In the News

Featured

06/13/2024

Microsoft’s Brad Smith acknowledges past security failures, outlines new initiatives

Not everyone was as harsh on Microsoft’s previous mistakes. Jeff Williams, co-founder and chief technology officer at application security software platform provider Contrast Security Inc., noted that “while it’s pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture.”
“The unfortunate reality is that software is far more complex than most people understand,” he said. “A single application is built from dozens of source code repos, hundreds of open-source libraries, multiple application frameworks, server software and often multiple language platforms. And Microsoft has tens of thousands of applications, each of which has vulnerabilities reported all the time by tools, penetration testers, customers and more.”

Read More
Microsoft’s Brad Smith acknowledges past security failures, outlines new initiatives

07/12/2024

GitLab Fixes Security Flaw That Lets Attackers Run Pipeline Jobs

Contrast Security CISO David Lindner said this vulnerability is something administrators need to take notice of, and heed GitLab’s advice to upgrade immediately.

“This is REALLY bad, as it effectively turns off access controls for running pipelines, which is the lifeblood of moving software from development to production,” Lindner wrote in an email. “This vulnerability could allow unauthorized users to execute pipeline jobs as any other user, which in turn could enable attackers to run malicious code, access sensitive data and compromise software integrity.”

Read More

07/12/2024

Unauthorized content alteration bug found in NSA platform

The U.S. National Security Agency's open-source SkillTree training platform on GitHub has been impacted by a medium severity cross-site request forgery vulnerability, tracked as CVE-2024-39326, which could be leveraged to facilitate unauthorized modifications of training content, SiliconAngle reports.

Read More

07/11/2024

GitLab patches 2nd critical pipeline vulnerability in last month

The critical vulnerabilities CVE-2024-6385 and CVE-2024-5655 could put developers’ projects at risk by enabling attackers to “run malicious code, access sensitive data and compromise software integrity,” Contrast Security CISO David Lindner told SC Media.

“This is REALLY bad, as it effectively turns off access controls for running pipelines, which is the lifeblood of moving software from development to production,” Lindner sai

Read More

07/11/2024

GitLab Ships Update for Critical Pipeline Execution Vulnerability

In an emailed comment to SecurityWeek, Contrast Security CISO David Lindner warned that successful exploitation of the bug “could enable attackers to run malicious code, access sensitive data and compromise software integrity”. 

Read More

07/10/2024

What's Bugging the NSA? A Vuln in Its 'SkillTree' Training Platform

"SQL injection is something that would be very well known to developers, because for it to occur, the developer has to send data to a database, and so the developer's doing something consciously," explains Contrast researcher Joseph Beeton. "Unlike SQL injection, CSRF is almost outside of application. It's in the browser."
And, he adds, "There are lots of types of requests that aren't vulnerable to CSRF. The SkillTree application had dozens, maybe hundreds of endpoints, and only a couple were vulnerable."

Read More
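The distinction Beeton draws above, that CSRF lives in the browser and only bites cookie-authenticated endpoints that change state, is easier to see in code. The following is an added example, not code from the article or from the SkillTree project: it models a hypothetical content-editing endpoint in its vulnerable shape (cookie authentication only) next to the same handler behind an Origin check and a per-session synchronizer token, and shows what the victim's browser actually sends when an attacker's page auto-submits a form. The endpoint path, origins, session and skill data are all constructed for the illustration.

```python
"""Why only some endpoints are CSRF-exploitable, and how a synchronizer
token plus an Origin check closes them. Hypothetical model, not SkillTree's
code; the origins, paths and data below are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://training.example.test"   # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}       # must never mutate state

SESSIONS: dict[str, dict] = {}                   # cookie value -> session
SKILLS: dict[str, str] = {"s1": "original description"}  # constructed data


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session; returns the cookie value the browser stores."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token a same-origin page embeds in its forms; foreign pages can't read it."""
    return SESSIONS[sid]["csrf"]


def session_of(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def csrf_ok(req: Request) -> bool:
    """Reject cookie-authenticated state changes a foreign page could forge."""
    if req.method in SAFE_METHODS:
        return True                     # read-only: not a CSRF target
    sess = session_of(req)
    if sess is None:
        return True                     # no ambient auth; auth layer refuses
    origin = req.headers.get("Origin")  # browsers set this on cross-site POSTs
    if origin is not None and origin != SITE_ORIGIN:
        return False
    supplied = req.headers.get("X-CSRF-Token") or req.form.get("_csrf", "")
    return hmac.compare_digest(supplied, sess["csrf"])


def update_skill_unprotected(req: Request) -> int:
    """Vulnerable shape: the cookie alone authorises the change."""
    sess = session_of(req)
    if sess is None or req.method != "POST":
        return 401
    SKILLS[req.form["id"]] = req.form["description"]
    return 200


def update_skill_protected(req: Request) -> int:
    """Same handler behind the CSRF check."""
    if not csrf_ok(req):
        return 403
    return update_skill_unprotected(req)


def forged_request(sid: str, new_text: str) -> Request:
    """What the victim's browser sends when an attacker page auto-submits a
    form: the victim's cookie rides along, Origin is the attacker's site,
    and there is no token."""
    return Request(method="POST", path="/admin/skills/s1",
                   cookies={"session": sid},
                   headers={"Origin": "https://attacker.example.test"},
                   form={"id": "s1", "description": new_text})


def legit_request(sid: str, new_text: str) -> Request:
    return Request(method="POST", path="/admin/skills/s1",
                   cookies={"session": sid},
                   headers={"Origin": SITE_ORIGIN,
                            "X-CSRF-Token": csrf_token_for(sid)},
                   form={"id": "s1", "description": new_text})


def demo() -> tuple:
    sid = login("instructor")
    SKILLS["s1"] = "original description"
    forged_open = update_skill_unprotected(forged_request(sid, "defaced"))
    SKILLS["s1"] = "original description"
    forged_closed = update_skill_protected(forged_request(sid, "defaced"))
    legit = update_skill_protected(legit_request(sid, "edited by instructor"))
    return forged_open, forged_closed, legit, SKILLS["s1"]


if __name__ == "__main__":
    print(demo())  # (200, 403, 200, 'edited by instructor')
```

The GET branch in `csrf_ok` is why most of an application's endpoints are not CSRF targets: a forged read returns the response to the victim's own browser, which the attacker cannot see. The handful that accept a cookie-authenticated write with nothing else tied to the session are the ones that need the token or the Origin check (SameSite cookie attributes are a complementary, browser-enforced mitigation).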

07/10/2024

CSRF Vulnerability in NSA’s SkillTree Training Platform Discovered by Contrast IAST

Contrast Security Assess — Contrast’s Interactive Application Security Testing (IAST) Application Security (AppSec) technology — has uncovered a vulnerability in a training platform called SkillTree that’s maintained on GitHub by the National Security Agency (NSA). 

Read More

06/19/2024

Microsoft under fire for recent cybersecurity lapses

Some observers have downplayed the degree to which Microsoft acted negligently in its handling of Harris's vulnerability reports, including Jeff Williams, co-founder and CTO at cybersecurity firm Contrast Security. Williams said the "overwhelming majority of these reports turn out to be false, unexploitable, or low risk," making it a tall order to differentiate the severe reports from the mundane ones.
"It may be a surprise to some that most large organizations, including your bank, your healthcare companies, and your government all carry huge application vulnerability backlogs," Williams said. "In most companies I talk with, the number is usually hundreds of thousands or millions of vulnerabilities that are waiting to be investigated."
While he said that the huge pile of potentially meaningless vulnerabilities that Microsoft and its peers have likely accumulated is a problem that cannot be excused, they stem from a more fundamental issue.
"We reward companies for new features, not security," Williams said. "Our governments have not mandated serious security transparency on companies or created a liability regime for software producers."
Read More

06/12/2024

Why malware matters most: 6 ways to foil software threats faster

Larry Maccherone, DevSecOps transformation architect at Contrast Security said the problem with find-and-fix is there isn't enough fixing being done. He cites the theory of constraints: "A big part of the intellectual foundation of DevOps, [it] tells us that improvements made anywhere besides the bottleneck in a process are waste." So you then must ask yourself, Where are the bottlenecks? "For all of cybersecurity, it’s in the application and API security domain compared to all the other cybersecurity domains, which actually get more investment."
Within the app and API security domain, the bottleneck is not in detecting vulnerabilities — it’s in resolving them, Maccherone said. "The way we do app and API security today is fundamentally broken in large part because it focuses on detection, leaving resolution to a later exercise that we don’t get to," he said.
"You are a thousand times better off if you found fewer things but you resolved everything you found within a day of detection. Take a depth-first approach, not a breadth-first approach.”
—Larry Maccherone

Read More

06/04/2024

Hackers Claim They Breached Australian Logistics Company

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said GhostR is intent on cyber extortion via doxing. "This type of cybercrime is growing in popularity. Organizations must invest in runtime security to prevent exploitation of their databases and invest in micro segmentation and modern DLPs to minimize the impact of these intrusions," Kellermann told Information Security Media Group.

Read More

05/31/2024

Experts Warn of Security Risks in Grid Modernization

"These technologies increase the attack surface of the grid," Tom Kellermann, senior vice president of cyber strategy for the application security software platform Contrast Security, told Information Security Media Group. "Segmentation, two-factor authentication, least privilege and runtime security are imperatives for the safety of the grid." ... "The expedited process will undermine the cybersecurity preparedness of the grid," Kellermann said. "Given the increase in destructive cyberattacks being launched by rogue nation-states, cybersecurity assessments must be performed prior to projects going live."

Read More