Takeaways from OWASP Global AppSec SF 2024, covering security tools, AI risks, and strategies for improving application security while empowering developers.

We are thrilled to introduce two exciting new features to SecurePortal: Live Vulnerabilities and Chat. With Live Vulnerabilities, you can now access real-time vulnerability information as consultants identify them, significantly reducing the risk window. This enhancement enables your IT teams to begin triaging vulnerabilities within minutes, rather than waiting for the full assessment to be published. You can mark vulnerabilities as resolved as soon as they are fixed, even during an ongoing engagement.

Containerization is now an important tool for businesses that want to make their apps scalable and efficient. A lot of people use Kubernetes because it can easily manage containers in many different environments. It is the best open-source platform for handling containerized workloads and services. But Kubernetes systems can be hard to manage and keep an eye on because they are spread out and have changing workloads.

As in many companies around the world, Bitsight leadership believes that adoption and innovation through the use of artificial intelligence (AI) capabilities is crucial to the future of our company. From the top down, our employees are continually on the hunt for ways to leverage AI to improve business outcomes and customer productivity.

Almost all organizations either rely on cloud computing or are planning to adopt cloud computing technologies soon to ensure their businesses remain competitive and gain an edge over the competition. As businesses increasingly rely on cloud services to manage their operations, the complexity of these environments continues to grow, introducing new challenges in maintaining security and compliance. This is where Cloud Security Posture Management (CSPM) comes into the picture.

A new series of vulnerabilities in the Common Unix Printing System (CUPS) threatens numerous Linux systems, potentially allowing remote code execution (RCE). This affects a wide range of platforms, including Debian, Red Hat, SUSE and macOS. The vulnerabilities—tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177—are believed to endanger over 76,000 devices, with estimates suggesting up to 300,000 could be affected.

Most modern applications contain a substantial number of open source packages, libraries, and frameworks. In fact, it's estimated that at least 80% of the source code in modern applications is from open source. In addition to relying heavily on commodity components to build applications, development teams often deploy these apps and services via community-sourced container base images.

Yubico has published a survey of 20,000 people from 10 countries around the world, finding that 40% of respondents have never received cybersecurity training from their employer. Additionally, 70% of respondents said they’ve been exposed to cyber attacks in their personal lives within the past 12 months, and 50% faced cyber attacks at work.

If you’re a pentester, or a consumer of application security pentest reports, you’ll probably have come across Cross-Origin Resource Sharing (CORS) and its commonly associated misconfigurations. In either case, you’ll likely have quickly dismissed the finding because it resulted in yet another “recommendation” (a vulnerability without any impact).

The criminal prosecution of the threat actors behind the "OTP Agency" has highlighted an ingenious new tactic that cybercriminals can use to bypass multi-factor authentication. The OTP Agency launched back in November of 2019. Their service was simple: if you have a compromised credential, their service would call the credential owner and pose as the website the account was for citing fraudulent activity, and ask the owner to verify themselves by providing the one-time password (OTP) sent to them via SMS.