With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

Driven by the popularity of agile development, the usage of Web application programming interfaces (APIs) has increased dramatically, leaving software-focused companies with larger, and more vulnerable, attack surfaces that can be exploited by threat actors.

Overall, API usage has soared in the past year, tripling to about 15,600 APIs per company, with traffic quadrupling to 820 million requests per year for the average firm, according to two recent reports. And where the application developers go, attackers follow: Over the past year, malicious API traffic has surged by almost a factor of seven, according to the "State of API Security" report published in March by Salt Security, an API security firm.

Between the changes in development and growing vulnerabilities exposed by third-party software components that could be exploited through APIs, attackers will continue to increasingly target the easy-to-use interfaces, says Elad Koren, chief product officer for Salt Security.

"Attacks are growing, because the attack surface is growing," he says. "But it's not just that. It's also issues like Spring4Shell and Log4j — all those new vulnerabilities are part of this new attack surface — and they \[threat actors\] are targeting all of these vulnerable surfaces."

The trends are the latest challenge for application security. Development teams continue to move quickly, usually not fully documenting the APIs created to link different application components in the cloud or over the network. The result is that companies do not know the extent of the their API inventory and whether those application interfaces are secure, says Sandy Carielli, a principal analyst with Forrester Research.

    

Source: Salt Security

No wonder, then, that API security has become a top-five briefing topic for the business analyst firm, she says.

"The growing \[malicious traffic\] certainly doesn't surprise me," she says. "As more organizations move to using APIs, a higher percentage of application traffic is through APIs, so naturally you are going to see more malicious traffic going through that channel."

**Taming the API Attack Surface  
**Much of the impetus behind growing API inventory and traffic is the shift to cloud-native and agile development methodologies. A typical sprint for application development sprints is two to three weeks, so a development team has dozens of opportunities to introduce API misconfigurations and vulnerabilities into a service or application, says Oz Golan, CEO and co-founder at Noname Security, an API security firm.

"As organizations drive their digital transformation processes faster and harder, more API vulnerabilities will surface and become exploited," he says. "Unless they slow down their business operations and do extensive testing, they are going to release and expose their operations to risks."

The average company has nearly 15,600 APIs and has seen a 41% rate of API security incidents over the past 12 months, according to "The 2022 API Security Trends Report," published by S&P Global Market Intelligence and sponsored by Noname Security. However, those findings are complicated by the different yardsticks that API security vendors use to collect their data, including survey results, which are notoriously malleable. Salt Security, for example, found that the average customer had 135 APIs and a 95% rate of API security incidents, according to its "State of API Security" report, published in March.

While the numbers differ — sometimes significantly — both reported significant growth in relative API usage among their customers and relative growth of malicious API traffic.

**Hacking the API Security Challenge  
**For that reason, companies need to fully account for their own APIs and their employees' API usage, including API source, destination, type, data sensitivity, owner, and whether the API access requires authorization. So far, companies have not done a great job of keeping track of their API inventories, Forrester Research's Carielli says.

"In an ideal world, you would have your development team creating specification files for every API and keeping them up to date," she says. "We don't live in an ideal world. A lot of the discovery tools have to analyze traffic and do pre-release testing on APIs to make sure that you have the right controls and that they are being managed well."

The steps for securing APIs track closely with application security overall. Focusing on secure design and threat modeling means heading off vulnerabilities before they grow into significant — and expensive-to-fix — issues. Testing and monitoring API usage following deployment is just as important to gather data on attackers and to protect against issues not discovered during development, says Salt Security's Koren.

Fixing as many of the security issues as possible by considering API security during the design phase is important, but runtime security is just as necessary, because it gives application owners peace of mind and visibility into attackers' tactics, he says.

"Today, it is very important to have that pipeline security for the left side — the development side — but it is not interchangeable with runtime security," Koren says. "You will never ever, no matter how good your tools are, catch all the issues you have during the development phase. You have to have the runtime, because they are not interchangeable."

API Attacks Soar Amid the Growing Application Surface Area

The FBI warns that ransomware targets are no longer predictably the biggest, richest organizations, and that attackers have leveled up to victimize organizations of all sizes.

As the cyber dimension of the Ukraine conflict erupted, demonstrating the ungoverned and unstable nature of full-on cyberwar, a parallel ransomware alert from the US government got comparatively scant coverage. But it, too, merits attention.

The alert served as a reminder of the two species of cyber threat: the unpredictable, spinning-pinball threats that can lurch out of control and pulverize innocents in random fashion — and the intricately designed, coolly targeted threats meant to ransack a particular organization's servers and perhaps its bank account.

The Ukraine clash may generate plenty of damage of the first type. Indeed, it may already be doing so. But while that conflict progresses, the second type of threat, epitomized by ransomware, is taking no holidays.

**A Formal Alarm**  
Issued in February, days before hostilities broke out between Russia and Ukraine, the Joint Cybersecurity Advisory from the FBI, CISA (the Cybersecurity and Infrastructure Security Agency), and the NSA sounded a formal alarm about "an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally."

Attack targets are no longer predictably the biggest, richest organizations, according to the report. Ransomware groups have learned to infiltrate enterprise SaaS platforms and exploit them as hubs for firing off waves of malevolent executables at scale, victimizing platform clients, both large and small. According to the advisory, the FBI in 2021 "observed some ransomware threat actors redirecting ransomware efforts away from 'big-game' and toward mid-sized victims to reduce scrutiny." The FBI’s counterpart agencies in the UK and Australia, the National Cyber Security Centre (NCSC-UK) and Australian Cyber Security Centre (ACSC), concurred that organizations "of all sizes" suffered ransomware attacks throughout the year.

On the one hand, in this national security sphere, any additional recognition or investment at the top of government is overdue and cannot hurt. On the other, recognition does not mean the government has the reach or means to protect you — something the two species of cyber threat have in common.

**Who's in Charge?**  
One early, grim lesson of the Ukraine cyberwar is that no authority is firmly in charge and no government agency can consistently shield its citizens from blowback. Governments aren't even supervising some of the cyber combatants: freelance hacktivists like Anonymous, jamming Russian broadcast channels and the Kremlin website, answer to their own moral code, not a central command in Kyiv. And Ukraine's own "I.T. Army" is a barely directed worldwide corps of digital adepts connecting via Telegram to wreak cyber havoc.

What could go awry in that woolly, infinitely multilateral conflict sphere? No national cyber defense framework can keep innocent parties from becoming collateral damage.

The thing is, no government ransomware policy can unilaterally create a safer, more secure environment either.

Government cannot remake the trend throughout the private sector toward hybrid compute workloads. With a thoughtful hybrid strategy, an enterprise hosts its more sensitive workloads on-premises, and deploys less critical resources to a more economical third-party public cloud provider. The practice may yield savings, but with the simultaneous concern that roles and responsibilities once firmly controlled by data center operators may be much less clearly delineated. Involving cloud providers makes evaluating risk and modeling effective security controls more complex. It must be done, but it is up to individual organizations.

Government can recommend private interests perform overdue software updates or implement dual-factor authentication protocols. But those best practices will never be mandated by act of Congress; they are up to individual organizations.

Influencers from security agencies can keynote one conference after another, emphasizing today's key challenge for CISOs everywhere: threat visibility across the environments they're laboring to secure. CISOs can't defend against threats they can’t see. Total, real-time visibility into IT and cloud infrastructure is the ideal; the reality is, almost all organizations lack it. They're unaware of what devices and individuals are connected, with what access to sensitive systems and data. Visibility into third-party access to company systems also remains poor. To spot ransomware before it digs in and does damage, CISOs should be adopting security solutions that visualize an entire attack surface. But the initiative to make such visibility a top priority must come from CISOs themselves.

**Familiar Advice**  
The conclusions drawn by the Joint Cybersecurity Advisory are recommendations, not directives — and if you've been tracking the rise of ransomware, they feel familiar: Keep systems and software up to date. Train workers to spot phishing links and dodgy attachments. Implement 2FA. Back up your data. We have heard this advice before; the advisory simply delivers it from a higher-echelon source.

That doesn't mean it's dismissible — quite the contrary. But what is really important is how organizations everywhere react. The Ukraine conflict is erasing the last vestiges of complacency about the destabilizing, out-of-control threat of cyber weapons. We should do all we can to see that this cybersecurity advisory does the same for the threat of well-controlled, ruthlessly targeted cyber piracy.

Cyber Conflict Overshadowed a Major Government Ransomware Alert

Apostro's system will monitor all transactions to identify malicious behavior that can cause damage to DeFi protocols.

WARSAW, Poland, April 26, 2022 /PRNewswire/ -- Apostro is a recently established European startup building a risk management platform to improve the economic security of DeFi protocols. It offers a fresh approach to DeFi security by implementing proven risk management practices and tools from traditional finance.

Many DeFi projects have become victims of exploits, losing millions of USD worth of crypto every year. The first quarter of 2022 is already setting a new record with $1.3 billion stolen in illicit transactions. While the total value locked in DeFi has already surpassed $200 billion, loopholes in the infrastructure and deficiency of risk management tools allow bad actors to steal money. This stalls DeFi adoption as institutions and big players want more security assurances before considering the space as a safe portfolio diversification option.

Currently, DeFi protocols rely on audits of their smart contracts, but this practice is insufficient when dealing with economic threats. Stress testing and formal verification can simply miss a potential logic backdoor, which gives hackers a way to steal funds by exploiting economic opportunities rather than technical weaknesses.

To deal with such threats, Apostro is building a system that will analyse smart contracts' business logic and typical interactions with the protocol by an average user. It will monitor all transactions to identify malicious behaviour that can cause damage to the protocol.

Apostro can also prevent or delay an exploit by complicating its execution by setting limits on the amount of available liquidity in one block or transaction. Simultaneously, it will alert the developers of any threats to a protocol's security, allowing them to take necessary measures to mitigate the negative impact.

_'We help minimise the impact of economic attacks on DeFi systems. Technical attacks are more or less sorted out by now: there are many good auditors, and most issues are relatively easy to catch. With economic issues, however, there are no ideal solutions available yet,'_ \- states Tim Ismiliaev, founder and CTO at Apostro.

**About Apostro**

Apostro is a risk management platform designed to track, mitigate and prevent economic smart contract exploits. Headquartered in Warsaw, Apostro utilises proven risk management practices with onchain and market data analysis to enhance security of Web3 protocols.

Introducing Apostro: A Risk Management Platform for Web3 Security

SecurityScorecard's Cyber Risk Quantification portfolio helps customers understand the financial impact of a cyber-attack.

NEW YORK, April 26, 2022 /PRNewswire/ -- SecurityScorecard, the global leader in cybersecurity ratings, today introduced its Cyber Risk Quantification (CRQ) capabilities that will enable customers to understand cyber risk in financial terms, enabling organizations to bring cyber risk into holistic business risk analysis, and assisting organizations in a cost-benefit analysis of cyber investment options. SecurityScorecard's CRQ capabilities help customers understand the financial impact of a cyber-attack, gain insight into the probability of incidents over time and quantify the reduction in expected losses if issues are resolved. The SecurityScorecard CRQ capabilities will be included in the company's risk intelligence platform, the industry's first holistic offering that proactively protects organizations from every angle.

"Executives and boards of directors lack the ability to connect cybersecurity budgets to business outcomes, hindering the CISO's ability to justify their cybersecurity budgets. By grounding risk quantification in SecurityScorecard's expansive data, we are bringing cyber security to the forefront of daily decision making," said Prashant Pai, Senior Vice President and General Manager Strategic Initiatives, SecurityScorecard. "Our goal is to help our customers make informed decisions on how to raise the bar on their cybersecurity defenses with optimized investments, and we will continue to partner with leading CRQ thought leaders to provide the options they are looking for."

To deliver the combined insights of SecurityScorecard's cybersecurity ratings data and leading risk models, SecurityScorecard is partnering with a number of leading CRQ thought leaders and developers including ThreatConnect, and RiskLens, which created Factor Analysis of Information Risk (FAIR™). With multiple views of risk available through the lens of different CRQ frameworks, risk managers can determine which framework is the best fit for their business.

With cyber risks becoming increasingly prevalent, boards of directors and executives need to evaluate those risks and become more involved with cybersecurity. Effectively reporting to the board is a key component of every security leader's job.

According to Gartner® The 2022 Board of Directors Survey, 88% of respondents viewed cybersecurity as a business risk, while 72% stated they are focused on aligning risk, strategy and performance to drive business resilience.1

"The CRQ integration between RiskLens and SecurityScorecard will finally give organizations of all sizes what they need to effectively understand and manage cyber risk: an automated, 'dollars and cents' view of cyber risk," said Nick Sanna, CEO, RiskLens. "Based on the FAIR cyber risk quantification standard, on industry benchmark data and on their SecurityScorecard security rating, organizations can now make risk-informed business decisions."

"ThreatConnect is excited to partner with SecurityScorecard as the combination of their external cybersecurity risk posture and the power of ThreatConnect Risk Quantifier (RQ) connects the outside and inside views for an organization, giving them a 360 degree perspective of the risk to their organizations," said Jerry Caponera, Vice President of Cyber Risk Strategy for ThreatConnect. "Applying ThreatConnect's statistical and machine learning algorithms to the SecurityScorecard data enables customers to easily visualize their risk and, more importantly, prioritize which factors should be improved based on financial risk reductions."

SecurityScorecard's CRQ portfolio enables executives, CISOs and risk managers to obtain a comprehensive view of their cyber risk that enables them to define cyber risk in a universally understood metric and embed those insights into decisions across the organization.

SecurityScorecard's CRQ capabilities also offer:

*   **Scalable risk quantification methodology -** With continuous monitoring of over 12 million companies, SecurityScorecard grounds its analysis in a consistent cybersecurity data-driven approach to deliver a real-time view of risk.
*   **Contextualized view of cyber risk -** SecurityScorecard directly ties financial impact to the security issues that drive losses.
*   **Multiple risk quantification frameworks–** Multiple risk frameworks are integrated into the CRQ capabilities to ease the evaluation and implementation of CRQ.

SecurityScorecard enterprise customers can learn more and gain early access to SecurityScorecard's CRQ capabilities by clicking here.

**About SecurityScorecard  
**Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard's patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

1 _Gartner, "Roadmap to Renewal: The 2022 Board of Directors Survey", Partha Iyengar, published October 28, 2021, ID G00728156._

_GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved._

SOURCE Security Scorecard

SecurityScorecard Launches Cyber Risk Quantification Portfolio

This Tech Tip reminds developers and security teams to check what version of Java they are running. Whether they are vulnerable to the ECDSA flaw boils down to the version number.

Oracle has patched a critical vulnerability in newer versions of Java that adversaries could exploit to forge security certificates, digital signatures, two-factor authentication messages, and authorization credentials. The security fix was included in the April 2022 Critical Patch Update released last week.

The issue (CVE-2022-21449) exists in the way the Elliptic Curve Digital Signature Algorithm (ECDSA) is implemented in Java versions 15, 16, 17, and 18. Defenders should check what version of Java they are running and update. Java 15 and 16 are no longer supported, and the issue has been fixed in Java 17.0.3 and 18.0.1.

**1\. Check and update:** Check what version of Java is running with the command _java -version_ (or _java.exe -version_ on Windows).

It’s worth checking manually because it’s possible to have multiple Java versions installed on the system simultaneously, since there could be different versions of the Java Development Kit (JDK) and Java Runtime Environment (JRE).

For many organizations, the fact that the vulnerability exists in only the latest versions may be good news, since the adoption for Java 15 and newer remains fairly low.

**2\. Pay attention to advisories:** Java is widely used, so enterprise teams will need to keep an eye out for advisories from app and device manufacturers on whether they are affected and update as needed. The vulnerability doesn't just affect Internet-accessible Java servers and client software – any device that relies on digitally signed data is potentially affected, even if it is an internal device.

**Details of the Flaw**  
ECDSA uses elliptic curve cryptography to authenticate messages. A missing sanity check in ECDSA means that adversaries can pass the signature check by presenting a memory buffer filled entirely with zeros. This means adversaries can easily forge TLS certificates and handshakes, which would result in communications being intercepted and potentially modified, wrote Neil Madden, the ForgeRock researcher who discovered the vulnerability. There is no need for an attacker to try to figure out the private key in order to match the valid digital signature.

The vulnerability affects "almost all WebAuthn/FIDO devices in the real world," Madden wrote. "Many OIDC providers also use ECDSA-signed JWTs."

**Limited to Newer Versions**  
Back in November, when Madden reported the flaw to Oracle, ForgeRock provided customers with two workarounds – to deploy products with Java 11 or to configure the Java Virtual Machine to use Bouncy Castle as the preferred cryptographic provider.

The fact that the vulnerability is present only in the newer versions may mean the impact of this flaw may be blunted, as adoption rates for Java 15 and newer remain fairly low. The fifth Developer Ecosystem Survey, released in July 2021, found that just 14% of developers were using Java 15 (the most recent version at the time of the survey). The most widely used version is Java 8 (72%), followed by Java 11 (42%). Java 11 was the long-term-support version.

Even though Oracle assigned a severity rating of 7.5 out of 10, Madden said the severity should be a 10, "due to the wide range of impacts on different functionality in an access management context." There are claims of the flaw being the "crypto bug of the year."

_Editor’s Note: This piece was updated to remove the reference that some Yubikeys may be affected. Yubico sent the following statement to Dark Reading:_

_"Yubico is aware of this issue and how it affects Oracle Java 15+ and OpenJDK, including other JDKs derived from OpenJDK. This vulnerability is not in the YubiKey firmware or the WebAuthn protocol, and we recommend organizations and individuals patch their Java deployments. Yubico will continue to provide further guidance on best practices as appropriate in the future."_

What the ECDSA Flaw in Java Means for Enterprises

Threat actor is using the flaw to deliver Core Impact backdoor on vulnerable systems, security vendor says.

An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.

VMware disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, the same time it released a patch for the issue along with fixes for a total of seven other — somewhat less critical — vulnerabilities that were privately reported to the company. VMware identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity ranking of 9.8 on a scale of 10 because the flaw, among other things, allows attackers to gain the highest privileged access in compromised environments.

Days after the flaw was disclosed, proof-of-exploit code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began attacking the flaw to install cryptocurrency coin miners on vulnerable servers.

Among those that began exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons, Morphisec said in a report Monday. The tactics, techniques and procedures of the attackers suggested a link to Rocket Kitten, the security vendor said.

"Many groups appear to be exploiting this vulnerability, but there are not many groups deploying stolen Core Impact implants," says Michael Gorelik, CTO and head of threat research at Morphisec. "The US customer that we saw targeted here is one that has an outreach to many US customers. Unfortunately, we can't share any more details on that currently."

Morphisec has approached Core Security to validate the existence of the watermark within the implant, he says.

The presence of the Core Impact backdoor on the targeted network, he says, is an indication that an APT group was behind it, simply because of how rarely the backdoor has been used by others.

**Ransomware Risk**  
Morphisec described the new vulnerability as a server-side template injection in an Apache Tomcat component of VMware's Workspace ONE Access/Identity Manager that allows remote commands to be executed on the hosting server. The flaw greatly heightens the risk of ransomware attacks and significant security breaches for organizations using the vulnerable technology, the security vendor said.

VMware Workspace ONE Access was previously known as VMware Identity Manager. The technology is designed to give enterprises a way to quickly implement multifactor authentication, single sign-on, and conditional access policies for workers attempting to access enterprise SaaS, mobile, and Web application environments. "It is an identity provider and manager," Gorelik says. "It has access to all the organizational users and acts as access control to the environment."

Morphisec said several vulnerabilities have been disclosed in the VMware technology recently, including two other RCE flaws, CVE-2022-22958 and CVE-2022-22957. While both of these flaws are remotely executable, the attacker would need to have gained administrative access to the vulnerable server first. However, the new flaw from earlier this month does not require attackers to have this level of access to exploit it, Morphisec said.

**PowerShell in the Mix**  
In the attack that Morphisec observed, the attacker — after gaining initial access to the vulnerable system — deployed a PowerShell stager on it that in turn downloaded a highly obfuscated PowerShell script called PowerTrash Loader. The loader then loaded a Core Impact agent in system memory without leaving a trace of forensic evidence.

Gorelik says Morphisec researchers have previously observed APT groups such as Russia's FIN7 use PowerTrash Loader to upload remote-access Trojans such as JSSLoader on target systems in other campaigns.

"The PowerShell command is executed as a direct command sent through server-side template injection," Gorelik says. "The command is an obfuscated PowerTrash downloader that eventually deployed the Core Impact backdoor."

Organizations that implement VMware's patch for the flaw should be protected against it, he says. VMware's advisory noted the flaw is being actively exploited and pointed to workarounds for mitigating the threat for organizations that are not able to immediately patch against it.

Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw

Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.

New analysis has attributed a spear-phishing campaign targeting journalists covering North Korea to APT37/Ricochet Chollimia, a state-backed group linked to the Democratic People's Republic of Korea (DPRK). Notably, researchers said the group is deploying a novel malware strain called Goldbackdoor, a variation of Bluelight malware previously attributed to APT37.

According to a report from researchers at Stairwell, multiple phishing emails were sent to NK News on Mar. 18 that appeared to be from the personal email address of the previously compromised former head of of the South Korean National Intelligence Service, and contained Goldbackdoor malware. NK News handed over the information to Stairwell for further investigation, the cybersecurity firm said.

"Due to the sensitive nature of journalists' work, they are often targets of surveillance and malware, intent on stealing information, ferreting out sources or even destroying evidence and scaring the reporters into not publishing stories," Erich Kron, security awareness advocate at KnowBe4, said in response to the news. "In regimes like North Korea, where news is tightly controlled by the state, articles or information that paints the leadership or government in a negative light is treated as a serious threat to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean State Actors Deploying Novel Malware to Spy on Journalists

The DevSecOps journey is well worth undertaking because it can improve communication, speed up development, and ensure quality products.

DevSecOps can be a confusing concept. Is it a tool? A process? A culture? When do you need DevSecOps? How do you get to that point? What differentiates it from DevOps? Researching the topic often leaves one with more questions than answers.

DevOps started to gain momentum around 2008 when IT operations and software development became more focused on getting code out the door faster and implemented without major roadblocks. Traditional software development life cycles (SDLC) followed a more structured waterfall approach, which led to slower delivery of applications, fixes, and changes.

Then the Agile development methodology started to transform the software development landscape, with smaller and more frequent releases. This faster delivery led to a continuous development process across the entire landscape through collaboration and automation, which has led to the DevOps process. However, many organizations left security to the end of the development process, leading to numerous challenges and issues.

The concept of introducing security into the development life cycle is often termed a "shift left" in the process. Developers are not security specialists and can be reluctant to take on security, as it can impact their ability to push out new code. With increasing pressure to release products in shorter market windows, how does a developer prioritize vulnerabilities? Further complicating the matter is the amount of data that lacks context, making it harder to determine what is required, where, and by whom.

Development and security are not the only teams to be involved in the process. Countless vulnerabilities are found in operating systems, databases, Web servers, and other parts of the infrastructure — most of which are not the responsibility of development, but of operations.

**The 5 Stages of DevSecOps Maturity**

    

Source: Ivanti

The concept of shifting left — including security earlier and as part of the development process — is called DevSecOps. It's about collaboration, awareness, and automation between all teams involved in the development process.  

Here's a brief summary of the maturity journey and each step along the way:

**1\. Beginner.** At the beginner, or basic maturity, stage, there is a desire to undertake DevSecOps; however, organizations are still working in siloed teams with limited collaboration and almost no automation. Releases tend to be large, like a waterfall implementation, and scans are undertaken just prior to release. In this phase of maturity, you are faced with limited vulnerability information and a very reactive approach to resolve issues as they are found.

**2\. Intermediate.** At the intermediate stage, organizations are moving into an adoption phase and have started introducing automation across the process, leading to continuous scans that pick up issues earlier and often. Silos start to break down, and adoption of collaboration becomes common. Software developers are starting to learn about application security and begin applying best practices into their unit testing as part of the acceptance criteria.

**3\. High.** At the high maturity stage, organizations have embraced the DevSecOps process. Within the high maturity state, organizations have a high degree of automation across testing and deployment. Collaboration is now standard, and threat modeling is now incorporated into the process to identify vulnerabilities early and include them in the development life cycle.

**4\. Expert.** In the expert stage, organizations are now undertaking build-based scans with full integration and automation to provide constant feedback to the collaboration teams. Siloes have entirely disappeared, and organizations now have in place cross-functional team alignment. Chaos testing is applied to identify application resiliency, code, and signature validation within the applications.

**5\. Advanced.** Very few organizations have moved into the advanced stage, where an organization centralizes their data into a single source of truth with integration across all tools to collect, normalize, and reconcile events, assets, security, and quality. This single source of truth enables an organization to provide processwide reporting and KPIs to help identify issues in the process and drive improvement, leading to a concept of QualityOps — the holy grail!

The DevSecOps journey is complex but well worth undertaking because it will improve communication, speed up the development life cycle, and ensure quality products. Where does your company stand in its DevSecOps security journey?

When Security Meets Development: The DevSecOps Conundrum

New 'trust' tool improves online experience and helps tackle digital fraud.

PURCHASE, N.Y., and REDMOND, Wash., April 25, 2022 /PRNewswire/ -- Mastercard on Monday announced the launch of an enhanced identity solution designed to improve the online shopping experience and tackle digital fraud in a new collaboration with Microsoft Corp.

"This builds on our commitment of working across the industry to provide advanced technologies that enable trust."

Mastercard has directly addressed these needs by enhancing its **Digital Transaction Insights** solution with next-generation authentication and real-time decisioning intelligence capabilities. The solution pairs Mastercard's network insights with the merchant's own data to confirm the consumer is who they claim to be, providing financial institutions with the additional intelligence needed to optimize their authorization decisions and approve more genuine transactions. Digital Transaction Insights is used across a wide range of online checkout instances, from click-to-pay functionality and wearables to digital wallets and in-app purchases. Now more than ever, delivering a frictionless shopping experience is critical as retailers look to shift window shopping and price comparison visits to confirmed sales. And, while consumers enjoy the convenience of shopping online, fraudsters also seek to develop new methods to use these same channels for ill-gotten gains. One of the growing types of digital fraud is first-party fraud, where a legitimate purchase is made online but later disputed. First-party fraud is estimated to be a $50 billion global issue.

Ajay Bhalla, president, Cyber and Intelligence at Mastercard, said, "Shopping online should be simple, quick and secure. But that isn't always the case. We're committed to developing advanced identity and fraud technology to help enhance the real-time intelligence we provide to financial institutions around the globe. This builds on our longstanding commitment of working across the industry to provide advanced technologies that enable trust, and help build a safe and thriving digital ecosystem for all."

Microsoft will be the first partner to share its insights and integrate with the new Digital Transaction Insights solution across several lines of business. Building on a long history of cross-collaboration, Microsoft's Dynamics 365 Fraud Protection's proprietary risk assessment, which leverages adaptive AI to assist in real-time fraud detection by identifying risky behaviors across purchase, account and in-store activities, has been integrated with Mastercard's Digital Transaction Insights to better enable real-time intelligence sharing in an easily consumable and actionable format. This will enable issuers to enhance their decision-making processes for authorizations, chargebacks and refunds. Moreover, organizations can improve transaction acceptance rates with insights that help them balance profitability and revenue opportunities against fraud loss and checkout friction.

Charles Lamanna, corporate vice president of Business Applications and Platforms at Microsoft, said, "We are excited to partner with Mastercard to leverage our cloud-native, cutting-edge fraud assessment tools to empower issuers and merchants to prevent more fraud and approve more genuine users. This partnership lays the foundation for the future of global fraud prevention where data silos are no longer a barrier to security."

Digital Transaction Insights is enabled by EMV 3-D Secure and Mastercard Identity Check, a global authentication solution built on the enhanced industry standard. Both elements support GDPR requirements and other related regulations. In 2021 alone, Mastercard Identity Check delivered a 14% uplift in transaction approval rates across billions of transactions.

**Additional resources**

For more information about Microsoft Security solutions, visit Microsoft Security. Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow @msftsecurity for the latest news and updates on cybersecurity.

**About Mastercard (NYSE: MA)**

Mastercard is a global technology company in the payments industry. Our mission is to connect and power an inclusive, digital economy that benefits everyone, everywhere by making transactions safe, simple, smart and accessible. Using secure data and networks, partnerships and passion, our innovations and solutions help individuals, financial institutions, governments and businesses realize their greatest potential. Our decency quotient, or DQ, drives our culture and everything we do inside and outside of our company. With connections across more than 210 countries and territories, we are building a sustainable world that unlocks priceless possibilities for all. www.mastercard.com

**About Microsoft**

Microsoft (Nasdaq "MSFT" @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

SOURCE Microsoft Corp.

Mastercard Launches Next-Generation Identity Technology with Microsoft

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

The first quarter of 2022 saw a 46% increase in distributed denial-of-service (DDoS) attacks over Q4 2021, which a new report attributes to a community of "hacktivists" intent on disrupting Russian state interests in retaliation for the Ukraine invasion. 

The report, by security vendor Kaspersky, notes that the volume of DDoS attacks was already historically high, but the first months of 2022 saw more targeted and innovative activity than previously seen. The DDoS attacks also persisted for much longer than previously recorded, with the average DDoS session lasting 80 times longer than during the last months of 2021. 

The report points to one instance from the past quarter where attackers set up a site similar to a popular puzzle game called "2048" to make launching attacks on Russian sites more like a game to recruit others to launch additional attacks. 

"In Q1 2022 we witnessed an all-time high number of DDoS attacks," said Alexander Gutnikov, security expert at Kaspersky, in a statement. "The upward trend was largely affected by the geopolitical situation. What is quite unusual is the long duration of the DDoS attacks, which are usually executed for immediate profit. Some of the attacks we observed lasted for days and even weeks, suggesting that they might have been conducted by ideologically motivated cyberactivists."

Gutnikov pointed out that the report found most organizations were unprepared to defend against DDoS attacks.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading