WhiteSource Launched Spring4Shell Detect

WhiteSource Spring4Shell Detect, a free command-line interface (CLI) tool that quickly searches projects for open-source libraries vulnerable to CVE-2022-22965, also known as Spring4Shell, was released today by WhiteSource, a leader in application security. Spring4Shell is a remote code execution (RCE) vulnerability in Spring, one of the most widely used open-source Java frameworks today. While the vulnerability is still being studied, its impact is anticipated to be comparable to that of Log4j, and it carries a severity score of 9.8. WhiteSource’s free developer tool, currently available on GitHub, gives developers the exact path to affected direct and indirect dependencies, as well as the patched version, so they can fix them quickly.

Given the potential for widespread exposure to this zero-day vulnerability, WhiteSource advises companies to take the following steps to remediate it and avoid future incidents:

  • Upgrade to the most recent version of the Spring Framework if you are running any vulnerable version. Use tools like WhiteSource Renovate to keep your libraries updated automatically.
  • Inventory your entire application portfolio to find every instance of CVE-2022-22965. WhiteSource’s free detection tool can help with this.
  • Create a software bill of materials (SBOM) for each application in your environment. An SBOM gives you visibility into your whole software attack surface, including direct and indirect dependencies, and lets you respond quickly to vulnerability announcements.
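As an added example (not WhiteSource’s tool or any code from the original page), the inventory and SBOM steps above carried out in Python: the script walks a CycloneDX-style SBOM, flags Spring Framework artifacts whose version predates the fix for CVE-2022-22965, and reports for each one whether it is a direct or transitive dependency and the path that pulls it in. The fixed versions 5.3.18 and 5.2.20 are taken from the Spring advisory, not from this page, and the SBOM document is constructed for the example.

```python
"""Added example: scan a CycloneDX-style SBOM for Spring Framework artifacts
affected by CVE-2022-22965 (Spring4Shell).

Assumptions (not taken from the page): the fixed Spring Framework versions
are 5.3.18 and 5.2.20.RELEASE per the Spring advisory, and older lines
(5.1 and earlier) are out of support and treated as affected. The SBOM
below is constructed for this example.
"""
import json
import re
from collections import deque

SPRING_GROUP = "org.springframework"

# Supported line -> (first fixed version as a tuple, Maven version to upgrade to).
FIXED_VERSIONS = {
    (5, 3): ((5, 3, 18), "5.3.18"),
    (5, 2): ((5, 2, 20), "5.2.20.RELEASE"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from '5.3.17' or '5.2.19.RELEASE';
    None when the string has no numeric major.minor.patch prefix."""
    match = _VERSION_RE.match(version or "")
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(group, version):
    """True for a Spring Framework artifact below its line's fixed version,
    on an unsupported older line, or with an unparseable version."""
    if group != SPRING_GROUP:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return True  # cannot prove it is fixed, so flag it for review
    line = parsed[:2]
    if line in FIXED_VERSIONS:
        return parsed < FIXED_VERSIONS[line][0]
    return parsed < (5, 2, 0)  # 5.1 and earlier; 6.x and later carry the fix


def fixed_version_for(version):
    """Upgrade target for an affected version; unsupported lines get 5.3.18."""
    parsed = parse_version(version)
    if parsed and parsed[:2] in FIXED_VERSIONS:
        return FIXED_VERSIONS[parsed[:2]][1]
    return FIXED_VERSIONS[(5, 3)][1]


def dependency_paths(sbom):
    """Breadth-first walk of the SBOM dependency graph, giving the chain of
    bom-refs from the root application to every reachable component."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def scan_sbom(sbom):
    """One finding per affected component: coordinates, upgrade target,
    whether it is a direct dependency, and the path that pulls it in."""
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        if not is_affected(comp.get("group"), comp.get("version")):
            continue
        path = paths.get(comp["bom-ref"], [comp["bom-ref"]])
        findings.append({
            "component": f"{comp['group']}:{comp['name']}:{comp['version']}",
            "cve": "CVE-2022-22965",
            "fixed_in": fixed_version_for(comp["version"]),
            "direct": len(path) == 2,  # root -> component, nothing in between
            "path": " -> ".join(path),
        })
    return findings


# Constructed sample SBOM: one direct and two transitive affected artifacts,
# one already-patched artifact, and one unrelated library.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "demo-app", "version": "1.0"}},
    "components": [
        {"bom-ref": "webmvc", "group": "org.springframework", "name": "spring-webmvc", "version": "5.3.17"},
        {"bom-ref": "beans", "group": "org.springframework", "name": "spring-beans", "version": "5.3.17"},
        {"bom-ref": "legacy", "group": "com.example", "name": "legacy-lib", "version": "2.0"},
        {"bom-ref": "core-old", "group": "org.springframework", "name": "spring-core", "version": "5.2.19.RELEASE"},
        {"bom-ref": "context", "group": "org.springframework", "name": "spring-context", "version": "5.3.18"},
        {"bom-ref": "jackson", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["webmvc", "legacy", "context", "jackson"]},
        {"ref": "webmvc", "dependsOn": ["beans"]},
        {"ref": "legacy", "dependsOn": ["core-old"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(scan_sbom(SAMPLE_SBOM), indent=2))
```

Run against a real SBOM by loading it with `json.load` and passing the dictionary to `scan_sbom`; the `path` field is what tells a team whether a fix is a one-line version bump in their own build file or an upgrade of some intermediate library that pins the old Spring version.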

The CEO at WhiteSource, Rami Sass, stated, “Organizations and security teams must approach Spring4Shell with the same attention and urgency they did with the recent Log4j vulnerability. This vulnerability highlights the importance of a proactive approach to software security and the need for more automated application security to be baked into the development lifecycle. Ensure you are handling your technical debt, and update.”

Widely downloaded, WhiteSource Renovate automatically updates dependencies and has identified and mitigated the Spring4Shell vulnerability for large numbers of businesses.

TSB Golden Gate Release Helps Developers Configure Policies For Their Applications

Tetrate announced the general availability of the Golden Gate release of Tetrate Service Bridge (TSB).

API gateway, web application firewall (WAF), and service mesh capabilities are combined into a single management plane in this release, producing a cloud-agnostic, unified application connectivity platform.

By unifying these capabilities, TSB brings centralized governance and decentralized enforcement to application networking, which is essential for enabling zero-trust security across legacy and new workloads.

The Envoy-based application networking layer from TSB blurs the lines between north-south and east-west traffic, making it all just application traffic. From the edge to the workload, developers may now apply capabilities previously only available in an API gateway to any element of their application topology. API Gateway and a comprehensive set of API governance tools are included in the TSB Golden Gate release out of the box.

Developers may find it difficult to gain access and understand how to configure application-specific network and security policies, which can have a negative impact on productivity. Simultaneously, networking and security teams lack the resources necessary to enforce policy demands and ensure that they are followed. This misalignment of access and knowledge results in non-compliant networking and uneven policy enforcement, which leads to security breaches.

With the Golden Gate release, TSB lets developers create policies for their applications without having to grasp the complexity of technologies like Envoy and Istio, while still harnessing their potential.

Varun Talwar, CEO and co-founder of Tetrate, said, “Application architectures are increasingly becoming distributed in nature. When combined with the need for multi-cloud infrastructures, application networking, and security policies, management becomes a complex problem. TSB elegantly simplifies this challenge with its management plane, a layer that binds the runtime system to the users and teams. Enterprises can implement controls for regulatory requirements with confidence and maintain many unrelated teams on the same infrastructure without shared-fate outages.”

HUMAN Bot Insights Services Secure Companies Against Advanced Bot Attacks

HUMAN Security has announced HUMAN Bot Insights services to support BotGuard for Applications customers in detecting advanced bot attacks.

Security teams are overworked and understaffed, according to the Information Systems Security Association (ISSA), with a cybersecurity skills shortage affecting 67 percent of businesses. Many businesses lack the staff, time, or resources needed to accelerate the web application security improvements required to protect vital internet platforms from today’s sophisticated bot attacks. Furthermore, sophisticated bots can readily evade the bot detection built into traditional application security solutions such as CDNs, WAFs, and CAPTCHAs, leaving apps vulnerable to abuse.

John Grady, Senior Analyst at Enterprise Strategy Group said, “As organizations have shifted to more online-focused business operations, a trend further accelerated by the pandemic, attackers have doubled down on their efforts and increased the frequency of bot-driven fraud and logic abuse.”

To be effective, application vulnerabilities must be identified, and mitigations must be deployed and configured to fit each customer’s specific architecture and requirements. Businesses must choose a bot management system, but HUMAN understands that winning against attackers requires more than technology alone. HUMAN verifies the humanity of over 15 trillion client-side interactions per week and monitors over 3 billion devices online each month, giving Bot Insights Services customers a level of visibility that no other company can match.

Gavin Hill, Vice President, Human Insights said, “HUMAN Bot Insights Services are designed to help businesses reduce the impact of malicious bots. By enhancing their security program with dedicated bot experts from HUMAN, customers collaborate with analysts that focus 100 percent of their time on protecting businesses from sophisticated bot attacks and fraud. Our Human Insights analysts and data scientists act as an extension of your security team providing custom bot attack surface analysis and advanced policy configuration, event investigations, priority responses, and detailed threat intelligence so that customers can protect and respond more quickly to automated attacks.”

Zyxel Communications And SEC Consult Formed Partnership To Improve Cybersecurity

Zyxel Communications today announced a partnership with SEC Consult, a leading consultancy in cyber- and application security. The collaboration between the two companies will further strengthen Zyxel’s cybersecurity strategy by expediting and optimizing the ability to respond to threats and vulnerabilities posed by increasingly-complex and ever-evolving cybersecurity threats.

End users are heavily dependent on information-sensitive online services as digitization pervades daily life and online communication tools become crucial for many services. As a result, leading internet service providers are placing an even greater emphasis on network security.

Ensuring a secure development and software architecture

To maintain the highest level of product security, Zyxel, a prominent broadband access provider, has a thorough security strategy and already employs a dedicated security team. The partnership with SEC Consult is aimed at addressing the risk that software-driven products expose the network to as-yet-unidentified security vulnerabilities. The firms collaborated on a thorough organisational and technological review that will result in an overall optimization of Zyxel’s secure software development process and security verification methods, with the goal of detecting and eliminating potential security risks.

SEC Consult also performed a vulnerability assessment, which included a review of the software of several Zyxel devices. The assessment’s findings were given to Zyxel’s specialised security team as input for secure development and software architecture.

SEC Consult will now assist Zyxel in implementing a firmware security analysis platform as a regular security review mechanism, in order to automate the security analysis process in the long run.

Raising the overall security level

“Cybersecurity should be considered from the very beginning. It is important to cooperate as early as possible in the value chain, starting with the manufacturers. Additionally, continuous improvement and regular assessments are just as important as the sustainable creation of security awareness in the company. We are proud that our company is supporting Zyxel to prevent, handle, and manage security vulnerabilities more efficiently in the future,” says Wolfgang Baumgartner, General Manager SEC Consult Group.

“The cooperation with SEC Consult will help us to reinforce our security awareness among employees through well-designed training programs. We expect to escalate our product security level through proactive vulnerability prevention,” said Gavin Yeh, Senior Director, EMEA CPE SBU at Zyxel.

Synopsys and The Chertoff Group Partner to Provide Policy-Driven Software Security Solutions

Synopsys, Inc. announced a new partnership with The Chertoff Group, a worldwide advisory services company that offers security expertise, technology insight, and policy intelligence to help clients build resilient organizations, gain a competitive edge, and drive growth.

Synopsys partners with leading solution providers around the world to help clients build more secure software faster. The strategic partnership with The Chertoff Group will enable the two companies to deliver cutting-edge application security solutions and help clients gain confidence in their software investments. Clients can now combine the advisory services of The Chertoff Group with the application security domain expertise of Synopsys to ensure that cloud migration and digital transformation projects run smoothly.

“The Chertoff Group’s partnership with Synopsys is powerful because it combines market-leading software security and cyber risk management capabilities. As we’ve learned from the spate of disruptive technology supply chain compromises, organizations must unify their approach to product security with enterprise cyber defense. By combining The Chertoff Group’s cyber risk capabilities with Synopsys’ software security expertise, we help clients overcome that compounded challenge,” said David London, a managing director at The Chertoff Group.

“Organizations are increasingly realizing that software risk equates to business risk. This is a central focus of the partnership between Synopsys and The Chertoff Group, which was born out of a desire to educate organizations on policies and standards and how they can be directly applied to development and deployment teams,” said Tom Herrmann, vice president of channels and alliances at the Synopsys Software Integrity Group.

Rapid7 Acquired Threat Intelligence Specialist IntSights

Rapid7, a leading security analytics and automation company, announced the acquisition of IntSights Cyber Intelligence Ltd., a leader in contextualized external threat intelligence and proactive threat remediation. Rapid7 will pay around $335 million in cash and stock for IntSights.

Following the acquisition, Rapid7 will merge its community-infused threat intelligence and deep understanding of customer environments with IntSights’ external threat intelligence capabilities. The combination is intended to give clients a unified view of threats, relevant insights, attack surface monitoring, and proactive threat mitigation for businesses of any size or security maturity level. It also enhances Rapid7’s cloud-native extended detection and response (XDR) service, InsightIDR, with high-fidelity alerts for efficient security operations, earlier threat identification, and faster response times.

IntSights enables enterprises to get the full benefits of a threat intelligence program, regardless of its extent or sophistication, while also decreasing security professionals’ burden. Unlike many other threat intelligence systems on the market today, IntSights can help security operations teams achieve the productivity and outcomes they need by providing continuous coverage for external threats, from detection to mitigation to remediation.

Rapid7’s Insight Platform is one of the most comprehensive security operations platforms available today, with capabilities spanning detection and response, vulnerability management, cloud security, application security, and security orchestration and automation. In addition to improving its XDR service and providing a standalone threat intelligence offering, the company plans to integrate IntSights’ external threat intelligence capabilities across its platform to enable faster threat detection and remediation throughout its complete solution offering. Foros acted as financial advisor to Rapid7.

“Cyber security is a lopsided battle today and the odds consistently favor attackers. Both IntSights and Rapid7 have a shared belief that organizations will succeed only when they have a unified view of internal and external threats, complete with contextualized intelligence and automated threat mitigation which will allow security teams to focus on the most critical threats. We look forward to working with IntSights to make this vision a reality for our customers,” said Corey Thomas, chairman and CEO, Rapid7.

“There’s no shortage of threat intelligence information available today, but much of it lacks context, creating too much alert noise and additional work for already overburdened security teams. By integrating IntSights’ external threat intelligence capabilities into Rapid7’s XDR solution, InsightIDR, we expect to provide security teams with expanded visibility and detections of internal and external threats across their traditional and modern environments—enabling them to quickly pivot into investigations, threat hunting and containment automation all within a unified experience,” said Richard Perkett, senior vice president of detection and response at Rapid7.

“We founded IntSights to make threat intelligence instantly accessible and actionable for organizations of any type or size. We are excited to join Rapid7 to continue this mission and to bring our threat intelligence capabilities to even more customers,” said Guy Nizan, co-founder and CEO at IntSights.

“With today’s sprawling attack surface and the sophistication level of threat actors, I can’t overstate the importance of a solid threat intelligence program. Threats can come from anywhere, which is why having visibility into your internal and external threat landscape is imperative. With the acquisition of IntSights, Rapid7 is well positioned to bridge the threat intelligence gap, giving customers the ability to identify real threats earlier and accelerate response and automate remediation,” commented Jon Oltsik, senior principal analyst and fellow at the Enterprise Strategy Group (ESG).

Salt Security Introduced Salt Labs to Increase API Security Awareness Around the World

Salt Security, the industry’s leading API security firm, announced the launch of Salt Labs, a new public forum for sharing API vulnerability research. Salt Labs will be a resource for organizations wishing to protect their infrastructure against API risk, offering vulnerability and threat research as well as industry reports. It will also raise public awareness of API security threats, supporting Salt Security’s aim of providing comprehensive API security and accelerating corporate innovation by hardening APIs against attack.

Concerns about API security have become a major obstacle to company innovation. According to the Salt Security State of API Security Report, 66 percent of companies have put off deploying a new app due to API security concerns. To address these concerns, Salt Labs will publish research and studies that businesses can use to strengthen their API security posture and reduce the risks facing API-centric enterprises. Drawing on a strong technical understanding of API risks, security flaws, and misconfigurations, Salt Labs will focus on high-impact threat research, identifying the latest API attack vectors, and providing remediation best practices to make API security programs more agile and actionable.

“APIs represent an important and often overlooked threat vector that presents a range of challenges often not included in research efforts. We look forward to the dividends of the public research efforts of Salt Labs, which will increase our awareness of emerging API risks and help us harden our application environments to better protect both our employees and customers,” said Steve Ward, CISO, The Home Depot.

To date, the private sharing of API threat research findings has emphasized the need for further education about critical API security challenges and vulnerabilities, which are frequently assumed to be mitigated by traditional solutions like Web Application Firewalls (WAFs) and API gateways. Salt Labs’ goal is to improve users’ ability to spot security flaws in their own APIs, allowing them to take strong, proactive steps to harden their APIs and back-end systems. As a result, more businesses will be able to protect and maintain the integrity of sensitive consumer and business-critical data.

“With the growth of APIs and the central role they play in today’s application environments, the need for unbiased, relevant, and reliable research has prompted us to share the groundbreaking API security research that our team has been conducting for years. Salt Labs is dedicated to extending the safety of enterprises as they innovate in our increasingly digital and connected world. By now making this research public, we will increase education around API security and related attack vectors so that organizations of all types can strengthen their API security measures,” said Roey Eliyahu, co-founder and CEO, Salt Security.