Latest news with #CommonVulnerabilityScoringSystem


Techday NZ
22-05-2025
- Business
- Techday NZ
Picus launches tool for real-time validation of exploitable risks
Picus Security has introduced a new capability designed to help security teams determine which vulnerabilities in their environments are actually exploitable. The new feature, called Picus Exposure Validation, uses real-time attack simulations to provide evidence-based assessments of vulnerability risks within a specific organisation's environment. This approach aims to address the challenge of large numbers of vulnerabilities that are often identified but not all requiring immediate attention or remediation.

With more than 40,000 new Common Vulnerabilities and Exposures (CVEs) disclosed in 2024 - with 61% ranked as high or critical - security teams often struggle to respond effectively, as traditional vulnerability management methods can lead to inefficient allocation of resources. Picus Security says the new capability assists security teams in distinguishing between vulnerabilities that can actually be exploited in their unique systems and those that can be safely deprioritised.

Traditional vulnerability management is typically driven by severity metrics such as Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS), which provide generalised risk indicators but may not account for an individual organisation's existing security controls and asset criticality. Picus Exposure Validation aims to fill this gap with the Picus Exposure Score, an evidence-based, context-aware metric intended to reflect actual risk, according to the company. The system continuously tests security controls using real-world attack techniques to determine whether known vulnerabilities can be exploited given the organisation's current defences. The findings are automatically updated and presented in transparent reports, enabling quicker and more confident decision-making in response to new security threats.

Volkan Ertürk, Co-Founder and Chief Technology Officer at Picus Security, commented: "The challenge today isn't finding vulnerabilities, it's knowing which ones matter in your unique environment. CVSS, EPSS and KEV offer theoretical risk signals. Picus Exposure Validation delivers proof by testing threats against your production defenses in real time. It replaces assumptions with evidence so security teams can focus on vulnerabilities that are actually exploitable."

Key features highlighted by the company include the ability for security teams to more accurately prioritise remediation work, safely deprioritise less urgent vulnerabilities, and reduce manual workloads through the use of automated validation processes. The solution is said to include tailored recommendations to quickly improve the effectiveness of security controls, offering an alternative when immediate patching is not feasible.

A global industrial firm reported that, upon deploying Picus Exposure Validation, it was able to reduce its list of critical patches by 85%. Based solely on CVSS ratings, 63% of the vulnerabilities in the organisation's systems were initially classified as critical. However, after applying Picus Exposure Validation, it was found that only 9% of those were truly high risk and required prioritisation. This reduction reportedly saved the organisation thousands of hours on patching activity and allowed the security team to focus resources more efficiently.

The company positions Picus Exposure Validation as a new methodology for combining data about vulnerabilities with automated attack simulation to create an organisation-specific analysis of exploitability. This approach, according to Picus, offers security teams a more focused view on where to deploy efforts for mitigation and remediation and thereby enables more effective closing of security gaps.
The Picus Exposure Validation feature is now available to organisations seeking enhanced vulnerability validation for their own environments.


Techday NZ
09-05-2025
- Business
- Techday NZ
Broadcom forces VMware clients to roll back crucial updates
Broadcom's recent changes to VMware licensing agreements are causing concern among IT professionals. Reports suggest that customers are being forced to roll back security updates, potentially exposing them to previously patched vulnerabilities.

In early May 2025, VMware's parent company Broadcom began issuing cease-and-desist letters to customers with perpetual licences whose customer support had expired. These letters, according to reports verified by Ars Technica and highlighted by Comparitech in an analysis, demand that customers remove all updates made after the end of their support contracts, under threat of audits and possible litigation. The only exception to this demand allows customers to retain updates addressing zero-day vulnerabilities, or those with a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher. All other security updates must be rolled back in compliance with Broadcom's current policy.

Network administrators and IT professionals have expressed alarm at this directive's potential security and operational ramifications. According to users active on technical forums, including Reddit's /r/sysadmin, affected companies are placed in a difficult position: either remove important updates and risk security lapses, switch to more expensive subscription packages, or face the possibility of legal actions. Comparitech's analysis described this as leaving companies in a "zero-sum game" that could jeopardise future business prospects and the security of sensitive data. "Broadcom has effectively created a zero-sum game in which many existing customers who were grandfathered in after it purchased VMWare must now make a choice that could cost them millions and risk not only the future of their company but also the secure data that they maintain," the analysis stated.

The policy has broader cybersecurity implications because rolling back updates reintroduces known vulnerabilities into network environments. These are security flaws that cybercriminals, including ransomware groups such as those behind the notorious WannaCry attacks, have previously exploited. "Update and security patch rollbacks are not benign. They reintroduce well-documented security flaws that cyber criminals have already learned to scan for and exploit," the analysis explained. The security concern is that ransomware gangs may target these known vulnerabilities, exploiting them to breach companies that had already patched the flaws. "Broadcom's efforts to force security rollbacks effectively threaten license holders with an order-of-magnitude increase in their risk of a data breach. While the company holding the license ultimately has the legal responsibility and business imperative to protect data, such actions on Broadcom's part raise serious ethical questions when businesses are forced to decrease protections and increase risk," Comparitech notes.

Beyond security, update rollbacks could negatively affect the stability of critical IT infrastructure. Many updates patch security holes and deliver performance improvements and compatibility enhancements. Reverting to previous software states may destabilise hypervisors, break integrations with backup or disaster recovery tools, and disrupt operations in environments where reliability is crucial. "When companies are forced to revert their systems to an earlier state, it can quickly destabilise hypervisors, completely invalidate integrations with backup or DR tooling, and painfully disrupt resource scheduling for virtual workloads," Comparitech warned. For organisations in sectors such as education, healthcare, and government, where large volumes of regulated personal or health information are managed, system failures and downtime can become significant operational and financial risks.

The sentiment among long-time VMware customers is described as betrayal and frustration. "This is like a mafioso shaking down a shopkeeper for protection money. I swear, if they won't be reasonable on my next phone call with them, then I will make it my mission — with God as my witness — to break the land speed record for fastest total datacenter migration to Hyper-V or Proxmox or whatever and shutting off ESXi forever. I'm THAT pissed off," one IT professional commented in April 2025 on /r/sysadmin.

Comparitech's analysis suggests that Broadcom's actions put companies in a position where expensive migration to alternative platforms or subscription services may be the only safe option. However, these can be lengthy and complex processes. Many organisations may face significant costs or risks during the transition, and some may be unprepared to switch off VMware infrastructure quickly. With Broadcom reportedly willing to take legal action against non-compliant customers, as seen in an ongoing case against Siemens, the only immediate recourse for affected companies is to fortify their IT security. Steps recommended include hardening network perimeters, isolating vulnerable systems, implementing strict access controls, enhancing monitoring and detection, regular vulnerability scanning, auditing backup systems, reducing internet-facing exposures, and establishing a rapid response plan during the migration period.

Broadcom completed its acquisition of VMware in 2023 and subsequently shifted VMware's licensing strategy. Perpetual licences for VMware products were discontinued, and new requirements pushed customers towards pricier, multi-year subscription models. In early 2024, the company also ended the availability of VMware's free ESXi hypervisor. It began restricting access to software downloads and binaries for customers without an active support-and-subscription agreement. "Broadcom's push to change VMware's licensing strategy was terrible from a customer service and customer satisfaction standpoint, but not immediately dangerous to customers and their data. However, the company's new efforts to strong-arm perpetual license holders into pricier subscription packages by canceling or failing to allow renewals of SnS agreements push its strategy into potentially unethical realms that endanger companies and their customers," Comparitech noted in its analysis.

Comparitech plans to continue monitoring ransomware attack trends to assess whether future incidents can be traced to systems exposed through the forced rollback of security updates under Broadcom's policy.


Scoop
24-04-2025
- Scoop
Only 18% Of Critical Vulnerabilities Truly Worth Prioritising According To Datadog Report
Press Release – Datadog

Datadog today released its new report, the State of DevSecOps 2025, which found that only a fraction of critical vulnerabilities are truly worth prioritising. To better understand the severity of a vulnerability, Datadog developed a prioritisation algorithm that factored in runtime context to its Common Vulnerability Scoring System (CVSS) base score. Adding in runtime context provided factors about a vulnerability—for example, whether the vulnerability was running in a production environment, or if the application in which the vulnerability was found was exposed to the internet—that CVSS did not take into account. This helped to reduce noise and identify the issues that are most urgent. After runtime context was applied, Datadog found that only 18% of vulnerabilities with a critical CVSS score—less than one in five—were still considered critical.

'The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren't necessarily all that severe,' said Andrew Krug, Head of Security Advocacy at Datadog. 'The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritising the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organisations' attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture.'

Another key finding from the report was that vulnerabilities are particularly prevalent among Java services, with 44% of applications containing a known-exploited vulnerability. The average number of applications with a known-exploited vulnerability among the other services in the report—Go, Python, .NET, PHP, Ruby and JavaScript—was only 2%. In addition to being more likely to contain high-impact vulnerabilities, Java applications are also patched more slowly than those from other programming ecosystems. The report found that applications from the Java-based Apache Maven ecosystem took 62 days on average for library fixes, compared to 46 days for those in the .NET-based ecosystem and 19 days for applications built using npm packages, which are JavaScript-based.

Other key findings from the report include:
- Attackers continue to target the software supply chain: Datadog's report identified thousands of malicious PyPI and npm libraries—some of these packages were malicious by nature and attempted to mimic a legitimate package (for instance, passports-js mimicking the legitimate passport library), a technique known as typosquatting. Others were active takeovers of popular, legitimate dependencies (such as Ultralytics, Solana and lottie-player). These techniques are used both by state-sponsored actors and cybercriminals.
- Credential management is improving, but slowly: One of the most common causes of data breaches is long-lived credentials. Last year, 63% of organisations used a form of long-lived credential at least once to authenticate GitHub Actions pipelines. This year, that number dropped to 58%, a positive sign that organisations are slowly improving their credential management processes.
- Outdated libraries are a challenge for all developers: Across all programming languages, dependencies are months behind their latest major update. And those that are less frequently deployed are more likely to be using out-of-date libraries—dependencies in services that are deployed less than once a month are 47% more outdated than those deployed daily. This is an issue for developers as outdated libraries can increase the likelihood that a dependency contains unpatched, exploitable vulnerabilities.

For the report, Datadog analysed tens of thousands of applications and container images within thousands of cloud environments in order to assess the types of risks defenders need to be aware of and what practices they can adopt to improve their security posture.


Techday NZ
24-04-2025
- Business
- Techday NZ
Datadog acquires Metaplane to boost AI & data observability
Datadog has published findings from its latest State of DevSecOps report and revealed the acquisition of data observability firm Metaplane.

The State of DevSecOps 2025 report details that Datadog developed a vulnerability prioritisation algorithm incorporating runtime context—measuring factors such as whether a vulnerability is present in a production environment or exposed to the internet. This additional context filtered out issues of less immediate concern, resulting in only 18% of vulnerabilities with a critical Common Vulnerability Scoring System (CVSS) rating being classified as truly critical.

Andrew Krug, Head of Security Advocacy at Datadog, commented: "The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren't necessarily all that severe. The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritising the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organisations' attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture."

One significant insight from the report is that Java applications have an especially high prevalence of known-exploited vulnerabilities, with 44% of Java services affected. In contrast, applications built with Go, Python, .NET, PHP, Ruby, and JavaScript collectively averaged only 2% of applications with such vulnerabilities. On patching speed, the report observed that Java-based Apache Maven ecosystems took an average of 62 days to implement library fixes, compared with 46 days for .NET-based ecosystems and 19 days for JavaScript-based npm packages.

The report also highlights ongoing risks to the software supply chain. The analysis identified thousands of malicious libraries on PyPI and npm, with some employing typosquatting such as 'passports-js' mimicking the legitimate 'passport' library. Other threats included active takeovers of popular dependencies, as seen with Ultralytics, Solana and lottie-player. Both state-sponsored and criminal actors were found exploiting these supply chain vulnerabilities.

The research notes a slow improvement in credential management. In the previous year, 63% of organisations used long-lived credentials at least once to authenticate GitHub Actions pipelines. This year's figure dropped to 58%. Outdated libraries also remain an industry challenge. Dependencies across all programming languages lag months behind their most recent major updates. Services deployed less than once a month were observed to have dependencies 47% more outdated than those in services updated daily, contributing to greater potential exposure to unpatched vulnerabilities.

Datadog's report was compiled through the analysis of tens of thousands of applications and container images distributed across thousands of cloud environments to assess contemporary risk factors and security practices.

Separately, Datadog announced its acquisition of Metaplane, a platform specialising in end-to-end data observability using machine learning-powered monitoring and column-level lineage. With businesses increasingly turning to AI and adopting platforms including Snowflake and Databricks, Datadog stated the integration of Metaplane technologies will speed its move from cloud observability into full data observability. This is expected to enhance its set of data-centric monitoring tools, such as Data Jobs Monitoring and Data Streams Monitoring.

Michael Whetten, VP of Product at Datadog, stated: "Observability is no longer just for developers and IT teams; it's now an essential part of data teams' day-to-day responsibilities as they manage increasingly complex and business-critical workflows. This complexity will become even more pronounced as more businesses deploy AI applications. By unifying observability across applications and data, Datadog will help organisations build reliable AI systems."

Kevin Hu, co-founder and CEO of Metaplane, said: "Our mission at Metaplane is to help companies ensure trust in the data that powers their business. Joining forces with Datadog enables us to bring data observability to tens of thousands more companies, while bringing data teams and software teams closer together."

Following the acquisition, Metaplane will continue to support both existing and new customers as part of the Metaplane by Datadog offering.