Big News for Flutter Fans: Meterian Now Supports Dart!

June 21, 2024June 20, 2024 bbossolacybersecurity, dart, futter, meterian, opensource, riskLeave a comment

Great news for all you mobile developers out there! Meterian, a leading Software Composition Analysis (SCA) platform, has just rolled out support for Dart, the programming language that’s become super popular for building Flutter apps. If you’re crafting mobile apps with Flutter, this update is specially tailored for you. Let’s dive into what this means and why it’s a game changer for Flutter developers.

Why Dart and Flutter are a big Deal

Developed by Google, Dart is all about building smooth and stunning mobile and web applications, and it’s the powerhouse behind Flutter—Google’s UI toolkit for crafting beautiful, natively compiled applications from a single codebase. Flutter’s ability to deliver apps that feel great on both Android and iOS has made it a hot favorite. With Dart now getting the spotlight it deserves, security and efficiency in app development are set to reach new heights.

Meterian embraces Dart

With Dart on its radar, Meterian is making sure that your development toolkit is not just powerful but also secure. This inclusion means Meterian can now safeguard your Flutter projects right from the get-go, catching potential security slip-ups before they become real headaches.

Meterian’s leap to include Dart is more than just an update—it’s setting a new standard for mobile app security. By embracing the needs of the Flutter community, Meterian is not only beefing up the security of apps but is also paving the way for projects that scale smoothly and stay robust under pressure.

What’s in it for Flutter developers?

We believe Flutter will eventually get a dominant position in the mobile development scene, so it’s essential to have tools that ensure that your applications are rock-solid safe. Meterian’s support for Dart brings you a suite of benefits:

Boosted Security: Spot vulnerabilities early in the development cycle with Meterian’s SCA tools, keeping your apps safe from security threats.
Stay on the Right Side of Compliance: Keep up with the latest security standards easily, ensuring your app complies with legal and regulatory requirements.
Seamless Development Flow: Meterian fits right into your existing workflows, helping you patch up security issues without slowing you down.
Scale with Confidence: As your app grows, Meterian grows with it, making sure that even the most complex projects stay manageable and secure.

I want to use Meterian: what should I do?

Meterian is free for open source projects! If you have a GitHub OSS project, you can easily integrate Meterian using the GitHub Action following this step-by-step guide or you can checkout this live example on GitHub. We do have also native integrations with BitBucket and Azure Devops, and also integrations with other CI/CD platforms.

Meterian is here to help!

With Dart in Meterian’s toolkit, it’s an exciting time to be building apps with Flutter. This move shows Meterian’s commitment to supporting the latest and greatest in app development, making it easier for you to build apps that aren’t just awesome but are also secure and compliant. To learn more about Meterian’s support for Dart/Flutter and how it can help improve the security of your projects, visit Meterian’s website at www.meterian.io.

Ensuring Data Integrity and Security in Healthcare: The Crucial Role of Application Security

June 11, 2024 bbossolacompliance, cyber-security, cybersecurity, CyberUK24, information-security, opensource, risk, SBOM, security, technologyLeave a comment

In the digital age, healthcare companies are guardians of vast amounts of sensitive user data, ranging from personal health records to financial information. With this responsibility comes the challenge of ensuring data integrity and security against the growing threats of cyberattacks and data breaches. Meterian, a leader in application security, is at the forefront of providing solutions that safeguard this critical data.

Healthcare providers harnessing open-source software face unique security risks that require vigilant management and protection strategies. Meterian’s innovative tools actively scan and identify vulnerabilities within applications, ensuring that all components are up to date and secure against potential threats. By leveraging Meterian’s capabilities, healthcare companies can not only protect their patient data but also enhance their overall cybersecurity posture.

Protecting patient records.

In collaboration with Emis Group, a well-established brand in healthcare technology, Meterian has demonstrated its value in real-world applications. Emis has utilised Meterian’s solutions to bolster their applications’ defences, thereby protecting millions of patient records. While our partnership with Emis illustrates Meterian’s capability to handle the complex cybersecurity needs of large enterprises, it’s important to recognise that our solutions are equally effective and accessible for SMEs and startups. Meterian understands the unique challenges faced by smaller organisations, including tighter budgets and limited resources, as our platform is designed to be flexible and scalable.

For healthcare organisations, the fear of missing out on the highest level of security should be a significant concern. Meterian provides an essential layer of security that automates and streamlines the detection and management of vulnerabilities—tasks that would otherwise consume valuable development resources. As legislation evolves and compliance becomes even more stringent, Meterian’s tools help healthcare companies stay ahead, ensuring they meet all regulatory requirements while securing user data against emerging threats.

A successful case study.

To see first – hand how Meterian is enhancing cybersecurity in the healthcare industry, we invite you to explore our success story with Emis Group. This case study provides a detailed look at how Emis leveraged Meterian’s cutting-edge solutions to fortify their application security, ensuring compliance with stringent regulations and protecting sensitive patient data.

Visit Meterian today!

Discover Meterian at CyberUK 2024

April 29, 2024April 30, 2024 bbossolacompliance, cyber-security, cybersecurity, CyberUK24, information-security, opensource, risk, SBOM, security, technologyLeave a comment

The UK government’s flagship cyber security event, CyberUK 2024. is just around the corner! Hosted by the National Cyber Security Centre (NCSC), this annual gathering brings together over 2,000 cyber security leaders and professionals for networking, knowledge exchange, and collaboration.

Deputy Prime Minister Oliver Dowden recently announced the theme for CYBERUK 2024 during a speech at techUK. The focus will be on how the cyber community can harness the societal benefits of emerging technologies while ensuring their security for the future. This theme is particularly relevant as we navigate the ever-evolving landscape of cyber threats and opportunities.

What to Expect

Networking and Learning: Over 2,000 cyber security experts will convene in Birmingham from May 13th to 15th. Attendees will have the opportunity to network, learn from world-leading experts, and collaborate on pressing challenges facing the global cyber community.
Expert Speakers: More than 100 expert speakers will share insights on the threat landscape, resilience, and cutting-edge developments. From employing AI in healthcare research to using quantum computers for climate change solutions, CYBERUK 2024 promises to explore exciting possibilities
Exhibitors and Sponsors: Meet 150+ sponsors and exhibitors, fostering collaboration, learning, and innovation. These partnerships are crucial for addressing cyber challenges across public and private sectors

Where to find us

We will be exhibiting at CyberUK 2024. Loved by SMEs and CNI, our secure-by-design agile approach to software development delights developers and compliance teams. Come and learn how Meterian protects the Open Source Software Supply Chain.

Visit us Stand IZ3 at the Birmingham ICC, May 13-15th.

NVD Update Delays: What’s Happening at the National Vulnerability Database?

April 8, 2024 bbossolacyber-security, cybersecurity, NVD, opensource, security, vulnerabilityLeave a comment

Introduction

Since its inception in 2005, the National Vulnerability Database (NVD) has been a vital resource for security professionals, providing details about common vulnerabilities and exposures (CVEs) discovered by researchers worldwide. However, in recent months, the NVD has faced significant challenges, resulting in delays and incomplete data. In this blog post, we explore the current state of the NVD and its implications for enterprise security.

The Mysterious Freeze

In February, the NVD underwent an unexpected transformation. A cryptic announcement appeared on its website, stating that users would “temporarily see delays in [our] analysis efforts” while the National Institute of Standards and Technology (NIST) implemented improved tools and methods. Unfortunately, no further explanation accompanied this message. The freeze affected the timely documentation of CVEs, leaving security managers in a bind.

The CVE Model and Missing Details

The NVD relies on a network of 365 partners—both US-based and international—who contribute threat data. These partners include software vendors, bug bounty operators, and private research firms. Each participant adheres to a schema to ensure unique and accurate entries. However, since the beginning of the year, over 6,000 new CVEs have been posted, with nearly half lacking essential details in the NVD.

What’s Missing?

Metadata: The latest CVE entries lack critical metadata, such as information about affected software. Without this context, security managers struggle to assess the severity of vulnerabilities and prioritize patching efforts.
CVSS Scores: The Common Vulnerability Scoring System (CVSS) scores, which indicate vulnerability severity, are absent for many CVEs.
Product Information: Enterprises rely on NVD data to identify which applications and operating systems are at risk. Unfortunately, the missing details hinder this crucial aspect.

The status of things (April 2024)

In this recent update from the NVD team they discuss the importance of the National Vulnerability Database (NVD) and the challenges it faces. The NVD is a repository of information on software and hardware flaws that can compromise computer security. There is a growing backlog of vulnerabilities submitted to the NVD, and NIST is working to address this challenge. NIST is committed to its continued support and management of the NVD, but at this time it seems to be lagging behind.

How Meterian can help

Enter Meterian, a comprehensive application security solution that offers unique advantages over traditional databases. Meterian has an extremely robust security database that implements:

Automated Daily Updates: Unlike the NVD, which has experienced recent delays, Meterian’s security database is updated at least every 4 hours. This automated process ensures that you receive the most current threat intelligence promptly.
Diverse Data Sources: Meterian aggregates data from more than 15 unique sources, including both public and private feeds. These sources contribute to a comprehensive repository of vulnerability information, covering a wide range of software components. This is also enriched by Meterian AI and internally curated databases.
Monitoring 350K Vulnerabilities: At present, Meterian actively monitors around 350,000 vulnerabilities across various ecosystems, from Perl to Rust. If you’re building applications and dealing with open-source libraries or frameworks, Meterian has you covered.

Conclusion

As the NVD grapples with its challenges, consider integrating Meterian into your security toolkit. Stay informed, stay proactive, and safeguard your digital assets effectively. Alternatively, you can simply start receiving timely notification through our alerting system: please check out our previous article that explains how to do just that!

References:

Supply Chain Shock: Backdoor in liblzma Highlights Third-Party Package Risks

March 30, 2024April 15, 2024 bbossolaC++, cyber-security, cybersecurity, news, opensource, risk, security, technology, vulnerabilityLeave a comment

The open-source software (OSS) ecosystem thrives on the principles of transparency and collaborative development. However, a recent critical vulnerability discovered in the core library, liblzma, has cast a shadow on this trust. The vulnerability, which was disguised as a bug fix, contained malicious code that could have potentially granted attackers access to users’ systems through SSH servers. This unsettling incident serves as a sobering reminder of the tangible risks inherent in relying on third-party software packages, even within the seemingly open and collaborative realm of OSS.

What happened?

liblzma, a critical library used for compression in many Linux distributions, was compromised by a backdoor hidden within its source code. This backdoor, attributed to a contributor named Jia T75, remained undetected for two years. During the build process, the backdoor would infect the system, specifically targeting x86_64 Linux systems. This vulnerability could have allowed attackers to compromise SSH servers, potentially granting them unauthorized access to a user’s system.

Why third-party packages are a risk

While OSS thrives on collaboration, it also introduces vulnerabilities. We rely on the good faith of developers contributing code. Malicious actors can exploit this trust by injecting backdoors or other harmful code into seemingly legitimate libraries like liblzma.

What can you Do?

To mitigate the risks associated with third-party software packages, it is imperative to stay vigilant and proactive. Patching software promptly by updating your system regularly ensures you have the latest security fixes in place. Furthermore, exercising caution when obtaining software updates and packages by exclusively utilizing official or trusted sources is of utmost importance. Thoroughly researching the maintainers of the software packages you rely upon can shed light on their track record of responsible updates and reputation within the community. Whenever feasible, exploring alternatives to widely used libraries can be a prudent strategy, as diversifying your software portfolio can reduce the potential impact of a single vulnerability. By adopting these measures, you can bolster the security posture of your systems and minimize the risks posed by third-party software dependencies.

How Meterian can help

The liblzma backdoor incident serves as a wake-up call, and it highlights the need for constant vigilance. By understanding the risks and taking preventative measures, we can build a more secure software ecosystem. Remember, security is an ongoing process, not a one-time fix .

Security solutions like Meterian can be powerful allies in mitigating the risks of third-party packages. Meterian’s notification system keeps you informed about the latest vulnerabilities impacting your software ecosystem, including critical flaws like the recently discovered liblzma backdoor. Through timely alerts and detailed reporting, Meterian ensures you stay on top of potential threats before they can be exploited]. Additionally, Meterian’s Software Composition Analysis (SCA) solution goes a step further by scanning your codebase for known vulnerabilities within dependencies like liblzma. By proactively identifying these risks, SCA allows you to take early action and prioritize patching vulnerable components, ultimately safeguarding your systems and data.

Don’t wait for the next major vulnerability to compromise your systems. Take control of your software security today. Try Meterian for free and experience the power of proactive vulnerability detection and management.

An important note!

The xz/liblzma packages are sometimes included in major Linux distributions, and much of the focus is now there, also because this vulnerability can be exploited to execute remote commands over SSH. However, please be aware that this vulnerability may affect also your application code, either because it may be linking directly liblzma in your C/C++ applications or because, via conan, you previously used the package xz_utils in one of the vulnerable versions (5.6.0, 5.6.1). Furthermore, other wrappers such as xz.ex (elixir), xz.net (dotnet), ruby-xz (ruby) and similar packages may indirectly pull the affected package.

Update – 15 April 2024

This is a novel situation, and there is still much uncertainty. We are aware of only a single known exploit path at this time, but there may be additional scenarios that have not yet been identified.

In detail, so far, it looks like the payload activates if the running program has the process name /usr/sbin/sshd, however, based on ongoing analysis, it may activate also in other scenarios too, unrelated to SSH. This matter is still investigated, you can keep an eye at this page to follow the active investigation.

References

Backdoor in the xz source code: https://www.openwall.com/lists/oss-security/2024/03/29/4
Backdoor in upstream xz/liblzma leading to SSH server compromise: https://news.ycombinator.com/item?id=39868673
NVD reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
A live analysis of the backdoor: https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
Ongoing investigation: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Understanding SBOMs: A Crucial Aspect of the EU Cyber Resilience Act (CRA)

March 15, 2024March 15, 2024 bbossolacompliance, cybersecurity, risk, SBOMLeave a comment

The EU Cyber Resilience Act

The European Union Cyber Resilience Act (CRA), which was proposed on September 15, 2022, is the first EU-wide legislation addressing cybersecurity requirements for software and hardware manufacturers. Unlike the U.S. Executive Order, the CRA extends to all vendors who create products with digital components that connect to the internet. It will become enforceable in early 2027, three years after its ratification.

SBOM Requirements of the CRA

One of its key requirements focuses on Software Bill of Materials (SBOMs). An SBOM is essentially a comprehensive inventory of all software components used in a product. It provides transparency by listing out the dependencies, libraries, and third-party code that make up a software application. Think of it as a “recipe” for your software – it tells you exactly what ingredients (components) are included.

The key points related to Software Bill of Materials (SBOM) requirements under the EU Cyber Resilience Act are:

Manufacturers must identify and document product components and vulnerabilities, including the creation of a SBOM of at least the top-level dependencies of the product
The SBOM does not have to be made publicly available
The SBOM should be included in the technical documentation and, upon request, provided to market surveillance authorities

The EU Cyber Resilience Act mandates SBOM adoption to enhance cybersecurity and ensure transparency in software and hardware supply chains. Manufacturers need to create SBOMs for their products, while public availability is not required.

Why SBOMs are essential

SBOMs are a sensible tool to manage your supply chain transparency. With the increasing complexity of software supply chains, understanding what goes into your product is crucial. SBOMs allow manufacturers to trace the origins of each component, identify vulnerabilities, and assess risks.

By having an SBOM, organisations can proactively address security vulnerabilities. When a known vulnerability is discovered in a library or component, manufacturers can quickly assess which products are affected and take necessary remediation steps.

They are also required for compliance and legal requirements. Specifically, the CRA mandates that manufacturers create SBOMs for their products. Compliance ensures that products meet cybersecurity standards and reduces legal risks.

Why SBOMs are complicated

Creating and maintaining Software Bill of Materials (SBOMs) is a time-consuming process due to the intricate nature of modern software. Applications are no longer simple; they consist of interconnected components, libraries, and dependencies. The prevalence of open-source software further complicates matters. Each component introduces its own set of dependencies, licences, and potential vulnerabilities. Identifying and tracking all these elements manually is a daunting task. Ensuring accuracy, compliance, and security within this complex landscape inevitably consumes significant time and effort.

That’s the reason why it’s a good idea to adopt an automated solution that takes this problem away.

Meterian: your automated SBOM solution

Using automated analysis, Meterian continuously scans your codebase, identifies the whole network of dependencies, and generates an SBOM automatically. No manual effort required, as SBOMS can be created and stored during the analysis, or later on demand. This will save a substantial amount of time to your developers, who can say goodbye to weeks of research at each release. Everything happens directly on your pipelines or at the touch of a button.

With the help of his powerful vulnerability scanner, Meterian provides you all relevant vulnerability Insights. The Meterian vulnerability database tracks more than 340k vulnerabilities across more than 20 different OSINT sources. You will also automatically receive real-time alerts about vulnerabilities in your components, even if you do not actively analyse them: Meterian will do it for you.

Meterian is easy to integrate in your processes, as it seamlessly integrates with your development pipelines, ensuring continuous monitoring without any extra activity. A simple click, some lines of YAML, one or two lines of script, is all it takes. You get protection against vulnerabilities and compliance at the same time, without any extra effort.

Conclusion

As the EU Cyber Resilience Act comes into effect, manufacturers are required to embrace SBOMs to ensure transparency, enhance risk management, and achieve compliance. The Meterian platform simplifies the generation of SBOMs, enabling you to concentrate on developing secure and resilient software.

Remember: An SBOM isn’t just a regulatory requirement; it’s a powerful tool for safeguarding your digital products. Start creating your SBOMs today!

Enhancing Application Security with Meterian: A Powerful SonarQube Integration

September 6, 2023 bbossolaLeave a comment

In the fast-paced world of software development, ensuring code security is paramount. Vulnerabilities can lurk in unexpected places, and addressing them swiftly is crucial to safeguarding your applications and your users. That’s where Static Application Security Testing (SAST) and Software Composition Analysis (SCA) come into play. Today, we’re excited to announce a game-changing integration between Meterian, a leading cloud SCA solution, and SonarQube, a renowned SAST platform. In this blog post, we’ll explore the advantages of combining these two powerful tools and dive into the specifics of the Meterian and SonarQube integration.

Advantages of SAST with SCA: A Dynamic Duo for Code Security

Before delving into the integration, let’s understand why the combination of SAST and SCA is a game-changer for code security.

1. Comprehensive Vulnerability Detection: SAST analyzes your source code for security issues, identifying vulnerabilities from the code’s perspective. SCA, on the other hand, scans your dependencies for known vulnerabilities. Together, they provide comprehensive coverage, helping you identify and address issues across your codebase.

2. Early Detection: SAST and SCA work in different phases of the development lifecycle. SAST scans your code during development, while SCA monitors dependencies throughout the software’s lifetime. This early detection ensures that vulnerabilities are identified and remedied promptly, reducing the cost and effort of fixing issues in later stages.

3. Precise Remediation: By pinpointing vulnerabilities in both your code and dependencies, you gain precise information on what needs to be fixed. This helps developers focus their efforts on high-priority issues, improving efficiency and reducing false positives.

4. Improved Compliance: Many industries have strict compliance requirements. The combination of SAST and SCA aids in meeting these regulations by providing a robust security framework for your applications.

5. Enhanced Security Posture: Together, SAST and SCA help you build a stronger security posture, which is especially important in today’s threat landscape. By addressing vulnerabilities early and comprehensively, you reduce the attack surface and mitigate security risks effectively.

Meterian and SonarQube Integration: A Closer Look

Let’s now take a more detailed look at the most important aspects of the Meterian and SonarQube integration

1. Streamlined Workflow: The integration seamlessly incorporates Meterian’s SCA results into your SonarQube environment. This means that you can access SCA insights right where you already manage your code analysis, streamlining your workflow. View problems directly within the SonarQube interface while retaining the ability to drill down into the full Meterian report for a comprehensive view of vulnerabilities and dependencies.

2. Real-time Feedback with Custom Notifications: Receive real-time feedback on your code’s security status, and stay informed about any new vulnerabilities affecting your dependencies. Meterian takes it a step further by offering customizable notification options. You can receive alerts via Slack, Email, or WebHook, ensuring that your team stays instantly updated and can take immediate action to address any issues.

3. Remediation Guidance with Safe Dependency Versions: The integration provides detailed remediation guidance, helping developers understand and resolve vulnerabilities effectively. When vulnerabilities are detected, Meterian goes a step beyond by not only identifying the issues but also providing safe versions of the dependencies to use in order to mitigate these vulnerabilities effectively. This valuable guidance streamlines the remediation process, ensuring that developers have access to trusted solutions for code security..

4. Enhanced Quality beyonde code: Achieve higher code quality and security standards by leveraging Meterian’s comprehensive vulnerability database and SonarQube’s powerful analysis capabilities. The integration not only identifies vulnerabilities but also extends its benefits by detecting out-of-date dependencies within your codebase. This ensures that your applications not only remain secure but also stay up-to-date with the latest libraries and components.

5. Strengthened Compliance with License Reporting and SBOM: In addition to its robust security features, the Meterian and SonarQube integration significantly strengthens compliance efforts. Meterian goes beyond security by reporting licenses for all dependencies used in your software projects. This comprehensive license reporting ensures that your organization remains compliant with licensing requirements, reducing the risk of legal and financial liabilities. Furthermore, Meterian provides a full Software Bill of Materials (SBOM), offering transparency into all the components and libraries used in your applications. By combining security and compliance in one integrated solution, you can achieve a higher level of confidence in your code while minimizing legal risks.

Getting Started with the Integration

Getting started with the Meterian and SonarQube integration is straightforward. Simply follow these steps, as described in Meterian’s documentation page:

Install the Meterian Plugin: Begin by installing the Meterian plugin for SonarQube in your local installation: it should be as easy as dropping the jarfile in the plugins folder (docs)
Configure the Integration: Adjust the plugin properties if needed: the defaults should be already a fair fit. (docs)
Add Meterian to your pipelines and enjoy seamless SCA Insights: With the integration set up, and Meterian in your pipelines, you’ll start receiving valuable SCA insights within your SonarQube environment. (docs)

The plugin supports at the moment NodeJS on NPM, and Java/Kotlin on Maven and Gradle. Support for .NET is planned by the end of this month, then Swift and Go will follow shortly. It can run on SonarQube v9.x, support for 10.x and cloud is coming later this year (roadmap).

Conclusion

Code security is a top priority for every software development team. The integration between Meterian, a leading cloud SCA solution, and SonarQube, a renowned SAST platform, offers a powerful combination to enhance your code security efforts. By leveraging the advantages of SAST and SCA, you can achieve comprehensive vulnerability detection, early issue identification, precise remediation, improved compliance, and an enhanced security posture. The Meterian and SonarQube integration streamlines your workflow, provides real-time feedback, offers remediation guidance, reduces false positives, and enhances code quality, making it an invaluable asset for any development team.

To get started with this integration and improve your application security, visit Meterian’s documentation page today. Elevate your security game and build robust, secure applications with Meterian and SonarQube.

Stay secure, stay confident!

All trademarks are the property of respective owners

Cyber resilience is critical for innovation and economic sustainability

February 28, 2023February 28, 2023 viviandufourCyberResilience, cybersecurity, innovation, risk, SustainabilityLeave a comment

The events of the last few years have highlighted the world’s vulnerabilities and shown the importance of building resilience into organisations, supply chains and the global economy. COVID-19 and the war in Ukraine have exposed issues we’d chosen to ignore, thought we’d fixed forever or hadn’t even considered before. Growth is no longer guaranteed. The global economy’s increasing reliance on technology to enable the world to function extends the attack surface and opens up new cyber security threats.

The need for cyber security to protect sustainable growth

Governments are struggling with plans for sustainable economic growth against a background of conflict, continuing supply chain problems, climate change, rising prices and interest rate increases. Typical sustainable development goals include; economic growth measured by GDP; business innovation and infrastructure renewal; creating sustainable cities and communities; and responsible consumption of products.

From smart cities, to renewable energy, financial infrastructures and driverless transport, cutting-edge technology is at the heart of our drive for sustainable growth. This provides exciting opportunities but has also exposed existing systems’ weaknesses and created new vulnerabilities to malicious actors. Sustainable development goals are all put at risk by the increased threat from cyber attacks.

Organisations have become familiar with safety and security measures which protect their physical environment such as installing early warning sensors, security cameras, fire safety equipment and intruder alarms. There’s a need for a cultural shift for executives, investors, employees and regulators to recognise the increasing importance of cyber security. The war in Ukraine has brought into sharp relief the importance of having both strong physical and cyber defences. Cyber resilience is absolutely necessary for modern civilisation to survive and flourish.

How big is the cyber threat?

Recent research and headlines point to cyber crime being very big business indeed. One study showed cyber criminals raking in $1.5 trillion every year. To put that in context that’s exactly the same amount proposed for the US Congress’ bipartisan package to help Ukraine and finance federal agencies for the second half of 2022. Another study from Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025. This led Steve Morgan, Editor-in-Chief at Cybercrime Magazine to comment, “This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.”

Innovation is a growing target for cyber criminals

Innovation and invention are seen as good things for businesses and the wider economy. They power economic growth and prosperity around the world but by their very nature they can open the door to cyber criminals. Innovation is all about new technologies, products and ways of working. The cloud gaming sector is a prime example of an industry that has attracted the attentions of hackers, due to its constant growth, developing new platforms and introducing new products almost daily. As the industry transitions to cloud infrastructures, the market size was estimated at $609.67 million in 2021, and is expected to grow to $7.382 billion by the end of 2028 according to research by Brandessence. Change, as in this case, often comes at dizzying speed. This means that procedures, controls, security and monitoring may lag behind. Ripping up the rule book to innovate can have huge positives but organisations need to watch for the negatives too. Indeed, some of the largest cyber security incidents in 2022 were targeted at the gaming sector, with breaches reported by such behemoths as Rockstar, Roblox and NVIDIA, to name just a few.

Rapidly expanding sectors and businesses naturally also attract huge investment. This makes them even more attractive for wily cyber criminals as the rewards from attacks can be particularly lucrative. Another pertinent example is the renewable energy sector. This growing industry promises great things for our hopes of preserving the world we live in. Massive investment means it is also shaping up to be a very attractive market for cyber criminals.

Jim Guinn, global managing director for cyber security in energy, chemicals, utilities and mining at Accenture has noted, “The cybersecurity conversation in the renewable energy engineering and construction business is almost nonexistent today.” It is imperative that such industries underpin their expansion with the appropriate focus on defence against cyber attacks.

Protecting your software stack

The way today’s technology solutions are created using a jigsaw puzzle of multiple pieces including published APIs, integration with proprietary products, cloud applications from different vendors, open source components all combined with in-house developments means that many organisations are unsure about their complete Software Bills of Materials (SBOMs). This means vulnerabilities are literally built into critical systems introducing undocumented threat vectors which can be used by hackers to gain access to proprietary systems and data.

This lack of knowledge about an organisation’s SBOMs means that even when a bug or vulnerability is identified in the open source community and patches created, the business can be completely unaware of the fact that it needs to take remedial action. There are many examples of this type of oversight resulting in huge costs and disruption for business.

Secure by default – building resilience

In 2023, developers and publishers of software must focus on Secure by Default principles if systems are to avoid the kind of failures due to poor security posture and an over reliance on end-users to act in a secure manner. The user experience is an integral part of the security features of a system, because if security makes software inconvenient to use, end-users will simply find a workaround. If security isn’t second nature then it’s no security at all. The UK Government has introduced tough new regulations in the Telecommunications (Security) Act which includes the requirement to have a deep understanding of security risks, including those within the supply chain. This builds on the premise that ‘edge’ devices such as radio masts, internet equipment, or wifi routers supplied to customers should be protected from cyber attack.

NCSC Technical Director Dr Ian Levy made the point: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”

Online risks spill over into the physical world

Increasingly, online services are impacting people in the real world. A high profile example is the fall out from the 2017 Equifax data breach, which it is estimated to have cost the company at least $1.38 billion, with some sources suggesting the final bill could be closer to $2 billion. The root cause of the data breach was the failure to patch a known open source web application security flaw. This left the cyber doorway open for criminals to enter and cause havoc. Over 140 million U.S. consumers’ data was affected, putting them at risk of future financial instability—being unable to rent housing, being denied a loan, having to pay higher interest rates on credit cards or mortgages, and greater difficulty in getting a job, not to mention the distress and anxiety identity theft causes.

A more recent example, described as the biggest hack in history that affected telco Optus, led to one in three Australians at risk of identity theft or fraud. As a result, 10,000 victims have had their personal details published online and millions of people are scrambling to change their online driving licenses. T-Mobile data breach that affected 37 million accounts was detected in January 2023 but the weakness in the API had been exploited since November 2022.

Automating Development & Security Operations (DevSecOps)

As software development accelerates and the attacks of malicious actors continue to increase in speed and intensity, organisations must ensure their security operations are equipped to respond equally fast. Preventative strategies can be built into the development workflow to ensure that DevSecOps processes are efficient and maintain the appropriate vigilance without wasting human resources. Such processes become operationally effective if for every critical patch released, the security and development teams are ready with normal business practice to identify the threat, confirm its presence in their application software estate and remediate as quickly as possible as part of business as usual. Without DevSecOps, such operations can take days to weeks, but forward thinking teams will have worked this out so such incidents take minutes to hours, thus preventing unauthorised access or infiltration of malware via an open source vulnerability.

With some 64% of companies impacted in 2021 by supply chain attacks, mostly due to increased reliance on open source software components, organisations must be scrupulous about checking that underlying dependencies are safe from vulnerabilities. A further study showed such attacks were up 300% compared to the preceding year. Businesses that prepare thoroughly against such risks will be well rewarded. Not only are they underpinning their own operations, ensuring that their business can continue to grow and innovate without hindrance from malicious attacks, they protect their reputation by providing reliable products and services to their customers. In turn, customers know that they can trust their supplier, building loyalty in the business that transcends a purely transactional relationship.

Ensuring that technology works as it should has long been a given. Now it is an expectation that tech works securely, protecting personally identifiable information, while still providing a great user experience, so that people can get on with their lives, knowing that their trusted suppliers are looking after their data securely. It is a challenge for the entire technology industry, but one on which our very way of life depends.

Visit www.meterian.io to learn how Meterian can help secure your businesses’ open source components to reduce the threats of cyber attacks.

Alerting a financial services firm to existential security threats and enabling fast, effective remediation

May 19, 2022May 19, 2022 viviandufourBeatOpenSourceVulns, cybersecurity, opensource, riskLeave a comment

Location: UK
Industry: Financial Services
Customers: Fortune 500 clients around the world

Skyward view from the ground and 4-6 tall buildings pointing up — Credit: Samson-ZGjBuikp_ from Unsplash

A Race Against Malicious Actors

The breaking news in December 2021 of the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves through organisations around the world. Over the last 20 years Log4j has been used globally in billions of software developments and applications for logging incidents. This meant that until the vulnerability could be mitigated, the doors were open to millions of organisations. Attackers could break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage. The issue was also a major threat to corporate reputations, especially where trust and confidentiality was key, such as in the financial services sector.

In the early hours an alert notification about the Log4j critical vulnerability reached one major financial services organisation based in the UK, with Fortune 500 clients around the world. On hearing the news, the Director of DevOps and Engineering cross-checked other sources for corroboration, including social media, and contacted the organisation’s Lead Technical Security Officer. It was clear that, unchecked, this could be a major problem, but how big an issue would depend on how widely Log4j 2 was embedded into systems used and being developed throughout the corporation.

Often in the race to innovate and implement systems quickly, documentation may not be as comprehensively kept and updated as ideally required. In its absence, it can be difficult for an organisation to discover how widely Log4j is integrated within its application estate, let alone know if it has been previously patched.

The race was on against the malicious actors poised to automate exploitation of Log4J vulnerabilities, with major impacts for the corporation and potentially for millions of customers around the world.

Mobilising the IT & Security Workforce with Meterian

The organisation moved rapidly by using Meterian’s out-of-the-box reports to enable it to identify where Log4J vulnerabilities were to be found across its application estate, and hence the size of the potential problem. Only then could it be possible to build a remediation plan to mitigate the risks of all the Log4J vulnerabilities.

By 10am, the list of projects utilising the Meterian solution could be seen via the Meterian Dashboard and automated scanning initiated. Scanning the software bills of materials of the affected projects, an indication of the potential impact of Log4J was emerging which could give direction and scope on the follow-up actions. Other projects which had not yet begun to use Meterian as part of their regular processes, found that Meterian’s simplicity of use meant that they could also quickly scan their projects for vulnerabilities.

Working methodically and forensically with the organisation’s development teams across multiple locations, by 5pm it was possible to present to senior management a concise summary of the situation, showing areas of the business at risk; those projects which had already been remediated; and those still needing work. A comprehensive communication plan was then invoked to alert the business to remaining vulnerabilities.

The following Meterian tools were used:

Meterian Sentinel notification alerts: an always-on security messaging service which sends notification alerts, emails, or Slack IMs to account administrators about new public vulnerabilities found in open source components used by their projects.
Meterian Boost Open Source Security (BOSS) Scanner: which gives instant visibility to the application’s open source dependencies with automated discovery, risk scoring, continuous scanning, and actionable security insights.
Meterian Account Dashboard: insight reports show dependent components and related Critical/High/Medium/Low vulnerabilities within the remit of a particular account.

The Meterian toolset alerts key employees to security issues and vulnerabilities; the breadth of the issue for the organisation’s application estate; and the projects impacted. The CISO is then armed with all the information needed to mobilise an effective action plan and comprehensive remediation.

Visibility and Control of Vulnerable Components

Log4J created great upheaval in IT teams across the industry, but for this business unit at this global Financial Services organisation, Meterian tools rapidly delivered a complete view of projects that were susceptible to attack. In comparison, other business units were not able to gather such insights so quickly because there was no single comprehensive reference point which was easy to access and use.

Meterian enabled a speedy time to resolution: 2 hours to implement remediation on projects identified using Meterian as having the Log4J vulnerability.

Meterian freed up employee time from finding the vulnerabilities, enabling them to focus on isolating the application estate from risk and implementing remediations. The Log4J threat demonstrated that critical incident prevention is possible with a more automated, secure-by-design approach. Additional or external staff were not required as existing employees could use smart tools on their application estate, and on a more regular basis to save time and remove headaches.

Through using Meterian the organisation benefits from:

Prompt alerts and early warnings of vulnerabilities in the open source software supply chain
Enhanced protection against threats
Increased confidence in people and tools working together to protect from organisational risk
Decreased stress that vulnerabilities will cause major damage and reputational harm
Reduction in “known unknown” risks and number of security fires

Cultivating Cyber Resilience Consistently and Responsively

The organisation is using the effective response enabled by Meterian as a case study to demonstrate that regulatory and compliance requirements can be met with easy-to-use continuous scanning tools that provide immediate visibility and quicken the development of secure code.

The proven partnership with Meterian will extend and facilitate their further innovation in automation, analytics and cyberresilience, through even more responsive and secure development.

Visit our homepage to learn more about how Meterian can secure your businesses’ open source components—keeping cyber hackers out and your intellectual property in.

URGENT AND CRITICAL: REMOTE CODE EXECUTION IN VARIOUS SPRING COMPONENTS NEEDS IMMEDIATE ATTENTION

March 31, 2022April 3, 2022 bbossolajava, opensource, vulnerabilityLeave a comment

Red alert! All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered vulnerabilities “Spring4Shell” since its announcement, between 29th and 30th March, 2022, affecting various Spring components.

CVE-2022-22 963

Vulnerability Score: 9.5 (CVSS: 3.0 / AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Platform: Java
Components: org.springframework.cloud:spring-cloud-function-core, org.springframework.cloud:spring-cloud-function-context
Affected versions: 3.1.6, 3.2.2 and older unsupported versions
Fixed in version: 3.1.7, 3.2.3

CVE-2022-22965

Vulnerability Score: 9.5 (CVSS:3.0 / AV: N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Platform: Java
Components: org.springframework:spring-beans
Affected versions: all versions before 5.2.20, all versions before 5.3.18
Fixed in version: 5.2.20, 5.3.18

Please note that this affects also the spring-framework package and the spring-boot package, that both use the offending libraries. New versions of such packages have been made available. You can upgrade spring-framework to version 5.2.20 or 5.3.18, and you can upgrade spring-boot to version 2.5.12 or 2.6.6 (note that spring-boot itself includes spring-framework, no other upgrades necessary).

Which systems does these affect?

CVE-2022-22963 affects any project built using a vulnerable version of Spring Cloud, a framework that provides tools for developers to quickly build some of the common patterns in distributed systems. The “functions” part is a subsystem used to implement serverless functions like AWS lambda or Google Cloud Functions: if you are using such subsystem you are potentially affected.

CVE-2022-22965 affects any project built using a vulnerable version of Spring Framework, Spring Boot or the library spring-beans. A successful attack, however, can only be conducted undere these conditions:

JDK 9 or higher is used as the runtime environment
Apache Tomcat is used as the Servlet container
The application is packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
There is a dependency with spring-webmvc or spring-webflux, or an endpoint is used with DataBinder enabled

Please note however that analysis are undergoing and the nature of the vulnerability is quite general: we suggest you keep monitoring this page for further updates.

Why do these threats demand an urgent patch?

Both vulnerabilities allows the attacker to remotely execute code on your system, with the ability to gain complete control of the underlying servers. It’s a simple exploit, as it requires only to send a crafted HTTP header in a request in order to execute code on the remote host. These vulnerabilities are actively exploited in the wild.

How can I check if my system is affected?

If you maintain any software using Java libraries, check if you are using any Spring Cloud Function library. The Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries. If it is using the offending package, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.

If you are a developer and you have access to the code, you can simply execute this command from your terminal:

CVE-2022-22963:

$ mvn dependency:tree | grep spring-cloud-function | grep compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:3.1.2:compile

If you see any response lines, check the version: if it’s below 3.1.7 (as in the above example) or, if using 3.2.x, below 3.2.3, you may be affected.

CVE-2022-22965:

$ mvn dependency:tree | grep spring-beans | grep compile
[INFO] +- org.springframework:spring-beans:jar:5.3.11:compile

If you see any response lines, check the version: if it’s below 5.3.18 (as in the above example) or, if using 5.2.x, below 5.2.20, you may be affected.

My system has the vulnerable spring cloud function library — how can I mitigate the risk?

There are now patched versions of the affected components that resolve the issues, they are available via the standard Maven repositories. Upgrade the offending packages using the patched versions, as described in this article.

If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before.

CVE-2022-22963:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-function-core</artifactId>
        <version>3.1.7</version>
    </dependency>

Please be aware that there are multiple packages rooted in "spring-cloud-function": you will need to upgrade all of them, in particular "spring-cloud-function-context" which is also directly affected.

CVE-2022-22965:

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>5.3.18</version>
    </dependency>

Please be aware that you may need / may be better to upgrade the parent pom of the project using an unaffected version of spring boot / spring framework (see at the start of the article).

What can I do to proactively protect from such vulnerabilities?

We always suggest you regularly scan your software code bases.

To do a scan from the command line using the Meterian CLI scanner
To include this as part of your continuous improvement efforts to build resilience into your software development lifecycle, see our documentation on the various integrations we support with GitHub Actions, Azure DevOps Pipelines, and others.

Are Meterian applications affected by the spring vulnerability?

We have verified our applications and none are using the offending packages in a vulnerable configuration. We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components. Given the nature of this vulnerability we will be running a specific monitoring for the following days, while more details are unfolded in regards to those vulnerabilities.

Related references

CVE-2022-22963

https://tanzu.vmware.com/security/cve-2022-22963 (official announcement)
https://github.com/dinosn/CVE-2022-22963 (sample exploit code)
https://github.com/darryk10/CVE-2022-22963 (sample POC)

CVE-2022-22965

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement (announcement)
https://github.com/craig/SpringCore0day (sample POC and exploit code)