Healthcare industry continues to struggle with software security

67% of medical device manufacturers and 56% of healthcare delivery organizations (HDOs) believe an attack on a medical device built or in use by their organizations is likely to occur over the next 12 months. According to the results of a recent survey, roughly one third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17% of device makers … More

Software security assurance: Everybody’s invited

As more and more things in this world of ours run on software, software security assurance – i.e. confidence that software is free from vulnerabilities (either intentional or not) and functions as intended – is becoming more important than ever. The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization that aims to increase that confidence and the trust users have in information and communications technology products and services. SAFECode’s work to … More

WannaCry is a painful reminder of why enterprises must stay current on software updates

WannaCry is a wake-up call for the excessive numbers of companies needlessly dragging their feet over Windows 10 migrations. Certainly since Friday, we’ve seen an upswing in interest from companies hoping – suddenly – to accelerate the migration process, or automate their patching processes. No doubt about it, the attacks gave a vivid illustration of something we have been saying for some time: stay current on your software updates. By running a very out-of-date operating … More

US intelligence chiefs don’t trust Kaspersky Lab software

The big question in Thursday’s intelligence hearing on worldwide threats before the US Senate Intelligence Committee was whether the Russian government interfered with US elections. The respondents – CIA director Michael Pompeo, NSA director Michael Rogers, Defense Intelligence Agency director Vincent Stewart, Director of National Intelligence Dan Coats, National Geospatial-Intelligence Agency director Robert Cardillo, and Acting Director of the FBI Andrew McCabe (who replaced the recently fired James Comey at the head of the Bureau) – … More

Critical RCE flaw in ATM security software found

Researchers from Positive Technologies have unearthed a critical vulnerability (CVE-2017-6968) in Checker ATM Security by Spanish corporate group GMV Innovating Solutions. The software and the flaw: Checker ATM Security is a specialized security solution aimed at keeping ATMs safe from logical attacks. It does so by enforcing application whitelisting, full hard disk encryption, providing ACL-based control of process execution and resource access, enforcing security policies, restricting attempts to connect peripheral devices, and so on. The … More

Top-ranked programming Web tutorials introduce vulnerabilities into software

Researchers from several German universities checked the PHP codebases of over 64,000 projects on GitHub and found 117 vulnerabilities that they believe were introduced by copying code from popular but insufficiently reviewed tutorials. The process: The researchers identified popular tutorials by entering search terms such as “mysql tutorial”, “php search form”, “javascript echo user input”, etc. into Google Search. The first five results for each query were then manually reviewed and … More
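The two defects that tutorial-style PHP most often carries are SQL text built from request input and request input echoed straight to the page. The scanner below is an added illustration of how such copied patterns can be flagged; it is my own code, not the researchers' tooling, and the PHP snippet it runs over is constructed for the example. It does a deliberately crude line-level taint pass: a variable assigned from `$_GET`/`$_POST` (or from another tainted variable) is tainted until it is reassigned from something clean, and a `mysql_query`/`mysqli_query`/`->query` or `echo` that consumes tainted data is reported. Any line that mentions an escaping, casting or prepared-statement call is treated as clean, which is a simplification a real linter would refine.

```python
import re

# Sources: PHP superglobals carrying request input.
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# Sinks: SQL execution calls and direct output.
SQL_CALL = re.compile(r"(?:mysql_query|mysqli_query|->query)\s*\((.*)\)")
ECHO = re.compile(r"\b(?:echo|print)\b(.*)")
# Simple `$var = <expr>;` assignments (one statement per line assumed).
ASSIGN = re.compile(r"^(\$\w+)\s*=\s*(.+?);\s*$")
# Crude allow-list: escaping, casting or a prepared statement on the line.
SANITIZED = re.compile(
    r"htmlspecialchars|htmlentities|intval|\(int\)|"
    r"mysqli_real_escape_string|->prepare\(|bind_param"
)
VAR = re.compile(r"\$\w+")


def _tainted(expr, tainted):
    """True if the expression reads request input or a tainted variable."""
    if REQUEST_INPUT.search(expr):
        return True
    return any(v in tainted for v in VAR.findall(expr))


def scan_php(source):
    """Return (line_number, finding, line) for each line that passes
    request-derived data into a SQL call or echo without sanitisation."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("//", "#", "/*", "*")):
            continue
        assign = ASSIGN.match(line)
        if SANITIZED.search(line):
            # Assume the sanitiser cleans whatever this line produces.
            if assign:
                tainted.discard(assign.group(1))
            continue
        if assign:
            var, rhs = assign.groups()
            if _tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from clean data
        sql = SQL_CALL.search(line)
        if sql and _tainted(sql.group(1), tainted):
            findings.append((lineno, "sql-injection", line))
            continue
        out = ECHO.search(line)
        if out and _tainted(out.group(1), tainted):
            findings.append((lineno, "xss", line))
    return findings


# Constructed sample in the style of copy-pasted tutorial code (hypothetical,
# not taken from the study or from any real project).
SAMPLE_PHP = """<?php
// user lookup page
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = $id";
$result = mysql_query($sql);
echo "Hello, " . $_GET['name'];
echo "Safe: " . htmlspecialchars($_GET['name']);
$uid = intval($_GET['id']);
$rows = mysqli_query($conn, "SELECT * FROM users WHERE id = $uid");
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
"""

if __name__ == "__main__":
    for lineno, kind, text in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {kind}: {text}")
```

Run against the sample, the scanner reports line 5 (the query built from `$id`, which was copied from `$_GET` two lines earlier) and line 6 (the unescaped echo), and stays quiet on the `htmlspecialchars`, `intval` and prepared-statement lines. The point of the taint set is that the vulnerable query line itself never mentions `$_GET`; a grep for `$_GET` inside `mysql_query(...)` would miss exactly the multi-line shape tutorials teach.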

Attacks exploiting software vulnerabilities are on the rise

Attacks conducted with the help of exploits are among the most effective as they generally do not require any user interaction, and can deliver dangerous code without arousing user suspicion. According to data gathered by Kaspersky Lab, there were 702 million attempts to launch an exploit in 2016 – an increase of 24.54 percent from 2015. During the same period, more than 297,000 users worldwide were attacked by unknown exploits (zero-day and heavily obfuscated known … More

Researchers to present new software and hardware vulnerabilities at HITB Amsterdam

Users assume that the underlying hardware and software, mobile antivirus, password managers and encryption technology will protect them from malicious attacks on their communications. Upcoming research at the HITB Security Conference in Amsterdam suggests thinking twice before trusting mobile security blindly, and shows that security is not a final product but rather a bumpy process. Auditing Femtocells: To secure communication via mobile devices, layered security includes secure mobile network devices. In Femtocell Hacking: From … More

Malware posing as Siemens PLC software is hitting industrial environments

What kind of malware is hitting industrial control systems, and how worried should we and the operators of these systems actually be? These are questions that Ben Miller, Director of the Dragos Threat Operations Center, took it upon himself to answer by sifting through data on ICS incidents collected over the last 13+ years and available from public datasets. The results of the analysis: Miller’s analysis revealed that targeted ICS intrusions are rare. But, … More

Software development teams embrace DevSecOps automation

Mature development organizations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale, according to Sonatype. The adoption of DevOps around the world is evidenced by 67% of survey respondents describing their practices as very mature or of improving maturity. Where traditional development and operations teams see security teams and policies slowing them down (47%), DevOps teams have discovered new ways to integrate security at the speed of development. Only 28% … More