
Top Challenges Shaping the Security Breach Landscape




One of the things we are seeing these days in cybersecurity is how hacks, breaches, digital scams, and ransomware attacks are running rampant. One estimate for the US alone (PC/Mac) reported about 1,802 total compromises throughout 2022, most of which were data breaches, affecting about 422 million people. Alongside that, we have seen a rise in software supply chain attacks. So, really, as IBM put it in their 2022 data breach report: in an evolving threat landscape, time is money.

 

Next, I want to briefly talk about two such security incidents.

 

Last year in July, the Virginia Commonwealth University Health System posted a privacy violation notification on its website acknowledging that transplant donor information had been included in the medical records of certain transplant recipients, and that transplant recipient information had likewise been included in the medical records of the donors. This information included names, Social Security numbers, lab results, medical record numbers, and dates of birth. So, really, a security design flaw caused this privacy incident, and most importantly, it went undetected for 16 years.

 

Here's another example, the Kinsing malware. Lately we have been witnessing a rise in the number of attacks that target container environments. One such example is the Kinsing malware, which is actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigurations present in PostgreSQL containers. The Microsoft Defender for Cloud team reported that they have seen an uptick lately, indicating that threat actors are actively looking for specific entry points. Some of the prevention methods lie in security design considerations, such as minimizing access to exposed containers by, say, an IP allowlist or following the principle of least privilege, and also in stepping up the security design for databases to eliminate permissive settings and misconfigurations.
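The two mitigations named above, an IP allowlist and the removal of permissive database settings, can be checked mechanically. The following Python script is an added example (not code from the talk, from netVigilance, or from Microsoft): it audits a PostgreSQL `pg_hba.conf` against an allowlist of client networks and flags entries that use a weak authentication method (`trust`, which never verifies the client, or `password`, which sends the password in clear text) or that admit clients outside the allowlist. The sample `pg_hba.conf` and the `10.0.3.0/24` allowlist are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Methods that never verify the client ("trust") or send the password in
# clear text ("password"); both are permissive settings worth eliminating.
WEAK_METHODS = {"trust", "password"}

# Constructed sample pg_hba.conf for illustration, not from any real deployment.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       all       0.0.0.0/0       trust
host    all       all       ::/0            md5
host    app       app       10.0.3.0/24     scram-sha-256
hostssl app       app       10.0.3.7/32     scram-sha-256
host    all       all       192.168.0.0/16  password
"""


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def parse_pg_hba(text):
    """Yield (line_no, entry, fields) for every non-comment, non-empty line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if entry:
            yield n, entry, entry.split()


def client_scope(fields):
    """Return (scope, method) for a host-type entry. scope is an ip_network,
    the string "all" (matches any client), or None for hostname-style
    entries, which this checker does not evaluate."""
    addr = fields[3]
    if addr == "all":
        return "all", fields[4]
    try:
        if "/" in addr:
            return ipaddress.ip_network(addr, strict=False), fields[4]
        ipaddress.ip_address(addr)  # raises ValueError for hostnames/keywords
        # separate-netmask form: ADDRESS NETMASK METHOD
        return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), fields[5]
    except ValueError:
        return None, fields[4]


def within_allowlist(network, allowed):
    """True if network is contained in some allowlisted network of the same IP version."""
    return any(network.version == a.version and network.subnet_of(a)
               for a in allowed)


def audit_pg_hba(text, allowed_networks):
    """Flag entries that use a weak method or admit clients outside the
    allowlist; returns a list of Finding."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for n, entry, fields in parse_pg_hba(text):
        if fields[0] == "local":
            # local entries have no ADDRESS column: TYPE DATABASE USER METHOD
            scope, method = None, fields[3]
        else:
            scope, method = client_scope(fields)
        if method in WEAK_METHODS:
            findings.append(Finding(n, entry, f"weak auth method '{method}'"))
        if scope == "all":
            findings.append(Finding(n, entry, "address 'all' admits any client"))
        elif scope is not None and not within_allowlist(scope, allowed):
            findings.append(Finding(n, entry, f"{scope} is outside the allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA, ["10.0.3.0/24"]):
        print(f"line {f.line_no}: {f.reason}: {f.entry}")
```

Run against the constructed sample, the script reports the `0.0.0.0/0 trust` entry twice (weak method and outside the allowlist), the `::/0 md5` entry once, and the `192.168.0.0/16 password` entry twice, while the two `scram-sha-256` entries restricted to the allowlisted subnet pass. The same allowlist should be enforced one layer out as well, for example with a Kubernetes NetworkPolicy on the database pod, so that a misconfigured `pg_hba.conf` is not the only thing between the container and the network.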

 

So it wasn't a huge surprise when OWASP revised the Top 10 list in 2021 and included Insecure Design as category number four, focused on risks related to design flaws. And I think that's great, because a lot of security design considerations make us think about the other categories on the list and see where they are applicable when we are designing, architecting, developing, and deploying in accordance with them.

 

 

So what is insecure design? I would say it's a broad category that needs more explanation to be meaningful. But in a nutshell, according to OWASP, it is missing or ineffective control design: the lack of business risk profiling and the failure to determine what level of security design is really required for what we are building.

 

Cost of insecure design


 

This is my favorite illustration because it makes us think about the cost of insecure design. What starts as security best practices not being followed early on results in security bugs and security vulnerabilities, cascades into internal security events and perhaps external incidents, and eventually results in security breaches: ultimately, loss of reputation, precious customer trust, and revenue.

 

In 2003, IBM along with NIST conducted a study on the economics of fixing security bugs later in the software development life cycle (SDLC), at the maintenance phase, as compared to the design phase. There is a dramatic difference, but that's 2003. Fast forward to 2023, a cloud-native, agile way of working: we cannot even fathom the difference between fixing security bugs early and fixing them post-implementation or post-deployment. Another factor is that security cannot be retrofitted into software, so it's very, very important to account for it in the software design from early on. Thinking about initial velocity versus sustained velocity: choosing not to account for critical security requirements early on can help your project velocity at first, but over the lifetime of the project it is eventually going to slow you down.

 

 

 

 

Copyright©2004-2011,  netVigilance, Inc.   All rights reserved  • Privacy Policy
