining the context of VPN-driven data. Let's look at the top three trends I see emerging, as well as the role that IP address data will continue to play in the world of cybersecurity and ad fraud.

**1\. Residential Proxy Networks Will Keep Security and Marketing Teams Up at Night**

I am amazed by the growing number of entities offering residential proxy networks and promising a world of possibilities in scraping — search engine results pages, e-commerce sites, and webpages. Residential proxy networks use the IP addresses of consumers who sign up for any number of apps that pay them to share their bandwidth. The website or service will see requests coming from what they think are residential IP addresses and allow access to content that would have been blocked had the site been able to see the original IP address.

If I wanted to, I could access or scrape any site that restricts hosted or bot traffic by disguising myself using a legitimate residential IP address from whatever location I wanted.

Many of these apps are upfront with the users who opt to share their bandwidth, but some are more nefarious players, offering users access to a VPN without telling them that their IP addresses will be shared. In such cases, those IP addresses can be used to scrape websites, commit fraud, or launch distributed denial-of-service (DDoS) attacks.

The existence of residential proxy networks is quite troubling for organizations. Marketing teams may be paying for traffic they believe to be legitimate but is actually fraudulent.

Let's say an ad farm sets up a website for the sole purpose of selling ad space via the open-market exchanges. Your company may be led to believe it's a legitimate website that receives lots of consumer traffic in your target markets and which you verify by checking the IP address type and location. But how do you actually distinguish between real users and hosted or bot traffic hiding behind and proxy residential IDs? Without additional context around residential IPs, you can't make that distinction.

**2\. Security Teams Will Realize That WAFs Have Blind Spots**

Every organization has multiple layers of security, including Web application firewalls (WAFs).

A WAF protects your Web applications by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a Web application, preventing unauthorized data from leaving the application. It does this by adhering to a set of policies, including context around the IP address, that helps determine which traffic is malicious and which is safe. If, for instance, corporate security policy mandates that all non-residential IP addresses and addresses from a specific geolocation should be blocked, the firewall will block all traffic that matches those criteria.

Unfortunately, the proliferation of residential proxy networks means WAFs have a significant blind spot: Knowing the traffic is residential and has a geolocation that is permissible is no longer sufficient. While organizations deploy WAFs to protect against things like scraping and DDoS attacks, these tools can also be tricked into providing access when they shouldn't. Security teams need a lot more context around IP addresses to understand their incoming traffic.

**3\. Security Teams Will Find Ways to Detect Residential Proxy IPs**

In the face of these networks, context is your best defense. Security teams should ask critical questions about incoming traffic, such as:

*   Is this traffic proxied or VPN?
*   How many devices are connected to that IP address? (If you see hundreds of devices connected to an IP address, it’s probably not an individual person.)
*   Is the IP address stable? Has it been in the same location for 20 weeks?
*   Is the IP address part of a known residential proxy network that’s being used for other things?

All of this VPN-driven data and context provides vital clues that can protect marketing budgets as well as corporate networks.

IP address intelligence data isn’t the panacea for securing a network, but it can go a long way in providing the context security teams to identify when unusual activities are occurring and to investigate further. It can also help them enforce digital access rights, ensuring that users in prohibited or embargoed areas are restricted from accessing certain digital assets.

3 Ways Security Teams Can Use IP Data Context

A two-month-long automated credential-stuffing campaign exposed personal information of Chick-fil-A customers, including birthdays, phone numbers, and membership details.

Fried chicken specialist Chick-fil-A has alerted customers to an automated credential stuffing attack that ran for months, impacting more than 71,000 of its customers, according to the company.

Credential stuffing attacks employ automation, often through bots, to test numerous username-password combinations against targeted online accounts. This type of attack vector is enabled through the common practice of users reusing the same password across various online services; thus, the login info used in credential stuffing attacks is typically sourced from other data breaches and are offered for sale from various Dark Web sources. 

"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company noted in a statement sent to those affected.

The compromised personal information included customers' names, email addresses, membership numbers and mobile pay numbers, as well as masked credit or debit card number — meaning unauthorized parties could only view the last four digits of the payment card number. Phone numbers, addresses, and birthday and month were also exposed for some customers.

Chick-fil-A added that in the wake of the attacks, it has removed stored credit and debit card payment methods, temporarily frozen funds previously loaded onto customers’ Chick-fil-A One accounts, and restored any affected account balances. The fast-food chain also recommended the best practice that customers reset their passwords, and use a password that is not easy to guess and unique to the website.

Some noted that while password reuse or the use of common and weak passwords is the fault of the users, Chick-fil-A still bears some responsibility.

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users."

He adds, "This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers.”

The chain offered some make goods, in case customers wanted to flee the coop after the incident: "As an additional way to say thank you for being a loyal Chick-fil-A customer, we have added rewards to your account," the statement continued. "Chick-fil-A continues to enhance its security, monitoring, and fraud controls as appropriate to minimize the risk of any similar incident in the future."

It was reported in January that Chick-fil-A had been investigating "suspicious activity" across potentially hacked customer accounts. It's unclear why it took so long to determine that the credential-stuffing event was underway. The company did not immediately respond to a request for comment from Dark Reading.

**Credential Stuffing Attacks on the Rise**

Credential stuffing has become more common lately, fueled by the legions of credentials for sale on the Dark Web. Indeed, the sale of stolen credentials dominate underground markets, with more than 775 million credentials currently for sale according to an analysis this week.

In January, nearly 35,000 PayPal user accounts fell victim to a credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks. That same month, Norton LifeLock alerted customers to their potential exposure from its own credential-stuffing attack.

The situation has also prompted a wider conversation. With nearly two-thirds of people reusing passwords to access various websites, some security experts have proposed approaches that do away with passwords altogether, including replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology.

Chick-fil-A Customers Have a Bone to Pick After Account Takeovers

With critical infrastructures ever more dependent on the cloud connectivity, the world needs a more stable infrastructure to avoid a crippling cyberattack.

As global conflicts continue, cyber has become the fifth front of warfare. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal. We've already started seeing large-scale cyberattacks, affecting critical industries like oil and gas pipelines and hospitals. But we have yet to experience a truly catastrophic incident that would "break the Internet," disrupting financial markets, supply chains, and daily life. 

Could it happen this year?

**Single Points of Failure**

The migration of public and private sector technology to cloud computing means that a large share of our infrastructure, financial systems, supply chains, healthcare, and other critical services are run by just a handful of companies: Amazon, Google, and Microsoft. On the hardware side of things, the story isn't much better. Just three companies — Palo Alto Networks, Cisco, and Fortinet — control more than 50% of the market for security appliances. The ripple effects of a successful attack on one of these companies would leave no part of the connected world untouched, including the security software intended to protect customers in the event of an attack, much of which runs on infrastructure provided by these same cloud companies. 

For data center security experts, there is also another, far less digital, concern to deal with. Suspicious activity and attacks on US power stations hit an all-time high in 2022, with more than 100 attacks reported in the first eight months of the year alone. Data centers are massive buildings, consuming immense quantities of electricity. To cool their ultrahot servers and buildings, data centers use startling amounts of water. According to Google, its data centers used 4.3 billion gallons of water in 2021. If attackers disrupt the supply of power or water to Amazon, Google, or Microsoft's data centers in a coordinated fashion, they could compromise entire regions of their infrastructure, including backups. 

**Follow the Money**

To put the cost of a catastrophic cyberattack in perspective, consider that in 2021, according to Swiss reinsurer Swiss Re, global economic losses from natural catastrophes such as floods, hurricanes, and wildfires reached $270 billion. This is a large number, but consider the fact that Merchant Machine estimates a global Internet outage would cost the global economy $37 billion a day in lost revenue. 

Still, the economics of technology are not in favor of a more secure future. Enterprises, users, and adversaries all have competing monetary interests preventing more investment in security. Technology companies need to iterate and release updates quickly to keep pace with their competitors, and their customers are often not willing to wait — or pay — for extra security features or for all bugs and vulnerabilities to be resolved. Instead, consumers opt to buy insurance against these inevitable incidents, which may create another crisis of its own.

Insurance companies spend significant amounts of money simulating disasters and estimating their cost so that any single large loss would not do significant financial harm to the insurer. For a catastrophic cyberattack, the costs could reach beyond billions of dollars, meaning bankruptcy not just for the insurers but also the reinsurers, which would likely bring about a systemic financial disruption and a near market collapse on a scale dwarfing the financial crisis of 2008. The US government spent $85 billion to bail out AIG and prevent systemic financial system collapse, but the question this time is: Who bails out an insurer with global losses, and what happens when insurers are too cash strapped to pay out claims?

**So, What Now?**

We need to examine critical infrastructure security and ensure there are plans and fail-safes in place capable of withstanding an extended period of disconnect. Organizations migrating to cloud computing must reevaluate their need for data fidelity and whether on-premises storage is necessary. Security leaders should make catastrophic failure planning part of their risk management strategy, and ensure their vendors also have plans in place to mitigate the impact of a loss of cloud\-hosted services. 

On the regulatory front, if we have any hope of preparing for a global event, we need to evaluate the technical chops of regulators and legislators creating the frameworks intended to keep us safe, as well as the metrics we use to measure the financial health of the insurers and reinsurers on the hook. If the spectacular collapse of several blockchain companies in recent years, successful election meddling via social media, or explosion in ransomware attacks have taught us anything, it's that we must demand more of our elected representatives, and elect leaders who can help run the world of tomorrow. Similarly, regulators need to understand the companies and technologies they oversee. 

There will be a reckoning in the connected world, and the only way our economy (and possibly society) will survive it is by working together to create a safer, more stable infrastructure.

It's Time to Assess the Potential Dangers of an Increasingly Connected World

License Scanner and SBOM Utility will boost the capabilities of OWASP's CycloneDX Software Bill of Materials standard.

IBM has contributed two open source supply chain tools — SBOM Utility and License Scanner — to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. These two tools will fill two crucial gaps in CycloneDX, which the OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.

The software bill of materials, or SBOM, is an inventory listing all individual components used in software. The discovery of the vulnerability in the Log4j library two years ago highlighted just how few organizations really understood what was inside the software they were running. It wasn't enough to just know which third-party components, libraries, and frameworks were being used — organizations need to be aware of all the dependencies _those_ components were using. In response to various supply chain attacks and the Log4j chaos, the White House issued an Executive Order mandating that developers improve the security of their supply chains. One way is to include and maintain an SBOM for every piece of software they distribute.

"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to aid developers in this journey, so they can better understand the potential risks in their software supply chains."

**Standardizing SBOMs**

Efforts to standardize the SBOM have accelerated with the sharp rise in software supply chain attacks over the past two years.

CycloneDX is one of two primary SBOM standards, the other being the Linux Foundation's Software Package Data Exchange (SPDX). Proponents of CycloneDX, which is newer, describe it as a more lightweight standard better suited to those seeking a machine-readable way to exchange information. The Linux Foundation in 2021 declared SPDX an SBOM standard, though it was initially created for intellectual property and licensing use cases. Both organizations are expanding their respective SBOM standards efforts.

IBM has actively participated in advancing CycloneDX's standards efforts, Steve Springett, director of product security at ServiceNow and chair of the OWASP's CycloneDX working group, tells Dark Reading. "Software supply chain security is a topic of board-level discussions," Springett says. "There are many ways that organizations should improve their software supply chain assurance. And it starts with actually having all the data and more tools to drive more intelligence."

**Licensing Scanner Tool Brings Balance With SPDX**

The CycloneDX working group has introduced some license scanning capabilities over the years, including base-level support for SPDX license IDs. But CycloneDX's licensing capability has lagged the functionality of SPDX. Springett says the addition of IBM's License Scanner fills that void. "It's great that we have a license scanner as part of the project," Springett tells Dark Reading. "Having a dedicated license tool actually will invite more people to the Cyclone DX table that we've built."

Brian Fox, co-founder and CTO of AppSec tool provider Sonatype, agreed. "I think this helps balance things out with CycloneDX on the licensing side," Fox said. "It will provide more building blocks to enable tools in the ecosystem to work better. Being able to more easily add licensed data to your CycloneDX SBOM, if you don't have existing tooling to do that, is a useful utility. Having the ability to validate both formats is also a useful utility."

In an OWASP blog post on Wednesday announcing IBM's contribution, Springett noted that IBM's License Scanner scans files for licenses and legal terms. "It can be used to help identify text matching licenses and license exceptions from the complete, published SPDX License List," he wrote. "It can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses. As a library, License Scanner is designed to be integrated into existing BOM generation software or may be used by itself as a command-line utility."

**SBOM Utility Adds APIs to CycloneDX**

Springett described IBM's SBOM Utility as an API platform that can validate CycloneDX or SPDX-formatted BOMs with their published schemas. It can validate and analyze a variety of BOM types, including hardware (HBOMs) and SaaS (SaaSBOMs). In the future, Springett noted, SBOM Utility will support OWASP's Software Component Verification Standard (SCVS), "which is defining a BOM Maturity Model (BMM) to help in identifying and reducing risk in the software supply chain."

Also, he noted that SBOM Utility could process documents such as Vulnerability Disclosure Reports (VDRs) and Vulnerability Exploitability eXchange (VEX) data formats, which CycloneDX has specified provide risk assessment.

"The SBOM Utility is great because it takes an API approach and allows organizations to slice and dice the CycloneDX data model and all the data in it," Springett says. "If you care about certain aspects of the bill of material, you can quickly query it, which is fantastic. And you can then allow organizations to start creating policy based on the types of data that may or may not exist in that bill of material."

While IBM initially built SBOM Utility and License Scanner for its use, the company has not said whether it plans to release commercial versions.

IBM Contributes Supply Chain Security Tools to OWASP

**HOUSTON, Texas – March 2, 2023** – Hewlett Packard Enterprise (NYSE: HPE) today announced that it entered into a definitive agreement to acquire Axis Security, a cloud security provider. This acquisition will allow HPE to expand its edge-to-cloud security capabilities by offering a unified Secure Access Services Edge (SASE) solution to meet the increasing demand for integrated networking and security solutions delivered as-a-service. Axis Security’s Security Services Edge (SSE) platform addresses the need for improved application performance and increased network security as the number of remote users increases and as enterprises continue to migrate applications to the cloud.

Axis Security’s SSE offerings enable access to corporate and public-cloud resources, and the company’s cloud-based platform will build on Aruba’s existing Software-defined Wide Area Network (SD-WAN) and network firewall offering. This combination will provide a complete edge-to-cloud SASE solution, ensuring that Zero Trust security controls can be applied to people and devices, no matter where they connect – on campus, branch, home, or on the road.

“As we transition from a post-pandemic world, and a hybrid work environment has become the new normal, a new approach is needed for network edge security to protect critical SaaS applications,” said Phil Mottram, executive vice president and general manager, HPE Aruba Networking. “The convergence of Aruba and Axis Security solutions will transform edge-to-cloud connectivity with a comprehensive SASE solution that provides enterprises with the highest levels of security for both IoT devices and all users’ access across geographically distributed locations. Today, we also accelerate our vision to help our customers expand their secure connectivity needs with SASE and private 5G solutions, building on our recently announced agreement to acquire private cellular technology provider, Athonet.

Based in Tel Aviv, Israel, Axis Security provides a cloud-native SSE platform, Atmos, which delivers authenticated user access to private applications at the network edge, a secure web gateway (SWG) to safeguard user access to the Internet, and a cloud access security broker (CASB) that provides secure in-line access to SaaS apps, and Digital Experience Monitoring (DEM) to provide insights into user experience. 

“We developed Axis Security to enable a world where connectivity to every business resource, from anywhere, could always be simple, safe and reliable,” said Dor Knafo, CEO of Axis Security. “Our SSE platform is a natural complement to Aruba’s SD-WAN, network firewall, and dynamic segmentation offerings. Together, we create a unified SASE platform, designed to extend connectivity to edge, and do so through a combination of modern access services – all working together in harmony.”  

**HPE enhances SASE offering with cloud security through integrated Axis Security platform**  
HPE will integrate Axis Security technology with its existing Aruba secure networking offerings to complete its SASE offering, which delivers WAN and cloud security controls directly to the application at the network edge, rather than routing data through the data center. This helps customers by flexibly delivering all of a provider’s networking components as a service with one point of control – instead of acquiring, maintaining, and licensing separate components individually.  
In addition, the HPE GreenLake edge-to-cloud platform will integrate Axis Security’s cloud-native SSE platform, offering customers one single monthly subscription with no capital expenditure.  Customers can deploy these flexible as-a-service solutions with reduced risk and little upfront investment – and scale them according to demand.  

**HPE portfolio integration and availability**  
The transaction is expected to close by the end of the second quarter of the HPE 2023 fiscal year subject to customary closing conditions. HPE will integrate Axis Security’s solutions with its edge-to-cloud security solutions and plans to make them available to customers in the third quarter of the HPE 2023 fiscal year.

**About Hewlett Packard Enterprise**

Hewlett Packard Enterprise (NYSE: HPE) is the global edge-to-cloud company that helps organizations accelerate outcomes by unlocking value from all of their data, everywhere. Built on decades of reimagining the future and innovating to advance the way people live and work, HPE delivers unique, open and intelligent technology solutions as a service.  With offerings spanning Cloud Services, Compute, High Performance Computing & AI, Intelligent Edge, Software, and Storage, HPE provides a consistent experience across all clouds and edges, helping customers develop new business models, engage in new ways, and increase operational performance. For more information, visit: www.hpe.com

Source

DARKReading