Cyber round-up: part three

by Mark Rowe

The Veracode State of Software Security 2023 report found that flaws accumulate over time: nearly 32 per cent of applications have flaws at the first scan, and by the time they have been in production for five years nearly 70 per cent contain at least one security flaw. Veracode has been publishing its annual report since 2010, summarising the key discoveries from its customer base.

The software firm suggests prioritising remediation early in the software development life cycle to minimise risk caused by flaw accumulation. Chris Eng, Chief Research Officer at Veracode, said: “As with all our studies, we set out to provide insights that developers can put into action right away. From this year’s findings, two important considerations emerged: how to lower the chance of flaws being introduced in the first place, and how to reduce the number of those flaws that are introduced. Aside from technical access controls, secure coding practices are all the more crucial for cybersecurity in 2023 and beyond.”

After the initial scan, apps quickly enter a ‘honeymoon period’ of stability, and nearly 80 per cent do not take on any new flaws at all for the first 1.5 years. After this point, however, the number of new flaws introduced begins to climb again to about 35 per cent at the five-year mark.

The study found that developer training, use of multiple scan types, including scanning via API, and scan frequency are influential factors in reducing the probability of flaw introduction, suggesting teams should make them key components of their software security programs. For example, skipping months between scans correlates with an increased chance that flaws will be found when a scan is eventually run. Furthermore, top flaws in apps vary by testing type, highlighting the importance of using multiple scan types to ensure hard-to-identify flaws aren’t missed.

Veracode also examined 30,000 open-source repositories publicly hosted on GitHub. Some 10 per cent of repositories hadn’t had a commit—a change to the source code—for almost six years. Eng said: “Using a software composition analysis (SCA) solution that leverages multiple sources for flaws, beyond the National Vulnerability Database, will give advance warning to teams once a vulnerability is disclosed and enable them to implement safeguards more quickly, hopefully before exploitation begins. Setting organisational policies around vulnerability detection and management is also recommended, as well as considering ways to reduce third-party dependencies.”

The cyber threat detection and response company Expel has released its Great eXpeltations 2023 report. The company says that its SOC (security operations centre) found that 23pc of BAC (business application compromise) attempts originated from suspicious MFA (multi-factor authentication) push notification activity, and 6pc of BAC attempts used push notification fatigue to satisfy MFA. In a push fatigue attack the attacker continuously sends push notifications until the employee “authorises” or “accepts” the request, allowing the attacker to satisfy MFA.

Ben Brigida, Director, SOC operations at Expel said: “Unfortunately, it’s no surprise to us that identity threat attacks (like BEC) remained a top threat to our customers in 2022—which is consistent with our 2021 findings. BEC attempts were a full 50pc of all the incidents our SOC saw, and we expect that number to grow. As such, we think every CISO and CFO should prioritise identity threats in the year ahead.

“I predict that we’ll continue to see an uptick in MFA push notification fatigue attacks. Simply put, they work, and the fact that an increasing number of organisations turn to SSO to provide access to their enterprise applications means that they’re juicy targets for attackers.”
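As an added defender-side illustration, not code from Expel or the article: a small Python detector run over constructed MFA push log lines, flagging both a burst of pushes to one user and an accept that follows repeated denials or timeouts, the signature of the push fatigue pattern described above. The log format, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: "<timestamp> <user> push <result>").
SAMPLE_LOG = """\
2023-01-10T02:14:01Z alice push DENIED
2023-01-10T02:14:20Z alice push DENIED
2023-01-10T02:14:41Z alice push TIMEOUT
2023-01-10T02:15:02Z alice push DENIED
2023-01-10T02:15:30Z alice push ACCEPTED
2023-01-10T09:00:05Z bob push ACCEPTED
2023-01-10T13:42:10Z carol push DENIED
2023-01-10T15:42:11Z carol push ACCEPTED
"""

REJECTED = ("DENIED", "TIMEOUT")


def parse_log(text):
    """Turn the sample lines into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, _, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def _by_user(events):
    grouped = defaultdict(list)
    for ts, user, result in events:
        grouped[user].append((ts, result))
    return grouped


def detect_push_burst(events, window=timedelta(minutes=10), min_pushes=4):
    """Users who received at least min_pushes pushes inside any `window`
    (an attempt in progress, whether or not the user has accepted yet)."""
    flagged = {}
    for user, evs in _by_user(events).items():
        for i, (ts, _) in enumerate(evs):
            count = sum(1 for t, _ in evs[i:] if t - ts <= window)
            if count >= min_pushes:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Users who ACCEPTED a push after at least min_rejected denials/timeouts
    inside `window`: the employee finally gave in, so MFA was satisfied."""
    alerts = {}
    for user, evs in _by_user(events).items():
        for i, (ts, result) in enumerate(evs):
            if result != "ACCEPTED":
                continue
            rejected = sum(1 for t, r in evs[:i] if r in REJECTED and ts - t <= window)
            if rejected >= min_rejected:
                alerts[user] = max(alerts.get(user, 0), rejected)
    return alerts
```

Only alice trips either rule: carol's single denial two hours before her accept is normal user behaviour, and bob's lone accept is a clean login.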

Black hat opinion

Should black hat hackers be paid a percentage of the funds they stole and face no prosecution if they return the majority of the spoils? That question was asked across cyber security firm Naoris Protocol’s social media platforms (Twitter, LinkedIn, Telegram, and Discord).

Some 48pc of people in the poll said they agree with this view, while 38pc said they disagreed, and 13pc were unsure. Those taking part in the poll work across cyber security, CeFi, DeFi and traditional Web2 and Web3, or have an interest in these areas.

The question is whether it should be an accepted practice that hackers go unprosecuted because they could be seen as performing a cyber security clean-up function. For some, this may be palatable if the hackers gave back all of whatever was stolen and provided the security fix in exchange, for a reasonable bounty fee.

Naoris Protocol says there is a strong movement supporting the role of legitimate, ethical hackers that work within the confines of a corporation’s bounty rules. Many companies are now viewing bounties as an integral part of their cyber budgets. For example, the total bug bounty market was valued at $223 million in 2020, and according to research company ATR, it’s expected to grow 54pc per year, reaching $5.5 billion by 2027.

Monica Oravcova, Co-Founder & Chief Operating Officer, Naoris Protocol said: “Letting hackers get away with their nefarious activities not only undermines the entire ethos of a decentralised financial system, but it also promotes behaviour that fosters distrust, and it will not assist in the mass adoption of blockchain and decentralised systems to replace outdated centralised processes.

“Therefore, it cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change. The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed.

“It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and will result in a destabilised market.

“The notion that it’s acceptable for a hacker to steal – and it is definitely theft – money from a protocol or platform by doing a hack and then getting paid for that malicious hack with money from the platform, could in fact incentivise hacks, making it a legitimate business practice. So just because a hacker is nice enough to return part of the funds doesn’t make it a good practice. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy to say the least.”

© 2024 Professional Security Magazine. All rights reserved.