Welcome! This is a new feature that will be a weekly post where we address questions of interest to the Application Information Security Community. To that end, we’d love to hear your questions! Please Tweet us with the hashtag #ThinkAppSec or leave us a comment below and we’ll pick one or two questions from that list. Let’s get talking about Application Security!

Last week I had the good fortune to spend time with many top security, privacy and risk executives at the EWF National Conference. My questions for this week were inspired by the week of information sharing and discussion.

1. To settle or not to settle?

Though AppSec wasn’t top of the agenda, we did have an excellent discussion on integrating security into the mobile application development lifecycle during the session on Mobile Risk. For this session, Lynn Terwoerds (Director of Compliance, Oracle), Shira Rubinoff (Founder and President, Green Armour Solutions) and I presented the background information about the recent FTC settlement with a phone manufacturer.

Then we shared our thoughts on the impact of the settlement for software developers going forward. Finally, we asked the audience of ~200 professionals to break into groups and choose:

Would you agree to the Settlement or launch a challenge to the FTC complaint?

The answers were in favor of settling – but we did have participants from both sides present their reasoning in a point-counterpoint debate. After the debate the ratio shifted, but the majority still voted to settle.

So here’s a question for you – if you were the head of security or risk for a large company that creates and ships software, would you have settled or challenged? And why?


2. Software security in supply chain management

This question was part of the presentation by Edna Conway, Chief Security Officer, Global Supply Chain, Cisco.

Edna posited that yes, software security matters in supply chain management. Why? Because if the software used to track and inventory the assets in the supply chain isn’t secure, how can the assets being managed be accounted for and protected properly? How can logistics be tracked accurately if the software managing those logistics isn’t reliable?

Edna made a great argument for the criticality of securing the supply chain, and in addition to software security she also called out the need for robust access management, monitoring and physical security.
