Search This Blog

Showing posts with label SCA checks. Show all posts

Commercial Third Party Code Sources Pose Security Risks

 

Despite the fact that the use of third-party code in IoT projects has increased by 17 percent in the last five years, according to VDC Research, only 56 percent of OEMs have structured security testing policies. Meanwhile, 73.6 percent of respondents said protection was essential, very important, or critical to current projects when asked how important, very important, or critical it was. 

For years, the rate of required innovation outpaced the rate of resource growth within production and quality assurance organizations, making it difficult to keep up organically. With organizations no longer able to focus their code development strategy on custom code, using content from other sources has become more important. 

Because of the possible consequences for corporate harm, liability, and brand reputation loss, protection has become a pervasive and paramount concern in the software supply chain. 

“With more complex software supply chains becoming the norm, organizations are leaning on these third party assets to accelerate their internal software development, which creates security blind spots,” said Chris Rommel, EVP, IoT & Industrial Technology for VDC Research. “With standards such as IEC 62443 requiring increased security of IoT devices, new testing capabilities are needed to address these software creation changes to ensure code quality and minimize risk.” 

GrammaTech, a provider of application security testing tools, launched a new approach in 2020 aimed at exposing vulnerabilities in third-party code used in the production of custom applications. It was called CodeSentry, and it used binary software composition analysis (SCA) to create the code and find any bugs it might have. 

"Using third-party components, rather than building applications from scratch, is an accepted practice for accelerating time to market, and is fueling a massive growth in reusable code," said Mike Dager, CEO of GrammaTech, in a statement. "Most organizations now recognize the security risks that third-party code poses to their applications and business, and the need for software composition analysis provided by CodeSentry, which inspects binaries for unmatched precision."

“Commercial third party code, which is the fastest-growing component software within the IoT market, can contain both proprietary and open source components,” said Andy Meyer, CMO for GrammaTech.

Banking customers are tricked by SCA checks

Online scammers are using changes to European banking rules around customer authentication to trick consumers into handing over their sensitive financial details, according to Which?

The consumer rights group warned that attackers are spoofing the emails being sent from banks, payment firms and e-commerce providers asking for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.

Firms across the EU are gearing up for the changes, part of PSD2, which will require a form of two-factor authentication on any online transactions over €30, although some exceptions apply.

Ironically, payments providers and e-commerce firms in the UK have been given a further 18 months to comply with the new rules, originally set for a September 14 deadline.

Yet that hasn’t stopped the scammers: Which? claimed it has already spotted phishing emails imitating emails from Santander, Royal Bank of Scotland (RBS) and HSBC.

Urging the recipient to update their banking information ahead of “new procedures,” they include links designed to take the victim to a legitimate-looking page designed to harvest banking details.

Which? argued that in many cases, legitimate brands are making it harder for consumers to spot phishing emails, by including links in their own emails, and by using multiple unusual domains for various landing pages.

The group claimed that 78% of its members think banks and other financial firms should never include links in emails, to make phishing attempts easier to spot.

Tripwire VP, Tim Erlin, agreed, arguing that companies can’t simultaneously tell customers not to follow links in emails but then continue to send them emails urging them to click through.

“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails,” he added.

“Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.”