
Tenable Blog


Cybersecurity Snapshot: CISA Calls on Software Makers To Use Memory Safe Languages, as OpenSSF Issues Secure Software Principles


CISA is urging developers to stamp out memory vulnerabilities with memory safe programming languages. Meanwhile, the OpenSSF published 10 key principles for secure software development. Plus, malware used in fake browser-update attacks ballooned in Q3. In addition, a new program aims to boost the cyber defenses of critical infrastructure orgs. And much more!

Dive into six things that are top of mind for the week ending December 8.

1 - CISA: Adopt memory safe programming languages, pronto!

Calling memory vulnerabilities a “major problem,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a clarion call for software makers to use so-called “memory safe” programming languages.

CISA urged both C-level executives and tech leaders at software companies to prioritize memory safe coding in its new “The Case for Memory Safe Roadmaps” document, released this week.

“Memory safe programming languages (MSLs) can eliminate memory safety vulnerabilities. Therefore, transitioning to MSLs would likely greatly lessen the need to invest in activities aimed at reducing these vulnerabilities or minimizing their impact,” reads the 23-page guide. 



Jointly issued with several international cyber agencies and with other U.S. law enforcement agencies, the document details steps software makers can take to create memory safe roadmaps and eliminate memory vulnerabilities.

It also includes a list of memory safe languages: C#, Go, Java, Python, Rust and Swift.
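As an added illustration of the guide's central claim (this program is not from the CISA document or any of the agencies behind it), the Rust code below takes the textbook memory-safety bug, copying a 12-byte message into an 8-byte fixed buffer, and shows what the language changes: in C that loop silently overwrites whatever the compiler placed next to the buffer, whereas Rust bounds-checks every index, so the ninth write becomes a deterministic panic and no byte outside the buffer is touched. The checked variant turns the same condition into an ordinary error value. The buffer size and the sample message are constructed for the example.

```rust
// Added example, not from the CISA guide: what a memory safe language
// changes about the classic fixed-size-buffer bug.
// In C, copying a 12-byte message into an 8-byte stack buffer overwrites
// whatever sits next to the buffer, and the program keeps running on
// corrupted memory. In Rust the same loop is bounds-checked on every
// index, so the 9th write becomes a deterministic panic and no byte
// outside the buffer is ever written; the checked variant below makes the
// failure an ordinary error value instead.
use std::panic;

const BUF_LEN: usize = 8; // constructed buffer size for the example

/// Naive copy that indexes past the end of `buf` when `msg` is too long.
/// In C this is a stack buffer overflow; here the index operator panics.
fn copy_naive(buf: &mut [u8; BUF_LEN], msg: &[u8]) {
    for (i, &b) in msg.iter().enumerate() {
        buf[i] = b; // bounds-checked: panics once i == BUF_LEN
    }
}

/// Hardened copy: the length check is explicit and the caller receives a
/// `Result` it must handle, so an oversize message is neither a crash nor
/// a memory write.
fn copy_checked(buf: &mut [u8; BUF_LEN], msg: &[u8]) -> Result<usize, String> {
    if msg.len() > BUF_LEN {
        return Err(format!(
            "message of {} bytes exceeds buffer of {} bytes",
            msg.len(),
            BUF_LEN
        ));
    }
    buf[..msg.len()].copy_from_slice(msg);
    Ok(msg.len())
}

/// Runs both copies against a constructed 12-byte message and reports
/// (did the naive copy panic, buffer contents afterwards, checked result).
fn demo() -> (bool, [u8; BUF_LEN], Result<usize, String>) {
    let msg = b"AAAAAAAAAAAA"; // constructed sample input: 12 bytes
    let mut buf = [0u8; BUF_LEN];

    // catch_unwind lets the program observe the panic instead of aborting;
    // the panic message itself ("index out of bounds ...") goes to stderr.
    let naive_panicked = panic::catch_unwind(panic::AssertUnwindSafe(|| {
        copy_naive(&mut buf, msg);
    }))
    .is_err();

    // Exactly BUF_LEN bytes were written before the check fired.
    let after_naive = buf;

    let mut buf2 = [0u8; BUF_LEN];
    let checked = copy_checked(&mut buf2, msg);
    (naive_panicked, after_naive, checked)
}

fn main() {
    let (panicked, buf, checked) = demo();
    println!("naive copy panicked: {}", panicked);
    println!("buffer after naive copy: {:?}", buf);
    println!("checked copy result: {:?}", checked);
}
```

The point of the contrast is not that panicking is good (an unexpected panic is still a denial-of-service bug) but that the failure is contained and visible: the guide's "eliminate memory safety vulnerabilities" means the write past the buffer cannot happen at all, so the remaining work is handling the length error the way `copy_checked` does.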

For more details, check out:

To get more information about memory safe programming:

VIDEO

How can memory safe code stop hackers? (Low Level Learning)

2 - OpenSSF issues key principles for secure software development

And speaking of secure software development, anyone involved with building software – commercial vendors, enterprise developers, open source collaborators – should check out new guidance from the Open Source Security Foundation (OpenSSF).

This week, the group published version 1.0 of its “Secure Software Development Guiding Principles” list, which it describes as core security practices for software producers and suppliers.



The 10 principles touch on areas such as:

  • Secure software development and design methods
  • Vulnerability prevention, detection, disclosure and mitigation
  • Software supply chain transparency

To get more details and see the list, check out:

For more information about secure software development practices:

3 - U.S. gov’t offers free cyber services to critical infrastructure orgs

Good news for critical infrastructure facilities that lack sufficient cybersecurity resources. CISA has launched a no-cost pilot program to help them shore up their defenses. 

As part of the program, critical infrastructure organizations that are “target rich” but “resource poor” can request to receive managed cybersecurity services, CISA said in an announcement.

Specifically, the program now offers CISA’s “Protective Domain Name System (DNS) Resolver” service, which is designed to help prevent systems from connecting to malicious domains.



CISA is working with critical infrastructure organizations in healthcare, water and education. It plans to deliver program services to up to 100 entities in the coming year, as well as expand the menu of services available.

Critical infrastructure operators interested in participating in the program should contact a security advisor at their region’s CISA office.

In addition to helping critical infrastructure organizations, the program is expected to boost national security and expand the government’s insight into evolving threats against these facilities, CISA said.

To get more details:

For more information about protecting critical infrastructure from cyberattacks, check out these Tenable resources:

VIDEO

Anatomy of a Threat: Rockwell Automation Vulnerabilities (CVE-2023-3595) and (CVE-2023-3596)

4 - Sidestep the risks of “lift and shift” cloud migrations 

Taking a “lift and shift” approach to cloud migration is generally not recommended, but if you must, the U.K.’s cyber agency has some advice so you avoid common pitfalls.

“Lift and shift,” in which you replicate an on-premises system in the cloud, often yields inefficient, insecure and costly deployments that fail to take advantage of the benefits of cloud computing.


 

However, it is a common practice, and a good option in some cases, so the U.K. National Cyber Security Centre just published recommendations for those taking the “lift and shift” road.

“Our new guidance explains how by going beyond a simple ‘lift and shift’ implementation, you can avoid the worst problems of the migration strategy,” reads the NCSC blog announcement.

NCSC recommendations in the “How to ‘lift and shift’ successfully” guide include:

  • Before migrating, securely configure the chosen platform
  • Plan the migration by, for example, taking inventory of assets, avoiding unnecessary customization and simplifying the existing permissions model
  • Avoid exposing legacy management protocols on the internet
  • Automate maintenance for things such as patching and logging
  • Migrate applications to a cloud-native approach

To get more details, check out:

5 - Malware used in fake browser attacks surges in Q3

The third quarter saw a rise in malware that infects systems after users are duped into installing a fake browser update.

That’s according to the Center for Internet Security (CIS), which this week released its “Top 10 Malware Q3 2023” list.

SocGholish, which didn’t make the list last quarter, shot up to the top spot, accounting for 31% of malware incidents in the third quarter. Its success was due to a recent campaign pushing fake browser updates for initial access to compromised systems.

Fake browser update attacks also propelled two other malware variants into the third quarter’s list: RogueRaticate and Fake Browser.

Top 10 malware for Q3

(Source: Center for Internet Security)

Here’s the full list, in descending order:

  • SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates
  • NanoCore, a remote access trojan (RAT) that spreads via malspam as a malicious Excel spreadsheet
  • RogueRaticate, a downloader distributed through malicious or compromised websites using fake browser updates
  • Agent Tesla, a RAT that captures credentials, keystrokes and screenshots
  • Fake Browser, a downloader distributed through malicious or compromised websites using fake browser updates
  • ViperSoftX, a multi-stage crypto stealer that's spread within torrents and file sharing sites
  • CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
  • Arechclient2, also known as SectopRAT, a .NET RAT whose capabilities include multiple stealth functions
  • Gh0st, a RAT designed to control infected endpoint devices
  • Ratenjay, a RAT that's dropped by other malware, executes remote commands and has keylogging capabilities

To get more information, check out the CIS blog report, which offers details, context and indicators of compromise for each malware strain.

For details on fake browser update attacks:

VIDEO

Fake Chrome Update Malware (The PC Security Channel)

Apple Mac OS users falling for fake browser update that installs malware (Windows, Computers and Technology)

6 - Checking in on vulnerability management practices

During our recent webinar “Tenable Vulnerability Management Customer Update - December 2023,” we took the opportunity to poll attendees about their vulnerability management dashboards. Here’s what they said when we asked them how often they check their dashboards and what dashboard features are most important to them.


(200 respondents polled by Tenable in December 2023)

 

Check out our poll on vulnerability management practices

(198 respondents polled by Tenable in December 2023)

Want to learn what was discussed during the webinar “Tenable Vulnerability Management Customer Update - December 2023”? Watch it on demand!
