Understanding the Importance of Software Composition Analysis in the Context of EU’s DORA Regulations

The EU’s Digital Operational Resilience Act (DORA) represents a significant step towards ensuring that the financial sector can withstand and rapidly recover from ICT-related disruptions and threats. Among the wide variety of security testing tools and actions mandated by DORA, Software Composition Analysis (SCA) emerges as a critical component. Let’s explore why SCA is vital in this new regulatory landscape and how solutions like Meterian can be particularly beneficial.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is a cybersecurity process that helps organizations identify and manage open source components within their software inventory. SCA tools scan software projects to detect open source libraries and frameworks, check the versions used, and compare them against databases of known vulnerabilities. Additionally, SCA assesses license compliance risks, ensuring that the open source licenses are compatible with corporate policies on software usage.
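The scan described above, reduced to its essentials, as an added example (not Meterian's code). It takes a pinned "name==version" manifest, matches each component against a small advisory database by version range, and applies a licence policy. The manifest, the advisory for `examplelib`, the `gpl-tool` package and the licence map are constructed for the example; CVE-2024-3094 (xz 5.6.0 and 5.6.1) is real, and its `fixed` bound is an assumption (the first release after the two affected ones).

```python
"""Minimal software composition analysis pass (illustration, not Meterian's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if no fix yet
    severity: str


# Constructed advisory database; a real SCA tool pulls this from NVD, OSV and vendor feeds.
# The 5.6.2 fixed bound for CVE-2024-3094 is an assumption, not stated on the page.
ADVISORIES = [
    Advisory("CVE-2024-3094", "xz_utils", "5.6.0", "5.6.2", "critical"),
    Advisory("ADV-EXAMPLE-0001", "examplelib", "1.0.0", "1.5.0", "high"),   # constructed
]

# Constructed licence metadata and an example denied-licence policy
COMPONENT_LICENSES = {
    "requests": "Apache-2.0",
    "examplelib": "MIT",
    "xz_utils": "0BSD",
    "gpl-tool": "AGPL-3.0",
}
DENIED_LICENSES = {"AGPL-3.0", "SSPL-1.0"}

# Constructed pinned manifest in pip's "name==version" style
SAMPLE_MANIFEST = """\
requests==2.31.0
examplelib==1.4.2   # constructed package
xz_utils==5.6.1
gpl-tool==0.9.0     # constructed package
"""


def parse_version(v: str) -> tuple:
    """'5.6.1' -> (5, 6, 1) so that versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package: version} from pinned lines; comments and blanks are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, or version >= introduced and no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(deps: dict) -> list:
    """Match every dependency against the advisories and the licence policy.

    Each finding is (package, version, issue, severity); licence problems use
    the severity label 'policy'. Unknown licences are flagged too, because an
    unidentified licence cannot be checked against policy at all.
    """
    findings = []
    for name, version in deps.items():
        for adv in ADVISORIES:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, version, adv.id, adv.severity))
        licence = COMPONENT_LICENSES.get(name, "UNKNOWN")
        if licence == "UNKNOWN" or licence in DENIED_LICENSES:
            findings.append((name, version, f"licence:{licence}", "policy"))
    return findings


if __name__ == "__main__":
    for finding in scan(parse_manifest(SAMPLE_MANIFEST)):
        print("%-12s %-8s %-20s %s" % finding)
```

The version comparison is the part worth getting right: comparing version strings lexically would rank 5.10.0 below 5.9.1, so the example converts them to integer tuples before the range check.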

The Role of SCA Under DORA

The DORA framework emphasizes the need for a broad and adaptable approach to cybersecurity, recognizing the diverse nature of financial entities and their varying levels of ICT maturity. Here’s why SCA is integral to this approach.

Vulnerability Management
Financial entities utilize a plethora of software solutions, many of which rely on open-source components. SCA provides a systematic approach to detecting vulnerabilities in these components, some of which may be critical and widely exploited in the financial sector. By identifying these vulnerabilities early, financial institutions can patch them before they are exploited.

Compliance and Risk Management
DORA calls for rigorous compliance standards, including in areas like software licensing. SCA tools automatically detect the licenses of every component and alert teams about potential legal and operational risks, thus supporting compliance with DORA requirements.

Enhanced Operational Resilience
By integrating SCA into their cybersecurity practices, financial institutions can improve their operational resilience. Knowing exactly what is in their software reduces the time and resources spent on crisis management in the event of a security breach.

Supporting Advanced Testing Requirements
As entities mature, advanced testing such as Threat-Led Penetration Testing (TLPT) becomes viable. SCA ensures that the foundational elements of software security are addressed, which is critical for conducting more sophisticated, scenario-based tests effectively.

How Meterian Can Help

In the context of DORA, Meterian stands out as a valuable ally for financial institutions aiming to enhance their software security posture. Here’s how Meterian can specifically support compliance and resilience:

  • Continuous Security and Compliance Monitoring: Meterian continuously scans your software projects, providing real-time alerts on new vulnerabilities and compliance issues. This ongoing monitoring ensures that financial entities can respond promptly to emerging threats.

  • Automated Fix Suggestions: Beyond identifying issues, Meterian provides actionable insights and automated fix suggestions. This helps in quickly resolving vulnerabilities and license conflicts, significantly reducing the window of exposure.

  • Ease of Integration: Meterian’s platform can be seamlessly integrated into existing development workflows. This integration ensures that security and compliance checks occur throughout the software development life cycle, aligning with DORA’s emphasis on continuous improvement and adaptation.

  • Customizable Reporting: Meterian offers detailed, customizable reports that can assist financial entities in demonstrating their compliance with DORA regulations to regulators. These reports provide clear evidence of the proactive measures taken to ensure operational resilience.

By leveraging SCA tools like Meterian, financial institutions can not only meet the stringent requirements set forth by DORA but also significantly strengthen their cybersecurity frameworks. This proactive approach to software security is essential in a landscape where digital operations are increasingly integral to financial stability and success.


NVD Update Delays: What’s Happening at the National Vulnerability Database?

Introduction

Since its inception in 2005, the National Vulnerability Database (NVD) has been a vital resource for security professionals, providing details about common vulnerabilities and exposures (CVEs) discovered by researchers worldwide. However, in recent months, the NVD has faced significant challenges, resulting in delays and incomplete data. In this blog post, we explore the current state of the NVD and its implications for enterprise security.

The Mysterious Freeze

In February, the NVD underwent an unexpected transformation. A cryptic announcement appeared on its website, stating that users would “temporarily see delays in [our] analysis efforts” while the National Institute of Standards and Technology (NIST) implemented improved tools and methods. Unfortunately, no further explanation accompanied this message. The freeze affected the timely documentation of CVEs, leaving security managers in a bind.

The CVE Model and Missing Details

The NVD relies on a network of 365 partners—both US-based and international—who contribute threat data. These partners include software vendors, bug bounty operators, and private research firms. Each participant adheres to a schema to ensure unique and accurate entries. However, since the beginning of the year, over 6,000 new CVEs have been posted, with nearly half lacking essential details in the NVD.

What’s Missing?

  • Metadata: The latest CVE entries lack critical metadata, such as information about affected software. Without this context, security managers struggle to assess the severity of vulnerabilities and prioritize patching efforts.
  • CVSS Scores: The Common Vulnerability Scoring System (CVSS) scores, which indicate vulnerability severity, are absent for many CVEs.
  • Product Information: Enterprises rely on NVD data to identify which applications and operating systems are at risk. Unfortunately, the missing details hinder this crucial aspect.

The status of things (April 2024)

In a recent update, the NVD team discusses the importance of the National Vulnerability Database (NVD) and the challenges it faces. The NVD is a repository of information on software and hardware flaws that can compromise computer security. There is a growing backlog of vulnerabilities submitted to the NVD, and NIST is working to address this challenge. NIST is committed to its continued support and management of the NVD, but at this time it seems to be lagging behind.

How Meterian can help

Enter Meterian, a comprehensive application security solution that offers unique advantages over traditional databases. Meterian has an extremely robust security database that offers:

  1. Automated Daily Updates: Unlike the NVD, which has experienced recent delays, Meterian’s security database is updated at least every 4 hours. This automated process ensures that you receive the most current threat intelligence promptly.
  2. Diverse Data Sources: Meterian aggregates data from more than 15 unique sources, including both public and private feeds. These sources contribute to a comprehensive repository of vulnerability information, covering a wide range of software components. This is also enriched by Meterian AI and internally curated databases.
  3. Monitoring 350K Vulnerabilities: At present, Meterian actively monitors around 350,000 vulnerabilities across various ecosystems, from Perl to Rust. If you’re building applications and dealing with open-source libraries or frameworks, Meterian has you covered.

Conclusion

As the NVD grapples with its challenges, consider integrating Meterian into your security toolkit. Stay informed, stay proactive, and safeguard your digital assets effectively. Alternatively, you can simply start receiving timely notifications through our alerting system: please check out our previous article that explains how to do just that!


Supply Chain Shock: Backdoor in liblzma Highlights Third-Party Package Risks

The open-source software (OSS) ecosystem thrives on the principles of transparency and collaborative development. However, a recent critical vulnerability discovered in the core library, liblzma, has cast a shadow on this trust. The vulnerability, which was disguised as a bug fix, contained malicious code that could have potentially granted attackers access to users’ systems through SSH servers. This unsettling incident serves as a sobering reminder of the tangible risks inherent in relying on third-party software packages, even within the seemingly open and collaborative realm of OSS.

What happened?

liblzma, a critical library used for compression in many Linux distributions, was compromised by a backdoor hidden within its source code. This backdoor, attributed to a contributor known as JiaT75, remained undetected for two years. During the build process, the backdoor would infect the system, specifically targeting x86_64 Linux systems. This vulnerability could have allowed attackers to compromise SSH servers, potentially granting them unauthorized access to a user’s system.

Why third-party packages are a risk

While OSS thrives on collaboration, it also introduces vulnerabilities. We rely on the good faith of developers contributing code. Malicious actors can exploit this trust by injecting backdoors or other harmful code into seemingly legitimate libraries like liblzma.

What can you do?

To mitigate the risks associated with third-party software packages, it is imperative to stay vigilant and proactive. Patching software promptly by updating your system regularly ensures you have the latest security fixes in place. Furthermore, exercising caution when obtaining software updates and packages by exclusively utilizing official or trusted sources is of utmost importance. Thoroughly researching the maintainers of the software packages you rely upon can shed light on their track record of responsible updates and reputation within the community. Whenever feasible, exploring alternatives to widely used libraries can be a prudent strategy, as diversifying your software portfolio can reduce the potential impact of a single vulnerability. By adopting these measures, you can bolster the security posture of your systems and minimize the risks posed by third-party software dependencies.

How Meterian can help

The liblzma backdoor incident serves as a wake-up call, and it highlights the need for constant vigilance. By understanding the risks and taking preventative measures, we can build a more secure software ecosystem. Remember, security is an ongoing process, not a one-time fix.

Security solutions like Meterian can be powerful allies in mitigating the risks of third-party packages. Meterian’s notification system keeps you informed about the latest vulnerabilities impacting your software ecosystem, including critical flaws like the recently discovered liblzma backdoor. Through timely alerts and detailed reporting, Meterian ensures you stay on top of potential threats before they can be exploited. Additionally, Meterian’s Software Composition Analysis (SCA) solution goes a step further by scanning your codebase for known vulnerabilities within dependencies like liblzma. By proactively identifying these risks, SCA allows you to take early action and prioritize patching vulnerable components, ultimately safeguarding your systems and data.

Don’t wait for the next major vulnerability to compromise your systems. Take control of your software security today. Try Meterian for free and experience the power of proactive vulnerability detection and management.

An important note!

The xz/liblzma packages are sometimes included in major Linux distributions, and much of the focus is now there, also because this vulnerability can be exploited to execute remote commands over SSH. However, please be aware that this vulnerability may also affect your application code, either because your C/C++ applications link directly against liblzma, or because, via Conan, you previously used the package xz_utils in one of the vulnerable versions (5.6.0, 5.6.1). Furthermore, wrappers such as xz.ex (Elixir), xz.net (.NET), ruby-xz (Ruby) and similar packages may indirectly pull in the affected package.
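A practical way to check the two exposure paths named above (the host's own liblzma and a Conan manifest), as an added example that is not Meterian's code. The affected versions are the two the page names; the `xz --version` output and the `conanfile.txt` are constructed samples. Wrapper packages such as ruby-xz are only reported for manual review, because the wrapper's own version number says nothing about which liblzma build it bundles or links.

```python
"""Host and build-manifest check for the backdoored xz releases (illustration)."""
import re
import shutil
import subprocess
from typing import Optional

AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}   # CVE-2024-3094, as stated on the page

# Names under which xz/liblzma reaches a build, plus the wrappers the page lists
DIRECT_PACKAGES = {"xz_utils", "xz", "liblzma"}
WRAPPER_PACKAGES = {"xz.ex", "xz.net", "ruby-xz"}

# Constructed samples of `xz --version` output and of a Conan conanfile.txt
SAMPLE_XZ_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CONANFILE = """\
[requires]
zlib/1.3.1
xz_utils/5.6.0

[generators]
CMakeDeps
"""


def liblzma_version(xz_output: str) -> Optional[str]:
    """Pull the liblzma version out of `xz --version` text; None if it is not there."""
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", xz_output, re.MULTILINE)
    return m.group(1) if m else None


def is_affected_version(version: Optional[str]) -> bool:
    return version in AFFECTED_VERSIONS


def conan_requires(conanfile: str) -> dict:
    """Parse the [requires] section of a conanfile.txt into {package: version}."""
    reqs, in_requires = {}, False
    for raw in conanfile.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_requires = line == "[requires]"
            continue
        if in_requires and "/" in line:
            name, version = line.split("/", 1)
            reqs[name] = version.split("@", 1)[0]   # drop any user/channel suffix
    return reqs


def check_manifest(reqs: dict) -> list:
    """Return (package, version, verdict) for every entry that needs attention."""
    results = []
    for name, version in reqs.items():
        if name in DIRECT_PACKAGES and is_affected_version(version):
            results.append((name, version, "affected"))
        elif name in WRAPPER_PACKAGES:
            results.append((name, version, "review: check the bundled liblzma"))
    return results


def check_host() -> tuple:
    """Run `xz --version` on this machine, if xz is installed, and classify the result."""
    if shutil.which("xz") is None:
        return (None, "xz not installed")
    out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    version = liblzma_version(out)
    return (version, "affected" if is_affected_version(version) else "not affected")


if __name__ == "__main__":
    print("host liblzma:", check_host())
    print("conanfile findings:", check_manifest(conan_requires(SAMPLE_CONANFILE)))
```

Note that a clean result from `check_host` only covers the system copy of liblzma; a statically linked or vendored copy inside an application binary has to be found through the build manifest or an SBOM instead.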

Update – 15 April 2024

This is a novel situation, and there is still much uncertainty. We are aware of only a single known exploit path at this time, but there may be additional scenarios that have not yet been identified.

In detail, so far it looks like the payload activates if the running program has the process name /usr/sbin/sshd; however, based on ongoing analysis, it may activate in other scenarios too, unrelated to SSH. This matter is still under investigation; you can keep an eye on this page to follow the active investigation.


References

  1. Backdoor in the xz source code: https://www.openwall.com/lists/oss-security/2024/03/29/4
  2. Backdoor in upstream xz/liblzma leading to SSH server compromise: https://news.ycombinator.com/item?id=39868673
  3. NVD reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
  4. A live analysis of the backdoor: https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
  5. Ongoing investigation: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Understanding SBOMs: A Crucial Aspect of the EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act

The European Union Cyber Resilience Act (CRA), which was proposed on September 15, 2022, is the first EU-wide legislation addressing cybersecurity requirements for software and hardware manufacturers. Unlike the U.S. Executive Order, the CRA extends to all vendors who create products with digital components that connect to the internet. It will become enforceable in early 2027, three years after its ratification.

SBOM Requirements of the CRA

One of its key requirements focuses on Software Bill of Materials (SBOMs). An SBOM is essentially a comprehensive inventory of all software components used in a product. It provides transparency by listing out the dependencies, libraries, and third-party code that make up a software application. Think of it as a “recipe” for your software – it tells you exactly what ingredients (components) are included.

The key points related to Software Bill of Materials (SBOM) requirements under the EU Cyber Resilience Act are:

  • Manufacturers must identify and document product components and vulnerabilities, including the creation of a SBOM of at least the top-level dependencies of the product
  • The SBOM does not have to be made publicly available
  • The SBOM should be included in the technical documentation and, upon request, provided to market surveillance authorities

The EU Cyber Resilience Act mandates SBOM adoption to enhance cybersecurity and ensure transparency in software and hardware supply chains. Manufacturers need to create SBOMs for their products, while public availability is not required.

Why SBOMs are essential

SBOMs are a sensible tool to manage your supply chain transparency. With the increasing complexity of software supply chains, understanding what goes into your product is crucial. SBOMs allow manufacturers to trace the origins of each component, identify vulnerabilities, and assess risks.

By having an SBOM, organisations can proactively address security vulnerabilities. When a known vulnerability is discovered in a library or component, manufacturers can quickly assess which products are affected and take necessary remediation steps.

They are also required for compliance and legal requirements. Specifically, the CRA mandates that manufacturers create SBOMs for their products. Compliance ensures that products meet cybersecurity standards and reduces legal risks.
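What an SBOM looks like in practice, and how it answers the "which products are affected?" question above, as an added example (not Meterian's code). The document follows the CycloneDX 1.5 field names (`bomFormat`, `components`, `dependencies`, `purl`); the `dependsOn` list of the product itself is exactly the "top-level dependencies" the CRA requires as a minimum, while the transitive map makes the graph complete. The two products, their component versions and the lodash advisory are constructed for the example.

```python
"""Build a minimal CycloneDX-style SBOM and query it when an advisory lands (illustration)."""
import json


def purl(ecosystem: str, name: str, version: str) -> str:
    """Package URL, the identifier SBOM consumers match on, e.g. pkg:npm/lodash@4.17.21."""
    return f"pkg:{ecosystem}/{name}@{version}"


def build_sbom(product: str, version: str, top_level: list, transitive: dict) -> dict:
    """
    top_level:  [(ecosystem, name, version), ...] direct dependencies of the product
    transitive: {purl_of_parent: [(ecosystem, name, version), ...]} what each parent pulls in
    """
    product_ref = purl("generic", product, version)
    components, dependencies, seen = [], [], set()

    def add(ecosystem, name, ver):
        ref = purl(ecosystem, name, ver)
        if ref not in seen:                      # one entry per distinct component
            seen.add(ref)
            components.append({"type": "library", "name": name, "version": ver, "purl": ref})
        return ref

    top_refs = [add(*dep) for dep in top_level]
    dependencies.append({"ref": product_ref, "dependsOn": top_refs})   # the CRA minimum
    for parent_ref, children in transitive.items():
        dependencies.append({"ref": parent_ref, "dependsOn": [add(*c) for c in children]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": product,
                                   "version": version, "purl": product_ref}},
        "components": components,
        "dependencies": dependencies,
    }


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def top_level_refs(bom: dict) -> list:
    """The product's direct dependencies, read back from the dependency graph."""
    product_ref = bom["metadata"]["component"]["purl"]
    return next(d["dependsOn"] for d in bom["dependencies"] if d["ref"] == product_ref)


def products_affected(sboms: list, name: str, fixed_in: str) -> list:
    """For an advisory 'name below fixed_in is vulnerable', return (product, component purl)."""
    hits = []
    for bom in sboms:
        for comp in bom["components"]:
            if comp["name"] == name and parse_version(comp["version"]) < parse_version(fixed_in):
                hits.append((bom["metadata"]["component"]["name"], comp["purl"]))
    return hits


# Constructed inventory for two products; versions and the advisory are made up
PAYMENTS = build_sbom(
    "payments-api", "2.3.0",
    [("npm", "express", "4.18.2"), ("npm", "lodash", "4.17.20")],
    {purl("npm", "express", "4.18.2"): [("npm", "body-parser", "1.20.2")]},
)
REPORTING = build_sbom("reporting-ui", "1.0.0", [("npm", "lodash", "4.17.21")], {})

if __name__ == "__main__":
    print(json.dumps(PAYMENTS, indent=2))
    # Constructed advisory: lodash releases below 4.17.21 are vulnerable
    print(products_affected([PAYMENTS, REPORTING], "lodash", "4.17.21"))
```

Keeping one SBOM per shipped product version is what makes the last query cheap: when an advisory names a component, the affected products fall out of a lookup instead of a rebuild.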

Why SBOMs are complicated

Creating and maintaining Software Bill of Materials (SBOMs) is a time-consuming process due to the intricate nature of modern software. Applications are no longer simple; they consist of interconnected components, libraries, and dependencies. The prevalence of open-source software further complicates matters. Each component introduces its own set of dependencies, licences, and potential vulnerabilities. Identifying and tracking all these elements manually is a daunting task. Ensuring accuracy, compliance, and security within this complex landscape inevitably consumes significant time and effort.

That’s the reason why it’s a good idea to adopt an automated solution that takes this problem away.

Meterian: your automated SBOM solution

Using automated analysis, Meterian continuously scans your codebase, identifies the whole network of dependencies, and generates an SBOM automatically. No manual effort is required, as SBOMs can be created and stored during the analysis, or later on demand. This saves a substantial amount of time for your developers, who can say goodbye to weeks of research at each release. Everything happens directly in your pipelines or at the touch of a button.

With the help of its powerful vulnerability scanner, Meterian provides you with all relevant vulnerability insights. The Meterian vulnerability database tracks more than 340k vulnerabilities across more than 20 different OSINT sources. You will also automatically receive real-time alerts about vulnerabilities in your components, even if you do not actively analyse them: Meterian will do it for you.

Meterian is easy to integrate in your processes, as it seamlessly integrates with your development pipelines, ensuring continuous monitoring without any extra activity. A simple click, some lines of YAML, one or two lines of script, is all it takes. You get protection against vulnerabilities and compliance at the same time, without any extra effort.

Conclusion

As the EU Cyber Resilience Act comes into effect, manufacturers are required to embrace SBOMs to ensure transparency, enhance risk management, and achieve compliance. The Meterian platform simplifies the generation of SBOMs, enabling you to concentrate on developing secure and resilient software.

Remember: An SBOM isn’t just a regulatory requirement; it’s a powerful tool for safeguarding your digital products. Start creating your SBOMs today!


Precise and Timely Vulnerability Notifications with Meterian

Stop worrying about missing critical vulnerability alerts. As application security experts, we know the constant struggle to stay informed about the latest threats facing your open-source components. That’s why we’re excited to introduce Meterian’s vulnerability notification system, designed to provide timely, accurate, and actionable information so you can take immediate steps to protect your applications.

Unparalleled Insight into Open-Source Risks

Meterian boasts the largest OSINT vulnerability database on the market, meticulously tracking over 335,000 vulnerabilities daily across 20+ diverse sources. We go beyond mere quantity, offering almost 94,000 unique vulnerabilities spanning 16 programming languages, ensuring comprehensive coverage for your development stack. Every day,

Never Miss a Critical Update

Our system proactively identifies new open-source component vulnerabilities and critical updates, delivering comprehensive notifications straight to your inbox. Each notification contains all the essential details to address the issue effectively:

  • Precise component name and ecosystem
  • Affected version range
  • Detailed vulnerability description
  • CVE identifier (if available)
  • Associated CVSS and EPSS scores
  • List of unaffected versions
  • Links for further exploration

We believe that staying informed about vulnerabilities requires a comprehensive view. That’s why our platform not only delivers daily updates but also offers a valuable 30-day history, for free. This historical perspective allows you to track the evolution of vulnerabilities: whether you’re a seasoned developer or an individual user, understanding the trends over the past month can empower you to make informed decisions and take proactive security measures. Visit our Meterian Vulnerabilities pages to explore this rich history and stay ahead of the curve.

Tailored Alerts for Subscribed Users

We understand that information overload can be counterproductive. That’s why we offer two distinct notification systems for subscribed users:

  • Sentinel that continuously monitors previously scanned projects
  • Allerta that provides alerts based on a user’s specific preferences

Sentinel Notification System: Continuous Security Monitoring

Our Sentinel Notification System is your ticket to continuous security monitoring. It offers timely alerts to development teams, even without active scans. Once a project is under Meterian’s purview, Sentinel automatically and routinely examines it for new vulnerabilities. This seamless process ensures ongoing security screening, eliminating the need for user intervention. With Sentinel, you can rest assured that your projects remain protected around the clock.

Allerta Notification System: Tailored Security Alerts

The Allerta Notification System is designed with flexibility in mind. It allows users to tailor security alerts based on their preferences. You can define your interests, specifying preferred ecosystems, and scoring thresholds, ensuring that you receive notifications that align with your specific needs. Whether you’re a developer focusing on a particular programming language or a security professional seeking a broader view, Allerta provides precise information tailored to your requirements. With Allerta, you gain the ability to customize your security alerts while staying well-informed about the vulnerabilities that matter most to you.
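The kind of preference-driven triage Allerta is described as doing, as an added example (not Meterian's code). Each notification record carries the fields listed earlier in this post (component, ecosystem, affected range, CVE, CVSS, EPSS, unaffected versions); the records, the installed versions and the thresholds are all constructed. The example also does what a practitioner wants next: it checks whether the installed version is actually inside the affected range and picks the lowest unaffected version above it as the upgrade target.

```python
"""Filter vulnerability notifications by user preferences and compute upgrade targets (illustration)."""
from typing import Optional

# Constructed notification feed in the shape of the fields the post lists
NOTIFICATIONS = [
    {"component": "examplelib", "ecosystem": "pypi", "introduced": "1.0.0", "fixed": "1.5.0",
     "cve": "CVE-EXAMPLE-0001", "cvss": 8.8, "epss": 0.42, "unaffected": ["1.5.0", "1.5.1"]},
    {"component": "widget-core", "ecosystem": "npm", "introduced": "0.0.0", "fixed": "3.2.0",
     "cve": "CVE-EXAMPLE-0002", "cvss": 9.1, "epss": 0.70, "unaffected": ["3.2.0"]},
    {"component": "toolkit", "ecosystem": "maven", "introduced": "2.0.0", "fixed": "2.1.0",
     "cve": "CVE-EXAMPLE-0003", "cvss": 4.3, "epss": 0.01, "unaffected": ["2.1.0"]},
    {"component": "netlib", "ecosystem": "pypi", "introduced": "2.0.0", "fixed": "2.0.4",
     "cve": None, "cvss": 7.5, "epss": None, "unaffected": ["2.0.4"]},
    {"component": "oldlib", "ecosystem": "pypi", "introduced": "2.0.0", "fixed": "3.0.0",
     "cve": "CVE-EXAMPLE-0005", "cvss": 9.8, "epss": 0.90, "unaffected": ["3.0.0", "3.1.0"]},
]

# Constructed user preferences (ecosystems of interest and scoring thresholds)
PREFERENCES = {"ecosystems": {"pypi", "maven"}, "min_cvss": 7.0, "min_epss": 0.10}

# Constructed inventory of what this user actually has installed
INSTALLED = {"examplelib": "1.4.2", "widget-core": "3.1.0", "toolkit": "2.0.5",
             "netlib": "2.0.1", "oldlib": "3.1.0"}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def matches_preferences(note: dict, prefs: dict) -> bool:
    """Ecosystem must be subscribed and CVSS must meet the threshold.

    EPSS is only applied when the feed supplies it: a missing EPSS score must
    never silence a high-CVSS alert.
    """
    if note["ecosystem"] not in prefs["ecosystems"]:
        return False
    if note["cvss"] < prefs["min_cvss"]:
        return False
    return note["epss"] is None or note["epss"] >= prefs["min_epss"]


def version_affected(version: str, note: dict) -> bool:
    v = parse_version(version)
    return parse_version(note["introduced"]) <= v < parse_version(note["fixed"])


def upgrade_target(version: str, note: dict) -> Optional[str]:
    """Lowest unaffected version above the installed one, or None if there is none."""
    current = parse_version(version)
    candidates = [u for u in note["unaffected"] if parse_version(u) > current]
    return min(candidates, key=parse_version) if candidates else None


def triage(notes: list, prefs: dict, installed: dict) -> list:
    """Return (component, installed, cve, upgrade_target) for alerts worth acting on."""
    actions = []
    for note in notes:
        name = note["component"]
        if name not in installed or not matches_preferences(note, prefs):
            continue
        if not version_affected(installed[name], note):
            continue                      # we run an unaffected build; no alert needed
        actions.append((name, installed[name], note["cve"], upgrade_target(installed[name], note)))
    return actions


if __name__ == "__main__":
    for action in triage(NOTIFICATIONS, PREFERENCES, INSTALLED):
        print(action)
```

Of the five constructed records, only two survive: widget-core is filtered by ecosystem, toolkit by score, and oldlib because the installed 3.1.0 sits outside the affected range even though its scores are the highest in the feed.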

Empowering Developers and Security Teams

Developers can focus on specific languages, while security personnel maintain a global view. All notifications provide granular details, including the affected component and version, so everyone has the context needed to make informed decisions. Don’t wait for a breach to expose your vulnerabilities. Meterian’s notification system empowers you to take control of your application security.

Sign up for a free trial today and experience the power of proactive application security. See for yourself how Meterian can keep you ahead of the curve and your applications safe. And remember, you can always consult the daily vulnerability report online, completely free: no subscriptions needed.

Take action now and protect your applications from the ever-evolving threat landscape!


Enhancing Application Security with Meterian: A Powerful SonarQube Integration

In the fast-paced world of software development, ensuring code security is paramount. Vulnerabilities can lurk in unexpected places, and addressing them swiftly is crucial to safeguarding your applications and your users. That’s where Static Application Security Testing (SAST) and Software Composition Analysis (SCA) come into play. Today, we’re excited to announce a game-changing integration between Meterian, a leading cloud SCA solution, and SonarQube, a renowned SAST platform. In this blog post, we’ll explore the advantages of combining these two powerful tools and dive into the specifics of the Meterian and SonarQube integration.

Advantages of SAST with SCA: A Dynamic Duo for Code Security

Before delving into the integration, let’s understand why the combination of SAST and SCA is a game-changer for code security.

1. Comprehensive Vulnerability Detection: SAST analyzes your source code for security issues, identifying vulnerabilities from the code’s perspective. SCA, on the other hand, scans your dependencies for known vulnerabilities. Together, they provide comprehensive coverage, helping you identify and address issues across your codebase.

2. Early Detection: SAST and SCA work in different phases of the development lifecycle. SAST scans your code during development, while SCA monitors dependencies throughout the software’s lifetime. This early detection ensures that vulnerabilities are identified and remedied promptly, reducing the cost and effort of fixing issues in later stages.

3. Precise Remediation: By pinpointing vulnerabilities in both your code and dependencies, you gain precise information on what needs to be fixed. This helps developers focus their efforts on high-priority issues, improving efficiency and reducing false positives.

4. Improved Compliance: Many industries have strict compliance requirements. The combination of SAST and SCA aids in meeting these regulations by providing a robust security framework for your applications.

5. Enhanced Security Posture: Together, SAST and SCA help you build a stronger security posture, which is especially important in today’s threat landscape. By addressing vulnerabilities early and comprehensively, you reduce the attack surface and mitigate security risks effectively.


Meterian and SonarQube Integration: A Closer Look

Let’s now take a more detailed look at the most important aspects of the Meterian and SonarQube integration.

1. Streamlined Workflow: The integration seamlessly incorporates Meterian’s SCA results into your SonarQube environment. This means that you can access SCA insights right where you already manage your code analysis, streamlining your workflow. View problems directly within the SonarQube interface while retaining the ability to drill down into the full Meterian report for a comprehensive view of vulnerabilities and dependencies.

2. Real-time Feedback with Custom Notifications: Receive real-time feedback on your code’s security status, and stay informed about any new vulnerabilities affecting your dependencies. Meterian takes it a step further by offering customizable notification options. You can receive alerts via Slack, Email, or WebHook, ensuring that your team stays instantly updated and can take immediate action to address any issues.

3. Remediation Guidance with Safe Dependency Versions: The integration provides detailed remediation guidance, helping developers understand and resolve vulnerabilities effectively. When vulnerabilities are detected, Meterian goes a step beyond by not only identifying the issues but also providing safe versions of the dependencies to use in order to mitigate these vulnerabilities effectively. This valuable guidance streamlines the remediation process, ensuring that developers have access to trusted solutions for code security.

4. Enhanced Quality beyond Code: Achieve higher code quality and security standards by leveraging Meterian’s comprehensive vulnerability database and SonarQube’s powerful analysis capabilities. The integration not only identifies vulnerabilities but also extends its benefits by detecting out-of-date dependencies within your codebase. This ensures that your applications not only remain secure but also stay up-to-date with the latest libraries and components.

5. Strengthened Compliance with License Reporting and SBOM: In addition to its robust security features, the Meterian and SonarQube integration significantly strengthens compliance efforts. Meterian goes beyond security by reporting licenses for all dependencies used in your software projects. This comprehensive license reporting ensures that your organization remains compliant with licensing requirements, reducing the risk of legal and financial liabilities. Furthermore, Meterian provides a full Software Bill of Materials (SBOM), offering transparency into all the components and libraries used in your applications. By combining security and compliance in one integrated solution, you can achieve a higher level of confidence in your code while minimizing legal risks.

Getting Started with the Integration

Getting started with the Meterian and SonarQube integration is straightforward. Simply follow these steps, as described in Meterian’s documentation page:

  1. Install the Meterian Plugin: Begin by installing the Meterian plugin for SonarQube in your local installation: it should be as easy as dropping the jar file in the plugins folder (docs)

  2. Configure the Integration: Adjust the plugin properties if needed: the defaults should be already a fair fit. (docs)

  3. Add Meterian to your pipelines and enjoy seamless SCA Insights: With the integration set up, and Meterian in your pipelines, you’ll start receiving valuable SCA insights within your SonarQube environment. (docs)

The plugin supports at the moment NodeJS on NPM, and Java/Kotlin on Maven and Gradle. Support for .NET is planned by the end of this month, then Swift and Go will follow shortly. It can run on SonarQube v9.x, support for 10.x and cloud is coming later this year (roadmap).


Conclusion

Code security is a top priority for every software development team. The integration between Meterian, a leading cloud SCA solution, and SonarQube, a renowned SAST platform, offers a powerful combination to enhance your code security efforts. By leveraging the advantages of SAST and SCA, you can achieve comprehensive vulnerability detection, early issue identification, precise remediation, improved compliance, and an enhanced security posture. The Meterian and SonarQube integration streamlines your workflow, provides real-time feedback, offers remediation guidance, reduces false positives, and enhances code quality, making it an invaluable asset for any development team.

To get started with this integration and improve your application security, visit Meterian’s documentation page today. Elevate your security game and build robust, secure applications with Meterian and SonarQube.

Stay secure, stay confident!

All trademarks are the property of respective owners


Improved Security for Swift Developers: Meterian Now Supports SwiftPM!

Meterian is proud to announce that it now supports Swift Package Manager (SwiftPM), providing improved security for Swift developers. This new feature allows Swift developers to seamlessly integrate Meterian’s powerful security scanning capabilities into their Swift projects, helping them identify and fix vulnerabilities in their open source dependencies.

SwiftPM is the official package manager for Swift, the popular programming language developed by Apple for building iOS, macOS, watchOS, and tvOS applications. It simplifies the process of managing dependencies in Swift projects and enables developers to easily share their code as packages. With Meterian’s support for SwiftPM, developers can now add an additional layer of security to their Swift projects by automatically scanning their dependencies for known security vulnerabilities.

I am using Cocoapods: why is this important?

While Cocoapods has been the de facto dependency manager for iOS and macOS projects for several years, SwiftPM has emerged as a powerful alternative, offering several advantages over its predecessor.

Firstly, SwiftPM is an official tool provided by Apple, which means that it is well-integrated with the Xcode development environment and has the backing of the Swift community. This ensures that SwiftPM is continuously updated with the latest features and security enhancements, making it a reliable and secure option for managing dependencies in Swift projects.

Secondly, SwiftPM is designed to be lightweight and fast, with a simple command-line interface that is easy to use and understand. This makes it an ideal tool for small to medium-sized projects, where simplicity and ease of use are essential. Cocoapods, on the other hand, can be slow and cumbersome, particularly for large projects with numerous dependencies, where the overhead of managing the Podfile can become overwhelming.

Thirdly, SwiftPM has a modular architecture that allows developers to easily share code between different projects and platforms, making it a more flexible and versatile tool than Cocoapods. This makes it particularly useful for developers working on cross-platform projects, where code sharing is critical.

Finally, SwiftPM is a more modern and future-proof solution than Cocoapods, which relies on Ruby. SwiftPM is written in Swift and does not require any extra tooling, making it a natural choice for iOS and macOS developers.

Overall, while Cocoapods has been a valuable tool for many iOS and macOS developers over the years, SwiftPM has emerged as a more modern, lightweight, and flexible alternative, offering several advantages over its predecessor. With Meterian’s support for SwiftPM, developers now have access to a powerful security scanning solution that is well-integrated with the Swift ecosystem and provides critical security enhancements for their Swift projects.

I am switching to SwiftPM. How does Meterian help me?

Meterian’s SCA solution uses advanced scanning techniques to analyze the open source dependencies of a project and identify any known security vulnerabilities or licensing issues. The results are presented in a comprehensive dashboard, allowing developers to easily understand the security status of their dependencies and take appropriate action to address any identified issues.

One of the key benefits of using Meterian with SwiftPM is the seamless integration into the Swift development workflow. Developers can simply add Meterian as a build step in their SwiftPM build process, making it easy to incorporate security scanning into their existing development pipeline. This ensures that security is considered as an integral part of the development process, reducing the risk of shipping software with vulnerable dependencies.

Another powerful feature of Meterian is its ability to provide remediation guidance. When vulnerabilities are identified, Meterian provides detailed information on how to fix the issue, including code snippets, links to relevant documentation, and recommendations for alternative libraries or versions. This helps Swift developers quickly address security issues and keep their dependencies up to date.

Meterian’s support for SwiftPM comes at a critical time when security is a top concern for software development teams. As cyber threats continue to evolve and open source vulnerabilities become more prevalent, it is crucial for Swift developers to proactively manage the security of their dependencies. By leveraging Meterian’s advanced scanning capabilities, Swift developers can ensure that their software is built on a solid foundation of secure dependencies, minimizing the risk of security breaches and protecting their users’ data.
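To show the mechanics behind a dependency scan like the one described above, here is an added example (not Meterian’s code): a small Python script that parses the Package.resolved lockfile SwiftPM writes beside Package.swift, extracts every pinned dependency, and matches the pinned versions against an advisory list by semantic-version range. The package names, versions and advisory identifiers are constructed for illustration, and the advisory list is embedded in place of a real vulnerability database.

```python
"""Added example, not Meterian's code: a minimal SCA-style check over a
SwiftPM lockfile. Package names, versions and advisory IDs are constructed."""
import json

# Constructed Package.resolved in the version-2 layout that SwiftPM writes
# beside Package.swift: a top-level "pins" array, one entry per dependency.
PACKAGE_RESOLVED = """
{
  "pins" : [
    {
      "identity" : "example-networking",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/example/example-networking.git",
      "state" : { "revision" : "0123456789abcdef", "version" : "4.2.1" }
    },
    {
      "identity" : "example-logger",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/example/example-logger.git",
      "state" : { "revision" : "fedcba9876543210", "version" : "1.9.0" }
    },
    {
      "identity" : "example-parser",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/example/example-parser.git",
      "state" : { "branch" : "main", "revision" : "aaaabbbbccccdddd" }
    }
  ],
  "version" : 2
}
"""

# Constructed advisory feed: (advisory id, package identity,
# first affected version, first fixed version). A real SCA tool pulls this
# from vulnerability databases; it is embedded here so the script runs offline.
ADVISORIES = [
    ("EXAMPLE-ADV-001", "example-networking", "4.0.0", "4.3.0"),
    ("EXAMPLE-ADV-002", "example-logger", "1.0.0", "1.8.2"),
]


def parse_version(text):
    """'1.2.3' -> (1, 2, 3). A pre-release suffix such as '-beta.1' is
    dropped (simplification); a missing minor or patch component reads as 0."""
    nums = [int(p) for p in text.split("-")[0].split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def load_pins(resolved_json):
    """Map each pinned package identity to its release version, or to None
    when the dependency is pinned to a branch or bare revision instead."""
    data = json.loads(resolved_json)
    return {p["identity"]: p["state"].get("version") for p in data["pins"]}


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def scan(resolved_json, advisories=ADVISORIES):
    """Return (identity, version, message) findings for a lockfile. Branch
    pins are reported as well: no version range can be matched against them,
    so they need manual review rather than silent acceptance."""
    findings = []
    for identity, version in load_pins(resolved_json).items():
        if version is None:
            findings.append((identity, None, "pinned to a branch: review manually"))
            continue
        for adv_id, name, lo, hi in advisories:
            if name == identity and is_affected(version, lo, hi):
                findings.append((identity, version,
                                 f"{adv_id}: affected, upgrade to {hi} or later"))
    return findings


if __name__ == "__main__":
    for identity, version, message in scan(PACKAGE_RESOLVED):
        print(f"{identity} {version or '(branch)'}: {message}")
```

Run against a real project by replacing PACKAGE_RESOLVED with the contents of its Package.resolved; the branch-pin finding is deliberate, since a dependency tracked by branch cannot be matched against a fixed-version advisory and silently passing it would hide exposure.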

I want to use Meterian: what should I do?

Meterian is free for open source projects! If you have a GitHub OSS project, you can easily integrate Meterian using the GitHub Action by following this step-by-step guide, or you can check out this live example on GitHub. We also have native integrations with Bitbucket and Azure DevOps, as well as integrations with other CI/CD platforms.

Meterian is here to help!

Meterian’s support for SwiftPM brings enhanced security to Swift developers, allowing them to easily scan their open source dependencies for known vulnerabilities and proactively manage their software’s security. With its seamless integration into the SwiftPM workflow and comprehensive remediation guidance, Meterian empowers Swift developers to build secure software and protect their users’ data. To learn more about Meterian’s support for SwiftPM and how it can help improve the security of your Swift projects, visit Meterian’s website at www.meterian.io.


Cyber resilience is critical for innovation and economic sustainability

The events of the last few years have highlighted the world’s vulnerabilities and shown the importance of building resilience into organisations, supply chains and the global economy. COVID-19 and the war in Ukraine have exposed issues we’d chosen to ignore, thought we’d fixed forever or hadn’t even considered before. Growth is no longer guaranteed. The global economy’s increasing reliance on technology to enable the world to function extends the attack surface and opens up new cyber security threats.

The need for cyber security to protect sustainable growth

Governments are struggling with plans for sustainable economic growth against a background of conflict, continuing supply chain problems, climate change, rising prices and interest rate increases. Typical sustainable development goals include: economic growth measured by GDP; business innovation and infrastructure renewal; creating sustainable cities and communities; and responsible consumption of products.

From smart cities to renewable energy, financial infrastructures and driverless transport, cutting-edge technology is at the heart of our drive for sustainable growth. This provides exciting opportunities but has also exposed existing systems’ weaknesses and created new vulnerabilities to malicious actors. Sustainable development goals are all put at risk by the increased threat from cyber attacks.

Organisations have become familiar with safety and security measures which protect their physical environment such as installing early warning sensors, security cameras, fire safety equipment and intruder alarms. There’s a need for a cultural shift for executives, investors, employees and regulators to recognise the increasing importance of cyber security. The war in Ukraine has brought into sharp relief the importance of having both strong physical and cyber defences. Cyber resilience is absolutely necessary for modern civilisation to survive and flourish. 

How big is the cyber threat?

Recent research and headlines point to cyber crime being very big business indeed. One study showed cyber criminals raking in $1.5 trillion every year. To put that in context that’s exactly the same amount proposed for the US Congress’ bipartisan package to help Ukraine and finance federal agencies for the second half of 2022. Another study from Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025. This led Steve Morgan, Editor-in-Chief at Cybercrime Magazine to comment, “This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.”

Innovation is a growing target for cyber criminals

Innovation and invention are seen as good things for businesses and the wider economy. They power economic growth and prosperity around the world, but by their very nature they can open the door to cyber criminals. Innovation is all about new technologies, products and ways of working. The cloud gaming sector is a prime example of an industry that has attracted the attention of hackers, due to its constant growth, developing new platforms and introducing new products almost daily. As the industry transitions to cloud infrastructures, the market size was estimated at $609.67 million in 2021, and is expected to grow to $7.382 billion by the end of 2028 according to research by Brandessence. Change, as in this case, often comes at dizzying speed. This means that procedures, controls, security and monitoring may lag behind. Ripping up the rule book to innovate can have huge positives, but organisations need to watch for the negatives too. Indeed, some of the largest cyber security incidents in 2022 were targeted at the gaming sector, with breaches reported by such behemoths as Rockstar, Roblox and NVIDIA, to name just a few.

Rapidly expanding sectors and businesses naturally also attract huge investment. This makes them even more attractive for wily cyber criminals as the rewards from attacks can be particularly lucrative. Another pertinent example is the renewable energy sector. This growing industry promises great things for our hopes of preserving the world we live in. Massive investment means it is also shaping up to be a very attractive market for cyber criminals. 

Jim Guinn, global managing director for cyber security in energy, chemicals, utilities and mining at Accenture has noted, “The cybersecurity conversation in the renewable energy engineering and construction business is almost nonexistent today.” It is imperative that such industries underpin their expansion with the appropriate focus on defence against cyber attacks.

Protecting your software stack

Today’s technology solutions are assembled like a jigsaw puzzle from many pieces: published APIs, integrations with proprietary products, cloud applications from different vendors, and open source components, all combined with in-house developments. As a result, many organisations are unsure about their complete Software Bills of Materials (SBOMs). This means vulnerabilities are literally built into critical systems, introducing undocumented threat vectors which can be used by hackers to gain access to proprietary systems and data.

This lack of knowledge about an organisation’s SBOMs means that even when a bug or vulnerability is identified in the open source community and a patch is created, the business can be completely unaware that it needs to take remedial action. There are many examples of this type of oversight resulting in huge costs and disruption for business.

Secure by default – building resilience

In 2023, developers and publishers of software must focus on Secure by Default principles if systems are to avoid the kind of failures caused by a poor security posture and an over-reliance on end-users to act in a secure manner. The user experience is an integral part of the security features of a system, because if security makes software inconvenient to use, end-users will simply find a workaround. If security isn’t second nature then it’s no security at all. The UK Government has introduced tough new regulations in the Telecommunications (Security) Act which include the requirement to have a deep understanding of security risks, including those within the supply chain. This builds on the premise that ‘edge’ devices such as radio masts, internet equipment, or wifi routers supplied to customers should be protected from cyber attack.

NCSC Technical Director Dr Ian Levy made the point: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”

Online risks spill over into the physical world

Increasingly, online services are impacting people in the real world. A high profile example is the fallout from the 2017 Equifax data breach, which is estimated to have cost the company at least $1.38 billion, with some sources suggesting the final bill could be closer to $2 billion. The root cause of the data breach was the failure to patch a known open source web application security flaw. This left the cyber doorway open for criminals to enter and cause havoc. Over 140 million U.S. consumers’ data was affected, putting them at risk of future financial instability: being unable to rent housing, being denied a loan, having to pay higher interest rates on credit cards or mortgages, and greater difficulty in getting a job, not to mention the distress and anxiety identity theft causes.

A more recent example, described as the biggest hack in history, affected the telco Optus and left one in three Australians at risk of identity theft or fraud. As a result, 10,000 victims have had their personal details published online and millions of people are scrambling to change their online driving licences. The T-Mobile data breach that affected 37 million accounts was detected in January 2023, but the weakness in the API had been exploited since November 2022.

Automating Development & Security Operations (DevSecOps)

As software development accelerates and the attacks of malicious actors continue to increase in speed and intensity, organisations must ensure their security operations are equipped to respond equally fast. Preventative strategies can be built into the development workflow to ensure that DevSecOps processes are efficient and maintain the appropriate vigilance without wasting human resources. Such processes become operationally effective when, for every critical patch released, the security and development teams are ready, as normal business practice, to identify the threat, confirm its presence in their application software estate and remediate as quickly as possible as part of business as usual. Without DevSecOps, such operations can take days to weeks, but forward-thinking teams will have worked this out so that such incidents take minutes to hours, thus preventing unauthorised access or infiltration of malware via an open source vulnerability.

With some 64% of companies impacted in 2021 by supply chain attacks, mostly due to increased reliance on open source software components, organisations must be scrupulous about checking that underlying dependencies are safe from vulnerabilities. A further study showed such attacks were up 300% compared to the preceding year. Businesses that prepare thoroughly against such risks will be well rewarded. Not only are they underpinning their own operations, ensuring that their business can continue to grow and innovate without hindrance from malicious attacks, but they also protect their reputation by providing reliable products and services to their customers. In turn, customers know that they can trust their supplier, building loyalty in the business that transcends a purely transactional relationship.

Ensuring that technology works as it should has long been a given. Now it is an expectation that tech works securely, protecting personally identifiable information, while still providing a great user experience, so that people can get on with their lives, knowing that their trusted suppliers are looking after their data securely. It is a challenge for the entire technology industry, but one on which our very way of life depends.

Visit www.meterian.io to learn how Meterian can help secure your business’s open source components to reduce the threat of cyber attacks.


Want Cyber Insurance? Better get patching!

Managing the technology stack and known vulnerabilities is becoming a key criterion for cyber insurance payouts

Open source software has once again made the headlines following warnings to organisations about the release of a new version of OpenSSL. Released on 1st November 2022, the new version patched vulnerabilities in version 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

The OpenSSL Project team took the unusual step of pre-warning organisations five days ahead of the 1st November release date that a critical update was being issued to address the vulnerabilities. This came as a surprise to many as the OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, organisations were advised to be cautious and to prepare. 

Based on the assessment by the OpenSSL team, the vulnerabilities could be exploited to trigger data leakage or remote code execution. It is hard to predict the potential damage and risk of these vulnerabilities, which is why it’s vital for organisations to act swiftly, determine any use of the affected OpenSSL versions and patch immediately if they are exposed. However, as these vulnerabilities were classified as “high severity” and not critical as initially thought, widespread exploitation is not expected.

Open Source the foundation of modern software

The benefits of open source software are numerous and well known, so let’s be clear: open source is not the problem; our ability to learn from the past is.

There have been a couple of big open source incidents in the last year that have sent shock waves through the cyber security world. Firstly, the vulnerability in the widely deployed Log4J component, and now this new vulnerability in OpenSSL. This is only the second such flaw ever found in the open source encryption project. The first was Heartbleed.

The December 2021 zero-day vulnerability in the Java logger Log4J, known as Log4Shell, was characterised by many security experts as the single biggest, most critical vulnerability of the last decade. If it is left unpatched, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software, causing untold damage, not least to brand reputations.

Unfortunately, this is a situation that specialty insurer Crum & Forster, owned by Fairfax, knows all too well after falling victim to the hacking group known as RansomHouse. Despite widespread news coverage of the Log4Shell vulnerability, which was revealed in December 2021, it appears the insurer was still vulnerable.

The breach at Crum & Forster was first discovered on 22nd July 2022. The hacking group was able to exploit an unpatched system, resulting in a total of 1.7 gigabytes of sensitive data being released, including medical information, insurance policies, employee data, and customer lists.

Crum & Forster are by no means an isolated case; there are many examples over the years of companies falling victim to known vulnerabilities.

History repeating itself

The Heartbleed vulnerability, discovered in 2014, impacted hundreds of thousands of web and email servers worldwide. Among the many systems confirmed to be affected were large organisations such as Yahoo, Eventbrite, and even the FBI’s own website. Many of the big companies confirmed to be affected were able to get their ducks in a row and patch before anything severe happened. 

Others weren’t so quick off the mark and hackers were able to exploit the vulnerability in several cases. The Canadian Revenue Agency was one of the many victims that suffered a breach as hackers exploited the Heartbleed vulnerability. The breach resulted in the theft of hundreds of social ID numbers in a six-hour period before the Canadian Revenue Agency realised and removed public access to its online services. 

In the aftermath of a breach, companies are quick to say that lessons will be learnt. Unfortunately, in a case of history repeating itself, the Canadian Revenue Agency was once again hitting the headlines. In 2017, just 3 years after Heartbleed, the agency had to shut down its website for filing federal taxes after falling victim to the open source Apache Struts2 vulnerability.

Fail to patch, plan to fail 

Several years on from when Heartbleed was discovered and a patch issued, there are still servers harbouring the Heartbleed vulnerability. In November 2020, a security researcher at the SANS Internet Storm Center discovered that over 200,000 machines were still vulnerable to Heartbleed. The news cycle may have moved on, but that doesn’t mean unpatched vulnerabilities have disappeared.

Too many headlines are showing that hacks have one thing in common: they are caused by a known vulnerability within an open source component.

A well-known example is the Equifax data breach in 2017, which remains one of the largest cybercrimes related to identity theft. The private records of 147.9 million Americans, along with 15.2 million British citizens and approximately 19,000 Canadian citizens, were compromised in the breach.

A key security patch for open source software Apache Struts was released by the Apache Software Foundation on 7 March 2017 after a security exploit was found. All users of the framework were urged to patch immediately. 

For one reason or another, the patching process within Equifax completely broke down, resulting in vulnerable systems being left open to compromise. Subsequent scans conducted by the Equifax IT department to identify any vulnerable systems appear to have failed and, as the saying goes, the rest is history.

The cost of downplaying security

Recent estimates suggest the 2017 Equifax data breach cost the company at least $1.38 billion, with some sources suggesting the final bill could be closer to $2 billion. The root cause of the data breach was the failure to patch a known open-source web application security flaw. The company effectively left the door open for cyber criminals to walk in and wreak havoc.

In the aftermath of the breach, Equifax was condemned for its lax security posture, shambolic emergency response and poor leadership, which led to many senior executives being accused of corruption. The Equifax breach investigation highlighted several security lapses that allowed attackers to enter allegedly secure systems and exfiltrate terabytes of data.

More than five years on, the Equifax data breach remains a cautionary tale in failing to manage cyber security risk effectively and lacking the tools and processes to implement a robust vulnerability and patch management regime.  

Cyber Insurance: prove it or risk losing it

Cybercrime has become a highly lucrative operation; it is not going away and is only set to worsen as companies continue to engage digital technology. Many have taken out cyber insurance to insulate themselves from the punishing costs of cyber-attacks and data breaches. 

However, companies across the world are likely to face increases in the cost of insurance as the number of claims increases year on year. According to research conducted by FitchRatings, US claims volume has risen 100 percent annually over the past three years.

In part as a result, the cost of cyber insurance has risen steeply in 2022 in both the US and the UK. According to Marsh, the UK cyber insurance market experienced a pricing increase of 102% year-over-year in the first quarter of 2022.

As a result of rising claim costs, the insurance industry is tightening its qualifying requirements and limiting its coverage. Cyber insurers now require organisations to provide information about their security controls if they want coverage. This can include technical, procedural, and human controls.

Keeping track of your open source exposure

Software Bills of Materials (SBOMs) are an emerging approach to keeping track of your software dependencies, both open source and commercial. SBOMs provide the ingredients list for understanding what code exists within the applications that your business relies upon.

Only by understanding what exists inside applications can organisations evaluate their exposure to risk. Used effectively, SBOMs enable companies to evaluate and target remediation efforts. But most importantly, companies won’t be blindsided when the next big open source vulnerability is announced. 

Known vulnerabilities are your responsibility 

Many cyber insurers have tightened their standards and are no longer paying out for breaches that have resulted from a known vulnerability. This should serve as a sharp wake-up call to boardrooms that deploy technology with little thought to the security implications. If companies want to ensure they continue to receive all the benefits of their policy, it’s vital that they have a rigorous patch management system. Corporates may have short memories when it comes to known vulnerabilities but, as the evidence shows, cyber criminals do not.

Companies must increase the visibility and transparency of the components in their open-source software and applications if they are to stay one step ahead of cyber criminals. Without continuous management of the governance, risk, and compliance of your open source, your company is walking a tightrope without a safety net. Those that fail to learn from history are doomed to repeat it.


Meterian now supports pnpm!

Hello fellow developers!

We are happy to report that Meterian now supports pnpm, a new, fast and more efficient alternative to npm. It is noticeably faster than npm, especially when installing packages, and it also saves a lot of disk space because it uses symlinks to represent modules. pnpm also has good support for monorepos through workspaces, with built-in handling of multiple packages in a single repository.

Pnpm support is available out of the box now in GitHub Actions, Azure DevOps, Bitbucket Pipes and of course using either the thin CLI or the dockerized CLI, so that you can continue to be informed about any vulnerable, out of date, or non-business friendly node module in your dependencies.

Remember: Meterian is free for open source!
