Tag: IoT

Fasoo Launches Sparrow on Cloud, SaaS version of SAST

SPARROW, a static code analysis application, is now available as a Software as a Service (SaaS) offering to help organizations quickly detect critical software vulnerabilities at the early stages of software development. “SPARROW on Cloud”, SPARROW’s cloud solution, is an agile, flexible, reliable and cost-effective solution that allows organizations to easily manage application security challenges.

“IoT has brought an upsurge in new software that connects and operates everything from cars to medical devices and with that, enormous risk at the development level,” said Fasoo’s CEO Dr. Kyugon Cho. “Providing software developers with a cloud based application security testing solution was the logical next step for Fasoo as it is so essential for software to be secure at the code level.”

Unlike other static application security testing (SAST) solutions, SPARROW analyzes source code with a robust static analysis engine that uses a deep semantic method to find vulnerabilities that other SAST applications may have difficulty identifying. The solution is designed to enforce multiple policies dynamically for different projects or users/groups, and offers faster analysis speed (1M LOC per hour) with accuracy (OWASP benchmark score: 94.8). In addition, SPARROW enables organizations to identify and fix issues by leveraging machine learning and automation features like:

  • Intelligent Issue Clustering: SPARROW categorizes similar issues in groups that allow organizations to identify and correct issues efficiently.
  • Active Suggestion: SPARROW not only identifies software vulnerabilities, but also can help remediate code using automated code suggestions.
  • Issue Classification: SPARROW analyzes, ranks, and prioritizes high priority issues in an easy to read dashboard display.
  • Advanced Issue Filtering: SPARROW provides detailed filter options for the detected issues (e.g., source API, sink API, called method, etc.).

SPARROW is used by government agencies, corporations and anyone developing embedded software that requires a very high level of software quality. The SAST version of SPARROW is also used by government and the financial industry which aim to eliminate security weaknesses from their source code.

Fasoo is offering a limited introductory promotion for the cloud version of SPARROW. By purchasing a subscription between January 17, 2017 and March 30, 2017, customers will get the equivalent amount of extra time at no extra cost. For example, if customers select a one month subscription (Silver) they will receive an extra month free. Please click here for more information about SPARROW on Cloud.

Cyber Security Takes Center Stage at Stevens Institute Of Technology

Fasoo and the New Jersey Technology Council sponsored “Closing the Threat Gap: Executive Perspectives on the Cybersecurity Landscape” at the Stevens Institute Of Technology in Hoboken, New Jersey on October 26, 2016. The event featured cyber security leaders discussing the effects of internal and external threats to businesses. There was a great turnout with some existing Fasoo customers, executives, attorneys, risk officers, CISOs, IT and security professionals from numerous organizations in the greater NY area. Common feedback from the event was an appreciation for understanding the larger cyber security landscape and how everything from drones to DDOS attacks can affect their companies and personal lives.

Dr. Larry Ponemon, Chairman of the Ponemon Institute, was the first keynote speaker. He talked about the increased threat landscape and how trusted insiders are fast becoming one of the main threats to organizations.  Citing from the recent study “Risky Business: How Company Insiders Put High Value Information at Risk“, he emphasized how ill prepared many companies are to detect and prevent data breaches from trusted insiders with over 70 percent of companies not confident they can manage and control employee access to confidential files.  Dr. Ponemon also talked about results from “The Rise of Nation State Attacks” citing organizations’ lack of readiness to respond to nation state attacks due to an uncertainty as to what a nation state attack is and how to identify the key characteristics, methods and motives of these attacks.

Mark Lobel, US and Global TICE Cybersecurity Leader at PwC focused his keynote on results of the recent PwC “Global State of Information Security Survey 2017”.  Mark mentioned that spending on security is increasing in most organizations and many are realizing that they have to concede the perimeter.  With increasing threats and the landscape constantly shifting to include IoT devices and greater mobility of the workforce, the need for better threat intelligence, monitoring and protection of high value assets is greater than ever.  We still need perimeter security, but companies need to focus on preventing the exfiltration of sensitive information from either hackers or insiders through sophisticated means.  Mark used the analogy of cyber security being like a game of chess with the kings removed. You can never win and it’s a constant battle to keep ahead of the exploits and vulnerabilities.

A panel discussion moderated by Dr. Paul Rohmeyer, Associate Professor, Information Security Management and Risk Assessment at Stevens, discussed recent cyber security events and some major trends going forward. The panel consisted of Mark Lobel, Dr. Larry Ponemon, Michael Frank, President at Secure Business Strategies, and Mike Miracle, an executive at BlackRidge Technology. There was a lively discussion of the recent DDOS attack that crippled major websites, like Netflix and Twitter. This led to audience interaction as the panel and audience members discussed who is responsible for security related to a product. Should the manufacturer build security into the product, or is it the responsibility of the organization implementing the product to ensure the network and access to the product and its data is secure? Or in the case of DDOS, is it up to the telecoms to block that traffic?

In the case of IoT devices, like those used for the DDOS attack, the consensus was the manufacturer needs to build security in, but in many cases there are no standards or certifications available to ensure security.  One panelist mentioned wanting something similar to the Underwriters Labs (UL) mark to ensure safety and security.  There were discussions about the increasing sophistication of attacks from hackers and how best to prevent taking down your systems or more commonly stop someone from stealing your most sensitive information.  It is most important to secure the data so that if it gets into the wrong hands, it is protected.

There was one question from the audience about legal responsibility when organizations share information on attacks with the goal of improving their security. The guidelines of what to share and how are still being developed and debated.  Numerous Information Sharing and Analysis Organizations (ISAO) do exist, but the sharing of attack and vulnerability information is still a work in progress. It may make sense technically to share, but if you are sharing sensitive data with a competitor that might potentially use it against you, you are less likely to share it.

There was also a lot of discussion on how process and policy needs to go hand in hand with technology. While the goal is to simplify security so that the user is unaware of it, the reality is that policy and process are needed to guide technology. I can have the best technology, but if it’s not used properly and people ignore security basics, they will ultimately get in trouble.  Organizations need a combination of good policy, process and technology.  While the goal is to improve our machine learning capabilities to take the human out of the cyber security decision tree, people are still at the heart of the problem and solution.

Fasoo Had a Busy Month in October Showing Data Security Solutions

The month of October was very busy for Fasoo as we were all over the US talking to people about data-centric security and how it is the best solution to protect your sensitive information from insider threats and external hackers (APTs).

We started the month by attending the Rochester Security Summit in Rochester, NY.  This two-day event brought together executives and technical staff from numerous organizations in the Rochester area to share intelligence on how to protect their businesses from cyber attacks.  Fasoo was part of a vendor pavilion with our partner Brite Computers showing attendees how to protect data localized from databases, files downloaded from content management systems and those shared through the cloud and on mobile devices.  Ron Arden, Vice President – North America, presented to a packed room on “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” as part of the Threat Landscape track at the event.

The following week saw Fasoo sponsoring an executive luncheon on The Internet of Things (IoT) at the Nasdaq Marketsite in New York City. The event was put on by the National Cyber Security Alliance (NCSA) as part of National Cyber Security Awareness Month (NCSAM). Bill Blake, President – North America, and Ron Arden got to participate in the luncheon and spoke to the numerous executives and government officials. We were even part of the closing bell ceremony; look for us around 1:00 into the video. With all the interest in IoT devices and the tremendous data that each will generate, Fasoo was educating people on how to protect the information collected and ensure that PII, PHI and other personal data is protected.

We finished the month in Las Vegas at the IBM Insight 2015 conference. Fasoo was a Silver Plus Sponsor, so we had a booth right in the middle of all the action. Security and analytics were big focuses of the conference this year as many organizations are trying to understand where they have sensitive information (the crown jewels) and how best to protect it from internal and external threats.

Bill Blake, Ron Arden and National Account Manager Alper Kizar were all in Vegas talking to customers, IBM staff and generally enjoying the warm weather.  Bill presented “Closing the Threat Gap: A 21st Century Approach to Minimizing Risk” to an enthusiastic audience at the Expo Theater.  Our partners Dayhuff and Neocol joined us in the booth and throughout the conference as many attendees were talking about securing the mountains of unstructured data in their companies.  Of course Vegas would not be complete without some fun, so Dayhuff held its annual get together at the Ri Ra Irish Pub.  The Irish definitely make some great beer and it was great to unwind with everyone after a long day at the conference.

During the different events, I heard a lot of recurring themes from attendees, vendors, speakers and security professionals.  I think they show the challenges CISOs, CIOs and other executives face as they try to move their businesses forward in an ever changing security landscape.  Here are a few of them.

  • Corporations do not have perimeters anymore
  • Security is everybody’s job
  • Monitoring data is hard; it’s like dust, it’s everywhere
  • Users are very naive about security and need to be educated
  • More than half of all data breaches are caused by human error
  • When you increase where the data is, it increases the risk
  • Being compliant doesn’t mean you are secure

Fasoo has the best approach to address each of these points through strong file encryption and persistent security policies that travel with the data.  Access to sensitive data is controlled through good identity management that ensures your sensitive data is protected and controlled regardless of location or device.  Working with existing applications and workflows makes it very easy for users to apply security to files, since they don’t have to think about it.  Automatic security policies apply the right level of access control as soon as someone creates a file.  This makes it easy to control unstructured data, whether it’s created locally or downloaded from an existing information system.

Check out some of the pictures from our busy October as the weather turns colder and the end of the year is in sight.  Hopefully we can help you create a secure work environment by protecting your most sensitive information from getting into the wrong hands.

Stay One Step Ahead Of The App Hackers

I recently wrote an article about hackers getting iOS App developers to use a bogus Xcode development kit downloaded from a Chinese site to create applications. The development kit contained malicious code that caused all types of security problems in iPhone and iPad apps. Read the entire article here.

This is a new frontier for hackers.  Rather than attacking perimeter security defenses, like firewalls and end point encryption applications, the hackers are getting developers to embed security vulnerabilities into their code.  This essentially bypasses the middle man, since the applications are already compromised.  Hackers just need to activate malicious capabilities to steal sensitive information or compromise systems.  It’s a clever ploy and takes these attacks to a new level.

Fortunately there is a way to thwart these attacks.  Using a semantic-based static analysis tool helps developers discover and eliminate these security vulnerabilities in the source code.  It can analyze millions of lines of code quickly and locate bugs, security holes, runtime errors, hard-coded passwords, cross-site scripting, SQL injections and more at the early stages of software development.

Most organizations and regulations now demand that developers follow secure coding compliance requirements for software development. This is in reaction to major incidents of cyber terrorism and events like the compromised App Store applications. According to NIST, organizations that detect and remove security weaknesses before completing development can reduce the expense by up to 30 times compared to finding and removing those weaknesses after development. The use of a semantic-based static analysis tool is the only way to detect all of these security weaknesses within the source code before it is released.
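To make concrete what a source-code analyzer does when it reports a tainted source flowing into a sink (the “source API / sink API” filters mentioned in the SPARROW feature list above) and when it flags a hard-coded password, here is a small illustrative analyzer added for this page. It is not SPARROW’s code or any Fasoo code; it walks the Python AST, propagates taint from a hypothetical source catalogue (`request.args`, `request.form`, `input`) through assignments, string concatenation and f-strings, reports any tainted value reaching a `cursor.execute()`-style sink, and reports string constants assigned to names that look like secrets. The scanned module and the source/sink lists are constructed sample data, not from the post.

```python
import ast
from dataclasses import dataclass

# Constructed sample module to scan (not from the post): one hard-coded
# password, one SQL query built by concatenating request data, and one
# correctly parameterized query that must NOT be flagged.
SAMPLE_SOURCE = '''
import sqlite3
DB_PASSWORD = "hunter2"

def lookup(request, conn):
    user = request.args["user"]
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cur = conn.cursor()
    cur.execute(query)
    safe = "SELECT * FROM users WHERE name = ?"
    cur.execute(safe, (user,))
    return cur.fetchall()
'''

# Hypothetical source/sink catalogue (an assumption for this example; real
# tools ship far larger, framework-specific catalogues).
TAINT_SOURCES = {"request.args", "request.form", "input"}
SQL_SINKS = {"execute", "executemany"}
SECRET_NAMES = ("password", "passwd", "secret", "token")


@dataclass(frozen=True)
class Finding:
    kind: str    # "sql-injection" or "hardcoded-secret"
    line: int    # line in the scanned source
    detail: str


def _dotted(node):
    """Render a Name/Attribute chain such as request.args as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class Analyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # names currently holding attacker-influenced data
        self.findings = []

    def _is_tainted(self, node):
        """Intra-procedural taint check over the expression forms we model."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Subscript):
            return _dotted(node.value) in TAINT_SOURCES or self._is_tainted(node.value)
        if isinstance(node, ast.Call):
            return _dotted(node.func) in TAINT_SOURCES or any(self._is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):   # string concatenation keeps taint
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):   # f-string interpolation keeps taint
            return any(self._is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassignment clears taint
                if (any(s in target.id.lower() for s in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    self.findings.append(Finding("hardcoded-secret", node.lineno, target.id))
        self.generic_visit(node)

    def visit_Call(self, node):
        # Sink check: first argument of execute()/executemany() must be untainted.
        if isinstance(node.func, ast.Attribute) and node.func.attr in SQL_SINKS and node.args:
            if self._is_tainted(node.args[0]):
                self.findings.append(Finding("sql-injection", node.lineno,
                                             f"tainted query reaches {node.func.attr}()"))
        self.generic_visit(node)


def scan(source):
    """Return the list of findings for one module's source text."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} ({f.detail})")
```

Run as a script it reports the hard-coded `DB_PASSWORD` on line 3 and the concatenated query reaching `execute()` on line 9, while the parameterized query on line 11 is silent; that distinction between a tainted query string and a tainted bind parameter is exactly what a semantic analyzer has to get right to keep false positives down.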

As everyone relies more heavily on apps, especially with the emergence of IoT (Internet of Things), hackers will go where the sensitive and private information lives. Your phone and tablet can access a lot of sensitive personal and business information, giving attackers a lot of bang for the buck. Stopping bugs and security vulnerabilities before you create and release your apps ensures that users of those apps can do so safely without concern for a data breach. Stop the bugs before they stop you and your users.

Photo credit Brian Klug

Data Security’s Impact on Internet of Things

According to Gartner, Inc., by 2020, 25 billion Internet connected “things” will be in use. The Internet of Things (“IoT”) has rapidly become one of the most used expressions across business and technology. IoT is defined as “a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”

Now, how does data security play into this? Well, there are very clear data collection guidelines that companies and public organizations must abide by in the EU; the US, however, has yet to adopt a single data protection law comparable to that of the EU. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap. Either way, when it comes to ‘things’ collecting data, there are as yet no standard guidelines, laws or regulations on securing this data. With a recent study estimating 13 billion ‘things’ collecting data – and that number will nearly double within five years – everyone should be concerned. If this data is not secure, hackers and insider theft could cause catastrophic damage.

It is vital that this data is secured, and even more so encrypted, in order to avoid not just theft of data but also data being deliberately miscommunicated to cause harm by terrorists. This may seem extreme to some, but with recent cyber attacks reportedly coming from state governments and terrorist groups, is it even worth taking our chances by not securing this data?

Although there are some benefits such as smart cities, better healthcare through remote sensors and better ways of targeting consumers for businesses, government and consumers, we are handing over a lot of data without perhaps realizing it.

When we encrypt the data and apply persistent security policies to it automatically, sensitive data is protected regardless of where it is or how it is transmitted. If those collecting the data, whether inside or outside of the organization, tried to use it for any other purpose and tried to open it without the proper authorization, they would be denied access to the data.

The future and promise of the IoT is huge, but so is the potential for security breaches and threat gaps. Every organization that deals with data collected from these IoT devices must rethink how to protect these massive amounts of data. Protecting it with data-centric security will ensure that the data stays secure and that consumers will continue to use these ‘things’ for the convenience they were intended to provide, with the assurance that their data is secure.

Photo credit by: Playing Futures: Applied Nomadology
