Myrror Security

Rise Above the Software Composition Analysis Noise

About us

Myrror is the first Software Supply Chain Security solution that detects supply chain attacks and prioritizes risks according to reachability & actual exploitability, saving application security teams time and money.

Website
https://myrror.security
Industry
Software Development
Company size
11-50 employees
Headquarters
Tel-Aviv
Type
Privately Held

Updates

  • Myrror Security

    Meet the people behind the Myrror 🪞 – introducing Yogev Gabrielovitch
    ✨ Myrror’s Sr. Software Engineer
    ✨ Responsible for developing ETLs that drive our core machine learning algorithms, ensuring our platform operates seamlessly and evolves to meet user demands.
    ✨ Owner and best friend to Sammy, who doubles as Myrror's office dog – spreading cheer, cuddles, and sniffing out malware and vulnerabilities.
    Let's give it up for Yogev 👏

  • Myrror Security reposted this

    Yoad Fekete, Co-Founder & CEO at Myrror Security | DevSecOps Enthusiast

    OWASP Lisbon has proven to me that Software Supply Chain Security is a top priority, and I enjoyed every second of talking with AppSec/DevSec leaders and engineers. I’ll be heading out to Security BSides Kraków to give a talk about Supply Chain Attacks that have been detected by accident, and how to solve them. Thank you Cássio Batista Pereira for the continuous support of the DevSec community and for building this event from scratch.

  • Myrror Security reposted this

    Yoad Fekete, Co-Founder & CEO at Myrror Security | DevSecOps Enthusiast

    Software is hard to build and maintain. Not reducing any responsibility here, but my heart goes out to the CrowdStrike team and their customers (who will hopefully get to also enjoy their weekend and to work through it). But, instead of just sharing compassionate words – here’s an automated way to solve that with Group Policy: https://lnkd.in/ecwU7CQQ Thank you Arda B. for sharing this.

  • Myrror Security reposted this

    Yoad Fekete, Co-Founder & CEO at Myrror Security | DevSecOps Enthusiast

    I’m not happy to see our people work this late. A customer had a bug. It could have waited until today, but the team wanted to make sure that when the customer logs in this morning, they see that they're a first priority, because this is how we roll. There's not a pizza party in the world to make up for that. Working with this team of people fills my heart and battery to 200%, every day. All I can promise is that I’m doing my best to ensure that they will be rewarded for their efforts. Eyal Levin Myrror Security Matan Toledano

  • Myrror Security reposted this

    Yoad Fekete, Co-Founder & CEO at Myrror Security | DevSecOps Enthusiast

    This is for people who keep telling me that they feel safe because they verify the signature of whatever they download. Don't. Similar to how the 3CX attack started with the X_TRADER initial supply chain vector - we tend to trust “Signatures” and “Antiviruses” for verification of software -> Not enough. Another thing that I don’t appreciate is the sweeping under the rug that we see here, and we’ve seen with the 3CX attack: “It’s currently not clear how the official domain “conceptworld[.]com” was breached to stage the counterfeit installers.” In the image, the company declares without hesitation that the software has no malware.

  • Myrror Security

    Platform update: Scan engines
    Myrror uses two cutting-edge engines:
    1. Our Supply Chain Attack detection engine
    2. Our Vulnerabilities Detection & Prioritization engine
    You can now have granular control over where to activate each module, from the organization level, all the way to the micro-service level.

  • Myrror Security reposted this

    Yoad Fekete, Co-Founder & CEO at Myrror Security | DevSecOps Enthusiast

    I love controversial pictures, but this one is to actually say/ask — maybe it’s not a fire alarm? Let’s talk about risk management and context: We all know that upgrading major versions is a big pain, so how can we prioritize? Context - Code Context, Environment Context, Application Context.
    ↳ 2.8% are still using versions of Log4j with the Log4Shell vulnerabilities - this is not cool because it’s not complex to exploit, and there are fixes. I would definitely not take the risk.
    ↳ 3.8 percent of applications are still using Log4j2 2.17.0, which is patched against the Log4Shell vulnerability but contains CVE-2021-44832.
    ↳ 32 percent of applications are using Log4j2 1.2.x, a version that reached end-of-life in August 2015 and is no longer supported with patches. These versions contain 7 high-risk and critical vulnerabilities. For these, the exploitation process is more complex.
    ↳ e.g. - for 1.2.x - CVE-2022-23305 (Deserialization RCE): Requires detailed knowledge of the application’s serialization processes and an injection point for untrusted data.
    So, let’s say a server has the vulnerability above. If it is not exposed to the Internet and there is no input from a user, can we contain the risk? In my opinion, yes.
