So many of the conversations we have daily are about risk, and in particular which risks matter. This is a great representation to map that out visually. For more behind the chart, check out the blog post linked in Patrick's post - it's a great breakdown of the visualization.
In November, MITRE released the 2024 CWE Top 25 Most Dangerous Software Weaknesses list which inspired us to take a deeper look. We wondered, "Are the Top 25 CWEs truly the most dangerous software weaknesses in 2024?"
We calculated the total number of CVEs, the count of known exploited vulnerabilities (KEVs) using VulnCheck KEV, and a KEV-to-CVE ratio for each CWE in the chart below as the start of our research to help software developers and security teams gain a better understanding of which CWEs might pose the greatest threat.
The full research is available here:
https://lnkd.in/g5XtTUR6
#cybersecurity #infosecurity #riskmanagement #vulnerabilitymanagement
Interesting vulnerability ranking by MITRE.
Even more interesting is the fact that 8 out of the top 10 happen when developers try to reinvent the wheel. By that I mean, they don't use tried and safe languages/libraries that exist to abstract those things and make it basically impossible to introduce those types of vulnerabilities.
Seen over and over while doing code reviews.
An intriguing post from Patrick Garrity looking at the CWE Top 25 in light of KEV counts.
Some quick thoughts:
- Hey! Did you want ranks 26 to 40? Of course you do! Well, this year's On-the-Cusp list is now available! https://lnkd.in/e9HV_GTD
- Some CWEs that Patrick mentioned aren't in the list because they were folded into view 1003, e.g. CWE-122
- Super-high-level CWEs like CWE-284 (a top-level Pillar) were excluded entirely (note that CWE-284 is "Discouraged" for CWE mappings but it's on our watch list for demotion to "Prohibited" due to factors such as "Frequent Misuse")
- I suspect that some CWEs/vulns probably aren't easily detectable from an exploit perspective. For example, I wonder if the nature of CWE-352 can make it difficult to automatically distinguish malicious CSRF requests from regular, legitimate web requests.
- The Top 25 Methodology helps give context for some of the CWEs under discussion, including non-top-25 CWEs included in the VulnCheck analysis: https://lnkd.in/eVujr79c
- The Top 25 used a slightly different version of data than Patrick did; namely, we used updated mappings from many CVE CNAs, but NVD was not necessarily updated with those mappings; and we integrated mappings from multiple sources. (See Methodology.)
- For metrics geeks who wonder more about the role of raw CVE counts in influencing the list, see our discussion of other proposed metrics from 2022: https://lnkd.in/ebPvhuqD
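The two posts above describe a per-CWE calculation (CVE count, KEV count, KEV-to-CVE ratio) and the mapping details that change its result: CVE records carry CWE mappings from more than one source, some mapped CWEs are folded into their View-1003 parent (CWE-122 under CWE-787), and top-level Pillars such as CWE-284 are excluded. The script below is an added example, not VulnCheck's or MITRE's code. The CVE identifiers, KEV set, and the View-1003 / parent tables are constructed for illustration and are deliberately small; a real run would load the full View-1003 membership and the actual CVE and KEV feeds.

```python
"""KEV-to-CVE ratio per CWE with mapping normalisation (added example).

All data in this file is constructed for illustration; the View-1003 and
parent tables are a hypothetical slice of the real CWE hierarchy.
"""
from collections import defaultdict

# Hypothetical, truncated View-1003 membership. A mapped CWE that is not in
# the view is rolled up to its nearest ancestor that is (CWE-122 -> CWE-787),
# which is how the Top 25 methodology normalises mappings.
VIEW_1003 = {"CWE-787", "CWE-79", "CWE-89", "CWE-352", "CWE-20", "CWE-416", "CWE-78"}
PARENT = {"CWE-122": "CWE-787", "CWE-121": "CWE-787", "CWE-1284": "CWE-20"}
# Top-level Pillars are excluded from the ranking entirely.
EXCLUDED = {"CWE-284"}

# Constructed CVE records: {cve_id: {source: [cwe, ...]}}. The ids are
# placeholders, not real CVE numbers.
RECORDS = {
    "EX-001": {"cna": ["CWE-79"]},
    "EX-002": {"cna": ["CWE-79"], "nvd": ["CWE-79"]},
    "EX-003": {"cna": ["CWE-79"]},
    "EX-004": {"cna": ["CWE-79"]},
    "EX-005": {"cna": ["CWE-122"], "nvd": ["CWE-787"]},   # same CVE, two spellings
    "EX-006": {"cna": ["CWE-787"]},
    "EX-007": {"nvd": ["CWE-78"]},
    "EX-008": {"cna": ["CWE-284"]},                       # Pillar: dropped
    "EX-009": {"cna": ["CWE-352"]},
    "EX-010": {"cna": ["CWE-352"]},
    "EX-011": {"cna": ["CWE-1284"], "nvd": ["CWE-20"]},   # folds to CWE-20 once
}
# Constructed set of "known exploited" ids.
KEV = {"EX-004", "EX-005", "EX-006", "EX-007", "EX-008"}


def normalise(cwe):
    """Roll a mapped CWE up into the View-1003 set.

    Returns None when the CWE is an excluded Pillar, has no known parent, or
    the parent chain loops, so the caller can drop the mapping.
    """
    seen = set()
    while cwe not in VIEW_1003:
        if cwe in EXCLUDED or cwe in seen or cwe not in PARENT:
            return None
        seen.add(cwe)
        cwe = PARENT[cwe]
    return cwe


def cwe_stats(records, kev, sources=("cna", "nvd")):
    """Per-CWE CVE count, KEV count and KEV-to-CVE ratio.

    Mappings from every listed source are unioned after normalisation, and a
    CVE counts at most once per CWE, so EX-005 does not inflate CWE-787.
    """
    cves_by_cwe = defaultdict(set)
    for cve_id, mappings in records.items():
        for src in sources:
            for raw in mappings.get(src, []):
                cwe = normalise(raw)
                if cwe:
                    cves_by_cwe[cwe].add(cve_id)
    stats = {}
    for cwe, cves in cves_by_cwe.items():
        n = len(cves)
        k = len(cves & kev)
        stats[cwe] = {"cves": n, "kevs": k, "kev_ratio": k / n}
    return stats


def rank(stats, key):
    """CWE ids ordered by a metric, highest first; ties broken by id."""
    return sorted(stats, key=lambda c: (-stats[c][key], c))


if __name__ == "__main__":
    s = cwe_stats(RECORDS, KEV)
    print("by raw CVE count:  ", rank(s, "cves"))
    print("by KEV-to-CVE ratio:", rank(s, "kev_ratio"))
    for cwe in rank(s, "kev_ratio"):
        print(f"{cwe:8} cves={s[cwe]['cves']:2} kevs={s[cwe]['kevs']:2} "
              f"ratio={s[cwe]['kev_ratio']:.2f}")
```

With the constructed data, CWE-79 leads on raw CVE count but CWE-78 and CWE-787 lead on exploitation ratio, which is the kind of divergence the chart is meant to surface. Note that a ratio over a tiny denominator (one CVE, one KEV) ranks alongside a large, consistently exploited class; a real analysis should report the counts next to the ratio rather than rank on the ratio alone.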
Really insightful, and proof yet again that having some kind of structured analysis as part of your vulnerability program is key to making it cost effective.
Effective vulnerability management is easy. Just patch them all. That’s prohibitively expensive though so any team that is worth their cost has to get really good at prioritizing.
Very interesting intersection between these two datasets.
Now I have a rabbit hole to go down in the full research and further into each organization’s data collection methods for these datasets.
Serious question here:
How can we increase the number of breaches that get reported, explored, and detailed findings published so we can learn from them?
I was doing research for a previous assignment and the lack of transparency for a breach within my topic was mind-boggling.
Other companies in the same industry were likely hit with the same attacks because there were no details published about the attack vector.
Very insightful statistics about the correlation of CISA KEVs to MITRE CWE categories based on ground-truth evidence.
Thank you Patrick Garrity 👾🛹💙
The 3 most commonly used attack paths used by hackers are:
1. People
2. Software
3. Supply Chain
This data confirms that fact.
At OX Security, we're on a mission to exterminate the manual processes in AppSec that are eating away at our efficiency—much like locusts in a field! 🦗 Our latest research, presented at Black Hat 2024 by Eyal Paz and Liad Cohen, uncovers a swarm of hidden dangers: transitive vulnerabilities in software dependencies.
While developers often rely on standard outputs to spot vulnerabilities, our findings show that this is just scratching the surface.
Read our latest research report to see how we can protect our software fields from being overrun: https://lnkd.in/esSEiWFc
#AppSec #CyberSecurity #DevSecOps #BlackHat2024 #SoftwareSecurity #TransitiveLocusts
Takeaways from an interview with Gil Shwed, Founder and CEO of Check Point Software Technologies: The recent global IT outage underscores how dependent we are on software, and proves our need for rapid updates to combat vulnerabilities. #CyberSecurity #SoftwareUpdate #ITOutage
CVE-2024-24919: Act Now to Secure Your Systems 👩💻
💬🤔Have you heard about the recent vulnerabilities affecting Check Point Software gateways? In our new video, we dive into CVE-2024-24919, showing you how attackers could exploit this weakness and sharing essential steps to safeguard your systems. Let’s stay one step ahead together! 💻🔐
#VulnerabilityManagement #infosec #cybersecurity #exploit #CRAC