In the News
Featured
06/13/2024
Microsoft’s Brad Smith acknowledges past security failures, outlines new initiatives
Not everyone was as harsh on Microsoft’s previous mistakes. Jeff Williams, co-founder and chief technology officer at application security software platform provider Contrast Security Inc., noted that “while it’s pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture.”
“The unfortunate reality is that software is far more complex than most people understand,” he said. “A single application is built from dozens of source code repos, hundreds of open-source libraries, multiple application frameworks, server software and often multiple language platforms. And Microsoft has tens of thousands of applications, each of which has vulnerabilities reported all the time by tools, penetration testers, customers and more.”
07/12/2024
GitLab Fixes Security Flaw That Lets Attackers Run Pipeline Jobs
Contrast Security CISO David Lindner said this vulnerability is something administrators need to take notice of, and heed GitLab’s advice to upgrade immediately.
“This is REALLY bad, as it effectively turns off access controls for running pipelines, which is the lifeblood of moving software from development to production,” Lindner wrote in an email. “This vulnerability could allow unauthorized users to execute pipeline jobs as any other user, which in turn could enable attackers to run malicious code, access sensitive data and compromise software integrity.”
07/12/2024
Unauthorized content alteration bug found in NSA platform
The U.S. National Security Agency's open-source SkillTree training platform on GitHub has been impacted by a medium severity cross-site request forgery vulnerability, tracked as CVE-2024-39326, which could be leveraged to facilitate unauthorized modifications of training content, SiliconAngle reports.
07/11/2024
GitLab patches 2nd critical pipeline vulnerability in last month
The critical vulnerabilities CVE-2024-6385 and CVE-2024-5655 could put developers’ projects at risk by enabling attackers to “run malicious code, access sensitive data and compromise software integrity,” Contrast Security CISO David Lindner told SC Media.
“This is REALLY bad, as it effectively turns off access controls for running pipelines, which is the lifeblood of moving software from development to production,” Lindner sai
07/11/2024
GitLab Ships Update for Critical Pipeline Execution Vulnerability
In an emailed comment to SecurityWeek, Contrast Security CISO David Lindner warned that successful exploitation of the bug “could enable attackers to run malicious code, access sensitive data and compromise software integrity”.
07/10/2024
What's Bugging the NSA? A Vuln in Its 'SkillTree' Training Platform
"SQL injection is something that would be very well known to developers, because for it to occur, the developer has to send data to a database, and so the developer's doing something consciously," explains Contrast researcher Joseph Beeton. "Unlike SQL injection, CSRF is almost outside of application. It's in the browser."
And, he adds, "There are lots of types of requests that aren't vulnerable to CSRF. The SkillTree application had dozens, maybe hundreds of endpoints, and only a couple were vulnerable."
07/10/2024
CSRF Vulnerability in NSA’s SkillTree Training Platform Discovered by Contrast IAST
Contrast Security Assess — Contrast’s Interactive Application Security Testing (IAST) Application Security (AppSec) technology — has uncovered a vulnerability in a training platform called SkillTree that’s maintained on GitHub by the National Security Agency (NSA).
06/19/2024
Microsoft under fire for recent cybersecurity lapses
06/12/2024
Why malware matters most: 6 ways to foil software threats faster
Larry Maccherone, DevSecOps transformation architect at Contrast Security, said the problem with find-and-fix is that there isn't enough fixing being done. He cites the theory of constraints: "A big part of the intellectual foundation of DevOps, [it] tells us that improvements made anywhere besides the bottleneck in a process are waste." So you then must ask yourself: where are the bottlenecks? "For all of cybersecurity, it’s in the application and API security domain compared to all the other cybersecurity domains, which actually get more investment."
Within the app and API security domain, the bottleneck is not in detecting vulnerabilities — it’s in resolving them, Maccherone said. "The way we do app and API security today is fundamentally broken in large part because it focuses on detection, leaving resolution to a later exercise that we don’t get to," he said.
"You are a thousand times better off if you found fewer things but you resolved everything you found within a day of detection. Take a depth-first approach, not a breadth-first approach.”
—Larry Maccherone
06/04/2024
Hackers Claim They Breached Australian Logistics Company
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said GhostR is intent on cyber extortion via doxing. "This type of cybercrime is growing in popularity. Organizations must invest in runtime security to prevent exploitation of their databases and invest in microsegmentation and modern DLPs to minimize the impact of these intrusions," Kellermann told Information Security Media Group.
05/31/2024
Experts Warn of Security Risks in Grid Modernization
"These technologies increase the attack surface of the grid," Tom Kellermann, senior vice president of cyber strategy for the application security software platform Contrast Security, told Information Security Media Group. "Segmentation, two-factor authentication, least privilege and runtime security are imperatives for the safety of the grid." ... "The expedited process will undermine the cybersecurity preparedness of the grid," Kellermann said. "Given the increase in destructive cyberattacks being launched by rogue nation-states, cybersecurity assessments must be performed prior to projects going live."