mobile development

Secure Remote Access: Keeping Employees and the Organization Safe

Published May 19, 2020. WRITTEN BY ED TITTEL.
Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel.

In this age of lockdowns, social distancing and working from home, organizations must think carefully about how to extend their networks and services across the internet and into employees’ and contractors’ homes. This makes remote access security management both a timely and an imperative topic, because it has become the norm for many companies and organizations this year. If we are to believe even the most optimistic of vaccine deployment scenarios, our pandemic situation is likely to persist for at least another six to nine months. That said, many experts think that working from home is the new normal, so even once it’s safe for us all to be together in an office again, there may be no office to go back to. The old ways of working mostly within a secure organizational perimeter are on the way out, so we need to update our security operations for the new reality.

How does remote access work?

In the simplest of terms, remote access requires that users employ a remote device of some kind to establish a connection to an organizational service. The connection is a communication link that spans the internet from the client or user side to a server or service inside the firewall. For example, Microsoft includes both an old-line application, Remote Desktop Connection, and a new-style Universal Windows Platform (UWP) app, Remote Desktop, in Windows 10. Both use Microsoft’s Remote Desktop Protocol (RDP) to establish a remote connection between a client PC (user device) on one side and a host PC or server (server device) on the other side.

Thus, the elements of remote access include the following:
- A remote access client or application that lets the end-user request access to a remote resource of some kind
- A remote connection that connects the end-user to the resource, and vice versa
- A remote host or service to which an end-user can connect, and from which they can request information, services, resources and so forth

Securing remote access means securing all elements

For a company or organization to meet best security practice requirements for remote access, all elements involved in remote access must be secure. Here’s a checklist of items and capabilities that fall under this large and far-ranging umbrella:
- Before users obtain remote access, they must be identified and authenticated. The best form of security for identity and authentication nowadays relies on two-factor authentication (2FA) or better, where a user’s cellphone serves admirably to provide a separate channel for ID and authentication traffic, as well as providing a tangible token of identity in and of itself.
- The client software that users employ for remote access should itself be secure and free from known technical vulnerabilities or susceptibility to attack through social engineering.
- Users working remotely need basic security awareness training to keep them from inadvertently disclosing what the organization wants kept confidential – namely, their account and password information, among other sensitive data.
- The client software must also be scanned for vulnerabilities (preferably at high frequency, if not continuously) […]

6 Threats to Development Team Productivity

Published December 17, 2020. WRITTEN BY THE KIUWAN TEAM: Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

Productivity rates are critical to success in any industry. That is true of software products, too, which not only need to be produced efficiently but must also be secure from cyberattacks. If you’re considering how to improve your software team’s productivity, then you will want to know the top threats to software development team productivity and how to solve them. The following paragraphs address six of them.

1. The Need for Speed

The enemy of quality software development is often the unrealistic and impossible deadlines set by project managers. The sleight of hand happens this way: in response to client requests, managers often press developers for delivery estimates. They often push for the lowest possible estimates. The mistake they make, though, comes when they treat those delivery estimates as delivery deadlines agreed upon by the developer team. Managers pass along the “deadlines” to senior management, leaving developers feeling stressed and unable to perform at optimum levels. It comes down to managing the client’s expectations. Take the time to make sure that the client understands that a slower work pattern due to rigorous testing results in a better quality product. That communication and understanding can make a world of difference for the development team.

2. Poor Code Quality

Poor code quality appears in various forms. It may mean code that is difficult for other developers or team members to read, which hampers the ability to make necessary changes. It may mean that the development team rushed to meet deadlines and, in doing so, released the software without testing and without fixing bugs that existed, or that they could have prevented.

Poor code quality decreases production agility and impacts the project’s development over the long term. Code quality is positively impacted by:
- Following code standards
- Testing code
- Selecting a project manager to monitor project quality

3. Outdated Technology

Updated technology helps employees do their jobs more efficiently, saves valuable project time, generally keeps customers satisfied, and gives businesses a leg up over their competitors. Successful development teams have the modern tools they need to work quickly and securely.

PricewaterhouseCoopers (PwC) conducted a study of 12,000 people in Canada, China, Hong Kong, the US, the UK, India, Germany, and Mexico. The participants worked in roles ranging from the C-suite to administration and in various industries. PwC found that 90% of C-suite executives believe they take into account the technology their people need to do their jobs. Only 53% of their workers said the same. And while 92% of the C-suite executives were satisfied with their company’s experience with the technology provided to carry out the most important projects, only 68% of their workers felt the same way. It’s easy to understand the disconnect. When technology fails, C-suite executives hand the problem to someone else to solve. The worker bees are left to deal with the aftermath of outdated technology.

4. The CI/CD Pipeline

As the name implies, the CI/CD pipeline consists of two components: CI and CD. Continuous integration (CI) refers to the software development practice that requires frequent code checks during software development and producing small code changes as the team discovers them. […]

Rethinking Application Security in a Post-Pandemic World

Published December 11, 2020. WRITTEN BY THE KIUWAN TEAM.

Without a doubt, the COVID-19 pandemic has had a massive impact on the financial services landscape. Not only did businesses have to tweak their entire operations under safety regulations, but they also had to contend with a growing list of cybersecurity threat actors, given the rapid adoption and usage of online apps. According to data from App Annie, there was a 20% increase in time spent on mobile apps in the first quarter of 2020. At the same time, consumers embraced online banking, social media, and online shopping like never before. All of these created more cybersecurity risks.

To avoid exploitation and compromise of sensitive data, information, technology, and security leaders need to view app security through a new pair of lenses. This should include a defense plan that considers the remote workforce, significantly reduced IT budgets, and limited access to AppSec talent. Read on as we explore a dynamic plan to boost your cyber protection in a post-pandemic world.

1. Data breaches

Mobile banking malware risk has worsened, especially now that bad actors leverage uncertainty and fear surrounding the pandemic. Recent research from Malwarebytes shows that mobile banking malware has spiked in recent months, infiltrating weakened home networks and mobile devices to access highly sensitive corporate applications. These malware families are focused on only one job: stealing client information.

What CIOs and CISOs can do: The best place to start is identifying and remediating the security vulnerabilities in your application before it’s too late. Plan to conduct application security vulnerability scanning with a tool like Kiuwan. Remember, a data breach could cost the company millions of dollars, which is why you should never leave your mobile app security to chance.

2. Identity theft

Credential stealing has spread around the US almost as effectively as the COVID-19 pandemic. Since the bulk of the workforce has switched to working remotely, black-hat cyber criminals’ attacks have grown exponentially. Credential theft is the leading cause of fraud in financial services, and with credential-stealing malware such as EventBolt19 and Cerberus being increasingly widespread in 2020, the risk has never been greater.

What CIOs and CISOs can do: The post-pandemic world presents a new opportunity for CIOs to protect employees from the claws of identity theft. The best defense should focus on building authentication solutions that focus on ‘who you are’ rather than ‘something you have’ (passwords). That said, consider installing next-level biometric solutions such as thumbprint/fingerprint, iris, voice, retina, and facial recognition technologies. With biometrics, a cybercriminal’s attempt to impersonate any of your team members becomes a lot more difficult than breaking passwords or PINs.

3. Ransomware attacks

Even after the pandemic, ransomware will remain one of the most significant cyber threats facing financial institutions. Statistics show that financial services will still be the second most targeted sector for ransomware attacks, trailing only healthcare. Successful ransomware attacks not only reveal endpoint vulnerabilities but also act as a starting point for myriad other problems. For example, a breach could lead to huge monetary loss. But most importantly, businesses that don’t proactively protect against attacks will likely suffer from damaged loyalty and reputational risk. Yet this is only the tip of the iceberg. Other repercussions of ransomware attacks are weakened employee morale and the need to dig deeper into […]

Low-Hanging Fruit: The Top 8 Cybersecurity Vulnerabilities in Enterprise Software

Published December 9, 2020. WRITTEN BY MICHAEL SOLOMON.
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

Cybersecurity is getting a lot of attention, from the break room to the board room. Few weeks pass without another salacious story in the media about a new large-scale data breach, ransomware outbreak or other attack designed to disrupt normal life. Cybercriminals know what they are doing, and they’re able to succeed in their goals with uncomfortable regularity. Those goals are increasingly focused on enterprise applications because of the large number of access paths that are supposed to serve end-users and internal personnel. For example, last year 62 US colleges were targets of cyberattacks that exploited their enterprise resource planning (ERP) system vulnerabilities.

Cybercriminals constantly search for easy targets. Expanding complexity, growing numbers of users and partners, and rapidly emerging exploits make security an elusive target. Learning about the most common security gaps found in software, why those gaps really matter, and how to close them can make you less likely to be the next big victim. Instead of approaching security by being as secure as you can be, a better approach is to just be as secure as you need to be. That’s a subtle difference, but the outcome of the latter can be similar to the goal of the former, with much less effort and expense. Let’s cover some rudimentary aspects of security and a basic approach that balances security with budget and effort.

The lure of low-hanging fruit

In this article I’m focusing on general cybercriminals who are looking for financial gain. They don’t care who their next victim is. Other types of cybercriminals, such as disgruntled (possibly former) personnel, “hacktivists,” or other people who are targeting your specific data or intellectual property are more determined and motivated to succeed. But here, we’re talking about cybercriminals looking for any victim, so they mainly want a quick and easy attack.

Using the path of least resistance is a good thing. The easiest and cheapest path to the bottom line is most commonly the desirable path. Of course, there are reputational impacts and other obstacles that affect the decision-making process, but there is always some appeal to the path of least resistance. Cybercriminals spend a lot of effort identifying the easiest targets.

What does this have to do with your security? One important key to being as secure as you need to be is simply avoiding being a hacker’s “low-hanging fruit.” Most cybercriminals use automated scanners to find potential victims they can attack without much work. They look for well-known vulnerabilities that their potential victims haven’t addressed. Cybercriminals know that keeping security controls current takes time and effort, and many organizations have “more important” tasks than hardening systems and networks. This gap between known vulnerabilities and implemented controls defines the sweet spot that cybercriminals are looking for. The best defense from most cybercriminals is to just be secure enough to not be worth their effort. This approach to cyber defense simply means that you should learn about the most common vulnerabilities and fix those first. If you have more budget to go further, that’s great. But at […]

Which App Security & Quality Analytics Should You Be Tracking?

Published December 2, 2020. WRITTEN BY THE KIUWAN TEAM.

As business management expert Peter Drucker once put it: “If you can’t measure it, you can’t improve it.” This quote feels right at home in the world of application security. Many CISOs are finally starting to give SAST tools and other approaches the attention they deserve. However, the only way to know if your approach works is by using app security and quality analytics. While there are many security metrics you can track and assess, choosing the ideal ones for your company is of paramount importance. It’s the best way for CISOs, developers, and other stakeholders to gauge the effectiveness of their application security effort and improve its efficiency.

Why Application Security Analytics Matter

Arguably the most important part of any application security plan is determining the key data analytics to track. For instance, many CISOs want to see a drop in the number of new malware attacks targeting an application (making this an important analytic to track). A drop in this figure over time shows an improvement in secure coding practices within the team.

Allowing your security professionals to have access to real-time analytics is also important. It goes a long way to improving their efficiency. Some of the analytics they should access with ease include:
- Data regarding the type of threats being identified
- How they are discovered
- The time it takes to remedy them

Another thing to remember is that there are both direct and indirect analytics you can track. Direct analytics gauge the security of the program itself, such as the exact number of known threats. Indirect analytics go above and beyond the program and, instead, target practices, tools, and people. A blend of direct analytics and indirect analytics paints the most accurate picture of how your application security (AppSec) tools work. Without these analytics, CISOs will attempt to secure their programs blindly, with limited capacity to deliver quality business outcomes.

Six AppSec Analytics To Improve Application Security & Quality

1. Total number of application threats and their severity

This is arguably the most vital application security and quality metric for your organization. It’s prudent to know the exact number of weaknesses present in an app and, more importantly, just how severe each threat is. Severity depends on the effect the weakness can have on the app (and the company at large) and how often it is likely to happen. The best way to pinpoint the biggest weaknesses is to leverage the outcomes from Dynamic Application Security Testing (DAST) tools and Static Application Security Testing (SAST) tools like Kiuwan. SAST tools single out potential threats in the source code, while DAST tools show you which of these weaknesses can actually lure attackers. Leveraging results from both SAST and DAST tools will enable you to draft a list of the weaknesses that pose the most significant threat to the program. Better yet, your team can use these analytics to identify issues that require immediate remediation.

2. Number of new threats detected

In agile software development, new releases and updates are quite common. It’s vital to know the exact number of new threats discovered when a program is deployed. This analytic helps CISOs keep better track […]

The Role of SAST in DevSecOps

Published November 25, 2020. WRITTEN BY MICHAEL SOLOMON.

Most people involved in the process of creating and deploying software applications today are familiar with DevSecOps, which integrates security and operations into the software development process. In figurative terms, we think of the software development lifecycle as a timeline, starting with the design on the left and the deployment (and post-deployment activities) on the right. Historically, security was overlooked until as late as possible in the process; it was something to consider once you had a viable product. But the truth is, ignoring security early on makes it harder and more costly to add on later. As DevSecOps continuously pushes security “to the left” in the software development process, autonomous assessment can provide assurance of security compliance from development’s earliest stages. One type of autonomous assessment, static application security testing (SAST), can help identify software flaws early on. Let’s explore how using SAST helps DevSecOps achieve its stated goals while minimizing friction.

What SAST offers

Experienced software developers can integrate correctness, robustness, efficiency, elegance and even security into the code they create. However, even the best developers don’t get it right every time. And less experienced developers tend to deviate from standards and best practices in order to get the job done. In today’s push to deliver products quickly and efficiently, it gets harder and harder to pay attention to all the details, including security. SAST can provide a valuable tool in the software developer’s toolbox for writing quality code.

Far from some developers’ initial perception, SAST isn’t just one more hoop to jump through. Strategically placed SAST assessments can alert developers and management that potential flaws exist and should be addressed early in the process. Developers commonly find that SAST helps them to be more efficient. The last thing you want to find is a critical design flaw that stays hidden until the final testing before release. SAST can increase the likelihood you’ll find flaws long before they get “baked in.”

One great way to leverage SAST’s value is to require assessment of all code before the initial check-in. You don’t (or shouldn’t) ever commit code that doesn’t compile, so why should you be able to commit code with security flaws? Find the flaws and fix them before committing work to the pipeline. Instead of increasing each developer’s workload, you’ll decrease (in many cases dramatically) the time required down the road in rework to fix flaws someone else finds. Plus, complete SAST codebase scans may take hours. Individual and small-batch scanning is much faster. Requiring developers to carry out SAST scans locally distributes the overall workload and reduces friction along the development pipeline.

Although giving individual developers the ability to automatically flag potential issues is a huge benefit, management and auditors enjoy SAST’s help in doing their jobs as well. Developers can fix flagged issues before committing code, but some errors won’t be found until more comprehensive tests, including integration tests, get carried out. For example, pre-build SAST assessments may identify flaws that unit-level SAST assessments couldn’t see. Each time SAST identifies new flaws, management has […]

OpenSSF Takes a Collaborative Approach to Open Source Security

Published November 18, 2020. WRITTEN BY ED TITTEL.

Open source software is essential to application development, particularly for the web. At the same time, it also represents a key source of application vulnerabilities. To help make open source software more secure, the Linux Foundation has announced a cross-industry collaboration with open source leaders including GitHub, Google, IBM, JP Morgan Chase, Microsoft, Red Hat, the OWASP Foundation, and others. This collaboration is called the Open Source Security Foundation, or OpenSSF.

In an August blog post, Microsoft Azure CTO Mark Russinovich explained the OpenSSF’s impetus and mission as follows:
- Open source is everywhere and essential for just about every company’s strategy
- Securing open source is essential to securing the supply chain for all parties, including Microsoft itself
- Because open source software is so widely used, attackers can exploit many vulnerabilities. These cover most critical services and their supporting infrastructures, across industries such as utilities, healthcare, transportation, government, and IT (especially traditional software, cloud services and IoT)
- The community-driven nature of open source software means no central authority is responsible for its quality control and maintenance
- Because open source code may be copied and cloned, versioning and dependencies are particularly complex and can be hard to follow
- Open source is vulnerable to developer attack, wherein attackers can become maintainers of open source projects and introduce malware

Given all these factors, especially how complex and intertwined open source software can be, it’s fair to say that building and securing open source software must be a community-oriented and -supported effort.

The OpenSSF home page states that its first group of technical initiatives will include the following areas of focus:
- Vulnerability Disclosures
- Security Tooling
- Security Best Practices
- Identifying Security Threats to Open Source Projects
- Securing Critical Projects
- Developer Identity Verification

The site also offers related security resources from the OSSC (an analysis of the Open Source ecosystem in PDF format), the Linux Foundation’s CII (a discussion of vulnerabilities in the Internet core), and Red Hat’s Product Security Risk Report, to help readers get started on understanding open source threats and mitigation approaches and strategies. The OpenSSF GitHub repository is also likely to be of great interest.

What is the Kiuwan response to the formation of the OpenSSF?

Kiuwan welcomes the formation of the OpenSSF and Microsoft’s participation and leadership role in that initiative. Because open source is such an important part of application development, the Kiuwan team is excited to see community initiatives that are focused on improving the security of open source projects. Information and collaboration are key tools in combating the proliferation of security threats. Kiuwan solutions currently support OWASP, the Open Web Application Security Project, as well as FS-ISAC, the Financial Services Information Sharing and Analysis Center, and Kiuwan is open to additional opportunities for promoting application security.

How does Kiuwan acquire open source software vulnerability and security data?

Kiuwan draws its OSS data primarily from the NIST NVD (National Institute of Standards and Technology’s National Vulnerability Database), with a handful of additional feeds.

How does Kiuwan obtain implementation recommendations and best practices […]

Embarcadero RAD Studio Architect at the Price of Enterprise

Contact us for further information: vanzari@d-data.ro

The promotions come early this year! The Architect edition at the price of the Enterprise edition = smart savings. Until 31 December 2020, Embarcadero’s holiday offer lets you save significant budget and get the Architect edition at the price of the Enterprise edition, together with additional solutions worth over $12,000, including:
- Sencha ExtJS Professional license: Create your perfect web-enabled front end using JavaScript and ExtJS.
- InterBase ToGo mobile deployment license: Add data storage to your apps with this zero-maintenance, encrypted, embeddable database.
- RAD Server multisite deployment license: Perfect for your microservices architecture backend ($5,000+ value).
- AquaData Studio license: Powerful database modeling and design (full InterBase support).
- FmxLinux bundling with Delphi and RAD Studio now available.
- 1-year term key for Ranorex Studio: Automate your VCL UI testing.

The Architect edition is intended for teams that develop and deploy complex solutions, build web clients with JavaScript technology, test their applications and secure the architecture of the databases integrated into their applications. Contact our team for promotional prices for the Delphi and C++ Builder IDEs!

Terms & Conditions:
- The offer is valid until 31 December 2020.
- The offer is valid on the purchase of: RAD Studio 10.4 Sydney Architect Edition; Delphi 10.4 Sydney Architect Edition; C++ 10.4 Sydney Architect Edition; named user, network named, and concurrent licenses.
- This offer is not available on the purchase of: renewals; academic editions.
- This offer cannot be accumulated or combined with other current offers.
- Embarcadero reserves the right to modify, cancel or postpone this offer at any time.
- This offer does not apply where it contravenes local legislation. Additional restrictions may apply.

How to apply the discount: contact your local partner, or purchase online. The maintenance renewal price after 12 will be the full price of the Architect edition.

Free Web Components Promo

Contact us for further information: vanzari@d-data.ro

FREE Web Components Pack + 15% discount! Until 13 February 2021, when you purchase the Enterprise or Architect editions of RAD Studio or Delphi, choose one of the three web components as a gift:
- IntraWeb lets you develop applications in Desktop mode and deploy them as WEB or JavaScript applications without additional plug-ins.
- TMS Web Core is an advanced framework for creating WEB applications in RAD Studio.
- UniGui lets RAD Studio users create, model and verify web applications in the IDE using a unique set of visual components.

Choose any of the above and get it FREE when you purchase the RAD Studio / Delphi Enterprise or Architect editions! This offer combines the best web development solutions for RAD Studio, and you can choose the one you prefer. Add visual, RAD web-client-based development options alongside the Windows and multi-platform development options offered by RAD Studio. Contact our team for promotional prices for the Delphi and C++ Builder IDEs!

Terms & Conditions:
- This promotional offer CANNOT be accumulated or combined with other offers.
- This offer applies ONLY to the purchase of new Enterprise/Architect edition licenses.
- This offer is NOT VALID for online orders; contact your local partner for a quote.
- This offer does NOT APPLY to upgrades from the Professional edition.
- This offer does NOT APPLY to renewals or academic licenses.
- Only ONE web component is available per purchase; the quantity of components offered corresponds to the number of RAD Studio licenses purchased.
- The offer is valid until 13 February 2021.
- The web components must be requested by 19 February 2021.

Introduction to Cyber Threat Intelligence

Published November 11, 2020. WRITTEN BY ED TITTEL.

Simply put, threat intelligence – also known as cyber threat intelligence, or CTI – is information that is collected, analyzed, organized, and refined to provide insight, input, and advice about potential and current security threats or attacks that could pose potential or actual risks to an organization. CTI covers a wide range of information sources and can involve reports of attacks obtained from security telemetry in cybersecurity software, from researchers conducting experiments, and even from automated security testing tools (e.g. fuzzing) that automate repeated variations on accepted or expected inputs into systems and software.

Threat intelligence feeds: free and open source

Gathering and providing threat intelligence often occurs in the form of various “feeds.” These are continuous, ongoing streams of data about threats that incorporate information items about newly discovered threats along with updates and amendments to information about known existing threats. Threat intelligence feeds are an important part of modern cybersecurity best practices, and may include information about countering or working around individual threats (often called “remediation advice”).

In general, threat intelligence feeds fall into two broad categories. First and most widely consumed are those identified as free or open source security feed options. These are available to all interested parties and may be consumed without incurring costs for their uptake and use (though they are subject to licensing conditions about which prospective consumers should make themselves aware). Searching the Web for “best open source threat intelligence feeds” is a good way to identify such things, given that there are hundreds of such feeds from which cybersecurity service and software providers and interested organizations can choose. Here’s an example “Top 10 List” from D3 Security:

Kiuwan draws much of its Open Source Security data from the NIST NVD (National Vulnerability Database), which is another widely used and respected free and open source security feed.

Threat intelligence feeds: commercial options

Working with free, open source intelligence feeds involves a wide-open, no-holds-barred outlook on coverage, content, and quality. Working with such feeds requires a fair amount of work to separate the wheat from the chaff – that is, to filter out inputs and information that are not relevant to the exposures and vulnerabilities actually present in one particular organization or another. Commercial CTI feeds let customers – who can pay upwards of US$1,500 a month per feed for such access – establish and maintain filtering criteria to make sure they see only information of direct and immediate relevance to the hardware, software, and systems present in their organizations. According to the technology comparison and rating company CompariTech, the top 6 such producers are as follows:

The interesting thing about threat feed consumption is that most such feeds come in multiple tiers – at progressively higher monthly costs – and really target enterprise-scale organizations and security service and software providers. Unless you have a team of security researchers and analysts (and a sizable budget to support their direct and indirect costs, including commercial security feeds) this will be more than most organizations are willing to […]
