Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In this final part, we'll discuss more software supply chain security frameworks and the critical role of secrets detection in them. We'll explore the NIST SSDF, SLSA, and OSC&R frameworks and how they cover the topic of secrets in software supply chain security.

It's early in the morning on an unseasonably warm Tuesday in October. You're checking your email as you enjoy your first cup of coffee or tea for the day, and you almost do a spit-take when you read that OpenSSL has a forthcoming release to fix a CRITICAL vulnerability. Immediately, visions of Heartbleed pop into your head.

Bank of America is a massive worldwide financial institution that works with hundreds of thousands of customers. The organization relies on NCB Management to collect debts and manage past-due accounts. A recent data breach at NCB Management compromised nearly half a million Bank of America customers and may have put them at risk from fraud and identity theft. Get the details about this attack to learn what potential damage may have occurred and what you can do about it if your data is involved.

Towards the end of 2020, a new vulnerability in MongoDB was found and published. The vulnerability affected almost all versions of MongoDB, up to v4.5.0, but was discussed and patched appropriately. The vulnerability, CVE-2020-7928, abuses a well-known component of MongoDB, known as the Handler, to carry out buffer overflow attacks by way of null-byte injections.

The financial services industry is undergoing a sea change in how it does business. Today their customers expect 24×7 access, self-service convenience, apps that eliminate the need to visit brick-and-mortar locations, and always-available customer service accessed via phone, email, and the internet. Making things even more challenging, financial sector leaders are embracing cloud technologies to save costs, support real-time analysis, and offer more personalized customer experiences.

Electrical grid security has been getting a lot of attention recently. It started fairly quietly, and then when it was a featured story on a news program, it rose to the top of the collective consciousness. However, the news stories that followed were focused entirely on the physical vulnerabilities of the US power grids. Few, if any stories covered the cybersecurity angle of securing the grids.

Microsoft’s security advisory on Mercury and DEV-1084 and a report linking Russian hackers to attacks against NATO and the EU.

Microsoft 365 (formerly Office 365) is a Software-as-a-Service (SaaS) that offers a cloud-based version of its popular software productivity suite, including MS Word, Excel, PowerPoint, Outlook, and OneNote. In contrast, Azure Active Directory (Azure AD) is an Infrastructure-as-a-Service (IaaS) that offers a cloud-based version of Active Directory to control identity management and access to virtual resources across an organization.

Organizations spend billions of dollars on cybersecurity tools and consultants each year. Beyond traditional tools like firewalls, antivirus software, and System Information and Event Management (SIEM), it is easy to get caught up in sophisticated threat detection using artificial intelligence, machine learning, user behavior and analytics.

If there’s one thing we learned in our years of building AppSec technology, it’s that the best tools in the world are useless if they don’t get used. We know from speaking with our customers and industry research that developers won’t use AppSec tools that make their lives harder. Forcing them into cumbersome processes, or making them switch tools and learn a new user interface, will likely lead to AppSec neglect in favor of hitting development deadlines.