Siri Varma, tech lead and software development engineer with Microsoft Security, works with both developers and cybersecurity teams every day. Next, there’s the knowledge gap; coders may lack the necessary understanding of security practices, and cybersecurity teams may not fully grasp the complexities of the development process. On the other hand, cybersecurity teams might not fully appreciate the developer’s workflow and the constraints they face, which can lead to miscommunications about why certain security measures are challenging to implement. Microsoft is one company that’s trying to change how software developers feel about security and is actively taking steps to train teams in concepts like threat intelligence and attacker motivation. 4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. By embedding security into the development process from the start, organizations can build stronger defenses against emerging threats as they foster a culture where security fits naturally into development. By embedding security into the DevOps pipeline (DevSecOps), developers can catch and fix issues earlier, reducing both security risks and the cost of addressing vulnerabilities later in the process. The most impactful request would be for developers to shift left on security — which integrates security earlier in the development process. 4 min read - In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team operation against an FCEB (Federal Civilian Executive Branch) organization. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security. This shift can only be achieved by embedding security practices throughout the development process and creating a culture where security is a continuous and shared responsibility. This can lead to friction when security policies impose measures that developers feel slow down their workflow. In July 2024, CISA released a new CSA that detailed the findings of this assessment along with key findings relevant to the security of the organization’s network.One of the interesting findings of this SILENTSHIELD assessment was the renewed importance placed on defense-in-depth strategies. For example, a security policy might mandate blocking all traffic to the internet by default to minimize exposure to potential attacks. They may prioritize feature development and assume that security concerns can be addressed later in the process. Plus, the view of security as merely a final checklist task rather than an integral part of the development culture needs to change. This integration is so crucial that the Open Worldwide Application Security Project (OWASP) Foundation has developed maturity models to guide organizations at various stages of DevSecOps implementation. Topic updates Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research. Developers often prioritize speed, functionality and time-to-market, while cybersecurity teams prioritize safety and risk mitigation. 4 min read - The SANS Institute — a leading authority in cybersecurity research, education and certification — released its annual Top Attacks and Threats Report. 2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. Developers frequently consider security an afterthought. As the relationship between developers and cybersecurity teams continues to evolve, collaboration and sharing responsibility are more crucial than ever.
This Cyber News was published on securityintelligence.com. Publication date: Wed, 02 Oct 2024 13:43:07 +0000