Latest news with #BlackDuck


Techday NZ
07-08-2025
- Business
- Techday NZ
Palo Alto Networks unveils Cortex Cloud ASPM to block app risks
Palo Alto Networks has introduced Cortex Cloud Application Security Posture Management (ASPM), a product designed to prevent security risks from impacting applications before they are deployed. The new Cortex Cloud ASPM module is positioned as a prevention-first solution, blocking vulnerabilities from reaching production environments. According to Palo Alto Networks, the product is intended to give security professionals and developers the ability to identify and address security risks in cloud and AI applications prior to deployment, streamlining the remediation process and reducing associated costs.

Prevention-focused approach

Cortex Cloud ASPM incorporates an open AppSec partner ecosystem, allowing organisations to aggregate data from various third-party code scanners within a central platform. This integration aims to improve security teams' visibility and enable them to work with their preferred development tools without disruption. Supported partner vendors include Black Duck, Checkmarx, GitLab, HashiCorp, Semgrep, Snyk, and Veracode.

This release builds upon the existing Cortex Cloud platform, which previously combined cloud native application protection platform (CNAPP) capabilities with cloud detection and response (CDR) for real-time threat management. Cortex Cloud as a whole is designed to provide protection across the entire application lifecycle, using data that spans code, cloud infrastructure, and security operations centres (SOC).

Detailing the organisation's vision, Sarit Tager, Vice President of Product Management at Palo Alto Networks, said: "As AI-generated code compresses application development from months to hours, security must evolve to protect the speed of innovation. Equipped with an industry-leading CNAPP, best-in-class CDR and now prevention-first ASPM, Cortex Cloud delivers the most comprehensive approach to cloud security and automatically stops risks before they reach production with end-to-end visibility across the entire application lifecycle."

The integration of ASPM into Cortex Cloud is intended to enhance existing security offerings, enabling organisations to implement preventive controls across development and production environments.

Key product features

Cortex Cloud ASPM offers several core benefits. The platform is designed to proactively stop risks from progressing into live production environments by enforcing targeted guardrails based on application and business context. A key feature is the correlation of findings from both native security controls and third-party scanning solutions, providing prioritisation of critical and exploitable risks without mandating changes to existing development tools.

Automation is another focus area for the product. The platform aims to minimise the need for manual remediation by automating security fixes, allowing both security and development teams to address vulnerabilities efficiently throughout the application lifecycle.

Industry perspective

Commenting on the challenges in application security, Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC, said: "Application risks reaching production remain a persistent challenge for security teams and continue to leave organisations exposed. As development speed accelerates, the challenge is not just identifying vulnerabilities but focusing on those that pose real risk. By connecting application security with the live threat landscape, Palo Alto Networks' Cortex Cloud ASPM can help organisations to stop threats faster and operate more efficiently."

Palo Alto Networks expects that the solution will allow organisations to streamline their approach to application security posture management, while accommodating the increasing pace of development associated with cloud and AI-driven applications.

Availability

Cortex Cloud ASPM is currently in early access, with general availability anticipated in the second half of 2025.


Techday NZ
07-08-2025
- Business
- Techday NZ
Palo Alto upgrades Cortex Cloud to tackle AI-driven code risks
Palo Alto Networks has launched a new capability aimed at securing applications developed with AI-generated code. The latest addition, part of the Cortex Cloud platform, addresses the growing issue of quality and security lapses introduced by AI in software development.

As organisations increasingly adopt AI-driven tools to speed up production, concerns are rising over poorly structured, insecure, or redundant code, sometimes described as "AI slop." These problems can result in application failures, unpredictable outages, and security vulnerabilities that are challenging to detect and resolve, particularly in cloud-native environments.

ASPM focus

The new module, Cortex Cloud Application Security Posture Management (ASPM), is described as a prevention-first solution, focusing on blocking security risks before deployment rather than remediating problems retrospectively. According to Palo Alto Networks, it automates the identification of potential risks and business impacts without disrupting development workflows, while prioritising serious security concerns over less significant issues.

The company also introduced an open AppSec partner ecosystem within Cortex Cloud ASPM, enabling organisations to unify data from prominent third-party application security scanners. Partners include Black Duck, Checkmarx, GitLab, HashiCorp, Semgrep, Snyk and Veracode. This consolidation aims to give security teams a clearer, more comprehensive overview of their code security postures by aggregating both native and third-party insights in a single platform. The integration is designed to avoid the need for developers to switch between tools during their work.

The new ASPM expansion builds on the February introduction of Cortex Cloud, a platform that merged Palo Alto Networks' cloud native application protection platform (CNAPP) and cloud detection and response (CDR) features. Customers using Cortex Cloud have access to AI-ready data spanning code repositories, cloud resources, and security operations centres, with the goal of unifying and streamlining security management.

Industry perspectives

"As AI-generated code compresses application development from months to hours, security must evolve to protect the speed of innovation. Equipped with an industry-leading CNAPP, best-in-class CDR, and now prevention-first ASPM, Cortex Cloud delivers the most comprehensive approach to cloud security and automatically stops risks before they reach production with end-to-end visibility across the entire application lifecycle," said Sarit Tager, Vice President of Product Management at Palo Alto Networks.

According to the company, key benefits of Cortex Cloud ASPM include proactive prevention of issues from reaching production, prioritisation of genuine risks by correlating findings across a range of scanners and platforms, and extensive automation to reduce manual intervention by security and development teams.

Application and software supply chain security is also a concern for industry analysts. Katie Norton, Research Manager for DevSecOps and Software Supply Chain Security at IDC, commented on the need for focused, efficient security amidst rapid development cycles. She stated, "Application risks reaching production remain a persistent challenge for security teams and continue to leave organizations exposed. As development speed accelerates, the challenge is not just identifying vulnerabilities but focusing on those that pose real risk. By connecting application security with the live threat landscape, Palo Alto Networks' Cortex Cloud ASPM can help organizations to stop threats faster and operate more efficiently."

Availability

Cortex Cloud ASPM is now in early access and is expected to become generally available in the second half of 2025. The company highlights the role of automated and context-aware security solutions as the pace of development increases and as AI continues to change software production practices within organisations.


Forbes
27-04-2025
- Forbes
Law Enforcement Can Break 77% Of 'Three Random Word' Passwords
Digital forensics researchers crack the majority of three random word passwords.

Update, April 27, 2025: This story, originally published April 26, has been updated with additional advice for securing your passwords from security experts as World Password Day 2025 fast approaches, along with information on replacing your passwords with passkeys.

Passwords. Hate them or hate them, they just won't die. Let's be honest, nobody loves passwords; at best, they are a necessary evil, at worst, the weak link through which criminal attackers and law enforcement can access your data. Despite the best efforts of major technology companies to replace them with passkeys, the humble password remains with us. Yet infostealer malware has compromised hundreds of millions of credentials, attackers continually find new ways to trick you into handing them over, and now even recommended methods of creating strong and secure passwords are being proven to be less than optimal in the face of new research. Here's what you need to know and do.

Over the years, there have been plenty of people trying to convince you that they know how to create perfect passwords. Most have been proven wrong. The use of 3,600 smiley face emojis was never going to solve the secure password problem, let's face it. As Akhil Mittal, senior security consulting manager at Black Duck, said, 'every few years, a so-called 'fix' for passwords emerges — longer passphrases, image-based logins and now emoji passwords.' In the real world, they all fall at the hurdle of predictability, reuse, and human error. But what about the secure password creation methods that are supported by the likes of the U.K. National Cyber Security Centre, for example? 'Combine three random words to create a password that's long enough and strong enough,' the NCSC said, the argument being that doing so will create passwords that are easy to remember but strong enough to keep the cybercriminals out.
That advice, it seems, is now shot to pieces by new research. Given that it is the likes of law enforcement and security agencies that have advised consumers to employ a secure password construction method of using three random words, perhaps it should come as no surprise that new research has found that these bodies can benefit from people doing just that.

The Optimizing Password Cracking for Digital Investigations report, authored by Mohamad Hachem, Adam Lanfranchi and Nathan Clarke from the University of Plymouth, along with Joakim Kavrestad from Jönköping University, has confirmed that 'up to 77.5% of passwords' created this way can be 'cracked using a 30% common-word dictionary subset.' The researchers explored ways to more efficiently crack passwords as part of digital forensics processes during criminal investigations, and determined that the traditional methods using brute-force, dictionary and rule-based attacks 'face challenges in balancing efficiency with increasing computational complexity.' The research they carried out sought to enhance the effectiveness of law enforcement password cracking using rule-based optimisation techniques while minimizing the resources consumed.

The researchers discovered that by using 'an optimized rule set that reduces computational iterations by approximately 40%,' they were able to significantly improve the speed at which passwords could be recovered. Furthermore, the results suggested that 'while three-word passwords provide improved memorability and usability, they remain vulnerable when common word combinations are used.' Whether you want to keep your passwords secure against 'the man' or the hordes of criminal attackers who want to compromise them, the question remains the same: what's the most secure method of creating a password?
Honestly, the three random words approach isn't all bad, and if you increase it to four or five random words, then those passwords will become increasingly more time-consuming and difficult to crack. They also become harder to remember, of course. Which is where the use of passphrases enters the equation. Instead of random words, create a passphrase that is memorable but long, and not obvious either. Most password managers will now create these passphrases for you. To be honest, though, if you are using a password manager, and you really should, then skip the passphrase and go straight for the stupidly long, random and complex password instead. I mean, you don't have to remember it, that's the job of your password manager application, so why worry about making something memorable? Better still, use a passkey. Your password manager can handle these for you as well, and they are way more secure than a lowly password.

I am reliably informed that Thursday, March 1, is World Password Day. This means that security experts are keen to share best password practices with as many people as they can. I'm not a great fan of these arbitrary days, which is why I provide my password advice all year round, but any opportunity to make people more secure is a good opportunity, so here's what they have been saying.

The security team at Fasthosts has urged businesses and individuals to prioritize password security by using strong passwords, but as I've already covered that, let's look at what else they recommended. Enabling two-factor authentication isn't, strictly speaking, a password recommendation, but rather a login protection one. Think of 2FA as being an extra layer using an additional means of verification beyond your password. That verification can be by way of a one-time code, preferably created by a dedicated app or hardware key rather than sent by the relatively insecure method of SMS text message, or even a push notification from the service you are logging into, sent to your smartphone.

Something that definitely is a password tip worth sharing is to use a password manager which, as I've said earlier, is the best way to create strong passwords, store them and then deploy them as required without involving any great usability stumbling block for the average user.

A Mastercard spokesperson, meanwhile, has recommended something that is straight from my own security advice playbook: use a passkey. 'Skip the hassle of remembering passwords by setting up payment passkeys,' Mastercard advised. Just like a password manager, these strengthen your security posture without adding usability hurdles; in fact, they make it easier to be more secure. 'Passkeys use the biometric authentication already on your device (like your face or fingerprint) to log in to a merchant profile,' Mastercard said. Passkeys are, essentially, strong by default, phishing and social-engineering resistant, as well as being effortless to both create and use. The only question you need to ask yourself is why you haven't replaced your passwords with passkeys yet?
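The arithmetic behind the article's "four or five words are harder to crack" point, and behind the 77.5% figure, is worth making concrete. The following is an added example, not code from the Plymouth/Jönköping paper, from Forbes, or from any password manager. It assumes a dictionary size of 7776 words and a guess rate of one billion guesses per second; both are placeholders, and the short word list is constructed only so the generator runs offline. Its point is that if users actually chose words uniformly, a 30% common-word subset would cover only 2.7% of three-word passphrases, so the reported 77.5% crack rate is a measure of how non-uniform human word choice is, not a weakness of the method itself when the words are drawn by a CSPRNG.

```python
import math
import secrets

# Constructed sample word list for demonstration only. A real generator
# should load a large curated list; the strength figures below depend on
# the dictionary size you pass in, not on this tiny sample.
SAMPLE_WORDS = [
    "orbit", "velvet", "canyon", "lantern", "pepper", "harbor", "meadow",
    "quartz", "timber", "saddle", "ember", "falcon", "glacier", "nickel",
    "pillow", "rocket",
]


def keyspace(dictionary_size: int, num_words: int) -> int:
    """Number of distinct passphrases when each word is drawn uniformly."""
    return dictionary_size ** num_words


def entropy_bits(dictionary_size: int, num_words: int) -> float:
    """Guessing entropy in bits for uniformly chosen words."""
    return num_words * math.log2(dictionary_size)


def uniform_coverage(subset_fraction: float, num_words: int) -> float:
    """Fraction of uniformly chosen passphrases built only from a subset of
    the dictionary (e.g. the 30% most common words). Comparing this with an
    observed crack rate shows how far real users are from uniform choice."""
    return subset_fraction ** num_words


def seconds_to_exhaust(dictionary_size: int, num_words: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at a given guess rate."""
    return keyspace(dictionary_size, num_words) / guesses_per_second


def generate_passphrase(words, num_words: int, separator: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice, so the
    entropy figures above actually hold for the generated passphrase."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    dictionary = 7776          # assumed dictionary size (placeholder)
    rate = 1e9                 # assumed guesses per second (placeholder)
    for n in (3, 4, 5):
        days = seconds_to_exhaust(dictionary, n, rate) / 86400
        print(f"{n} words: {entropy_bits(dictionary, n):.1f} bits, "
              f"{days:.1f} days to exhaust at {rate:.0e} guesses/s")
    # If words were chosen uniformly, a 30% common-word subset would cover
    # only this share of three-word passphrases; the paper's 77.5% figure
    # therefore reflects non-uniform human word choice.
    print(f"uniform coverage of a 30% subset, 3 words: "
          f"{uniform_coverage(0.3, 3):.1%}")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Run it as a script to see the three-, four- and five-word figures side by side; each additional word multiplies the worst-case cracking time by the dictionary size, which is why the article's advice to add words (or let a password manager generate a random passphrase) holds up.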


Forbes
09-04-2025
- Forbes
New WhatsApp Warning—Update Now To Fix Security Flaw
WhatsApp has issued a new warning to update now after fixing a flaw that could allow attackers to plant malware on your device. Tracked as CVE-2025-30401, the spoofing issue could see adversaries deploy malware via an attachment such as an image. The vulnerability, which affects WhatsApp for Windows Desktop prior to 2.2450.6, impacts users interacting with attachments sent through the platform.

The spoofing issue stems from a fundamental flaw in how WhatsApp for Windows processes file attachments. 'A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp,' WhatsApp owner Meta said in a security advisory.

WhatsApp has come under fire recently after adding an AI assistant to the app that can't be removed. The latest warning is a reminder to WhatsApp's billions of users that the app is increasingly targeted by cyber attackers keen to take advantage of its customer base. I contacted WhatsApp owner Meta for a statement and will update this article if the firm responds.

There's no doubt about it, the WhatsApp flaw is nasty, making it important you update as soon as you can. Adam Brown, managing security consultant at Black Duck, calls the new WhatsApp flaw 'a particularly nasty vulnerability for the everyday user.' The WhatsApp issue would allow a malicious program to easily be disguised as an attached image file, Brown says. 'When the user clicks on the attachment in WhatsApp Web for Windows, the program executes on their Windows machine. A malicious attachment could be used for data theft, running malware or spreading it, account and identity theft, or anything a nefarious actor chooses.'

Everyone should be careful when clicking on attachments — even from people they know — and Windows users of WhatsApp should be especially vigilant, says Brown. Windows WhatsApp users should upgrade to version 2.2450.6 or later to fix the issue.

The vulnerability must not be taken lightly and users should update their software to the newest version now, says Dr Martin Kraemer, security awareness advocate at KnowBe4. He advises people to be extremely careful when opening attachments or files. 'Think of WhatsApp the same way as email. You would not want to open an unexpected email attachment, especially not from someone you do not know. You also would not want to forward attachments that pose risks to friends or family. If in doubt, delete the message and file.'

So if you use WhatsApp on your Windows device, it's time to update it now. Meanwhile, always be careful what you click on, whether via WhatsApp, email, or another app, and only open images and files from people you trust.
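The advisory quoted above describes the bug only as a "maliciously crafted mismatch" that led the client to execute an attachment instead of displaying it. The following is an added, defensive example; it is not WhatsApp's code and does not claim to reproduce the fixed logic. It assumes the mismatch is between what an attachment claims to be (its file extension and the MIME type declared with it) and what its bytes actually are, and shows the cross-check a messaging client or mail gateway can apply before handing a file to the operating system: if the three disagree, or the content is an executable, treat the attachment as a generic file to be saved, never as an image to be opened. The signature table and sample byte strings are constructed for the example.

```python
import os

# Constructed signature table: leading bytes that identify a few common
# attachment types. Illustrative only; a production check would use a
# fuller table or a library such as libmagic.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXECUTABLE_SIGNATURES = {
    "application/x-msdownload": (b"MZ",),   # Windows PE (.exe, .dll, .scr)
    "application/x-elf": (b"\x7fELF",),     # Linux ELF binary
}
# Extensions the client is willing to render inline as images.
EXTENSION_TO_MIME = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}


def sniff_mime(data: bytes):
    """Identify content by its leading bytes; None if unrecognised."""
    for table in (IMAGE_SIGNATURES, EXECUTABLE_SIGNATURES):
        for mime, signatures in table.items():
            if any(data.startswith(sig) for sig in signatures):
                return mime
    return None


def check_attachment(filename: str, declared_mime: str, data: bytes) -> dict:
    """Cross-check the three things an attachment claims to be: the file
    extension, the MIME type declared by the sender, and the actual bytes.
    Returns a verdict plus the reasons it failed, so the caller can refuse
    to open the file inline and log why."""
    ext = os.path.splitext(filename.lower())[1]
    ext_mime = EXTENSION_TO_MIME.get(ext)
    sniffed = sniff_mime(data)
    reasons = []
    if ext_mime is None:
        reasons.append(f"extension {ext or '(none)'} is not an allowed image type")
    elif ext_mime != declared_mime:
        reasons.append(f"extension implies {ext_mime} but declared type is {declared_mime}")
    if sniffed in EXECUTABLE_SIGNATURES:
        reasons.append(f"content is an executable ({sniffed}), not an image")
    elif sniffed is None:
        reasons.append("content does not match any known image signature")
    elif sniffed != declared_mime:
        reasons.append(f"content is {sniffed} but declared type is {declared_mime}")
    return {"consistent": not reasons, "sniffed": sniffed, "reasons": reasons}


# Constructed sample payloads (not real files): a PNG header followed by
# filler, and a Windows PE header followed by filler.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PE_SAMPLE = b"MZ" + b"\x90\x00" * 8

if __name__ == "__main__":
    for name, mime, data in [
        ("holiday.png", "image/png", PNG_SAMPLE),   # genuine image
        ("holiday.png", "image/png", PE_SAMPLE),    # executable disguised as image
    ]:
        verdict = check_attachment(name, mime, data)
        action = "render inline" if verdict["consistent"] else "do NOT open; save as file and warn"
        print(f"{name} ({mime}): {action}; reasons={verdict['reasons']}")
```

The design point is that no single field is trusted: the extension and declared type come from the sender, so only the content signature is evidence, and even that is only used to decide whether rendering as an image is safe, never to decide that something should be executed.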