CISA urges devs to weed out OS command injection vulnerabilities

July 10, 2024 at 02:07PM CISA and FBI have jointly urged software companies to address OS command injection vulnerabilities in their products, following recent attacks by the Chinese state-sponsored threat actor, Velvet Ant. The advisory recommends implementing mitigations to prevent these vulnerabilities, such as separating user input from commands and conducting rigorous product testing. CEOs …

AWS adds passkeys support, warns root users must enable MFA

June 12, 2024 at 03:43PM AWS has launched FIDO2 passkeys for multi-factor authentication, boosting account security. These passkeys use public key cryptography and resist phishing attacks. Amazon encourages users to adopt MFA, planning to make it mandatory for root account users by July 2024. The company is committed to enhancing MFA adoption via CISA’s Secure …

Process to Verify Software Was Built Securely Begins Today

June 12, 2024 at 03:30PM Starting June 11, US government contractors must submit a Secure Software Development Attestation Form, confirming adherence to secure-by-design principles and scrutiny of software components through software bills of materials (SBOMs). Only 20% of respondents are prepared for this federal cybersecurity attestation, with 16% incorporating SBOMs into their software development. Other …

Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft

May 20, 2024 at 03:00PM Responding to a scathing U.S. government report, Google criticizes Microsoft’s dominance. It warns of security risks from a Microsoft-centric “monoculture” and advocates a multi-vendor approach and open standards. Google highlights security failures at Microsoft and emphasizes the need for a more rigorous and proactive approach to digital security in government …

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices

May 13, 2024 at 11:33AM MITRE Corporation has released the EMB3D threat-modeling framework for makers of critical infrastructure embedded devices. Developed in collaboration with industry, it offers a unified understanding of cyber threats and security mechanisms, with the aim of producing inherently secure devices. By embracing a secure-by-design approach, it seeks to reduce exploitable flaws and preemptively counter …

Is CISA’s Secure by Design Pledge Toothless?

May 10, 2024 at 02:28PM At the 2024 RSA Conference, tech giants including Microsoft, Amazon Web Services, IBM, and Fortinet voluntarily agreed to meet a set of seven cybersecurity objectives outlined by the US cyber authority, CISA. The initiative lacks legal enforcement but aims to foster good security practices and investments across industries, …

Tech Companies Promise Secure by Design Products

May 9, 2024 at 10:37AM Over 60 vendors have pledged to develop secure products as part of the “Secure by Design” initiative led by CISA. The focus is on addressing security as a core business requirement, with the onus on manufacturers rather than individual users. Signatories are asked to consider and demonstrate progress towards seven …

CISA boss: Secure code is the ‘only way to make ransomware a shocking anomaly’

May 8, 2024 at 12:08PM CISA director Jen Easterly stressed the need to improve software security to combat ransomware attacks in critical infrastructure. She urged collective efforts and highlighted the government’s role in pushing for more secure technology. Chris Krebs emphasized the potential levers to enhance technology security, including voluntary efforts, litigation, regulatory action, and …

CISA says ‘no more’ to decades-old directory traversal bugs

May 6, 2024 at 09:44AM CISA urges the software industry to eliminate directory traversal vulnerabilities, which allow unauthorized users to access and manipulate data. Exploits can lead to data theft and system compromise, posing a heightened threat to critical organizations including healthcare and cloud services. CISA recommends specific mitigations such as using random identifiers for files …

CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities

May 3, 2024 at 09:10AM CISA and the FBI issued a Secure by Design Alert about path traversal software vulnerabilities targeting critical infrastructure. These flaws enable unauthorized access to application files and directories, allowing threat actors to compromise systems. Urging organizations to eliminate these defects, the agencies emphasize a secure software development lifecycle and suggest …