Software Secured

📣 Join Us for an OWASP Ottawa Meetup! Discover CVE-2024-3661: A VPN Bypass or a Feature? 📣 On October 16, 2024, we’re hosting an insightful session on "TunnelVision (CVE-2024-3661)", a newly discovered vulnerability that can bypass VPN protections and compromise secure connections. 📅 Date: October 16, 2024 ⏰ Time: 6:00 PM EST - Arrival, setup, and pizza 🍕 📍 Location: 150 Louis-Pasteur Private, University of Ottawa, Room 117 Speaker: Harsh Makwana, M.Eng, Application Security Consultant at Software Secured What to Expect: Learn how this novel attack exploits network routing protocols to bypass VPN security, threatening the integrity of secure tunnels. Perfect for anyone passionate about network security and vulnerability discovery! 🔗 https://lnkd.in/e86jaa_i Don't miss out on this exciting opportunity to learn and network with fellow cybersecurity professionals! #OWASP #Ottawa #Cybersecurity #VPNBypass #Networking #ITSecurity

I recently had an interesting chat with a customer about preventing cross-site scripting (XSS). They were curious about the difference between input sanitization and HTML encoding. Here's how I broke it down: Both methods can help stop XSS, but HTML encoding often comes out on top. Here's why: 1. It's more flexible: Input sanitization can be a headache, requiring you to filter out or allow specific characters carefully. Some apps need to use certain characters that might get caught in the filter. 2. It works across the board: HTML encoding converts all characters to their encoded versions, making it a more universal fix. 3. It keeps the original meaning: HTML encoding lets the app show user input as intended without changing the original content. 4. It's simpler to implement: Setting up HTML encoding is usually easier and less likely to go wrong compared to creating a bunch of sanitization rules. 5. It can be faster: In many cases, HTML encoding is more efficient than complex sanitization algorithms. Keep in mind that the best approach often depends on your specific app's needs. But generally speaking, HTML encoding is a more solid and adaptable solution for preventing XSS attacks. What's been your experience with these methods? I'm really curious to hear your thoughts!

Hey LinkedIn fam! At Software Secured, we're all about making cybersecurity easy and effective. 💻 Whether you're in need of HIPAA compliance, SOC 2 certification, PCI DSS compliance, or a comprehensive penetration testing for your environment, we've got you covered! We understand the importance of protecting your data and your reputation, which is why our team is dedicated to providing top-notch services tailored to your specific needs. From thorough assessments to actionable recommendations, we're here to ensure your peace of mind in an ever-evolving digital landscape. If you're ready to take your cybersecurity strategy to the next level, I'd love to chat! Drop me a message, and let's discuss how Software Secured can safeguard your business. Your security is our priority! 🔐 #Cybersecurity #SoftwareSecured #HIPAA #SOC2 #PCIDSS #PenTesting

This is the best-orchestrated software supply chain attack to date! If you haven’t heard about the “xz Utils” backdoor. You should! “xz Utils” is a library that is commonly used in different Linux distributions. Someone just identified a backdoor that would allow a hacker to SSH their way into ANY machine with this library and would have admin privileges immediately. This is what happened: 1- In 2021, someone with the username JiaT75 made their first commit to an open-source library. Although the commit was named “Added error text to warning when untaring with bsdtar”. The change itself replaced safe_fprint function with its less safe version fprintf! Suspicious!! 2—The following year, JiaT75 submitted a patch to the xz Utils mailing list. Almost immediately, someone named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of the xz Utils library, hadn’t been updating the library well enough. 3- Soon after, a bunch of newbies also joined the library’s mailing list, basically backing up Jigar. Pressuring Collins to add another developer 4—JiaT75, who used the name Jian Tan, kept adding more commits to xz Utils, getting more involved. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious change about to happen. 5- In February 2024, Tan issued commits for version 5.6.0 and 5.6.1 of xz utils. The updates implemented the backdoor. Tan and the others now appealed to developers of Ubuntu, RedHat and Debian to merge the updates. 6- Luckily, only Fedora, Debian, OpenSUSE and Kali Linux merged. If Ubuntu and the others would have merged that change, it would have been a massacre. What’s interesting  is that this master plan attacked exactly where open-source is strong: trust, community and democracy!! Read more information here https://lnkd.in/emR_jRbH

Hear from Sherif Koussa of Software Secured as he shares the CEO's perspective on common security program pitfalls that start-ups face during the early stages of building their business. Watch the recording: https://hubs.ly/Q02qb0tS0

“Dave, what’s your secret!!” - I said to my Security Director customer Dave is the security director of a company that processes nearly 200 million transactions per year! “it seems like you have a very good relationship with your development team,” “You guys are always on time fixing most of the vulnerabilities we uncover” - I continued Dave looked at me and laughed :) Sensing that Dave does not want to let in easily, I continued: “Dave, you have 5 product lines, how many dev teams are there?” - I asked “8” - Dave answered with a smile “You guys must have a great culture internally” - I asked “Not necessarily!” - Answered Dave nervously “You don’t report to the CTO, do you?” - I asked “No, I report to the CIO” - Said Dave “What’s your secret then?” - I said “I explain what happens if we didn’t fix a particular vulnerability ” - He said “Tell me more!! U mean what an attacker can do!” - I said “No, they are immune against the attacker angle” - He said “How then?!” - sensing a gem coming from Dave “I know where as a business we are hurt the most, and I use that to explain the consequences” - He said “I still don’t understand” - I said sensing that Dave might be looking to protect his secret “For example, I know it costs us $100,000 for every hour of downtime, so I simply tie a vulnerability that has a side effect of denial of service to this number, all of a sudden the conversation is not about IF we fix it, it is about WHEN and HOW we fix it” - said Dave Looking at Dave as he just invented fire! “WOW, interesting, how did you get the $100k figure” - I said “It took some digging, some conversation with DevOps, some peaking into contracts but it is not hard to get once you know where to look” Here are my takeaways from my conversation with Dave 1- Technical risk is only appreciated within the security community, Business risk is universally understood within the organization. 2- Communicating business risk based on technical risk is so underrated. It sounds so simple, but very few security folks do it. 3- Security is not a goal in itself; it supports business goals, and we need to act as such.

1 DAY LEFT to register! 🗓 ⏰ 🚨 If you have been tasked with owning the security program at your growing SaaS company, this is the webinar for you. Attendees will receive: 📕 Investing in Quality Security Guide 📘 SOC 2 Readiness Guide from Eden Data Register here: https://lnkd.in/gVsn89wF

Join Software Secured's Sherif Koussa and Kassia Clifford along with Eden Data's Dominique Singer to get the inside scoop on how SOC 2 can help you accelerate sales 📈 If you have been tasked with owning the security program at your growing SaaS company, this webinar has you covered. When? 🗓: March 7th 11 AM CST/12 PM EST/ 9 AM PST Register below 👇 https://lnkd.in/ebwVsfCN #techwebinar #soc2 #soc2compliance #techevents

It's 2024, it's time to view SOC 2 from a different perspective: 𝗙𝗿𝗼𝗺 𝗰𝗵𝗲𝗰𝗸 𝗯𝗼𝘅 𝘁𝗼 𝘀𝗮𝗹𝗲𝘀 𝗲𝗻𝗮𝗯𝗹𝗲𝗿. Join the webinar “𝗜𝗳 𝗦𝗢𝗖 𝟮 𝗶𝘀𝗻’𝘁 𝗔𝗰𝗰𝗲𝗹𝗲𝗿𝗮𝘁𝗶𝗻𝗴 𝗦𝗮𝗹𝗲𝘀, 𝗬𝗼𝘂’𝗿𝗲 𝗗𝗼𝗶𝗻𝗴 𝗶𝘁 𝗪𝗿𝗼𝗻𝗴!” Witness an insightful discussion between Eden Data-Software Secured's power trio: Dominique Singer, Sherif Koussa, and Kassia Clifford.

[Cue Sub Sonar Sound] Put this session on your calendar to hear how Compliance can actually be a business-enabler! Our goal is to present considerations for the importance of a quality #cybersecurity foundation, leveraging SOC2 as a perfect starting point, and building from that to gain greater marketshare from your competition. I'll be joined by our Advanced Pentesting Partner, Software Secured, and the goal is to make this fun, lively, accessible, and not "heady" - but at the end, we'd rather just hear your questions, so sign up - and we'll see you there!