Want Cyber Insurance? Better get patching!

Image from https://unsplash.com/photos/bq31L0jQAjU

Want Cyber Insurance? Better get patching!

Managing the technology stack and known vulnerabilities is becoming a key criteria for  cyber insurance pay outs

Open source software has once again made the headlines following warnings to organisations about the release of a new version of OpenSSL. Released on 1st November 2022, the new version patched vulnerabilities in version 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

The OpenSSL Project team took the unusual step of pre-warning organisations five days ahead of the 1st November release date that a critical update was being issued to address the vulnerabilities. This came as a surprise to many as the OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, organisations were advised to be cautious and to prepare. 

Based on the assessment by the OpenSSL team, the vulnerabilities can be exploited and trigger data leakage or remote code execution. It is hard to predict the potential damage and risk of these vulnerabilities, which is why it’s vital for organisations to act swiftly, determine any use of the affected OpenSSL and patch immediately if they are exposed to the vulnerabilities. However, as these vulnerabilities were classified as “high severity” and not critical as initially thought, widespread exploitation is not expected. 

Open Source the foundation of modern software

The benefits of open source software are numerous and well known, so let’s be clear open source is not the problem – our ability to learn from the past is. 

There have been a couple of big open source incidents in the last year that have sent shock waves through the cyber security world. Firstly, the vulnerability in the widely deployed Log4J component, and now this new vulnerability in OpenSSL. This is only the second such flaw ever found in the open source encryption project. The first was Heartbleed.

The December 2021 zero-day vulnerability in the Java logger Log4J, known as Log4Shell, was characterised by many security experts as the single biggest, most critical vulnerability of the last decade. If left unpatched, attackers can hack into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage, not least to brand reputations. 

Unfortunately, a situation that specialty insurer Crum & Forster, owned by Fairfax, know all too well after falling victim to the hacking group known as RansomHouse. Despite widespread news coverage of the Log4shell vulnerability, which was revealed in December 2021, it appears the insurer was still vulnerable. 

The breach at Crum & Forster was first discovered on 22nd July 2022. The hacking group were able to exploit an unpatched system, resulting in a total of 1.7 gigabytes of sensitive data being released, including medical information, insurance policies, employee data, and customer lists. 

Crum & Forster are by no means an isolated case, there are many examples over the years of companies falling victim to known vulnerabilities. 

History repeating itself

The Heartbleed vulnerability, discovered in 2014, impacted hundreds of thousands of web and email servers worldwide. Among the many systems confirmed to be affected were large organisations such as Yahoo, Eventbrite, and even the FBI’s own website. Many of the big companies confirmed to be affected were able to get their ducks in a row and patch before anything severe happened. 

Others weren’t so quick off the mark and hackers were able to exploit the vulnerability in several cases. The Canadian Revenue Agency was one of the many victims that suffered a breach as hackers exploited the Heartbleed vulnerability. The breach resulted in the theft of hundreds of social ID numbers in a six-hour period before the Canadian Revenue Agency realised and removed public access to its online services. 

In the aftermath of a breach, companies are quick to express that lessons will be learnt. Unfortunately, in a case of history repeating itself, the Canadian Revenue Agency was once again hitting the headlines. In 2017, just 3 years after Heartbleed, the company had to shut down its website for filing federal taxes due to falling victim to the open source Apache Struts2 vulnerability. 

Fail to patch, plan to fail 

Several years on from when Heartbleed was discovered and a patch issued, there are still servers harbouring the Heartbleed vulnerability. In November 2020, a security researcher at the SANS Internet Storms Centre discovered that over 200,00 machines are still vulnerable to Heartbleed. The news cycle may have moved on but that doesn’t mean unpatched vulnerabilities have disappeared. 

Too many headlines are showing that hacks have one thing in common, they are caused by a known vulnerability within an open source component. 

A well know example is the Equifax data breach in 2017, which remains one of the largest cybercrimes related to identity theft. The private records of 147.9 million Americans along with 15.2 million British citizens and approximately 19,000 Canadian citizens were compromised in the breach. 

A key security patch for open source software Apache Struts was released by the Apache Software Foundation on 7 March 2017 after a security exploit was found. All users of the framework were urged to patch immediately. 

For one reason or another, the patching process within Equifax completely broke down, resulting in vulnerable systems being left open to compromise. Subsequent scans conducted by the Equifax IT department to identify any vulnerable systems appears to have failed and, as the saying goes, the rest is history. 

The cost of downplaying security

Recent estimates suggest the 2017 Equifax data breach cost the company at least $1.38 billion, with some sources suggesting the final bill could be closer to $2 billion. The root cause of the data breach was the failure to patch a known open-source web application security flaw. The company effectively left the door open for cyber criminals to walk in and wreak havoc.

In the aftermath of the breach Equifax was condemned for its lax security posture, shambolic emergency response and poor leadership, which led to many senior executives being accused of corruption. The Equifax breach investigation highlighted several security lapses that allowed attackers to enter, allegedly secure, systems and exfiltrate terabytes of data. 

More than five years on, the Equifax data breach remains a cautionary tale in failing to manage cyber security risk effectively and lacking the tools and processes to implement a robust vulnerability and patch management regime.  

Cyber Insurance: prove it or risk losing it

Cybercrime has become a highly lucrative operation; it is not going away and is only set to worsen as companies continue to engage digital technology. Many have taken out cyber insurance to insulate themselves from the punishing costs of cyber-attacks and data breaches. 

However, companies across the world are likely to face increases in the cost of insurance as the number of claims increase year on year. According to research conducted by FitchRatings, US claims volume has risen 100 percent annually over the past three years. 

In part as a result, the cost of cyber insurance has risen steeply in 2022 in both the US and the UK. According to Marsh, the UK cyber insurance market experienced a pricing increase of 102% year-over-year in the first quarter of 2022.

As a result of rising claim costs, the insurance industry is tightening their qualifying requirements and limiting their coverage. Cyber insurers now require organisations to provide information about their security controls if they want coverage. This can include technical, procedural, and human controls. 

Keeping track of your open source exposure

Software Bill of Materials (SBoMs) are an emerging approach to keeping track of your software dependencies, both open source and commercial. SBOMs provide the ingredients list to understanding what code exists within the applications that your business relies upon. 

Only by understanding what exists inside applications can organisations evaluate their exposure to risk. Used effectively, SBOMs enable companies to evaluate and target remediation efforts. But most importantly, companies won’t be blindsided when the next big open source vulnerability is announced. 

Known vulnerabilities are your responsibility 

Many cyber insurers have tightened their standards and are no longer paying out for breaches that have resulted from a known vulnerability. This should serve as a sharp wakeup call to boardrooms that deploy technology, with little thought to the security implications. If companies want to ensure they continue to receive all the benefits of their policy, it’s vital that they have a rigorous patch management system. Corporates may have short memories when it comes to known vulnerabilities but, as the evidence shows, cyber criminals do not. 

Companies must increase visibility and transparency of the components in their open-source software and applications if they are to stay one step ahead of cyber criminals. Without continuous management of your governance, risk, and compliance of open source your company is walking a tight rope, without a safety net. Those that fail to learn from history are doomed to repeat it.

Want Cyber Insurance? Better get patching!

Alerting a financial services firm to existential security threats and enabling fast, effective remediation

  • Location: UK
  • Industry: Financial Services
  • Customers: Fortune 500 clients around the world
Skyward view from the ground and  4-6 tall buildings pointing up
Credit: Samson-ZGjBuikp_ from Unsplash

A Race Against Malicious Actors

The breaking news in December 2021 of the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves through organisations around the world. Over the last 20 years Log4j has been used globally in billions of software developments and applications for logging incidents. This meant that until the vulnerability could be mitigated, the doors were open to millions of organisations. Attackers could break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage. The issue was also a major threat to corporate reputations, especially where trust and confidentiality was key, such as in the financial services sector.

In the early hours an alert notification about the Log4j critical vulnerability reached one major financial services organisation based in the UK, with Fortune 500 clients around the world. On hearing the news, the Director of DevOps and Engineering cross-checked other sources for corroboration, including social media, and contacted the organisation’s Lead Technical Security Officer. It was clear that, unchecked, this could be a major problem, but how big an issue would depend on how widely Log4j 2 was embedded into systems used and being developed throughout the corporation.

Often in the race to innovate and implement systems quickly, documentation may not be as comprehensively kept and updated as ideally required. In its absence, it can be difficult for an organisation to discover how widely Log4j is integrated within its application estate, let alone know if it has been previously patched. 

The race was on against the malicious actors poised to automate exploitation of Log4J vulnerabilities, with major impacts for the corporation and potentially for millions of customers around the world.

Mobilising the IT & Security Workforce with Meterian

The organisation moved rapidly by using Meterian’s out-of-the-box reports to enable it to identify where Log4J vulnerabilities were to be found across its application estate, and hence the size of the potential problem. Only then could it be possible to build a remediation plan to mitigate the risks of all the Log4J vulnerabilities.

By 10am, the list of projects utilising the Meterian solution could be seen via the Meterian Dashboard and automated scanning initiated. Scanning the software bills of materials of the affected projects, an indication of the potential impact of Log4J was emerging which could give direction and scope on the follow-up actions. Other projects which had not yet begun to use Meterian as part of their regular processes, found that Meterian’s simplicity of use meant that they could also quickly scan their projects for vulnerabilities.

Working methodically and forensically with the organisation’s development teams across multiple locations, by 5pm it was possible to present to senior management a concise summary of the situation, showing areas of the business at risk; those projects which had already been remediated; and those still needing work. A comprehensive communication plan was then invoked to alert the business to remaining vulnerabilities.

The following Meterian tools were used:

  • Meterian Sentinel notification alerts: an always-on security messaging service which sends notification alerts, emails, or Slack IMs to account administrators about new public vulnerabilities found in open source components used by their projects.
  • Meterian Boost Open Source Security (BOSS) Scanner: which gives instant visibility to the application’s open source dependencies with automated discovery, risk scoring, continuous scanning, and actionable security insights.
  • Meterian Account Dashboard: insight reports show dependent components and related Critical/High/Medium/Low vulnerabilities within the remit of a particular account.

The Meterian toolset alerts key employees to security issues and vulnerabilities; the breadth of the issue for the organisation’s application estate; and the projects impacted. The CISO is then armed with all the information needed to mobilise an effective action plan and comprehensive remediation.

Visibility and Control of Vulnerable Components

Log4J created great upheaval in IT teams across the industry, but for this business unit at this global Financial Services organisation, Meterian tools rapidly delivered a complete view of projects that were susceptible to attack. In comparison, other business units were not able to gather such insights so quickly because there was no single comprehensive reference point which was easy to access and use.

Meterian enabled a speedy time to resolution: 2 hours to implement remediation on projects identified using Meterian as having the Log4J vulnerability.

Meterian freed up employee time from finding the vulnerabilities, enabling them to focus on isolating the application estate from risk and implementing remediations. The Log4J threat demonstrated that critical incident prevention is possible with a more automated, secure-by-design approach. Additional or external staff were not required as existing employees could use smart tools on their application estate, and on a more regular basis to save time and remove headaches.  

Through using Meterian the organisation benefits from:

  • Prompt alerts and early warnings of vulnerabilities in the open source software supply chain
  • Enhanced protection against threats
  • Increased confidence in people and tools working together to protect from organisational risk
  • Decreased stress that vulnerabilities will cause major damage and reputational harm
  • Reduction in “known unknown” risks and number of security fires 

Cultivating Cyber Resilience Consistently and Responsively

The organisation is using the effective response enabled by Meterian as a case study to demonstrate that regulatory and compliance requirements can be met with easy-to-use continuous scanning tools that provide immediate visibility and quicken the development of secure code.

The proven partnership with Meterian will extend and facilitate their further innovation in automation, analytics and cyberresilience, through even more responsive and secure development.

Visit our homepage to learn more about how Meterian can secure your businesses’ open source components—keeping cyber hackers out and your intellectual property in.

Alerting a financial services firm to existential security threats and enabling fast, effective remediation

Visibility is vital if we are to improve safety and trust in open source

Image shows an observation deck, but the panorama is veiled behind white light or mist showing blank skies.  Do we know or see what we are building in our digital world?

Photo by Kate Trysh on Unsplash

Recent high profile cyber security incidents have reinforced the importance of cleaning up the open-source software supply chain. From Heartbleed to the Apache Software Foundation’s Log4j vulnerability, these highly publicised incidents have exposed the threats associated with the software supply chain.

Open source security vulnerabilities are nothing new. Heartbleed was a security bug in the OpenSSL cryptography library that affected many systems. Similarly, Log4Shell is a severe vulnerability, however in the case of Log4j the number of affected systems could well run into potentially billions. Many cybersecurity experts have characterised Log4Shell as the single biggest, most critical vulnerability of the last decade.

These incidents have brought into sharp focus the risks and galvanised a range of responses at national and international level. It even prompted the White House to convene an Open Source Software Security Summit in January that was attended by leaders from global technology companies including Google, Meta, Apple, and Cisco. Members of the open source community were also represented at the summit, as well as US government agencies, including the Cybersecurity and Infrastructure Security Agency, the National Security Council and the National Institute of Standards and Technology.

The gathering may have been precipitated by the Log4Shell vulnerability, but the wider context was clear. How do we ensure source code, build, and distribution integrity to achieve effective open source security management?

Open source under the microscope

Technology companies have been using open source for years as it speeds up innovation and time to market. Indeed, most major software developments include open source software – including software used by the national security community.

Open source software brings unique value, but it also has unique security challenges. It is used extensively, however, the responsibility of ongoing security maintenance is carried out by a community of dedicated volunteers. These security incidents have demonstrated that the use of open source is so ubiquitous that no company can blindly continue in the mode of business as usual. Recent research showed that 73% of applications scanned have at least one vulnerability[1]. These can be buried deep in the open source software supply chain that software-driven businesses rely on for basic functionality and security to accelerate their time to market.

The known unknown

The concept of known knowns, known unknowns and unknown unknowns has been widely used as a risk assessment methodology. When it comes to cybersecurity and the voracity of threat actors to exploit vulnerabilities, it is a useful analogy.

Let’s take Apache Log4J as an example. Companies often create products by assembling open source and commercial software components. Almost all software will have some form of ability to journal activity and Log4j is a very common component used for this.

How do you quickly patch what you don’t know you have?

Java logger Log4j 2 – A zero-day vulnerability

Log4J was originally released in 2001, and over the last 20 years it has been used in billions of software developments and applications across the world. For logging incidents within software, Log4j is used by everything from the humble 404 error message, gaming software such as Minecraft, and Cloud providers such as iCloud and Amazon Web Services, as well as for all manner of software and security tools.2 On 9 December 2021, the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves across organisations as security teams scrambled to patch the flaw. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage, not least to brand reputations.

However, herein lies the problem. How do you quickly patch what you don’t know you have?

Often in the race to innovate, the first thing sacrificed is up-to-date documentation. Without it how does a company know if Log4J is integrated within its application estate, let alone know if it has been previously patched.

Improving safety and trust when speed is of the essence

If we are to increase safety and trust in software, we must improve transparency and visibility across the entire software supply chain. Companies should have the ability to automatically identify open source components in order to monitor and manage security risk from publicly disclosed vulnerabilities. A software bill of materials (SBOM) should be a minimum for any project or development. Without such visibility of all component parts, security teams cannot manage risk and will be unaware, and potentially exposed, to dangers lurking in their software.

Case study – Full Visibility within an Hour

To give an example; one of the largest UK based financial services company with millions of customers across the world discovered it had Log4J embedded within dozens of in-house developed software projects. Having seen the first reports of the vulnerability at the start of the business day, within an hour the security team had identified projects using Log4j and were able to start work on follow up activities. By the end of the day, the entire business had a concise list of projects at risk, some of which were already remediated.

How was this achieved?

The company had automated tooling integrated into their software development environment with comprehensive component security. This enabled them to quickly identify those software projects which depended on the affected log4j component.

This visibility allowed the company to devise remediation plans to mitigate the risks of the vulnerability in Log4J. The company was able to target valuable resources across multiple locations to ensure fixes were applied quickly to critical business applications within just a couple of hours. While they were implementing an action plan based on the organisation’s use of Log4j, some of its competitors without such comprehensive tools were still in the information gathering stage.

Innovating securely

As organisations continue to innovate at pace in order to reduce time to market, the reliance on open source software continues to increase. However, when the security of a widely-used open source component or application is compromised, every company, every country, and every community is impacted.

The White House has taken an important first step in trying to identify the challenges present in the open source software supply chain and encourage the sharing of ideas on ways to mitigate risk and enhance resilience. Organisations can and should take advantage of the many benefits that open source software can deliver, but they must not do it blindly. Ensuring you know the exact make-up of your technology stack including all the component parts is an important first step. Choosing discovery tools that have the widest comprehensive coverage is important, and so too is the flexibility to grade alerts so that only the most pressing threats are highlighted. This avoids ‘alert fatigue’ and enables security teams to focus resource where it matters most, putting organisations in a good position to act fast when vulnerabilities are discovered.

Hackers faced with stronger security defences will continue to turn their attention to the weaker underbelly of the software supply chain. Now is the time for organisations to implement integrated and automated tooling to gain comprehensive risk control of components in their open-source software supply chain. Only by increasing visibility, coverage of known unknowns and transparency can companies stay one step ahead.

1 Meterian research from aggregated and anonymised data of 2044 scanned software applications in 2020.

2 “What is Log4j? A cybersecurity expert explains the latest internet vulnerability”, The Conversation, Dec 21, 2022, https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896

Visibility is vital if we are to improve safety and trust in open source

Share your software bill of materials safely with Meterian and RKVST SBOM Hub

26 Jan 2022

We’ve been a little busy with some forward thinking security SBOM-meisters over at Jitsuin in recent months. If you’ve not heard of them, they came up with the clever idea to provide a secured system that lets software producers and consumers share software bills of materials (aka SBOMs). Not only does this make it easy to lookup any particular component that has gone haywire or needs to be summoned for review, it also enables fast and easy sharing of such information with your trusted parties. The major benefit of their service is that this adds to the trust and transparency of shared systems. Think about those moments when a critical vulnerability is announced and you need to alert the team (inside/outside your organisation) to find it asap, or when you have to complete an audit. It’s a big benefit in time saved for the effort needed to take action quickly. Searching and trumpeting attention through the software supply chain of interconnected devices and systems will be simpler with your software bills of materials stored on RKVST SBOM Hub.

Learn more about how to create your SBOM on Meterian and get in touch to benefit from the Meterian and RKVST SBOM Hub integration.

Video of automated creation of software bill of materials and safe storage for secure sharing

Abridged press release below.

Jitsuin and Meterian integration automates production and secure distribution of SBOMs

Partnership an early success of Cyber Runway Accelerator launched in November 2021

London, UK and Santa Clara, USA. 26th January 2022. Jitsuin Inc, a pioneer in continuous assurance of critical assets, and Meterian, a leader in software automation and vulnerability detection, have teamed up to offer software publishers automated creation and secure distribution of Software Bills of Material (SBOMs). The integration between Meterian’s Boost Open-Source Software Scanner (BOSS) and Jitsuin’s RKVST SBOM Hub enables software publishers to automatically generate, store and distribute their SBOMs in public or private.

Meterian’s BOSS Scanner is a vulnerability detection and risk management system that delivers comprehensive component licensing and security control while automatically generating SBOMs. Jitsuin’s recently launched RKVST SBOM Hub is the first shared repository for publishers and subscribers to find and fetch the SBOMs they need. The integration of these two products allows software publishers to easily store, retrieve, publish and distribute SBOMs with full governance.

  • Developers, InfoSec and Governance Risk & Compliance teams can collaborate to mitigate vulnerabilities.
  • Authorized SBOM consumers can automatically retrieve the latest updates with full provenance and immutable history.
  • SBOM consumers can act fast on the latest data knowing it is trustworthy.

View source version on: https://www.businesswire.com/news/home/20220126005697/en/Jitsuin-and-Meterian-Integration-Automates-Production-and-Secure-Distribution-of-SBOMs

Share your software bill of materials safely with Meterian and RKVST SBOM Hub

An introduction to the world of SBOMs

3 minute read

We are sure many of you have been hearing about SBOMs. Nowadays, software include some components with code written by your own developers, but 80-90% of the code is typically from third-party developers. How can you know who produced what and when it absolutely needs to be replaced? Since Meterian has been managing SBOMs for awhile, we’re happy to share our know-how so you can consider a comprehensive strategy to manage your open source software supply chain. 

Photo by Raymond Rasmusson on Unsplash

What is an SBOM?

SBOM is an acronym that means Software Bill Of Materials. The concept originates from the manufacturing industry, where a bill of materials lists dependent components in machinery. A SBOM lists all third-party components present in your application. A good SBOM also lists the licences used by each component and, when possible, the specific copyright attribution. An excellent SBOM can also provide further information, such as possible relationships between those components to better understand any supply chain risk. You may have encountered SBOMs in the past, known as “third party notice” documents created to manage legal requirements, such as the one in the image below. 

Altova Third Party Software License Notice

However, modern SBOMs are “machine-readable”.  They follow a strict specification that can be understood by a computer. 

What machine-readable formats are used to publish SBOMs?

The most commonly used formats to define a SBOM are:

  • CycloneDX, a lightweight open-source standard designed for use in application security context and supply chain component analysis. This originated from within the OWASP community.
  • SPDX, an open source format with origins in the Linux Foundation, slightly more complex, and recently approved as ISO/IEC standard in version 2.2.1 as ISO IEC 5962:2021.
  • SWID, another ISO/IEC industry standard used by various commercial software publishers.

All these formats support a variety of use cases, but the first two (CycloneDX and SPDX) are the most versatile. Due to SPDX’s complexity, we think CycloneDX has an edge at this time, but only time can tell which of these formats will be the winner. To learn more about these formats you can also read the official NTIA publication, which drills down into the matter.

Why are SBOMs important? And how are they useful?

As a consumer of software, the main reason why you want to have access to the SBOMs of the systems you are using is to manage risks. When a very commonly used software component becomes vulnerable: how do you know what you need to patch and which subsystems are at risk? This is exactly what happened with the recent Log4Shell debacle. The logging library called Log4j, was suddenly exploitable with a very simple and repeatable attack. How do you know where it is? Which one of the systems you are using is suddenly at risk?  With a correctly managed archive of SBOMs, getting this information reduces to a very simple lookup task. Without it, it can be a real nuisance —a time consuming information hunt that disrupts everyone’s work flow.

As a producer of software, instead, you want to preserve and maintain an archive of all the SBOMs of the system you produce so that you can create and distribute timely patches to your customers. Having a systematic and comprehensive analysis of your most commonly used software packages would be useful indeed. Some companies were very fast in releasing patches to their customers, while others were extremely slow, mostly because they did not have the information.  You probably want to be in the first group of companies 🙂

Governments are also mandating the need for use of SBOMs, realising that software security needs to be regulated.  The U.S. Executive Order 14028 that mandates all federal agencies to require SBOMs from their suppliers.  This not only impacts the companies that have direct sales to the US government but also their own software suppliers.  As so many systems and devices have been connecting to the Internet to send and receive information, consequently our digital world relies on a software supply chain.  This “ripple effect” will be significant for many industries. 

It’s important to consider how software products you produce can meet basic security requirements and how the associated software security information is produced and managed in your organisation.   Similar legislation has already been proposed in Europe since the publication of  “Guidelines for securing the IoT” by ENISA (hint: SBOMs are required) and the ETSI EN 303 645 global standard for consumer IoT security, which is based on the UK government’s Code of Practice.  See also the recently published Product Security and Telecommunications Infrastructure (PSTI) Bill and more to come from the UK government to improve the UK’s cyber resilience.

How should SBOMs be handled?

Very carefully :), because an SBOM contains the full list of the “ingredients” of your system or application. While open-source projects happily share this information to the world, the same does not apply to private companies. In fact, a malicious actor that gets hold of the SBOM of your system can then check if you are using any vulnerable components. There are public vulnerability databases, such as the NVD, which are very popular. Someone can simply browse in there and compose a list of possible attacks, try them, and maybe get lucky.  Probably 9 out of 10 vulnerabilities affecting components in your system won’t be exploitable, but having the ability to go through the whole list, certainly makes the task of finding an exploit much easier. 

There’s no need to keep SBOMs a complete secret, however, as long as a few simple principles are kept in check:

  • SBOMs need to be shared securely,
  • they need to be accessed only by the authorised parties, across organisational boundaries, and
  • they should not be tampered with.

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  

Why bother with SBOMs now?

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  In our hyper connected world, comprehensive coverage of components is important for preventative strategies and threat detection in supply chain attacks.  Therefore, implementing SBOM management proactively now will be worth something to your organisation when the next critical vulnerability appears and stand your organisation in good stead. All good collections are worth organising. How valuable is your collection of software?

Photo by Susan Q Yin on Unsplash

Get started with SBOMs

The need for SBOMs is already high. Level up your open source software security and implement this requirement. Check out the SBOM capabilities in Meterian-X platform’s approach to DevSecOps.

An introduction to the world of SBOMs

Urgent and Critical: Remote Code Execution in Apache Log4j needs immediate upgrade

Updated: 31 Dec 2021

5 minute read

This is a call to arms. All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered Apache Log4j vulnerability since its announcement on Dec 9, 2021. Since then several security vulnerabilities in the wild have been discovered.

CVE-2021-44832

Vulnerability Score: 6.6 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: 2.0-alpha7 to 2.17.0 inclusive, except 2.3.2 and 2.12.4.
Fixed in version: 2.17.1

CVE-2021-44228

Vulnerability Score: 10.0 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions before 2.14.1, inclusive
Fixed in version: 2.15.0 but upgrade to 2.17.0 is required because of CVE-2021-45105

CVE-2021-45046

Vulnerability Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) (updated 18/12/2021)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions up to 2.15.0, excluding 2.12.2
Fixed in version: 2.16.0 but upgrade to 2.17.0 is required because of CVE-2021-45105

CVE-2021-45105

Vulnerability Score: 7.5 (CVSS: 3.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions from 2.0-beta9 to 2.16.0, inclusive
Fixed in version: 2.17.0


Which systems does this affect?

Apache Log4j is probably the most common library used for logging in the Java ecosystem with over 400,000 downloads from its GitHub project. It is used in Java applications to log system and user activities, so there’s a serious possibility your Java software is using it. It is used, internally, by many other Apache frameworks such as Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo. It is also actively used in many other open source projects, like Redis, ElasticSearch, Elastic Logstash, Ghidra and many others.

Among all these open source components, one needs a special mention: Apache Struts. Yes, it is actively using Log4j. There exists a potential to trigger high-impact attacks against a wide variety of apps and services, similar to the scale witnessed in 2017. At that time, due to the vulnerability exploited in the Equifax megahack, 140 million customers’ data in North America and UK were breached. The latest version of Apache Struts, 2.5.28, uses by default Log4j version 2.12.21, which is vulnerable to this attack. This time, however, the scope for damage could be even wider, as Apache Struts is one of many Apache frameworks that use Log4j. 

The Java ecosystem is in very broad use in enterprise systems and web apps and many mainstream services are likely to be vulnerable. Therefore, software maintainers and developers should pay close attention to this vulnerability. 

This has been preliminary filed as CVE-2021-44228, and a subsequent vulnerability was also flagged, now filed under CVE-2021-45046.


Why does this threat demand an urgent patch?

This vulnerability allows the attacker to remotely execute code on your system, with the ability to gain complete control of the underlying servers.

This is actively exploited on the internet now and there is already a simple POC (proof of concept) available on the internet that explains how to do it. 

From https://www.wired.com/story/log4j-flaw-hacking-internet/:

“All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.  […]Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.”

If you maintain an enterprise system using Java software, you would need to update all affected applications, whether they are maintained directly by your organisation or your supplier organisation.

Within 2 days of the 2017 vulnerability being announced, several systems around the world were breached by exploiting the software weakness.  We do not want more cyber breaches of such scale and all need to react quickly to patch vulnerable systems.


How can I check if my system is affected?

If you maintain any software using Java libraries, check if you are using Apache Log4j.  Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries.  If it is using Log4j, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.

If you are a developer and you have access to the code, you can simply execute this command from your terminal:

$ mvn dependency:tree | grep log4j-core | grep compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile

If you see any response lines, check the version: if it’s below 2.16.0 (as in the above example) you may be affected.


My system has the vulnerable log4j library — how can I mitigate the risk?

There is a patched version of the library that resolves the issue.  Released by Apache Software Foundation, the solution is to immediately upgrade log4j to the latest log4j version 2.16.0.  The fixed version is available via Maven

If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before:

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.16.0</version>
    </dependency>

A set of mitigations, specific to the version you are using, are also available on the Apache Log4j website. The Apache Struts team provided specific advice on how to handle the issue.

If you are using an external product that runs with Java, you can also protect your systems by launching the JVM with this special parameter:

-Dlog4j2.formatMsgNoLookups=true

This is useful for tools like Jenkins, where you have control of the installation but you do not have control of the code, but please note that this does not protect against the latest CVE.


What can I do to proactively protect from such vulnerabilities?

We always suggest you regularly scan your software code bases. 


Are Meterian applications affected by the log4j vulnerability?

No. We have verified our applications and none are using log4j.  We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components.   

Related references

Urgent and Critical: Remote Code Execution in Apache Log4j needs immediate upgrade

Update to terms and privacy policy

We have updated our terms and conditions and privacy policy as our business grows to serve more customers across the software industry in financial, cybersecurity, e-commerce, health, IT and telecommunications sectors.  We look forward to welcoming more customers who want to secure their open source software supply chain as part of secure app development. Software developers, security officers, quality assurance and legal compliance professionals can benefit from easy to read reports to streamline their decision making processes.

Get in touch to book a demo! 

Update to terms and privacy policy

Making the most of Christmas, Part 2

11 min read

In the second of our three part blog series as we lead up to Christmas, the Meterian Team shares with you shortcuts to make the most out of what you already have.  

A library, component, piece of code is reusable when it can be re-used in different parts of the same or different project with minimal to no need of code modifications. 

Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management. This is a critical part of modern software development since nearly 100% of codebases are made up of open source components. These dependencies can be directly used by your application or indirectly used through transitive relationships. You can imagine the number of connected components if your software codebase has hundreds of modules.

Many vulnerabilities remain, leaving software applications unsecured

In our analysis of 1310 website applications,  the most popular component with a security vulnerability was jQuery.  Out of 332 javascript components used across all the web apps,  81% of the components had a security vulnerability.  All of these vulnerabilities could be easily removed by simply upgrading to jQuery 3.5.1.  It’s great that software is reusable, but beware of the invisible stakeholder who preys on out-of-date components’ security holes.  Like fresh food, software components also have a “best before” date.  To get the most out of them before they go bad and become easy pickings for malicious bot-scripts of hackers, keep your code’s dependencies up to date. This is best done programmatically rather than manually.

Neither software development nor cybersecurity teams can keep up with all the changes and fixes required to keep the code performant and secure. Therefore, knowing how to leverage the right tools to detect and patch in a timely manner can make a difference in preventing a cyber breach spoiling a company’s business and reputation. In a Ponemon study last year:

  • 60% of respondents said their organisations suffered a breach due to an unpatched known vulnerability where the patch was not applied
  • 62% were unaware that their organisations were vulnerable prior to the data breach
  • 52% of respondents said their organisations were at disadvantage in responding to vulnerabilities because they use manual processes

Earlier this year another Ponemon report highlighted the need for a programmatic approach to managing vulnerabilities as unpatched known vulnerabilities remain a significant risk: “Over six months, an average of 28% of vulnerabilities remain unmitigated, and organizations have a backlog of 57,555 identified vulnerabilities.” Remember, even just one vulnerability exploited could lead to a cyber breach. Furthermore, 60% of open source programs audited had a vulnerability that’s already been patched.

For this blog, we present the top 3 most popular components found from our survey of 1310 web applications past their “best before” date. Below are recommended substitutions for an alternative or updated component that is vulnerability free so you can #BoostOpenSourceSecurity in your software applications:

  • jQuery 1.12.4  -> Please update to jQuery 3.5.1
 1 high level threat:  Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. 
 Recommendation: Update to version 3.0.0 or later. 
  • handlebars.js 4.0.11 ->  Update handlebars module to version >=4.6.0
 1 high level threat: Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
 1 medium level threat: Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.. Recommendation: Upgrade to version 4.4.5 or later. 
  • Twitter-bootstrap 3.x.x (3.3.7)  -> update to the next safe version 3.4.1
 1 high level threat: XSS in data-template, data-content and data-title properties of tooltip/popover
 1 medium level threat: In Bootstrap before 3.4.0,  XSS  (cross site scripting) is possible in the affix configuration target property. 

Remains of the day

At the end of the day, updating your application’s dependencies is easy if you know what to look out for, when to apply the update, and have an automated workflow to help you do this consistently and at scale.  Finding the right combination of open source components to help speed and secure your development is one example of how “Necessity is the mother of invention.” Meterian speeds up the task of keeping your open source dependencies up to date easily and continuously so developers can focus on the main course of innovating securely.

In the spirit of giving this Christmas and to fuel the creative cooks out there (perhaps you or that important person in your life who always makes sure a delicious meal is ready for you at dinner time!), here’s how to use leftover Christmas veg to make two speedy suppers:

Linguine with with cavolo nero and bacon

Serves: 4
Prep time: 10 minutes
Cooking time: 20 minutes

Ingredients
400g linguine
olive oil
6 slices smoked streaky bacon, cut into 1cm or bite size pieces
1 tbsp olive oil
2 shallots, finely chopped
2 garlic cloves, crushed
300g cavolo nero, hard stalks removed, and roughly chopped (shortcut: blitz the shallots, garlic and cavolo nero leaves in food processor until finely chopped)
75ml double cream (optional)
2 egg yolks
¼ nutmeg, freshly grated
50g parmesan cheese, finely grated
salt & freshly ground black pepper 

Tip: No cavolo nero?  Don’t get stuck in a rut.  Try any slightly bitter green veg, such as brussels sprouts, broccoli, broccolini, gai lan, or rapini.  All lend a lovely nutty flavour balanced with the delightful pungence of parmesan cheese and black pepper.

 Instructions
 Cook the linguine in a pan of boiling, salted water following the pack instructions. Meanwhile, heat some olive oil in a large frying pan, and cook the bacon for a couple of minutes. Add the shallots and garlic cloves, and finely chopped cavolo nero to stir-fry with the bacon.  After 3-4 minutes,  take off the heat.
Mix the cream and egg yolks with with the nutmeg, ⅔ of the cheese and some black pepper.
Put the bacon and veg stir fry back on the heat, add a little of the pasta cooking water and simmer down to 2 tbsp.
Drain the cooked pasta, and add the pasta to the pan with the cavolo nero-bacon and cream mixture. Next add the remaining grated parmesan cheese, and season with more salt and pepper to taste. 
Cod, Chorizo and Potato Stew

Serves: 4
Preparation time:10 minutes
Cooking time:30 minutes

Ingredients
110g chorizo, cut into 2cm slices
1 onion, sliced
1 garlic clove, crushed
4 potatoes
1 can of chopped tomatoes (220-250g)
500ml fish stock
600g frozen cod fillets, defrosted and cut into 3 - 4cm chunks
20g flat leaf parsley, chopped

Instructions
1. Heat a large pan over a medium heat and cook the chorizo for 2 - 3 minutes, then remove from the pan and set aside. Drain all but 1 tbsp of fat from the pan and use to cook the onion and garlic over a medium heat for 6 - 8 minutes until soft. Peel potatoes and cut into 3cm chunks.  Put the potatoes in the pan with the chorizo and cook for 3 minutes.
2. Add the tomatoes and fish stock, bring to the boil and simmer for 10 - 12 minutes until the potatoes are tender. Stir in the cooked chorizo. You can freeze the stew at this stage, letting it cool to room temperature first.
3. If cooking from frozen, defrost the stew overnight in the fridge or in a microwave, then reheat. Add the cod to the stew and simmer for 4 - 5 minutes until just cooked. Season and serve immediately, scattered with parsley.

“The evening’s the best part of the day. You’ve done your day’s work. Now you can put your feet up and enjoy it.”

Kazuo Ishiguro, The Remains of the Day

The tools that boost your efficiency when your coding project has a handful developers may need to be very different from the software that keeps your project humming when you have 1,000 or more. We’ve designed Meterian to evolve with your application security tech stack as your software engineering and digital transformation needs evolve. If your open source dependency management system is not humming smoothly with your software development life cycle, or your open source components are decaying and reducing their life time value for the organisation, consider reusing and securing your software components with Meterian. Get in touch today.

Making the most of Christmas, Part 2

Making the Most of Christmas

Recipes, ingredients and ideas to make your fuel (food and software!) go further.

In this three part blog series as we lead up to Christmas, the Meterian Team will share with you their work and christmas holiday hacks of life.  First and foremost, let’s get our coding projects secured so we can have some peace of mind over the holidays.

Five things to do this December and then forgeddaboutit until 2021

1. Sign up to Meterian free trial (5 mins)

2. Run your Security, Stability, Licence check and get to know your components (20 mins)

3. Triage: Automatically fix out of date components, set exclusions or identify issues to discuss a mitigation plan. (30 mins)

4. Schedule your action plan (20mins)

5. Automate it to run continuously with your favourite CI, GitHub Action, or BitBucket Pipe so your software dependencies are checked without you needing to be interrupted during any of your Christmas socials. 

This last step will require you to put in some time and effort.  Our customers have done this in minutes to several hours over 2 days.  The best part is that once it’s done and you’ve got it running automatically, you can just leave it running and put your feet up.  Or perhaps run off and be there for someone else who needs you.  Boost your apps’ open source security — Enjoy!

Making the Most of Christmas

Cybersecurity and IoT: Health Care and Well-Being in our Shared Spaces

Last updated: 07/07/2021

As the extraordinary situation of the COVID-19 crisis continues and more such supervirus incidents will occur, the benefits that IoT can provide will be even in more demand.  We are already seeing how IoT plays a significant role in modernising healthcare and disaster prevention, public safety and security, supply chain, and manufacturing and production.  

The Good We’ve Seen

In Hong Kong, the government has deployed smart wristbands to monitor city residents1 quarantined inside their homes.  Accelerating the timely discovery of outbreaks, these smart medical devices, powered with internet of things (IoT) technology, play an important role in containment of outbreaks like COVID-19 and prevent future pandemics.

Prior to COVID-19 pandemic, Japan was preparing for Tokyo 20202, the smartest Olympics ever with self-driving cabs to transport guests between sports venues, robotic guides, immersive virtual reality and crowd control directed by artificial intelligence.  Getting ready to welcome 11,000 athletes with 4 to 7 million on-site spectators from Japan and all over the world, this would have been a wonderful showcase of IoT tech and applications from a country that is already a technological leader in robotics and consumer electronics.  Unfortunately, the event is postponed 12 months, though the Olympic Committee resolves to have the games, it’s not clear how much of IoT tech applications will be used.

As public venues have been opening up in the past several weeks, there is a serious challenge of getting business going and the health and safety of people using the same facilities.  How can public toilets be kept safe and clean for everyone to use?  A common need at medical centres, restaurants, shopping malls, and any city where visitors would rely on public toilets. One new IoT company on the scene, Inferrix, has a solution for the “COVID Secure Washroom”, as described on their website: Inferrix wireless edge-intelligent sensors on the washroom doors show a red light to alert visitors if the washroom is unsafe to use. Any washroom can be installed in less than 1 hour.  We can easily imagine its application to be useful in office spaces near shared kitchen areas or study areas of public or university libraries as well.

When we reflect on the role that IoT played over the course of the pandemic, there are more notable instances. For example, telehealth consultations meant that there was a reduced risk of transmission that would otherwise have been prevalent with face to face consultations. Secondly, robot assistance is used to disinfect contaminated areas and objects, both protecting health carers and giving health carers more time to care for their patients. China was the first country to use Danish made UVD robots using IoT and help to disinfect treatment areas in nursing homes and clean patient rooms.

The Not So Good

In a 2019 study of security of IoT devices3, data revealed that more than twice the number of vulnerabilities were detected compared to six years earlier.  As covered in in our last blog post, cyber attacks from IoT risks have surged 300% and the UK and US are catching up on regulations to ensure companies safeguard devices. In March 2020 researchers found4 that more than half of all internet of things (IoT) devices are vulnerable to medium- or high-severity attacks, with 98% of all IoT device traffic being unencrypted.

As we’ve seen during the COVID-19 crisis, even when everyone else was rallying together, cyber criminals targeted vulnerable organizations in the health sector: data-stealing ransomware on US pharma company5 and Europe’s largest private hospital6, Czech republic hospital’s computer systems were attacked when their focus was on running coronavirus tests, and in the UK two construction companies building emergency hospitals were hacked7.

Such attacks can become more sophisticated and more dangerous to individuals using new health technology apps and devices used to provide medication or daily survival needs.

Bringing Tech Out for Good

Connected devices are available using cellular connectivity which are allowing doctors to rely on patients to use connected out-of-the-box devices for special readings to be sent directly to the doctor from the device (temperature, blood pressure, glucose meters).   Such technology is not limited to medical practitioners and is already available for anyone.  A user created a smart system to monitor his diabetic brother’s blood sugar8 (glucose) levels using an app, a data logging platform that processed data from his brother’s glucose sensor to make his own healthcare monitoring system.

Similarly, Australia saw its first ‘virtual hospital’9 open shortly before the COVID-19 pandemic hit through Royal Prince Alfred Hospital (RPA) in Sydney. Data from pulse oximeters used to measure oxygen saturation levels and heart rates along with armpit patches to track temperature were transmitted to the hospital. In addition, video-consultations allow coronavirus patients to receive the care they need without the risk of transmission. 

Recently, we have seen evidence of health providers recognise the risks surrounding IoT devices and the need to incorporate security standards to protect against malicious hackers. For example, University Hospitals of North Midlands NHS Trust has opted to trust Ordr with providing a systems control engine (SCE)10 which will locate and secure every connected device. This includes Internet of Medical Things (IoMT), Internet of Things (IoT) and Operational Technologies (OT) devices.

Security, safety, and data privacy considerations are important aspects of designing, building and maintaining such systems to protect the identity and well-being of the individual.  We’d hate to think about incidents where devices give wrong information due to a malicious actor – getting the wrong medication, dosage, or advice could have serious, even lethal consequences.  Having IoT devices and apps to create a safer world requires more scrutiny and protective measures designed as part of the solution.  As many of these solutions will be designed for one person’s use, customised to their medical needs or specific daily routines, it’s essential they are maintained, updated, and when no longer maintainable that they are properly turned off and disposed of.

Check out IoT For All Podcast with Christopher Schouten of Kudelski Group11.  He talks about necessary considerations to secure IoT projects, making sure they can scale as well as be practical in protecting what is valuable. 

Although the transformational journey to an IoT world seems daunting, the capabilities of IoT to bring high-tech care and consultancy out of the clinic and into homes and vulnerable communities across the world presents a thrilling opportunity.  Health care and IT experts, technicians, research scientists and security experts are collaborating, as are carers, policy makers and administrators.  Altogether, the confluence of tech and human intelligence will continue to evolve and strive to protect all that is worth protecting.  COVID-19 and cybercrime are making seismic shifts in worldwide health and safety, threatening our prosperity. Let’s defend the world, use technology for good and build the world we want.

If you are a developer or have a software development team using open source components, learn how  Meterian automates monitoring of software applications for open source risks and vulnerabilities.  Read about Meterian-X: Invisible Security for your Open Source Security Management in IoT systems and devices.

1 Doffman, Zak. “Coronavirus Police Surveillance Tags Are Now Here: Hong Kong First To Deploy.” Forbes, 17 March 2020, https: //www.forbes.com/sites/zakdoffman/2020/03/17/alarming-coronavirus-surveillance-bracelets-now-in-peoples-homes-heres-what-they-do/?sh=227b12984533

2 Hallet, Rebecca. “Tokyo on track for smartest Olympics ever”. Raconteur, 20 February 2020, https ://www.raconteur.net/technology/internet-of-things/iot-tokyo-2020/

3 Coble, Sarah. “Vulnerabilities in IoT Devices Have Doubled Since 2013”. Info Security, 17 September 2019, https ://www.infosecurity-magazine.com/news/vulnerabilities-in-iot-devices/.

4 O’Donnell, Lindsey. “More Than Half of IoT Devices Vulnerable to Severe Attacks”. threat post, 11 March 2020, https:// threatpost.com/ half-iot-devices-vulnerable-severe-attacks/153609/.

5 Whittaker, Zack. “Hackers publish ExecuPharm internal data after ransomware”. Tech Crunch, 27 April 2020, https: //techcrunch.com/2020/04/27/execupharm-clop-ransomware/.

6“Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware”. KrebsonSecurity, 6 May 2020, https: //krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/.

7 “Coronavirus: Cyber-attacks hit hospital construction companies” BBC News, 13 May 2020, https: //www.bbc.co.uk/news/technology-52646808.

8 Anx, Quintessant. “Healthcare IoT: Monitoring Diabetes with Logz.io” Logz.io, 11 December 2018, https: //logz.io/blog/healthcare-iot-monitoring/.

9 Minion, Lynne. “‘Flattening the curve’ with virtual care in Australia'” Healthcare IT News, 30 June 2020,  https: //www.healthcareitnews.com/news/europe/flattening-curve-virtual-care-australia

10 Crouch, Hannah. “University Hospitals of North Midlands deploys Ordr cyber security solution”. digital health, 6 May 2021, https: //www.digitalhealth.net/2021/05/university-hospitals-of-north-midlands-ordr/

11 “Security Challenges in the IoT Landscape | Kudelski Group’s Christopher Schouten”. iot for all, 5 May 2020, https: //www.iotforall.com/podcasts/e064-iot-security-considerations.

Cybersecurity and IoT: Health Care and Well-Being in our Shared Spaces