Shaan Mulchandani
Washington DC-Baltimore Area
3K followers
500+ connections
About
As the Founder and CEO of HTCD Inc., I'm leading the charge towards a future where Cloud…
Articles by Shaan
Will ICS be as lucky when the next ransomware campaign hits?
Co-authored with Shimon Modi The WannaCry ransomware has been sliced and diced since it surfaced more than a week ago…
191 Comment
Activity
Discover the key trends shaping the future of cloud security in this insightful discussion with Shaan Mulchandani, Founder & CEO of HTCD. From the…
Liked by Shaan Mulchandani
Getting the next generation involved in tech can be hard. There is a huge gap between kids that are excited to learn, work hard and provide value…
Liked by Shaan Mulchandani
This year's re:Invent introduced some incredible new security-focused features from Amazon Web Services (AWS). 🚀 However, to truly take full…
Liked by Shaan Mulchandani
Recommendations received
37 people have recommended Shaan
More activity by Shaan
The Zero-Trust Games When I first watched The #HungerGames, I thought it was just a dystopian story about survival and rebellion. But, much like…
Liked by Shaan Mulchandani
Congratulations to our very own Ashish Kumar Verma on receiving a National Award in AI! 🏆 We’re proud of your achievements and excited for what’s to…
Liked by Shaan Mulchandani
Explore more posts
Melissa Chambers
The transition to PQC is estimated to cost U.S. federal agencies $7.1 billion by 2035, with costs likely to increase. Sitehop demonstrated our PQC 100Gbps SAFE Series solution last year. Now that NIST has made its recommendations for PQC, we will release our solution by the end of this year. Message us to learn how you can get on the list for the first release! #PQC #cybersecurity #future
321 Comment
Dr. Jason Edwards, DM, CISSP, CRISC
A so-called "Sleepy Pickle" attack is performed with a tool like Fickling. Fickling is an open-source program for detecting, analyzing, reverse engineering or creating malicious Pickle files. An attacker merely has to convince a target to download a poisoned .pkl via phishing or supply chain compromise — and then, upon deserialization, their malicious operation code executes as a Python payload. https://lnkd.in/gcY6tU6B #informationsecurity #cybersecurity #technology #cyber #cybersecuritytraining #cyberawareness #usarmy #usmarines #usmc #usairforce #airforce #usnavy #navy #uscg #coastguard #military #veterans
1
Christopher Puderbaugh
Sandboxed recommendations that are prioritized by their risk-reduction potential are part of the foundation for strategic and programmatic cyber decisions, such as those made during risk committee meetings. The outcomes of those decisions can either be technically observed (i.e., implemented and validated via integration) or provided via user feedback (i.e., silencing because of control sustainability within a given business environment). The ultimate success story for this type of capability is enabling decision-analysis across business quarters, where three very simple questions can be answered: 1) What have we done? 2) What do we need to do? 3) How are we trending? #pelloniumriskintelligence
1
Travis Good, MD, CIPM
We do a lot of security questionnaires. Increasingly, we see AI Questionnaires attached to security questionnaires and procurement flows. Many assume companies use AI. There is no "yes" / "no" option, just "explain how you train your models" or "how do you prevent using our data from training your models". The same questionnaires that assume companies use AI don't even assume the company encrypts data but ask whether the company does encrypt data before asking "how do you encrypt data at rest". #ai #trust #iso42001
7
Michele Chubirka
Secure Boot-neutering PKfail debacle is more prevalent than anyone knew https://ift.tt/XxGIKuB

A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines. The debacle was the result of non-production test platform keys used in hundreds of device models for more than a decade. These cryptographic keys form the root-of-trust anchor between the hardware device and the firmware that runs on it. The test production keys—stamped with phrases such as “DO NOT TRUST” in the certificates—were never intended to be used in production systems. A who's-who list of device makers—including Acer, Dell, Gigabyte, Intel, Supermicro, Aopen, Foremelife, Fujitsu, HP, and Lenovo—used them anyway.

Medical devices, gaming consoles, ATMs, POS terminals

Platform keys provide the root-of-trust anchor in the form of a cryptographic key embedded into the system firmware. They establish the trust between the platform hardware and the firmware that runs on it. This, in turn, provides the foundation for Secure Boot, an industry standard for cryptographically enforcing security in the pre-boot environment of a device. Built into the UEFI (Unified Extensible Firmware Interface), Secure Boot uses public-key cryptography to block the loading of any code that isn’t signed with a pre-approved digital signature.

via Biz & IT – Ars Technica https://arstechnica.com September 16, 2024 at 06:13PM
Khaled Yakdan
Six Underappreciated Challenges Hindering the Adoption and Effectiveness of Fuzz Testing.

When discussing fuzz testing, conversations often focus on the differences and advantages of various fuzzing engines, such as libFuzzer and AFL++. While these aspects are important, several frequently overlooked challenges significantly hinder the adoption of fuzz testing.

1️⃣ Selecting the Best Candidates to Fuzz: Especially in a large codebase, deciding which functions or APIs to test is crucial. Ideally, you start with a small set of public APIs that maximize fuzzing impact, such as code coverage and the number of bugs found.
2️⃣ Writing Realistic Fuzz Tests: Like unit tests, fuzz tests should respect the API contract and include necessary initialization and cleanup code. Incorrect API use can lead to false positives.
3️⃣ Maintaining Existing Fuzz Tests: As your code evolves, you should update your fuzz tests and keep them in sync with the code they test.
4️⃣ Ensuring High-Quality Fuzz Tests: High-quality fuzz tests achieve good code coverage by testing various ways an API is expected to be used. This increases the possibility of reaching good code coverage and consequently triggering more bugs.
5️⃣ Promptly Fixing Found Issues: When you start fuzzing a new project, there will be an initial burst of bugs. Often, these represent fuzzing blockers as the fuzzer will hit them over and over again, preventing it from further exploring your code. Generally, the faster you can fix bugs, the more effective the subsequent fuzzing runs become.
6️⃣ Integration into Developer Workflows: Seamlessly incorporating fuzz testing into CI/CD pipelines is key to continuous testing and quick feedback cycles, ensuring that fuzz testing is a routine part of development.

By addressing these scalability challenges, you can unlock the full potential of fuzz testing and achieve its significant benefits. #fuzzing #softwaretesting #softwaresecurity
14
Rick Lane
NameCheap, along with other ICANN registrar/registry contracted parties like Verisign, GoDaddy, and Tucows, filed for an exception to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires covered entities that are deemed critical infrastructure to report covered cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). https://lnkd.in/g2c2HUud However, as the New York Times reported, Namecheap is already putting US national security at risk and housing domain names designed to interfere with the 2024 election. Some of the Web’s Sketchiest Sites Share an Address in Iceland https://lnkd.in/eXZ-U-NP As reported by the NYT, "Because Withheld for Privacy [owned by NameCheap] uses the building’s address as a default for its clients, Kalkofnsvegur 2 has been linked to online forums used by a white supremacist group in the United States, Patriot Front, to sell counterfeit hormone drugs to trans women; to phishing sites posing as companies such as Amazon, Coinbase and Spotify to steal money and personal information from visitors; and to Russian influence campaigns intended to spread fake narratives to unsuspecting Americans. The Russian efforts, which the United States has linked to the administration of President Vladimir V. Putin, include more than 130 fake news outlets registered this year by a former deputy sheriff in Florida now living in Moscow, John Mark Dougan. Among Mr. Dougan’s latest efforts was a staged interview on the website for KBSF-TV in San Francisco — a channel that does not exist — making a bogus claim that Vice President Kamala Harris injured a girl in a hit-and-run accident in 2011." How can we give entities already undermining our national security an exception that would further damage our national security? Congress needs to investigate the current practice of ICANN and its contracted parties. 
#nationalsecurity #consumerharm #childsafety #fentanyl #illegaldrugs #phishing #icann #namecheap #godaddy #pir #isoc #tucows #donuts #icann
Dean Jones
Microsoft is grappling with multiple zero-day vulnerabilities in its software, which cybercriminals are currently exploiting. The attacks leverage flaws in Windows, Office, and related products to execute malicious code, steal data, or gain unauthorized access to systems. Despite Microsoft's efforts to issue patches, these vulnerabilities remain a significant threat due to the software's complexity and the attackers' persistence. The article emphasizes the need for organizations to stay vigilant, apply updates promptly, and consider advanced security measures, such as endpoint detection and response (EDR) tools, to mitigate the risks posed by these ongoing exploits. #ZeroTrust #CyberSecurity
3
Professor Tim Bates
Friends, 💡 Decentralized systems like DAOs, DLTs, and blockchain aren't just buzzwords—they are the future of building trust. Transparency. Accountability. Immutable records. These technologies are shifting us towards a new paradigm of Zero Trust architecture. 🛡️ Why? Because the truth is—none of us are infallible. From young hustlers to seasoned executives, we're all capable of crossing lines, especially when there’s millions at stake. Take this recent example of a Detroit nonprofit CFO who siphoned off $44 million over decades for personal luxuries. With open ledgers and decentralized technology, trust is no longer a handshake—it’s code. It’s time we stop relying on “trusted” individuals and start leveraging systems designed to be unbreakable. At the end of the day, it's not just about technology; it's about reshaping our world to be accountable by design. Are you ready to build a future where trust is earned through transparency? 🌐🔗 #Blockchain #DecentralizedFuture #DigitalTrust #ZeroTrust #Innovation #TechLeadership
7
Dean Jones
The recent discovery of Chinese cyber espionage group Volt Typhoon exploiting a zero-day vulnerability in Versa Networks' SD-WAN underscores the escalating threat of state-sponsored cyberattacks. This advanced persistent threat (APT) group targeted critical U.S. infrastructure, highlighting the global risk posed by such sophisticated cyber operations. Exploiting zero-day vulnerabilities in widely used technologies like SD-WAN has far-reaching implications, potentially impacting national security, economic stability, and global supply chains. As countries rely more on interconnected digital systems, the need for stronger international cooperation in cybersecurity defense, rapid vulnerability detection, and enhanced protocols to mitigate future threats becomes imperative. #ZeroTrustAdvocate
1
Yaniv Ozerzon
Relying Solely on the NVD or severity score? You Might Be Exposed

The National Vulnerability Database (NVD) has been facing serious delays this year. Budget cuts and a rising number of reported vulnerabilities have slowed NVD's ability to keep up. The result? Over 93% of new vulnerabilities are still waiting for analysis. This backlog means that if your security tools rely exclusively on the NVD for vulnerability data, you’re likely missing out on a significant portion of recent threats.

Even more concerning, attackers are adapting their tactics. Instead of focusing solely on high-severity vulnerabilities, they are now exploiting medium and low-severity issues, vulnerabilities that may not even be flagged yet by the NVD, which may leave you with a huge blind spot.

What should you do?
- Check your SCA tool: If your vulnerability management system depends entirely on the NVD, you're likely missing many recent vulnerabilities.
- Focus on exploitability: Don’t just prioritize critical vulnerabilities. Medium and low-severity vulnerabilities can be just as dangerous if they are easy for attackers to exploit.

Stay proactive. Stay protected. #FOSSAware #OpenSourceSecurity #VulnerabilityManagement #NVD #OpenSourceRisk
7
Tom Conkle
That was fast! Especially for government timelines. After announcing 48 CFR would be available for public comments just last week, it is out for public comments. This is the rule that will require the government to put a #CMMC in contracts if the contractor will process, store, or transmit CUI. Comments are due before October 15, 2024. On first read, it is what has been expected with no surprises. Some of the highlights:
- Requires CMMC Level to be identified in all solicitations (with a few exceptions) where FCI and/or CUI will be handled by the contractor
- Confirmed the phased rollout previously defined in the 32 CFR proposed rule
- Requires primes to confirm subcontractors, at all tiers, meet CMMC requirements
- Requires contractor to meet CMMC requirements prior to contract award
- Includes foreign suppliers
- Defines a minimal burden, approx. 15 minutes per system, to comply with the proposed rule as the technical requirements have already been addressed by the 32 CFR proposed rule

Time to dig deeper to see how it will affect DoD contracts. Did you see anything interesting in the proposed rule? https://lnkd.in/gq2TZVB9
81 Comment
Mike Shema
I have fun writing unique intros for every episode of Application Security Weekly. Here's what I crafted for episode 283. ---- What if #appsec wrote aviation safety scripts? Welcome to flight ASW 283. The captain has turned on the password strength sign, which means that your password must meet an annoying list of requirements as this flight is not equipped for passkeys. There are several emergency exits on this aircraft. Take a moment to locate the exit nearest you, keeping in mind that the default choice is probably insecure. If there is a loss of cabin pressure, memory safety masks will drop down. To start the flow of code, pull the mask towards you. To tighten the fit, address all the web app vulns that have nothing to do with unsafe memory. In the unlikely event of a water landing, check beneath your seat for a top 10 list of aquatic dangers. Thank you. And please use caution when opening overhead dependencies, as contents may have shifted maintainers. ---- Check out this episode at https://lnkd.in/gnTj6RYW To find more of these intros, check out https://lnkd.in/gMHi9QRk
6
Michael Argast
Love this perspective from Ross. SMBs are historically really underserved in security because of this problem. Innovation and market focus is nailed to large enterprise and heavily regulated companies. Solving security for SMB is also NOT simply a matter of selling a smaller/less expensive version of your enterprise solution. The resource constraints of SMB drive a need for a designed for SMB approach. It’s a labour of love, but we’re making solid progress tackling this problem at Kobalt.io but we have a lot of SMBs out there still to help.
2
Jason R... Weiss
For those waiting for the FAR update regarding #ssdf attestations... The latest Open FAR Cases report shows on May 30th Case Number 2023-002, Supply Chain Software Security, that OMB identified draft proposed FAR rule issues. OFPP, FAR and DAR staff are now working to resolve those issues. It is my understanding that this work remains opaque, and that there was no public disclosure of precisely what issues OMB identified with the proposed FAR rules relating to supply chain software security.

Regardless of the status of Case 2023-002, the GSA is now requiring #ssdf attestations for anything it buys that contains software as of this past Monday morning when the government opened for business. GSA quietly updated GSA Form 7700 last month to take advantage of the CISA standard form's disclosure that "Agency-specific instructions may be provided to the software producer outside of this common form." GSA Form 7700 has two checkboxes on page 3:
Option 1: Submit the attestation online at the Cybersecurity and Infrastructure Security Agency Repository for Software Attestations and Artifacts (RSAA) portal.
Option 2: Only use GSA Form 7700 and submit it to a GSA-specific email account.

What this means to me is that if Option 1 is checked then Form 7700 is effectively a trigger mechanism for GSA to go look up an existing attestation in RSAA. However, if Option 2 is checked, it would be interesting to know if GSA is taking that PDF and entering it into RSAA on behalf of the vendor. Option 2 also implies that a vendor may not have to attest multiple times for the same software product/version, but seemingly will have to submit multiple disparate forms to each part of the government. As we continue to see discussion about harmonizing #cybersecurity regulations, this is a great example where the government could have simply mandated using CISA RSAA.

Instead, vendors will find themselves having to report using GSA Form 7700 for something through a GSA contract vehicle, and speculatively, a different form through NASA SEWP, and a different form for Dept of State, and a different form for.... https://lnkd.in/eEDA-S8F If you haven't started to get serious about #software provenance ahead of the all-of-government mandate coming in September, now is a great time to start evaluating your #devsecops policies and procedures!
301 Comment
Mark Kraynak
(I wanted to comment but my thoughts were too long for a comment) First off, a disclaimer: I’m a VC and invested in Radiant Security. Second disclaimer is that years ago I gave up trying to understand how industry terms get chosen. I agree that AI SOC seems to be a distorted shortening of AI SOC Analyst or AI SOC Investigation. The best I can do by way of explanation is that people like short names for things? What I really want to talk about is that I took a different framing when looking at Radiant than how you’re looking at it. I wasn’t thinking about how one could reinvent the entire function of the SOC. I do agree the market is kind of pulling solutions towards that, but I also think there's going to be a strong push to decentralization of the functions in the graphic because of the scale/gravity of the data problem it represents (but that's a different debate). What I was thinking about was the fact that I don’t believe we can fill the “security skills gap” with people…it’s just too big. So I reframed the question from “skills gap” to “productivity gap” in my head. With that framing, it led me to the problem that SOC analyst investigations are one of the biggest time sucks in the security function. It takes hours to days per incident for investigation, and to be honest I only say hours to cover my ass, it usually takes days. (Side note: evaluating and closing out various vulnerability and configuration findings is another big time suck). With that in mind, I think a lot of organizations have relatively mature data pipeline functions for their security event data. I think the best incremental value probably isn’t reinventing that pipeline but making better use of it as above. If you go down market where that mature data pipeline statement is not true, Radiant and others have answers that can make a midmarket company pretty successful.
19
Cole Grolmus
The Alphabet-Wiz deal would have the highest revenue multiple in the history of large cybersecurity M&A... ...but it's not entirely in a class of its own. Wiz would fall somewhere between a 45-65x multiple on current revenue (current revenue is estimated, most recent disclosure was $350M). There's one other cybersecurity transaction with a pretty similar profile: Okta's acquisition of Auth0 in 2021. The Okta-Auth0 deal had a 42.7x revenue multiple, which is easily the highest among large ($2.5B+) cybersecurity acquisitions that have actually closed. Auth0 was a clear leader in the Customer Identity (CIAM) market, which Okta estimates to have a $30B TAM. Leading the CIAM market was one of their highest strategic priorities — so they paid a 42.7x multiple to buy the emerging market leader. Sound familiar? Leading the cloud security market is one of Alphabet's highest strategic priorities — so they're willing to pay a 45x+ multiple to buy the emerging market leader. --- Situations like this are similar to CrowdStrike or Okta being taken off the board right before they went public. That didn't happen, obviously — but Wiz is the closest example we have in the industry today. Alphabet is betting they are acquiring a future CrowdStrike or Okta, and they know it takes a heavy premium to do it.
15524 Comments
Ian R.
I BUILT A TIME MACHINE...OUT OF CODE?! (The Power of SBOMs) The SBOM is critical for securing the software supply chain behind government and critical infrastructure systems. Standards for #SBOM data are improving, and #CISA provides clear requirements for different development stages. Acting like a complete list of ingredients, SBOMs detail every software component used in a product, including its origin, version, and potential security weaknesses. Experts predict a rise in SBOM usage, particularly for safety-critical systems with AI. However, evolving #opensource licensing and difficulty finding compliant vendors may slow down wider adoption by government agencies. Strengthen your software security posture with Root streamlined reporting and monitoring. This enables you to effortlessly exceed customer expectations and ensure seamless compliance with #vulnerability management SLAs.
866 Comments