
Learn cybersecurity basics with this course bundle deal. (Image: StackSocial) If you’re interested in a career in IT, you don’t have to get a formal education to begin your training – and you may not want to. Considering the steep learning curve of the industry, it may be worthwhile to start your education before you […]

Samsung’s Neo QLED QN90F 100-inch TV is impressive to see in person. (Image: Kerry Wan/ZDNET) Cinema-sized TVs have gained a small but dedicated following since brands like Samsung and Hisense unveiled their super-sized models earlier this year. And if you’ve been on the fence about buying one for your own home theater, Samsung is offering a free 65-inch Crystal UHD U8000F TV when you purchase either a 98-inch QN90F

With major cyber attacks on critical infrastructure such as the SolarWinds attack, the Florida water treatment facility hack, and the Colonial Pipeline ransomware crisis on the US East Coast, the security of products — and not just information systems — really needs to be taken more seriously, argues Chris Wysopal, founder and CTO of code scanning company Veracode.

While the CISO protects information in the enterprise, Wysopal is arguing this week at the RSA 2021 conference that products need the same level of attention as enterprise information systems. His call for greater focus on product security comes as supply chain attacks are on the rise and governments across the world attempt to grapple with the problem of tampered-with products entering an organization.

“Products are different. Products leave the enterprise. Think of Tesla’s product security. It’s the car. You could think of a medical device company, but even in more information-oriented companies, it’s an app, it’s a standalone website and they’re starting to become outside of the enterprise. They have a life of their own,” Wysopal tells ZDNet.

Wysopal is a notable figure in the cybersecurity scene: he was one of the original vulnerability researchers and one of the seven members of the L0pht ‘hacker think tank’ who told the US Senate in 1998 that the group could bring down the internet in 30 minutes.

Wysopal reckons products like these need a C-level exec with a better engineering skillset than a CISO typically has — a role more focused on monitoring networks and systems to keep hackers out.

“Historically, a CISO has not been required to build security into a piece of software or a device,” he says. “The traditional CISO doesn’t have that security engineering and product engineering background. They traditionally have grown up through compliance or network security, and they don’t have the understanding of software or code-level vulnerabilities. So you’ll have a lot of times where you have product security not reporting to a CISO, but reporting to the VP of engineering.”

At Veracode, the CISO reports to him as the CTO, while his head of product, who sits at a director level, also reports to him. “Product security is a separate function, even at Veracode. And we’re a software-as-a-service company. We don’t ship any products or anything IoT, which I think really requires an elevated product security person.”

“It’s more important than the security of the rest of the business,” he argues, adding that at some point, apps become the product rather than just an extension of backend systems. This is relevant to the banking, insurance, retail, government and other sectors that now create apps that differentiate the business from competitors. “The risk of that software starts to become more important,” he says.

And attackers are getting ever smarter, as shown by the SolarWinds attack. “When someone is planting a sophisticated backdoor, you’re not going to be able to detect it just by looking at the code,” he says. “That’s why the integrity and security of the software development pipeline has become so important. Because that’s how you protect against someone inserting a backdoor like in SolarWinds. So instead of hoping to look at that binary artifact at the end and hoping to detect it — that’s not a good solution to this type of attack.”

The solution, he says, is to have good security on all the different parts of the pipeline. This includes making sure that developers who have permission to modify code use two-factor authentication when accessing a code repository to update code. They should also be cryptographically signing all the different artifacts that become part of the final build of a software product.

Wysopal is optimistic that US president Joe Biden’s cybersecurity-focused executive order will have a positive impact on how cybersecurity is handled in the private sector in the US. “We see that the requirements for doing business with the federal government will be adopted in the private sector. Enterprises in lots of different sectors will push this on to their vendors. Cyber insurance companies will look at this and say, ‘Hey, this is lowering the risk of the federal government and if you do these same practices, your insurance premiums will be less.’

“The federal government is setting a good example. Parallel to that, we see that Congress, which can pass laws that affect everyone doing business in the US. Congress will also learn from this and will codify some of this into law.”

In other words, Biden’s executive order, while only applying to federal agencies, could have major implications for classical critical infrastructure as well as banking, healthcare and other sectors the US considers vitally important. “That could be dictated by law. It might not just be the market making it happen,” he says.
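As an added illustration of the pipeline-integrity practice Wysopal describes (signing the artifacts that feed the final build and refusing to build if any of them no longer match), here is a small Go program. It is example code written for this page, not code from the article or from Veracode. It assumes a single ed25519 release key, a plain "name digest" manifest format, and constructed sample artifacts; a production pipeline would keep the private key in a protected key store rather than in process memory, and would use whatever signing format its build tooling already supports.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Artifact is one input to the final build: its name and contents.
type Artifact struct {
	Name string
	Data []byte
}

// digest returns the hex SHA-256 of an artifact's contents.
func digest(a Artifact) string {
	sum := sha256.Sum256(a.Data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest lists one "name digest" line per artifact. The manifest,
// not each artifact individually, is what gets signed, so the signature
// binds the whole set of build inputs together.
func BuildManifest(arts []Artifact) []byte {
	var b strings.Builder
	for _, a := range arts {
		b.WriteString(a.Name + " " + digest(a) + "\n")
	}
	return []byte(b.String())
}

// SignManifest signs the manifest with the release key (ed25519).
// Assumption: the private key is held by the pipeline's key store,
// never on a developer workstation.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyBuildInputs is the gate run before the build consumes artifacts.
// It checks the manifest signature first, then that every artifact present
// matches its signed digest and that none is missing or unlisted.
func VerifyBuildInputs(pub ed25519.PublicKey, manifest, sig []byte, arts []Artifact) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing to build")
	}
	want := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want[parts[0]] = parts[1]
	}
	if len(want) != len(arts) {
		return fmt.Errorf("manifest lists %d artifacts, build has %d", len(want), len(arts))
	}
	for _, a := range arts {
		expected, ok := want[a.Name]
		if !ok {
			return fmt.Errorf("artifact %q is not in the signed manifest", a.Name)
		}
		if expected != digest(a) {
			return fmt.Errorf("artifact %q was modified after signing", a.Name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifacts standing in for real build inputs.
	arts := []Artifact{
		{Name: "libcore.a", Data: []byte("compiled core library bytes")},
		{Name: "config.yaml", Data: []byte("feature_flags: [a, b]\n")},
	}
	manifest := BuildManifest(arts)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean inputs:", VerifyBuildInputs(pub, manifest, sig, arts))

	// Simulate an artifact altered between signing and the build step.
	tampered := []Artifact{
		{Name: "libcore.a", Data: []byte("compiled core library bytes + extra code")},
		arts[1],
	}
	fmt.Println("tampered input:", VerifyBuildInputs(pub, manifest, sig, tampered))
}
```

The point of signing the manifest rather than trusting digests stored beside the artifacts is that an attacker who can swap a build input usually can also rewrite an unsigned digest file next to it; only the key held by the pipeline can produce a manifest the gate will accept.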

McAfee has launched a selection of new cybersecurity offerings including remote browser isolation tools to tackle attacks in real-time.
On Thursday, the cybersecurity firm took to the stage at MPOWER Digital 2020 to introduce the latest capabilities of the McAfee MVISION Unified Cloud Edge (UCE) portfolio.
The first release of note is the integration of remote browser isolation (RBI) technology with the UCE real-time protection stack.
RBI technology, also known as browser isolation, moves a user’s browsing activity to a remote server. Web content is rendered there and only the rendered result is sent to the user, rather than the endpoint accessing the site directly. This could help protect remote workers from potential attacks — including web-based phishing campaigns and malicious websites containing exploit payloads — as well as corporate networks as a whole.
With the inclusion of new unified data loss prevention (DLP) and incident management upgrades across devices and networks, McAfee says that UCE now provides a “more comprehensive converged approach to security within the Secure Access Service Edge (SASE) framework.”
“The uncertainty of 2020 has forced enterprises to accelerate their cloud transformation projects to empower their remote workforces, resulting in a 50% increase in enterprise cloud use since the start of the year,” the company added. “However, this has exposed [..] significant security challenges.”
These problems include an increase in attacks against cloud services, brute-force attacks, and data flows going beyond traditional networks — potentially exposing companies to information leaks or attacks caused by shadow IT.
In addition, McAfee has launched MVISION XDR, an extended detection and response platform. This cloud offering is designed to blanket full IT infrastructures to improve security operations center (SOC) efficiency while also reducing overall cost.
“MVISION XDR removes the complexity of fragmented tools and provides new levels of proactivity, prioritization, and orchestration to improve the SOC effectiveness,” the company says.
McAfee also revealed the MVISION Cloud Native Application Protection Platform (CNAPP) at the event, a new solution intended for data protection, threat prevention, data governance, and compliance for cloud-native applications.
CNAPP is suitable for public clouds, virtual machines (VMs), containers, and serverless functions, and includes resource discovery, vulnerability assessment, MITRE ATT&CK framework threat mapping, zero-trust access policy controls, and data governance mechanisms.
In related news, McAfee filed for an Initial Public Offering (IPO) in September. The cybersecurity firm is expected to reach a valuation of at least $8 billion.
(Image: SOPA Images/Contributor/Getty Images) In perhaps an unsurprising move, Optus CEO Kelly Bayer Rosmarin has resigned from her role following a service outage early this month that impacted millions in Australia. The announcement comes after Rosmarin had appeared before the Senate on Friday to address the Nov. 8 incident, which left many without access to […]