As cybercriminals take advantage of the fear and uncertainty surrounding the pandemic, its crucial that organisations ensure the software they build and operate is secure despite reduced resources. Adam Brown, Associate Managing Security Consultant, Synopsys, talks us through the steps organisations can take to improve their application security programmes to protect organisational data and that of their customers.

In 2020, organisations have been faced with the prospect of months of staffing and Business Continuity challenges. Concurrently, cyberattacks by opportunistic hackers and cybercrime groups looking to profit or further disrupt society are on the rise. Organisations must ensure the software they build and operate is secure against these increasing attacks, even as their available security resources may be decreasing.

And a remote workforce is only one of the challenges organisations face in terms of securing their digital properties and sensitive data. While many companies want to invest in security, they may not know where to start. After all, its a challenging endeavor to identify where and how to secure your most valuable or vulnerable projects.

Its a daunting task. However, by tactically addressing their security testing capacity, staff skills and software supply chain risks today, organisations can respond to resource challenges now while fundamentally improving the effectiveness of their AppSec program going forward. Heres how.

Establish a benchmark and mature your strategy

Get started by gathering a full understanding of what your organisations security activities involve. The Building Security In Maturity Model (BSIMM) is not a how-to guide, nor is it a one-size-fits-all prescription. A BSIMM assessment reflects the software security activities currently in place within your organisation. Thus, giving you an objective benchmark whereby to begin building or maturing your software security strategy.

The BSIMM, now in its 11th iteration, is a measuring stick and can be used to inform a roadmap for organisations seeking to create or improve their SSIs, not by prescribing a set way to do things but by showing what others are already doing.

Previous years reports have documented that organisations have been successfully replacing manual governance activities with automated solutions. One reason for this is the need for speed, otherwise known as feature velocity. Organisations are doing away with the high-friction security activities conducted by the software security group (SSG) out-of-band and at gates. In their place is software-defined lifecycle governance.

Another reason is a people shortage the skills gap has been a factor in the industry for years and continues to grow. Assigning repetitive analysis and procedural tasks to bots, sensors and other automated tools makes practical sense and is increasingly the way organisations are addressing both that shortage and time management problems.

But while the shift to automation has increased velocity and fluidity across verticals, the BSIMM11 finds that it hasnt put the control of security standards and oversight out of the reach of humans.

Apply a well-rounded risk mitigation strategy

In fact, the roles of todays security professionals and software developers have become multi-dimensional. With their increasing responsibilities, they must do more in less time and while keeping applications secure. As development workflows continue to evolve to keep up with organisational agility goals, they must account for a variety of requirements, including:

This is the reality around which organisations build and/or consume software. Over the years weve witnessed the use and expansion of automation in the integration of tools such as GitLab for version control, Jenkins for continuous integration (CI), Jira for defect tracking and Docker for container integration within toolchains. These tools work together to create a cohesive automated environment that is designed to allow organisations to focus on delivering higher quality innovation faster to the market.

Through BSIMM iterations weve seen that organisations have realised theres merit in applying and sharing the value of automation by incorporating security principles at appropriate security touchpoints in the software development life cycle (SDLC), shifting the security effort left. This creates shorter feedback loops and decreases friction, which allows engineers to detect and fix security and compliance issues faster and more naturally as part of software development workflows.

More recently, a shift everywhere movement has been observed through the BSIMM as a graduation from shift left meaning firms are not just testing early in development but conducting security activity as soon as possible with the highest fidelity as soon as is practical. As development speeds and deployment frequencies intensify, security testing must compliment these multifaceted dynamic workflows. If organisations want to avoid compromising security and time to market delays, directly integrating security testing is essential.

Since organisations time to innovate continues to accelerate, firms must not abdicate their security and risk mitigation responsibilities.Managed security testing provides and delivers the key people, process and technology considerations that help firms maintain the desired pace of innovation, securely.

In fact, the right managed security testing solutions will provide the ability to invert the relationship between automation and humans, where the humans powering the managed service act out-of-band to deliver high-quality input in an otherwise machine-driven process, rather than the legacy view in which automation augments and/or complements human process.

It also affords organisations the application security testing flexibility required while driving fiscal responsibility. Organisation gain access to the brightest minds in the cybersecurity field when you need them and not paying for them when you dont; you simply draw on them as needed to address current resource testing constraints. This results in unrivaled transparency, flexibility and quality at a predictable cost plus provides the data required to remediate risks efficiently and effectively.

Enact an open source management strategy

And we must not neglect the use of open source software (OSS) a substantial building block of most, if not all modern software. Its use is persistently growing and it provides would-be attackers with a relatively low-cost vector to launch attacks on a broad range of entities that comprise the global technology supply chain.

Open source code provides the foundation of nearly every software application in use today across almost every industry. As a result, the need to identify, track and manage open source components and libraries has increased exponentially. License identification, processes to patch known vulnerabilities and policies to address outdated and unsupported open source packages are all necessary for responsible open source use. The use of open source isnt the issue, especially since reuse is a software engineering best practice; its the use of unpatched OSS that puts organisations at risk.

The 2020 Open Source Security and Risk Analysis (OSSRA) report contains some concerning statistics. Unfortunately, the time it takes organisations to mitigate known vulnerabilities is still unacceptably high. For example, six years after initial public disclosure, 2020 was the first year the Heartbleed vulnerability was not found in any of the audited commercial software that forms the basis of the OSSRA report.

Notably, 91% of the codebases examined contained components that were more than four years out of date or had no development activity in the last two years, exposing those components to a higher risk of vulnerabilities and exploits. Furthermore, the average age of vulnerabilities found in the audited codebases was a little less than 4 years. The percentage of vulnerabilities older than 10 years was 19% and the oldest vulnerability was 22 years old. It is clear that we (as open source users) are doing a less than optimal job in defending ourselves against open source enabled cyberattacks.

To put this in a bit more context, 99% of the code bases analysed for the report contained open source software, of those, 75% contained at least one vulnerability and 49% contained high-risk vulnerabilities.

If youre going to mitigate security risk in your open source codebase, you first have to know what software youre using and what exploits could impact its vulnerabilities. One increasingly popular way to get such visibility is to obtain a comprehensive bill of materials from your suppliers (sometimes referred to as a build list or a software bill of materials or SBOM). The SBOM should contain not only all open source components but also the versions used, the download locations for each project and all dependencies, the libraries to which the code calls and the libraries to which those dependencies link.

Modern applications consistently contain a wealth of open source components with possible security, licensing and code quality issues. At some point, as that open source component ages and decays (with newly discovered vulnerabilities in the code base), its almost certainly going to break or otherwise open a codebase to exploit. Without policies in place to address the risks that legacy open source can create, organisations open themselves up to the possibility of issues in their cyber assets that are 100% dependent on software.

Organisations need clearly communicated processes and policies to manage open source components and libraries; to evaluate and mitigate their open source quality, security and license risks; and to continuously monitor for vulnerabilities, upgrades and the overall health of the open source codebase. Clear policies covering introduction and documentation of new open source components can help to ensure control over what enters the codebase and that it complies with company policies.

Theres no finish line when it comes to securing the software and applications that power your business. But it is critically important to manage and monitor your assets as well as to have a clear view into your software supply chain. No matter the size of your organisation, the industry in which you conduct business, the maturity of your security programme or budget at hand, there are strategies you can enact today to progress your programme and protect your organisational data and that of your customers.

Facebook Twitter LinkedInEmailWhatsApp

Read this article:

Synopsys expert on proactive application security strategies for uncertain times - Intelligent CIO ME

AFRICA

Neylon questioned how capacity and infrastructure would be maintained, sustained and grown to support future leadership to advance African scholarship, during a webinar as part of Open Access Week organised by the Academy of Science of South Africa (ASSAf). Open Access Week started in 2008 and has been observed globally this year from 19 to 25 October, with the theme: Open with Purpose: Taking action to build structural equity and inclusion.

According to Neylon, an overview of the progress made towards open access scholarship shows that there has been massive progress over the last decade.

Kenyatta, Venda among top 100 in the world

Speaking to the theme Open Access to Scholarly Literature: Progress and evidence of African leadership, Neylon said several African institutions, including Kenyatta University in Kenya and the University of Venda in South Africa, were among the top 100 universities in the world using open access research.

He said the data showed that there was a wide range of European institutions, also Latin American and Asian but a significant number of African institutions, that were performing better in terms of delivering open access.

African countries are consistently showing very high levels of open access, and again, showing it right from 2010, from early in this process [of developing open access] through to the current play on sound leadership that has existed, over a very long period of time, said Neylon, citing Ethiopia, Kenya, Nigeria and South Africa as examples of countries with success in advancing open source scholarship.

According to Neylon, one of the key reasons for the African continents success in open source access, which has seen many outperform European and North American institutions, may be due to philanthropic funders such as the National Institute of Health and the Bill and Melinda Gates Foundation, while in South Africa the National Research Foundation has been playing a pivotal role. .Volume of open access publishing increasing

Using several graphs presented on screen, Neylon said the statistics showed the development of open access among global universities over the past eight or nine years, particularly on the African continent, adding, ...we are seeing increases in the volume of open access publishing, we're seeing increases in the number of open access to repositories.

At the moment, and we have seen a shift over the last 10 to 15 years from levels of open access around 10%, to global levels of open access of around about 50%, 60% and 70%, he said.

Neylon said that this was an astounding increase in the volume of research content that is accessible for free, at least for those that have access to high-speed internet. There are African institutions that are performing in terms of open access at a level which is equal with the best in the world, he said.

Code of conduct for researchers

But while several African nations were depicted as models of success in open source access, South Africas national science body ASSAf warned of uncertainty and the need for further guidance on the application of privacy data laws concerning research. It highlighted the importance of developing a code of conduct for research in terms of the Protection of Personal Information Act (POPIA), colloquially called the POPI Act, to ensure certainty, transparency and clarity in the use of personal information for research.

ASSAf believes there should be a code to guide the use of personal information for research in all sectors (including health, social science, genomics, etc) and has begun working on a process to facilitate the development of a Code of Conduct for Research, by engaging stakeholders, including researchers, ethicists and legally trained people.

Stringent penalties, with fines up to ZAR10 million (US$615,000), apply as part of the countrys privacy laws governing data. It became effective on 1 July 2020 with enforcement set to begin on 1 July 2021. POPIA strives to balance the right to privacy with other rights and interests, including the free flow of information within the country and across its borders.

ASSAf will appoint a steering group to guide the development of the code next month, with a writing team due to start by December and a draft expected for comment and discussions by March 2021. Pending further discussions and comments by May, it is envisaged that the code would be submitted by July to Information Regulator Pansy Tlakula for approval.

See the original post:

Africa leads the way in open access research, says expert - University World News

This article was originally published on .cult by Mynah Marie. .cult is a Berlin-based community platform for developers. We write about all things career-related, make original documentaries and share heaps of other untold developer stories from around the world.

I fell in love with programming because of the feeling of losing myself in ideas and concepts while being completely alone for hours on end. Theres just something about it, you know?

When I decided to enroll in a coding Bootcamp, I thought it would give me the opportunity to meet other people just like me. Little did I know, I was about to meet my nemesis: pair programming.

There are a lot of things I like about Agile development. I even do, now, believe in the power of pair programming. But its not because I can see the benefits of this technique that I necessarily like it. In fact, I deeply hate it. Not because I think its not effective, just because, in my case, it took all the fun out of programming.

[Read:What audience intelligence data tells us about the 2020 US presidential election]

Here are some benefits of pair programming that I personally experienced:

After a few days of Bootcamp, I had my first traumatizing pair programming experience.

We were solving basic JS challenges. I was the navigator and he was the driver. Even though I hated the fact of not being able to type the code myself, I tried to make the most out of the exercise by asking a lot of questions:

At some point, without any warning, my partner got up and left the room leaving me to my puzzlement. Turns out, someone asking loads of questions every two minutes is pretty annoying to most people.

And there started my long descent to hell.

Goodbye, the good old days when Id program for 18 hours straight from the comfort of my bed.

Goodbye, the peaceful moments with myself when Id spend days, sometimes weeks before thinking of talking to another human being.

Goodbye, the joys of working on ideas of my own.

One day, while I was at an emotional all-time low, I confessed to one of the instructors and told him that, literally, I hate pair programming.

His answer couldnt have surprised me more: Oh! yeah pair programming is horrible.

Finally, my aversion was acknowledged!

Im not against pair programming. In fact, I really do believe its great for some people. I even think it couldve been great for me if I wouldve been paired with more experienced pair programmers. But since we were all learning, most students made horrible partners (me included).

I know there are other people like me out there, who suffered at the hand of this technique and never dared to speak up because, in some cases, it can close doors to potential jobs.

But Im not looking for a job anymore, so I dont care.

So for your entertainment, heres a comprehensive list of the reasons why I hate pair programming:

Agile, I love you. You taught me the value of working in teams and learning from one another. The experience was horrendous but meaningful nonetheless.

Im now a freelancer. Back to peace, working for hours on end from the comfort of my home, with minimum human contact. The reality which became a dream is now my reality once more, with the added benefit of financial rewards.

I think I found my path.

Read next: This GPT-3-powered tool generates new ideas for your terrible blog

Read more:

A comprehensive list of reasons why pair programming sucks - The Next Web

Putting personal or business secrets and credentials up in the cloud is something most users of web-enabled devices are already doing unwittingly. For example, many are using password managers and form apps or browser extensions to conveniently access login details across devices. It is not a good idea to do this without the right security measures, though.

Storing sensitive information in the cloud requires more than just standard security solutions. The handling of passwords, login details, API tokens, SSH keys, private encryption keys, private certificates, and system-to-system passwords can potentially create vulnerabilities frequently targeted by social engineering and advanced cybersecurity attacks. Organizations need to find a way to make the most of the cloud in storing secrets without compromising security.

A Ponemon Research survey reveals that 90 percent of organizations have been hacked at least once. More than half of those surveyed said that they had little confidence in addressing further attacks. Passwords or credentials are the most common target of hacking. As revealed by the 2019 Verizon Data Breach Investigations Report, around 8 out of 10 breaches exploit compromised credentials.

Why is it important to raise the need to secure cloud secrets? It is because many processes that involve passwords and other secrets are handled without many organizations taking security seriously. A 2019 study by North Carolina State University researchers, for example, exposes the vulnerabilities of GitHub repositories. The study found that over a hundred thousand repositories contain app secrets in source codes.

The study revealed that authentication secrets such as API and cryptographic keys appear to be unprotected in a wide variety of projects. This issue does not only affect open source projects. Even private source code repositories are also prone to unauthorized access to secrets.

The cloud is a highly convenient environment for storing various data. However, it is still relatively new for many organizations. As such, only a few thoroughly understand how it works let alone how to ensure security in it.

Interestingly, CompTIA found that an overwhelming majority of organizations that use cloud services trust the security afforded by their cloud providers. Despite concerns, most cloud users report being confident or very confident (net 85 percent) in their cloud service providers security, the study writes. However, the same organizations also said they are reluctant in storing certain types of data in the cloud.

Even with high confidence in cloud security, many firms are still unwilling to store certain types of data there, the CompTIA study notes. Firms of all sizes hesitate to put onto the cloud their confidential company financial data, credit card information, employee HR files, confidential IP and trade secrets, customer contacts, and data covered by regulations.

The findings are understandably somewhat contradicting in light of the alarmingly high levels of cyber attacks businesses are exposed to. Organizations, however, can use secrets management procedures that come with the platforms or apps they are using. Also, they can turn to third-party secrets management tools like Akeyless to address the dilemma.

These tools provide a secrets management solution that ensures secrets are safe through distributed fragments cryptography and ephemeral secrets delivery.

To secure company secrets on the cloud, it is necessary to limit visibility and prevent unauthorized access. This entails encryption without creating cumbersome procedures and tedious processes that may only end up creating vulnerabilities possibly because employees miss a step or are tempted to take shortcuts.

Different platforms and applications come with different methods of securing secrets. Kubernetes, for example, has a feature aptly named Secrets, which makes it possible to save and manage passwords and other sensitive information. The Kubernetes website provides comprehensive details on how to use this feature, which is good, but imagine having to learn how to manage secrets with different platforms and applications.

Employees may have issues with this idea when working with multiple platforms and apps. It is not only tiresome; it can also create vulnerabilities in a cybersecurity system.

This is where secrets management solutions come in handy. Akeyless, for example, provides a unified interface and set of methods to secure secrets regardless of the types of secrets and apps and platforms used. Its basically vault-as-a-service, with plugin capability for popular cloud platforms, including Kubernetes, Terraform, Ansible, Docker, Jenkins, CircleCI, Puppet, Chef, Slack, and many others. This simplifies and enhances the security of secrets management with these platforms.

This results in a seamless way to handle secrets across systems and environments. In general, they are designed to automate the security procedures vital in protecting secrets. In cases when there is no encryption implemented, they enforce high-level encryption. They then automatically encrypt and decrypt data as needed by users.

Secrets management platforms are particularly useful to DevOps teams. Privileged access management (PAM) expert Tyler Reese of DevOps.com acknowledges the tendency of many teams to overlook essential security practices. Whats more, in an environment that relies heavily on code, weve seen time and time again careless developers leaking confidential information through APIs or cryptographic keys on sites such as GitHub, Reese says.

This post may sound like a recommendation to use third-party secrets management tools, but it is not the main point. The goal here is to emphasize how important it is to secure organization secrets being stored in or transmitted to the cloud.

Generally, there is nothing wrong in learning and using the specific procedures in protecting secrets for particular platforms or applications. However, some simply do not have adequate security measures in place. The Kubernetes Secrets feature briefly discussed earlier, for instance, does not perform encryption. With it, secrets are stored in Etcd in base64, which only undertakes encoding, not encryption. As such, anyone who is designated as an admin for the Kubernetes cluster can read the secrets saved in the clustera potential security loophole.

So why do you need to secure your secrets on the cloud? Its because cybersecurity attacks abound and they frequently target secrets stored in the cloud. Also, some cloud platforms and applications do not provide adequate protection for secrets. How do you protect secrets? By learning and using the specific secrets management processes associated with certain platforms or applications. If this is too cumbersome and inefficient, the logical option is to use a unified secrets management solution.

Oren Rofman, senior technology writer

Link:

The whys and hows of keeping your cloud secrets - ITProPortal