“Your complex codebase is the enemy of security.” BedRock your organization against threats and strengthen your security by reducing the attack surface. See how it works: https://lnkd.in/dgDYHH8 #cybersecurity #cyberdefense #cyberattack #activesecurity #BHV
BlueRock.io
Computer and Network Security
San Mateo, California 4,316 followers
Agent-less malware protection for containers and Linux (formerly BedRock Systems)
About us
BlueRock provides next-generation runtime security for leading-edge and long-tail workloads. Whether it’s cloud-native apps on Kubernetes or monolithic applications on EoL Linux, BlueRock’s vulnerability-agnostic exploit prevention and strong isolation keep them safe without impacting performance or operations.
- Website
- https://bluerock.io
- Industry
- Computer and Network Security
- Company size
- 11-50 employees
- Headquarters
- San Mateo, California
- Type
- Privately held
- Founded
- 2017
Updates
-
BlueRock.io reposted this
#ICYMI MITRE released their annual analysis of the Top 25 Most Dangerous Software Weaknesses: https://lnkd.in/e72RheYm
<take>
For better or worse, I file this (with a lot of other #cybersecurity data) under True But Unhelpful for a few reasons:
1. It's _very_ difficult to take any action on. If—as a software developer—one understands the seriousness of these things, then they probably did their level best to avoid them in the first place. The guidance for any given #CWE can range from very abstract to extremely specific. The analysis controls for this, but it just doesn't feel quite as clear-cut or accessible as, say, the OWASP Cheat Sheets. Unfortunately, there isn't much defenders can do with the information other than hope that developers will double-down on eliminating these issues in their code.
2. The methodology (or maybe just the title?) is... confusing. The weighting is a combination of frequency analysis and #CVSS v3.0 or v3.1 scores. However, 7 of the 25 incl. 3 of the top 10 _aren't_ tied to any #CVEs in the #KEV. So... they pop up a lot, _seem_ severe (based on established criteria—which is a different kettle of fish), but there isn't any evidence of exploitation for over 25% of them. That raises the question: if something happens a lot without leading to a negative outcome, is it actually dangerous? Or—to make a hash of it all—the enumerated weaknesses that cause vulnerabilities aren't always exposures. You may roast me in the comments for the clumsiness of that "joke".
3. The analysis relies heavily on active participation from CVE Numbering Authorities (CNAs). That participation—or lack thereof—can impact the resulting, since MITRE relies on the CNAs to confirm or correct the results of automated CWE mappings that were conducted. The automated mappings are likely accurate but may not be the most precise, which is why MITRE engages the CNAs. But 73% of the CVEs in the corpus were not confirmed or corrected by the issuing CNA.
</take>
So what does this report tell us? A couple of things, I think, both bad:
- The most common problems in software are long-lived. Yes, some of the rankings have changed but only two weaknesses dropped off the list this year. And this despite having well-understood root causes and mitigations for many of them (I'm looking at you #SQLInjection, holding steady at number 3 and my very favorite type of weakness/vulnerability because it's as old as my oldest child—but perennial favorites like out-of-bounds read/write, use-after-free, and deserialization of untrusted data are still hangin' in there too).
- #SAST and #DAST tools either aren't widely deployed enough (or deployed correctly), or just aren't up to the challenge of catching this stuff. There's no way to know which it is based on the data, but if this ranking even remotely reflects the state of commercial software, I shudder to think about the state of orgs' internal development.
Common Weakness Enumeration
cwe.mitre.org
-
Are you a #PlatformEngineering or #DevSecOps person? Are you headed to #KubeCon NA in Salt Lake City? So are we! And we'd like to show you how #ShiftingDown with our agent-less runtime #security solution can help you cut down on alerts, reduce costs by securely consolidating #k8s clusters, and generally make your developers' lives easier! Get in touch to schedule a meeting! https://lnkd.in/gX6um-y6
-
Local Privilege Escalation (LPE) is a critical phase in most attacks. Once an attacker has a foothold within a compromised Linux container, an LPE exploit is how attackers achieve root-level access, break out of the container, and cause additional harm.
BlueRock in Action: Actively Preventing LPE
bluerock.io
-
Google's kernelCTF team discovered #CVE 2024-26581 and has released a PoC for this Local Privilege Escalation (LPE) vulnerability. Here's a break-down of how BlueRock protects against this (and other) similar attacks. https://lnkd.in/gYx83wSi
BlueRock in Action: Actively Preventing LPE
bluerock.io
-
Bluerock.io was recently featured in Forbes, where we shared insights on advancing cloud security through real-time prevention. The article explores essential strategies to protect cloud environments effectively and seamlessly, aligning with our...
Featured in Forbes: Real-Time Prevention Strategies for Enhanced Cloud Security
bluerock.io
-
Our co-founder and CEO Bob Tinker shares some insights on how real-time prevention complements and improves existing #cloud #security practices. https://lnkd.in/eQH3jq4F
Council Post: Real-Time Prevention Strategies For Better Cloud Security
social-www.forbes.com
-
Hyperbole aside, #OpenSource Software (#OSS) did have some troubling disclosures during the final week of the month. On March 26th, a vulnerability researcher using the handle notselwyn published an extremely detailed writeup of CVE-2024-1086, a...
Open Source Software and the Terrible, Horrible, No Good, Very Bad Week
bluerock.io
-
By now, David J. Bianco’s Pyramid of Pain should be well-known to defenders: originally published in 2013 (with minor updates in 2014), the model provides a succinct categorization of attack indicators and the corresponding difficulty adversaries have...
Dirty Pagedirectory (CVE-2024-1086) and the (Missing) Pinnacle of the Pyramid of Pain
bluerock.io
-
In the same way that Linux and containers have become the foundation of modern application development, Enhanced Berkeley Packet Filter (eBPF) has become the de facto technology for observability—and therefore security—for Linux and containers....
eBPF – Who Watches the Watcher… and What is the Cost?
bluerock.io