Discover Meterian at CyberUK 2024

The UK government’s flagship cyber security event, CyberUK 2024, is just around the corner! Hosted by the National Cyber Security Centre (NCSC), this annual gathering brings together over 2,000 cyber security leaders and professionals for networking, knowledge exchange, and collaboration.

Deputy Prime Minister Oliver Dowden recently announced the theme for CyberUK 2024 during a speech at techUK. The focus will be on how the cyber community can harness the societal benefits of emerging technologies while ensuring those technologies are secure for the future. The theme is particularly relevant as we navigate the ever-evolving landscape of cyber threats and opportunities.

Where to find us

We will be exhibiting at CyberUK 2024. Used by SMEs and critical national infrastructure (CNI) operators alike, our secure-by-design, agile approach to software development works for developers and compliance teams. Come and learn how Meterian protects the open source software supply chain.

Visit us at Stand IZ3 at the Birmingham ICC, 13-15 May.

Understanding the Importance of Software Composition Analysis in the Context of EU’s DORA Regulations

The EU’s Digital Operational Resilience Act (DORA) represents a significant step towards ensuring that the financial sector can withstand and rapidly recover from ICT-related disruptions and threats. Among the security testing tools and actions DORA lists (Article 25 names open source analyses alongside vulnerability scans, source code reviews and penetration testing), Software Composition Analysis (SCA) emerges as a critical component. Let’s explore why SCA is vital in this new regulatory landscape and how solutions like Meterian can be particularly beneficial.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is a cybersecurity process that helps organizations identify and manage open source components within their software inventory. SCA tools scan software projects to detect open source libraries and frameworks, check the versions used, and compare them against databases of known vulnerabilities. Additionally, SCA assesses license compliance risks, ensuring that the open source licenses are compatible with corporate policies on software usage.
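To make the matching step concrete, here is an added example (not Meterian’s code and not from the original post) of the core SCA loop in Python: parse a pinned requirements file, test each version against an advisory’s affected range, and check the declared license against a corporate deny list. The package names, advisory identifiers, versions and licenses are all constructed for the example.

```python
"""A minimal SCA scan: pinned dependencies vs. an advisory database and a
license policy. Added example; every package, version, advisory id and
license below is constructed for illustration, not a real advisory."""
import re
from dataclasses import dataclass

# Constructed lockfile in pip "requirements.txt" pin syntax.
SAMPLE_REQUIREMENTS = """\
# constructed sample, as produced by `pip freeze`
acme-http==2.25.0
acme-yaml==5.3.1
acme-leftpad==0.9.2
"""

# Constructed advisories; the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "introduced": "2.3.0",
     "fixed": "2.31.0", "severity": "MEDIUM"},
    {"id": "ADV-0002", "package": "acme-yaml", "introduced": "5.1",
     "fixed": "5.4", "severity": "CRITICAL"},
]

# Constructed license inventory and a corporate deny list.
LICENSES = {"acme-http": "Apache-2.0", "acme-yaml": "MIT", "acme-leftpad": "AGPL-3.0"}
DENIED_LICENSES = {"AGPL-3.0", "SSPL-1.0"}

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def parse_version(text):
    """'5.4' -> (5, 4, 0) so that short and long version strings compare correctly."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def parse_requirements(text):
    """Return {name: version} for each 'name==version' pin; comments are ignored."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, advisory):
    """True when version lies in the advisory's half-open [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


@dataclass
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability" or "license"
    detail: str
    severity: str  # CVSS-style label, or "POLICY" for license findings


def scan(requirements_text, advisories=ADVISORIES, licenses=LICENSES,
         denied=DENIED_LICENSES):
    """Match every pinned package against the advisories and the license policy."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv['id']} (fixed in {adv['fixed']})",
                                        adv["severity"]))
        # An unknown license is treated like a denied one: it cannot be cleared.
        lic = licenses.get(name, "UNKNOWN")
        if lic == "UNKNOWN" or lic in denied:
            findings.append(Finding(name, version, "license", lic, "POLICY"))
    return findings


def should_fail_build(findings, threshold="HIGH"):
    """Gate for CI: any license finding, or a vulnerability at/above threshold."""
    for f in findings:
        if f.kind == "license":
            return True
        if SEVERITY_ORDER.index(f.severity) >= SEVERITY_ORDER.index(threshold):
            return True
    return False


if __name__ == "__main__":
    results = scan(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"{f.severity:8} {f.kind:13} {f.package}=={f.version}: {f.detail}")
    print("fail build:", should_fail_build(results))
```

Two caveats worth keeping in mind when reading this against a real SCA tool: a production scanner walks the full transitive dependency tree from the lockfile rather than only the direct pins, and it compares versions with the ecosystem’s own rules (PEP 440 for Python, semver for npm), which the naive numeric tuple above does not handle for pre-release or post-release tags.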

The Role of SCA Under DORA

The DORA framework emphasizes the need for a broad and adaptable approach to cybersecurity, recognizing the diverse nature of financial entities and their varying levels of ICT maturity. Here’s why SCA is integral to this approach.

Vulnerability Management
Financial entities run a plethora of software solutions, many of which rely on open source components, including transitive dependencies that no team chose directly. SCA provides a systematic approach to detecting known vulnerabilities in these components, some of which may be critical and widely exploited in the financial sector. By identifying these vulnerabilities early, financial institutions can patch them before they are exploited.

Compliance and Risk Management
DORA calls for rigorous compliance standards, including in areas like software licensing. SCA tools automatically detect the licenses of every component and alert teams about potential legal and operational risks, thus supporting compliance with DORA requirements.

Enhanced Operational Resilience
By integrating SCA into their cybersecurity practices, financial institutions can improve their operational resilience. Knowing exactly what is in their software reduces the time and resources spent on crisis management in the event of a security breach.

Supporting Advanced Testing Requirements
As entities mature, advanced testing such as Threat-Led Penetration Testing (TLPT), which DORA requires of designated financial entities at least every three years, becomes viable. SCA ensures that the foundational elements of software security are addressed, which is critical for conducting more sophisticated, scenario-based tests effectively.

How Meterian Can Help

In the context of DORA, Meterian stands out as a valuable ally for financial institutions aiming to enhance their software security posture. Here’s how Meterian can specifically support compliance and resilience:

  • Continuous Security and Compliance Monitoring: Meterian continuously scans your software projects, providing real-time alerts on new vulnerabilities and compliance issues. This ongoing monitoring ensures that financial entities can respond promptly to emerging threats.

  • Automated Fix Suggestions: Beyond identifying issues, Meterian provides actionable insights and automated fix suggestions. This helps in quickly resolving vulnerabilities and license conflicts, significantly reducing the window of exposure.

  • Ease of Integration: Meterian’s platform can be seamlessly integrated into existing development workflows. This integration ensures that security and compliance checks occur throughout the software development life cycle, aligning with DORA’s emphasis on continuous improvement and adaptation.

  • Customizable Reporting: Meterian offers detailed, customizable reports that can assist financial entities in demonstrating their compliance with DORA regulations to regulators. These reports provide clear evidence of the proactive measures taken to ensure operational resilience.

By leveraging SCA tools like Meterian, financial institutions can not only meet the stringent requirements set forth by DORA but also significantly strengthen their cybersecurity frameworks. This proactive approach to software security is essential in a landscape where digital operations are increasingly integral to financial stability and success.

NVD Update Delays: What’s Happening at the National Vulnerability Database?

Introduction

Since its inception in 2005, the National Vulnerability Database (NVD) has been a vital resource for security professionals, enriching the Common Vulnerabilities and Exposures (CVE) records reported by researchers worldwide with severity scores and affected-product data. However, in recent months, the NVD has faced significant challenges, resulting in delays and incomplete data. In this blog post, we explore the current state of the NVD and its implications for enterprise security.

The Mysterious Freeze

In February 2024, the NVD underwent an unexpected transformation. A cryptic announcement appeared on its website, stating that users would “temporarily see delays in [our] analysis efforts” while the National Institute of Standards and Technology (NIST) implemented improved tools and methods. Unfortunately, no further explanation accompanied this message. The freeze slowed the enrichment of new CVEs with scores and affected-product data, leaving security managers in a bind.

The CVE Model and Missing Details

The NVD does not discover vulnerabilities itself. CVE records are published by the CVE Program’s network of 365 CVE Numbering Authorities (CNAs), both US-based and international, including software vendors, bug bounty operators, and private research firms; the NVD then analyses and enriches each record. Each CNA follows the CVE record schema to ensure unique and consistent entries. However, since the beginning of 2024, over 6,000 new CVEs have been published, and nearly half of them still lack the essential enrichment details in the NVD.

What’s Missing?

  • Metadata: The latest CVE entries lack the affected-software (CPE) metadata that NIST normally adds during analysis. Without this context, security managers struggle to assess the severity of vulnerabilities and prioritize patching efforts.
  • CVSS Scores: The Common Vulnerability Scoring System (CVSS) scores, which indicate vulnerability severity, are absent for many CVEs; at most a CNA-supplied score is present.
  • Product Information: Enterprises rely on NVD data to identify which applications and operating systems are at risk. Without the CPE configurations, a CVE cannot be matched automatically against an asset inventory.
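These gaps show up directly in the JSON that the NVD API 2.0 returns for each record. The following added example (not part of the original post) triages records in that shape, using constructed records with placeholder CVE identifiers: it flags entries that have no NIST-supplied CVSS score or no CPE configuration, falls back to a CNA-supplied score where one exists, and marks records that automation cannot act on at all.

```python
"""Triage NVD API 2.0 records for enrichment gaps: missing NIST CVSS score,
missing CPE configuration, or a status other than Analyzed/Modified.
Added example; the records are constructed in the NVD 2.0 JSON shape with
placeholder CVE identifiers, not real entries."""
import json

ENRICHED_STATUSES = {"Analyzed", "Modified"}
NIST_SOURCE = "nvd@nist.gov"

# Constructed sample in the shape of a response from
# https://services.nvd.nist.gov/rest/json/cves/2.0 (real field names, made-up values).
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {
        "id": "CVE-0000-00001", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": NIST_SOURCE, "type": "Primary",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {
        # Only the CNA supplied a score; NIST has not analysed the record yet.
        "id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
        "metrics": {"cvssMetricV31": [
            {"source": "security@example.com", "type": "Secondary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {
        # No score from anyone and no affected-product data at all.
        "id": "CVE-0000-00003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]})


def cvss_scores(cve):
    """Return (nist_score, other_score): the NIST score and the best score
    from any other source (typically the CNA); either may be None."""
    nist = other = None
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for metric in cve.get("metrics", {}).get(key, []):
            score = metric["cvssData"]["baseScore"]
            if metric.get("source") == NIST_SOURCE:
                nist = score if nist is None else max(nist, score)
            else:
                other = score if other is None else max(other, score)
    return nist, other


def affected_cpes(cve):
    """Collect the CPE names marked vulnerable in the record's configurations."""
    return [m["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")]


def triage(response_json):
    """Classify each record; 'effective_score' prefers NIST, then any other source."""
    rows = []
    for item in json.loads(response_json)["vulnerabilities"]:
        cve = item["cve"]
        nist, other = cvss_scores(cve)
        cpes = affected_cpes(cve)
        gaps = []
        if cve.get("vulnStatus") not in ENRICHED_STATUSES:
            gaps.append("status:" + cve.get("vulnStatus", "unknown"))
        if nist is None:
            gaps.append("no-nist-cvss")
        if not cpes:
            gaps.append("no-cpe")
        rows.append({"id": cve["id"], "nist_score": nist, "fallback_score": other,
                     "effective_score": nist if nist is not None else other,
                     "cpes": cpes, "gaps": gaps})
    return rows


def needs_manual_review(row):
    """True when automation cannot act on the record: nobody has scored it,
    or there is no CPE data to match it against an asset inventory."""
    return row["effective_score"] is None or not row["cpes"]


if __name__ == "__main__":
    for row in triage(SAMPLE_NVD_RESPONSE):
        flag = "REVIEW" if needs_manual_review(row) else "ok"
        print(f"{row['id']} score={row['effective_score']} gaps={row['gaps']} {flag}")
```

The design point is the fallback: a record in “Awaiting Analysis” may still carry a Secondary CVSS metric from the CNA, which is enough to rank it, but without CPE configurations it still cannot be matched against your inventory, so it lands in the manual-review queue regardless.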

The status of things (April 2024)

In an April 2024 update, the NVD team restated the importance of the National Vulnerability Database, a repository of information on software and hardware flaws that can compromise computer security, and acknowledged the growing backlog of submitted vulnerabilities awaiting analysis. NIST says it is working to address the backlog and remains committed to supporting and managing the NVD, but at the time of writing analysis still lags well behind submissions.

How Meterian can help

Enter Meterian, an application security solution that maintains its own vulnerability database rather than depending on the NVD alone. That database offers:

  1. Automated Frequent Updates: Unlike the NVD, which has experienced recent delays, Meterian’s security database is updated at least every 4 hours. This automated process ensures that you receive the most current threat intelligence promptly.
  2. Diverse Data Sources: Meterian aggregates data from more than 15 unique sources, including both public and private feeds, so a delay in any single source (such as the NVD) does not leave a gap. These sources contribute to a comprehensive repository of vulnerability information covering a wide range of software components, enriched by Meterian AI and internally curated databases.
  3. Monitoring 350K Vulnerabilities: At present, Meterian actively monitors around 350,000 vulnerabilities across ecosystems from Perl to Rust. If you are building applications with open source libraries or frameworks, Meterian has you covered.

Conclusion

As the NVD grapples with its challenges, consider integrating Meterian into your security toolkit. Stay informed, stay proactive, and safeguard your digital assets effectively. Alternatively, you can simply start receiving timely notifications through our alerting system: please check out our previous article that explains how to do just that!

References:

  1. NIST’s Vuln Database Downshifts, Prompting Questions About Its Future
  2. National Vulnerability Database (NVD) Update Delays
  3. The National Vulnerability Database Crisis: Defend Against Unpatched Vulnerabilities
  4. National Vulnerability Database: Opaque changes & unanswered questions
  5. NIST’s NVD has encountered a problem

