vulnerabilities – Devstyler.io
https://devstyler.io
News for developers from tech to lifestyle
Wed, 17 Apr 2024 12:23:23 +0000

Oracle Releases Critical Update, Fixes 372 Vulnerabilities
https://devstyler.io/blog/2024/04/17/oracle-releases-critical-update-fixes-372-vulnerabilities/
Wed, 17 Apr 2024 12:23:23 +0000

34 of the vulnerabilities found are classified as “critical”

Oracle has released this month’s Critical Patch Update (CPU), which addresses 372 vulnerabilities across multiple products, Cybersecurity News reported. The update fixes critical flaws that could allow remote code execution and unauthorized access to affected systems.

“Security is a top priority for Oracle, and we take great care to identify and resolve vulnerabilities in a timely manner. This latest CPU demonstrates our ongoing efforts to ensure our customers can confidently rely on our products to protect their most sensitive data and mission-critical systems”, said Ravi Kumar, Oracle’s Chief Security Officer.

The Critical Patch Update provides fixes for security flaws in widely used Oracle products, including Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain Products Suite, Siebel CRM, Oracle Sun Products and Java SE.

The vulnerabilities covered span a range of severity levels, with 34 of them classified as “critical,” meaning that malicious actors could exploit them to gain unauthorized access, execute arbitrary code, or disrupt system operation.

The update also resolves 159 vulnerabilities rated as “important” that can be exploited remotely to access sensitive data. The remaining issues are rated as moderate or low risk.


OpenText Updates Security Auditing Tool
https://devstyler.io/blog/2024/02/06/opentext-updates-security-auditing-tool/
Tue, 06 Feb 2024 08:16:44 +0000

OpenText has unveiled the second generation of its application security auditing tool, Fortify Audit Assistant. The tool aims to address the challenges faced by developers confronted with an increasingly complex landscape of cloud threats.

“The first generation of Fortify Audit Assistant was well ahead of its time with its use of predictive analytics and machine learning,” said Prentiss Donohue, cybersecurity executive vice president at OpenText.

“Those pioneering efforts paved the way for us to derive 10 years of data from human experts and turn them into predictive models that are significantly more accurate compared to the previous generation’s models, improving efficacy in auditing by reducing false positives up to 90%. Enterprises can now leverage this depth of information—something no one else in the industry can provide—within their own software assurance programs”, he added.

With this technology, OpenText highlights the need for advanced application security tools and practices, addressing the pressure security teams face to ensure software integrity and reliability from the start.

Key updates to Fortify Audit Assistant include the ability to account for model shifts, the flexibility to learn from a company’s unique environment, expanded model expertise through language specification, and the ability to account for nuances of scan results.

The tool also aims to streamline developers’ work by allowing them to focus on addressing the most critical vulnerabilities.

According to OpenText, the new auditing process is a direct response to demand for more efficient application security testing, since triaging static analysis results by hand is time-consuming and does not scale.

The new generation of Fortify Audit Assistant will integrate security considerations into the earliest stages of the software development lifecycle, starting right from code creation. This will help in building software systems that are not only robust and reliable, but also inherently secure.

The tool uses machine learning technology to automate the security audit process, learning from the experience of Fortify’s human auditors. This application of AI is being identified as a strategic move to address the shortage of expertise available for manual verification, which is resource intensive and impractical for many organizations.

Fortify Audit Assistant promises to significantly reduce the overhead associated with hiring teams of software engineering, computer science and cybersecurity experts, the company explains.

GitLab Announces Interesting Updates to GitLab Duo
https://devstyler.io/blog/2023/11/13/gitlab-announces-interesting-updates-to-gitlab-duo/
Mon, 13 Nov 2023 08:41:37 +0000

GitLab has announced updates to GitLab Duo, its suite of 14 AI-powered capabilities, which include Suggested Reviewer, Vulnerability Summary and Code Explanation.

According to a recent GitLab survey, developers said they spend only about 25% of their time writing code. GitLab Duo aims to shorten the product lifecycle by also assisting with non-coding tasks such as test generation, value stream forecasting and summarising planning discussions.

New updates to GitLab Duo include a beta version of Chat and general availability of Code Suggestions.

GitLab Duo Chat serves as an AI assistant designed to aid developers in code analysis, planning, security issue comprehension and resolution, CI/CD pipeline troubleshooting, and support with merge requests, among various other functionalities. This feature is currently accessible as a beta version in GitLab 16.6.

“The introduction of GitLab Duo Chat furthers our momentum and focus to bring AI beyond just code creation. To realize AI’s full potential, it needs to be embedded across the software development lifecycle, allowing DevSecOps teams to benefit from boosts to security, efficiency, and collaboration”, said David DeSanto, chief product officer at GitLab.

Code Suggestions helps with new code creation and code updates. It will be generally available in the GitLab 16.7 release, coming in December.

Mend.io Releases Dependency Management Tool
https://devstyler.io/blog/2023/11/02/mend-io-releases-dependency-management-tool/
Thu, 02 Nov 2023 09:54:41 +0000

Mend.io has released an enterprise edition of Renovate, its widely used dependency update tool. Mend Renovate Enterprise Edition adds premium features such as unlimited server scalability and dedicated support for organisations running Renovate at scale.

“Keeping dependencies up to date is one of the most effective ways to reduce technical debt and avoid software vulnerabilities, especially as most companies rely heavily on external dependencies. Mend Renovate Enterprise Edition offers a commercially supported version of Renovate built with the power to help developers handle enterprise-scale needs”, said Rhys Arkins, vice president of product at Mend.io.

Renovate keeps applications current and reduces their exposure to known vulnerabilities by scanning a repository’s manifests and lockfiles for external dependencies and opening pull requests that update them to newer versions.

Mend.io notes that while the free Renovate Community Edition and Renovate CLI work well for smaller development setups, they can introduce delays for enterprises managing a large number of repositories. Renovate Enterprise Edition addresses this with unlimited horizontal scaling of server resources, so organisations can process many repositories in parallel and developers see updates promptly.

According to the company, Mend Renovate Enterprise Edition offers automated dependency updates, enhanced interactivity, reduced technical debt, improved code quality and more.

Both Mend Renovate Enterprise Edition and Mend Renovate Community Edition are self-hosted container-based applications, granting organizations the control they need to meet stringent internal security requirements.

Both editions are equipped with a job scheduler and webhooks. The job scheduler automates Renovate processes, while webhooks trigger Renovate tasks in response to critical events, such as package file updates or pull request merges.

Mend says Renovate Enterprise Edition tracks the open-source Renovate CLI, so it receives the latest features while remaining a stable, supported release.

Darktrace Launches AI-Driven Vulnerability Detection System
https://devstyler.io/blog/2023/02/27/darktrace-launches-ai-driven-vulnerability-detection-system/
Mon, 27 Feb 2023 09:28:13 +0000

Darktrace has announced Newsroom, a critical vulnerability detection and alerting system that uses open source intelligence (OSINT) to identify threats to businesses, CSO Online reported.

Newsroom uses in-depth knowledge of a customer’s external attack surface to assess its exposure to discovered vulnerabilities and provide a summary of exploits, affected software and assets within the organization, Darktrace said.

The new system also provides guidance on reducing business-specific vulnerabilities. Darktrace Newsroom is now available as part of the Darktrace PREVENT product range.

In a press release, the company also shares that Darktrace Newsroom autonomously monitors threat feeds and OSINT sources for new critical vulnerabilities and publishes them to the Darktrace PREVENT dashboard. This gap detection and aggregation complements human security teams by alleviating long and labor-intensive manual processes, the firm added.

“If we consider that an average of four new critical vulnerabilities are released every day, and the time it takes for attackers to exploit these has shrunk to an average of 12 days, you can imagine that the race against time to understand and mitigate these threats in line with your risk profile is not something that even an army of analysts, if that luxury was afforded, can carry out alone,” said Jim Webber, VP enterprise security and fraud management at Direct Federal Credit Union, and Newsroom early adopter.

Darktrace Newsroom addresses a major challenge facing security leaders today, namely cutting through the media noise to understand the realities of their own risk profile. Newsroom provides clear-cut insights about the impact of new vulnerabilities in a way that is timely and bespoke to their organization.

New Vulnerabilities Threaten OT Security Measures
https://devstyler.io/blog/2023/02/17/new-vulnerabilities-threaten-ot-security-measures/
Fri, 17 Feb 2023 09:41:21 +0000

As the lines between IT and operational technology (OT) networks blur in a rapidly digitizing industrial sector, new vulnerabilities and threats are undermining the conventional OT security measures that once isolated physical processes from cyberattacks, Dark Reading reports.

Two new separate sets of research published this month highlight the real, hidden dangers to physical operations in today’s OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs).

A research team from Forescout Technologies was able to bypass the safety and functional fences in an OT network and move laterally between segments at the lowest levels of the network. They exploited two recently disclosed vulnerabilities they had found in the Schneider Electric Modicon M340 PLC, a remote code execution (RCE) flaw and an authentication bypass, to compromise the PLC and then pivot to the devices connected to it, manipulating them to cause unsafe physical actions.

The highly sophisticated attack chain the researchers demonstrated with a proof-of-concept (PoC), which they acknowledged would require the skills and resources of a nation-state attacker, stands in stark contrast to the relatively simple attacks another group of researchers performed. Both sets of findings poke holes in traditional assumptions about the inherent security of the lower layers of OT networks.

In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.

The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.

As for the wireless access point vulnerabilities and attacks, the researchers recommend disabling weak encryption schemes on wireless access devices, hiding wireless devices from public view or at least allow-listing authorized clients, and enforcing strong authentication on IP-based devices.

Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication.

APIwiz Releases New API Lifecycle Management Version
https://devstyler.io/blog/2023/02/16/apiwiz-releases-new-api-lifecycle-management-version/
Thu, 16 Feb 2023 09:56:01 +0000

Low-code API lifecycle management platform APIwiz has announced APIwiz 2.0, a new version of its API lifecycle management solution that adds automated API governance and API compliance support.

Alongside the release, APIwiz is offering Astrum, a free downloadable version of its API governance platform for developers.

The difficulty of managing and scaling existing systems to meet ever-increasing expectations has pushed businesses towards newer architectures such as MACH (Microservices-based, API-first, Cloud-native and Headless) to break away from the constant cycle of re-platforming.

The APIwiz platform provides developers with a low-code approach to API creation that ensures standardized API development practices and compliance, while automatically documenting and cataloging code to provide a single source of truth.

“One of the most significant trends shaping the API developer tools market is the abstraction of code complexity and incorporating automation,” said Rakshith Rao, co-founder and CEO of APIwiz.

“We created APIwiz as a low-code platform to make it easy for developers to create compliant APIs without having to understand the systems’ underlying structure. We aim to deliver an API management platform that acts as a force multiplier, where the whole has much more value than the sum of its parts,” he continued.

APIwiz 2.0 now adds automated API governance, applying common rules for API standards and security. This ensures consistency across APIs, making it easy to reuse components. APIwiz 2.0 also automates compliance, ensuring APIs conform to best practices, are compatible with other systems and have been tested for security vulnerabilities and other issues.

Google Launches Open Source Vulnerability Scan Tool
https://devstyler.io/blog/2023/01/04/google-launches-open-source-vulnerability-scan-tool/
Wed, 04 Jan 2023 08:28:02 +0000

Google has released OSV-Scanner, an open source front end to its Open Source Vulnerabilities (OSV) database. It matches a project’s dependencies against the database and lists every known vulnerability that affects them.

When run against a project, OSV-Scanner first enumerates its dependencies by parsing lockfiles, manifests and software bills of materials (SBOMs). It then queries the OSV database for each package and version and reports any matching vulnerabilities, either as a table or, optionally, as JSON in the OSV format.

Oliver Chang, a senior staff engineer at Google, and Russ Cox, an engineer at Google, say this approach can be used to describe vulnerabilities in any open source ecosystem while not requiring ecosystem-dependent logic to handle them.

The OSV format is a machine-readable JSON schema for describing vulnerabilities. It is designed to express affected versions using the package names and versioning schemes of the real open source ecosystems, so that an entry can be matched mechanically against a dependency list.

Rex Pan, a software engineer at Google, says the team aims to improve C and C++ support by building a high-quality database of C/C++ vulnerabilities, adding accurate commit-level metadata to CVEs.

OSV-Scanner is also integrated into the OpenSSF Scorecard project, which uses it to check a repository’s dependencies for known vulnerabilities.
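The matching step the article describes, as an added Python example that is not Google’s code and not part of the original article: it parses a pinned requirements file, then checks each dependency against OSV-format records, walking the `introduced` / `fixed` / `last_affected` range events the way the OSV schema defines them. The two records (IDs OSV-EXAMPLE-0001 and 0002, package names demo-http and demo-yaml) and the lockfile are constructed for illustration and do not correspond to real advisories; version ordering is a simplified dotted-numeric comparison rather than full PEP 440.

```python
"""Offline version of the matching OSV-Scanner does: parse a pinned dependency
list, then check each dependency against OSV-format records.

Added example, not Google's code. The records and lockfile below are
constructed for illustration; the IDs and package names are not real advisories.
"""
import json

# Constructed OSV-format records. The structure follows the OSV schema
# (affected[].package, affected[].ranges[].events); the content is made up.
OSV_RECORDS_JSON = r"""
[
  {"schema_version": "1.4.0", "id": "OSV-EXAMPLE-0001",
   "summary": "Constructed example: header injection in demo-http",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "demo-http"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}]},
  {"schema_version": "1.4.0", "id": "OSV-EXAMPLE-0002",
   "summary": "Constructed example: unsafe deserialisation in demo-yaml",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "demo-yaml"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "5.0"}, {"fixed": "5.4"},
                                        {"introduced": "6.0"}, {"last_affected": "6.0.1"}]}]}]}
]
"""

# Constructed pinned requirements file.
LOCKFILE = """\
demo-http==2.28.1
demo-yaml==6.0.1
demo-json==1.0.0
"""


def parse_version(v):
    """Simplified dotted-numeric ordering ('2.31.0' -> (2, 31, 0)); real tools
    use full PEP 440 / semver comparison, including pre-release tags."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version, events):
    """Walk the sorted OSV events: a version is affected from an 'introduced'
    event up to the next 'fixed' (exclusive) or 'last_affected' (inclusive).
    'introduced': '0' means 'from the very first version'."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if event["introduced"] == "0" or v >= parse_version(event["introduced"]):
                affected = True
        elif "fixed" in event and affected and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and affected and v > parse_version(event["last_affected"]):
            affected = False
    return affected


def parse_lockfile(text):
    """Parse 'name==version' lines from a pinned requirements file."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps.append((name.strip().lower(), version.strip()))
    return deps


def scan(deps, records, ecosystem="PyPI"):
    """Return (package, version, osv_id) for every dependency an OSV record covers."""
    findings = []
    for name, version in deps:
        for rec in records:
            for aff in rec.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != ecosystem or pkg.get("name", "").lower() != name:
                    continue
                # Explicit version lists and ECOSYSTEM/SEMVER ranges are checked;
                # GIT ranges need commit ordering, not version comparison, so they are skipped.
                hit = version in aff.get("versions", [])
                for rng in aff.get("ranges", []):
                    if rng.get("type") in ("ECOSYSTEM", "SEMVER") and version_in_range(version, rng["events"]):
                        hit = True
                if hit:
                    findings.append((name, version, rec["id"]))
    return findings


def scan_lockfile(lockfile=LOCKFILE, records_json=OSV_RECORDS_JSON):
    return scan(parse_lockfile(lockfile), json.loads(records_json))


if __name__ == "__main__":
    for name, version, osv_id in scan_lockfile():
        print(f"{name}=={version} is affected by {osv_id}")
```

Against live data the same lookup is done by posting `{"package": {"name": ..., "ecosystem": ...}, "version": ...}` to https://api.osv.dev/v1/query, which is what `osv-scanner --lockfile requirements.txt` does for you; the point of the offline version is to make the range semantics visible, in particular that a second `introduced` event after a `fixed` reopens the affected window, and that `last_affected` is inclusive where `fixed` is exclusive.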

75% of Cloud Runtimes Contain High or Critical Vulnerabilities according to a report
https://devstyler.io/blog/2022/02/16/75-of-cloud-runtimes-contain-high-or-critical-vulnerabilities-according-to-a-report/
Wed, 16 Feb 2022 10:44:59 +0000

Sysdig’s latest cloud-native security and usage report finds that shipping containers with known vulnerabilities has become standard practice: 75% of running containers carry high or critical severity vulnerabilities for which a patch was already available.

The report emphasised that many organisations treat this as an acceptable risk, preferring to take it in order to build and release quickly.

The main message of the report is that many organisations still have a long way to go in providing appropriate cloud-native and container security, InfoQ reports in a recent article.

The report defines a number of key indicators to determine success in cloud native and security, and analyses the responses from a broad array of organisations to show the current trends in the industry.

Sysdig sells software for cloud-native and container security, and anonymised telemetry from its customers’ deployments is the source of the report’s usage and adoption statistics.

Cloud storage configuration fares no better. Taking Amazon Web Services’ S3 as the example, the report found that 36% of the S3 buckets observed are open to public access, and 73% of accounts have at least one public bucket.
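A bucket can become public through its ACL, through its bucket policy, or both, and the account or bucket Public Access Block settings can neutralise either. The following Python is an added example, not Sysdig’s code and not from the article: it evaluates those three inputs for a constructed inventory of five buckets. The bucket names, account ID, VPC endpoint ID and settings are made up; the dict shapes mirror what boto3’s `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, so the same functions can be pointed at live data. Treating any `Condition` as restricting is a simplification of AWS’s exact rule, which only recognises specific condition keys.

```python
"""Offline check for publicly accessible S3 buckets, combining the bucket ACL,
the bucket policy and the Public Access Block settings.

Added example, not Sysdig's code. Bucket names, IDs and settings below are
constructed; the dict shapes mirror what boto3's get_bucket_acl,
get_bucket_policy and get_public_access_block return.
"""
import json

# Grantee URIs that make an ACL grant public (anyone / any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_everyone(principal):
    """'*' or {"AWS": "*"} (or a list containing '*') means any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public_access(policy_json):
    """True if any Allow statement grants to everyone without a Condition.
    Simplification: AWS only counts specific condition keys (e.g. aws:SourceVpce)
    as restricting; here any Condition is treated as restricting."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(
        st.get("Effect") == "Allow"
        and principal_is_everyone(st.get("Principal"))
        and not st.get("Condition")
        for st in statements
    )


def acl_grants_public_access(grants):
    """True if the ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        for g in grants
    )


def public_exposure(bucket):
    """Return the paths ('acl', 'policy') by which a bucket is publicly reachable.
    Public Access Block settings override the raw ACL / policy result."""
    pab = bucket.get("public_access_block") or {}
    reasons = []
    if acl_grants_public_access(bucket.get("acl_grants", [])) and not pab.get("IgnorePublicAcls"):
        reasons.append("acl")
    if policy_grants_public_access(bucket.get("policy")) and not pab.get("RestrictPublicBuckets"):
        reasons.append("policy")
    return reasons


def _policy(principal, resource, condition=None):
    """Build a one-statement s3:GetObject bucket policy (constructed test data)."""
    st = {"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject", "Resource": resource}
    if condition:
        st["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [st]})


OWNER_GRANT = [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]
ALL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed inventory: two exposed buckets, one saved by Public Access Block,
# two genuinely private (one of them by a VPC-endpoint condition).
SAMPLE_BUCKETS = [
    {"name": "example-static-site", "policy": None, "public_access_block": None,
     "acl_grants": OWNER_GRANT + [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    {"name": "example-open-policy", "acl_grants": OWNER_GRANT, "public_access_block": None,
     "policy": _policy({"AWS": "*"}, "arn:aws:s3:::example-open-policy/*")},
    {"name": "example-logs", "acl_grants": OWNER_GRANT, "public_access_block": ALL_PAB,
     "policy": _policy("*", "arn:aws:s3:::example-logs/*")},
    {"name": "example-private", "acl_grants": OWNER_GRANT, "public_access_block": None,
     "policy": _policy({"AWS": "arn:aws:iam::111122223333:role/app"}, "arn:aws:s3:::example-private/*")},
    {"name": "example-vpc-only", "acl_grants": OWNER_GRANT, "public_access_block": None,
     "policy": _policy("*", "arn:aws:s3:::example-vpc-only/*", {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}})},
]


def audit(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> exposure reasons, plus the share of buckets that are public."""
    exposure = {b["name"]: public_exposure(b) for b in buckets}
    public_share = sum(1 for r in exposure.values() if r) / len(buckets)
    return exposure, public_share


if __name__ == "__main__":
    exposure, share = audit()
    for name, reasons in exposure.items():
        print(f"{name}: {'PUBLIC via ' + ','.join(reasons) if reasons else 'private'}")
    print(f"{share:.0%} of buckets public")
```

The `example-logs` bucket is the instructive case: its policy is wide open, yet it is not public because `RestrictPublicBuckets` is set, which is why enabling all four Public Access Block settings at the account level is the cheapest fix for the 73%-of-accounts figure above.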

On performance and cost, the report shows that more than half of the containers deployed to Kubernetes have no memory or CPU limits defined. Setting limits forces administrators to profile the applications they run, and it prevents a single workload from overrunning a cluster or growing to a size where capacity is wasted.
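A lint for exactly this finding, as an added Python example that is not Sysdig’s code and not from the article: it walks Pod, Deployment, StatefulSet, DaemonSet, Job and CronJob manifests, reports every container (including init containers) with no CPU or memory limit, and credits a namespace `LimitRange` that injects a default limit, since that is the usual namespace-wide fix. The manifests are constructed and embedded as dicts; against a real cluster you would feed it the `items` of `kubectl get deployments,pods,... -A -o json`.

```python
"""Flag Kubernetes containers with no CPU / memory limits, taking namespace
LimitRange defaults into account.

Added example, not Sysdig's code. The manifests are constructed and embedded
as dicts; in practice load them from `kubectl get ... -o json` or a YAML parser.
"""

REQUIRED = ("cpu", "memory")

# Where each workload kind keeps its PodSpec.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj, path):
    """Follow a key path through nested dicts, returning {} when absent."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj if isinstance(obj, dict) else {}


def limitrange_defaults(manifests):
    """namespace -> set of resources for which a LimitRange supplies a default limit."""
    defaults = {}
    for m in manifests:
        if m.get("kind") != "LimitRange":
            continue
        ns = m["metadata"].get("namespace", "default")
        for lim in _dig(m, ("spec",)).get("limits", []):
            if lim.get("type") == "Container":
                defaults.setdefault(ns, set()).update(lim.get("default", {}).keys())
    return defaults


def missing_limits(manifests):
    """Return (namespace, kind/name, container, [missing resources]) for every
    container that declares no limit and gets none from a LimitRange."""
    defaults = limitrange_defaults(manifests)
    findings = []
    for m in manifests:
        kind = m.get("kind")
        if kind not in POD_SPEC_PATH:
            continue
        ns = m["metadata"].get("namespace", "default")
        spec = _dig(m, POD_SPEC_PATH[kind])
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            declared = set(_dig(c, ("resources", "limits")).keys())
            missing = [r for r in REQUIRED if r not in declared and r not in defaults.get(ns, set())]
            if missing:
                findings.append((ns, f"{kind}/{m['metadata']['name']}", c["name"], missing))
    return findings


# Constructed manifests: two offenders in "prod", one container in "dev" that
# is covered by a namespace LimitRange.
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "example/web:1.0"}]}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "batch", "namespace": "prod"},
     "spec": {"containers": [
         {"name": "worker", "image": "example/worker:1.0",
          "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                        "limits": {"memory": "512Mi"}}}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "tooling", "namespace": "dev"},
     "spec": {"containers": [{"name": "shell", "image": "example/tools:1.0"}]}},
    # Namespace-wide fix: a LimitRange that injects default limits (and requests)
    # into any container in "dev" that does not declare its own.
    {"apiVersion": "v1", "kind": "LimitRange",
     "metadata": {"name": "defaults", "namespace": "dev"},
     "spec": {"limits": [{"type": "Container",
                          "default": {"cpu": "500m", "memory": "512Mi"},
                          "defaultRequest": {"cpu": "100m", "memory": "128Mi"}}]}},
]


if __name__ == "__main__":
    for ns, workload, container, missing in missing_limits(SAMPLE_MANIFESTS):
        print(f"{ns} {workload} container={container} missing limits: {', '.join(missing)}")
```

Note that a `LimitRange` only patches containers at admission time; existing Pods are not mutated, so after adding one the offenders still need a rollout, and the lint above is the way to confirm nothing slipped through.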

Waste also shows up in utilisation: a third of the CPU cores allocated to clusters were unused, a sign that autoscaling capacity to match demand is not a solved problem.

96% of the container platforms in use are Kubernetes, indicating that consolidation in this area is almost complete. Measurement and monitoring show a clear adoption trend too, with Prometheus in use at 83% of organisations at the expense of less cloud-native alternatives. Prometheus has the advantage of being an open standard and one that fits naturally onto applications running in a Kubernetes cluster.

Several Security Concerns that Developers should be aware of In the Workload Protection
https://devstyler.io/blog/2022/02/04/several-security-concerns-that-developers-should-be-aware-of-in-the-workload-protection/
Fri, 04 Feb 2022 09:06:34 +0000

To defend against cyberattacks, developers and businesses that rely on private and public clouds need to protect themselves at the workload level, not just at the endpoint.

In relation to this growing problem, DZone listed several concerns that every developer should take seriously to ensure their work is well protected.

Streamlining and Automation

We are all aware that the rise in cloud computing has complicated workload security. Rather than employees at a single location being the only group permitted to access a company’s resources, access may span thousands of people across multiple sites all over the world.

However, many workload protection products lack identity management capabilities, which leaves a significant security gap. Until it is closed, separate identity and access management tooling is needed to verify who is accessing cloud-stored information and what privileges they hold.

Maintain Data Privacy

Having information stored in multiple places could complicate efforts to keep it all secure.

Keeping privacy at the top of the list when making workload protection decisions is also vital, since more jurisdictions have enacted privacy laws. Penalties for failing to adequately protect data can reach up to $5,000 per violation.

One way to keep data private is to implement controls on cloud-hosted workloads so that teams can encode rules and policies specific to their organisation. Developers should always apply additional controls depending on industry regulations and the type of data stored in the cloud.

Shared Responsibility of Workload Protection

One of the positive things about workload protection is that responsibility does not rest with a single party. The provider secures the underlying cloud; the customer is responsible for whatever it deploys and stores in it.

This raises a lot of questions about the protocols a cloud provider follows to protect against breaches and the measures data owners take when storing information or running workloads in the cloud. Getting these answers right makes for a more secure environment.

Using Unnecessary Apps

One practical way to manage these risks is to limit the number of cloud-based apps employees use. Any unnecessary apps expand the overall attack surface size.

We should also carry out regular storage scans and security checks on all cloud-hosted apps. Doing so identifies misconfigurations or errors that have publicly exposed data.

On-Premises Database Checks

Recent research into on-premises databases found that 46% had vulnerabilities exposing them to external attack. More worrying still, the average database had 26 unresolved issues, more than half of them rated “high” or “critical” severity.

These concerns are just the tip of the iceberg. There are a lot more things that can threaten our information. To remain aware of our data protection we should stay on top of security threats regardless of where workloads reside.
