Dimensional Data

Published January 19, 2021 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. The SolarWinds hack was a major security breach that affected over 3,000 SolarWinds customers, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also impacted were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security. The attack, dubbed SUNBURST, involved inserting malicious code into SolarWinds’s Orion Platform software. This code created a backdoor which later was used to access customers’ networks. Experts believe the attack was instigated by hackers based in Russia who may have managed to access sensitive government data. SUNBURST is one of the most sophisticated cyberattacks in history, with malware capable of evading detection. Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats. The Attack Timeline Threat Actor Accesses SolarWinds September 4, 2019: unknown attackers access SolarWinds. September 12, 2019: the hackers inject the test code and perform a trial run. The attackers use a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attacker use multiple servers based in the US and mimick legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients. February 20, 2020: Hackers compile and deploy the SUNBURST attack. This is an updated variant of the malicious code inserted into the Orion Platform released from February 20, 2020, and beyond. June 4, 2020: the perpetrators remove the SUNBURST malicious code from SolarWinds systems. FireEye Discovers SolarWinds Attacks December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company expresses concern that the hackers would use the stolen tools to target other companies. December 11, 2020: while conducting breach investigations, FireEye discovers that SolarWinds had been attacked. They realize that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020. December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompts the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises. The News Becomes Public December 13, 2020: The Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they pose a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye discloses that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issues guidance explaining how the attack could affect its customers. The attack receives media coverage for the first time. Reuters reports that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies. Public Response Begins December 15, 2020: SolarWinds releases a software fix. The media identifies victims that include the Department of Homeland Security (DHS), the State Department, and […]

Published February 3, 2020 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel In this time of the COVID-19 pandemic, we’re all spending more time on our PCs and smartphones. It might seem odd, but The Business Research Company’s Global Online Gambling Market report asserts that online gambling has skyrocketed in 2020. This is because home-bound punters, blocked from visiting brick-and-mortar gambling dens, are turning to online gambling destinations in droves. This makes protecting games of chance — and their players — against online gambling security threats more important than ever, especially where mobile gambling security is concerned. Online gambling is in hackers’ crosshairs In June 2020, Security Boulevard published a discussion of cybersecurity for the online casino and gambling industry. It exposes a number of clear and present dangers that face online gambling developers and involve more than hack attacks (though those are also quite prevalent). Access to gambling platforms themselves can come under direct attack, but smart attackers also recognize that scamming gamblers is another avenue of more indirect attack. By stealing customer information, attackers can ultimately access their money at far less risk to themselves than a “fair game” of chance. The revenue streams involved can also be quite substantial. Grand View Research estimates the size of the global online gambling industry as $53.7 billion in 2019, and a compound annual growth rate of 11.5% is projected from 2020 to 2027, for a global market size of $127.3 billion by that year. Europe dominated the 2019 market with $22 billion in receipts, but the US appears headed for the top in the short term, with Grand View Research projecting its market size at nearly $103 billion by 2025. The Asian market is also coming on strong, as more online venues that serve its populations keep appearing. Cryptocurrency payments are becoming the norm in gambling apps and applications, as online gambling and casino operators switch to Bitcoin and its various counterparts. From a security standpoint, cryptocurrency is attractive because gamblers need not enter their personal data during deposits, and blockchain systems are nearly hack-proof. In addition, cryptocurrency transaction fees are much smaller (sometimes zero) than for a traditional payment method such as credit or debit cards, bank account access, and so forth. Deposits and withdrawals are faster, too, while maintaining player anonymity. More players means more attack vectors Desktop PCs, with their larger monitors and display areas, still dominate online gambling by user count. But as smartphone size and resolution have increased over the past decade, momentum is shifting toward mobile users. Mobile online gambling applications are looking for traction, with more variety in deposit options for playing funds, loyalty points, and interactive play with others around the globe. Mobile technology continues to exert a massive influence on online gambling. Trends such as social gambling and a proliferation of mobile gambling applications signal oncoming changes in gambling habits and practices. Given that somewhere between a third and half of the global population has ready access to a smartphone, casinos and online gambling organizations are investing ever more heavily in gaming applications, especially […]

Published January 28, 2021 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. The Kiuwan team is excited to announce the availability of our latest release, with new features for both cloud and on premise customers. Kiuwan is a fast, reliable and scalable Application Security and Enterprise Software Analytics solution. Kiuwan includes several tools for management and development that identify and guide remediation of security vulnerabilities in source code. These tools support the implementation of critical shift-left strategies that many companies desire today. Fluent in major programming languages and frameworks, Kiuwan allows extensions and customization for customer-specific needs and integrates with leading DevOps IDEs and tools, in an on-premise or SaaS model. Support for custom components in Kiuwan Insights As requested by our customers, Kiuwan Insights now supports custom artifacts, allowing the creation and maintenance of custom artifacts along with their associated licenses and vulnerabilities. This allows Kiuwan users to identify the use of custom artifacts stored in their own repositories and to track their use in their development, and signal during Insights analysis vulnerabilities added to the application, license issues, and obsolescence caused by the use of these custom components. Custom components, licenses, and vulnerabilities can be added and modified both through the UI and the REST API. With this new functionality, customers will be able to have a complete view of the components used either public or private, avoiding the need to track custom components out of Kiuwan. Engine tuning pack The Kiuwan engine is able to perform source code analysis on a wide variety of programming languages. It parses source code into memory structures, and these structures are checked with rules to identify quality and security issues. Each customer has their own way of using their languages and libraries, so we rely on continual feedback from our customers in order to continuously improve the quality and performance of our analysis to benefit customers. This engine tuning pack incorporates new cases and includes widely requested small enhancements. Add new detection rules or improve existing rules to find more security vulnerabilities in code Updates to reduce some of the false positives returned by the product Performance improvements Revisions to our security and protection rules for more accurate results Improvements to our discovery elements for Oracle, HTML5, and Javascript allowing for greater security detection Language parsing improvements for more language coverage Update language levels Additional bug fixes and improvements Documentation for this release is available in the product documentation repository. For a full list of additional bug fixes and improvements, refer to our Change Log. How to get the new release The new release is available immediately to our Cloud customers. Access the new version via the customer portal. Customers using the On-Premises version of Kiuwan should reach out to their account representative for an updated license key. Would you like to know more Kiuwan solutions? Get in touch with our Kiuwan team! We love to talk about security.

Published January 19, 2021 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. The SolarWinds hack was a major security breach that affected a software company serving over 3,000 companies, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also attacked were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security. The attack, dubbed SUNBURST, involved inserting malicious code into the firm’s Orion Platform software and using it to access clients’ networks. Experts believe the attack was instigated by hackers based in Russia and may have managed to access sensitive government data. It is one of the most sophisticated cyberattacks in history, with malware capable of evading detection. Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats. The Attack Timeline Threat Actor Accesses SolarWinds September 4, 2019: unknown attackers access SolarWinds. September 12, 2019: the hackers inject the test code and perform a trial run. The attackers used a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attacker used multiple servers based in the US and mimicked legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients. February 20, 2020: Hackers compile and deploy the SUNBURST attack. This was an updated variant of the malicious code inserted into the Orion Platform released from February 20, 2020, and beyond. June 4, 2020: the perpetrators removed the SUNBURST malicious code from SolarWinds systems. FireEye Discovers SolarWinds Attacks December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company was concerned that the hackers would use the stolen tools to target other companies. December 11, 2020: while conducting breach investigations, FireEye discovered that SolarWinds had been attacked. They realized that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020. December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompted the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises. The News Becomes Public December 13, 2020: The Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they posed a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye disclosed that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issued guidance explaining how the attack could affect its customers. The attack got media coverage for the first time. Reuters reported that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies. Public Response Begins December 15, 2020: SolarWinds released a software fix. The media identified victims to include the Department of Homeland Security (DHS), the State Department, and the National […]

Published January 14, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. Today’s organizations, both big and small, are finding that security activities consume more resources than ever before. Cyber criminals are getting better all the time, and staying just one step ahead of them is getting harder. But it’s not just more sophisticated criminals; organizational growth, increased infrastructure complexity and expanding compliance requirements also require more time, people and technology to avoid becoming a victim of a cybersecurity breach. Security used to be focused on physical access to facilities and resources, or adding layers of logical controls to protect software and data. However, security concerns of the 21st century don’t fit into nice buckets anymore. Security concerns affect every aspect of an organization’s operations and should be an integral driver of strategic planning. Information security used to be a good idea to include “if there is time.” Then it became more important as cyberattackers became more sophisticated at leveraging vulnerabilities. Now, information security is an integral component organizational strategic viability. It is just as important as fiscal integrity and product quality. Executives have become acutely aware of the impact of poor information security on their organization’s profitability and longevity. A lack of security focus at the executive level could easily result in hefty fines for non-compliance, punitive rulings after finding liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of undervaluing information security is too great to ignore. To address the growing awareness of information security’s importance to strategic planning, many larger organizations now include a Chief Information Security Officer (CISO) in the executive suite. A CISO provides executive leadership guidance on keeping organizations secure and compliant. But with the average median salary for a CISO being over $200,000, many companies cannot afford their own CISO. The need is still there, but the budget doesn’t allow for a full-time person in that position. However, there is an attractive alternative. Organizations that lack the budget for a CISO are increasingly turning to an outsourced solution: the virtual CISO, or vCISO. Let’s look at what a vCISO does and how one can benefit small and medium-sized businesses. Benefits of a vCISO A vCISO is generally a cybersecurity professional who works part-time offering security services to multiple organizations, working for several throughout any year. This job-sharing approach gives organizations access to a CISO without having to hire one full time. The vCISO fills several needs through different types of services, including: Cybersecurity guidance to executives Security readiness assessment Compliance alignment recommendations (for HIPAA, GDPR, PCI-DSS, CCPA and dozens more) Remediation prioritization Security architecture guidance Incident response Governance Business continuity A vCISO helps organizations transition from viewing security as a tactical requirement to a strategic one. This transition isn’t an easy one without support from the top. That’s the most important role of a vCISO: to solicit and ensure ongoing support of security from the very top of the organization’s leadership. The strategic nature of a vCISO’s approach to security isn’t in contrast to existing security activities or other organizational goals. The vCISO should help ensure […]

Published May 19, 2020 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel In this age of lockdowns, social distancing and working from home, organizations must think carefully about how to extend their networks and services across the internet and into employees’ and contractors’ homes. This makes remote access security management both a timely and an imperative topic, because it has become the norm for many companies and organizations this year. If we are to believe even the most optimistic of vaccine deployment scenarios, our pandemic situation is likely to persist for at least another six to nine months. That said, many experts think that working from home is the new normal, so even once it’s safe for us all to be together in an office again, there may be no office to go back to. The old ways of working mostly within a secure organizational perimeter are on the way out, so we need to update our security operations for the new reality. How does remote access work? In the simplest of terms, remote access requires that users employ a remote device of some kind to establish a connection to an organizational service. The connection is a communication link that spans the internet from the client or user side to a server or service inside the firewall. For example, Microsoft includes both an old-line application, Remote Desktop Connection, and a new-style Universal Windows Platform (UWP) app, Remote Desktop, in Windows 10. Both use Microsoft’s Remote Desktop Protocol (RDP) to establish a remote connection between a client PC (user device) on one side and a host PC or server (server device) on the other side. Thus, the elements of remote access include the following: A remote access client or application that lets the end-user request access to a remote resource of some kind A remote connection that connects the end-user to the resource, and vice versa A remote host or service to which an end-user can connect, and from which they can request information, services, resources and so forth Securing remote access means securing all elements For a company or organization to meet best security practice requirements for remote access, all elements involved in remote access must be secure. Here’s a checklist of items and capabilities that fall under this large and far-ranging umbrella: Before users obtain remote access, they must be identified and authenticated. The best form of security for identity and authentication nowadays relies on two-factor authentication (2FA) or better, where a user’s cellphone serves admirably to provide a separate channel for ID and authentication traffic, as well as providing a tangible token of identity in and of itself. The client software that users employ for remote access should themselves be secure and free from known technical vulnerabilities or susceptibilities to attack through social engineering. Users working remotely need basic security awareness training to keep them from inadvertently disclosing what the organization wants kept confidential – namely, their account and password information, among other sensitive data. The client software must also be scanned for vulnerabilities (preferably at high frequency, if not continuously) […]

Published December 17, 2020 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. Productivity rates are critical to success in any industry. That is true of software products, too, that not only need to be efficiently produced but secure from cyberattacks as well. If you’re considering how to improve your software team’s productivity, then you will want to know the top threats impacting software development team productivity and how to solve them. The following paragraphs address six of them. 1. The Need for Speed The enemy of quality software development is often the unrealistic and impossible deadlines set by project managers. The sleight of hand happens this way: In response to client requests, managers often press developers for delivery estimates. They often push for the lowest possible delivery estimates. The mistake they make, though, comes when they consider those delivery estimates to mean delivery deadlines agreed upon by the developer team. Managers pass along the “deadlines” to senior management, leaving developers feeling stressed, and leading to the developers’ inability to perform at optimum levels. It comes down to managing the client’s expectations. Take the time to make sure that the client understands that a slower work pattern due to rigorous testing results in a better quality product. That communication and understanding can make a world of difference for the development team. 2. Poor Code Quality  Poor code quality appears in various forms. It may mean code that is difficult for other developers or team members to read and therefore affects the ability to make necessary changes. It may mean that the development team rushed to meet deadlines and, in doing so, released the software without testing and without fixing any bugs that existed, or that they could have prevented. Poor code quality decreases production agility and impacts the project’s development over the long-term. Code quality is positively impacted by: Following code standards Testing code Selecting a project manager to monitor project quality. 3. Outdated Technology   Updated technology helps employees do their jobs more efficiently, saves valuable project time, generally keeps customers satisfied, and provides businesses a leg up over their competitors. Successful development teams have the modern tools they need to work quickly and securely.  Price Waterhouse Cooper (PWC) conducted a study of 12,000 people in Canada, China, Hong Kong, the US, the UK, India, Germany, and Mexico. The participants worked in roles ranging from the C-Suite to administration and in various industries. PWC found that 90% of C-Suite Executives believe they take into account the technology their people need to do their jobs. Only 53% of their workers said the same. And while 92% of the C-Suite Execs were satisfied with their company’s experience with the technology provided to carry out the most important projects, only 68% of their workers felt the same way. It’s easy to understand the disconnect. When technology fails, C-Suite Execs hand the problem to someone else to solve. The worker bees are left to deal with the aftermath of outdated technology. 4. The CI/CD Pipeline  As the name implies, the CI/CD Pipeline consists of two components: CI and CD. Continuous integration (CI) refers to the software development practice that requires frequent code checks during software development and producing small code changes as the team discovers them. […]

Published December 11, 2020 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. Without a doubt, the COVID-19 pandemic has had a massive impact on the financial services landscape. Not only did businesses have to tweak their entire operations under safety regulations, but they also had to contend with a growing list of cybersecurity threat-actors, given the rapid adoption and usage of online apps.  According to data from App Annie, there was a 20% increase in time spent on mobile apps in the first quarter of 2020. At the same time, consumers embraced online banking, social media, and online shopping like never before. All of these created more cybersecurity risks. To avoid exploitation and compromise of sensitive data, information, technology, and security leaders need to view app security through a new pair of lenses. This should include a defense plan that considers the remote workforce, significantly reduced IT budgets, and limited access to AppSec talent.  Read on as we explore a dynamic plan to boost your cyber protection in a post-pandemic world.  1. Data breaches Mobile banking malware risk has worsened, especially now that bad actors leverage uncertainty and fear surrounding the pandemic. Recent research from Malwarebytes shows that mobile banking malware has spiked in recent months, infiltrating weakened home networks and mobile devices to access highly-sensitive corporate applications. These malware solutions are only focused on one job: stealing client information. What CIOs and CISOs can do: The best place to start is identifying and remediating the security vulnerabilities in your application before it’s too late.  Plan to conduct application security vulnerability scanning with a tool like Kiuwan. Remember, a data breach could set back the company some millions of dollars, which is why you should never leave your mobile app security to chance. 2. Identity theft Credential stealing has spread around the US almost as effectively as the COVID-19 pandemic. Since the bulk of the workforce has switched to working remotely, black-hat cyber criminals’ attacks have grown exponentially.  Credential theft is the leading cause of fraud in financial services, and with credential-stealing malware such as EventBolt19 and Cerberus being increasingly widespread in 2020, the risk has never been greater. What CIOs and CISOs can do: The post-pandemic world presents a new opportunity for CIOs to protect employees from the claws of identity theft. The best defense should focus on building authentication solutions that focus on ‘who you are’ rather than ‘something you have’ (passwords).  That said, consider installing next-level biometric solutions such as thumbprint/fingerprint, iris, voice, retina, and facial recognition technologies. With biometrics, cybercriminals’ attempt at impersonating anyone of your team members just got a lot more difficult than trying to break into passwords or PINs. 3. Ransomware attacks  Even after the pandemic, ransomware will remain one of the most significant cyber threats facing financial institutions. Statistics show that financial services will still be the second most targeted sector for ransomware attacks, only trailing healthcare. Successful ransomware attacks reveal not only endpoint vulnerabilities but also act as a starting point for myriad other problems. For example, a breach could lead to huge monetary loss. But most importantly, businesses that don’t proactively protect against attacks will likely suffer from damaged loyalty and reputational risk. Yet this is only the tip of the iceberg. Other repercussions of ransomware attacks are weakened employee morale and the need to dig deeper into […]

Published December 9, 2020 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. Cybersecurity is getting a lot of attention, from the break room to the board room. Few weeks pass without another salacious story in the media about a new large-scale data breach, ransomware outbreak or other attack designed to disrupt normal life.  Cybercriminals know what they are doing, and they’re able to succeed in their goals with uncomfortable regularity. Those goals are increasingly focused on enterprise applications due to the large number of access opportunities that are supposed to support end-users and internal personnel. For example, last year 62 US colleges were targets of cyberattacks that exploited their enterprise resource planning (ERP) system vulnerabilities. Cybercriminals constantly search for easy targets. Expanding complexity, growing numbers of users and partners, and rapidly emerging exploits make security an elusive target. Learning about the most common security gaps found in software, why those gaps really matter, and how to close them can make you less likely to be the next big victim. Instead of approaching security by being as secure as you can be, a better approach is to just be as secure as you need to be. That’s a subtle difference, but the outcome of the latter can be similar to the goal of the former, with much less effort and expense. Let’s cover some rudimentary aspects of security and a basic approach that balances security with budget and effort.  The lure of low-hanging fruit In this article I’m focusing on general cybercriminals who are looking for financial gain. They don’t care who their next victim is. Other types of cybercriminals, such as disgruntled (possibly former) personnel, “hacktivists,” or other people who are targeting your specific data or intellectual property are more determined and motivated to succeed. But here, we’re talking about cybercriminals looking for any victim, so they mainly want a quick and easy attack. Using the path of least resistance is a good thing. The easiest and cheapest path to the bottom line is most commonly the desirable path. Of course, there are reputational impacts and other obstacles that affect the decision-making process, but there is always some appeal to the path of least resistance. Cybercriminals spend a lot of effort identifying the easiest targets. What does this have to do with your security? One important key to being as secure as you need to be is simply avoiding being a hacker’s “low-hanging fruit.” Most cybercriminals use automated scanners to find potential victims they can attack without much work. They look for well-known vulnerabilities that their potential victims haven’t addressed. Cybercriminals know that keeping security controls current takes time and effort, and many organizations have “more important” tasks than hardening systems and networks. This gap between known vulnerabilities and implemented controls defines the sweet spot that cybercriminals are looking for. The best defense from most cybercriminals is to just be secure enough to not be worth their effort. This approach to cyber defense simply means that you should learn about the most common vulnerabilities and fix those first. If you have more budget to go further, that’s great. But at […]

Published December 2, 2020 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. As business management expert Peter Drucker once put it: “If you can’t measure it, you can’t improve it.” This quote feels right in place in the world of application security. Many CISOs are finally starting to give SAST tools and other approaches the attention they deserve. However, the only way to know if your approach works is by using app security and quality analytics.  While there are many security metrics you can track and assess, choosing the ideal ones for your company is of paramount importance. It’s the best way for CISOs, developers, and other stakeholders to gauge the application’s effectiveness and improve its efficiency. Why Application Security Analytics Matter Arguably the most important part of any application security plan is determining the key data analytics to track. For instance, many CISOs want to see a drop in the number of new malware attacks targeting an application (making this an important analytic to track). A drop in this figure over time shows an improvement in secure coding practices within the team. Allowing your security professionals to have access to real-time analytics is also important. It goes a long way to improving their efficiency.  Some of the analytics they should access with ease includes: Data regarding the type of threats being identified How they are discovered And the time it takes to remedy them.  Another thing to remember is that there is both direct and indirect analytics you can track. Direct analytics gauge the security of the program itself, such as the exact number of known threats. Indirect analytics go above and beyond the program and, instead, target practices, tools, and people. A blend of direct analytics and indirect analytics paints the most accurate picture of how your application security (AppSec) tools work. Without these analytics, CISOs will attempt to secure their programs blindly, with limited capacity to deliver quality business outcomes. Six AppSec Analytics To Improve Application Security & Quality 1. Total number of application threats and their severity This is arguably the most vital application security and quality metric for your organization.  It’s prudent to know the exact number of weaknesses present in an app, and more importantly — just how severe each threat is. Severity depends on the effect the weakness can have on the app (and the company at large) and how often it is likely to happen. The best way to pinpoint the biggest weaknesses is to leverage the outcomes from Dynamic Application Security Testing (DAST) tools and Static Application Security Testing Tool (SAST) tools like Kiuwan. Click here to read more about these testing tools. SAST tools single out potential threats in the source code, while DAST tools show you which of these weaknesses can actually lure attackers. Leveraging results from both SAST and DAST tools will enable you to draft a list of the weaknesses that pose the most significant threat to the program. Better yet, your team can use these analytics to identify issues that require immediate remediation. 2. Number of new threats detected In agile software development, new releases and updates are quite common. It’s vital to know the exact number of new threats discovered when a program is deployed. This analytic helps CISOs keep better track […]