
Cybersecurity Insights with Contrast CISO David Lindner | 12/2


Insight #1

"The fact that log4j is used in ~64% of Java applications and only 50% of those have updated to a fully fixed version means attackers will continue to target it and in many cases be successful in exploiting this vulnerability. With the recent OMB-22-18 directive it is going to make it much more difficult for these organizations to hide their data about using vulnerable third-party components like log4j, but at least for now, attackers are going to continue to have a field day in finding paths to exploit through log4j."
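Insight #1 turns on whether a deployment is actually running a fully fixed log4j-core build, which is something an inventory script can answer directly. The Python below is an added example, not part of this post or Contrast's tooling: it finds log4j-core jars under a directory, reads each jar's version from its embedded Maven pom.properties (falling back to the filename), and compares it with the end-of-series fix for its Log4j 2 release line. The floors used (2.17.1, with 2.12.4 and 2.3.2 for the Java 7 and Java 6 lines) are my assumption of what "fully fixed" means here, since the post gives no version numbers, and the jars built in demo() are constructed, not real artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed "fully fixed" floor per Log4j 2 release line (the post names no versions;
# these are the December 2021 end-of-series fixes). Lines not listed use 2.17.1.
FIXED_FLOOR = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}

def parse_version(text):
    """Return (major, minor, patch) or None; pre-release suffixes are ignored."""
    m = VERSION_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_fully_fixed(version):
    """True if a log4j-core version is at or above the fixed floor for its line."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return False  # Log4j 1.x (end of life) and unparsable strings: not fixed
    return v >= FIXED_FLOOR.get(v[:2], (2, 17, 1))

def log4j_core_version(jar_path):
    """Read the version from the jar's embedded Maven metadata, else from its name."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.match(r"log4j-core-(.+)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None

def scan_jars(root):
    """Return (jar name, version, fully_fixed) for every log4j-core jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = log4j_core_version(jar)
        findings.append((jar.name, version, bool(version) and is_fully_fixed(version)))
    return findings

def demo():
    """Constructed sample jars (not real artifacts) so the scanner can run offline."""
    root = Path(tempfile.mkdtemp())
    for version in ("2.14.1", "2.12.4", "2.17.1"):
        with zipfile.ZipFile(root / f"log4j-core-{version}.jar", "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\n")
    return scan_jars(root)
```

The scanner does not unpack jars nested inside WARs, EARs or fat jars, so point it at an exploded deployment or extend it before treating its output as a complete inventory.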

Insight #2

"There are currently just over 68 CVEs released per day in 2022 (per https://CVE.icu). Even the best security testing in the world cannot find all of these and notify you of them. What we have learned on the one-year anniversary of Log4j is that teams must rely on real-time protection for their applications to protect against zero days such as the issue with log4j. This is no different than some of the technologies released in the *nix systems years ago like DEP and ASLR. These runtime protections were designed to completely stomp out certain types of vulnerabilities and prevent attacks. The same technology exists for applications, and it is called RASP (runtime application self-protection). RASP provides zero-day protection immediately and should be one layer to the security onion in your toolbox."

Insight #3

"The top priority for all CIOs for 2023 should be cybersecurity, and more specifically securing your software ecosystem."
David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.