Cybersecurity is mission-driven, meaningful work that coincides with the service branches' goals to protect, defend, and create a safer world.

Source: William Mullins via Alamy Stock Photo

COMMENTARY  
When I stepped foot onto Mountain Home Air Force Base in 2003, I had no way of knowing how much my technical and leadership skills would flourish over the course of my career in the US Air Force — but I did know I had found a group of disciplined, mission-driven individuals who were all working toward a common goal. And that was special. 

When it came time to transition out of the military last year, I was faced with not only leaving the branch of service I had dedicated my entire professional life to but also having to find who I was and what career path I wanted to pursue for myself. That's no easy task when you've been entrenched in a team-oriented environment for years at a time — in my case, 20. I was afraid I'd never find that sense of community again … until I found the cybersecurity field.  

**Where It All Began**

I attended community college for about a year before I enlisted in the Air Force and began working as a data maintenance technician. I eventually integrated with the Air Force's network team, where I got my feet wet in IT. Over the next 10 years, I worked on small clandestine networks up to enterprise-level, before the military shifted its focus to securing networks.  

The further I ventured into securing domains, the stronger my passion grew for that area. During my time stationed at MacDill Air Force Base, I worked for the Joint Communications Support Element (JCSE), and one of my supervisors approached me about the Certified Information Systems Security Professional (CISSP) certification from ISC2. He saw that I had what it took to sit for the exam, and I began the process. 

**Five Letters and 600 Podcast Episodes Later**

The CISSP certification was not only a testament to the hard work that I had put in throughout my career, but it also served as a key to my progression in the field. It changed my position in the game and my accessibility to opportunities. When having a conversation with those more senior than me, I felt confident and highly respected with the weight of that CISSP by my name. 

I believe to this day that the CISSP is what led me to being able to secure my first job in the corporate world, and acted as a launching pad for my podcast, "The Other Side of the Firewall." That podcast has grown my network monumentally, and having that validation by my name makes it easy to have conversations with everyone from entry-level professionals to CEOs of major companies. We're now more than 600 episodes into the podcast and counting. However, the journey to get to where I am today hasn't all been rainbows and butterflies. 

**The Highs and Lows**

One of the easier components of making the military-to-corporate transition was the networking aspect. During my time in the military, I had worked with phenomenal clients who supported me even after I swapped lace-up boots for a suit. Despite the fact that I was looking for a job at a historically bad time for the tech industry (the early 2023 layoff wave), my connections landed me a job at a data privacy and security company in Georgia.  

My boss at this company was a US Marine veteran, who was able to lead me through what ended up being the hardest part of my switch to corporate life: the lingo. I had to learn to explain how the technical skills I gained in the military translated to be applicable to the clients I was working for in the private sector. Having someone to guide me through that transition from the military to the corporate world who knew how to break me out of my military jargon comfort zone was life changing. 

**Why Cyber?**

I highly encourage anyone transitioning out of the military and looking for a mission-driven line of work to explore the cybersecurity field. With the rate that emerging technologies and the threat landscape are evolving, the demand for cybersecurity professionals is at an all-time high. It's a mission-driven, meaningful line of work that coincides with your service branches' goals to protect, defend, and create a safer world.  

Explore entry-level certifications such as the ones through ISC2, trainings and bootcamps that can help you get a foot in the door, and don't give up if the transition to the corporate world isn't seamless. Cybersecurity is a field that offers continued opportunities to increase your skills, learn from those around you, and make changes that have a direct impact on securing our increasingly digital world. As veterans transition into civilian life and look to find stable, fulfilling careers, I encourage them to give cybersecurity a shot. It's where I've found my tribe again, and I'm forever thankful for the people and programs that helped me along the way. 

**About the Author**

Information Technology Security Analyst, Buddobot

Ryan Williams Sr. is a seasoned cybersecurity consultant and virtual chief information security officer (vCISO) specializing in helping businesses navigate complex governance, risk, and compliance (GRC) challenges. By day, he serves as an IT security analyst for Buddobot, supporting the Independent Verification & Validation (IV&V) division of the US Department of Housing and Urban Development's Office of the Chief Information Officer (OCIO). Nights and weekends, Ryan leads RAM Cyber Consulting and Assessments LLC, delivering tailored cybersecurity solutions such as NIST CSF 2.0 readiness assessments, cyber policy writing, and consulting services to safeguard organizations across various industries.

My Journey From the Air Force to Cybersecurity

Renewable energy firms deal with a large cyberattack surface area, given the distributed nature of power generation and more pervasive connectivity.

Source: KanawatTH via Shutterstock

Renewable energy companies lag behind their more traditional peers when it comes to the cybersecurity readiness of their infrastructure, raising concerns that attackers targeting critical infrastructure could find easier prey among "green" energy firms.

In a study of 250 energy companies worldwide, oil and natural-gas firms scored the highest — with the average company scoring a 94, or "A" — while the lowest scores belonged to renewable energy companies, which scored a median of 85, or a "B." Green energy firms tend to have distributed generation infrastructure (such as rooftop solar or wind turbines) and are usually more Internet-connected than traditional energy companies — both attributes that can undermine their defensive posture, says Ryan Sherstobitoff, senior vice president for threat research at SecurityScorecard, the cybersecurity risk firm that conducted the study.

Overall, the attack surfaces between traditional energy infrastructure and renewable energy infrastructure can be quite different, he says.

"Oil and gas have legacy technologies, but these legacy technologies are most likely not Internet-facing," Sherstobitoff says. "Whereas the cybersecurity posture of renewable energy may not necessarily be \[to the level of other\] critical infrastructure itself ... but nonetheless has public-facing portals and other public-facing issues."

The concerns come as the US and other countries invest in green energy infrastructure and scramble to put in place more cybersecurity defenses to protect their critical infrastructure. Nation-state groups have targeted the critical infrastructure of the US and its allies, and while the distributed nature of green energy generation could mitigate widespread outages, their Internet connections represent a weak point, according to the SecurityScorecard report, which was in collaboration with consultancy KPMG.

**Distributed Green Systems Harder to Defend**

Overall, the energy sector did quite well in the survey of firms. Of the 250 organizations on which data was collected, 81% either scored an A or B. Only 8% of energy firms showed signs of compromise in their external infrastructure, but two-thirds of the breaches were connected to third-party partners, SecurityScorecard reported.

Attacks could prevent renewable energy companies from managing their generation sites to disrupting consumers' power, Sherstobitoff says.

"You could imagine disrupting the ability for these renewable energy devices to connect back and phone home, then you have chaos, because then they can't check in, can't get their status," he says. "If \[the infrastructure\] depends on getting a status code in order to function, it needs to connect back ... that's another breaking function."

Already, some green energy infrastructure has fallen prey to attackers. Charging stations for electric vehicles typically require connectivity, which makes them vulnerable to both compromise and disruption. In 2022, pro-Ukrainian hacktivists compromised chargers in Moscow to display messages of support for Ukraine. In 2019, a solar firm could no longer manage its 500 megawatts of wind and solar sites in the western US after a denial-of-service attack targeted an unpatched firewall, the FBI stated in a Private Industry Notification (PIN) in July.

The risk could extend all the way to homeowners, who increasingly have adopted rooftop solar and need to be connected to be able to deliver their solar power and be credited.

"This issue will only become more important as small solar systems continue to grow. When every house is a power plant, every house is a target," Morten Lund, of counsel for Foley & Lardner LLP, wrote in a brief directed at energy companies. "In many ways, the distributed nature of solar energy provides significant protection against catastrophic failures. But without sufficient protection at the project level, this strength quickly becomes a weakness."

**Third-Party Suppliers Cause Concern**

The energy sector is also open to greater third-party risk, with 47% of breaches of energy companies involving a third party, compared with 29% across all industries. In addition, many green energy projects tend to be locally managed or developed by a smaller startup, which could raise risks, especially as the US rushes to adopt more green infrastructure, the FBI stated in its PIN.

"With federal and local legislature advocating for renewable energies, the industry will expand to keep pace, providing more opportunities and targets for malicious cyber actors," the FBI stated.

The US National Strategy for Cyberspace calls out renewable energy as a key industry to defend online. Rich countries tend to have better defenses than poorer economies, as they have better regulations and organizations have more budget to spend on security.

Regulations continue to be the top reason energy firms invest in cybersecurity, with nearly half of companies (49%) citing regulatory requirements among their top three reasons for assigning budget, compared with 38% citing a cybersecurity incident or near miss affecting their company, according to risk management consultancy DNV's "Energy Cyber Priority 2023" report.

"Most renewable sites have not been developed with cybersecurity in mind, but several companies are picking up quickly," says Auke Huistra, DNV Cyber's industrial and operational technology cybersecurity director. "From our engagements, we have seen immature but also mature green energy companies. What we do see is that \[cybersecurity gets\] more and more attention ... driven by incidents in the industry as well as regulations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cybersecurity Isn't Easy When You're Trying to Be Green

Vulnhuntr is a Python static code analyzer that uses Claude AI to find and explain complex, multistep vulnerabilities.

Source: ProtectAI via GitHub

Researchers at Protect AI have released Vulnhuntr, a free, open source static code analyzer tool that can find zero-day vulnerabilities in Python codebases using Anthropic's Claude artificial intelligence (AI) model.

The tool, available on GitHub, provides detailed analysis of the code, proof-of-concept exploits for the vulnerabilities identified, and confidence ratings for each flaw, Protect AI said in its announcement.

Vulnhuntr breaks the codebase into smaller chunks rather than overwhelming the large language model's (LLM) context window size by loading in the entire file at once. The tool uses prompt-engineering techniques to feed highly detailed, vulnerability-specific prompts into Claude, at which point the AI asks for additional code snippets until it has gathered enough information to map the application from user input to server output. This way, the LLM can analyze the entire call chain — which encompasses connections between files, functions, and variables across a project — without losing context. This level of analysis means the AI doesn't just stop when it finds risky code, but rather investigates how that code interacts with the rest of the project, which the research team says helps decrease false positives and negatives.

The tool currently focuses on the following types of vulnerabilities that can be exploited remotely: arbitrary file overwrite (AFO), local file inclusion (LFI), server-side request forgery (SSRF), cross-site scripting (XSS), insecure direct object references (IDOR), SQL injection (SQLi), and remote code execution (RCE).

Vulnhuntr's team says the tool has already discovered more than a dozen zero-day vulnerabilities in popular Python projects on GitHub, including gpt\_academic, FastChat, and Ragflow. Vulnhuntr flagged a RCE flaw in the machine learning library Ragflow, which has already been fixed.

Open Source LLM Tool Sniffs Out Python Zero-Days

Amazon's open source Cloud Development Kit generates dangerously predictable naming patterns that could lead to an account takeover.

Source: Dzianis Hill via Alamy Stock Photo

The Amazon Web Services Cloud Development Kit (CDK), a popular open source tool, allows cyber teams to conveniently build software-defined cloud infrastructure with widely used programming languages, such as Python and JavaScript. But here's the problem: During deployment and by default, AWS CDK creates a "staging" S3 bucket with a dangerously predictable naming convention that, if exploited by threat actors, could lead to total administrative access to the associated account.

In a new report, researchers from Aqua said AWS confirmed the vulnerability affected about 1% of CDK users. AWS subsequently notified those effected by the issue in mid-October. Versions of CDK v2.148.1 or earlier require users to take action.

"A key takeaway for open source projects that rely on AWS is to ensure they don't use predictable bucket names," says Yakir Kadkoda, lead security researcher with Aqua. "They should provide an option for users to modify the bucket name that the open source project creates for its operation or implement a check on the bucket owner to avoid such vulnerabilities."

There's no way to know if the vulnerability, which doesn't have an associated CVE number, has been exploited in the wild, Kadkoda adds.

**What Is S3 Bucket Namesquatting and Bucket Sniping?**

The vuln is introduced during the bootstrapping process, the report explained, during which AWS creates an S3 staging bucket for storing a variety of deployment assets. Because the name of these AWS S3 buckets follow a pattern: cdk-{qualifier}-assets-{account-ID}-{Region}, the team found all adversaries need to break into any of these buckets is the account identification number, and region — the only fields that change from bucket to bucket.

Not only does this let attackers break into an existing S3 bucket, they can also create an entirely new S3 bucket.

"If the attacker sets up the bucket ahead of time, when the user later tries to bootstrap the CDK from a specific region, they will encounter an error during the process because the CDK bucket that the bootstrap process attempts to create already exists," the Aqua report added. "The documentation advises selecting a non-default qualifier."

This is a tactic the report calls "S3 bucket namesquatting" or "bucket sniping" and gives the threat actor the ability to execute malicious code inside the target AWS account.

"As a reminder, the CDK staging bucket contains CloudFormation templates," the report added. "If an attacker gains access to the CDK staging bucket of other users, these files can be easily tampered with and backdoored, enabling the injection of malicious resources into the victim’s account during deployment."

This latest report expands on Aqua's previous analysis of the danger of configuring S3 buckets with easily guessed names into open source tools.

"This research emphasizes the importance of not using predictable bucket names and keeping the AWS account ID secret to avoid being vulnerable to these types of issues in the future," Kadkoda advises.

AWS's Predictable Bucket Names Make Accounts Easier to Crack

PRESS RELEASE

BOSTON, Oct. 23, 2024 (GLOBE NEWSWIRE) -- Grip Security, the leader in SaaS identity risk management, today released its research report, “2025 SaaS Security Risks.” The report reveals that traditional security measures are no longer sufficient to address the growing risks from unmanaged SaaS applications and user accounts. Alarmingly, 90% of SaaS applications and 91% of AI tools within organizations remain unmanaged, underscoring a widespread vulnerability that continues to grow.

As SaaS reliance expands, Grip's research highlights the limitations of traditional security strategies in combating the “SaaS risk creep” – the gradual increase of vulnerabilities from unmanaged applications and their associated accounts. Key findings from the report include:

*   The number of SaaS applications used in an enterprise increased by 40% over the last two years
    
*   SaaS applications per employee have steadily risen, marking an 85% increase in number of accounts per user
    
*   73% of provisioned users never use their SaaS application license
    
*   ChatGPT was found in 96% of analyzed organizations, and usage has increased 24x since its launch
    
*   42% of popular AI applications have SAML capabilities, but 80% of these apps are not managed and federated with the SAML protocol
    

“The sheer volume of unmanaged SaaS apps and AI tools we found in organizations shows the large gap between perceived and actual security,” said Lior Yaari, co-founder and CEO of Grip Security. “Businesses need real-time visibility into these applications and a risk governance program to manage their risks to stay ahead of the curve.”

The Growing Challenges of Shadow SaaS  
A major concern highlighted in the report is the rise of Shadow SaaS and Shadow AI—applications used without IT’s visibility or control. These applications put organizations at risk of data breaches, non-compliance issues, operational inefficiencies and confidential information leaks. As Gartner projects that by 2027, 75% of employees will use technologies outside IT’s oversight, organizations must rethink their SaaS security strategies to address the growing risk of unmanaged applications.

Despite billions spent on addressing SaaS-related risks, existing security solutions like CASBs have proven inadequate. These tools fail to keep up with the complexities of modern SaaS environments, generating excessive data noise and false positives that hinder security teams from focusing on real threats.

"As SaaS continues to grow, businesses can't afford to rely on outdated tools. A holistic, identity-driven approach is now critical to ensure SaaS security and risk management," added Yaari. "The consequences of inaction are too severe—it's time for enterprises to address this risk proactively and rethink their security strategies to match the speed of SaaS adoption."

Need for a New Approach  
Today’s SaaS-reliant organizations urgently need to move beyond traditional security tools. As highlighted by industry experts, business-led IT is driving much of this growth. As a result, responsibility for managing SaaS risks can no longer fall solely on IT and security teams—it requires collaboration across departments, including business app owners and end users, to effectively manage SaaS risks at scale. A flexible, identity-centric approach that empowers employees while controlling risk is the only way forward in this evolving landscape.

Without this shift, organizations will remain vulnerable to security breaches. High-profile incidents like those at Snowflake and Microsoft demonstrate the dangers of unmanaged SaaS environments, Shadow SaaS and dangling access. Companies that proactively adjust to these evolving SaaS trends will be better equipped to protect sensitive data, ensure compliance, optimize financial resources and foster innovation while minimizing associated risks.

Methodology  
The findings from Grip’s SaaS Security Risks report are based on anonymized data from Grip SaaS Security Control Plane (SSCP) solution. This includes insights from over 29 million SaaS user accounts, 1.7 million identities and 23,987 SaaS applications posing potential risk.

To get additional insights on 2025 SaaS and AI tool security risks, download Grip Security’s full report.

Information on the Grip SaaS Security Control Plane Platform is available online.

About Grip Security  
Grip Security is a pioneer in SaaS identity risk management, providing innovative solutions to help enterprises address the security risks associated with widespread SaaS adoption. The company’s SaaS Security Control Plane platform helps companies discover, prioritize, secure and orchestrate the mitigation and remediation of risks. The innovative approach of leveraging identity as the key control point allows companies to secure all SaaS applications and empowers enterprises to embrace SaaS adoption securely.

Grip Security Releases 2025 SaaS Security Risks Report

PRESS RELEASE

WASHINGTON, Oct. 24, 2024 /PRNewswire/ -- Hunter Strategy, a leading cybersecurity and technology consulting firm, today announced the addition of renowned cybersecurity expert Jake Williams to its leadership team. Williams joins as Vice President of Research and Development and Managing Director of Hunter Labs, bringing his extensive expertise to drive innovation and growth within the company.

Jake Williams, widely known as "MalwareJake," is a distinguished thought leader in cybersecurity. His impressive career includes founding Rendition Infosec, serving as a tactical operator for the NSA's Tailored Access Operations unit, and contributing as a sought-after speaker and instructor for SANS Institute and major cybersecurity conferences.

In his new role, Williams will spearhead Hunter's "Labs" division, an innovative incubation services lab designed to offer comprehensive solutions for family investment offices, private equity firms, and venture capitalists. Hunter Labs will focus on performing complex research in emerging technologies, conducting independent verification and validation of cutting-edge solutions, providing technical product advisory services, and executing deep technical due diligence for potential investments and acquisitions.

"We are exceptionally proud to welcome Jake Williams to the Hunter Strategy team," said Matt Triner, CEO of Hunter Strategy. "Jake's unparalleled expertise and visionary approach will be instrumental in accelerating our growth at the intersection of cutting-edge research and practical, market-driven solutions. His leadership of Hunter Labs will enable us to provide even greater value to our clients and partners in the rapidly evolving cybersecurity landscape."

Williams expressed his enthusiasm for joining Hunter Strategy, stating, "I'm excited to lead Hunter Labs and work alongside the talented team at Hunter Strategy. Our goal is to push the boundaries of cybersecurity research and development, creating innovative solutions that address the complex challenges facing organizations today. Hunter Labs will be at the forefront of identifying and nurturing the next generation of cybersecurity technologies."

Hunter Strategy is a premier cybersecurity and technology consulting firm dedicated to providing innovative solutions to complex security challenges. With a team of industry-leading experts, Hunter Strategy offers a wide range of services, including cybersecurity consulting, technology implementation, and now, through Hunter Labs, cutting-edge research and development.

You May Also Like

Jake Williams Joins Hunter Strategy As VP of RND &amp; Managing Director of Hunter Labs

PRESS RELEASE

SAN FRANCISCO, Oct. 23, 2024 /PRNewswire/ -- Schubert Jonckheer & Kolbe LLP is investigating a cyberattack and data breach potentially affecting the private information of up to 14 million customers of American Water Works Company, Inc., a New Jersey-based water and wastewater utility company that operates in 14 states and manages 500 water systems.

On October 7, 2024, American Water announced in a Form 8-K filed with the Securities and Exchange Commission that it experienced a cybersecurity incident. The company shut down its MyWater customer portal and is pausing billing until further notice.

American Water has failed to inform its customers whether their private information was stolen by the hackers in the attack, only stating on its website that it will "provide more information when and as appropriate." The company collects and requires its customers to provide personally identifiable information, including names, emails, postal addresses, phone numbers, location information, Internet and other electronic network activity, financial information, health information, and other sensitive personal data.

If your private information was impacted by this incident, you may be at risk of identity theft, financial fraud, and other serious violations of your privacy. As a result, you may be entitled to money damages and an injunction requiring changes to the company's cybersecurity practices.

If you received notification of this data breach or are a current or former customer of American Water and wish to obtain additional information about your legal rights, please contact us today or visit our website at https://www.classactionlawyers.com/americanwater.

About Schubert Jonckheer & Kolbe LLP  
Schubert Jonckheer & Kolbe represents shareholders, employees, and consumers in class actions against corporate defendants, as well as shareholders in derivative actions against their officers and directors. The firm is based in San Francisco, and with the help of co-counsel, litigates cases nationwide.

You May Also Like

American Water Under Investigation for Cyberattack Potentially Affecting 14M Customers

Even after the ransom is paid, such attacks lead to spikes in strokes and heart attacks and increased wait times for patients.

Source: Dennis Gross via Alamy Stock Photo

Nearly 400 US healthcare organizations have been infected with ransomware this fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.

The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware's most lucrative target sectors.

The disruption that healthcare operations face when hit with ransomware attacks doesn't just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.

Researchers at Microsoft compared the effects of a ransomware attack against four hospitals and found that these events increased patient volume by 15%, increased waiting room time by almost 50%, increased the number of confirmed strokes by 113%. Cardiac arrest cases went up by 81%.

According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.

As for the threats actors and ransomware gangs, Russia is known for providing a safe harbor for gangs who attack US infrastructure; Iranian groups in particular have been most active in attempted attacks against healthcare organizations this year. Chinese cyber crews are also getting in on the action and targeting healthcare as a cover for government-backed espionage.

**About the Author**

Microsoft: Healthcare Sees 300% Surge in Ransomware Attacks

An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.

Source: Thomas Kyhn via Alamy Stock Photo

An unknown threat actor has compromised Fortinet devices en masse across various industries, leaving no particular indication of what they plan to do next.

The campaign was enabled by a critical vulnerability, CVE-2024-47575, which the Cybersecurity and Infrastructure Security Agency (CISA) has just added to its Known Exploited Vulnerability (KEV) catalog. It affects Fortinet's FortiManager tool, the single, centralized console from which organizations can manage all their Fortinet brand firewalls, access points, application delivery controllers (ADCs), and email gateways. Up to 100,000 devices can be managed from a single FortiManager interface, making it an efficient tool for IT administration, and a spectacular launchpoint for cyberattacks.

According to Mandiant, a threat actor it now tracks as UNC5820 used CVE-2024-47575 to compromise more than 50 instances of FortiManager. Doing so enabled them to siphon off information about the various devices connected to those FortiManager instances, which could prove useful in follow-on attacks. To this point, however, no malicious follow-on activity has been observed.

**A Critical Vulnerability in FortiManager**

CVE-2024-47575 results from a missing authentication in the fgfmd daemon, a "critical function" that facilitates communication between FortiManager and the various Fortinet devices it manages. Using specially crafted requests, a remote, unauthenticated attacker could exploit this missing authentication to execute arbitrary code or commands in a targeted device. The centrality of the vulnerable daemon, combined with the severe effect of such an attack, have earned CVE-2024-47575 a "critical" 9.8 out of 10 score according to the Common Vulnerability Scoring System (CVSS).

“These types of exploits are some of the most coveted by attackers as little to no action is required on the part of the victim for the attacker to gain remote access," notes T. Frank Downs, senior director of proactive services at BlueVoyant. "Large-scale exploitation could enable lateral movement to other managed devices, leading to widespread network disruption and data breaches. These actions, in turn, could allow attackers to exfiltrate sensitive data from FortiManager devices, including configurations and credentials."

The unidentified threat actor UNC5820 has already halfway demonstrated what one can do with CVE-2024-47575. Beginning June 27, UNC5820 connected to multiple Fortinet devices from an IP address in Japan. Quickly, a series of important files were zipped into an archive file. These included the targeted FortiManager's build, version, and branch data, configuration files for FortiGate devices it managed, hashed passwords, and more.

Researchers identified another exploitation attempt in September, during which the attacker managed to register their own, unauthorized Fortinet device to the targeted FortiManager console.

In theory, all this data would have been useful for getting to know the target's environment, and laying the groundwork for a mean follow-on attack. "The potential damage from this vulnerability is significant, as it allows attackers to remotely execute code and access sensitive data without authentication, leading to data breaches, network disruptions, and unauthorized access to critical systems," Downs says. And yet, Mandiant has not observed evidence of any such attacks to date.

**What to Do Now**

To exploit CVE-2024-47575 in the first place, UNC5820 would have required some means to reach an organization's FortiManager device. Thus, only those exposed to the Internet are likely to have been targeted.

For organizations with exposed management consoles, Mandiant recommends immediate, thorough forensic investigations, and only allowing known devices and IPs access to FortiManager. Fortinet's FortiGuard Labs has also published further recommendations for remediation to its blog, including workarounds for cases in which an upgrade to the latest software is not possible.

In response to a request for comment from Dark Reading, Fortinet offered the following statement:

"After identifying this vulnerability (CVE-2024-47575), Fortinet promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors. We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates. We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Critical Bug Exploited in Fortinet's Management Console

A government report's criticism of the 100x metric often used to justify fixing software earlier in development fuels a growing debate over pushing responsibility for secure code onto developers.

Source: Casimiro PT via Shutterstock

The common wisdom in the software industry is that fixing a vulnerability during production is 100 times more expensive than fixing it during the design phase. This massive purported cost of defects has fueled arguments — especially from vendors — that developers need increasingly complex — and expensive — tools to catch more bugs earlier in the development pipeline.

Yet software security professionals are now questioning the extreme nature of that financial trade-off.

In a draft report released last week, the Cybersecurity and Infrastructure Security Agency (CISA) noted that the origins of the factor-of-100 figure remain shrouded by four decades of rote repetition and that, even if true, the software development process that may have supported the figure has since changed. In short, agile development and the ability to push code to deployment rapidly and frequently may have reduced the cost of fixing mistakes in production code. This means the effort to saddle developers with the responsibility for code security — referred to as "shifting left" — may be overwrought.

Chris Hughes, CEO and co-founder of Aquia, a digital transformation security firm, didn't pull any punches in a LinkedIn post, using a vulgarity to describe shift left.

"Security beats Developers over the head with these poor quality noisy outputs, slowing down velocity and ultimately the business," Hughes said.

Other security and software experts weighed in on the LinkedIn post in a heated discussion — some in whole-hearted agreement, others challenging the notion that fixing software defects as early as possible is anything other than "common sense."

The kerfuffle is the latest sign of resurgent tensions between arguably a majority of developers, who see security requirements as a hurdle to better productivity, and DevSecOps-style developers and application security specialists, who see secure software as a quality target that also inevitably saves money.

**Questioning the Common Wisdom**

On Oct. 11, CISA published a report to its director on the Secure by Design initiative, an effort that aims to drive security into the software development and design phases to eliminate vulnerabilities that have allowed significant damage to critical networks and the compromise of sensitive information. The report noted specific challenges in convincing organizations to adopt better security practices, such as a lack of economic incentives for businesses to invest in security and to fix vulnerabilities. Companies such as Target and SolarWinds demonstrate that significant incidents do not lead to financial consequences, as both companies retained customers and recovered any lost market capitalization.

As a result, it remains unclear whether — and how much — companies should shift the security responsibilities leftward to developers, CISA stated in the report. Finding that balance for organizations is not a clear-cut effort.

"It is a commonly held belief that fixing vulnerabilities earlier is more cost effective," the report stated. "'Shift left' emphasizes moving testing activities earlier in the development process, with the notion that earlier identification of issues is better and produces a higher quality product. The challenge is in quantifying how much investment needs to be made."

Aquia's Hughes stressed in an interview with Dark Reading that the point of his post is that developers should be trained in security and offered better tools to secure products, but not by arguing with unsupported economic data.

"Businesses are focused on the financial aspect— they're motivated differently than security. As much as we wish that security was the only thing they cared about, it's simply not," Hughes said. "The need to worry about speed to market and feature velocity, rolling out new features and capabilities for customers. ... There's many benefits for shift left, but the financial benefit may not be one of them, and that \[was\] a big way to motivate the business from a financial perspective."

**Not the Metrics You're Looking For...**

The idea that bugs cost much more to fix in production systems than during the design stage started in the 1970s, as computer scientists and operations engineers studied software engineering. Barry Boehm, who served as chief scientist at TRW Defense Systems Group and as a distinguished professor of computer science and industrial engineering at the University of Southern California, created the Constructive Cost Model (COCOMO) of software engineering economics in the late 1970s and detailed its applications in his book, Software Engineering Economics, published in 1981.

In a 2021 paper, Boehm credited the 100x factor to a prior paper, "Industrial Metrics Top 10 List," which he published in 1987. Yet even Boehm noted that the measurement had likely changed over the years, saying that fixing a software problem after delivery is "often 100 times more expensive" and highlighting that the insertion of the word "often" was an update to his previous thinking.

"One insight shows the cost-escalation factor for small, noncritical software systems to be more like 5:1 than 100:1," Boehm stated in the 2001 paper "Software Defect Reduction Top 10 List." "This ratio reveals that we can develop such systems more efficiently in a less formal, continuous prototype mode that still emphasizes getting things right early rather than late."

Other data on the costs of fixing software defects included a 15:1 estimate calculated from detailed responses to a survey conducted by the National Institute of Standards and Technology (NIST), according to a 2002 report, "The Economic Impacts of Inadequate Infrastructure for Software Testing."

A survey of software developers finds that it takes 15 times more effort to fix a software defect after release compared to the requirements phase. Source: The Economic Impacts of Inadequate Infrastructure for Software Testing, NIST

The increasing focus on cloud-native and DevOps processes has led to a reduction in the cost of updating applications and, thus, the cost of distributing software fixes. The process of distributing tape, disks, or CDs with new software in the 1980s and 1990s has evolved into online updates and software-as-a-service, which requires no action on the part of the user and are much cheaper to update.

In one case study, a large health insurer implemented better defect detection and tracked the savings of fixing bugs earlier from 2013 to 2017 . It concluded that the company saved about $21 million from its previous annual security costs of $28 million. The case study, authored by then Aetna CISO Jim Routh and software security guru Gary McGraw, suggests that triaging bugs later costs four times more than fixing them during development.

"While the costs have absolutely changed, the final principle has not," says Routh, now the chief trust officer for cloud identity firm Saviynt. "It's still less expensive to produce quality software" than to produce buggy software and fix it later.

Adopting a culture of DevSecOps can help. Rather than forcing developers to use specific tools, application security specialists should work with them to develop a process for producing resilient code, says Routh.

**Shift Left Still Makes Financial Sense**

As CISA points out, the question that remains unanswered is how much the economics of software engineering say companies should focus on quality assurance, security, and resilience. A lot of assumptions need to be updated, and companies should be fostering a DevSecOps mentality, says Janet Worthington, senior analyst with business intelligence firm Forrester Research.

"When you say the phrase 'shift left,' I think it can imply to some people ... that it's just a set of tools that developers have to implement and all the burden is on them," she says. "And I think there's been a reaction over the years that you can't just put the burden on developers for security."

By embedding security knowledge throughout not only development but also testing and operations, companies create a more resilient foundation on which to build and deploy software, she says.

In the end, however, the question seems to be not whether fixing software earlier is better or more cost effective, but asking what needs to be better studied to determine how much to invest in driving security through development or operations.

Executives and DevOps teams need to take a total cost of ownership approach to development costs, says Gary McGraw, author of more than a half-dozen books on software security and former chief technical officer at Cigital, a software security firm.

"Developers should be deeply into securing their software," he says, adding that companies should have a software security specialist on every DevSecOps team who can participate, creating security features, doing security testing, and checking security design as a member of the team.

In his experience, there is no question that preventing problems now is better — from a quality, resilience, and security standpoint — than waiting until later.

"It's cheaper to fix bugs when you're still coding. It's cheaper to fix architecture when you're still thinking it up," he says. "Ultimately, the shift left thing is absolutely correct."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading