Google Cloud CISO Phil Venables: ‘I’m short-term pessimistic, long-term optimistic’

July 30, 2024 at 11:36AM Phil Venables, Google Cloud’s CISO, shares insights on their mission to secure cloud infrastructure, products, and services, and improve overall ecosystem security. He discusses the complexities and optimism around the state of cybersecurity, emphasizing the need for security to be built in, not bolted on, and government initiatives for secure-by-design …

CISA, FBI Warn of OS Command-Injection Vulnerabilities

July 12, 2024 at 02:34PM CISA and the FBI issued a critical “Secure by Design Alert” urging software developers to address OS command-injection vulnerabilities. Recent exploits, such as the CVE-2024-20399 bug in Cisco’s NX-OS software, demonstrate the potential for system takeovers and data leaks. The agencies advocate for a secure-by-design approach and OPSEC principles to …

CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

July 11, 2024 at 10:36AM The Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch organization in early 2023. The red team mimicked the techniques, tradecraft, and behaviors of sophisticated threat actors to assess the organization’s security posture. The assessment revealed findings related to initial access, …

CISA urges devs to weed out OS command injection vulnerabilities

July 10, 2024 at 02:07PM CISA and the FBI have jointly urged software companies to address OS command injection vulnerabilities in their products, following recent attacks by the Chinese state-sponsored threat actor Velvet Ant. The advisory recommends implementing mitigations to prevent these vulnerabilities, such as separating user input from commands and conducting rigorous product testing. CEOs …

AWS adds passkeys support, warns root users must enable MFA

June 12, 2024 at 03:43PM AWS has launched FIDO2 passkeys for multi-factor authentication, boosting account security. These passkeys use public key cryptography and resist phishing attacks. Amazon encourages users to adopt MFA, planning to make it mandatory for root account users by July 2024. The company is committed to enhancing MFA adoption via CISA’s Secure …

Process to Verify Software Was Built Securely Begins Today

June 12, 2024 at 03:30PM Starting June 11, US government contractors must submit a Secure Software Development Attestation Form, confirming adherence to secure-by-design principles and scrutiny of software components through software bills of material (SBOMs). Only 20% of respondents are prepared for this federal cybersecurity attestation, with 16% incorporating SBOMs into their software development. Other …

Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft

May 20, 2024 at 03:00PM Google criticizes Microsoft’s dominance in response to a scathing U.S. government report. It warns of security risks from a Microsoft-centric “monoculture” and advocates for a multi-vendor approach and open standards. Google highlights security failures at Microsoft and emphasizes the need for a more rigorous and proactive approach to digital security in government …

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices

May 13, 2024 at 11:33AM MITRE Corporation has released the EMB3D threat-modeling framework for makers of critical infrastructure embedded devices. Developed with industry collaboration, it offers a unified understanding of cyber threats and security mechanisms, and aims to produce inherently secure devices. By embracing a secure-by-design approach, it seeks to reduce exploitable flaws and preemptively counter …

Is CISA’s Secure by Design Pledge Toothless?

May 10, 2024 at 02:28PM At the 2024 RSA Conference, tech giants such as Microsoft, Amazon Web Services, IBM, and Fortinet voluntarily agreed to meet a set of seven cybersecurity objectives outlined by the US cyber authority, CISA. The initiative lacks legal enforcement but aims to foster good security practices and investments across industries, …

Tech Companies Promise Secure by Design Products

May 9, 2024 at 10:37AM Over 60 vendors have pledged to develop secure products as part of the “Secure by Design” initiative led by CISA. The focus is on addressing security as a core business requirement, with the onus on manufacturers rather than individual users. Signatories are asked to consider and demonstrate progress towards seven …