Swimlane’s Asia-Pacific presence grows 173%, highlighting rising demand for low-code security automation.

DENVER--(BUSINESS WIRE)--Swimlane, the leader in low-code security automation, today announced the general availability of Swimlane Cloud in the Asia-Pacific Japan (APJ) region. This deployment is further evidence of Swimlane’s continued commitment to empowering APJ customers to enable new use cases previously not possible with traditional security orchestration, automation and response (SOAR). This includes unlocking the use of automation beyond the SOC, where Swimlane serves as the system-of-record for the entire security organization.

**Meeting the APJ Staffing Shortage Head-On with Swimlane Cloud**  
The APJ region faces a significant cybersecurity talent shortage with an estimated 2.045 million open cybersecurity roles, accounting for 66% of the total global shortage, signaling the struggle to find qualified, skilled professionals to handle increasing security alerts. Without automation, these overburdened security administrators must manually perform repetitive and time-consuming tasks needed to track, mitigate and resolve security events across multiple security platforms. Despite significant time investments, security teams cannot realistically analyze and adequately prioritize security alerts and events at the rate necessary to protect networks.

“In order to mature our security operations, we knew it was necessary to advance how we monitor and respond to threat intelligence by taking a more proactive approach to security operations,” said Tanajak Watanakij, CISO, R V Connex. “With our existing talent pool, we turned to Swimlane’s low-code security automation offering to create a centralized system of record for our Security Operations Center (SOC) and remove dependencies on a host of manual processes. Swimlane’s interactive dashboards and automated, easily customizable workflows reduced our mean time to respond and ultimately helped us ensure continuous compliance and prevent breaches across the entire R V Connex Corporation and our MSSP customers.”

“Security teams across APJ need solutions that reduce the manual operations needed to respond to security threats and speed up incident response,” said Johan Wikenstedt, Vice President of Asia Pacific and Japan (APJ) for Swimlane. “We are a customer-focused company with a powerful platform for helping companies ease the burden security teams face daily. Swimlane is fully dedicated to supporting the region’s ongoing cybersecurity challenges through the adoption of low-code security automation.”

**Demand for Low-Code Automation Continues to Climb**  
Swimlane’s current product initiatives in APJ continue to drive regional market traction highlighted by:

*   173% revenue growth of regional presence in the past four months, with more than 7x revenue growth in the past 6 months.
*   142% growth of regional employee headcount in the past six months.
*   New sales offices established in Australia, Malaysia and South Korea.
*   Net-new customer adoption in Australia, Bangladesh, India, Japan, Malaysia, Philippines, Singapore, Thailand, and New Zealand.
*   Vertical expansion of customer adoption across banking, technology, financial services, government, MSSP, and manufacturing industries.
*   8 new go-to-market partners established in the region.

Lumen Technologies turned to Swimlane after experiencing a rapid period of growth that challenged the company’s security team to capacity. Swimlane’s low-code security automation platform allowed the organization to maintain the integrity of its security operations and quickly adapt to business growth across its SecOps infrastructure. Within the first quarter of implementing the solution, Lumen achieved a 30% automation level. Today, 70% of security events hitting the Security Operations Center (SOC) can be fully automated without human intervention.

“Swimlane was a partner from the start, helping us ensure the solution was easy to manage and operate and providing technical support whenever we needed,” said Wai Kit Cheah, Director of the Security Practice at Lumen Technologies. “With Swimlane’s robust automation engine, events can be processed from any source, enabling our security team to integrate security automation with user and entity behavior analytics (UEBA) and third-party threat intelligence feeds. This allowed us to achieve a holistic look at our ecosystem and has quickly made Swimlane’s platform an essential component of our SOC.”

**Swimlane Medley Partner Program Expands to Malaysia**  
Swimlane has invested significantly in Malaysia due to the region’s robust national cybersecurity strategy and world-class talent. As part of its growth in the region, Swimlane recently announced a partnership with CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia (KKMM), to assist the organization on its mission to build a more resilient cyber ecosystem throughout Malaysia.

“Our strategic partnership with Swimlane comes at an exciting time for CyberSecurity Malaysia as we seek to elevate a strategic cybersecurity vision for the region,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Together, Swimlane and Cybersecurity Malaysia will leverage our combined experience, capabilities, and products to deliver innovative cybersecurity solutions across Malaysia and ensure companies in the region have access to the world’s most-capable low-code automation technology to safeguard their networks and data.”

**Join Swimlane at the SecOps Automation Summit 2022**  
Swimlane will hold the SecOps Automation Summit 2022 in South Korea, Malaysia and Australia in late April and early May. Presenters include Co-Founder and Chief Strategy Officer Cody Cornell and other members of the Swimlane team, along with various current partners and customers, to explore new and future innovations in the dynamic field of security automation.

To learn more about the summit and Swimlane’s expansion in the APJ region, visit https://swimlane.com/swimlane-helps-address-asia-pacifics-security-skills-shortage.

**About Swimlane**  
Swimlane is the leader in cloud-scale, low-code security automation. Supporting use cases beyond SOAR, Swimlane improves the ease with which security teams can overcome process and data fatigue, as well as chronic staffing shortages. Swimlane unlocks the potential of automation beyond the SOC by delivering a low-code platform that serves as the system-of-record for the entire security organization and enables anyone within the organization to contribute their knowledge and expertise to the protection of the organization. For more information, visit swimlane.com, swimlane.com/japan and swimlane.com/korea.

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

**VANCOUVER, British Columbia and SAN JOSE, Calif. — April 14, 2022 —** Absolute Software™ (NASDAQ: ABST) (TSX: ABST), a leader in self-healing endpoint and secure access solutions, today announced the availability of Absolute Ransomware Response, enabling customers to strengthen preparedness and accelerate endpoint recovery in the face of the ever-growing threat of ransomware attacks. With this new offering, part of the company’s Secure Endpoint product portfolio, organizations have the key capabilities and services needed to assess their ransomware preparedness and cyber hygiene across endpoints; ensure mission-critical security applications, such as anti-malware and device management tools, remain healthy and capable of self-healing; and expedite the quarantine and recovery of devices if an attack occurs.

Cybersecurity Ventures predicts that organizations will face a new ransomware attack every two seconds by 2031, up from every 11 seconds in 2021. While the top priority for IT and security teams has historically been securing and restoring critical infrastructure, such as servers and business applications, the accelerated adoption of ‘work-from-anywhere’ has significantly expanded the potential ransomware attack surface – and in turn, has increased the need to extend preparedness and recovery efforts to end user devices.

“The reality is that, while organizations are very concerned about the time to recover from ransomware attacks, they often solely focus on prevention tools, without planning for the worst-case scenario: falling victim to an attack,” said Eric Hanselman, Principal Research Analyst at 451 Research, part of S&P Global Market Intelligence, in a recent webinar. “By building a plan and improving their preparedness and simplifying the endpoint recovery process for their organizations, they can accelerate businesses’ ability to recover and resume operations.”1

“Ransomware is more prevalent, more sophisticated, and more capable of disruption and damage than ever and organizations need to plan for ‘when,’ not ‘if,’ they are successfully attacked,” said John Herrema, EVP of Product & Strategy at Absolute. “When a ransomware attack occurs, organizations are often forced to weigh the risks of cutting off all communication with an infected device, losing the ability to restore or recover it, or leaving the door open for re-infection. This new offering gives them the cyber resiliency needed to mitigate ransomware deployment techniques, restore and update tools critical to recovery, and if needed, hit the ‘kill switch’ – meaning they can wipe the device while still maintaining control so it can be recovered.”

Key capabilities and benefits available with Absolute’s new Ransomware Response offering include:

*   **Assess Strategic Readiness Across Endpoints**: Empower customers to review the existing security controls deployed across their endpoints, and identify key applications (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response) and device management tools required to minimize ransomware exposure and accelerate recovery efforts.
*   **Establish Cyber Hygiene and Resiliency Baseline:** Enable application resilience policies that monitor and self-heal the critical controls identified during the assessment phase, to both mitigate the risk of a successful ransomware attack and ensure that tools may be restored if an attack renders them inoperable. This also includes training customer personnel on how to monitor application health and apply these baseline resilience policies to new Absolute-enabled devices.
*   **Monitor Device Security Posture and Sensitive Data**: Allow customers to report on hardware and software inventory across their endpoints and assess overall device security posture. Scan for sensitive data – such as financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property – to identify devices most at risk for data extraction and enable proper back-up via customers’ existing tools.
*   **Expedite Device Recovery and Limit Re-Infection**: Equip customers with the capabilities needed to communicate with end users even if their devices are compromised; quarantine and freeze endpoints to limit further spread of infection and preserve evidence for litigation purposes; restore endpoint security and device management tools that have been rendered inoperable; and execute custom workflow and task automation commands to expedite device recovery. In addition, Absolute experts are available to remotely assist customers with endpoint recovery efforts leveraging Absolute’s product capabilities.

Absolute Ransomware Response is available for purchase for new customers as part of the company’s Secure Endpoint product offerings. These capabilities are also available as add-on modules for existing Absolute Control and Resilience service tier customers. To learn more, visit here.

_\[1\] 2022 Data Theft Report Webinar by Eric Hanselman, 451 Research, part of S&P Global Market Intelligence, March 31, 2022_

**_Forward-Looking Statements_**

_This press release contains certain forward-looking statements and forward-looking information (collectively, “forward-looking statements”) which relate to future events or Absolute’s future business, operations, and financial performance and condition. Forward-looking statements normally contain words like “will”, “intend”, “anticipate”, “could”, “should”, “may”, “might”, “expect”, “estimate”, “forecast”, “plan”, “potential”, “project”, “assume”, “contemplate”, “believe”, “shall”, “scheduled”, and similar terms and, within this press release, include, without limitation, the statements regarding the ever-growing threat of ransomware attacks, the speed at which a business may recover from a ransomware attack and resume operations and ‘when’ or ‘if’ an organization may face a ransomware attack. Forward-looking statements are provided for the purpose of presenting information about management’s current expectations and plans relating to the future and allowing investors and others to get a better understanding of our anticipated financial position, results of operations, and operating environment. Readers are cautioned that such information may not be appropriate for other purposes._

_Forward-looking statements are not guarantees of future performance, actions, or developments and are based on expectations, assumptions and other factors that management currently believes are relevant, reasonable, and appropriate in the circumstances. The material expectations, assumptions, and other factors used in developing the forward-looking statements set out herein include or relate to the following, without limitation: Absolute will be able to successfully execute its plans, strategies, and objectives. Although management believes that the forward-looking statements herein are reasonable, actual results could be substantially different due to the risks and uncertainties associated with and inherent to Absolute’s business, as more particularly described in the “Risk and Uncertainties” section of Absolute’s most recently filed Management’s Discussion and Analysis, which is available at www.absolute.com and under Absolute’s profile on www.sedar.com. Additional material risks and uncertainties applicable to the forward-looking statements herein include, without limitation, unforeseen events, developments, or factors causing any of the aforesaid expectations, assumptions, and other factors ultimately being inaccurate or irrelevant. Many of these factors are beyond the control of Absolute._

_All forward-looking statements included in this press release are expressly qualified in their entirety by these cautionary statements. The forward-looking statements contained in this press release are made as at the date hereof and Absolute undertakes no obligation to update publicly or to revise any of the included forward-looking statements, whether as a result of new information, future events, or otherwise, except as may be required by applicable securities laws._

**About Absolute Software**

Absolute Software (NASDAQ: ABST) (TSX: ABST) is a leading provider of self-healing endpoint and secure access solutions, delivering truly resilient zero trust for today’s distributed workforces. Absolute is the only endpoint platform embedded in more than half a billion devices, offering a permanent digital connection that intelligently and dynamically applies visibility, control and self-healing capabilities to endpoints, applications, and network connections - helping customers to strengthen cyber resilience against the escalating threat of ransomware and malicious attacks. Trusted by nearly 16,000 customers, G2 recognized Absolute as a leader in Zero Trust Networking and Endpoint Management in the Winter of 2022.

©2022 Absolute Software Corporation. All rights reserved. ABSOLUTE, the ABSOLUTE logo, and NETMOTION are registered trademarks of Absolute Software Corporation or its subsidiaries. Other names or logos mentioned herein may be the trademarks of Absolute or their respective owners. The absence of the symbols ™ and ® in proximity to each trademark, or at all, herein is not a disclaimer of ownership of the related trademark.

Absolute Software Introduces Ransomware Response Offering

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

The increased adoption of cloud infrastructure by companies looking to improve agility and support a hybrid workforce has led to more development teams adopting security-as-code as a way to build security into software and products.

Over the past year, for example, Google has pushed security-as-code as a fundamental component of its cloud offerings, identifying in January "software-defined infrastructure" as one of the eight megatrends driving the security of the cloud. Encoding security configuration as code that can be an input into development and deployment processes lets organizations analyze their security configuration, change and redeploy easily, and continuously monitor the state of their security configuration to evaluate whether it matches policies.

The result is analyzable security configuration and continuously verifiable controls, says Phil Venables, vice president at Google and CISO for Google Cloud.

"The great thing about security-as-code is that you know the configuration that you have deployed exactly corresponds to what you had specified and analyzed as meeting your security requirements," he says. "Many breaches out there are not necessarily the result of an unknown risk, but are usually the result of some control that the organization thought they had not being deployed and operating when they needed it the most."

Security-as-code is an extension of the infrastructure-as-code movement that has come about as software-defined networks and systems have become more popular. DevOps teams have adopted infrastructure-as-code as the de facto standard for building and deploying software, containers, and virtual machines, but now companies are betting that the shift to cloud-native infrastructure will make security-as-code a key part of a sustainable approach to security.

**How Security-as-Code Works**  
In 2021, consulting firm McKinsey and Company identified security-as-code as perhaps the only way to secure cloud application and infrastructure at the speed at which modern businesses move.

"Capturing value in the cloud requires most companies to build a transformation engine ... to integrate cloud into business and technologies, drive adoption in priority business domains, and establish the foundational capabilities required to scale cloud usage safely and economically," the consulting firm wrote in a position paper. "SaC is the mechanism for developing foundational capabilities in cloud security and risk management."

Google intends to make the concept much more functional and part of any cloud infrastructure. In November, the company's Cybersecurity Action Team announced a Risk and Compliance as Code (RCaC) solution.

Companies that have embraced DevOps know that repeatable software builds rely on being able to specify the configuration of infrastructure elements — whether software applications, pipeline builds, or containers — as code in a file. This infrastructure-as-code approach allows developers and operations specialists to express and analyze the configuration before it is deployed.

Security-as-code aims to do the same thing for security, in an approach that many have called DevSecOps. Security-as-code expresses the security configuration of a variety of elements, including what security testing should be performed, the criteria for vulnerability scanning, encryption requirements, and access controls.

**How Does it Affect SBOMs?**  
Google sees the current efforts to make software bills of materials (SBOMs) more explicit and functional as a key component of the future of software-as-code. The components of a software program could be analyzed during any build and the policies described in the security-as-code file would be applied. Using a component that is vulnerable to a specific threat, such as Log4j, could stop the build. Other requirements, such as a high level in the Supply Chain Levels for Software Artifacts (SLSA), could also be specified, Google's Venable says.

"This mechanism allows you to start making richer decisions," he says. "This programmability of the environment to enforce security policy is pretty transformational compared to what any of us used to be able to do in traditional on-premise environments."

Google is joined by others blazing a trail into the security-as-code arena. The growing movement to encode security as a configuration file that can be incrementally improved led security firm Tenable Network Security to acquire Accurics, a maker of security-as-code technology.

"It's far more effective to find and fix the issues at the point of creation in code, rather than where they manifest in the cloud," Renaud Deraison, chief technology officer for Tenable Network Security, said in a blog announcing the acquisition. "In this way, we can ensure that what is deployed is secure by default and that any fixes are a simple merge request rather than a patch or operational afterthought."

Not everyone is convinced that security configurations will be ensconced in code anytime soon. While configuration files traveling along with software-defined infrastructure components could bring significant benefits — such as the audit ability and improved change management — companies are still too reactionary to adopt the technology, says Brian Fox, chief technology officer and co-founder of Sonatype, a software-management and security firm.

Software composition analysis (SCA) services that can automate the identification of risky software components — a service that Sonatype provides — provides some of the automated benefits of security-as-code. Most businesses have no idea of even what components make up their software, Fox says.

"We are super early in the adoption cycle with this," he says. "All the reasons that infrastructure-as-code made sense will make sense with security-as-code, but the industry is not quite there yet, because so many people do not have the mechanisms to even do this, never mind doing it as code."

Security-as-Code Gains More Support, but Still Nascent

Companies need to detect and counteract brute-force and enumeration attacks before fraudsters run away with their customers' funds.

On April 10, 2020, Atlanta-based fintech firm Brightwell was navigating more than the deadly COVID-19 pandemic.

It all started with a series of customer phone calls. That morning sometime between 7 a.m. and 8 a.m., Brightwell received word from the customer service team that customers called to complain about missing funds, says Ernie Moran, at the time Brightwell's senior vice president of risk. Under normal circumstances, if users noticed a discrepancy upon logging into their app, the company typically would look into the problem to determine whether the customer mistakenly overspent or a fraud had occurred. Unfortunately for Brightwell, it was the latter.

"I would say the next 24 hours was the most insane 24 hours I think we've ever had at Brightwell," Moran says. "From that point forward, we started hearing from more and more customers. And you start the research process, and you start going into the platform, the processor platform, and looking at the data."

Brightwell spent the following weeks dissecting the damage of an attack that resulted in $2.5 million stolen in the span of four hours, Moran says. With the pandemic pushing more transactions online, more online fraudsters are targeting e-commerce platforms and payments companies. Sources advise payments providers to implement multiple measures prior to and during the transaction process to detect brute-force and enumeration attacks before fraudsters run away with customers' funds.

During the first five days of Brightwell's investigation, the company assessed how widespread the fraud was. First, they reviewed its authorization reports generated by its payments processor and the reports generated by its card brand. Then it cross-checked its internal data with the external reports, Moran says. The threat actor used the stolen credentials to buy cryptocurrency at an exchange, he said.

Over the course of its investigation, Brightwell discovered that a fraudster deployed a bot to guess the prepaid debit card numbers, expiration dates, and CVV numbers for 41,000 cards, which were guessed after 100,000,000 authorizations, Moran says. The bot guessed the credentials across seven merchants; one merchant, in particular, was used to steal "a large dollar amount," he says. Brightwell didn't name the sellers affected by the attack, nor did it disclose the general amount stolen per customer.

The ordeal led the company to create its fraud alert system, Arden, which stands for "AI risk detection engine." Despite all the data collected, Moran, now senior vice president of Arden, says the company couldn't figure out who was responsible for the attack.

**Watching for Red Flags**  
As e-commerce transactions skyrocketed during the coronavirus pandemic, online fraud appears to have increased also. A LexisNexis Risk Solutions Analysis of data from July 2021 to December 2021 found that bot attacks against companies have risen 32% from 2020, and human-initiated attacks have grown 46% compared with 2019. From March 2020 to February 2022, U.S. consumers spent about $1.7 trillion online, up $609 billion compared with the prior two years, according to research from Adobe.

Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions, advises cybersecurity teams to look for a high volume of transactions coming from a device within a short period of time. Seeing the same device return to transact isn't a red flag because it could be a repeat customer. However, if one device is attempting a transaction multiple times, perhaps thousands of times per second, it's likely an attack, she says.

In addition to paying attention to the device that managed to circumvent a company's defenses, Sutherland also advises companies to mitigate suspicious activity during the authorization process. They must, for example, pay attention to whether the device has malware on it, she adds.

"We talk consistently about having a layered approach to prevent unauthorized access, so that means ensuring that they have fortified their new account opening processes to prevent any application fraud, to prevent account takeover fraud as well — everything from not just that payment but that login," Sutherland says. "There's all types of avenues that a fraudster will try to be able to have a successful fraud attack, and an attack is just one of many things that concerns us in the payment ecosystem."

Another step payments providers must take is issuing their card numbers randomly rather than sequentially, says Curtis Franklin, senior analyst at Omdia and a former editor at Dark Reading. Issuing card numbers randomly prevents online fraudsters from easily route-forcing accounts. (Moran clarified that Brightwell does not issue cards sequentially.)

If the card issuer sees hundreds of guesses of card credentials in rapid succession, cybersecurity teams must alert the vendor and monitor the reasons for rejection. The card issuer could, for example, check to see whether the card number has not yet been issued. If an online fraudster guesses a card number that hasn't been issued yet, it's a good indicator that they are sequentially guessing the credentials using an algorithm, Franklin says.

Besides monitoring for rejections of sequential numbers, rejections of unissued card accounts, and rapid-fire rejections from a single merchant, companies should also determine ahead of time how high their risk tolerance is. There's a chance that companies could reject legitimate customers who are inputting the wrong card information while screening for fraudulent activity.

**Managing the Risks**  
In 2021, cybercriminals used cryptocurrency to launder $8.6 billion, a 30% increase from 2020, according to a report from the blockchain data firm Chainalysis. The cryptocurrencies, particularly Monero, have attracted cybercriminals seeking to transact anonymously; however, their fluctuating speculative value complicates criminals' ability to monetize the crime.

"Criminals hate losing money," Franklin says, but "they like the idea of making it harder for national governments to find them."

"In this case, the vast majority of the fraud losses and risk ended up being on Brightwell for a number of reasons that \[were\] outside of our control in many cases," Moran says. "We had a small portion of the losses that were actually not our responsibility ... and then we had a larger portion that was our responsibility. However, in the end there was enough risk and fall to go around that we ended up being made whole for the losses."

As merchants and payment providers face these attacks, card providers such as Visa and Mastercard will usually bear the liability, but customers can suffer the inconvenience when their card is frozen. Thus, the vendor and member bank can lose income, as well as the trust of their customers.

"The thing that keeps all of this rolling along so well is the understanding among consumers and merchants and everyone else that this is, in fact, a secure way to do business. If that confidence is shaken, then that can have a more profound impact," Franklin says. "That's the cost that they really want to solve."

Security Lessons From a Payment Fraud Attack

IT departments must account for the business impact and security risks such applications introduce.

Last month, Dark Reading released an enterprise application security survey that raised serious concerns by IT and security teams about the state of low-code/no-code applications. The survey exposed a deep lack of visibility, control, and knowledge necessary to maintain the level of security maturity expected in the enterprise. Here we will look at concrete concerns raised by the survey, examine their root causes, and offer recommendations on ways to address them today.

The following concerns were raised under the question, "What security concerns do you have regarding low-code/no-code applications?"

**Concern No. 1: Governance**  
According to 32% of respondents, "There is no governance over how these applications are accessing and using our data."

Indeed, many useful low-code/no-code applications rely on storing data either in managed storage provided by the platform or in another platform via a connector. The tricky part is that low-code/no-code platforms make it extremely easy for makers to essentially bake their identity into the applications, so that every application user ends up triggering operations on behalf of the maker. Within enterprise environments, it is not uncommon for useful business applications to store their data in the maker's Dropbox or OneDrive account. Baked-in accounts can become an even bigger issue when an honest mistake causes data to be stored in a personal rather than business account.

Another popular use of low-code/no-code are data-movers or operation-stitchers. They connect source and destination, either by moving data between multiple points or by linking together an operation in one system to another in a different system.

As an example, a popular automation flow in enterprise scenarios is email forwarding. Users build an application that monitors their professional inbox for new emails, copies their content, and pastes it in their personal email for various reasons. Note that by copying the data, users are easily able to bypass DLP controls that would have prevented email forwarding.

**Concern No. 2: Trust**  
According to 26% of respondents, "I don't trust the platforms used to create the applications."

Low-code/no-code platform vendors are increasingly directing their attention to provide strong security assurance for their platforms, but there is a long way to go. While enterprise customers have become used to the security benefits provided by public cloud vendors, with their mature security teams, vulnerability disclosure programs, and state-of-the-art SOCs, low-code/no-code platforms are just getting used to the fact that they are now business-critical systems.

Of course, vendors investing in the security of their platform is not enough. Customers have to hold their part of the shared responsibility model, too. While platform vendors are improving their security posture, enterprises using low-code/no-code platforms must figure out how to approach these applications with the same level of security vigor as they would their pro-code applications. After all, the impact of both types of applications on data, identity, and the enterprise as a whole is the same.

Take security testing, for example. To catch security issues early, pro-code applications are typically built with code and configuration scanning tools in place, as part of the CI/CD. There are a host of tools to help detect issues throughout the SDLC, including SAST, DAST, and SCA, which has become very popular in recent years with the rise in open source security issues. Low-code/no-code applications are prone to the same problems that these tools detect, such as injection-based attacks, security misconfiguration, and untrusted dependencies. However, these applications typically rely on manual processes for security assurance or try to use pro-code tools to scan artifacts generated with low-code; unfortunately, pro-code tools fail to understand the business logic of low-code/no-code applications and therefore provide little value.

**Concern No. 3: AppSec**  
According to 26% of respondents, "I don't know how to check for security vulnerabilities in these applications."

How do I make sure my code makes sense, and that it is secure and robust, without access to that code? This point is tricky, and new solutions are required to tackle it.

When public cloud providers started introducing the concept of platform-as-a-service for compute services such as managed virtual machines (VMs), managed Kubernetes clusters, or serverless functions, the same kind of concerns were raised. Our entire strategy, as a security community, to secure compute instances was based on our ability to observe and leverage the host machine running our applications. While stripping away the complexities of managing VMs, cloud providers also stripped away the ability of security teams to observe and protect them. As a result, novel solutions had to be introduced to provide the same level of security assurance with cloud-native building blocks.

The same approach is desperately needed in low-code/no-code applications. Instead of trying to apply existing tools like code scanning or web security monitoring to artifacts generated by low-code/no-code, security teams should adopt solutions that understand the language of low-code/no-code in order to identify logical vulnerabilities in those applications.

**Concern No. 4: Visibility**  
According to 25% of respondents, "The security team doesn't know what applications are being created."

This point is particularly important because you can't protect what you can't see. Most low-code/no-code platforms have little to no capabilities for allowing admins to view applications built on these platforms. Basic questions like, "How many applications do we have?" are simply unanswerable without pervasive measures. For example, some platforms allow admins to make themselves the owners of every application separately but do not allow them to see the application otherwise. So admins must resort to an active change on the platform to take a look at the application. 

Other platforms go even further, allowing business users to create applications in a private folder that administrators cannot review, other than knowing the number of applications that exist in them. A maker could be exfiltrating data through a private application, and the admin is left with no way to even know anything besides the fact that the application exists.

Visibility becomes even trickier once companies realize that they are using more than one low-code/no-code platform. In fact, most large enterprises are already using multiple platforms. With low-code/no-code platforms becoming more popular, citizen development tools being introduced bottom-up, and software-as-a-service (SaaS) vendors becoming platforms themselves, it's clear why enterprises are suddenly finding themselves using several different platforms.

**Concern No. 5: Knowledge and Awareness**  
According to 33% of respondents, "I don't have any security concerns," "Other," or "Don't know."

Since low-code/no-code platforms often find their way into the enterprise through business units rather than top-down through IT, they can easily slip through the cracks and be missed by security and IT teams. While security teams are in most cases part of the procurement process, it's easy to treat a low-code/no-code platform as just another SaaS application used by the business, not realizing that the result of adopting this platform would be empowering a whole array of new citizen-developers in the business.

In one large organization, citizen-developers in the finance team built an expense management application to replace a manual process filled with back-and-forth emails. Employees quickly adopted the application since it made it easier for them to get reimbursed. The finance team was happy because it automated part of its repetitive work. But IT and security were not in the loop. It took some time for them to notice the application, understand that it was built outside of IT, and reach out to the finance team to bring the app under the IT umbrella.

Security and IT teams are always in a state where the backlog of concerns is much larger than their ability to invest. To make sure resources are allocated to the most critical security risks, teams must first be aware of the criticality of low-code/no-code applications to the business and the security risks that they introduce. For the former, this means that low-code/no-code applications' impact on the enterprise must be demonstrated and clear. Security teams must be part of the discussion when thinking about adopting citizen development. 

For the latter, we as a community have to research, categorize, and share concrete security risks we identify to help others to build more secure applications. Bringing IT and security into the low-code/no-code conversation would allow the adoption of these technologies to accelerate, unleashing their full potential to increase business velocity and productivity.

Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

The above cartoon is in a need of a caption, and we're depending on you, dear Dark Reading readers, to come up with something that tickles our collective funny bone. Here are four ways to submit your idea:  

*   Email _\[email protected\]_ with the subject line "Dark Reading April Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, May 11, 2022. We look forward to your submissions.

**Last Month's Winner**  
Congratulations to Nextiva risk manager Bruce Walton, whose winning caption (below) for our March "Sleep Like a Baby" contest rose above many amusing options. A $25 Amazon gift card is on the way. 

Thank you to everyone who participated.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Helping Hands

The ongoing war in Ukraine means that defenses are only as good and as strong as those with whom we partner.

Disinformation campaigns, distributed denial-of-service attacks, wiper malware, Internet blackouts, and bot armies are just a few of the various digital attacks that Russia has aimed at Ukraine. In late February, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning US firms to prepare their defenses to defend against these kinds of attacks. As of now, at least four different kinds of wiper malware — destructive disk-wiping malware — have been released during the conflict.

For those who are still wondering where is the cyberwar in the Russian invasion, it's already here and it's imperative for organizations across the globe to be prepared. However, in a tightly integrated global economy, these preparations must not occur in isolation but, rather, must encompass an organization's partners — and their partners' partners and so forth. Collective resilience captures this notion of strengthening the defenses across an organization's entire supply chain ecosystem by pursuing strength in unity, but viewed through a realistic lens, that self-preservation requires strengthening and lifting up the weakest links within highly interdependent systems. When it comes to the growing uncertainty and instability stemming from the Russian invasion, there has been a sharp swing toward collective resilience to proactively offset and mitigate the ongoing Russian malicious cyber activity.

Russian malware has a history of making organizations across the globe collateral damage, even if they are not the intended target. In 2017, a destructive supply chain attack propagated across the globe in a matter of hours. Maersk, Merck, and FedEx were just a few of the global victims, as the cyberattack disrupted ports, hindered vaccine distribution by the Centers for Disease Control and Prevention, and crippled manufacturing sales. This history, coupled with Russia's ongoing deployment of a range of malicious cyber activity during the fog of war, elevates the risk and potential for collateral damage across the globe due to cyberattacks. CISA's Shields Up campaign attests to the growing risk to organizations stemming from the Russian invasion.

**Third-Party Risks  
**However, Shields Up should not just apply to an organization's own systems but to its partners as well. Third-party risks remain a core attack vector targeting the weakest link within an organization's supply chain. More than 2,000 US-based firms had suppliers in Ukraine and Russia prior to the invasion; a number which exponentially increases to hundreds of thousands of suppliers when integrating their second- and third-tier suppliers. Even if these suppliers are not the intended targeted, they may become collateral damage in the war.

An organization's digital supply chain similarly must be part of this extended defense. Just as NotPetya exploited the digital supply chain, the US and UK have warned that the Russian-linked Cyclops Blink botnet is targeting ASUS, a Taiwanese electronics company. Coupled with the Lapsus$ Group's ongoing attacks, supply chain attacks remain on the rise and are a core component of Russia's strategy of preparatory installation and reconnaissance. The Cyclops Blink campaign has been active since at least 2019, illustrating Russia's ongoing efforts to embed and prepare for future exploitation. FBI Director Christopher Wray explained how cyberattacks do not occur instantaneously, but rather, "There's activity that leads up to it. ... There's developing access to those systems. So, there's a whole range of preparatory work, which is what we've been seeing." This access increasingly occurs through the digital supply chain.

**Collective Resilience  
**Furthermore, the growing list of approximately 400 sanctioned Russian companies introduces an additional cyber and supply chain risk for organizations. For instance, the March 24 US Department of Treasury sanction targets almost 50 Russian defense-industrial base organizations, including Joint Stock Company Russian Helicopters. This company alone has hundreds of tier-1 and tier-2 suppliers and is in the supply chain of many technology and aerospace and defense companies as it accounts for 10% of the global helicopter market. Many in the aerospace and defense sector rely on the same suppliers, exacerbating the potential for a single sanctioned company to propagate risk throughout the industry. 

These companies are not only at risk of noncompliance fines but need to consider the degree to which the hundreds of restricted companies have access to their data or networks. More sanctions are also likely, including secondary sanctions that target third-party relationships — a step that would yet again stress the necessity of collective resilience across an organization's entire supply chain.

Some are adhering to CISA's warnings and strengthening their own defenses, while others still debate the absence of malicious cyber activity in the Russian invasion. While fortunately there has yet to be the major attacks many feared, Russia continues "to undermine, coerce, and destabilize," according to Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. As we've seen in the past, these destabilization efforts are unlikely to remain contained to Ukraine. Organizations should seek a collective resilience approach in preparation for the growing geopolitical instability across the globe. Defenses are only as good and as strong as those with whom we partner.

Strength in Unity: Why It's Especially Important to Strengthen Your Supply Chain Now

Upgrading and fixing the vulnerability in the Spring Framework doesn't seem to have the same level of urgency or energy as patching the Log4j library did back in December.

The maintainers of the popular Spring framework patched the critical remote code execution flaw (CVE-2022-22965) on March 31. Two weeks later, the majority of Spring downloads are still using vulnerable versions with the flaw unpatched, suggesting developers are not in a rush to upgrade.  

As of April 15, 77% of Spring downloads were for vulnerable versions, according to the charts posted by Sonatype on its Exploit Resource Center. That is a small drop from April 4, when 82% of Spring downloads were for vulnerable versions of the framework. There was a quick jump to about 20% of downloads adopting the latest versions, but since then the figure has leveled off. One reason why the vulnerable versions of Spring are still being downloaded may be tied to the fact that many companies do not have a clear understanding of all the dependencies for each business application.

"\[The\] fact that we continue to see these downloads is indicative that organizations haven’t made the decision to upgrade,” says Brian Fox, Sonatype’s CTO.

In the above stacked area chart, the red region represents the vulnerable versions and the green region is the updated version with the fix patched. In this case, the higher the number, the more applications with the vulnerable component being built.

The needle toward the majority of developers using the updated version is moving very slowly.

**Preparing for the Future  
**The vulnerability’s exploitability can change at any time: Someone may develop an attack vector that is repeatable and doesn’t require as many specific conditions to be present or may figure out a way to get around security mitigations. It would be better to get the environment updated now before a newer exploit is developed and the situation becomes more serious.

“\[The\] danger is, when the cone of attention moves on, there will be plenty of unpatched estate that might later become a risk,” notes Iikka Turunen, Sontaype's field CTO. “It's not a  Spring thing, it's a how are we managing our dependencies thing.”

The vulnerability exists in Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. The issue has been fixed in Spring Framework version 5.3.18 and 5.2.20 and Spring Boot 2.5.12 and 2.6.6.

“This seems to indicate that those who know they need to upgrade — and are able to — tend to do so very quickly,” Fox says. “The rest of the long tail, however, is very long, leaving lots of room for attackers to find new ways to exploit the existing vulnerabilities and to work around the mitigations that may be in place.”

**Not “as Bad” as Log4j  
**Back in December, when the vulnerability in Log4j was disclosed, there was a big push to get people to update as soon as possible. Sonatype says its latest numbers show that 34% of Log4j downloads are still the vulnerable version. The majority of new downloads are for the latest – safe – version.

Despite its severity, the issue in Spring isn’t viewed as being just as urgent because exploitation requires a nonstandard setup (packaged as a traditional WAR file when most modern applications have switched to Spring Boot executable jar files) and exploitation is currently very limited.

“Spring4Shell does give us a unique opportunity to understand what happens in the software industry when ‘Critical’ but not ‘The Internet is on Fire’-level vulnerabilities appear,” Turunen says.

To underscore the rarity, vulnerability scanning and penetration testing services company Intruder scanned over 25,000 client assets since the disclosure of the vulnerability. “We have yet to find a vulnerable application,” writes Benjamin Marr, a security engineer with Intruder.

Security teams should not get complacent or delay the upgrades. “There will inevitably be more ways to exploit through adjacent methods,” Fox says. “The safest thing to do in these scenarios, almost always, is upgrade.”

Upgrades for Spring Framework Have Stalled

Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.

Google fixed two vulnerabilities in its Chrome web browser as part of an emergency update this week, including a type confusion vulnerability that is already being exploited in the wild.

The type confusion vulnerability (CVE-2022-1364) impacts the JavaScript and WebAssembly engine in the browser. With this kind of flaw, a program will allocate a resource (such as a pointer or object) using one type but will later try to access the resource using an incompatible type. The vulnerability can be exploited to cause the browser to crash, trigger logical errors, or even execute arbitrary code.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert. Details will be restricted until a majority of users have updated to Chrome version 100.0.4896.127 across the Windows, Linux, and Mac platforms.

The issues also affect other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

The second issue that was fixed appears to be related to issues that were uncovered internally. The alert calls it "various fixes from internal audits, fuzzing, and other initiatives."

This is the third emergency update for Chrome in 2022, and the third zero-day vulnerability patched so far this year. In March, Google (along with Microsoft) fixed a critical flaw to the Chromium v8 JavaScript engine (CVE-2022-1096) that was being actively exploited.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Emergency Update Fixes Chrome Zero-Day

IT professionals worry most about cloud security, but other questions arise about training, functionality, and performance.

The biggest concern IT staff has about their organization's use of cloud computing is far and away security. Almost three-quarters (73%) of survey respondents cited security as the greatest worry about the cloud. But half also cited cost (58%) and reliability (50%) as areas of concern.

That's according to State of the Cloud: A Security Perspective, a report from Dark Reading released in March 2022. The research surveyed decision-makers with IT job titles at organizations that use cloud services. Those organizations include companies of all sizes from a variety of industries, including technology, healthcare, financial services, manufacturing, and education.

Reliability looms large both because of its importance — employees and customers need to be able to access a company's tools in order for it to stay open for business — and because for cloud applications, reliability is largely outside the control of the organization. That lack of control can certainly raise anxiety levels.

The only other concerns that rise into the double digits are staff skills in cloud computing (26%), inadequate cloud functionality (10%), and putting too much data in the cloud (10%). Like reliability, these all tie back in with security, the responsibility for which is shared between the data owner and the cloud provider. As cloud implementation grows and matures across all industries, IT staff are learning how to secure data and configure cloud access for maximum security, which may alleviate the stress enough to keep "too much data" worries down to 10% of respondents.

To end on a positive note, only 6% of respondents say their service level agreements are inadequate or that their service providers try to upsell them on unwanted cloud services. Indeed, a full 2% of respondents say they have no concerns and are fully content with their cloud services. That's one response we'd all like to see grow.

For more data and insights, download the full report.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading