• Search for:
    19Dec, 2023
    MITRE Unveils EMB3D Threat Model for Embedded Devices Used in Critical Infrastructure

    MITRE has teamed up with the cybersecurity community and the industrial sector to create EMB3D, a threat model specifically designed for embedded devices used in critical infrastructure.

    EMB3D is the work of MITRE, Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas. 

    Its goal is to provide a collaborative framework that enables organizations to have a common understanding of the threats targeting embedded devices and how those threats can be mitigated. 

    The new threat model — recommended for manufacturers, vendors, asset owners, testers and security researchers — expands on resources such as ATT&CK, CVE and CWE, with a focus on embedded devices. It provides a knowledge base of threats, including ones seen in the wild and ones demonstrated through theoretic research and proofs of concept. 

    In order to help users create and tailor threat models to specific devices, threats are mapped to device properties. The mitigations suggested by EMB3D are exclusively focused on technical mechanisms that can be implemented by device vendors. 

    “The EMB3D model will provide a means for ICS device manufacturers to understand the evolving threat landscape and potential available mitigations earlier in the design cycle, resulting in more inherently secure devices,” Pearson said. “This will eliminate or reduce the need to ‘bolt on’ security after the fact, resulting in more secure infrastructure and reduced security costs.” 

    The framework will be continuously updated by its maintainers and the cybersecurity community with new information on threat actors, vulnerabilities and defenses. 

    EMB3D is in a pre-release review period, with device vendors, asset owners, academics and researchers being encouraged to review the framework before its official launch, which is scheduled for early 2024.

    Resource : https://www.securityweek.com/mitre-unveils-emb3d-threat-model-for-embedded-devices-used-in-critical-infrastructure/

    18Dec, 2023
    MongoDB Suffers Security Breach, Exposing Customer Data

    MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

    The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

    It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

    In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

    That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

    When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

    Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

    24Nov, 2023
    Introducing Bambdas

    You’ve might have heard of Lambdas. But have you heard of Bambdas? They’re a unique new way to customize Burp Suite directly from the UI, using only small snippets of Java.

    Changing the face of Burp Suite

    The introduction of Bambdas exposes some of the core “behind the scenes” functionality of Burp Suite for the very first time. In essence, as the feature is rolled out across various tools within Burp Suite, you’ll be able to customize Burp to make it work in exactly the way that you want it to.

    The possibilities contained within the Bambdas functionality are theoretically endless. As the feature develops, we believe it’ll enable you to replace the age-old frustrated cry of “Why can’t Burp do this?” with a shiny new phrase. “I wonder if I can create a Bambda to make this work the way I need it to?”.

    How to work with Bambdas

    The first Bambda we’ve introduced enables you to write custom filters for the Proxy HTTP history. To help you get to grips with the unique potential of this functionality, we’ve created some examples to showcase some interesting request and response filters you might want to try.

    Find requests with a specific cookie value

    //Find requests with a specific cookie value
    if (requestResponse.request().hasParameter("foo", HttpParameterType.COOKIE)) {
    var cookieValue = requestResponse
    .request()
    .parameter("foo", HttpParameterType.COOKIE)
    .value();

    return cookieValue.contains("1337");
    }

    return false;

    Find JSON responses with wrong Content-Type

    //Find JSON respones with wrong Content-Type
    //The content is probably json but the content type is not application/json

    var contentType = requestResponse.response().headerValue("Content-Type");

    if (contentType != null && !contentType.contains("application/json")) {
    String body = requestResponse.response().bodyToString().trim();

    return body.startsWith( "{" ) || body.startsWith( "[" );
    }

    return false;

    Find role within JWT claims

    //Find role within JWT claims
    var body = requestResponse.response().bodyToString().trim();

    if (requestResponse.response().hasHeader("authorization")) {
    var authValue = requestResponse.response().headerValue("authorization");

    if (authValue.startsWith("Bearer ey")) {
    var tokens = authValue.split("\\.");

    if (tokens.length == 3) {
    var decodedClaims = utilities().base64Utils().decode(tokens[1], Base64DecodingOptions.URL).toString();

    return decodedClaims.toLowerCase().contains("role");
    }
    }
    }

    return false;

    Some helpful Bambdas code snippets

    Once you’re comfortable with the basics of how Bambdas work, there are a few tricks you might want to utilize to help you get even more value from the functionality. If you’re using something a lot, and want to save yourself some time, you can assign it to a variable. For example:var request = requestResponse.request();

    If you want to check if a parameter exists, and if it’s value is present, you can request it by name and check it for null instead:var cookie = request.parameter("foo", HttpParameterType.COOKIE);

    So that you can see how these code snippets can be applied, we’ve recreated the first example on finding requests with a specific cookie value.

    Hear from the developers of Bambdas

    Sean from the development team is here to introduce you to Bambdas, a unique new way to customize Burp Suite on the fly with small snippets of Java. You’ll learn what a Bambda is, why we’ve built them into Burp Suite, and see a couple of examples of how Bambdas work.

    Resource : https://portswigger.net/blog/introducing-bambdas

    8Nov, 2023
    Performance Development: Unlock Your Team’s Potential

    SHRM defines performance management as “the process of maintaining or improving employee job performance through the use of performance assessment tools, coaching, and counseling as well as providing continuous feedback.”

    But far too many organizations stop at the first part — performance assessment — and miss the opportunity to actually improve employee performance. Only about one in four employees strongly agree that their manager provides meaningful feedback to them or that the feedback they receive helps them do better work. And only 21% of employees strongly agree that their performance is managed in a way that motivates them to do outstanding work.

    Best-in-class organizations are integrating continuous feedback and development to enable more effective performance management. This approach is often referred to as performance development — think of it as the place where performance management meets career development — and it can be a great way to unlock your team members’ full potential.

    The benefits of performance development

    Performance development goes beyond traditional employee reviews to focus on fostering continuous growth, skills enhancement, and career progression.

    Investing in a more robust approach to performance management has many benefits, including: 

    • Building emerging skill sets. Skills sets for jobs have changed by around 25% since 2015 — and this number is expected to grow to 65% by 2030. Effective performance management can help your team members identify and learn the in-demand and emerging skills they need to be successful in their current roles — and in their future ones. 
    • Increasing employee engagement. Performance development demonstrates the direct connection between feedback and career growth, motivating employees to go above and beyond at work. In fact, Gallup found that development is a top driver of employee engagement.
    • Reducing turnover. Continuous feedback and development shows your organization’s commitment to an employee’s long-term success, making your team members more likely to stay. The Josh Bersin Company found that organizations that offer ongoing skill development to their employees are 7.2x more likely to retain and engage their employees than those that don’t.
    • Improving business outcomes. Upskilling, engaging, and retaining talented team members through effective performance development practices can make a tremendous impact on your organization’s success. Companies that facilitate career development are 4x more likely to innovate effectively and 2.6x more likely to exceed financial targets.

    Building a performance management program that encourages career development

    Effective performance management is more than an annual event — it’s an ongoing process of goal setting, employee development, performance evaluation, and rewards. Each should be discussed regularly to nurture an engaged, motivated, and highly skilled workforce.

    Align on goals and performance expectations

    Just 50% of employees clearly understand what’s expected of them at work and only 21% strongly agree they have performance metrics that are within their control. Ambiguity and uncertainty around job expectations can hinder performance and negatively impact engagement.

    Discussing goals and expectations with each of your team members is a critical step toward effective performance management. Employees should understand how their success is being measured and feel empowered to accomplish their goals.

    Begin discussions on goal setting during your employee onboarding process by reviewing the job description, organizational goals, and your team member’s expected impact. Work together to build achievable short- and long-term goals, revisiting them during check-ins and performance reviews to gauge progress and make adjustments. 

    Employees whose managers involve them in goal setting are 3.6x more likely than other employees to be engaged, making this a worthwhile step in your performance management process.

    Build and maintain employee development plans

    Every employee has opportunities to learn and develop — and most want to. More than four out of five employees (83%) say that improving their skills is one of their top priorities

    Hold regular conversations with your team members to learn about each person’s professional growth goals, career aspirations, and skills they’d like to master. Then find the intersection of your team member’s development goals and your business needs to create a personalized performance development plan for each employee. 

    Performance development should go beyond addressing areas for improvement to also include honing strengths, learning emerging skills, and reskilling. Employees’ top motivation to learn is progress toward career goals, so it’s crucial to get your team members’ feedback and buy-in around their development plan to ensure alignment.

    Update development plans as your team members acquire new skills and identify additional opportunities for professional growth. The most effective development plans are flexible to accommodate evolving needs and interests.

    Provide continuous feedback

    Only 21% of U.S. employees strongly agree they have received meaningful feedback in the last week, with nearly half saying they receive feedback a few times a year or less. In other words, most employees don’t get enough performance feedback to understand what they’re doing well or when they need a course correction.

    Effective performance development requires that feedback be given consistently so employees have the guidance they need to be successful in their roles. Things you can do to make sure this happens include:

    • Initiate casual conversations. Let employees know when you see commendable efforts or teachable moments in their day-to-day work. Frequent feedback lets your team members know how you feel about their current performance and guides their development. Record the feedback in your performance management system so it can be referenced during future performance discussions.
    • Plan regular check-ins. Schedule regular one-on-one meetings to discuss progress toward goals, challenges, and development needs. These informal check-ins are a great opportunity to go in-depth on performance development discussions so you can make necessary adjustments to employee goals and development plans. 
    • Conduct regular performance evaluations. Plan comprehensive performance reviews at regular intervals to assess your employee’s overall performance and goal attainment. If you do performance development well, employees shouldn’t be hearing any feedback for the first time during the review process.

    Reward your team members for professional development

    Rewarding your team members for professional development acknowledges their effort and demonstrates the value your organization places on learning and growth. It can also help you retain employees: Compensation and career progression are among the top reasons for turnover.

    Offer raises and promotions as appropriate to reward your team members for developing their skill sets and gaining new experiences. This is particularly important if your employee’s new competencies or responsibilities qualify them for a higher pay grade or job level according to your compensation strategy.

    Final thoughts: Effective performance management is an ongoing process

    Gone are the days where an annual review is considered sufficient to manage employee performance. Modern teams encourage ongoing performance development to help employees achieve professional growth and meet evolving organizational goals. This approach can help you unlock your team’s full potential and drive your company’s success.

    Resource : https://www.linkedin.com/business/talent/blog/learning-and-development/performance-development

    30Oct, 2023
    New Project Analyzes and Catalogs Vendor Support for Secure PLC Coding

    ATLANTA – SECURITYWEEK 2023 ICS CYBERSECURITY CONFERENCE – A new project aims to make it easier for PLC programmers to implement secure coding practices by analyzing and cataloging useful files and functions from each PLC vendor.

    The new project was presented on Tuesday at SecurityWeek’s ICS Cybersecurity Conference in Atlanta by David Formby, CEO and CTO of Fortiphyd Logic, a company that specializes in endpoint detection for programmable logic controllers (PLCs) and virtual industrial control systems (ICS) security training labs.

    The project builds on the ‘Top 20 Secure PLC Coding Practices’, whose goal is to provide PLC programmers with guidelines for improving security. 

    Some of these practices apply to all PLCs, regardless of vendor. This includes modularizing code, leaving operational logic directly in the PLC, assigning registers by function, using correlation and input plausibility checks, monitoring PLC uptime, trapping false negatives/positives, restricting third-party data interfaces, defining a safe start state in case of a restart, and validating timers, paired input/output, and indirections. 

    However, some secure PLC coding practices are different for each vendor and it can be difficult to identify relevant documentation. The goal of the Fortiphyd Logic project is to provide the information needed for vendor-specific practices in an easy-to-digest format. 

    The information is provided in a table format and includes the product name and model, whether required functionality is supported, and the file or function that enables access to the required data. 

    One secure PLC coding recommendation whose implementation is different for each vendor involves tracking the device’s operating mode. PLCs can have various modes, such as ‘run’, ‘program’, ‘test’ and ‘debug’. It’s easier for an attacker to hack a PLC that is not in ‘run’ mode, which is why it’s important that PLCs are not left in ‘program’, ‘test’ and ‘debug’ modes. In addition, mode changes should be monitored in order to detect a potential attack. 

    However, monitoring mode changes is done differently for each PLC, Formby pointed out. For instance, in the case of Rockwell Automation PLCs, the data can be obtained through the ‘GSV(ControllerDevice.Status)’ instruction or from a status file, while in the case of Siemens PLCs this can be achieved using the ‘GET_DIAG’ function.

    Another vendor-specific secure PLC coding practice involves monitoring flags that indicate various errors and faults, which can be triggered by malicious attacks. However, PLCs from each vendor have different errors and faults and there are different ways of reading them, Formby explained. 

    Attackers targeting PLCs can make changes to the PLC logic and some controllers have checksums that enable users to detect changes in logic. Monitoring checksums can be useful for detecting attacks, but different vendors have different functions for achieving this and in some cases checksum monitoring is not supported at all. 

    Other examples of vendor-specific PLC secure coding practices covered by Fortiphyd Logic’s new project include monitoring cycle times, hard stops, and memory usage, as well as the detection of unused software. 

    For the time being, the new project, hosted on GitHub, only provides information for products made by Schneider Electric, Siemens and Rockwell Automation, but information will be added for other vendors as well, with the goal being to cover all PLC vendors. Anyone can contribute to the project. 

    Fortiphyd Logic has also created a custom module for the top 20 secure PLC coding practices for CISA’s Cyber Security Evaluation Tool (CSET), which provides a series of requirement questionnaires to help organizations assess their security posture.

    Resource : https://www.securityweek.com/new-project-analyzes-and-catalogs-vendor-support-for-secure-plc-coding/?web_view=true

    27May, 2023
    Fake CapCut Websites Spread Information Stealers

    A malware campaign has been found impersonating the CapCut video editing tool to spread different stealers. CapCut is an official video editor, developed by ByteDance. It is popularly used as an editing tool for TikTok videos (also owned by ByteDance) and comes with several features. CapCut has over 500 million downloads on Google Play and its website receives over 30 million monthly hits, making it an attractive target for cyberattacks.

    What’s happening?

    Owing to the nationwide bans in India, Taiwan, and other countries, users are looking for alternative ways to get access to the CapCut app. The popularity of CapCut has made users look for alternative ways of getting the app. To harness this opportunity, attackers have created websites that spread malware disguised as CapCut.

    • The attackers are suspected to be using search ads, black hat SEO, and social media to advertise these malicious sites.
    • They used multiple domains, such as capcut-editor-video[.]com and capcutdownload[.]com, to deliver information stealers to victims’ systems via two different campaigns detailed below.

    Offx Stealer campaign

    The first campaign uses fake CapCut sites with a download button spreading the Offx Stealer on systems. The stealer binary uses PyInstaller and only runs on Windows 8, 10, and 11.

    • Whenever a victim runs the downloaded file, they are shown a fake error message stating that the app launch has failed. However, Offx Stealer keeps operating in the background.
    • The malware attempts to steal credentials and cookies from web browsers and targets data stored in Discord, Telegram, popular cryptocurrency wallet apps (Bytecoin, Atomic, Zcash), and remote access software (AnyDesk and UltraViewer).

    Redline Stealer campaign

    The second campaign uses fake CapCut sites delivering the ‘CapCut_Pro_Edit_Video[.]rar’ file on systems, including a batch script that executes a PowerShell script when opened.

    • The PowerShell script decompresses, decrypts, and loads the final payload – a DotNET executable and Redline Stealer. The DotNET executable bypasses the AMSI Windows security feature.
    • Additionally, the same fake CapCut site serves as a host for BatLoader.

    Resource: https://cyware.com/news/fake-capcut-websites-spread-information-stealers-7ac5436c

    20Feb, 2023
    API management (APIM): What It Is and Where It’s Going

    Analyzing the concept of API management (APIM), its benefits, and what it will look like as the API landscape continues to evolve.

    There are two fundamental truths in the API landscape.

    • First: APIs have become a strategic tool for companies to expand their digital reach, accelerate their businesses, and do more for their customers.
    • Second: because of the way they work and how they’ve been used so far, APIs are particularly vulnerable to attacks from bad actors. In fact, according to recent research, malicious API attack traffic surged 117% over the past year, indicating that the threat on APIs is far from abating.

    So, where does this leave businesses that want to leverage the power of APIs? For starters, they need to invest in an API security strategy that covers all their bases. A robust strategy will be held up by a number of different tools and methodologies, including API management (APIM).

    In this article, we’re taking a closer look at what APIM is, its benefits, and what it will look like as the API landscape continues to evolve.

    What Is APIM?

    APIM is the process of creating, distributing, monitoring, and analysing APIs that connect applications and data across the enterprise and clouds. Typically deployed as a scalable platform, APIM allows enterprises to share their API configurations while controlling access, monitoring and collecting usage data, and enforcing security policies related to APIs.

    In other words, APIM gives businesses the power to better leverage the API economy without compromising on security. There are also internal benefits: managing all APIs on one unified platform lets enterprises share API documentation and coding constructs between teams, ultimately making things easier (and faster) for developers.

    What Are the Components of APIM?

    To facilitate flexibility, quality, speed, and security for enterprise APIs, APIM platforms are usually comprised of five key elements, outlined below.

    API gateway: The API gateway acts as the portal through which all routing requests and protocol translations are handled. As APIs often have different structures and languages and are constantly changing, an API gateway facilitates communication, providing a single point of contact for internal and external parties to interact with APIs.

    API developer portal: The developer portal provides a self-service hub for developers that want to access and share API documentation. This contributes significantly to speeding up how developers work with APIs, streamlining the building and testing processes, and providing consistency across the team.

    API analytics: There’s a lot of value in understanding and evaluating a given API’s usage and operational metrics — and that’s where an API reporting and analytics function comes in. APIM platforms are often equipped with dashboards that provide this visibility and allow enterprise teams to make better decisions about how they use their APIs, such as whether it’s worth monetizing them. From an operational perspective, these dashboards help identify issues early so they can be addressed proactively.

    API lifecycle management: With APIs, one of the biggest challenges is that there isn’t visibility into the whole lifecycle — from design to implementation and retirement. The reason is that APIs are often created for small internal uses and then launched into bigger use cases without the proper vetting. Lifecycle management mitigates this, providing a sustainable solution for building, testing, and managing APIs with version control support.

    API policy manager: Each API should operate within a set of API policies that shape its evolution. API policy managers control the lifecycle of these policies and house broader policies that impact the entire API infrastructure.

    In an APIM platform, each of these tools comes together to give companies a more complete and comprehensive view into their APIs and the control to enhance security across the API ecosystem.

    What APIM is Not

    From a security perspective, while APIM platforms are key for creating unified visibility and control over a company’s API infrastructure — and for facilitating the implementation of API security features — it’s important to note that it’s only one pillar in a robust API security strategy. API management platforms are not, fundamentally, security platforms. They lack key API security elements organizations should enforce, including continuous authentication and authorization, access control, data validation, runtime security tailored to the OWASP API Top 10 attacks, and a testing plan for APIs both in production and pre-prod.

    It’s also important to note that APIM isn’t a one-size-fits-all solution. It’s essential to evaluate the company’s IT infrastructure and other resources to ensure that they are equipped to adopt and implement a new platform for its APIs. Do you have the right level of expertise on your team? Are you working with enough APIs to justify the adoption of an APIM platform? Do you have API security policies in place to enable your APIM tool to do its best work? These are all critical questions to ask as you evaluate this solution.

    What Are the Benefits of APIM?

    For many enterprises, APIs are the Wild West of their technical infrastructure. APIs often differ significantly from one another, making it challenging to create overarching measures to manage them. The landscape is constantly changing, so documentation quickly becomes outdated and irrelevant. This is part of what makes APIs such an appealing threat vector for cybercriminals. APIM remedies this while providing other benefits.

    APIM supports businesses by:

    • Centralising visibility to all API connections, lowering the risk of attacks, and giving teams the ability to identify gaps and duplicates
    • Facilitating data-driven decisions for the business, such as monetizing the API
    • Protecting the business from API-related threats
    • Enabling the creation of detailed API documentation
    • Creating better user experiences for API consumers
    • Improving developer experiences
    • Providing better insights into the current state of API security, allowing teams to create a better ecosystem

    What Does the Future of APIM Look Like?

    APIs aren’t going anywhere. Businesses are continuing to build applications that rely on hundreds, if not thousands, of APIs. With APIs exposed to multiple data centres, cloud providers, and customers, with different levels of access requirements and customization, the scale and complexity of the ecosystem are only going to get bigger. For enterprises that want to stay agile, organised, and secure, APIM will be crucial.

    APIM will continue to be an important driver for functions such as versioning, deployment processes, usage metrics, and interoperability. And from a security perspective, they will develop as API gateways become more mature, doing more in the rate limiting, data masking, and authentication spaces.

    Other changes will come within the interfaces themselves. There’s a growing shift in the developer tooling space with the emergence of tools that favour visual drag-and-drop functionalities instead of coding. This way, different teams can contribute to APIM within the bounds of their skill sets and still have a clear understanding of the workflows, API lifecycles, and API security policies.

    As APIM platforms continue to mature, they will become an even more strategic asset for businesses that want to make the most of the API landscape without compromising their security.

    About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora

    Resource : https://securityaffairs.com/141738/security/api-management-apim.html

    20Feb, 2023
    Top 5 API Lessons for Software Engineering Leaders

    It is important for software engineering leaders to balance the technical and business goals of their API strategy and practice by considering these top 5 aspects.

    Software engineering leaders around the world see application programming interfaces (APIs) as the best option to connect systems and applications to build impactful and composable software architectures. However, they overlook the business potential of APIs as digital products and focus largely on technical use cases. 

    To deliver meaningful business outcomes and gain the trust of stakeholders, organizations need a modern API strategy that is closely aligned to business goals, and which covers API security, governance, life cycle management, developer enablement and potential for monetization. 

    “Software engineering leaders responsible for API strategies shouldn’t focus only on the technical benefits of APIs. They must incorporate the business perspectives to avoid risking the support of business stakeholders,” says Shameen Pillai, Sr Director Analyst at Gartner.

    Here are the top five considerations for software engineering leaders to develop an effective API strategy and practice.

    No. 1. Don’t let API governance create bottlenecks

    For developing, managing and governing APIs without creating bureaucratic hurdles, software engineering leaders can implement an “adaptive governance” model. The idea is to create a federated API platform team (for example, having product managers from different business groups such as digital, commerce and logistic API teams) and manage the locally built APIs without undermining the overall API strategy.

    To support localized standards, tools and processes, ensure that API product teams do not create disjointed or overlapping standards and actively participate in federated API governance. The platform teams and product managers should have consistent communication to be aware of shared assets, policies and practices.

    No. 2. Treat APIs as products, even if you don’t plan to monetize them

    Looking at APIs as a way to achieve technical purposes isn’t enough in the postpandemic world. They are now essential in advancing digital business strategies and should be treated as products without prioritizing monetization. Although many organizations monetize APIs, the majority don’t. Many organizations use API products for internal consumption only.

    Regardless, the development, organization and management of APIs should be driven by a consumer-centric mindset that requires product managers to:

    • Prepare API roadmaps and measure business outcomes
    • Understand and cater to the needs of API consumers (for example, developers) to promote API products and improve developer relations (DevRel)

    No. 3. Discover your APIs before hackers do

    As APIs are the gateways to systems, applications and services, they are always vulnerable to security threats. This may result in the loss of private and sensitive information about millions of users.

    The security strategy for APIs should focus on threat protection, well-refined access control and data privacy. Software engineering leaders often protect the published APIs, but there can be shadow or unpublished APIs. API discovery is the key to ensuring that there are no blind spots and to track any malicious usage of APIs.  

    Software engineering leaders should adopt a DevSecOps strategy and institute a security governance policy across the organization. They should assess and enhance the capabilities of API security and management solutions to discover APIs and potential threats from hackers.

    No. 4.Manage the life cycle of APIs

    An API’s life cycle involves four stages:

    • Planning and initial design
    • Implementation and testing
    • Deploy and run
    • Versioning and retirement

    Software engineering leaders should build a consistent process around the four life cycle stages to develop a comprehensive API strategy and practice. For example, the “planning and initial design” stage should focus on an iterative process, consisting of a design approach, methodology and governance. Likewise, the “deploy and run” stage should focus on advanced security analytics to measure API business value.

    Leverage automation to sustain API quality, track issues and optimize the API’s life cycle based on actual performance.

    Align the development of APIs with the organization’s DevOps process for continuous integration and delivery. This way, software engineering leaders learn about other considerations when building, deploying, testing and implementing APIs in various environments. For example, as per API testing guidelines, certain functional, performance and security testing requirements can be mandatory.

    No. 5. Choose best-fit API technologies

    There are a variety of vendor solutions for developing and managing APIs available in the market today. However, the API market is evolving, with some vendors focusing on specific aspects of APIs like design, testing, monitoring, security, portals and ecosystem management. 

    Related webinar: How to Benefit From API Startups and New API Trends

    With so many different solutions to select from, software engineering leaders should have clarity regarding the needs of their organization and engineering groups. To make the selection more credible and collaborative, involve API product managers, API platform teams and security teams in the process. 

    It may be difficult to identify what differentiates different vendor solutions when it comes to potential, viability and maturity. Review critical capabilities for API life cycle management to understand the respective strengths and weaknesses of each solution and select the best possible fit.

    Resource: https://www.gartner.com/smarterwithgartner/top-5-api-lessons-for-software-engineering-leaders

    22Dec, 2022
    Cost of a Data Breach: Infrastructure

    What Is Critical Infrastructure?

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) classifies 16 infrastructure sectors as critical to the nation. Among these critical sectors are financial services, critical manufacturing, information technology, energy, transportation systems, communications, health care and public health, food and agriculture and emergency services.

    CISA designates certain industries as critical because their assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety or some combination of those factors. When cybersecurity issues occur in organizations in critical industries, there is a ripple effect with many often-unexpected consequences.

    The Colonial Pipeline ransomware attack, for example, shut down an oil pipeline that stretches 5,500 miles from Texas to New York and carries up to 3 million barrels of fuel per day. The five-day shutdown reduced the amount of gas available to the East Coast by half. Therefore, many areas experienced gas shortages and high prices. In addition, Colonial Pipeline paid $4.5 million in ransom to restore its compromised systems and faces more fines for operational lapses and management failures. The attack also resulted in new directives issued by the Transportation Security Administration for U.S. pipelines to prevent similar attacks and reduce their impact.

    What Is a Critical Infrastructure Data Breach?

    Each time an organization in a critical sector is the victim of any type of cybersecurity incident that results in data loss, the event counts as a critical infrastructure data breach. The IBM 2022 Cost of a Data Breach Report revealed the following breakdown of types of attacks on critical infrastructure industries:

    • IT failure (25%)
    • Human error (22%)
    • Third-party business partner (17%)
    • Destructive attacks (16%)
    • Ransomware (12%)
    • Other malicious attacks (8%).

    Impact of a Critical Infrastructure Data Breach

    Interestingly, the average cost of a critical infrastructure data breach was more than $1 million more than other data breaches. It cost an average of $4.82 million compared to $3.83 million in industries such as pharmaceuticals, services, entertainment, consumer goods, media, hospitality, retail and research. These totals do not include the impacts data breaches and disruption of services have on consumers and other businesses. Those might include supply chain issues or greater health care costs from delays in care.

    Not surprisingly, health care continued its 12-year reign as the most costly industry for a data breach. In 2021, the average cost of a health care data breach was $9.23 million. However, the new report found the average cost increased to $10.10 million in 2022, an increase of 9.4%. Other critical infrastructure industries ranked in the top four, with financial services coming in second at $5.97 million. Other high-cost critical infrastructure industries include technology ($4.97 million) and energy ($4.72 million).

    Although the costs for critical infrastructure are higher, the report found that defenders find and contain breaches more quickly there than in other industries. That proves the costs would be even higher without the quick action and high priority of cybersecurity workers. The Mean Time to Identify in critical infrastructure industries was 204 days, compared to 211 days for other industries. The Mean Time to Contain for critical infrastructure industries was 69 days, compared to 71 days for other industries. Overall, the combined average for critical infrastructure industries was nine days shorter than the 282 days average for other industries. 

    Zero Trust Can Reduce Costs of Data Breaches

    A surprising finding from the report: critical infrastructure organizations were much less likely to use a zero trust framework. With a zero trust approach, an organization moves away from the traditional strategy of protecting the perimeter and endpoints. Instead, the organization reduces risk by assuming that all access requests from apps, users and devices are not authorized. The user must then prove otherwise since the organization meets every request with zero trust.

    The higher costs for critical infrastructure breaches likely relate to the lower adoption of the framework in these industries. The report found that one in five organizations in critical infrastructure industries are using zero trust. However, 41% of all organizations — both critical and non-critical infrastructure industries — now use a zero trust approach.

    The report discovered that critical infrastructure organizations that use a zero trust approach have an average breach cost of $4.23 million. Meanwhile, critical infrastructure organizations that are not using a zero trust approach have an average cost of $5.40 million. That’s a difference of $1.17 million per breach. Critical infrastructure industry organizations can reduce the cost of a breach simply by using a zero trust approach.

    Moving Forward With Zero Trust in Critical Infrastructure Industries

    While the prospect of completely shifting your cybersecurity approach can feel overwhelming, zero trust consists of multiple types of processes and technologies. By starting small, with one type of zero trust approach such as multi-factor authentication or micro-segmentation, your organization can begin to see the benefits of the approach.

    Organizations can build upon their initial framework by adding more technology and strategies as they become more experienced with zero trust. The report found that the level of maturity in zero trust makes a difference in breach costs for all organizations. That holds true both in critical infrastructure sectors and other industries. Organizations with a mature zero trust approach spent $1.51 million less than organizations just starting their journey.

    Creating a fully mature zero trust framework doesn’t happen overnight. By starting your journey today, your organization can begin reducing both risks and costs of a breach.

    Because you are in the critical infrastructure industry, your cybersecurity decisions don’t just affect your employees and customers. They affect people across the country, and even the world. With a zero trust approach, your organization ensures it is able to provide the services others depend on.

    Resource : https://securityintelligence.com/category/data-protection/

    15Dec, 2022
    Test Cases

    What Is A Test Case And How To Write Test Cases?

    Writing effective cases is a skill. You can learn it from the experience and knowledge of the application under test.

    For basic instructions on how to write tests, please check the following video:

    https://youtube.com/watch?v=9abf1eQephA%3Frel%3D0

    The above resources should give us the basics of the test writing process.

    Levels of Test writing process:

    • Level 1: In this level, you will write the basic cases from the available specification and user documentation.
    • Level 2: This is the practical stage in which writing cases depend on the actual functional and system flow of the application.
    • Level 3: This is the stage in which you will group some cases and write a test procedure. The test procedure is nothing but a group of small cases, maybe a maximum of 10.
    • Level 4: Automation of the project. This will minimize human interaction with the system and thus the QA can focus on the currently updated functionalities to test rather than remaining busy with Regression testing.

    Why do we Write Tests?

    The basic objective of writing cases is to validate the test coverage of an application.

    If you are working in any CMMi organization, then the test standards are followed more closely. Writing cases brings some sort of standardization and minimizes the ad hoc approach in testing.

    How to Write Test Cases?

    Fields:

    • Test case id
    • Unit to test: What to be verified?
    • Assumptions
    • Test data: Variables and their values
    • Steps to be executed
    • Expected Result
    • Actual result
    • Pass/Fail
    • Comments

    Basic Format of Test Case Statement

    Verify
    Using     [tool name, tag name, dialog, etc]
    With [conditions]
    To [what is returned, shown, demonstrated]

    Verify: Used as the first word of the test statement.
    Using: To identify what is being tested. You can use ‘entering’ or ‘selecting’ here instead of using depending on the situation.

    For any application, you need to cover all types of tests as:

    • Functional cases
    • Negative cases
    • Boundary value cases

    While writing these, all your TC’s should be simple and easy to understand.

    Resource : https://www.softwaretestinghelp.com/how-to-write-effective-test-cases-test-cases-procedures-and-definitions/