When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

Open source software is deeply embedded in enterprises today: from the Linux kernel to data center infrastructure, and from databases to application servers and front ends. The importance of securing the supply chain has become front and center in the industry, with the US government's involvement and the formation of industry bodies such as OpenSSF to work on solutions.

We know that we must secure the open source software we use — it's also important that open source be an integral part of the solutions that we create. Proprietary solutions alone are not enough to counter the threat to the ever-expanding areas of vulnerability. To properly secure our software dependencies in depth, solutions must interoperate tightly with key open source infrastructure such as the Linux kernel and Kubernetes.

Through our experience with creating the Falco runtime threat detection tool, and contributing it as open source to the Cloud Native Computing Foundation (CNCF), we've learned valuable lessons about how important it is to provide open source solutions for security.

**1\. Collaborative development goes broad and deep.**

Security is a never-ending battle against expanding attacks and attack surfaces. Through collaboration, we are able to bring together more expertise, apply more scrutiny, and cover a broader range of use cases than through proprietary development. Nobody can be an expert on everything, but many people can come together to contribute their singular deep expertise into an open source project.

While Falco's core competency specializes in monitoring Linux syscalls, the team strategically added a plug-in interface. Through this, other infrastructure can be secured, from Kubernetes admission controllers to cloud services such as AWS CloudTrail or Okta. The open nature of the project means that experts in particular platforms — whether open or proprietary — can contribute their know-how and help the entire user base. Proprietary approaches can't reach this same level of scale.

Moreover, you don't need to ask anyone's permission to extend open source to cover a new service or platform: If what you need isn't there, and you're able to contribute, you can ensure that your needs will be covered in the future.

**2\. Standards-based development promotes choice.**

When open source software is part of a multivendor body such as the CNCF and in widespread use, adopters can reasonably view it as being a _de facto_ standard. Using open source standards provides an interoperable framework in which an ecosystem of tools, support, and training exist. As a user, you always have the freedom to control your own solution by directly using the open source, or choosing commercial tools that interoperate.

Drawing from Falco as an example, multiple vendors such as Sysdig, Red Hat, and Sumo Logic have built their own solutions based on the codebase. At their core, they are aligned on the protocols that Falco uses for event capture, meaning users get choice, a richer ecosystem of tools that use the standards, and future optionality.

**3\. Open source is transparent.**

Open source gives you the full visibility to examine exactly how a piece of software works. This transparency brings a double benefit.

First, if you're trusting every node in your systems with a tool, you want assurance about its security. Even if you're not auditing the code yourself, you benefit from many contributors with the resources to find and fix vulnerabilities. For software that has achieved widespread adoption, these contributors likely include cloud-scale operators with deep expertise.

Second, open source brings you insight and possibly influence on the direction of the software. You can become a contributor and influence technical direction, or allocate funding towards supporting its sustained development. When that software lives inside an industry foundation, you may benefit from established standards in governance, auditing, and sustainability.

**4\. Modern platforms are built on open source.**

To provide the assurance users need, security should be considered as an integral factor of any platform, not an optional extra. Open source is the engine room of the modern software stack, and therefore security solutions must also reach into the open source foundations. The cloud-native era has driven new approaches to operations and architecture, and security is no exception. Following the desire to "shift left" and incorporate security earlier in the software development life cycle, the same benefits apply to doing that with the open source foundations that run our enterprise platforms.

**Conclusion**

Open source is the only approach with the agility and broad reach to set up the conditions to meet modern security concerns. Users depending on massive open source infrastructure — the basis of today's clouds — should be careful of any security solution that does not acknowledge and leverage open source itself.

When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

**About the Author**

    

Edd Wilder-James' career spans open standards, open source, and data analytics, in roles covering technology, content, business, and strategy. At Sysdig, his team is committed to growing Falco as the standard for runtime threat detection. Previously, Edd led teams working on open source programs at Google, working with TensorFlow, Kubeflow, Go, and Kubernetes. He has over two decades in the open source world, chairing OSCON for six years, and is a former Debian and GNOME contributor.

4 Reasons Open Source Matters for Cloud Security

Older bugs in the AnyConnect Secure Mobility Client are being targeted in the wild, showcasing patch-management failures.

A pair of known security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows is being actively exploited in the wild, despite being patched for two-plus years.

The networking giant is warning that cybercrime groups are pressing two local privilege escalation (LPE) bugs into service, with active exploit chains against the VPN platform being observed starting this month.

The first flaw (CVE-2020-3153, with a CVSS score of 6.5) would allow a logged-in user to send a specially crafted IPC message to the AnyConnect process to perform DLL hijacking and execute arbitrary code on the affected machine with SYSTEM privileges. The second issue (CVE-2020-3433, with a CVSS score of 7.8) could allow a logged-in user to copy arbitrary files to system-level directories with SYSTEM privileges.

"In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild," Cisco noted in the updated advisories.

The situation showcases the danger that older vulnerabilities continue to pose to companies and individuals. LPE patches are often de-prioritized in the glut of updates that businesses are faced with every month, but exploit chains often combine a remote code execution (RCE) bug for initial access with an LPE exploit for burrowing deeper into corporate networks and uncovering sensitive information.

The US Cybersecurity and Infrastructure Security Agency (CISA) also this week added the bugs to its Known Exploited Vulnerabilities (KEV) catalog, along with four even older bugs in Cisco's Gigabyte gaming and graphics drivers (CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, CVE-2018-19323). Sophos flagged exploitation of the latter earlier in the month by the BlackByte ransomware gang.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Warns AnyConnect VPNs Under Active Cyberattack

Concerns about breaches of sensitive information due to execution of malware scripts and growing adoption of cloud-based services are fueling growth of the content security market.

**CHICAGO, Oct. 26, 2022 /PRNewswire/** — The global Content Security Market size is expected to grow from an estimated value of USD 1,345 million in 2022 to 2,219 million USD by 2027, at a Compound Annual Growth Rate (CAGR) of 10.5% from 2022 to 2027**.** Some factors driving the Content Security Market growth include concerns regarding increased breach of sensitive information due to execution of malware scripts, growing adoption of cloud-based services/solutions, increased need to widespread information/content and engagement through advanced user interface, and user experience platforms.

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=194651579

**By Organization size, large enterprises are expected to witness higher market share during the forecast period**

The adoption of cloud services or solutions to take advantage of the digitalization era has been the primary area of interest for businesses in the context of both large and medium-sized businesses. At the same time, it gives hackers a chance to steal sensitive data by inserting malware scripts into website content, phishing emails, and other forms of communication. When it comes to considering the adoption of new technology, there is no doubt that large corporations are typically the ones to do so. This suggests that clever con scammers or whip-smart hackers have their sights set on these businesses. However, the small and medium-sized businesses are not far behind in adopting cloud services. In addition to considering cloud adoption for its cost-effectiveness and ability to automate manual processes, small business leaders should also consider data protection and security. The technology industry benefits from the growth of cloud users and its ecosystem. In addition, these business leaders must be aware of the drawbacks associated with utilizing lucrative services or deploying cloud solutions. Because of the growing concerns over data security, this makes it possible to envision content security as a possibility.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=194651579

**By vertical, BFSI segment is expected to witness highest market share during the forecast period**

The scope of content security and protection extends beyond a small number of industry verticals like BFSI, IT and ITeS, retail and e-commerce, media, and entertainment, and so on. BFSI is one of the industries that sets the standard for the adoption of digital technologies to streamline operations and operations as digital initiative grows. It includes banks, insurance companies, and financial institutions. From a strategic perspective, the BFSI industry is the most attractive target for scammers or hackers due to the sectors rapid digital progress and the substantial amount of consumer information it holds. As a result, the number of cybercrimes and frauds has increased steadily over time. There have been alarming numbers of cases involving the use of email content, phishing emails, and UI/UX that direct users to scripted altered websites. This shows how important it is to protect the public interest and content security in the global market.

**Get 10% Free Customization on this Report:** https://www.marketsandmarkets.com/requestCustomizationNew.asp?id=194651579

**By region, Asia Pacific is projected to grow with fastest growth rate during the forecast period**

When it comes to the content security market, North America is believed to hold most of the market share. It is not surprising that it has topped the list because it has witnessed a variety of cybercrimes, allowing the region to investigate a variety of malware or suspicious content origins. Digital transformation, on the other hand, has been a major focus of Asia-Pacific efforts to boost regional economic growth and integration. Asia-Pacific now ranks among the worlds fastest-growing regions, making it a huge potential market for content security. China, India, and Japan are a few of the regions most technologically advanced nations, which are facilitating the swift implementation of content security laws and regulations to improve data security. Additionally, despite the increasing number of cyberattacks and threats, businesses in the Asia-Pacific region have been adapting to the new digital trends.

**Key Players**

Major vendors in the **Global Content Security Market** include Cartesian Inc. (US), Microsoft Corporation (US), Trend Micro Inc. (Japan), Check point Software Technologies (Israel), Barracuda Networks (US), Sophos Technologies Pvt. Ltd (UK)., Proofpoint (US), Forcepoint (US), Verimetrix (France), Lookout (US), CommScope (US) and Infosec Information Technologies (Istanbul) are few key players in the content security market.

**Browse Adjacent Markets** : Information Security Market Research Reports & Consulting

**Related Reports**

**IDaaS Market** — Global Forecast to 2027

**Operational Technology (OT) Security Market** — Global Forecast to 2027

**Zero Trust Security Market** — Global Forecast to 2027

**Cybersecurity Insurance Market** — Global Forecast to 2027

**Supply Chain Management (SCM) Market** — Global Forecast to 2027

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Content Security Market Worth $2.2 Million by 2027 - Exclusive Study by MarketsandMarkets(TM)

Google admitted to loss of data responsive to 2016 search warrant and agreed to program enhancements, reporting obligations, and a first-of-its-kind Independent Compliance Professional.

The Department of Justice on Oct. 25 filed a stipulation and agreement resolving a dispute with Google over the loss of data responsive to a search warrant issued in 2016.

Pursuant to the first-of-its-kind resolution, Google has agreed to reform and upgrade its legal process compliance program to ensure timely and complete responses to legal process such as subpoenas and search warrants, as required under the Stored Communications Act (SCA) and other applicable legal authorities. To monitor that Google fulfills its legal obligations, an Independent Compliance Professional will be retained to serve as an outside third-party related to Google’s compliance enhancements.

“The Department is committed to ensuring that electronic communications providers comply with court orders to protect and facilitate criminal investigations,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This agreement demonstrates the Department’s resolve in ensuring that technology companies, such as Google, provide prompt and complete responses to legal process to ensure public safety and bring offenders to justice.”

“The warrant underlying this agreement was sought in connection with a significant criminal investigation,” said U.S. Attorney Stephanie Hinds for the Northern District of California. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders, such as the one at issue in this case, that are critical to federal criminal investigations.”

As detailed in the Statement of Facts accompanying today’s agreement, in 2016, the United States obtained a search warrant in the Northern District of California for data held at Google related to the investigation of the criminal cryptocurrency exchange BTC-e. The warrant was issued under the SCA, the federal statute that requires providers such as Google to disclose customer communications when served with a warrant signed by a judge and supported by probable cause.

After the warrant was reviewed by a judge in the Northern District of California, sworn, signed, and served on Google, the Second Circuit Court of Appeals issued a decision holding that SCA search warrants did not reach data stored outside of the United States. Google halted execution of the search warrant and made rolling productions containing only information it could confirm was stored in the United States. Because Google’s data preservation tools at the time stored data in the United States – and thus brought the data under undisputed U.S. jurisdiction – Google also endeavored to create new tools that would prevent the data from being repatriated. Google and the government litigated regarding the search warrant through 2017 and into 2018, when Congress clarified that the SCA does indeed reach data that U.S. providers choose to store overseas. In the intervening time, data responsive to the warrant was lost.

In resolving the matter with the department, Google has agreed to numerous improvements to its legal process compliance program, as set forth in the filed agreement. The improvements are tailored to ensure that Google complies with its legal obligations to respond to lawful court orders, including those issued pursuant to the SCA. Google will maintain sufficient compliance staffing levels to support the enhancements to the program and will allocate engineering resources to support legal process compliance.

Google has further committed to implement processes and procedures to ensure timely response to legal process, as required under the SCA and other relevant legal frameworks, and to generate a compliance timeliness record for missed deadlines, which will be made available to the government upon request. Google will also develop and maintain needed tools to retrieve data in response to legal process, and to develop plans for legal process responses corresponding to new product launches.

The agreement (PDF) also provides that an Independent Compliance Professional will verify the accuracy of assertions in all reports contemplated by the agreement and evaluate Google’s assessment of its compliance with the enhancements to Google’s Legal Process Compliance Program set forth in the agreement. Pursuant to the agreement and in consultation with the mandated Independent Compliance Professional, Google will assemble periodic reports and updates regarding its Legal Process Compliance Program and its implementation of the enhancements set forth in the agreement. Google will provide these reports to the government, the Google Compliance Steering Committee, and the Audit and Compliance Committee of the Alphabet Board of Directors.

In the filed stipulation, Google represented to the court that it spent over $90 million on additional resources, systems, and staffing to implement legal process compliance program improvements.

Google will maintain its lawful protections of user data, and the agreement does not provide the United States access to Google user data.

Senior Counsel C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section and Corporate and Securities Fraud Section Chief Lloyd Farnham for the Northern District of California negotiated the agreement on behalf of the government.

Google Enters Into Stipulated Agreement to Improve Legal Process Compliance Program

Independent research from Encore uncovers hidden costs of cyber attacks.

**Maidenhead, UK, Oct. 26, 2022** — Over half (54%) of office workers would reconsider working for a company that had recently experienced a cyber breach. That's according to a new study by cybersecurity technology provider, Encore.

An independent study of 100 C-level executives, 100 Chief Information Security Officers (CISOs) and 500 office workers in the US and the UK, conducted by Censuswide, sought to uncover the gap that remains between boards and security teams when it comes to addressing cyber demands.

Only a third (33%) of staff said they would be "completely unphased" if their employer suffered a cyber break-in.

The majority (57%) of C-level executives polled said they have been breached in the last 12 months alone. Most office workers, however, were unaware, with only 39% believing their organisation had been the victim of a successful attack.

"The immediate financial cost of a cyber-attack remains the number one concern for businesses," said Brendan Kotze, CEO and Co-Founder at Encore. "But security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public. In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers."

Almost half (41%) of C-level executives polled named reputational damage as one of the biggest costs to their business following a cyber-attack, with 34% agreeing that loss of clientele or their trust was a significant cost.

Despite many admitting to suffering a cyber breach in the last year, the overwhelming majority (92%) of CISOs and C-level executives polled believe their business is secure at any given moment. Kotze believes that a mindset shift is needed at an organisational level, treating cyber incidents and the security of employee and customer data as a fundamental part of normal business operations, not a function that sits on the outside, looking in.

"There is a very real problem of security feeding a false sense of confidence," he continues. "This is a risk that must be addressed through data and reporting. All too often, we see C-level executives treat their security investments as a sure way of securing their business against persistent and motivated attackers. Security or being 'Cybersafe' is not something you can measure at a single point in time – it needs to be an ongoing effort."

Kotze concludes: "Being able to instil confidence in a wide range of stakeholders, from clients to investors to staff, is fundamental to the modern business. Trust is the bedrock of success and should be the same for security as it is as a business enabler. If all companies prepare and respond to threats as if their existence (or at least a very substantial part of it) is at risk, our chances of blocking or swiftly responding to attacks is considerably higher. Cybersecurity is no longer enough; we need to channel Cyber Safety to build resilience and establish trust both internally and externally."

To further explore the true cost of cyber breaches, please find the full research report here: https://www.encore.io/the-true-cost-of-cyber-ebook?utm\_source=pr&utm\_campaign=encore-cyber-ebook&utm\_id=cyber-ebook

**About Encore**

With more than 25 years' experience providing professional services and cyber security consulting for the largest companies in the world, we brought this knowledge to Encore, the leader in internal and external cybersecurity (CAASM and EASM). Our team is comprised of offensive security experts and security engineers, and consultants that know the mindset and tooling of the attackers, the internal operational obstacles, the challenges faced by security management and how to get the most out of security tooling.

Encore visualises information that can be confusing and often overwhelming, providing accurate and action-based reporting and visibility across numerous security controls, through one secure portal.

For more information, or to get in touch, visit our website: https://www.encore.io

54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds

Led by Microsoft's M12 venture fund, Valence's Series A round accelerates the company's ability to help customers secure their SaaS mesh from risk created by democratized end-user adoption, third-party integrations, unmanaged identities, and external data sharing.

**SAN FRANCISCO, Oct. 26, 2022 (BUSINESS WIRE)** — In just under a year since exiting stealth in 2021, Valence Security, the industry leader in SaaS security remediation, is announcing its $25 million Series A round led by Microsoft's M12 venture fund with participation from seed investor YL Ventures and additional investors including Porsche Ventures, Akamai Technologies, Alumni Ventures, and Michael Fey, CEO of Island and former president of Symantec. This new investment round brings Valence's total funding to $32 million.

The democratization of IT has deeply embedded SaaS applications into every business function within organizations, from sales and marketing to R&D. These SaaS applications empower end users to adopt and interconnect them directly and at scale, evolving into a sprawling and risky SaaS mesh of applications, integrations, users and data. Security teams struggle to gain the required visibility to manage the SaaS mesh risk surface leaving insecure SaaS access and usage, unmanaged shadow identities, ungoverned data sharing and misconfigured third-party integrations, all prime targets for attackers.

Current SaaS security solutions fail to provide security teams with the visibility and business context they need to effectively understand, prioritize and respond to SaaS mesh risks. The Valence Collaborative SaaS Security Remediation platform fills these needs. Valence engages business users to ensure that security decisions are made within the context of business needs and that end users work with and see security teams and processes as business enablers, not impediments. Valence empowers security teams to prioritize SaaS security, configuration and compliance risks, and enables automated and decentralized remediation workflows across the distributed organization.

"We initially launched Valence to address the critical need we saw to harden organizations against the growing risks of SaaS supply chain attacks in a way that takes into account business context and doesn't impede the velocity of SaaS adoption and usage," says Yoni Shohet, CEO and co-founder of Valence. "With the continuous surge in additional SaaS security breaches in 2021, accelerating into 2022 with attacks on inherently secure services such as Okta, Google and GitHub, our commitment to building the first collaborative, automated remediation platform has paid off. Customer response has been overwhelmingly positive and demand for our solution has been strong. As we have expanded our vision to include collaborating with end users to remediate other SaaS risks such as external data sharing and user identities managed outside of the organization's IdP, our value to our customers as their go-to SaaS security solution has only continued to grow."

This new approach to collaboratively remediating SaaS risks found a lot of interest in M12. "Recognizing the growing threat of SaaS supply chain attacks, we have been looking closely at startups in this space," said Mony Hassid, managing director and EMEA lead at M12. "We were impressed with Valence's approach to identify SaaS security risks, engage the end user to gain business context, achieve business application owner buy-in when remediating SaaS supply chain risks, and address further SaaS risks such as misconfigurations, data protection and identity security."

"We have been with Valence since the start," states John Brennan, senior partner at YL Ventures. "The progress the team made in such a short period of time is amazing and we're excited to continue supporting the team together with great partners like M12. Valence's Series A round will enable them to further accelerate the growth of their go-to-market team and programs in the U.S. It will also facilitate the rapid expansion of their R&D team to fully realize their vision of enabling organizations to secure their growing mesh of SaaS applications, integrations, user identities and data sharing, without slowing down the fast pace of SaaS adoption, usage and innovation that end users have grown used to."

**About Valence Security**

Valence Security is the first security company to offer collaborative remediation workflows that engage with business users to contextualize and reduce SaaS data sharing, supply chain, identity and misconfiguration risks with scalable policy enforcement and automated workflows. With Valence, security teams can secure their critical SaaS applications like Microsoft 365, Google Workspace, Salesforce and Slack and ensure continuous compliance with internal policies, industry standards and regulations, without impeding business productivity or the speed of SaaS adoption. Valence is backed by leading cybersecurity investors like Microsoft's M12 and YL Ventures and is trusted by leading organizations. For more information, go to valencesecurity.com.

Valence Security Announces $25M Series A to Scale Delivery of Collaborative SaaS Security Remediation Solutions to Customers

As more of the software stack consists of third-party code, it's time for a more-advanced open source vetting system.

Cyberattacks' frequency and severity remain a growing concern for organizations large and small. Hardly a day goes by without news about a major breach or break-in. Yet it's also clear that methods are evolving and becoming stealthier. One of the more disturbing trends is attackers embedding malware in legitimate products and supply chains.

The SolarWinds attack in 2020 demonstrated just how devastating supply chain attacks can be and how far they can reach. As customers of security firm FireEye downloaded and installed legitimate patches for its Orion IT-monitoring platform, malware hidden in open source software (OSS) code infiltrated their systems.

**No Simple Task**

Gaining control of the software supply chain is vital, yet it's no simple task. OSS has emerged as an essential part of the business world and increasingly delivers critical building blocks used to produce proprietary and commercial software. A growing array of products rooted in the physical world — vehicles, airplanes, medical devices, consumer electronics, and industrial machinery, to name a few — rely on OSS to operate. Hacks and attacks on these systems represent a serious and even potentially fatal risk, ranging from ransomware to sabotage.

Yet the problem is broader. Most software developed today, including applications and code embedded in physical products, contains third-party code that falls into two separate categories:

*   **Pre-built components** that perform a specific function and are available for purchase off-the-shelf, and
*   **Commissioned code** that is developed on an outsourced basis for use in the purchasing company's product.

Both of these types of third-party code can contain embedded and undocumented OSS, which may harbor security vulnerabilities.

**Can You Trust Your Partners?**

Avoiding software supply chain risks is increasingly difficult. Much of the software any organization uses derives from a trusted vendor or partner — or it's a mash-up based on numerous sources. When patches and updates come from trusted sources and appear authentic, there's typically no reason to inspect them. However, if attackers successfully plant malware in legitimate software and it goes undetected through final release production, it can become a mass malware-dissemination tool.

As the SolarWinds attack showed, an organization's defenses are only as good as the supply chain's weakest link. An enterprise can take numerous steps to ensure that the OSS it utilizes is secure, yet it's next-to-impossible to guarantee that the third-party code a partner or vendor supplies is equally vetted. Unfortunately, everyone relies on different techniques, tests, and standards.

While open source code isn't inherently more dangerous than proprietary code, the widespread adoption of OSS means that the same code components can wind up in numerous applications, products, and systems. In fact, roughly 70% to 90% of any software "stack" consists of third-party code. This includes industries and sectors as diverse as public transportation, consumer electronics, telecom, and major software applications used by universities, government agencies, and others.

Moreover, open source code risks are on the rise. Hackers and attackers use several highly effective methods to target resources such as Python repositories (i.e., Python Package Index, or PyPI) and JavaScript package manager npm. This can lead to malware that installs cryptomining software or steals credentials and authentication tokens. An attack can also embed malware in seemingly legitimate code, such as a recent case where 186 npm typosquatting packages appeared in open source code for Linux systems.

**Cracking Down on Bad Code**

Recently, a group of organizations joined together under the umbrella of the Linux Foundation to build a framework for verifying open source code.

This group — OpenSSF (Open Source Security Foundation) — includes heavyweights such as AWS, Google, IBM, and Microsoft, as well as specialized vendors such as Akamai, Indeed, and Socket Security. Its 10-point plan \[PDF\] aims to create more consistent open source code production methods, improve vulnerability discovery and remediation, and reduce patching response times for open source software.

OpenSSF hopes to achieve these results via expanded use of digital signatures on software releases; replacing non-memory-safe languages; standard third-party code reviews; improved education and training for developers and others; and improved tools and best practices for the software supply chain.

All of this leads to a best practice referred to as a software bill of materials (SBOM). It delivers a catalog of OSS as well as other software that's present in third-party (building block) code. It also displays any security vulnerabilities that this software may contain.

**An Eye on Observability**

Getting to a more-advanced open source vetting framework also requires a closer look at the code itself. This is particularly important because organizations not only rely on OSS but also a hybrid approach that revolves around pre-built, off-the-shelf components and custom building blocks, developed internally or by outsourcing partners.

Nearly 60% of software products today contain third-party code, according to VDC Research, most of which uses open source components under the hood. Gaining the needed insight into this code is difficult because conventional software composition analysis (SCA) has inherent limitations. While SCA remains a useful tool for decomposition of software and spotting vulnerabilities, there's also the need to examine and analyze binary files. This makes it possible to scan the code that runs, rather than inspecting only the pieces in the build environment.

Binary SCA finds vulnerabilities in third-party code and OSS without actual source software; it provides deep semantic matching; it's equipped to conduct analysis on real-time code; and it delivers crucial elements such as audit logging, risk reporting, API analysis, and SBOM generation and output, including formats such as PDF, CSV, SPDX, JSON, and CycloneDX. It's a best-practice framework that delivers a comprehensive view of OSS components and other code.

With these pieces in place, it's possible to improve vulnerability detection across all sources of the software in an application or product, boost audit and compliance capabilities, and establish a coveted SBOM. There's no way to stop crooks and cybergangs from attacking organizations through the software supply chain, but the combination of an industry framework and the right inspection technology minimizes the risks and maximizes the gains of open source software.

Open Source Is Just the Tip of the Iceberg in Software Supply Chain Security

Majority of vulnerability scanner tools overwhelming teams with false positives and missing exploitable vulnerabilities.

**BE'ER SHEVA, Israel, Oct. 26, 2022 /PRNewswire/** — Rezilion, an automated vulnerability management platform accelerating software security, announced today the release of the company's Vulnerability Benchmark Report, which provides visibility into the inaccuracies and noise that are created by the market's most popular commercial and open source scanning technologies.

"Every day there are a multitude of new vulnerability disclosures across the software ecosystem, driving end-users to rely on vulnerability scanners to detect if these potentially exploitable vulnerabilities exist within their environment," said Yotam Perkal, Director of Vulnerability Research with Rezilion. "With a proven variability in the accuracy of the scanning tools on the market, companies are paying the cost of time spent triaging irrelevant vulnerabilities and worst, in the case of false negative detections, create blind spots for the organization and a false sense of security."

**Inconsistent results in scanners are common.** In this first-of-its-kind benchmark and root cause analysis, Rezilion researchers examined 20 popular containers on DockerHub, ran them locally, and scanned them using six different, popular vulnerability scanners in the commercial and open source market.

Each vulnerability scanner reported a different number of vulnerabilities, equating to less than 50 percent of common findings, exposing an exceptional amount of false positives and negatives. As a result, Rezilion has opened issues/support tickets for the misidentification of **over 1,600 different CVEs**.

**Key Findings:**

*   **Recall:** Compared to the ground truth (i.e., taking false negatives into account), scanners returned only 73% of relevant results out of all vulnerabilities that should have been identified, including those the scanners failed to detect.
*   **Precision:** On average, out of the total number of vulnerabilities reported by the scanners, only 82% were relevant results (identified correctly), regardless of vulnerabilities that scanners failed to report (18% were false positives).
*   Over 450 high and critical-severity vulnerabilities were misidentified across the 20 containers.
*   On average, across the 20 containers examined, the scanners failed to find (false negative result) more than 16 vulnerabilities per container.

"The primary problem is that the scanner performance data is not transparent and leaves end-users without visibility to accurately evaluate effectiveness of vulnerability scanners," continued Perkal. "With this research, we're committed to driving the industry forward and proactively approaching the issue. Rezilion's ultimate goal is to provide transparency about the performance of the scanners and improve the quality of vulnerability scanning across the board."

**Best Practices:**

*   Understand your specific scanner's capabilities and limitations and ensure your scanner of choice matches your specific needs.
*   Be mindful of the root causes for misidentification as presented in the research, and don't trust your scanner's results blindly.
*   Utilize a Software Bill of Materials (SBOM) to validate the accuracy of your scanner output and achieve visibility into your software dependencies.

**To download the full report, please visit:** https://www.rezilion.com/lp/scanning-the-scanners-what-vulnerability-scanners-miss-and-why/.

**About Rezilion:**

Rezilion's platform automatically secures the software you deliver to customers. Rezilion's continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours while giving DevOps teams time to build.

Learn more about Rezilion's software attack surface management platform at www.rezilion.com and get a 30-day free trial.

**SOURCE:** Rezilion

Rezilion Vulnerability Scanner Benchmark Report Finds Top Scanners Only 73% Accurate

New service from BlackBerry's Threat Research and Intelligence Team reduces unknowns to enhance detection and response.

**NEW YORK, Oct. 26, 2022 /PRNewswire/** — Today, at the BlackBerry Security Summit, BlackBerry Limited (NYSE: BB; TSX: BB) announced the release of its new Cyber Threat Intelligence (CTI) offering, a professional threat intelligence service to help customers prevent, detect, and effectively respond to cyberattacks.

Delivered on a quarterly subscription basis, BlackBerry's new CTI service  
provides actionable intelligence on targeted attacks and cybercrime-motivated  
threat actors and campaigns, as well as intelligence reports specific to  
industries, regions, and countries. BlackBerry's CTI will save organizations  
time and resources by focusing on specific areas of interest relevant to a  
company's security goals.

"Being cyber resilient means making the right decisions at the right time," said  
Ismael Valenzuela, Vice President, Threat Research and Intelligence at  
BlackBerry. "Cyberattacks are becoming more sophisticated and threat actors move  
quickly. BlackBerry's Cyber Threat Intelligence delivers the details needed to  
improve detection and response, so organizations can stay on top of cyber threat  
activity and anticipate any next moves."

"More businesses are recognizing the value of threat intelligence and the  
distinctive benefits it brings to security teams," said Chris Kissel, Vice  
President, Security and Trust Products at IDC Research. "Curated threat  
intelligence from credible experts in the space provides businesses and their  
front line security personnel with timely insights, enabling them to better  
detect, triage, and investigate threats. Integrating this service with existing  
security ecosystems helps businesses stay one step ahead of cyber threats as  
digital attack surfaces evolve and expand."

The Threat Research and Intelligence Team has released numerous first-to-market  
research reports over the past year leveraging BlackBerry's data-driven digital  
ecosystem and analytical capabilities. These research reports have revealed new  
developments in the ransomware and malware space, and targeted, state-sponsored  
APT activity, including Symbiote, DCRat, Chaos Yashma ransomware and LokiLocker,  
all of which have been well-received by BlackBerry's customer base and the  
broader security community.

The service will launch in December.

For more information on how BlackBerry's Cyber Threat Intelligence service can  
support your organization, please visit BlackBerry.com to connect with one of  
our experts.

**About BlackBerry**  
BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and  
services to enterprises and governments around the world. The company secures  
more than 500M endpoints including 215M vehicles. Based in Waterloo, Ontario,  
the company leverages AI and machine learning to deliver innovative solutions in  
the areas of cybersecurity, safety, and data privacy solutions, and is a leader  
in the areas of endpoint security, endpoint management, encryption, and embedded  
systems. BlackBerry's vision is clear — to secure a connected future you can  
trust.

BlackBerry. Intelligent Security. Everywhere.

For more information, visit BlackBerry.com and follow @BlackBerry.

Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the  
trademarks or registered trademarks of BlackBerry Limited, and the exclusive  
rights to such trademarks are expressly reserved. All other trademarks are the  
property of their respective owners. BlackBerry is not responsible for any  
third-party products or services.

**SOURCE:** BlackBerry Limited

BlackBerry Launches Cyber Threat Intelligence Service to Strengthen Cyber Defenses

The mission to run any containerized application on any infrastructure makes security a challenge on Kubernetes.

Kubernetes is the de facto container management platform in the modern cloud-native world. It makes it possible to develop, deploy, and manage microservices flexibly and scalably. Kubernetes works with various cloud providers, container runtime interfaces, authentication providers, and extensible integration points.

However, Kubernetes still has one major drawback: security. The integrator approach of Kubernetes to run any containerized application on any infrastructure makes it challenging to create holistic security around Kubernetes and the application stack living on it.

According to Red Hat's 2022 "State of Kubernetes" security report, the majority of Kubernetes users had their delivery halted due to unaddressed security concerns. In addition, over the course of the previous 12 months, almost every Kubernetes user in the study experienced at least one security incident. Therefore, it is fair to say that Kubernetes environments are not secure by default and are open to risks.

This article discusses the top 10 security risks with real-life examples and tips on how to avoid them.

**1\. Kubernetes Secrets**

Secrets are one of the core building blocks of Kubernetes for storing sensitive data like passwords, certificates, or tokens and using them inside containers. There are three critical issues related to Kubernetes secrets:

*   Secrets store sensitive data as base-64 encoded strings, but they are not encrypted by default. Kubernetes does offer encryption of the resources for storage, but you need to configure it. Furthermore, the biggest threat about secrets is that any pod — and any applications running inside the pod — in the same namespace can access and read them.
*   Role-based access control (RBAC) allows you to regulate who is granted access to Kubernetes resources. You need to properly configure RBAC rules so that only the relevant people and applications will have access to secrets.
*   Secrets and ConfigMaps are the two methods of passing data to running containers. If there are old and unused secrets or ConfigMap resources, it can create confusion and leak vulnerable data. For instance, if you delete your back-end application deployment but forget to delete the secret that has your database passwords, any malicious pod can use them in the future.

**2\. Container Images With Vulnerabilities**

Kubernetes is a container orchestration platform that distributes and runs containers on the worker nodes. However, it does not check the contents of containers for whether they have security vulnerabilities or exposures.

Therefore, it is necessary to scan the images before deployment to ensure that only images from trusted registries with no critical vulnerabilities (like remote code execution) will run on the cluster. Container image scanning should also be integrated into CI/CD systems for automation and detecting flaws earlier.

**3\. Runtime Threats**

Kubernetes workloads — namely, containers — run on the worker nodes, and the containers are controlled by the host operating system in the runtime. If there are permissive policies or container images with vulnerabilities, they can open backdoors into your whole cluster. Therefore, OS-level runtime protection is required to enforce security in runtime, and the most important protection against runtime threats and vulnerabilities is to implement the least-privileged principle throughout Kubernetes.

Open source and widely accepted tools like Seccomp, SELinux, and AppArmor in the Linux kernel level are available to implement policies and restrict access. These tools are not internal to Kubernetes and require external configuration and effort to enable protection against runtime threats. In order to secure Kubernetes in an automated fashion, try employing the Kubernetes Security Posture Management (KSPM) approach. KSPM leverages automation tools to detect, fix, and alert security, configuration, and compliance issues using a holistic approach.

**4\. Cluster Misconfiguration and Default Settings**

The Kubernetes API and its components consist of a complex set of resource definitions and configuration options. Therefore, Kubernetes offers default values for most of its configuration parameters and tries to remove the burden of creating long YAML files.

However, you need to be careful about three critical issues related to cluster and resource configuration:

*   Default Kubernetes configurations are helpful, as they try to increase flexibility and agility, but they are not always the most secure options.
*   Online examples for Kubernetes resources are helpful to get started, but it is necessary to double-check what these example resource definitions will deploy to your cluster.
*   It is customary to make changes to Kubernetes resources using "kubectl edit" commands while working on the clusters. However, if you forget to update the source files, the changes will be overwritten in the next deployment, and the untracked modifications could lead to unpredictable behavior.

**5\. Kubernetes RBAC Policies**

RBAC is the Kubernetes-native method of managing and controlling authorization to Kubernetes resources. Therefore, configuring and maintaining RBAC policies is essential to secure the clusters from unwanted access.

There are two critical points to consider while working with RBAC policies. First, some RBAC policies are too permissive, such as the cluster\_admin role, which can do basically everything in the cluster. These roles are assigned to regular developers to make them more agile. However, in the event of a security breach, attackers quickly get high-level access to the clusters using cluster\_admin. To avoid this, you should configure RBAC policies for specific resources and assign them to particular user groups.

Second, in general, various environments, like development, testing, staging, and production, exist in the software development life cycle. In addition, there are multiple teams with different focuses, such as developers, testers, operators, and cloud admins. RBAC policies should be assigned correctly for each group and each environment to limit exposure.

**6\. Network Access**

In Kubernetes, a pod can connect to other pods and external addresses outside the cluster; others can connect to this pod from inside the cluster by default. Network policies are the Kubernetes-native resources to manage and restrict the network access between pods, namespaces, and IP blocks.

Network policies can also work with the labels on the pods, so inefficient use of labels could lead to unwanted access. In addition, when the clusters live in cloud providers, the cluster network should also be isolated from the rest of the virtual private cloud (VPC).

**7\. Holistic Monitoring and Audit Logging**

When you deploy an application to a Kubernetes cluster, it's not sufficient to only monitor the application metrics. You must also watch the Kubernetes cluster's status, cloud infrastructure, and cloud controllers to have a holistic view of the complete stack. It is also important to watch for breaches and detect anomalies since intruders will be testing to access your clusters from every possible opening.

Kubernetes provides out-of-the-box audit logs for security-related incidents in the cluster. Still, you also need to collect the records from various applications and monitor their health in a central place.

**8\. Kubernetes API**

Kubernetes API is the core of the entire system, where all internal and external clients connect and communicate with Kubernetes. If you deploy and manage Kubernetes components in-house, you need to be more careful because the Kubernetes API server and its components are open source tools with potential — and actual — vulnerabilities. Therefore, you should use the latest stable version of Kubernetes and patch live clusters as early as possible.

If you use cloud providers, the Kubernetes control plane is in control of the provider itself, so the cloud infrastructure updates and patches automatically. However, users are responsible for upgrading worker nodes in most cases. Therefore, you can use automation and resource provisioning tools to upgrade nodes easily or replace them with new ones.

**9\. Kubernetes Resource Requests and Limits**

In addition to scheduling and running containers, Kubernetes can also limit the resource usage of containers in terms of CPU and memory. Although Kubernetes users mostly neglect them, resource requests and limits are critical for two reasons:

*   **Security:** When the pods and namespaces are not restricted, even a single container with a security vulnerability could access sensitive data inside your cluster.
*   **Cost:** When the requested resources are more than the actual usage, the nodes will run out of available resources. This will lead to an increase in the node pool if autoscaling is enabled, and the new nodes will increase your cloud bill inevitably.

When the resource requests are calculated and assigned correctly, the whole cluster works efficiently in terms of CPU and memory. In addition, when resource limits are set, both faulty applications and intruders will be limited in terms of resource usage. For instance, if there are no resource limitations, a malicious container could consume nearly all of the resources in the node and make your application unusable.

**10\. Data and Storage**

Although containers are designed to be ephemeral, Kubernetes makes it possible to run stateful containerized applications scalably and reliably. With the StatefulSet resource, you can deploy databases, data analytics tools, and machine-learning applications into Kubernetes quickly. The data will be accessible to the pods as volumes attached to the containers.

However, it is critical to limit access by policies and labels to avoid unwanted access by other pods in the cluster. In addition, storage in Kubernetes is provided by external systems, so you should consider using encryption for critical data in the cluster. If you manage your storage plugins, you should also check the security parameters to ensure that they are enabled.

**Conclusion**

Kubernetes is the indisputable container management platform for running microservice applications. However, holistic security is still one of its drawbacks, as it is not the core focus of the project. Therefore, you need to take extra steps to make your clusters and applications more secure.

Source

DARKReading