Monthly AppSec News Round Up — July 2021 Edition

In the weeks leading up to Black Hat, there has been no shortage of news impacting the security industry. From the attacks against iPhones using Pegasus software, to Verizon’s collaboration with Google to roll out end-to-end encryption for users, the NTT Application Security team continues to be at the forefront of these conversations, sharing their unique viewpoint and giving critical insight on the topics shaping the cybersecurity landscape.

Below is a peek into some of the events that impacted the security industry last month:

July 20: Amnesty International and Forbidden Stories found evidence that NSO Group’s Pegasus software was being used to target the Apple iPhones of journalists, activists, government officials, and business executives.

Setu Kulkarni, VP of Business Development and Corporate Strategy at NTT Application Security, spoke with Threatpost, eSecurity Planet, Security Boulevard, and Security Magazine on the topic. He shared that this occurrence is a wake-up call for security researchers to back up these large organizations as they combat spyware threats.

“This provides a time for us to get behind Apple and others (including Google) as they up the ante against what was originally intended to be ‘spyware’ for societal good,” he said. “For Apple and other manufacturers, this is a moment of reckoning to get further entrenched with the governments to create more checks and balances while they make their platform more impenetrable for bad actors.”

July 20: That same day, it was announced that Verizon would be partnering with Google to roll out the Rich Communications Service (RCS) standard to Android users. Users can expect Messages by Google to be preloaded onto every Verizon Android device by 2022.

Kulkarni again chimed in with his perspective on the issue in a ZDNet article, saying that the move marks Verizon taking a heavier burden of responsibility to keep its customers’ personal and private data secure from data breaches.

“Since the app is backed by Google, there is certainly a greater degree of confidence that security measures are taken but let’s not forget that the state of cybersecurity is dynamic — and that no app is guaranteed to be breach free forever.”

July 13: Security reporter Alexander Culafi broke down an issue that has presented a frustrating challenge for security teams – exploitation continuing even after patches are released.

Kulkarni noted in the SearchSecurity article that, although the intent for improved security has significantly increased, there are issues in translating that intent into practice. He stressed that security needs to become a board-level conversation.

July 1: Earlier in the month, a report from vulnerability management platform Outpost24 revealed some shocking results about the cyber hygiene of insurance companies. It found that the top European insurers have an average attack surface score of 38.10 out of 58.24. To put this in a bit more context, credit unions received a much better score of 16.39. In fact, the top European insurer had an attack surface score of 53.87.

Kulkarni provided his analysis on the results in a Security Week article. He shared that although these problems aren’t unique to the insurance industry, the applications examined have both east-west and north-south dependencies, which highlights the inherent complexity of securing these applications.

“While applications themselves are vulnerable, they also inherit vulnerabilities from the other applications and components they are dependent on – for example, if an application is using a vulnerable third-party API, the application itself is now at risk of being breached.”

The security industry, researchers, and organizations have remained on their toes this entire year, and the pace isn’t slowing down. NTT Application Security will continue to provide a key perspective from our world-class research team and leaders who have an inside look at the threat landscape.