Eric Gallagher's Post

🔎 Things You Might Not Know About Supply Chain Visibility 🔎

In today's interconnected software landscape, visibility into your software supply chain is critical. Without transparency at every level, you could be exposed to vulnerabilities or even malicious code. Do you really know what's in your stack? 🤔

Here are some eye-opening facts:

📊 65% of organizations have limited or no visibility into their software supply chain, leaving them blind to potential security issues, outdated dependencies, or license compliance risks. (Source: Gartner Supply Chain Security Survey, 2023)

🚨 The average application contains 75% open-source code, and many of these components have hidden transitive dependencies. Without full transparency, you're exposed to risks in code you may not even know you're using. (Source: Synopsys Open Source Security & Risk Analysis Report, 2023)

🔐 High-profile supply chain attacks—like SolarWinds and Codecov—highlight the need for better visibility. 47% of organizations were impacted by these incidents, emphasizing the importance of tracking every element in your software pipeline. (Source: Sonatype State of the Software Supply Chain Report, 2023)

A proactive approach to supply chain visibility includes using a Software Bill of Materials (SBOM), dependency tracking tools, and continuous monitoring for vulnerabilities in both direct and transitive dependencies.

How confident are you in the visibility of your software supply chain? Share your thoughts or best practices in the comments below! 👇

#SupplyChainSecurity #DevSecOps #OpenSourceSecurity #SoftwareSecurity #CyberSecurity #SBOM #SupplyChainVisibility #SoftwareSupplyChain #OSS
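The post above names SBOMs and monitoring of transitive dependencies as the visibility controls; this added example (not part of the post) shows what that check looks like in practice: it walks a constructed CycloneDX-style SBOM from the root component, records the path that pulled each component in, cross-references a constructed advisory list, and separately flags components that the SBOM lists but that are not connected to the root at all, which is a sign of a stale SBOM rather than a safe component. All component names, versions and advisory ids are made up.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a fictional app (sample data, not a real project).
SBOM_JSON = """{
  "metadata": {"component": {"bom-ref": "app@1.0.0"}},
  "components": [
    {"bom-ref": "web-framework@3.2.0", "name": "web-framework", "version": "3.2.0"},
    {"bom-ref": "json-parser@1.4.1", "name": "json-parser", "version": "1.4.1"},
    {"bom-ref": "log-lib@2.14.1", "name": "log-lib", "version": "2.14.1"},
    {"bom-ref": "unused-tool@0.9.0", "name": "unused-tool", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "app@1.0.0", "dependsOn": ["web-framework@3.2.0"]},
    {"ref": "web-framework@3.2.0", "dependsOn": ["json-parser@1.4.1"]},
    {"ref": "json-parser@1.4.1", "dependsOn": ["log-lib@2.14.1"]},
    {"ref": "unused-tool@0.9.0", "dependsOn": ["log-lib@2.14.1"]}
  ]
}"""

# Constructed advisory list keyed by (name, version); ids are placeholders, not real CVEs.
ADVISORIES = {("log-lib", "2.14.1"): "ADV-PLACEHOLDER-1",
              ("unused-tool", "0.9.0"): "ADV-PLACEHOLDER-2"}


def reachable_paths(sbom):
    """Breadth-first walk from the root component; returns {bom-ref: shortest path
    from the root}, i.e. the chain of parents that pulled each component in."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in graph.get(cur, []):
            if child not in paths:  # first visit is the shortest path
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def find_exposed(sbom_text, advisories):
    """Returns (reachable, orphans). reachable: vulnerable components the root really
    depends on, with depth 1 = direct, >1 = transitive, plus the path that pulled them in.
    orphans: components listed in the SBOM but not connected to the root, which means
    the SBOM is stale or incomplete, not that the component is safe."""
    sbom = json.loads(sbom_text)
    paths = reachable_paths(sbom)
    reachable, orphans = [], []
    for comp in sbom["components"]:
        ref, advisory = comp["bom-ref"], advisories.get((comp["name"], comp["version"]))
        if ref not in paths:
            orphans.append({"ref": ref, "advisory": advisory})
        elif advisory:
            depth = len(paths[ref]) - 1
            reachable.append({"ref": ref, "advisory": advisory, "depth": depth,
                              "direct": depth == 1, "path": paths[ref]})
    return reachable, orphans
```

Run `find_exposed(SBOM_JSON, ADVISORIES)`: the vulnerable logging library is reported as a depth-3 transitive dependency with its full import chain, while the second advisory lands in the orphan list because the SBOM never ties that component to the application.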
More Relevant Posts
-
#NSA has released guidance around implementing #ZeroTrust for applications and workloads. What are the key takeaways for practitioners?

Although written for the US DoD and Defense Industrial Base (DIB), the maturity model in this document could be used by any organization that wants to improve their application security. Here are the key points in the guidance:

📌 Application Inventory: create a complete list of all the apps and workloads in your environment, to identify and prioritize the most critical
📌 Implement secure development practices to bake security into your software development lifecycle: code reviews, secure coding practices, and automated testing
📌 Evaluate the risks associated with the software you use, including third-party components and supply chain vulnerabilities
📌 Implement granular access controls based on the principle of least privilege and attribute-based access control (#ABAC - there it is again!)
📌 Set up automated monitoring and logging systems to detect and respond to suspicious activities or vulnerabilities in real time

The NSA guide covers these points and more, providing a comprehensive roadmap for organizations to mature their ZT capabilities step by step, from preparation to advanced levels.

I have heard a lot of vendor hype and practitioner skepticism about Zero Trust. It's becoming clearer that ZT is not a product, it's a way of going about #cybersecurity, and it's entirely feasible using a methodical approach.
-
Report: 95% of Organizations Face Severe Software Supply Chain Risk

OSC&R report reveals that 95% of organizations face high software supply chain risks. Despite advancements in application security programs, more work is needed to manage risks effectively.
-
The recent IT outage caused by a flawed software update from CrowdStrike has sent shockwaves through the cybersecurity landscape, affecting approximately 8.5 million Windows devices globally. This incident underscores a critical lesson for all organizations: The importance of rigorous system maintenance and quality assurance in product development and deployment processes.

When systems fail, as seen in this unprecedented outage, the repercussions can be monumental - not just for the affected companies but for the entire digital ecosystem. Microsoft has highlighted that this incident, now considered one of the largest cyber occurrences on record, serves as a stark reminder of the vulnerabilities inherent in our reliance on technology. The economic and operational impacts of such failures can be devastating, revealing the urgent need for organizations to prioritize robust QA practices and meticulous deployment strategies.

At BISTEC Global Services, we understand that maintaining system integrity is not merely a technical requirement; it is a business imperative. Our comprehensive approach to product development, quality assurance, and deployment ensures that systems are not only functional but resilient against potential disruptions. We employ best practices that include thorough testing and validation processes, proactive monitoring, and continuous improvement methodologies.

As organizations navigate the complexities of the digital landscape, it is crucial to partner with experts who can safeguard their operations against unforeseen challenges. If your organization seeks to enhance its system reliability and ensure smooth deployments, contact us at:
🌐: www.bistecglobal.com
📧: [email protected]
📞: +94 777 681 014

We are committed to providing the expertise and support necessary to keep your systems running smoothly and securely.

#crowdstrike #cybersecurity #itoutage #softwareupdate #qualityassurance #systemintegrity #digitalecosystem #techvulnerabilities #businesscontinuity #riskmanagement #techindustry #incidentresponse #systemreliability #cisa #microsoft #operationalimpact #cyberresilience #itmanagement #bistecglobal
-
Looking to elevate your business performance? My latest blog post explores ten essential tips for leveraging managed IT support to streamline operations, enhance security, and drive growth. From improving efficiency to reducing downtime, discover how strategic IT management can transform your organization. 🌟

Don't miss out on unlocking your business's full potential! 👉 Read more: https://lnkd.in/gY7gVStA

#ManagedIT #BusinessGrowth #ITSupport #CloudSecurity #Efficiency #CyberSecurity #TechTips #SmallBusiness #DigitalTransformation #ITManagement

For more information, reach out to https://lnkd.in/gJsQ5vuU.
-
10 Years of Open Source: Innovation, Risks, and the Battle for Supply Chain Security

🚀 Open-source software has become the backbone of modern innovation, driving technological advancements and enabling faster development at an unprecedented scale. With over 6.6 trillion downloads projected in 2024, ecosystems like npm and PyPI continue to dominate. However, this explosive growth comes with significant risks. As software supply chains expand, attackers are increasingly exploiting vulnerabilities in open-source dependencies, leading to a staggering 156% year-over-year rise in malicious packages. While innovation thrives, the cybersecurity threat landscape is becoming more perilous than ever.

📈 In the 10th annual State of the Software Supply Chain report, Sonatype highlighted a critical gap between open-source consumption and security practices. Despite safer alternatives being readily available, 80% of application dependencies remain outdated. Shockingly, vulnerabilities like Log4j continue to go unpatched, with 13% of downloads still exposed years after the initial discovery. This complacency in updating software, coupled with the rise of sophisticated supply chain attacks, leaves enterprises highly vulnerable. The report emphasizes that while open-source is essential for innovation, poor dependency management can turn this powerful asset into a significant liability.

🛡️ As a cybersecurity professional, I believe it is crucial for organizations to adopt proactive and continuous security measures. Relying solely on reactive approaches leaves too many gaps, especially as next-generation supply chain attacks increasingly target developer environments. By integrating tools like Software Composition Analysis (SCA) directly into CI/CD pipelines, organizations can mitigate persistent risks through automated vulnerability detection and remediation. However, tools alone aren't enough—organizations must also foster a culture of security vigilance.

Prioritizing high-quality components, reducing reliance on outdated software, and implementing real-time security measures are essential. Without these steps, the cost of a breach could far outweigh the benefits of rapid innovation. It's no longer a matter of if, but when a vulnerable component will be exploited.

⚙️ Have you encountered challenges in managing open-source security risks in your development pipeline? What tools or practices do you rely on to secure your open-source dependencies? 🔄

https://lnkd.in/ghFQ-YEn

#opensource #supplychainrisk #softwareinnovation #cybersecurity #cyberriskmanagement
-
-
Don't Get Caught in the Chain Reaction: Securing Your Organization from Supply Chain Attacks

The world runs on software. From critical #infrastructure to everyday applications, software plays a vital role in every aspect of our lives. However, this reliance on software also creates a vulnerability: the software supply chain. #Cybercriminals are increasingly targeting these #supplychains to gain access to a wider range of systems and data.

Why Target the Supply Chain?
Think of the software supply chain like a series of interconnected links. A vulnerability in one link, like a widely used software library, can provide attackers with a backdoor into numerous downstream applications and systems. This approach allows them to compromise a vast network of users with a single exploit.

How to Protect Yourself:
#PatchManagement: Implement a rigorous patch management process to ensure all software is updated with the latest security patches promptly.
#Vulnerability Scanning: Regularly scan your systems and software for vulnerabilities and prioritize patching critical ones.
Vendor Risk Management: Evaluate the security practices of your software vendors and prioritize working with vendors who prioritize security.
Multi-Factor Authentication (#MFA): Implement MFA to add an extra layer of security beyond passwords and prevent unauthorized access even if attackers gain access to a single system.

Building a Secure Ecosystem:
The responsibility for securing the software supply chain is shared. Here's how different stakeholders can contribute:
Software Vendors: Vendors need to prioritize security throughout the software development lifecycle and implement secure coding practices.
Industry Collaboration: Collaboration between industry players is crucial for sharing threat intelligence and developing best practices for securing the software supply chain.

Supply chain attacks pose a significant threat, but by taking proactive measures and adopting a layered security approach, organizations can mitigate these risks. Let's work together to build a more secure software ecosystem for everyone.

#cybersecurity #supplychainattacks #softwaresecurity #infosec #securityawareness #baltimore #francisscottkey
-
🔍 Security Composition Analysis (SCA) Tip: Prioritize Open Source Risk Management! 🔍

Did you know? 🧑‍💻 Most modern applications are built using 60-80% open-source components! While open-source accelerates development, it can also introduce vulnerabilities if not managed properly.

🔑 Tip: Keep an "Ingredients List" for Your Software:
Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a Software Bill of Materials (SBOM), a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

Remember, keeping dependencies up to date is crucial for maintaining the security of your applications. 🚀

#AppSec #CyberSecurity #SCA #OpenSource #VulnerabilityManagement
-
My key takeaways from the "CrowdStrike incident"

• Software and Hardware Vendors have a high responsibility and should extensively test their products - both with automated tools and manually
• Vendors should do gradual releases of software updates, with live monitoring for issues and client-reported issues
• You don't release important updates on a Friday!
• Vendors should provide easy options or tools to control updates: delaying updates for X amount of days and completely disabling updates should always be available for IT admins
• Companies at large should have mechanisms to delay or manually approve updates for their entire IT infrastructure - unfortunately this is not always easy and is largely dependent on options provided (or not provided) by Vendors

Remember the 3 basic principles of Cybersecurity are Confidentiality, Integrity and Availability; in the quest to secure the systems we should pay attention to issues like this, which end up causing as much disruption as a major CyberAttack. We should also be aware that Cybersecurity is, in large part, a risk-management and balancing act between those 3 pillars.
-
🚀 New Guidance for a More Secure Tech Ecosystem 🚀

CISA and the FBI have released crucial "Secure by Design" guidance to help organizations ensure their software manufacturers prioritize security from the start. This new document is a game-changer, providing resources to assess if suppliers integrate security into their product development lifecycle.

🔍 Why It Matters:
✅ Focus on Product Security: While many compliance standards address enterprise security, few consider product security. This guidance bridges that gap by offering tools to evaluate how manufacturers secure their products against threats.
✅ Secure by Design Principles: Organizations can now leverage this guide to ensure suppliers follow secure design principles, enhancing overall tech ecosystem security.

🔐 Embrace this guidance to bolster your procurement process and ensure your software suppliers are as committed to security as you are. Read more about how this can impact your organization and procurement strategy!

💡 If you want to accelerate your process, we have just the tool to break down any software in minutes and give you a risk score. So that you can make the right enterprise decisions. If this interests you, just let us know. Otherwise, enjoy reviewing the document.

#CyberSecurity #SecureByDesign #CISA #FBI #TechSecurity #ProductSecurity #Compliance #RiskManagement