Posted on

True ‘shift left and extend right’ security requires empowered developers

Idan Plotnik
Contributor

Idan Plotnik is the CEO and founder of Apiiro, a code risk platform.

DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.
The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace …

Read More

Posted on

Microsoft confirms it’s buying cybersecurity startup RiskIQ

Microsoft has confirmed it’s buying RiskIQ, a San Francisco-based cybersecurity company that provides threat intelligence and cloud-based software as a service for organizations.
Terms of the deal, which will see RiskIQ’s threat intelligence services integrated into Microsoft’s flagship security offerings, were not disclosed, although Bloomberg previously reported that Microsoft will pay more than $500 million in cash for the company. Microsoft declined to confirm the reported figure.
The announcement comes amid a heightened security landscape as organizations shift to remote and hybrid working strategies.
RiskIQ scours the web, mapping out details about websites and networks, domain name records, …

Read More

Posted on

America’s small businesses face the brunt of China’s Exchange server hacks

As the U.S. reportedly readies for retaliation against Russia for hacking into some of the government’s most sensitive federal networks, the U.S. is facing another old adversary in cyberspace: China.
Microsoft last week revealed a new hacking group it calls Hafnium, which operates in, and is backed by, China. Hafnium used four previously unreported vulnerabilities — or zero-days — to break into at least tens of thousands of organizations running vulnerable Microsoft Exchange email servers and steal email mailboxes and address books.
It’s not clear what Hafnium’s motives are. Some liken the activity to espionage — a nation-state …

Read More

Posted on

Cybersecurity startup SpiderSilk raises $2.25M to help prevent data breaches

Dubai-based cybersecurity startup SpiderSilk has raised $2.25 million in a pre-Series A round, led by venture firms Global Ventures and STV.
In the past two years, SpiderSilk has discovered some of the biggest data breaches: Blind, the allegedly anonymous social network that exposed private complaints by Silicon Valley employees; a lab leaked highly sensitive Samsung source code; an inadvertently public code repository revealed apps, code, and apartment building camera footage belonging to controversial facial recognition startup Clearview AI; and a massive spill of unencrypted customer card numbers at now-defunct MoviePass may have been the final nail in the already-beleaguered subscription service’ …

Read More

Posted on

Google, Cisco and VMware join Microsoft to oppose NSO Group in WhatsApp spyware case

A coalition of companies have filed an amicus brief in support of a legal case brought by WhatsApp against Israeli intelligence firm NSO Group, accusing the company of using an undisclosed vulnerability in the messaging app to hack into at least 1,400 devices, some of which were owned by journalists and human rights activists.
NSO develops and sells governments access to its Pegasus spyware, allowing its nation-state customers to target and stealthily hack into the devices of its targets. Spyware like Pegasus can track a victim’s location, read their messages and listen to their calls, steal their photos and files …

Read More

Posted on

Researchers say hardcoded passwords in GE medical imaging devices could put patient data at risk

Dozens of medical imaging devices built by General Electric are secured with hardcoded default passwords that can’t be easily changed, but could be exploited to access sensitive patient scans, according to new findings by security firm CyberMDX.
The researchers said that an attacker would only need to be on the same network to exploit a vulnerable device, such as by tricking an employee into opening an email with malware. From there, the attacker could use those unchanged hardcoded passwords to obtain whatever patient data was left on the device or disrupt the device from operating properly.
CyberMDX said X-ray …

Read More