Showing posts from September, 2024

Nowsecure

Mobile apps are increasingly targeted by attackers, making a robust Mobile App Security Testing (MAST) stack essential. The stack combines static and dynamic testing to detect vulnerabilities early, analyzes open-source components for security flaws, and provides developers with security training. This multi-layered approach helps safeguard mobile apps throughout the software development lifecycle, ensuring user trust and protecting businesses in a mobile-driven world. https://www.nowsecure.com/

House Committee Advances Bill to Enhance AI Security Vulnerability Reporting

The House Science, Space and Technology Committee has advanced the AI Incident Reporting and Security Enhancement Act, which would allow the National Institute of Standards and Technology (NIST) to establish a formal process for reporting security vulnerabilities in AI systems. This bipartisan bill aims to incorporate AI vulnerabilities into the National Vulnerability Database (NVD), the federal repository for tracking security issues in software and hardware. However, the initiative faces challenges, primarily due to potential funding concerns, as NIST's workload has already been strained by budget cuts and resource limitations. https://www.darkreading.com/application-security/congress-advances-bill-add-ai-nvd

WuppieFuzz

WuppieFuzz is a REST API fuzzer built on the LibAFL framework, supporting black-box, grey-box, and white-box fuzzing to test APIs without requiring detailed knowledge of the application code. It generates diverse requests based on the OpenAPI specification and uses coverage-guided fuzzing to prioritize new mutations that target deeper business logic. The results are displayed on a dashboard, showing which endpoints and code areas were tested. Developers can use the dashboard to replay and debug crashes, improving the API's reliability, stability, and security. https://github.com/TNO-S3/WuppieFuzz

Prioritizing Application Security: The Essential Shift in Safeguarding Corporate Data

A data leak or unauthorized access to systems is a company's worst nightmare, triggering responses from security, PR, and legal teams. The 2020s have highlighted the critical value of data, with cybercriminals persistently targeting it across all sectors. The outdated approach of prioritizing speed over security is no longer viable. Companies now need to adopt comprehensive application security (AppSec) programs to safeguard against cyber threats. AppSec not only protects information systems but also aligns with broader business needs, including regulatory and compliance requirements based on the industry. https://www.forbes.com/councils/forbestechcouncil/2024/09/27/why-your-business-should-consider-an-appsec-program-in-2025/

Torq

Torq excels in key areas such as case management, collaboration, automated alert prioritization, triage, autonomous operations, and security validation. It has earned high marks across multiple criteria and boasts a strong customer base. According to an IDC report, hyperautomation in security enhances network protection by predicting gaps, assessing vulnerabilities, and providing comprehensive visibility and control over all processes and environments. https://torq.io/

Cybeats SBOM Studio

Cybeats SBOM Studio is an enterprise solution that enables organizations to track and manage third-party components integrated into their software. It helps document software origins, plan maintenance, and prevent security issues over time. Key features include supply chain screening for transparency into software provenance, continuous security risk assessments to support DevSecOps practices, software license compliance analysis, and insights into the impact of vendor vulnerabilities or component end-of-life. SBOM Studio supports standards like SPDX and OWASP CycloneDX for software component documentation. https://www.cybeats.com/sbom-studio

DefectDojo Secures $7 Million Funding to Drive Innovation in Application Security

DefectDojo, a leader in scalable application security, announced a $7 million funding round to meet growing demand and further its mission of connecting security strategy with execution for smarter risk management. Led by Iolar Ventures and Aspenwood Ventures, the funding will drive innovation, product development, and market expansion. With over 38 million downloads and integrations with 180+ security tools, DefectDojo is a trusted platform for application security and vulnerability management. Serving users from Fortune 10 companies to solo consultants, it stands as the only open-source solution in the Application Security Posture Management (ASPM) space. It aggregates data, automates workflows, and provides actionable insights to help organizations effectively manage and improve their security posture. https://www.businesswire.com/news/home/20240924680078/en/DefectDojo-Raises-7-Million-in-Funding-to-Accelerate-AppSec-Innovation

Global Security and Vulnerability Management Market Projected to Grow at 10% CAGR: Overview of Key Tools and Solutions

The global security and vulnerability management market is projected to grow at a CAGR of 10% during the forecast period. Various specialized tools are available for assessing security vulnerabilities, including web application scanners, network security scanners like Nmap and Wireshark for network devices, container security tools such as Docker Security Scanning and Clair for container images, and Cloud Security Posture Management (CSPM) solutions like AWS Security Hub and Azure Security Center for managing risks in cloud environments. https://www.openpr.com/news/3663307/security-and-vulnerability-management-market-is-likely

GitLab 17.4 Update: Enhanced Extensions, Intelligent Code Suggestions, and Advanced SAST Scanner

GitLab 17.4 introduces several updates, including integration with the Extension Marketplace for third-party extensions and enhanced code suggestions through GitLab Duo. Ultimate customers can also utilize a new scanner for Advanced Static Application Security Testing (SAST), leveraging technology acquired from Oxeye. This scanner aims to provide more accurate vulnerability detection with fewer false positives. https://www.heise.de/en/news/GitLab-17-4-makes-code-suggestions-more-dependent-on-context-9939131.html

Enhancing Application Security: The Role of ASPM and ASOC in Managing Risks

As organizations increase their use of applications, the complexity and volume of risks they face also rise, making it harder to maintain security. To tackle these challenges, two methods have emerged: Application Security Posture Management (ASPM) and Application Security Orchestration and Correlation (ASOC), which help organizations enhance their application security (AppSec). https://www.techtarget.com/searchsecurity/tip/ASPM-vs-ASOC-How-do-they-differ

U.S. Department of Commerce Proposes Ban on Chinese-Made Vehicle Components Over National Security Concerns

Ahead of the end of President Joe Biden's administration, the U.S. Department of Commerce proposed a ban on Chinese-made components and software in vehicles connected to U.S. road systems, citing national security concerns. This move would essentially block the entry of Chinese cars and trucks into the U.S. market. https://voi.id/en/otoinfo/419032

U.S. Army Adopts SBOMs in Software Procurement and Modernization Efforts, Leveraging Open-Source Tools for Enterprise-Scale Analysis

Large enterprises are increasingly requesting Software Bills of Materials (SBOMs), with suppliers like Splunk regularly providing them. Despite regulatory uncertainty, the U.S. Army has started incorporating SBOMs into procurement. Army Directive 2024-02 calls for modernizing software acquisition, and an August memo outlines SBOM policy, effective in late 2024. Jose Caseja from the Army discussed internal SBOM workflows and the use of open-source tools like Syft, Grype, Dependency-Track, and Bomber to analyze SBOM data and vulnerabilities during a CISA event. https://www.techtarget.com/searchitoperations/feature/366611692/US-Army-Lockheed-Martin-detail-SBOM-progress

Checkmarx Expands DAST Capabilities with ZAP Integration, Welcomes ZAP Project Leaders to Team

Checkmarx, a leader in cloud-native application security, has enhanced its open-source support by integrating with ZAP, the most widely used dynamic application security testing (DAST) tool. ZAP project leaders Simon Bennetts, Rick Mitchell, and Ricardo Pereira have joined Checkmarx to help develop the next generation of the company's enterprise-grade DAST solutions while continuing to contribute to the ZAP open-source community. This collaboration aims to advance both Checkmarx's offerings and the ZAP project. https://finance.yahoo.com/news/checkmarx-joins-forces-zap-supercharge-110000494.html

Grype

Grype is a vulnerability scanner for container images and filesystems. It is easy to install and works with Syft, a powerful SBOM tool that analyzes container images and filesystems to generate detailed software bills of materials. https://github.com/anchore/grype

SecObserve

SecObserve is an open-source vulnerability management system designed for software development and cloud environments. It integrates with various open-source vulnerability scanners and can be easily embedded into CI/CD pipelines. It consolidates results from different scanning tools, providing a centralized platform for assessing and reporting potential security flaws. https://github.com/MaibornWolff/SecObserve

Bomber

When you receive a Software Bill of Materials (SBOM) in JSON format for a closed-source product, the first step is to check if any listed components have security vulnerabilities and assess the licenses associated with them. This helps evaluate the risks of using the product. To streamline this process, you can use a tool like "bomber," which can analyze SBOMs in formats like CycloneDX, SPDX, or Syft (JSON or XML) and quickly identify any vulnerabilities in the components. https://github.com/devops-kung-fu/bomber