Software developers admit releasing poor code, product warnings from Palo Alto Networks and VMware, and more.
Welcome to Cyber Security Today. It’s Friday, April 8th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Every employee has to do their part in making sure their organization is safe from falling victim to or enabling cyber attacks. That’s especially true of software developers. However, a survey of 1,200 developers around the world conducted for a company called Secure Code Warriors suggests other things are on their minds. When asked what their priority is when doing their job, code quality, application performance and solving real-world problems ranked first, second and third. Only 14 per cent of respondents said application security was their top priority. Sixty-seven per cent admitted they routinely left known vulnerabilities and exploits in their code before it was released. Why? Tight deadlines, prioritizing functionality over security, or because they simply did not have the required training or knowledge about how to fix security problems.
Palo Alto Networks is warning IT departments that firewalls using its PAN-OS operating system, its Global Protect App and its Cortex XDR agent are vulnerable to a bug in the OpenSSL library. If exploited, the hole can result in the application being victimized by a denial-of-service attack. Security updates will be available during the week of April 18th. In the meantime, operators with a Palo Alto threat prevention subscription can block attacks through mitigations. There’s a link to the document on this in the text version of this podcast. The Prisma Cloud and Cortex XSOAR products are not impacted by this vulnerability.
Meanwhile VMware released important security updates for Workspace One Access, Identity Manager, vRealize Automation, vRealize Suite Lifecycle Manager and VMware Cloud Foundation.
Another phony voicemail scam has been spotted. Security researchers at Armorblox say a threat group is sending emails with an attachment for a supposed secure voice message on WhatsApp. When a recipient hits play on the recording, malware is downloaded. Employees need to be reminded that malware is not only spread through infected documents; it can come from any message with an unexpected attachment.
IT leaders responsible for protecting customer data should know Canadians are getting tired of being defrauded in part due to identity theft. According to a survey released this week by Interac, which runs the IT network used by credit card companies, 78 per cent of respondents said they lack information on protecting their identity data online. One problem, says Interac, is Canadians aren’t being careful enough with their data online, such as being too open on social media. They also aren’t taking advantage of multifactor authentication offered by the online services they use. Interac says companies have a role in delivering solutions to improve the safety of customers.
That’s it for now. But don’t forget later today the Week in Review podcast will be out. Today’s topics include supply chain attacks and tabletop exercises.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.