
How Reachability Analysis Is Streamlining Security for Developers

Over the past few years, AI assistants have made coding easier for developers: one can quickly write code and push it to GitHub, among other platforms. But with so much automation going on, the risk of coding vulnerabilities has also increased, and the vast majority of that generated code contains security flaws. Application security teams now face a flood of vulnerability reports, and Snyk has found that 31% of these reports are outright false positives, adding to the teams' burden.

In such cases, many teams turn to a method called reachability analysis, which helps security experts screen out the noise and work only on the vulnerabilities that could actually be exploited, that is, those in code an attacker can reach. Since on average only 10% to 20% of imported code is even used by an application, this approach cuts the number of reported vulnerabilities that developers have to fix in half. Joseph Hejderup, technical staff member at Endor Labs, demonstrated this approach at SOSS Community Day Europe 2024 and explained how it makes vulnerability reports more actionable.


False Positive Overload

The biggest problem in application security is false positives. The faster teams ship code, the more issues security tools flag that are not actually a risk. According to Snyk, 61% of developers believe that automation is driving the increase in false positives. For security teams, sorting through hundreds or thousands of reported vulnerabilities across numerous projects becomes a daunting task.

According to Randall Degges, head of developer relations at Snyk, reachability analysis helps by narrowing down exactly which vulnerabilities are really dangerous. This reassures security teams, since they can now focus on issues in code that is actually executed. Filtering out the vulnerabilities that attackers cannot reach cuts companies' remediation work by as much as 60%. And as OX Security research put it, in some cases teams even reduced the workload by nearly 99.5%, improving the developer experience.


Reducing developer friction

It's not just about workload reduction, but rather reporting fewer, more accurate vulnerabilities back to developers, says Katie Teitler-Santullo, a cybersecurity strategist at OX Security. "Tools that focus on real risks over bombarding developers with false alerts improve collaboration and efficiency," she says.

The hardest part is eliminating the noise that security tools produce, so that developers can keep pace with the speed of development while still delivering a secure solution. Focusing on reachability ensures that the reported vulnerabilities are really relevant to the code being worked on, allowing developers to tackle the key issues without being paralysed by information overload.


Two Approaches to Reachability Analysis

There are two primary ways of performing reachability analysis. The first is static code analysis: the code itself is analysed and a graph of function calls is constructed to determine whether the vulnerable code can be executed. This method works but is not failsafe, since some functions may only be called under specific conditions.

The second approach instruments the application to track code execution at runtime. This gives a live snapshot of which parts of the code are actually being used, so it is immediately clear whether an identified vulnerability poses an actual threat.
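As an added illustration (not code from the article, Endor Labs or any vendor it names), the following Python sketch shows both approaches on a constructed sample program: a call-graph walk that reports `vendor.parse` as reachable from `handle` even though the call sits behind a condition, and a `sys.settrace`-based runtime check that reports whether a given input actually executed it. All names (`vendor.parse`, `handle`, `load`) are made up for the example.

```python
import ast, sys, types
# Constructed sample app (not from the article); `vendor.parse` stands in for
# a dependency function that a scanner flagged as vulnerable.
APP_SOURCE = '''
def load(path):
    return "<payload/>" if path.endswith(".xml") else "{}"
def handle(path):
    data = load(path)
    if path.endswith(".xml"):
        return vendor.parse(data)   # flagged call, taken on one branch only
    return data
'''
VULNERABLE = "vendor.parse"

def build_call_graph(source):
    # Static approach: map each top-level function to the callees it names.
    graph = {}
    for fn in ast.parse(source).body:
        if isinstance(fn, ast.FunctionDef):
            for node in ast.walk(fn):
                if isinstance(node, ast.Call):
                    graph.setdefault(fn.name, set()).add(ast.unparse(node.func))
    return graph

def statically_reachable(graph, entry, target):
    # DFS over the call graph; a call guarded by a condition still counts.
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn == target:
            return True
        if fn not in seen:
            seen.add(fn)
            stack.extend(graph.get(fn, ()))
    return False

def executed_at_runtime(source, entry, arg, target):
    # Runtime approach: trace which functions this input actually executes.
    def parse(data):  # stub standing in for the flagged dependency function
        return "parsed"
    ns = {"vendor": types.SimpleNamespace(parse=parse)}
    exec(source, ns)
    called = set()
    def tracer(frame, event, _):
        if event == "call":
            called.add(frame.f_code.co_name)
    sys.settrace(tracer)
    ns[entry](arg)
    sys.settrace(None)
    return target.rsplit(".", 1)[-1] in called
```

The static check says `handle` can reach the flagged function regardless of input, while the runtime check only reports it for inputs that actually take the `.xml` branch, which is the over-approximation the text describes.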

While current reachability analysis tools mainly focus on whether code is executed, the future of this technology lies in determining whether vulnerable code is actually exploitable. According to Hejderup, the next step toward making security testing even more effective is combining reachability analysis with exploitability analysis.

Finally, reachability analysis offers an effective solution to the problem of vulnerability overload, because it allows security teams to discard extraneous reports and focus only on reachable, exploitable code. This approach reduces workloads and fosters better collaboration between security and development teams. As companies adopt this way of working, application security testing will become more refined, so that only the most crucial vulnerabilities are flagged and fixed.

Reachability analysis may not be a silver bullet, but it is a useful tool in an era when code is developed and deployed faster than ever, and when the risks of ignoring security have never been higher.


Cybersecurity Leaders Launch OSC&R, An Open Framework for Analyzing Threats


OX Security launches OSC&R

OX Security, the first end-to-end software supply chain security solution, recently announced the launch of OSC&R (Open Software Supply Chain Attack Reference), the first and only open framework for evaluating and understanding current threats to the security of the entire software supply chain.

Talks with hundreds of industry leaders revealed an urgent need for a MITRE-like framework that would let experts better understand and evaluate supply chain risk, a process that to date has relied only on experience and intuition. OSC&R is built to give a common language and structure for analyzing and understanding the TTPs (tactics, techniques, and procedures) that threat actors use to compromise the security of software supply chains.

Dark Reading reports, "The founding consortium of cybersecurity leaders behind OSC&R include David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies."

How does OX Security work?

OSC&R is now ready for use by security teams to analyze existing defenses, define which threats need to be addressed first and how existing coverage deals with them, and track the behavior of threat actor groups.

Hiroki Suezawa, Senior Security Engineer at GitLab, said: "OSC&R helps security teams build their security strategy with confidence. We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions."

The OSC&R framework in OX Security

The OSC&R framework will be updated as new techniques and strategies evolve and emerge. It will also support red-teaming activities by defining the scope of a red team or pentest exercise and serving as a scorecard. The framework is also open to contributions from other cybersecurity experts and leaders.

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive. Without an agreed-upon definition of the software supply chain, security strategies are often siloed," said Neatsun Ziv, who also worked as Check Point's VP of Cyber Security before founding OX.

About OX Security

OX Security believes that security must be at the core of the software development process, not an afterthought. It stops attacks across your software supply chain, automatically blocking risks introduced into the pipeline and ensuring the integrity of each workload, all from a single location.

It provides complete visibility and end-to-end traceability over your software pipeline security from cloud to code. OX Security also helps you manage your findings, orchestrate DevSecOps activities, prevent risks, and maintain software pipeline integrity from a single location.