DryRun security seeks to bridge the gap between developers and security professionals by automating security analysis in code reviews before deployment.

**Austin Texas, May 23, 2023 –** DryRun Security emerged from stealth with the mission to fix the disconnect between security and developers, with the premise being that all developers fundamentally care about security. The company, founded by technology veterans James Wickett and Ken Johnson, is creating a new security analysis tool  to find potential bugs sooner than any other security solution on the market while being better aligned to how developers actually work. 

Co-founders James Wickett and Ken Johnson created DryRun Security after observing that in the past 20 years software security has become misaligned with the way developers build.  The arc of the industry has created silos where legacy security solutions have  been geared towards security professionals rather than those who write the software.   

This leads to three significant gaps.  The first is testing for security issues after it’s been deployed leads to wasted developer and security team cycles when problems are discovered. The second is many of the bugs being identified are not even relevant,  resulting in false-positives. Finally, the third is application security teams lack an accurate picture of which code reviews require their expertise. This is further exacerbated by the sheer velocity and number of daily and weekly code updates. All of these problems lead to inaccurate, delayed, and often incorrectly prioritized security testing and ultimately , an overall less-secure codebase.   

DryRun Security fixes the disconnect between security and developers by performing Contextual Security Analysis which runs where developers work. As a developer writes code, they dry-run security testing and analysis  and get results back in near real time, which is where the name “DryRun” comes from.  This type of testing builds the security context of the code and provides feedback to developers whenever they make changes or write new code.

“The disconnect between engineers and security testers is due to a lack of security context making it back to developers” said James Wickett, CEO and Co-Founder of DryRun Security, “DryRun Security was created to address this fundamental disconnect under the assumption that developers truly care about the security of the products they are building. With that assumption, we believe that security should be an integral part of the software development process.  That’s why it’s our mission to provide engineers with a tool that makes it easy to identify and fix potential security bugs while the developer is working on that section of code.”

“At DryRun Security, we understand that once a developer can see the security context of their changes, they can make better decisions and create more secure applications. This is different from  the way that testing has been happening over the past two decades which has made fixing bugs inefficient, driving up costs and creating unnecessary hurdles for developers and security professionals.” Said Ken Johnson, Co-Founder and CTO of DryRun Security. “I experienced these headaches firsthand, which is why I started DryRun Security with James. Our belief is that the solution we provide will give developers the ability to integrate contextual security analysis into their development workflow and fix issues before they become bigger problems.”

DryRun Security is currently running a private beta for their product, and they are accepting signups to the list. Please visit https://dryrun.security to signup and join the early access list. 

**About DryRun Security**

DryRun Security is a software security company that provides automated security reviews for developers as they write code. Founded by James Wickett and Ken Johnson, the company takes a unique approach using Contextual Security Analysis, which is a proprietary approach they’ve developed by training over 10,000 developers on security testing and code reviews. Using this approach, developers and security teams are able to bridge the gaps of mainstream security testing approaches and fix potential bugs before deployment. For more information, please visit https://dryrun.security.

Technology Veterans James Wickett and Ken Johnson Launch DryRun Security to Bring Security to Developers

A February 2022 attack knocked the giant tire maker's North American operations offline for several days.

As a CISO that helped his company navigate through the aftermath of a crippling ransomware attack last year, Bridgestone Americas' Tom Corridon says his biggest advice for other organizations is to designate key decision-makers for handling such crises before they happen.

Not having a clear-cut line of action at the executive level in advance can exacerbate the consequences of a cyberattack and allow the attacker an opportunity to create more damage, Corridon said in an interview at Accenture's third annual virtual OT cybersecurity summit last week..

"When you want to pull a lever, when you want to make a decision about disconnecting networks, or paying a ransom, who makes those decisions?" Corridon said. "To know that going in is really, really important because then you are not caught flatfooted. You are not caught looking around the room going, 'is that you, or is that me?'"

The February 2022 ransomware attack on Bridgestone led to the tire giant to shut down its networks at manufacturing and retreading facilities in North America and Latin America for several days. The well-known ransomware group LockBit 2.0 later claimed credit for the attack and announced plans to publicly leak data accessed from Bridgestone's systems if the company did not comply with the group's ransomware demand.

Bridgestone later disclosed that the cyberattackers had accessed business records as well as files containing Social Security numbers, bank information, and other sensitive data on some of its customers. But the company has released no other details of the attack since then, including whether it paid the LockBit gang a ransom or not. 

The attack was one of several last year that affected operating technology (OT) networks at industrial and manufacturing companies in the US and elsewhere. A second-quarter 2022 analysis of ransomware attacks from Dragos showed most attacks (68%) on industrial organizations targeted the manufacturing sector.

**Tabletop Exercises for Executives**

Corridon's interview at the Accenture virtual event steered clear of the details of the attack, the damage it had caused, and the recovery effort. However, it focused on several lessons the company was able to take away from the attack. The biggest, according to Corridon, is knowing who makes crucial decisions during an unfolding crisis, and how.

Corridon advocates that organizations that do tabletop exercises for their technical team need to have a parallel scenario-based exercise that involves key executives and decision-makers. Just like incident management processes have two threads — one technical and one for executives — so, too, should tabletop exercises.

Another key consideration is that the executives in charge of making critical decisions during a ransomware attack need to be comfortable making them without a lot of data. 

"They need to be comfortable making decisions in the moment that are going to feel like gut decisions or rash decisions," Corridon noted. "But we need to be prepared for that because the longer you sit on a decision and you analyze it and think it through and wait for that perfect decision to land in your lap, the more time the threat actor has to go further into your environment and do more damage."

**Never Let a Good Crisis Go to Waste**

According to Corridon, who was interim CISO at Bridgestone when the attack happened, one silver lining with major security events is the heightened awareness and willingness to change that it can foster. In the year since the attack, Bridgestone has implemented security changes that would otherwise have taken years to convince executives of, push through, and enable, he said.

He advised that security teams take a never-let-a-good-crisis-go-to waste approach to push through change, if they are unfortunate enough to experience a major security breach. 

"In an incident, your executives have a front-row seat to the action," Corridon said. "So, they are walking away with a better understanding of terms they never wanted to understand or wanted to know." 

That heightened awareness and understanding often means they are more prepared to give security teams the money and resources they need to implement a stronger security posture moving forward. "They are prepared for change \[because\] they have a taste in their mouth of a bad experience," he says.

Similar change can be harder to achieve in the lower echelons, where concerns over everyday jobs and goals can quickly relegate security concerns to the backburner once an immediate crisis has passed, Corridon acknowledged. Therefore, it's important to always keep cybersecurity a relevant and top of mind topic for employees. In much the same way that OT environments emphasize physical safety precautions, organizations need to make cybersecurity a part of the daily routine for employees.

One way to begin getting stakeholders to think differently about cyber resilience is to stop describing breaches and attacks as security incidents. "An incident is when you trip and fall or somebody unplugs something by accident," he said. A ransomware attack, on the other hand, is a criminal act against the company. 

"Having that reframing of thought can go a long way," Corridon said. "The words you use as you are going through the event and actually recognizing it as a crime against the organization is a first step."

Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking

Categories: Business
There are a lot of benefits to ChatGPT, but many in the security community have concerns about it. Malwarebytes' CEO Marcin Kleczynski takes a deep dive into the topic.



(Read more...)




The post ChatGPT: Cybersecurity friend or foe? appeared first on Malwarebytes Labs.

ChatGPT: Cybersecurity friend or foe?

TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection.

**Basic information**

    - ## CVE-ID: ## CVE-2023-31729
    - ## Vendor: ## Totolink
    - ## Product: ## A3300R - V17.0.0cu.557_B20221024
    - ## Firmware version: ## the latest V17.0.0cu.557_B20221024 firmware version
    - ## Type: ## command injection
    

**Vulnerability description**

FIRMWA DOWNLOAD: HTTPS://WWW.TOTOLINK.CN/DATA/UPLOAD/20230228/EEA9795866EA68EE471C1B6573A370E1.RAR

Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setddnscfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setiptvcfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setipv6cfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setlancfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setremotecfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setschedulecfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion settraceroutecfg. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion seturlfilterrules. Totolink a3300r v17.0.0cu.557 router has a command injection vulnerability in the request /cgi-bin/cstecgi.cgi by funcsion setwancfg.

**Vulnerability Proof****run Poc**

  

**repair suggestion**

Filter characters such as **\` $ | & ;** for the hostname parameter in the setwancfg function.

CVE-2023-31729: CVE/CVE-2023-31729.md at main · D2y6p/CVE

Uncontrolled search path in the WULT software maintained by Intel(R) before version 1.0.0 (commit id 592300b) may allow an unauthenticated user to potentially enable escalation of privilege via network access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**WULT Software Advisory**

**Summary: **

A potential security vulnerability in the Wake Up Latency Tracer (WULT) software maintained by Intel® may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2023-27298

Description: Uncontrolled search path in the WULT software maintained by Intel(R) before version 1.0.0 (commit id 592300b) may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

WULT software maintained by Intel® before version 1.0.0 (commit id 592300b).

**Recommendations:**

Intel recommends updating the WULT software maintained by Intel® to version 1.0.0 (commit id 592300b) or later.

Updates are available for download at this location:

https://github.com/intel/wult/commits

**Acknowledgements:**

Intel would like to thank Sanidhya Ved for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2023-27298: INTEL-SA-00853

We talk to the Signal Foundation’s Meredith Whittaker about how the surveillance economy is newer than we all might realize—and what we can do to fight back.

How to Reclaim Your Online Privacy

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.

CVE-2023-31804: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.

CVE-2023-31802: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.

CVE-2023-31801: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.

Tag

#acer