Julie Tsai

Okta signed the Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge at #RSAC to take meaningful steps in adopting #secure by design principles in the coming year. I am excited that we are accompanying our peers in the industry to take the steps needed to prioritize application security. Identity-based #attacks have become a top method for cybercriminals, and according to the Open Worldwide Application Security Project, broken access control is the number one most common web application security risk. It’s putting companies building their applications at risk. This is a priority for Okta. There’s never been a more critical time for us to come together and implement secure design principles to keep the #identity #secure. Learn more about this pledge https://bit.ly/3UQNLbz. Tomorrow is also Okta Showcase! I am excited to join Todd McKinnon, Sagnik Nandy , and others to share the latest product innovations & commitments Okta is making to secure identity. You can tune in here: https://bit.ly/4cLldaI

189

2 Comments

Relying Solely on the NVD or severity score? You Might Be Exposed The National Vulnerability Database (NVD) has been facing serious delays this year. Budget cuts and a rising number of reported vulnerabilities have slowed NVD's ability to keep up. The result? over 93% of new vulnerabilities still waiting for analysis. This backlog means that if your security tools rely exclusively on the NVD for vulnerability data, you’re likely missing out on a significant portion of recent threats. Even more concerning, attackers are adapting their tactics. Instead of focusing solely on high-severity vulnerabilities, they are now exploiting medium and low-severity issues, vulnerabilities that may not even be flagged yet by the NVD, which may leave you with a huge blind spot. What should you do? Check your SCA tool: If your vulnerability management system depends entirely on the NVD, you're likely missing many recent vulnerabilities. Focus on exploitability: Don’t just prioritize critical vulnerabilities. Medium and low-severity vulnerabilities can be just as dangerous if they are easy for attackers to exploit. Stay proactive. Stay protected. #FOSSAware #OpenSourceSecurity #VulnerabilityManagement #NVD #OpenSourceRisk

7

You need to use the findings and automate based on those. eBPF is not enough.

2

Zero Trust, SMB and National Security. INTEL CTO Exclusive. Steve Orrin, Federal CTO for Intel, discusses secrets inside zero trust and the latest cyber security concerns. New episode. Available everywhere you get podcasts and on YouTube.

11

1 Comment

The latest issue of the AuthZ newsletter is out, thanks to David Brossard for pitching in to review the latest talks uploaded from #Identiverse, the upcoming talks for #fwdCloudSec and new reviews from #IDPro, including an interview with Sarah Cecchetti! Please subscribe (for free!) at AuthZ on Substack — the attached PDF is a different way to share on LinkedIn as an experiment

15

3 Comments

Thanks Michael Bishop, @Marius Kleidl and Rich Salz for documenting #HTTP API #antipattern with HTTP API Keys and Privacy I-D https://lnkd.in/gt4f5iwa and providing guidance. Redirecting HTTP requests to HTTPS, a common pattern for human-facing web resources, can be an anti-pattern for authenticated API traffic. This document discusses the pitfalls and makes deployment recommendations for authenticated HTTP APIs. It does not specify a protocol....This document describes actions API servers and clients should take in order to safeguard credentials.

21

1 Comment

Cyber Explorers, It's that time of year for mid cycle performance review. I found this insightful article on Medium written by Travis Felder. Introspect and diverse feedback are critical in professional growth. If you lead teams it is crucially important to be mindful of hidden biases and how they can derail a team's growth and individual performance. Read “Unveiling Hidden Biases: A Manager’s Guide to Fair Performance Evaluations in Cybersecurity“ by Travis Felder on Medium:

6

2 Comments

"Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection... Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations, the FTC said The FTC says that Marriott and Starwood DECEIVED CONSUMERS by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Specifically, the proposed complaint alleges that Marriott and Starwood failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication The FTC alleged that security failures by Marriott and Starwood resulted in at least three separate data breaches wherein malicious actors obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers, according to the proposed complaint The three large data breaches, which took place from 2014 to 2020, affected more than 344 million customers worldwide, the FTC said Let's not forget that much of the problem arose from Marriott's failure to conduct proper due diligence during the 2015/16 Starwood merger negotiations. This created other serious, still unresolved, issues "As indicated in the agreements with the FTC and the state Attorneys General, Marriott makes no admission of liability with respect to the underlying allegations," the statement said. How absolutely pathetic! John Shepherd (Marriott victim and hunger striker) Anthony Capuano David Marriott Rena Reiss #marriott #marriottinternational #marriottbonvoy #corruption #hotelindustry #risk

3

Really conflicted on this "Lessons from XZ Utils" piece from CISA. A lot of it is good, but the conclusions seem disconnected from the actual attack, impractical, and misguided - particularly this section: "This compromise highlights a fundamental shift needed: every technology manufacturer that profits from open source software must do their part by being responsible consumers of and sustainable contributors to the open source packages they depend on." In the xz attack itself, the burnout that led to the maintainer transfer was *caused* by the attackers and sock-puppets. It's also a dramatic oversimplification to imply that issues like this would be prevented if companies contributed financially or through work. Yes - responsible OSS consumption requires a deep understanding of what you're using and a plan to maintain it in the event of the project going EOL or an unpatched vulnerability, but requiring organizations to contribute back is an overreach not backed by real-world data or even the post-mortem of this specific event. Funding and contribution has a role in OSS, but for most organizations it should come far far far after basic security principles like defense-in-depth, inventory management, and patching procedures. Groups like CISA are in a great position to help monitor the broader OSS ecosystem for risk and align efforts to help make funding and contribution productive, but without that foundation in place this is just a recipe for confusion. Simply framing organizations that use OSS in a secure-manner in full accordance with all the terms in the licensing as "irresponsible" is much more irresponsible IMO. https://lnkd.in/eYFR9fgT #cisa #oss #xz #sustainability

33

7 Comments

Cybersecurity is more than an IT issue—it's a business issue. Yet, many companies struggle to communicate cyber risks in terms that the board and executives can understand. This disconnect often leads to poor prioritization and costly mistakes. #cyberrisk #cybermaturity

10

Security teams need answers to tough cloud data security questions and to close exposures faster. That’s why we’re introducing data security posture management (DSPM) and AI security posture management (AI-SPM) capabilities for Tenable Cloud Security. Key benefits: ✔️ Gain complete visibility of your cloud data ✔️ Proactively identify cloud data exposure ✔️ Reduce the likelihood of a data breach 🔗 Learn more: http://ow.ly/q424105O2IL

8

A person of interest is someone who has come to the attention of law enforcement officials in connection with a crime. This could be because they were seen near the crime scene, knew the victim, or have a criminal history. However, a person of interest has not yet been arrested or charged with a crime. Investigators will typically gather more information about a person of interest before deciding whether to pursue charges. Here are some of the reasons why someone might become a person of interest: · They were seen near the crime scene around the time it took place. · They have a history of committing similar crimes. · They knew the victim well. · They lied to investigators about their whereabouts or activities. · They have suspicious financial activity linked to the crime. It is important to note that being a person of interest does not mean that someone is guilty of a crime. Law enforcement officials investigate many people during a criminal investigation, and most of them are never charged. If you are ever contacted by law enforcement officials and told that you are a person of interest, it is important to be polite and cooperative. However, you should also consult with an attorney to protect your rights. You have the right to remain silent and the right to an attorney. https://lnkd.in/dJZSRkpT

16

1 Comment

I find RiskOptics's Kelly Hood sharing and explanation on National Institute of Standards and Technology (NIST) Cyber Security Framework (NIST CSF) related topic to be very helpful, easy to understand and informative. I am sure she deliver the same quality sharing on topic of Cybersecurity Maturity Model Certification (CMMC) program in this YouTube video https://lnkd.in/eQ2rntgV _________________________ About United States Department of Defense Cybersecurity Maturity Model Certification (CMMC) Program. The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information. 🔗 https://lnkd.in/eZ-DSEjt _________________________ What is Cybersecurity? Cybersecurity is the practice of protecting internet-connected systems such as hardware, software and data from cyberthreats. It's used by individuals and enterprises to protect against unauthorized access to data centers and other computerized systems. An effective cybersecurity strategy can provide a strong security posture against malicious attacks designed to access, alter, delete, destroy or extort an organization's or user's systems and sensitive data. Cybersecurity is also instrumental in preventing attacks designed to disable or disrupt a system's or device's operations. Link: TechTarget https://lnkd.in/g-2D7ER8 _________________________ Want to learn more about CyberSecurity? Joining ISC2 would be one the smart choice to do so, as a non-profit organization which specializes in training and certifications for cybersecurity professionals, it has been described as the "world's largest IT security organization". Do DM/PM Ts. Hon Hao Kong the Director of Membership via LinkedIn for ISC2 Malaysia Chapter to enquire for more details. https://isc2chapter.my/ _________________________ Important Note: This is not an endorsement of the organisation, brand or product mentioned, just merely sharing of knowledge. _________________________ 👋 My name is Robin Yong 💻 I share CyberSecurity news, opinion and trend. 💡 Connect with me at https://lnkd.in/gVPUvc22 ⚠️ Opinions expressed are solely my own and do not express the views or opinions of my employer or the organisation I am associate with.

7

We do a lot of security questionnaires. Increasingly, we see AI Questionnaires attached to security questionnaires and procurement flows. Many assume companies use AI. There is no "yes" / "no" option, just "explain how you train your models" or "how do you prevent using our data from training your models". The same questionnaires that assume companies use AI don't even assume the company encrypts data but ask whether the company does encrypt data before asking "how do you encrypt data at rest". #ai #trust #iso42001

7

Put some thoughts together on why traditional CA/CLM infrastructures fall short in dynamic, cloud-native environments. Purpose-built solutions like SPIFFE offer dynamic, attested identities, decentralized issuance, and granular policy enforcement, making them essential for modern workload credential management.

20

Proud to contribute to LLM security along with my colleagues Mika Ayenson, Ph.D. Dan Kortschak,, Jake King, and Andrew Kroh! When working with various vendors such as Bedrock (Amazon), and Azure OpenAI, it becomes even more important to ingest the logs with standardized/unified fields. Then we can build detections and security features on top of those unified fields to protect against model misuse, DoS, and more. This is part of our team's initiatives highlighted at RSA Conference. Read more: Elastic Advances LLM Security with Standardized Fields and Integrations https://lnkd.in/gAeinuAG

22

Forrester couldn’t have put it more clearly. "Simply put, it’s the right moment for businesses to build an API security landscape that addresses the modern challenges head on." "According to Forrester’s research, API security software is no longer a “nice to have” but a necessity." I would add: It’s time to shift from reactive to proactive API security - anticipate those business logic related threats before they escalate. Time to grab a Pynt! #apisecurity #apisecuritytesting #proactiveapisecurity

39

Wondering how cybersecurity leaders can demonstrate the business value of cybersecurity and better align it with business objectives? Check out these five best practices to consider.

1

🛡 Forrester Urges CISOs to Prioritize API and Supply Chain Security in 2025 Forrester's latest report, 2025 CISO Budget Priorities, highlights six essential areas where CISOs need to focus to stay ahead of emerging threats and secure business-critical operations. They include the following: 🔐 API Security: With APIs driving over 83% of all web traffic, they are now the primary target for cybercriminals. Forrester advises CISOs to allocate up to 20% of their security budgets to safeguard these critical interfaces against breaches. 🔗 Supply Chain Security: Forrester’s report shows that 36% of security leaders are increasing investments here, recognizing the significant risks posed by third-party vulnerabilities. 🔧 Application Security and Business-Critical Infrastructure: Securing application security and business-critical infrastructure is a top priority for 2025. Forrester emphasizes the need to double down on threats and controls in these areas to protect revenue-generating IT assets. 🛡️ Zero Trust Architecture: As perimeter-based defenses become obsolete, Forrester recommends that CISOs prioritize a Zero Trust approach. 💾 IoT and OT Security: IoT devices continue to be major attack vectors, particularly in industrial control systems. Forrester recommends integrating IoT security into Zero Trust frameworks to reduce the risk of breaches. 🤖 Resource Optimization: Forrester notes that 55% of CISOs plan to leverage AI and automation to enhance security operations, ensuring every dollar spent delivers maximum impact. Read the full story on VentureBeat to learn more about Forrester’s key findings regarding CISOs' budget priorities for 2025: #CyberSecurity #CISO #APISecurity #SupplyChainSecurity #ZeroTrust #IoTSecurity #Forrester #Budget2025 #ThreatMitigation #AI #Automation #SecurityStrategy

6