From the report, “While the developers of this Guide strongly support the important role that governments play in convening a diverse ecosystem, the imposition of prescriptive, compliance-focused regulatory requirements will inhibit the security innovation that is key to staying ahead of today’s sophisticated threats. Moreover, earlier policy efforts were based on utopian solutions to these threats, premised on the notions that internet service providers (ISPs) can simply shut down all botnets, or that manufacturers can make all devices universally secure. Instead, dynamic, flexible solutions that are informed by voluntary consensus standards, driven by market demands, and implemented by stakeholders throughout the global digital economy, are the better answer to these evolving systemic challenges.”

“Almost immediately following the WannaCry cyberattack, the NotPetya malware affected countries and organisations around the globe that had strikingly similar repercussions and lessons to take away. This attack exemplified the chronic failings organisations and nation-states continue to have despite the blatant and ongoing threats cyberspace poses. With cyber threats remaining a critical issue for organisations, there is still a great deal organisations need to do to mitigate these for future resilience.”

This report is the first in a bi-annual series that examines risks and attacks in the cloud native computing ecosystem. The next report will be released in the first half of 2019.

The first edition of the “State of Cybersecurity report” was well received by customers, industry analysts and cybersecurity professionals. The 2018 edition of the Report maintains the same unique structure to build on the first edition’s ethos and bring in new viewpoints and findings. The rest of this section is reproduced from last year’s report for the benefit of first-time readers.

You can use container security tools to secure critical applications, speed development efforts, and tamperproof your containers. But to access these benefits, you’ll first have to select from a diverse set of vendors — vendors that vary by size, functionality, geography, and vertical market focus. Security pros should use Forrester’s Now Tech report to understand the value they can expect from a container security provider and select vendors based on size and functionality.

This report provides new intelligence by the NCSC on two tools used by the Turla group to target the UK. It contains IOCs and signatures for detection by network defenders.

In late 2017 and early 2018, the Enterprise Strategy Group (ESG) completed a research survey of 413 IT and cybersecurity professionals with knowledge of, or responsibility for, the planning, implementation, and/or operations of their organization’s security policies, processes, or technical safeguards. Survey respondents were in the United States, U.K., and Australia and worked at enterprise organizations (i.e., more than 1,000 employees). Respondents represented numerous industry and government segments, with the largest participation coming from financial services (i.e., banking, securities, insurance, 18%), manufacturing (16%), retail/wholesale (13%), health care (12%), and information technology (10%).

“Many businesses and government agencies have embraced supervisory control and data acquisition (SCADA) systems or industrial control systems (ICS) in recent years, but the technologies face major security challenges. Nearly 6 in 10 organizations using SCADA or ICS that were surveyed by Forrester Consulting in a study commissioned by Fortinet indicate they experienced a breach in those systems in the past year—and many of those organizations are adding to their risk by allowing technology and other partners a high level of access into their systems. Most organizations also report connections between their traditional IT systems and their SCADA/ICS, introducing the potential for outside hackers to penetrate these control systems.”

“For a long time now, SOSS has provided a reliable yardstick for the most common vulnerabilities found in software, as well as how organizations are measuring up to security industry benchmarks throughout the software development lifecycle (SDLC). One thing we’ve always wanted to understand better, though, is how quickly these organizations are actually fixing flaws once they’ve been identified in application security scans. This year, we turned our data analysis up a notch by working with the data scientists at Cyentia Institute, so that we could gain better visibility into the factors that go into fixing flaws. Readers will find valuable insight on how factors like flaw severity, business criticality of applications, and exploitability of the flaws change the rate at which certain vulnerabilities are fixed.”

This document discusses the vulnerabilities discovered by edgescanTM over the past year – 2016. The vulnerabilities discovered are a result of providing “Fullstack” continuous vulnerability management to a wide range of client verticals; from Small Businesses to Global Enterprises, From Telecoms & Media companies to Software Development, Gaming, Energy and Medical organisations. The statistics are based on the continuous security assessment & management of over 57,000 systems distributed globally.

This report covers performance, security, and encryption essentials for online applications.

This white paper discusses the principals of the GNU Public License (GPL), the risks of using GPL-licensed code, and how GPL code may be used in proprietary products while minimizing legal compliance issues.

Recommendations for securing and managing privileged credentials used by enterprise applications

This Quarterly report continues Rapid7’s excellent work of providing insight to the threats they have witnessed during the 2nd Quarter of 2018.

This document discusses the vulnerabilities discovered by edgescanTM over the past year – 2015. The vulnerabilities discovered are a result of providing continuous vulnerability management to a wide range of client verticals; from Small Businesses to Global Enterprises; Telecoms & Media, Software Development, Gaming, Energy and Medical organizations.

In this report, they examine that series of interacting tiers—application services, application access, Transport Layer Security (TLS), domain name services (DNS), and the network—because each one is a potential target of attack.

Ponemon Institute is pleased to present the findings of the 2018 Global Study on The State Application Security sponsored by Arxan Technologies. We surveyed 1,399 IT and IT security practitioners in the United States, European Union and Asia-Pacific to understand the risk unprotected applications pose to businesses when running in unsecured environments and how they are addressing this risk in practice.

This report answers some questions about Bug Bounty organizations.

This technical white paper describes a new approach to identifying your most critical web application vulnerabilities faster and at lower cost.

This report from the U.S. Department of Health And Human Services, offers insight into how the FDA has taken steps to address emerging cybersecurity concerns in networked medical devices by issuing guidance, reviewing cybersecurity information in submissions, and—when needed—obtaining additional information from manufacturers. It also discusses how the FDA could take additional steps to more fully integrate cybersecurity into its premarket review process.

This paper seeks to help improve the IT situation in the Healthcare industry.