PRESS RELEASE

ATLANTA, Sept. 24, 2024 /PRNewswire/ -- OneTrust, the market-defining platform helping organizations use data and AI responsibly, today announced new capabilities to help organizations enhance resilience across the financial sector and operationalize compliance with the EU's Digital Operational Resilience Act (DORA). Building upon its comprehensive OneTrust Third-Party Management solution, OneTrust will now offer first-to-market capabilities such as automated DORA "register of information" report creation and out-of-the-box depth of screening and compliance data.

"An organization's supply chain can be one of its biggest assets for efficiency and innovation, as well as its most significant obstacle to cyber resiliency. Amid growing global mandates for cyber resiliency like DORA, teams need a deep understanding of their extended enterprise and tools for managing risk at scale. By expanding on our robust Third-Party Management capabilities with game-changing, new capabilities, teams can gain much-needed visibility, automate risk and compliance management, and strengthen resilience," said Shiven Patel, Director of Third-Party Management at OneTrust.

With OneTrust, teams can gain much-needed visibility, automate risk and compliance management, and strengthen resilience

Introducing new capabilities to enhance resilience and operationalize DORA compliance

To further help organizations efficiently manage information and communication technology (ICT) and digital supply chain resilience and operationalize DORA compliance, OneTrust is delivering several new, standout capabilities:  

*   4th- and nth-party risk management: Now, teams can automatically identify, link, and assess fourth and even nth parties to efficiently monitor concentration risk and demonstrate proportionality. 
    
*   Two-click register of information reporting: Quickly generate a complete "register of information" in relation to all contractual arrangements on the use of ICT services provided by ICT Third-Party Service Providers (ICT TPPs) and ICT service supply chains.
    
*   Enhanced risk and compliance data feeds: Meet due diligence requirements and screen ICT service providers against out-of-the-box risk and compliance datasets from Dow Jones Risk & Compliance, HackNotice, ISS-Corporate, RapidRatings, RiskRecon, Security Scorecard, and Supply Wisdom.
    

How Third-Party Management already helps organizations comply with DORA

Today, Third-Party Management empowers organizations to centralize the end-to-end risk management lifecycle. For ICT and supply chain risks and more, the solution allows teams to implement a data-centric and risk-based approach to identifying and mitigating risk, while continuously monitoring for changes to risk posture. Thanks to OneTrust's cross-domain insights, organizations can align internal teams and guide risk-aware decision-making to create a more resilient, secure, and scalable third-party ecosystem. Ahead of DORA taking effect in January 2025, Third-Party Management helps organizations meet the Act's third-party ICT requirements pertaining to:

*   Pre-Contract ICT Assessment
    
*   Inventory, Link, and Report on the ICT supply chain 
    

Third-Party Management also integrates seamlessly with different solutions across the OneTrust Platform, including the newly introduced Compliance Automation. Compliance Automation and Third-Party Management work together to operationalize an actionable breakdown of the DORA regulatory requirements into measurable capabilities and build a fully compliant ICT risk management program.

Additional resources

*   Stop by booth 412 at the Gartner Security & Risk Management Summit, September 23-25 in London to learn more
    

About OneTrust

OneTrust unlocks the full potential of data and AI, responsibly. Our platform enforces the secure handling of company data, empowering organizations to drive innovation responsibly while mitigating risks. With a comprehensive suite of solutions spanning data and AI security, privacy, governance, risk, ethics, and compliance, OneTrust enables seamless collaboration between data teams and risk teams to enable rapid and trusted innovation. Recognized as the market leader in trust, OneTrust boasts over 300 patents and serves more than 14,000 customers globally, ranging from industry giants to small businesses. For more information, visit www.onetrust.com. 

© 2024 OneTrust LLC. All rights reserved. OneTrust and the OneTrust logo are trademarks or registered trademarks of OneTrust LLC in the United States and other jurisdictions. All other brand and product names are trademarks or registered trademarks of their respective holders.

OneTrust Automates DORA ICT Risk Management and Compliance

The vendor says there are no reports of the flaws being exploited in the wild nor any public exploit codes currently available.

Source: JHVEPhoto via Alamy Stock Photo

HPE Aruba Networking fixed three critical vulnerabilities found in its systems that could allow unauthenticated attackers remote code execution on compromised devices.

The vulnerabilities, tracked as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507, lie in the command line interface (CLI) service of Aruba access points (APs) and can be exploited by sending packets to Aruba's AP management protocol UDP port to gain privileged access and execute arbitrary code.

The security bugs affect Aruba APs running Instant AOS-8 and AOS-10, according to the Hewlett Packard Enterprise subsidiary.

The impacted software includes AOS-10.6.x.x: 10.6.0.2 and below, AOS-10.4.x.x: 10.4.1.3 and below, Instant AOS-8.12.x.x: 8.12.0.1 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and below.

While there are workarounds for devices running Instant AOS-8.x code and AOS-10, it's recommended that administrators install the latest updates HPE provided on its networking support portal to prevent attacks from malicious actors.

Other Aruba products such as Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways have not been impacted.

There are no reports of the flaws being exploited in the wild and no public exploit codes currently available, according to the HPE Security Response Team.

**About the Author**

Security Upgrades Available for 3 HPE Aruba Networking Bugs

Companies in this industry vertical tend toward large financial transactions with partners, suppliers, and customers.

Source: devilmaya via Alamy Stock Photo

A small group of transportation and logistics companies in North America has been targeted in cunning business email compromise (BEC) attacks.

Since May, an unknown threat actor has weaponized at least 15 email accounts associated with its targeted companies. In a blog published on Sept. 24, Proofpoint researchers could not say how the threat actor first obtained access to these accounts. What is known is that the attacker is using the accounts to bury initial access malware inside of existing email chains, betting that recipients will have their guards down so deep into ongoing conversations with colleagues.

"Thread hijacking is obviously very effective," says Daniel Blackford, director of threat research for Proofpoint. "Once an account takeover has happened, this increased legitimacy makes it much harder for anyone but those who are the most vigilant" to spot it.

**Bespoke Phishing Attacks**

From May to July, the threat actor primarily hid payloads inside of Google Drive files leading to Internet shortcut (URL) files. When executed, the attack chain uses server message block (SMB) to retrieve an executable file from a remote share, which installs one of a number of different, known malware tools. Among them: Lumma, the most common infostealer in the world today; StealC; and the legitimate tool NetSupport.

In August, the attacker shifted to using the "ClickFix" technique for tricking victims into downloading its malware. With ClickFix, a malicious webpage presents the victim with a fake pop-up error message. Through a series of dialogue boxes, the victim is instructed to copy and paste a supposed fix for the issue into a PowerShell terminal or Windows Run. In fact, the so-called fix is a script, which downloads and runs an executable. In these recent phishing attempts, the executables for download included DanaBot and Arechclient2 (aka SectopRAT).

Why ClickFix works at all — despite asking for much more active engagement and technical monkeying from the victim — can seem confounding.

"The human psychology behind why really convoluted attack chains work continues to astonish me on a yearly basis," Blackford admits. He does, though, have a theory. "Something that I've heard is that it can be annoying to deal with IT, so if the 'solution' is right in front of you, and you don't have to communicate with a help desk and have people remote into your to your system to fix them, then maybe it's actually less trouble to just try to execute it yourself."

**Why Transport and Logistics Make Attractive Targets**

Various threat actors have disguised ClickFix behind fake Windows and Chrome updates. In this case, the attacker impersonated Samsara, AMB Logistics, and Astra TMS, platforms highly specialized for fleet and freight management, demonstrating the highly targeted nature of the campaign.

As Blackford notes, transport and logistics companies can make attractive targets for financially motivated cyberattacks. "They do business with lots of entities — suppliers for a lot of industrial manufacturers, for example," he says. "They're going to be corresponding with a lot of different companies. There's going to be a lot of moving parts — a lot of things in and out, constantly moving — so a lot of opportunities to find connected, future victims from just one company."

With fertile ground to sneak in amongst the many moving players and deals, he notes, "There are requests for quotes and invoices that are of a fairly large magnitude — that are, in terms of the finances involved, maybe an order of magnitude higher than in some other industries."

He adds that, while rare, "There also is some evidence recently of threat actors trying to redirect legitimate shipments to locations that are under their control."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Transport, Logistics Orgs Hit by Stealthy Phishing Gambit

PRESS RELEASE

NEW YORK, September 24, 2024 –Torq, the AI-first security hyperautomation leader, today announced the closing of its $70M Series C funding round, led by Evolution Equity Partners, with Bessemer Venture Partners, Notable Capital, Greenfield Partners, and Strait Capital participating. Combined with Torq’s expanded Series B in January, Torq has raised a total of $112m in 2024, bringing the company’s funding since its 2020 inception to $192M. It also has also established an aggressive 2026 ARR target of $100M. Torq will use the new round to increase expansion across EMEA and APAC, hire additional world class engineering, R&D, and sales talent, and double down on devoting more resources to deliver cutting-edge generative AI enhancements.

In addition, Torq announced that it more than tripled its revenue and customer growth for the second year in a row. Torq’s momentum reflects the elevating enterprise adoption of the recently-announced Torq HyperSOC, a purpose-built solution that harnesses the power of the AI-driven Torq Hyperautomation Platform to automate, manage, and monitor critical SOC responses at machine speed. It uses Natural Language Processing (NLP) to initiate and accelerate security event investigation, triage, and remediation at scale, deliver comprehensive case management capabilities with unprecedented ease, and automate complex processes. Torq HyperSOC saves analysts from alert fatigue and job burnout so they can focus on strategic security initiatives and innovation. 

**Rapid Global Enterprise Adoption**

Torq’s customer base includes major multinational enterprise customers, including Abnormal Security, Armis, Blackstone, Carvana, Check Point Security, Chipotle, Deepwatch, Lemonade, Lennar, Nubank, Rivian, SentinelOne, Telefonica, Wiz, and ZoomInfo, as well as Fortune 100 consumer packaged goods, fashion, financial, hospitality, and sports apparel companies.

“Our Series C round underlines the fact that Torq customers, partners, and employees have combined into one of the most powerful, influential, and fastest-growing ecosystems in all of cybersecurity,” said Ofer Smadari, CEO and co-founder, Torq. “We’ve rewritten the rules of the industry with Torq Hyperautomation and Torq HyperSOC, and our momentum reflects that shift. Torq has blown past all the frustrating, manual limitations of legacy SOAR that leave significant holes in the security perimeter. Torq plugs all those holes by delivering a new layer of AI-driven protection, all while making all of security operations more productive than ever.”

“Today, Torq HyperSOC investigates, triages, and remediates many of Check Point’s internal security alerts without any human intervention,” said Jonathan Fischbein CISO, Check Point. “If an alert meets certain parameters based on organizational security policies, the platform takes relevant predefined steps, such as initiating an MFA challenge or locking out a suspicious user. We can react automatically to problems before they become security incidents.”

“The incredible growth, customer traction, and industry momentum Torq Hyperautomation and Torq HyperSOC are experiencing showcases how Torq is dramatically transforming cybersecurity for the better,” said Richard Seewald, Founder and Managing Partner, Evolution Equity Partners. “Evolution is incredibly proud to back Torq as it continues to deliver such deep value for security operations teams worldwide. It’s now no longer a question of if, but when every enterprise will adopt AI-driven hyperautomation.”

Torq’s customer base also continues to rapidly grow due to the success of the Torq Partner Acceleration Program, which includes many of the world’s leading channel and security vendors. Torq tech alliance partners include Abnormal Security, Check Point, CrowdStrike, SentinelOne, Snyk, and Wiz. Its reseller and VAR ecosystem includes GuidePoint Security, Optiv, Stratascale, and Trace3.

“Torq is a rising star in cybersecurity,” said Oren Yunger, Managing Partner, Notable Capital. “Torq HyperSOC’s advanced AI capabilities are having a dramatic, positive impact on security operations teams worldwide by making them vastly more efficient and resilient than ever. Torq represents the next-generation of security operations and Notable Capital is certain the future is phenomenally bright for the company.”

**Key Analysts Unanimously Validate Torq Hyperautomation**

Analysts including Gartner, Forrester, IDC, and GigaOm all covered Torq Hyperautomation during 2024, with unanimous perspectives on the positive impact it’s making for customers.

“Every day, IDC is engaged with SOC professionals who communicate the existential challenges they’re facing, both in terms of keeping up with ever-escalating threat complexity and volume, and the incredible burden that places on the shoulders of their teams,” said Chris Kissel, Vice President, Security & Trust Products, IDC Research. “Torq is the first solution we’ve seen that effectively enables SOC professionals to mitigate issues including alert fatigue, false positives, staff burnout, and attrition. We are also impressed by how its AI augmentation capabilities empower these staff members to be much more proactive about fortifying the security perimeter.”

“Torq offers an extensive feature set, as reflected in its high scores across most of the key criteria, including case management, and collaboration, automated alert prioritization, triage and curation, autonomous operations, and validation and red teaming, and has acquired an impressive portfolio of customers,” said GigaOm in a 2024 Radar Report.

Learn more about Torq at Torq.io.

**About Torq**

Torq is transforming cybersecurity with its AI-first  enterprise-grade hyperautomation platform. By connecting the entire security infrastructure stack, Torq empowers organizations to instantly and precisely remediate security events, and orchestrate complex security processes at scale. Fortune 500 enterprises, including the world’s biggest financial, technology, consumer packaged goods, fashion, hospitality, and sports apparel companies are experiencing extraordinary outcomes with Torq.

Torq Announces $70M Series C Bringing Total 2024 Funding to $112M

PRESS RELEASE

JASPER, Ind., Sept. 23, 2024 /PRNewswire-PRWeb/ -- As National Cybersecurity Awareness Month approaches this October, PIER Group is drawing attention to the unique cybersecurity challenges faced by research-focused universities and institutions nationwide. With the rise of cloud computing and data sharing, safeguarding the sensitive research data, intellectual property, and high-value projects emerging from these academic hubs is more critical than ever. PIER Group, a leader in providing IT solutions and cybersecurity services to R1 and R2 universities, is at the forefront of helping these institutions navigate this complex cybersecurity landscape.

"R1 and R2 universities are some of the most targeted institutions by cybercriminals due to the immense value of the research they conduct and their large attack surface. Their networks handle hundreds of thousands of devices and connect to other universities all over the world," said Chad Williams, president of PIER Group. "At PIER Group, we see it as our responsibility to ensure that these institutions not only stay at the forefront of global research, but do so securely. We're building the infrastructures that allow them to innovate without fear of compromise."

During National Cybersecurity Awareness Month, universities have the opportunity to assess their cybersecurity strategies and adopt solutions that will protect their campuses, students, and research for years to come. Williams and his colleagues at PIER Group have identified five strategies that top universities should be implementing now or planning for:

1\. Adopt AI for Cybersecurity. For managing networks at the scale of major research universities, with thousands of devices connected to campus networks, AI is essential for detecting threats and responding quickly. AI-driven tools can analyze vast amounts of data to detect anomalies and provide automated threat responses.   
● What Universities Should Do: Adopt AI-enhanced cybersecurity tools that provide proactive monitoring and fast response to cyber threats.

2\. Implement Network Access Control (NAC) Systems. Modern access control solutions, often enhanced with AI, make it much easier for university staff to segment the university population so only authorized users can access sensitive information, applications and data.   
● What Universities Should Do: Implement sophisticated NAC systems that use AI for smarter, more effective user management.

3\. Combat Social Media Attacks. Cyber criminals are using social media apps like LinkedIn and Instagram to launch attacks on individuals, with an overarching goal of breaching a university network.   
● What Universities Should Do: Universities should always follow the 3-2-1-1 rule - three copies of data at two different locations, one offsite and one immutable. They should also educate campus communities on social media risks and employ cybersecurity solutions that monitor and mitigate these threats.

4\. Leave Legacy Equipment Behind. Most universities have older equipment, but even equipment that is just a few years old can leave universities vulnerable to cyberattacks. Transitioning networks and storage to the cloud is proving to be the most economical and flexible solution, adding greater security while allowing universities to quickly scale up or down.   
● What Universities Should Do: Focus on phasing out older equipment as soon as possible and migrate those computing needs to the cloud.

5\. Collaborate Securely with the Broader Research Ecosystem. Universities' openness for collaboration complicates security. Real-time partnerships with research centers and external partners demand secure data-sharing, supported by networks like The Quilt. Strong security measures are crucial to protect sensitive research and intellectual property. Secure collaboration fuels innovation in medicine and technology while safeguarding valuable data.   
● What Universities Should Do: Universities should ensure their networks are built to handle secure, high-speed collaboration with both internal and external research partners. PIER Group's support and partnership with R1 and R2 research organizations help facilitate university-wide collaboration, enabling discussions on the best procedures and solutions to secure student, institutional, and research data necessary for innovation.

As cyber threats become more sophisticated, universities must implement strategies to protect their students, staff, and the integrity of their research. By doing so, they contribute to a safer global research ecosystem. For more information on how R1 and R2 universities can achieve technology leadership, visit http://www.piergroup.com.

About PIER Group   
PIER Group is a leading IT and cybersecurity solutions provider with decades of experience specializing in research universities and large academic institutions. They excel in securing and optimizing campus and research networks, demonstrated by their work with top national R1 and R2 universities from coast to coast including Indiana University, University of South Carolina and the University of Maryland. PIER Group's expertise includes implementing robust security measures, such as Aruba ClearPass, to protect sensitive data and support national research networks like The Quilt. Their commitment helps universities navigate complex cybersecurity challenges and makes high-speed, high-stakes collaborations possible. For more information, visit piergroup.com.

5 Cyber Strategies Research Universities Can Adopt to Lead in Global Research

The AI Incident Reporting and Security Enhancement Act would allow NIST to create a process for reporting and tracking vulnerabilities found in AI systems.

Source: zemkooo via Alamy Stock Photo

A House committee advanced a bill that would allow the National Institute of Standards and Technology (NIST) to create a formal process for reporting security vulnerabilities in artificial intelligence (AI) systems. As is the case for many security projects, funding concerns could stymie the initiative.

The AI Incident Reporting and Security Enhancement Act was approved by voice vote by the House Science, Space and Technology committee on Wednesday. The bill was introduced by a bipartisan trio of representatives from North Carolina, California, and Virginia. If approved by the full Congress and signed into law, it would give NIST the mandate to incorporate AI systems in the National Vulnerability Database (NVD).

NVD is the federal government's centralized repository for tracking security vulnerabilities in software and hardware. In its current form, the bill would add to the workload of the already-beleaguered NIST teams managing the NVD. NIST earlier this year paused updating data on reported vulnerabilities, in a move program manager Tanya Brewer said was the result of budget cuts, flat staff growth, and an increase in database-related email traffic.

The bill specifies that the increased workload for NIST would be "subject to the availability of funding," but Rep. Deborah Ross (D-NC), a sponsor of the bill, said that they were aware of "significant funding and scaling challenges" NIST already experienced maintaining the database.

"My colleagues and I on this committee are actively exploring solutions to help NIST address this problem and get the money," she said.

Even though the bill was approved in committee, some committee members expressed concern about some of the language used in the bill. There were concerns that terms such as "substantial artificial intelligence security incident" and "intelligence incident" would need to be clarified to make it more likely that the bill would pass. This kind of specificity is also a bigger concern in Congress in the wake of the Supreme Court overturning the Chevron doctrine.

The bill would also require NIST to consult with other federal agencies, like the Cybersecurity and Infrastructure Security Agency, private-sector organizations, standards organizations, and civil society groups, to develop a common lexicon for reporting AI cybersecurity incidents.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Congress Advances Bill to Add AI to National Vulnerability Database

British Transport Police and Network Rail are investigating the incident, in which bad actors posted Islamophobic messages on the transport system's network.

Source: mark phillips via Alamy Stock Photo

A cybersecurity incident is being investigated after Islamophobic messages were displayed to users through a compromised Wi-Fi landing page.

Network Rail, the non-departmental public body, is probing the incident, which affected 20 stations, all managed by the same body; 10 of the stations are in London, the rest are distributed across key commuter stations in Reading, Leeds, Glasglow Central, and others.

"We received reports at around 1703 yesterday \[Sept. 25\] of a cyberattack displaying Islamophobic messaging on some Network Rail Wi-Fi services," said the British Transport Police (BTP), which is also involved in the case. 

Telent, the communications company that operates Network Rail's Wi-Fi, reported that it is aware of the incident and is also involved in the investigation to identify the root cause.

"Nation states and criminals are increasingly targeting key third-party suppliers to cause widespread disruption to multiple industries at once, and the attack on the rail service is just the latest example of this," said Dan Schiappa, chief product and services officer at Arctic Wolf, in an emailed statement to Dark Reading. "It is vital every company, regardless of whether it is critical infrastructure or not, ensures the suppliers it works with have strong cybersecurity otherwise they are leaving a huge hole in their defenses."

And while it may be too soon to point fingers at any party involved, as the investigation continues, Network Rail has suspended Wi-Fi services for the time being.

**About the Author**

Public Wi-Fi Compromised in UK Train Stations

Beware that friendly text from the IT department giving you an "update" about restoring your broadband connectivity.

Source: Mike Hill via Alamy Stock Photo

Hurricane Helene is whirling its way toward the Florida coast, with the US National Hurricane Center warning those in the path of the storm to prepare for a Category 3 landing on the night of Sept. 26, followed by a life-threatening 20-foot storm surge.

Unfortunately, cybercriminals are likely planning a storm of their own, in the form of fraud and phishing efforts tied to interest and anxiety related to Helene.

A charity appeal for donations is a common gambit that cyber scammers perpetrate after a natural disaster, along with notices that purport to come from energy or phone providers about outages, and even unsolicited offers of help from "contractors" who can remove fallen trees or outfit your office with a generator — as long as you pay upfront.

There are many, many variations on the theme, including business email compromise (BEC)\-enabled attacks that use a legitimate organization's email to hide nefarious purposes.

Being suspicious is the top defense here. As the US Cybersecurity and Infrastructure Security Agency (CISA) warned on Sept. 26, individual citizens and corporate users alike should remain vigilant when "handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Hurricane Helene Prompts CISA Fraud Warning

Developers need to do more than scan code and vet software components, and ops should do more than just defend the deployment pipeline.

Source: whiteMocca via Shutterstock

Combining software development, deployment, and operations pipelines into DevOps teams promises increased efficiency, easier and more frequent updates, and better quality applications. Yet the complexity of the infrastructure has also led to a growing attack surface that is hard to monitor and maintain.

On the development side, the average organization uses four to nine different programming languages, has to deal with millions of new packages and images every year, and remediates thousands of vulnerabilities in the most common open source components, according to JFrog's Software Supply Chain State of the Union 2024 report. At the other end of the DevOps pipeline, two-thirds of companies have delayed deployment of an application due to Kubernetes security concerns, and nearly half (46%) had actual security incidents, according to Red Hat's The State of Kubernetes Security 2024 report.

Cybersecurity professionals aiming to secure the application pipeline have to pay attention to the software being written by developers, the open source components imported by developers, the containers and cloud infrastructure used to deploy software, and the build tools used to make the software, says Jeff Williams, chief technology officer and co-founder of Contrast Security, a software security firm.

"The problem is it's such a huge attack surface," he says. "It's not just your pipeline. It's all the other code that goes into developing software — it's IDEs and test tools and performance suites ... any one of them is capable of subverting the code that your developers are building and producing."

Gaining an integrated view of the entire DevOps pipeline, from development to application deployment, is increasingly important. Software components — not just open source libraries but Docker containers and other infrastructure assets — often have vulnerable code, increasing risk. Third-party tools can be compromised — remember Codecov's breach —allowing malicious code to be injected into projects under development. Cloud infrastructure and storage can be misconfigured or improperly protected, a la Snowflake instances.

Having good visibility into the state of the DevOps software pipeline and deployment infrastructure is critical, says Josh Lemos, chief information security officer at DevOps provider GitLab (and no relation to the author).

"There are two real important trains that need to run," he says. "One is you need the development and packaging security, compliance, and attestation of all of your build artifacts in one of those trains — or work streams. The other is the deployment monitoring and orchestration of those things in your production environments."

**Write, Use, Buy, Build**

Overall, DevOps security teams need to protect four areas that are open to attack. The first and second areas are most obvious to developers: the code that they write and the software components that they use, says Contrast Security's Williams.

"We've been talking about \[that code\] since the beginning of OWASP ... if you got bugs in the code you write, people exploit them, and you get breached. It's not good," he says.

Companies also have to pay attention to the code that they buy or — through a service — use indirectly. Finally, they need to secure the applications and services that are used to build and deploy software — the IDEs, test tools, performance suites, and instrumentation.

"Any one of those is capable of subverting the final code," Williams says, adding that most DevOps teams do not pay attention to the full attack surface posed by their pipeline and software supply chain. "I think we're still in the Stone Age, when it comes to real supply chain security."

While the vast majority of companies (87%) are building or moving applications to cloud-native, most (59%) did not understand the security implications of doing so and have suffered a security issue as a result. Predictably, the collection of common security incidents are as varied as the infrastructure needed to produce and deploy software: Network breaches, API vulnerabilities, certificate misconfigurations, cluster misconfigurations, and vulnerabilities in containers are among the top causes of security incidents, according to a November 2023 survey of cloud-native application security issues.

Even companies that are monitoring parts of their DevOps pipelines are not getting good coverage, says Williams.

"It's not everywhere, and almost nothing covers part of the DevOps like developer workstations and IDEs and testing frameworks and plugins," he says. "I mean, there's a universe of code that nobody's monitoring, and most organizations are not really thinking about this problem."

**Questioning Your DevOps Infrastructure**

For most companies, ensuring that they have visibility into the entire pipeline is essential. Monitoring can warn when a retired package is suddenly revived in the repository by an untrusted party, or when secrets are included in code that might otherwise be pushed to a repository, or when a Docker image has significant amounts of unused software.

Companies need to have continuous monitoring of each step in the pipeline, says Paul Davis, field CISO at software supply chain provider JFrog.

"\[Knowing\] what's going ... and \[seeing that\] a package has gone bad in production, or that I need to roll back a package because somebody's come with a new vulnerability — that ease of use \[and visibility\] into the attack surface, that insight and that traceability — is key for me," he says.

Companies should also take action around four specific areas of their DevOps infrastructure, according to GitLab's Lemos. First, the identities of any developer, ops specialist, device or service that takes part in the pipeline should be logged. Companies should also maintain a list of software artifact that they are using, which ones have vulnerabilities, and maintain a private repository, if possible. The build systems should be frequently tested, and any automated triggers — such as changes to third-party software that triggers a build — should be analyzed for potential security implications. Finally, the entire pipeline should be architected to minimize the impact — the "blast radius" — of a compromise, he says.

"The best thing I've seen companies do as a first step is to get to some known good design patterns," Lemos says. "The more of that that you can abstract away from \[bad security practices\], the more successful your security program will be, the less churn and load you'll have, and the more reusable your code becomes."

**The Promise, and Peril, of AI**

The breadth of the DevOps attack surface also represents an opportunity for automation and AI assistance. DevOps already gains much of its agility and speed through automation, with configuration- and infrastructure-as-code dominating because expressing architecture as files allow repeatability for operations, while analyzing the instructions allow for more secure infrastructure.

Yet, when it comes to security, most companies are holding back on adoption, says Laurent Gil, chief product officer for Kubernetes automation platform Cast AI.

"Almost every security company offers automation in some form, and yet nobody is using it," he says. "\[Security teams\] should know that it's okay to use automation to either block things that should be blocked, or to auto-remediate when you find something that contains vulnerabilities."

AI development also brings new ways of working with code and data — an attack surface area that is not fully understood and for which DevOps teams are not ready, says GitLab's Lemos.

"There is the possibility to do really old-style attacks, because you're combining data and content into a model," he says. "A model with a pickle file that gets consumed into a data scientist's workstation, if they deserialize it and it has a payload, they've just invited in some malicious code into their environment."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Moving DevOps Security Out of 'the Stone Age'

Source: whiteMocca via Shutterstock

Combining software development, deployment, and operations pipelines into DevOps teams promises increased efficiency, easier and more frequent updates, and higher-quality applications. Yet the complexity of the infrastructure has also led to a growing attack surface that is hard to monitor and maintain.

On the development side, the average organization uses four to nine different programming languages, deals with millions of new packages and images every year, and has to remediate thousands of vulnerabilities in the most common open source components, according to JFrog's "Software Supply Chain State of the Union 2024" report. At the other end of the DevOps pipeline, two-thirds of companies have delayed deployment of an application due to Kubernetes security concerns, and nearly half (46%) had actual security incidents, according to Red Hat's 2024 "The State of Kubernetes" security report.

Cybersecurity professionals aiming to secure the application pipeline have to pay attention to the software being written by developers, the open source components imported by developers, the containers and cloud infrastructure used to deploy software, and the build tools used to make the software, says Jeff Williams, chief technology officer and co-founder of Contrast Security, a software security firm.

"The problem is it's such a huge attack surface," he says. "It's not just your pipeline. It's all the other code that goes into developing software — it's IDEs and test tools and performance suites. ... Any one of them is capable of subverting the code that your developers are building and producing."

Gaining an integrated view of the entire DevOps pipeline, from development to application deployment, is increasingly important. Software components — not just open source libraries but Docker containers and other infrastructure assets — often have vulnerable code, increasing risk. Third-party tools can be compromised — remember Codecov's breach — allowing malicious code to be injected into projects under development. Cloud infrastructure and storage can be misconfigured or improperly protected, a la Snowflake instances.

Having good visibility into the state of the DevOps software pipeline and deployment infrastructure is critical, says Josh Lemos, chief information security officer at DevOps provider GitLab (and no relation to the author).

"There are two really important trains that need to run," he says. "One is you need the development and packaging security, compliance, and attestation of all of your build artifacts in one of those trains or work streams. The other is the deployment monitoring and orchestration of those things in your production environments."

**Write, Use, Buy, Build**

Overall, DevOps security teams need to protect four areas that are open to attack. The first and second areas are most obvious to developers: the code that they write and the software components that they use, says Contrast Security's Williams.

"We've been talking about \[that code\] since the beginning of OWASP," he says. "If you have bugs in the code you write, people exploit them, and you get breached. It's not good."

Companies also have to pay attention to the code that they buy or, through a service, use indirectly. Finally, they need to secure the applications and services that are used to build and deploy software —the IDEs, test tools, performance suites, and instrumentation.

"Any one of those is capable of subverting the final code," Williams says, adding that most DevOps teams do not pay attention to the full attack surface posed by their pipelines and software supply chains. "I think we're still in the Stone Age when it comes to real supply chain security."

While the vast majority of companies (87%) are building or moving applications to cloud-native, 59% did not understand the security implications of doing so and have suffered a security issue as a result. Predictably, the collection of common security incidents are as varied as the infrastructure needed to produce and deploy software: Network breaches, API vulnerabilities, certificate misconfigurations, cluster misconfigurations, and vulnerabilities in containers are among the top causes of security incidents, according to a November 2023 survey of cloud-native application security issues.

Even companies that are monitoring parts of their DevOps pipelines are not getting good coverage, says Williams.

"It's not everywhere, and almost nothing covers part of the DevOps like developer workstations and IDEs and testing frameworks and plug-ins," he says. "I mean, there's a universe of code that nobody's monitoring, and most organizations are not really thinking about this problem."

**Questioning Your DevOps Infrastructure**

For most companies, ensuring that they have visibility into the entire pipeline is essential. Monitoring can warn when a retired package is suddenly revived in the repository by an untrusted party, or when secrets are included in code that might otherwise be pushed to a repository, or when a Docker image has significant amounts of unused software.

Companies need to have continuous monitoring of each step in the pipeline, says Paul Davis, field CISO at software supply chain provider JFrog.

"\[Knowing\] what's going ... and \[seeing that\] a package has gone bad in production, or that I need to roll back a package because somebody's come with a new vulnerability, that ease of use \[and visibility\] into the attack surface — that insight and that traceability — is key for me," he says.

Companies should also take action around four specific areas of their DevOps infrastructure, according to GitLab's Lemos. First, the identities of any developer, ops specialist, device, or service that takes part in the pipeline should be logged. Companies should also maintain a list of software artifacts that they are using, which ones have vulnerabilities, and maintain a private repository, if possible. The build systems should be frequently tested and any automated triggers — such as changes to third-party software that triggers a build — should be analyzed for potential security implications. Finally, the entire pipeline should be architected to minimize the impact — that is, the "blast radius" — of a compromise, he says.

"The best thing I've seen companies do as a first step is to get to some known good design patterns," Lemos says. "The more of that that you can abstract away from \[bad security practices\], the more successful your security program will be, the less churn and load you'll have, and the more reusable your code becomes."

**The Promise and Peril of AI**

The breadth of the DevOps attack surface also represents an opportunity for automation and the assistance of artificial intelligence (AI). DevOps already gains much of its agility and speed through automation, with configuration- and infrastructure-as-code dominating because expressing architecture as files allows repeatability for operations, while analyzing the instructions allows for more secure infrastructure.

Yet when it comes to security, most companies are holding back on adoption, says Laurent Gil, chief product officer for Kubernetes automation platform CAST AI.

"Almost every security company offers automation in some form, and yet nobody is using it," he says. "\[Security teams\] should know that it's OK to use automation to either block things that should be blocked or to auto-remediate when you find something that contains vulnerabilities."

Yet AI development also brings new ways of working with code and data — an attack surface area that is not fully understood and for which DevOps teams are not ready, Lemos says.

"There is the possibility to do really old-style attacks because you're combining data and content into a model," he says. "A model with a pickle file that gets consumed into a data scientist's workstation, if they deserialize it and it has a payload, they've just invited some malicious code into their environment."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading