Sunday, December 29, 2024

Computer Software: This is one of the most impactful of the industry sectors. The products in the high-tech industry serve a variety of users, so a vulnerability or defect in one can impact many users. For example, on July 19th, 2024, CrowdStrike released a faulty software update that caused a widespread outage, which resulted in a five-hundred-million-dollar loss for a single airline. The use of open-source libraries and third-party dependencies only exacerbates the risks. Enforcing in-depth privilege management across Windows, Linux and macOS, each with its own security model, only adds to the challenges. While privilege escalation is slightly lower than in previous years, inconsistent security checks are pervasive in this sector, so the security experts recommend ensuring that access is limited to necessary resources on a least-privilege basis and granted only to specific roles. This should be paired with an intrusion detection system or intrusion prevention system using alerts and actions. All components of the software products must be regularly patched.

Internet and online services: This sector is similar to the computer software sector except that updates and releases occur at a faster rate than anywhere else. The push to scale quickly and roll out new features makes it tough to enforce strict access controls consistently, and the speed of innovation allows vulnerabilities to slip through. The recommendations from the security experts call for improved authentication mechanisms such as MFA and re-authentication, in addition to the least-privilege RBAC authorization methods described earlier.

Crypto and Blockchain: Organizations in this sector stand out as outliers because of their unique offerings and operations. While they build rigorous security practices from the start, they tend to overlook the business logic discrepancies that lay waste to the security mechanisms in place. The rate of business logic errors in this sector is the highest across industry sectors. When business models become complex, it becomes tough to eliminate edge cases or unintended uses. For example, smart contracts, which run on a blockchain and execute automatically, are immutable once deployed, which also implies that certain errors cannot be undone. Since such errors cause financial loss, they are prime targets for bug bounty hunters. The recommendations from security experts include test-driven development of business logic, integration testing to cover various scenarios and edge cases, and authorization of business logic on a least-privilege basis.

Travel and Hospitality: This industry relies heavily on marketing and often works in partnership with other agencies that require OAuth redirects and referrals. Attackers may exploit open redirect vulnerabilities by tampering with the links to lead users to malicious sites. The exploitation can work its way from the least secured sites to the highly privileged ones via the referrals and integrations that are the de facto norm in this sector. The recommendations from the security experts include providing clear warnings for all redirects, notifying users on exit from and entry to a site, sanitizing user inputs, and allow listing based on client IPs or other user-side information.
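An added example, not part of the original article: a server-side check for the redirect handling recommended above. It goes beyond the text by allow listing destination hosts and routing partner links through a warning page; the host names, the `/leaving` interstitial path and the function name are assumptions.

```python
from urllib.parse import quote, urlsplit

SITE_HOST = "booking.example"                        # assumed: our own site
PARTNER_HOSTS = {"airline.example", "cars.example"}  # assumed partner allow list
FALLBACK = "/"                                       # where rejected targets land


def classify_redirect(target: str) -> tuple[str, str]:
    """Return (decision, location) for a user-supplied redirect target.

    decision is "direct" (same site), "interstitial" (allowed partner, shown
    behind an exit warning) or "reject" (sent to FALLBACK).
    """
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so a
    # target containing them is rejected rather than repaired.
    if not target or target != target.strip():
        return ("reject", FALLBACK)
    if any(c in target for c in "\\\r\n\t"):
        return ("reject", FALLBACK)
    try:
        parts = urlsplit(target)
    except ValueError:
        return ("reject", FALLBACK)

    # Relative target: only a path on this site. "//host/path" is
    # scheme-relative and leaves the site, so it is not a local path.
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return ("direct", target)
        return ("reject", FALLBACK)

    if parts.scheme != "https":
        return ("reject", FALLBACK)       # javascript:, data:, http:, ...
    # "https://partner@other-host/" shows the partner name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return ("reject", FALLBACK)

    host = (parts.hostname or "").lower()  # hostname excludes port and userinfo
    if host == SITE_HOST:
        return ("direct", target)
    if host in PARTNER_HOSTS:              # exact match, not a suffix match
        # The interstitial page warns the user that they are leaving the site.
        return ("interstitial", "/leaving?to=" + quote(target, safe=""))
    return ("reject", FALLBACK)
```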

Across these sectors and the industry sectors in the earlier article, organizations spend a lot of their budget on known vulnerability types, including insecure direct object reference vulnerabilities that have the potential for unauthorized access, modification, or deletion of sensitive information. The security expert community recommends that organizations monitor report volume, payout levels, and researcher feedback to adjust budgets over time as their security programs evolve.

Reference: previous article.

#codingexercise: CodingExercise-12-29-2024.docx


Saturday, December 28, 2024

This is a summary of the book titled “Reaching for the stars” written by Jose M Fernandez and published by Center Street in 2012. This is an inspiring story of a migrant farm worker’s son turned NASA astronaut. As he recounts, his hardworking family kept him focused on education and his future. He calls his parents role models and put to best use their belief that he belonged in school and not on the farm. He earned his engineering degrees and worked at the prestigious Lawrence Livermore Labs, the US Department of Energy, and then NASA. On his journey, he had to surmount several rejections and prejudice. His heartwarming book is an illustration of the American dream come true.

José Hernández, born in 1962, is inspired by his immigrant parents, Salvador and his friend, who were both undocumented migrant farmworkers in the San Joaquin Valley in California. Salvador's father, Salvador, had many dreams and goals at a young age, but he never reached third grade. At 15, Salvador and his friend traveled to the United States with a friend, where they worked as undocumented migrant farmworkers. Hernández's youngest child, José M., was born in August 1962.

Hernández's father insisted that everyone in the world is the same, and he focused on his studies, learning math and watching Star Trek. His family's financial struggles led him to pursue his dream of becoming an astronaut, inspired by the first moon landing and the final Apollo mission, Apollo 17. Hernández's parents' resilience and determination inspired him to pursue his dreams and make a difference in the world.

As a poor and brown student from Mexico, he was influenced by his parents' belief in the importance of education for his future. His parents, Salvador and his wife, believed that their children should be in school rather than working in the fields. Hernández's parents made hard choices without knowing if their children would seize the opportunities available. Eventually, he entered middle school and made friends in a rough neighborhood. By 1980, he was ready to graduate and move on to university. He heard about Dr. Franklin Chang Díaz, a poor boy from Costa Rica who studied engineering at MIT and became NASA's first Latino astronaut candidate. With the help of a teacher, Hernández received a scholarship to study engineering at the University of the Pacific. He worked multiple jobs throughout college, believing education was the path to his future. Hernández applied for an internship at the Lawrence Livermore National Laboratory, which offered him a job through a program for minority students funded by the Office of Equal Opportunity.

Hernández graduated from the University of the Pacific in 1985 and began his career at the Lawrence Livermore National Laboratory in Livermore, California. He worked on a nuclear X-ray laser project as part of President Ronald Reagan's Strategic Defense Initiative. After the Soviet Union's end in 1991, Hernández applied to become an astronaut but was initially rejected. However, he fell in love with a woman he would marry and pursued new opportunities.

NASA selected Hernández as an astronaut after the Columbia tragedy in 2003. Hernández joined the team providing technical support for the investigation into the tragedy. NASA began selecting new astronaut candidates again in fall 2003, and Hernández was accepted after a two-year training process. Astronaut training involves acquiring new skills, such as survival underwater, co-piloting T-34C airplanes, and studying the space shuttle's systems in classrooms and simulators.

He achieved his lifelong dream of launching a space shuttle in 2009. Despite facing challenges due to weather conditions, the flight was launched without incident. Hernández installed computers, helped inspect the thermal protection system on the wings, and docked with the International Space Station (ISS). He hoped his story would inspire others to leave their own footprints and reach their own stars. After completing systems tests and preparations, Hernández's team returned to Earth, despite an extra day due to bad weather at the Kennedy Space Center. The view from space was spectacular, and on day 15, the shuttle burst through clouds at 26,000 feet, landing with the astronauts applauding.

#Codingexercise Codingexercise-12-28-2024.docx


Friday, December 27, 2024

 

Breaches in software security that exploit vulnerabilities have nearly doubled from the previous year. The defense-in-depth strategy discussed in this article series is the preferred path to stronger security. These are some of the security and vulnerability assessments across specific industries:

1. Financial Services: This is one of the most targeted and regulated sectors. Standards like GDPR and PCI-DSS incentivize researchers to flag potential issues, which leads to a high number of vulnerability report filings. Since the assets in this sector are usually complex, multi-layered applications that manage PII data, the most prevalent vulnerabilities reported are insecure direct object reference (IDOR) vulnerabilities, especially those that involve money transfers, where weak access controls heighten the risk of IDOR exploits. Incorrect configuration and a high volume of sensitive data handling are the main culprits. The recommendations from security experts, therefore, include proper authorization, avoiding functions that automatically bind a client’s input into variables, objects, or properties, and instead mapping random unique customer-facing identifiers to hidden actual objects on the server side.

2. Government: Government agencies encounter a much higher rate of XSS vulnerability reports than the industry average, which is likely due to numerous, often legacy and sprawling web environments with inconsistent security practices, making some more vulnerable than others. The slower pace of updates in government IT further increases their exposure and risks. The recommendations from security experts are in line with these characteristics and include treating all input as malicious, encoding output according to its context, and implementing a content security policy to restrict the sources of executable scripts and limit the potential of XSS attacks.

3. Telecoms: These organizations manage vast networks with millions of subscribers, both individuals and enterprises, and their devices. Improper authentication methods due to misconfigurations and complex infrastructure plague this sector. Outdated systems and encryption standards affect APIs and UIs. The recommendation from security experts is to use robust and secure authentication methods such as strong passwords, MFA, secure storage, and account lockout mechanisms, to manage session and authentication tokens by generating random ones, to implement proper session expirations, and to avoid disclosure of sensitive information in API and UI responses, errors, and logs.

4. Retail and E-commerce: Cybercrime is the primary manifestation of security vulnerabilities in this sector, which gets the most information disclosure vulnerabilities reported among all sectors. Due to the vast amounts of sensitive data handled, dynamic websites and applications, and flawed data management practices, the number of end-users affected runs into thousands. The recommendation from security experts is to avoid exposing unnecessary data and to ensure that sensitive data is protected both at rest and in transit. Users and processes must be granted access following the principle of least privilege.

5. Transportation: Many transportation organizations rely on legacy systems developed before modern security practices became widespread. So, they display most of the OWASP Top 10 vulnerabilities, including improper input validation and SQL injection. The functionalities of booking, navigation, and maintenance are poorly integrated, often with third-party vendors. Therefore, security hardening is inconsistent. The recommendations from security experts are to implement prepared statements in SQL with parameterized queries, validate all user input, and implement web application firewalls to detect and block these injection attacks.

6. Media and Entertainment: These organizations encounter the highest number of reports for misconfigurations. Since this industry requires content to be shared and made available worldwide, it relies on CDNs and streaming platforms to distribute this content. Improper security settings and access control compromise their content, which is produced at a fast rate. The recommendation from security experts is to implement automated configuration management tools, create standardized patterns across content types, regularly perform security audits, and implement least-privilege policies.
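An added example, not part of the original article, for the Financial Services and Transportation recommendations above: random customer-facing handles mapped server-side to account rows, an explicit field allow list instead of automatic binding, an ownership check, and parameterized SQL. The schema, user names and function names are assumptions, and Python's `sqlite3` stands in for the real database.

```python
import secrets
import sqlite3

ALLOWED_FIELDS = {"from", "to", "amount_cents"}  # explicit allow list, no auto-binding


def setup() -> sqlite3.Connection:
    """Constructed sample data: two accounts with internal numeric ids."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance_cents INTEGER);
        CREATE TABLE handles(handle TEXT PRIMARY KEY, issued_to TEXT, account_id INTEGER);
        INSERT INTO accounts VALUES (1001, 'alice', 50000), (1002, 'bob', 20000);
    """)
    return conn


def issue_handle(conn, user: str, account_id: int) -> str:
    """Give `user` an unguessable reference to an account (own account or payee)."""
    handle = secrets.token_urlsafe(16)
    conn.execute("INSERT INTO handles VALUES (?, ?, ?)", (handle, user, account_id))
    return handle


def resolve(conn, user: str, handle):
    """Map a handle back to the hidden account id, only for the user it was issued to."""
    if not isinstance(handle, str):
        return None
    row = conn.execute(
        "SELECT account_id FROM handles WHERE handle = ? AND issued_to = ?",
        (handle, user),  # bound parameters: the value is data, never SQL text
    ).fetchone()
    return row[0] if row else None


def balance(conn, account_id: int) -> int:
    return conn.execute(
        "SELECT balance_cents FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()[0]


def transfer(conn, user: str, request: dict) -> str:
    """Handle a transfer request for the authenticated session user `user`."""
    if set(request) - ALLOWED_FIELDS:
        return "rejected: unexpected field"
    amount = request.get("amount_cents")
    if type(amount) is not int or amount <= 0:
        return "rejected: bad amount"
    src = resolve(conn, user, request.get("from"))
    dst = resolve(conn, user, request.get("to"))
    if src is None or dst is None or src == dst:
        return "rejected: unknown account"
    with conn:  # one transaction for both updates
        # Authorization is enforced in the statement itself: holding a handle
        # is not enough, the source account must belong to the session user.
        cur = conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents - ? "
            "WHERE id = ? AND owner = ? AND balance_cents >= ?",
            (amount, src, user, amount),
        )
        if cur.rowcount != 1:
            return "rejected: not authorized"
        conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents + ? WHERE id = ?",
            (amount, dst),
        )
    return "ok"
```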

Reference: Previous articles

#codingexercise: CodingExercise-12-27-2024.docx

Thursday, December 26, 2024

In the previous articles on AI security and safety and organizations' efforts for AI Red Teaming, the defense-in-depth strategy was discussed from the organization’s perspective. It is also important to gather the perspectives of external security researchers, as shared by them in online publications and company-disclosed feedback. Security research is a full-time career and one that requires constant upskilling. Many researchers spend twenty hours a week hacking. While earning money is a key motivator, hacking itself helps them both to improve and to advance their careers. It is important to highlight the security researcher community’s commitment to making a positive impact on organizations and end-users.

Initially most hacking activity focused on web applications as fortified by the development of OWASP Top 10 list, but the landscape is shifting to more products and technologies including chatbots. As more security researchers include AI products in their testing, they still need to prioritize their picks within the emerging products. About 88% of security researchers are targeting web applications, more than half target web APIs, and about a third target mobile applications. These numbers give an indication for the requirement and current participation in emerging applications with AI models.

Security researchers excel in reconnaissance and manual exploitation that automated scanners can’t match. As they uncover an unsecured or overlooked domain, spot a unique vulnerability from an outsider’s view, or perform exploit chaining where initial gains can lead to significant breaches, they are blending their strengths with GenAI for high-impact exploits. For example, security researchers are using GenAI to close the gap between the discovery of an exploit and a detailed, higher-quality report of the same.

The trouble with scanners is that there are a lot of false positives and noise, but a report filed by a security researcher gets attention because of its information and context, and organizations strive to provide a response following an expected timeline for acknowledgement, triage, and resolution. The stronger the relationship is between the organization and the security researchers, the more impactful the program becomes. Responding promptly to security researchers, with respect and professionalism even when a report is invalid or a duplicate, encourages this ongoing collaboration. Bounties top the list of what draws them in, and low bounties often discourage them. As they juggle the companies that they work with, excellent communication and safe harbor legal protections retain them.

Researchers often talk about the bounty table, but they invest in programs that give back to them in the way the organizations communicate and the time to fix. Beyond this, they value strong relationships with security teams and are discouraged by negative peer reviews. This underscores how significant the perception is for attracting security researchers for an organization to scale a program effectively.


Wednesday, December 25, 2024

 

AI for security

The ways in which AI is used for security research and vulnerability management depend as much on human expertise as on the risk management in AI deployments and keeping it trustworthy for everyone. As the industry struggles to catch up with AI improvements, AI-based tools are often pitted against one another, which is showing a significant number of defects and bringing into question the quality of the tools. LLM-as-a-judge is one such example used to evaluate AI models for security. Among the risks faced by organizations, the most notable ones are GenAI, supply chain/third parties, phishing, exploited vulnerabilities, insider threat, and nation-state actors, in that order. While there is growing confidence in managing risks in AI deployments, the listing of GenAI as a top concern reflects the widespread use of GenAI. There are no standards, but there is a growing perception that AI legislation will help enhance safety and security. Most organizations are already reaping benefits of GenAI in their operations, so the ability to defend against AI threats is catching up. In the high-tech sector, there is a deep understanding of the challenges in securing this emerging technology, while in other industry sectors there is more concern for the reputational risks of AI.

Safety and security flaws in AI products are being addressed with a practice called AI Red Teaming, where organizations invite security researchers for an external, unbiased review. This is highly effective, and the benefits of cross-company expertise are valuable. The AI assets inventory must be actively managed to make the most use of this best practice. Organizations that are engaged in AI Red Teaming have discovered a common pattern in the vulnerabilities in AI applications, with a simple majority of those falling under AI safety defects. The remainder comprises business logic errors, prompt injection, training data poisoning and sensitive information disclosure. Unlike traditional security vulnerabilities, these defects are rather difficult to gate at reporting time and present a different risk profile. This might explain why the AI safety defect category is dominating the other categories.

Companies without AI and automation face longer response times and higher breach costs. Copilots have gained popularity among security engineers across the board for the wealth of information at their fingertips. Agents, monitors, alerts, and dashboards are being sought after by those savvy to leverage automation and continuous monitoring. Budgets for AI projects including security are blooming as specific investments become deeper while others are being pulled back after less successful ventures or initial experiments.

AI powered vulnerability scanners, for example, quickly identify potential weak points in a system and AI is also helpful for reporting. There is a lot of time saved by AI from streamlining processes and report writing. All the details are still included, the tone is appropriate, and the review is often easy. This allows security experts to focus on more complex and nuanced aspects of security testing.

#codingexercise: CodingExercise-12-25-2024.docx


Tuesday, December 24, 2024

 The best security programs are built around a defense-in-depth strategy. In order to continually strengthen every layer of their security posture, organizations must ensure continuous vulnerability detection throughout the SDLC, maximizing coverage from the earliest stages of development through deployment and beyond. The layered approach is not just helpful to visualize each step of the process but also stands out as a critical element on its own. Findings from one layer can inform and refine the effectiveness of the others. When put in a loop, insights become actionable for continuous vulnerability detection. An iterative process ensures that the security strategy is always evolving, becoming more robust and adaptive over time.

A vulnerability disclosure program is an effective response and is effective with rapid deployment. Source code review is helpful for code security and audit and must be continuously incorporated into automations and integrations. Programmatic on-demand penetration tests are helpful for pentest-as-a-service and go well with direct researcher access. Testing AI for safety and security can be achieved with AI Red Teaming and helps build intelligence and analytics. Time-bound offensive testing in the form of challenges goes well with payment management. Continuous offensive testing can be incorporated into bug bounty programs and followed up with enhanced security controls.

Everyone looks for a return while reducing risk, but scaling the security program across multiple lines of business is a challenge. Security is not a specialized discipline to be handled exclusively by a central security team, although earmarked efforts do help, but a culture to be fostered among everyone. Specific events like security assessments for product releases, bug bounty programs for continuous testing, and a mechanism for third-party security researchers to submit vulnerabilities help significantly with external engagements.

As with all tracking of defects, certain timeless principles hold true. Information workers must have the ability to log into a platform portal, receive a notification when a bug is reported, and take remedial actions that can be tracked. As long as there is workflow, and information workers can contribute to it, there is no point of failure, and the state progresses continuously on the work items. The capabilities of ITSM, ITBM, ITOM and CMDB are useful for security vulnerabilities as well. These acronyms denote the techniques for situations such as:

1. If you have a desired state you want to transition to, use a workflow.

2. If you have a problem, open a service ticket.

3. If you want orchestration and subscribe to events, use events monitoring and alerts.

4. If you want a logical model of inventory, use a configuration management database.

Lastly, training and self-paced learning programs, as well as campaigns during company events and executive endorsements, help as always.


Monday, December 23, 2024

This is a summary of the book titled “Superconvergence” written by Jamie Metzl and published by Hachette Book Group USA in 2024. The author is a biotech expert who explores the future with advances in biotechnology, genetics, and AI. He covers the gamut of healthcare, industries and private life and the hopes and threats that people can expect. He reminds us that the good of the people and the planet depends on how we embrace our responsibilities. The advances give us unprecedented power and we will use them to shape more sophisticated and personalized experiences for ourselves. Biotechnology will be indispensable for feeding the world. Even industrial farming will change. A global circular economy is emerging where we source our materials from plants and then recycle or reuse them. Among the threats, we can count DIY biohacking and antibiotic-resistant superbugs.

Advances in AI, genetics, and biotechnology are giving humanity "godlike" powers, transforming the relationship between humans and the biological world. Scientists have made progress in synthesizing life, with researchers collaborating across universities to synthesize 16 chromosomes found in baker's yeast and inserting these genes into living cells. They are also working on creating new amino acid sequences and implanting them into cells to produce new proteins. AI will reshape health care, providing more sophisticated, personalized prevention and treatment. In the future, healthcare practitioners, individuals, and AI systems will work together to improve health outcomes. AI tools will enable healthcare providers to offer individualized care based on patient's electronic health record and other health and biological data. AI systems could also suggest individualized medical treatments and health interventions, such as personalized medications and cancer vaccines. Expanding health care with AI could have significant positive effects on health and longevity, but it must be mitigated to avoid negative outcomes like privacy violations and false positives.

Biotechnology is set to become indispensable for feeding the world, as it has been used to genetically modify agricultural plants since ancient times. As the global population continues to grow, it is crucial to consider sustainable agriculture methods that use less land. Researchers predict that consumption of domesticated crops will rise 50% by 2050, requiring the conversion of vast stretches of wild areas into farmland, water use, and climate change impacts. Bioengineered crops, such as synthetic microbial soil communities, could help feed future humans while reducing dependence on chemical fertilizers. Industrial farming will need to be transformed to meet the growing demand for meat, as the consumption of land-based animals will rise from 340 billion kilograms to 460 to 570 billion tons by 2050. Alternative solutions include genetically engineered cows, salmon, pigs, and animals that can tolerate extreme temperatures. Lab-grown meat, created by scientist Mark Post, may not seem strange in the future, and companies are exploring innovative ways to grow cultivated meat scalably.

The future of sustainable grocery stores will likely see an increase in plant-based meat alternatives, reducing climate footprints and providing affordable nutrition. A global circular bioeconomy is emerging, where manufacturers source materials from plants and recycle or reuse them. This shift away from extractive capitalism towards a circular bioeconomy involves bioengineered plant materials, replacing fossil fuels and valuing waste products as raw materials. Investing in biotechnology can boost the global economy and help nations transition from fossil fuels to sustainable biofuels. Researchers are currently bioengineering biofuels through genetic engineering of plants, such as CelA, which facilitates the breakdown of plants into simple sugars. The UK government, China, India, and many African countries are developing strategies for the bioeconomy. However, mitigating potential risks and navigating challenges of embracing a new economic model is crucial.

The rapid development of biotech, genetics, and AI has the potential to make the world worse if not carefully managed. The rise of "do-it-yourself" biology and AI modeling tools has led to individuals sharing knowledge and tools, creating "biohacker spaces." Society must prepare for potential harms and mistakes, and a global effort is needed to minimize potential harms. The interconnectedness of all people and the health of our planet must be acknowledged. The OneShared.World movement, which promotes the democratic expression of common humanity, is a step in the right direction. Uniting humanity in the coming years is crucial.