Posts labelled Cyber Vulnerabilities

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

Windows PCs at Risk as SteelFox Malware Targets Driver Vulnerabilities
Security researchers warn that attackers are using malware to compromise Windows systems, mining cryptocurrency and stealing sensitive information from the infected devices. The latest Kaspersky security report counts tens of thousands of infected endpoints. The cybercriminals distribute fake cracks and activators for commercial software products such as Foxit PDF Editor, JetBrains tools and AutoCAD, which they sell to users.

The fake cracks bundle a vulnerable driver, WinRing0.sys. Installing it reintroduces two known flaws, CVE-2020-14979 and CVE-2021-41285, onto the victim's system; both are roughly three years old and let the attacker escalate privileges to the highest possible level.

SteelFox is a malware package designed to mine cryptocurrency and steal credit card details with SYSTEM privileges, obtained through the "bring your own vulnerable driver" (BYOVD) technique. On forums and torrent trackers the bundle's droppers pose as crack tools that activate legitimate copies of software such as Foxit PDF Editor, JetBrains and AutoCAD.

State-sponsored threat actors and ransomware groups are known to exploit vulnerable drivers to escalate privileges and evade detection; the technique now appears in information-stealing malware as well. According to Kaspersky researchers, the SteelFox campaign was discovered in August of this year, but the malware has been active since February 2023 and has been distributed through various channels (torrents, blogs and forum posts) in the past few weeks.

The Rhadamanthys information stealer has been available for some time, but since July 2024 an updated version has been delivered in an ongoing phishing campaign built around copyright-infringement themes. Check Point tracks this large-scale cybercrime campaign under the name CopyRightAdamantys. It targets the U.S., Europe, East Asia and South America, among other regions.

According to the company's technical analysis, the campaign impersonates dozens of companies; each email is sent from a different Gmail account and is tailored to the targeted entity in both the company impersonated and the language used. Almost 70% of the impersonated companies are from the entertainment, media, technology and software sectors.

One element of the attacks stands out: the deployment of Rhadamanthys stealer version 0.7, which, as Recorded Future's Insikt Group described early last month, is used to perform optical character recognition. Cisco Talos, an Israeli company that specializes in cyber security, disclosed last week that a campaign had been targeting users of Facebook business and advertising accounts in Taiwan, delivering the Lumma or Rhadamanthys information stealers.

The RAR archive contains three components: a legitimate executable vulnerable to DLL side-loading, a malicious DLL containing the stealer payload, and a decoy document. Once the binary is executed, it sideloads the DLL, which sets up the environment in which Rhadamanthys is deployed. Based on the scale of the campaign, the variety of lures and the volume of emails sent, Check Point assesses that the threat actors likely used artificial intelligence tools to spread the malware, and attributes the activity to a possible cybercrime group.

"It seems likely that this campaign was orchestrated by a financially motivated cybercrime group and not a nation-state actor, particularly given the large number of organizations across multiple regions targeted in this campaign," the analysis continues. "In addition to its global reach, the use of automated phishing tactics, and the use of a variety of lures, this campaign demonstrates how attackers continue to enhance their success rates."

As part of these findings, Kaspersky also revealed a full-featured crimeware bundle dubbed SteelFox, which has been spreading via forum posts, torrent trackers and blogs, passing itself off as legitimate utilities such as Foxit PDF Editor, JetBrains and AutoCAD in order to steal personal information. Over the last two years the campaign has claimed victims in nearly 50 countries, most of them in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India and Sri Lanka.

At this point no known threat actor or group has been associated with the attack. Security researcher Kirill Korchemny said: "Delivered via sophisticated execution chains, notably shellcode, this type of malware abuses both Windows services and drivers in an attempt to accomplish its objectives." The stealer component, he added, is used to collect details about the victim's device as well as credit card information.

The infection starts with a dropper that mimics cracked versions of popular software. When run, it requests administrator permissions and drops a next-stage loader which, in turn, establishes persistence and launches the SteelFox module. According to Kaspersky, although SteelFox's C2 domain is hardcoded, the malware conceals its infrastructure by rotating between multiple IP addresses and resolving them over DNS over HTTPS. SteelFox attacks have no specific targets, but they focus on users of AutoCAD, JetBrains and Foxit PDF Editor.

Kaspersky's telemetry shows the malware compromising systems in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India and Sri Lanka, among others. Researchers describe SteelFox as a new and potent threat: a sophisticated crimeware bundle targeting Windows PCs through vulnerable drivers. Still relatively new, it demonstrates advanced functionality and appears to be the work of a skilled C++ developer who has integrated multiple external libraries to extend its capabilities.

In a related development, analysts from FortiGuard Labs have reported another malicious software framework, Winos4.0. Embedded in game-related applications, this advanced framework is engineered specifically to target Windows users. An evolved version of the Gh0st RAT malware, Winos4.0 lets attackers remotely execute a range of actions, giving them substantial control over compromised systems. Its infection process is particularly deceptive.

It spreads through game-related applications, such as installation utilities and performance enhancement tools, designed to appeal to gamers and other Windows users. Once an individual downloads and installs one of these compromised applications, a seemingly harmless BMP file is retrieved from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file, initiating the malware’s operations. 

In its initial phase, Winos4.0 sets up an environment for deploying further modules and establishes persistence on the infected machine by modifying system registry keys or creating scheduled tasks. Through this multi-stage infection process, Winos4.0 builds a durable foothold on affected devices, opening avenues for continuous exploitation and control.

New Windows Vulnerability CVE-2024-6768 Triggers Blue Screen of Death on All Versions of Windows 10 and 11

A recently uncovered Windows vulnerability, known as CVE-2024-6768, has raised alarm among cybersecurity experts due to its potential to cause widespread disruption by triggering the dreaded blue screen of death (BSOD) on a range of Windows operating systems. Discovered by cybersecurity researchers from Fortra, this vulnerability impacts all versions of Windows 10 and Windows 11, as well as Windows Server 2022, even if they have received the latest security patches. 

The flaw lies in the Common Log File System (CLFS) driver, which fails to properly validate a specially crafted input and, as a result, calls the KeBugCheckEx function, producing the infamous BSOD. The vulnerability is significant because it can be triggered by a user with no administrative privileges: by using a specially crafted file, a malicious actor can crash the system, leading to potential data loss and disruption of services. Although the attack vector is local rather than remote, the ease with which the flaw can be triggered raises concerns about its impact. The vulnerability is graded as medium risk because local access is required, but the consequences of exploitation—especially in environments with multiple users—are severe.

The discovery of CVE-2024-6768 dates back to December 2023, when Fortra initially reported the issue to Microsoft, providing a proof-of-concept (PoC) exploit. Despite Fortra’s efforts to demonstrate the vulnerability across various systems, including those with the latest security updates, Microsoft was unable to reproduce the flaw and therefore did not prioritize a fix. Fortra continued to provide evidence, including screenshots, videos, and memory dumps, but Microsoft remained unresponsive, ultimately closing the case in February 2024. In June 2024, frustrated by the lack of progress, Fortra announced its intention to pursue a Common Vulnerabilities and Exposures (CVE) designation and publish its findings. 

The vulnerability was officially cataloged as CVE-2024-6768 in July 2024, and Fortra planned to release its research publicly in August 2024. The report highlights the vulnerability’s potential to be exploited by low-privileged users to crash systems, which could be particularly damaging in multi-user environments or where system stability is crucial. Microsoft, for its part, has downplayed the severity of the issue, stating that the vulnerability does not meet its criteria for immediate servicing. The company noted that an attacker would need to have already gained code execution capabilities on the target machine and that the vulnerability does not grant elevated permissions. 

However, the lack of a workaround or mitigation has left many organizations concerned about the potential impact of this flaw. While the average Windows user may not be significantly affected by CVE-2024-6768, the vulnerability poses a serious risk to businesses and organizations that rely on stable and secure systems. The possibility of a low-privileged user crashing a system without warning could lead to significant operational disruptions, especially in environments where uptime is critical. For these organizations, the absence of a timely fix from Microsoft is a cause for concern, and they may need to take additional precautions to safeguard their systems. 

In conclusion, the discovery of CVE-2024-6768 underscores the ongoing challenges in maintaining the security and stability of widely used operating systems. As Microsoft considers whether to release a fix, the vulnerability serves as a reminder of the importance of proactive cybersecurity measures and the need for organizations to remain vigilant in the face of evolving threats.

Hacking Group Exposes Pentagon IT Provider's Documents
A person familiar with the matter said that hackers stole internal documents from Leidos Holdings Inc., one of the largest IT service providers to the US government. Leidos recently discovered the theft and believes it stems from a previously disclosed breach of a Diligent Corp. system the company was using at the time, said the person, who asked not to be named because the matter is internal. Leidos is currently investigating the issue, the person added.

A highly regarded contractor, Leidos counts the Defense Department, the Homeland Security Department and NASA among its clients, as well as other national and international government agencies. According to a filing in Massachusetts dated June 2023, Leidos used the Diligent system to store information gathered during internal investigations. Leidos has reportedly declined to comment on the stolen information.

The Pentagon, the Department of Homeland Security and NASA did not immediately respond to requests for comment. Bloomberg News found files purportedly from Leidos posted on a cybercrime forum, but details in those files had been redacted, so Bloomberg could not verify their authenticity. A Diligent spokesperson said the leak and its source appear to be related to a 2022 hack of Steele Compliance Solutions, a company Diligent acquired in 2021.

At that time fewer than 15 customers, including Leidos, were using the product, according to the company. In a data breach notice filed in Massachusetts on November 11, 2022, Diligent disclosed the breach to Leidos after discovering the data leak. An unauthorized party had exploited a weakness in Diligent's platform to download documents, possibly as early as September 30 of that year.

A third-party intruder exploited a second vulnerability on or around October 1, 2022, gaining access to data submitted through Leidos' enterprise case management system (ECMS), hosted by Diligent, as well as personal information submitted via the system. Earlier reports had linked the leak to Steele Compliance Solutions, a Diligent subsidiary acquired in 2021, and placed the origin of the breach there.

Mergers and acquisitions bring disruption, and sensitive information is transferred between the two companies, giving hackers a prime opportunity. An FBI report published in 2021 forecast that cybercriminals would target organizations during "time-sensitive financial events" such as mergers and acquisitions to extract sensitive information. On February 9, 2023, Leidos received notification of a second data leak, which prompted an investigation into a possible security breach.

The investigation found that the affected documents contained personal information, and the defence contractor offered victims two years of identity theft protection so they could guard against identity theft. Leidos confirmed that the leak was caused by a 2023 incident at a third-party vendor for which all necessary notifications had already been made.

According to the Pentagon defence contractor, “our network or any sensitive customer data was not affected by the incident.” At the time of the incident, the product in question was being used by fewer than 15 customers, including defence contractor Leidos, as reported by the company. In a data breach notice filed in Massachusetts on November 11, 2022, Diligent Corporation disclosed the breach to Leidos after discovering unauthorized access to its data. The breach involved an unauthorized party exploiting a vulnerability in Diligent's platform to download documents. 

It is believed that this exploitation may have occurred as early as September 30, 2022. A subsequent intrusion was identified around October 1, 2022, where a third-party attacker exploited a second vulnerability. This allowed the intruder to access data submitted through Leidos' Enterprise Case Management System (ECMS), which was hosted by Diligent, and personal information submitted via the system. Previous reports had indicated that the data leak was associated with Steele Compliance Solutions, a subsidiary of Diligent acquired in 2021 and that this subsidiary was the origin of the breach. 

Mergers and acquisitions often involve transferring sensitive information between companies, creating opportunities for cybercriminals to exploit these transitions. An FBI report published in 2021 anticipated that cybercriminals would target organizations during "time-sensitive financial events," such as mergers and acquisitions, to extract sensitive information. On February 9, 2023, Leidos was notified of a second data leak, which triggered an investigation into a potential security breach. 

The investigation revealed that the compromised documents contained personal information. In response, Leidos offered two years of identity theft protection to allow affected individuals to protect themselves against identity theft. Leidos confirmed that the data leak was caused by an incident in 2023 that affected a third-party vendor. The company assured that all necessary notifications had been made in the past and emphasized that neither their network nor any sensitive customer data were impacted by the incident.

Time to bring order to Cyber Chaos

In today's digital era, businesses are embracing rapid changes to enhance efficiency, but with it comes a surge in cybersecurity challenges. Last year saw a staggering 29,000 new IT vulnerabilities reported globally, emphasising the need for a strategic approach. 
 
The Challenge: Businesses face overwhelming data and fragmentation issues, operating across intricate networks that make it challenging to identify vulnerabilities. With interconnected systems, a vulnerability in one device can lead to widespread disruption, creating a need for effective risk management. 
 
Information Overload: 
 
The National Vulnerability Database reported over 25,000 vulnerabilities in 2022 alone, causing information overload for organisations. It's unrealistic for firms to patch everything; they can only address 5-20% of identified vulnerabilities per month. Prioritisation becomes crucial, focusing on the most critical vulnerabilities in real-time. 
 
The Need for Change: 
 
Traditional risk prioritisation methods need to be revised in complex network ecosystems. Shadow IT, data obsolescence and outdated asset inventories worsen the confusion. A new approach is essential to adapt to the evolving cyber landscape. 
 
Solution: Risk-Based Vulnerability Management (RBVM) 
 
RBVM shifts from the traditional tick-box approach to a nuanced method. It evaluates vulnerabilities based on severity and the organisation's unique context, industry, and operations. RBVM provides a holistic network view, integrating with existing security tools and utilising threat intelligence for dynamic prioritisation. 
 
Effective RBVM is not just about tools; it relies on people managing vulnerabilities. Establishing responsibilities, fostering accountability, and ensuring coherent team efforts are vital. People, processes, and tools together transform vulnerability chaos into manageable order. 

Businesses must align vulnerability management with compliance and regulatory requirements. The Common Vulnerability Scoring System (CVSS) 4.0 emphasises a granular framework, but relying solely on CVSS scores may lead to misguided priorities. Smaller organisations balance reactive and preventive measures, while larger enterprises delve into asset management and threat intelligence. 
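To make the point about CVSS-only prioritisation concrete, here is an added example (not from the article or any RBVM product) that ranks a constructed set of findings two ways: by base score alone, and by a risk score that folds in asset criticality, exposure and threat intelligence. The identifiers, asset names and weights are assumptions for illustration.

```python
"""Risk-based ranking of findings versus CVSS-only ranking.

Added example: the findings, asset metadata and weights below are constructed and
illustrative; they are not scanner output or data from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder identifiers, not real CVE numbers
    asset: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    asset_criticality: int   # 1 (lab machine) to 5 (crown-jewel system), from the asset inventory
    internet_exposed: bool   # reachable from outside the perimeter
    exploit_public: bool     # threat intel: working exploit code is publicly available
    exploited_in_wild: bool  # threat intel: active exploitation has been observed


def risk_score(f: Finding) -> float:
    """Combine severity with organisational context and threat intelligence.

    The weights are assumptions chosen so that a medium-CVSS flaw on an exposed,
    critical, actively exploited asset outranks a 'critical' flaw on an isolated
    test machine; a real programme would tune them to its own risk appetite.
    """
    severity = f.cvss / 10.0                             # 0.0 .. 1.0
    context = 0.5 + 0.5 * (f.asset_criticality / 5.0)    # 0.6 .. 1.0
    if f.internet_exposed:
        context *= 1.5                                   # reachable by anyone
    intel = 1.0
    if f.exploit_public:
        intel += 0.5
    if f.exploited_in_wild:
        intel += 1.0                                     # strongest signal: it is being used
    return 100.0 * severity * context * intel


def rank_by_cvss(findings):
    """The 'tick-box' order: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """The RBVM order: highest contextual risk first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def monthly_workload(findings, capacity_fraction):
    """Return the slice a team can actually fix this month (the article cites 5-20%),
    taken from the top of the risk-ranked list rather than the CVSS-ranked one."""
    n = max(1, round(len(findings) * capacity_fraction))
    return rank_by_risk(findings)[:n]


# Constructed sample inventory: five findings across five assets.
SAMPLE = [
    Finding("VULN-A", "lab-vm",          9.8, 1, False, False, False),
    Finding("VULN-B", "customer-portal", 6.5, 5, True,  True,  True),
    Finding("VULN-C", "hr-database",     7.5, 4, False, True,  False),
    Finding("VULN-D", "build-server",    8.8, 3, False, False, False),
    Finding("VULN-E", "vpn-gateway",     5.3, 5, True,  True,  True),
]

if __name__ == "__main__":
    print("CVSS order:", rank_by_cvss(SAMPLE))
    print("Risk order:", rank_by_risk(SAMPLE))
    print("Fix this month (20% capacity):", monthly_workload(SAMPLE, 0.2))
```

The two orderings are almost exact inverses: the 9.8 on the isolated lab machine drops to last, while the 6.5 on the exposed, actively exploited customer portal comes first.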
 
Successful RBVM adoption requires efforts across the business. Aligning C-level strategy, streamlining IT processes, and fostering a culture of knowledge sharing create resilience in the face of cyber threats. 
 
Navigating the complex cyber world therefore demands a simplified yet comprehensive approach. By embracing RBVM, businesses can effectively manage vulnerabilities, protect against cyber threats, and build a strong defence system for the future.

Best Cybersecurity Practices to Instill in Your End-Users

A recent study on password reuse found that it remains a major security threat to companies worldwide: 64% of people continue to use passwords that have been exposed in a breach.

As we spend a large amount of our time online, working from our own systems, we also end up sharing our personal data over the internet, since we are becoming more reliant on it for our daily services.

It has become extremely important to protect our sensitive data from cybersecurity threats. Poor password hygiene by end-users can put your organization at great security risk, and also make your company’s sensitive data vulnerable to cyber-attack. 

To prevent cybersecurity attacks, a company should build a defense that starts with educating employees. The security awareness program should cover phishing and social engineering, access, passwords, connections, device security, physical security, and so on.

Cybersecurity awareness training will help employees to become more aware, and knowledgeable against the latest cybersecurity threats targeting end-users. 

There are various ways to protect your system but these 5 security practices are indispensable to prevent cybersecurity threats and to train your employees. 

1. Don’t leave information unprotected

The company should encourage employees to lock their systems when they are not around. Leaving your screen unlocked could increase the risk of someone viewing or accessing important data. 

2. Enforce password policy compliance 

It should be mandatory for employees to comply with the organization's password policy. The organization should enforce length and complexity requirements and also block passwords that appear in lists of over 3 billion known breached passwords.

3. Utilize MFA whenever possible 

The organization should make multifactor authentication (MFA) mandatory for end-users logging into work applications, and also for changing or resetting their passwords.

4. Use a password manager 

A password manager is recommended not only for individual end-users; its shared-vault features also prevent insecure password sharing between employees.

5. Data Privacy and Storage Policies 

Encouraging employees to follow data storage best practices, as well as implementing a zero-trust framework in your organization, ensures none of your end-users are unknowingly putting your data at risk.
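Practice 2 above is the one that can be enforced in code. The following added example (not from the article) implements a password policy check that combines length and complexity rules with a breached-password lookup done in the k-anonymity style used by public breached-password services, where only the first five hex characters of the SHA-1 hash ever leave the client. The breach corpus, counts and threshold values are constructed assumptions.

```python
"""Password policy check: length and complexity rules plus a breached-password lookup.

Added example, not from the article. The breach corpus is constructed (a few weak
passwords with made-up counts) and stands in for a multi-billion-entry list. The
lookup follows the k-anonymity range-query pattern: the client hashes locally, sends
only the 5-character hash prefix, and matches the remaining suffix itself.
"""
import hashlib
import string
from collections import defaultdict

MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3    # out of: lowercase, uppercase, digits, symbols

# Constructed breach corpus: password -> number of times seen in breaches.
_BREACHED = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty123": 800_000,
    "Summer2024!!": 1_200,    # satisfies length and complexity, yet breached
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-char hash prefix -> {35-char hash suffix: count}
BREACH_INDEX: dict = defaultdict(dict)
for _pw, _count in _BREACHED.items():
    _h = _sha1_hex(_pw)
    BREACH_INDEX[_h[:5]][_h[5:]] = _count


def range_query(prefix: str) -> dict:
    """Simulated server endpoint: return every suffix sharing the 5-char prefix.
    The server never learns which suffix, if any, the client was interested in."""
    if len(prefix) != 5 or any(c not in string.hexdigits for c in prefix):
        raise ValueError("prefix must be 5 hex characters")
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = _sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    count = sum(1 for cls in classes if any(c in cls for c in password))
    if any(c not in string.ascii_letters + string.digits for c in password):
        count += 1               # anything that is not a letter or digit is a symbol
    return count


def check_password(password: str) -> tuple:
    """Return (accepted, problems). Every rule is evaluated so the user sees all failures."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears in known breaches ({seen} times)")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ["123456", "Summer2024!!", "correct-horse-battery-staple-42"]:
        print(candidate, check_password(candidate))
```

The second candidate is the instructive one: it passes every composition rule and is rejected only because the breach lookup knows it.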

Pentagon to Unveil Zero-Trust Cyber Strategy


The U.S. Department of Defense is preparing to publish a zero-trust strategy in the coming days. The aim is to reach a new level of cybersecurity as cyber threat groups constantly advance their methods of targeting key organizations.

Following the announcement, Pentagon Chief Information Officer John Sherman said on Monday that he approved the new plan last Thursday and that it is now going through the public review process. He added that the documents will be out very soon.

The department had previously said the new cybersecurity framework would be unveiled in September; it seeks to put the Defense Department on a path to what is referred to as a “targeted” level of security by the year 2027.

David McKeown, deputy chief information officer for cybersecurity, said at the Billington Cybersecurity Summit, “We have a definition of what it takes to check the box and fulfill that particular capability. Those 90 capabilities are going to get us to what we’re calling targeted zero trust.” 

The framework is being prepared on the seven pillars of zero trust and comprises more than 100 activities including applications, automation, and analytics, to keep critical data secure. The Pentagon has increasingly been focusing on a zero-trust framework because it assumes a network is always at risk of being exposed to threats and it is a necessity that all users should be authenticated and authorized. 

“A key tenet of a zero trust architecture is that no network is implicitly considered trusted — a principle that may be at odds with some agencies’ current approach to securing networks and associated systems and all traffic must be encrypted and authenticated as soon as practicable,” according to the memorandum. “A couple are at the 90% level for meeting those targeted zero trust capabilities. So we’re really excited about that, that we have those three offerings. The fact that we’re pointing to the cloud continues our strategy overall in the department to increase our cloud utilization and it also furthers the federal government’s goal of increasing cloud utilization.”

The department also explained that the framework includes three methods to target zero trust goals which include uplifting each service and agency’s current environment to satisfy the 90 capabilities and implementing a zero trust cloud on-premises that meets the highest level of zero trust.


A Matrix Update Patches Serious End-to-End Encryption Flaws

The maintainers of the open source Matrix messaging protocol recently published security advisories about two critical-severity vulnerabilities affecting end-to-end encryption in its software development kits (SDKs).

According to the advisory, malicious actors exploiting these vulnerabilities could break the confidentiality of Matrix communications. The vulnerabilities also allow threat actors to run man-in-the-middle attacks that expose message contents in readable form.

According to the technical details, clients built on matrix-js-sdk, matrix-android-sdk2 and matrix-ios-sdk, such as Element, Cinny, SchildiChat, Beeper, Circuli and Synod.im, are affected by the bugs. However, the platform clarified that clients using a different encryption implementation (such as Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks and Pantalaimon) are safe from the attacks.

The vulnerabilities were reported to Matrix by researchers from Brave Software, the University of Sheffield and Royal Holloway, University of London, who published the technical details of their findings.

List of the critical severity flaws discovered by the team:

  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. The same flaw makes it possible for malicious home server admins to add backup keys to the target's account.
  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
  • CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients).
  • CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk leading to accepting keys forwarded without request, making impersonation of other users in the server possible. Clients mark these messages as suspicious on the recipient's end, thus dropping the severity of the bug.
  • CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients).

Furthermore, the report lists two problems that have yet to receive an identification number. One of these allows malicious actors access to the home server, and the second concerns the use of AES-CTR.
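The CVE-2022-39249 entry describes the root cause as accepting room keys that were forwarded without ever being requested. The added example below (not matrix-js-sdk code, and a deliberately simplified model of the SDK's data structures) shows the trust decision a client can make on an incoming forwarded key: a forward nobody asked for is never trusted, and even a requested one is trusted only when it came from one of the user's own verified devices. Device identifiers, keys and the no-downgrade rule are assumptions for the model.

```python
"""Trust decision for a forwarded Megolm room key, modelled on the rules behind the
CVE-2022-39249 fix.

Added example, not matrix-js-sdk code and not the SDK's actual data structures.
Two rules from the advisory's description are enforced: a forwarded key this device
never requested is not trusted, and a requested key is trusted only when forwarded
by one of the user's own verified devices. Device keys and identifiers are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"        # messages decrypted with this key display normally
    UNTRUSTED = "untrusted"    # decrypt, but flag the messages as possibly spoofed


@dataclass(frozen=True)
class Device:
    user_id: str
    device_id: str
    curve25519_key: str        # the device's identity key
    verified: bool             # verified by the user (e.g. via SAS or cross-signing)


@dataclass(frozen=True)
class ForwardedRoomKey:
    """Subset of an m.forwarded_room_key event as received by this client."""
    room_id: str
    session_id: str
    sender_key: str            # claimed identity key of the original session owner
    forwarder_key: str         # identity key of the device that sent us this forward


@dataclass
class KeyStore:
    own_devices: dict                              # curve25519_key -> Device (this user's)
    pending: set = field(default_factory=set)      # (room_id, session_id) we have asked for
    sessions: dict = field(default_factory=dict)   # (room_id, session_id) -> Trust

    def request_key(self, room_id: str, session_id: str) -> None:
        """Record an outgoing m.room_key_request so a matching reply can be recognised."""
        self.pending.add((room_id, session_id))

    def on_forwarded_key(self, fwd: ForwardedRoomKey) -> Trust:
        key = (fwd.room_id, fwd.session_id)
        forwarder = self.own_devices.get(fwd.forwarder_key)

        if key not in self.pending:
            # Unsolicited forward. The vulnerable behaviour was to accept it as if the
            # owner of sender_key had sent it, which is what allowed impersonation.
            trust = Trust.UNTRUSTED
        elif forwarder is None or not forwarder.verified:
            # Requested, but the forwarder is not one of our own verified devices.
            trust = Trust.UNTRUSTED
        else:
            trust = Trust.TRUSTED
        self.pending.discard(key)

        # Model assumption: a session already held as trusted is never downgraded by a
        # later, weaker forward of the same session.
        if self.sessions.get(key) is Trust.TRUSTED:
            return Trust.TRUSTED
        self.sessions[key] = trust
        return trust


# Constructed devices belonging to the local user @alice:example.org.
ALICE_LAPTOP = Device("@alice:example.org", "LAPTOP", "KEY_ALICE_LAPTOP", verified=True)
ALICE_OLD_PHONE = Device("@alice:example.org", "OLDPHONE", "KEY_ALICE_OLDPHONE", verified=False)
ROOM = "!room:example.org"


def demo() -> dict:
    """Run the cases that matter and return the trust decision for each."""
    store = KeyStore({d.curve25519_key: d for d in (ALICE_LAPTOP, ALICE_OLD_PHONE)})
    results = {}
    # 1. Nobody asked, yet a key arrives from a verified own device: still untrusted.
    results["unsolicited"] = store.on_forwarded_key(
        ForwardedRoomKey(ROOM, "S1", "KEY_BOB", "KEY_ALICE_LAPTOP"))
    # 2. Requested and answered by our own verified device: trusted.
    store.request_key(ROOM, "S2")
    results["own_verified"] = store.on_forwarded_key(
        ForwardedRoomKey(ROOM, "S2", "KEY_BOB", "KEY_ALICE_LAPTOP"))
    # 3. Requested, but answered by an unknown device (someone else on the server).
    store.request_key(ROOM, "S3")
    results["unknown_device"] = store.on_forwarded_key(
        ForwardedRoomKey(ROOM, "S3", "KEY_BOB", "KEY_STRANGER"))
    # 4. Requested, answered by our own but unverified device.
    store.request_key(ROOM, "S4")
    results["own_unverified"] = store.on_forwarded_key(
        ForwardedRoomKey(ROOM, "S4", "KEY_BOB", "KEY_ALICE_OLDPHONE"))
    # 5. A later unsolicited forward of S2 does not downgrade the trusted session.
    results["no_downgrade"] = store.on_forwarded_key(
        ForwardedRoomKey(ROOM, "S2", "KEY_BOB", "KEY_STRANGER"))
    return results


if __name__ == "__main__":
    for case, trust in demo().items():
        print(f"{case:15s} -> {trust.value}")
```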

How Often do Developers Push Vulnerable Code?

In a recent research report, Synopsys stated that 48% of organizations deliberately push vulnerable code in their application security programs because of time constraints. The survey was based on responses from more than 400 U.S.-based developers working at organizations that currently have CI/CD tools in place.

The survey report, titled “Modern Application Development Security”, examined how well security teams understand modern development and deployment practices, and where security controls are required to lower the risk.

According to the survey, 60% of respondents said their production applications had been exploited via OWASP Top 10 vulnerabilities in the past 12 months, and 42% of developers push vulnerable code once per month.

The research found that certain organizations knowingly push vulnerable code without a thorough understanding of the security risks they are taking. Under intense delivery pressure, employees do not see fixing the code as part of their responsibility.

Developers play a very important role in application security, but the report found that they lack the skills and training: nearly one-third (29%) of respondents said developers within their organization lack the knowledge to mitigate the issues identified by their current application security tools. Further, the report said that developers fix only 32% of known vulnerabilities.

The researchers also proposed ways to fix vulnerabilities more efficiently. A third of reported vulnerabilities are noise; to reduce false positives, scans must have access to all of the required data so that security tools can accurately determine whether a vulnerability actually exists. Reducing security noise will allow developers to address security issues confidently and on time.

Following the research, Tromzo CTO Harshit Chitalia said, “These findings show that developers regularly ignore security issues, but can we really blame them? Security teams are bombarding them with an endless stream of issues that need to be addressed with no way for them to separate what’s actually critical from all the noise, all while they are expected to release software more frequently and faster than ever before…” 

“…If we want developers to truly implement security, we must make it easy for them. This means integrating contextual and automated security checks into the SDLC so we can transition from security gates to security guardrails,” he added.