A group of New York University researchers are testing a new approach to software security: adding more bugs to it instead of removing them. The idea is to “drown attackers in a sea of enticing-looking but ultimately non-exploitable bugs” and waste skilled attackers’ time.
This approach is aimed at disrupting the triage and exploit development stages of the attackers’ workflow by introducing chaff bugs (the name is a nod to the strips of foil dispensed by military aircraft to confuse enemy radar).
Read more about the concept of chaff bugs, which researchers believe can be developed to form a valuable layer of defense, on Help Net Security.
Secure by default is not a new issue, but it is an ever-increasing challenge. That’s because enterprise environments continue to become more complex as IT capabilities increase and the sheer volume of data grows exponentially.
In this world, the traditional view of secure by default — which has largely been secure out of the box — is too narrow, according to Tom Thomassen, Senior Staff Engineer of Security at MarkLogic. Instead, secure by default today is no less than an entire ecosystem of moving parts aligned to the same goal. In fact, it is not really possible to build a product that’s secure out of the box. For secure by default to truly reach its potential, customers who use that product must be able to securely develop and deploy solutions for it.
Read which three parameters Tom Thomassen believes should be considered to broaden the concept of secure by default, on DarkReading.
A popular fitness app that claims over six million users was leaking private and sensitive data, including health information and private messages sent between users. PumpUp, an Ontario-based company, bills itself as a fitness community, allowing subscribers to discover new workouts and record their results, and get advice from fitness coaches and other users.
But the company left a core backend server, hosted on Amazon’s cloud, exposed without a password, allowing anyone to see who was signing on and who was sending messages — and their contents — in real-time. Security researcher Oliver Hough found the exposed server and contacted ZDNet to investigate.
Read more about the PumpUp data leak, which exposed users’ health data, private messages, and full credit card data in some cases, on ZDNet.
Every application that is downloaded via an app store runs in a zero-trust environment. When a protected app is published to an official app store, an open loop of protection is created, leaving the app without a way of communicating its current threat status. With more than 5 million apps available for download, this opens up a whole host of opportunities for bad actors to reverse engineer code and execute attacks that steal sensitive data.
The potential revenue impact, brand damage and loss of customer trust because of an application security breach can be as devastating to an organisation as any other major security event. Without proper protection in place, a breach is inevitable.
Read why Rusty Carter, VP Product Management at Arxan Technologies, believes that in order to lower risk of a breach, application protection needs to be updated regularly and address the current threats, on Help Net Security.
The Ponemon Institute surveyed nearly 1,400 IT and IT security practitioners in the United States, European Union and Asia-Pacific to understand the risk unprotected applications pose to businesses when running in unsecured environments and how they are addressing this risk.
The results indicated a predominant global issue: application breaches are rising and so are the security risks of running business critical apps in zero-trust environments. However, companies are not adequately investing in application security measures until after breaches occur, resulting in loss of productivity, customer trust and revenue.
Read more about the findings of the new Ponemon Institute survey on Help Net Security.