Video: A Spotlight on Cybersecurity: 2022 Trends and 2023 Predictions

After years of growing in importance, cybersecurity took center stage in 2022, with cyberattacks not only continuing to cause global disturbances, but also becoming the focus of legislation, organizational planning, news coverage, and even major plot points on TV. Amidst the flurry of activity, common themes have emerged regarding cyber threats and the way organizations respond to them, including:

  • Increased hacktivism amidst geopolitical unrest
  • Targeted attacks on specific companies, supply chains, mobile devices and more
  • New privacy and cybersecurity regulations
  • Expanded corporate liability and the need for cyber insurance

In this webinar, experts from across the Fortra cybersecurity spectrum will look back on 2022, analyzing these trends as they promise to continue into 2023 and beyond. Get insights into potential challenges of the coming year, strategic advice on what warrants prioritization, and ways to improve your security stance.

The Case for Enterprise-Grade Risk Based Vulnerability Management

This guide demonstrates why risk-based, enterprise-grade vulnerability management is essential in today’s cybersecurity landscape. Read the guide, The Case for Enterprise-Grade, Risk-Based Vulnerability Management, and see if your company is doing enough with vulnerability management.

What is a Supply Chain Attack and How Can Organizations Defend Against Them?

Supply chain attacks were responsible for 62% of system intrusion incidents, according to Verizon’s 2022 Data Breach Investigations Report. This type of attack is one of the most effective ways to compromise organizations because it targets the weakest link in the security chain. Supply chain attacks usually begin by compromising a supply chain partner, such as a developer, distributor, or supplier. Once inside the organization, attackers may steal data, damage systems, or even shut down whole organizations, introducing disruptions down the line. 

There are many types of software supply chain attacks. Some focus on gaining access to sensitive information, while others try to manipulate it. Attackers sometimes use social engineering techniques to trick people into installing malware. Others attempt to steal intellectual property. Still others seek out vulnerabilities in software development processes. These are just a few examples of what supply chain attacks can do.

This article will look at the fundamentals of a supply chain attack: what it is, how it occurs, and the devastating impact it can have on your organization. 

What is a Supply Chain Attack?

A supply chain attack is a cyberattack where a malicious actor compromises an outside partner or supplier to conduct attacks against the supplier’s customers. 

Supply chain attacks often start by compromising a vendor or supplier to gain access to its customer base. Once in the vendor’s system, attackers have broad access to steal data, alter records, or delete files. They can use this access to install malware on the vendor’s systems, gaining the ability to spy on the vendor’s customers or to alter software products so that similar malware is pushed into the customers’ environments.

These attacks are known as “supply chain attacks” because they target weaknesses in the entire supply chain rather than targeting individual companies one by one. By compromising the supplier as a critical player in the supply chain, attackers can build the attack to target several customers along the way.  

A real-world example would be attackers targeting a software development firm that creates applications for customers. By compromising the software or application, the attack affects everyone who uses it. This attack method gives malicious actors a much broader reach.

What is the Software Supply Chain? 

Understanding a supply chain attack requires an understanding of application development. In the past, applications were monolithic, self-contained pieces of software, and developers wrote every line of code internally. Now, to speed up development and avoid re-solving common problems, applications leverage standard components such as libraries, frameworks, web services, and databases. These components all work together to create and run the application.

The problem is more complex because each component is itself built from other components. For example, Log4j, a common logging library maintained by the Apache Software Foundation, is composed of other components. When a vulnerability in Log4j was discovered, it affected every application that used it.

The layered approach to application development expedites development but creates risk if a single layer is compromised.  

How Do Supply Chain Attacks Work? 

There are a variety of software supply chain attacks. Each takes a different approach to gaining access to sensitive information, and each has its own goal for the data. Some attacks use social engineering techniques to trick employees into doing what the attacker wants, while others exploit vulnerabilities to gain a foothold in the organization.

One version of a supply chain attack targets a supplier’s systems: for example, a vulnerability in an internet-exposed system that managed service providers (MSPs) use to manage their clients. After the compromise, malicious actors take control and use this access to push malicious scripts that install malware on the clients managed by these systems. A useful tool is now weaponized.

An alternative type of supply chain attack is a “man-in-the-middle” attack. With this attack, an attacker compromises a trusted entity through a vulnerability or social engineering to trick a user into installing malicious software. Once installed, this software intercepts communications between the victim and other systems. It uses information gathered to impersonate the victim and exfiltrate data that passes through it.  

Attacks of this nature are challenging to detect because they rely on users exercising the access they have legitimately been granted to install the malware. To monitoring, this looks like a user behaving normally rather than an attempt to misuse a system.

What are Some Recent Supply Chain Attacks?  

One example of a supply chain attack was the SolarWinds attack in 2020. Attackers gained access to the SolarWinds network and used it to inject malicious code into the Orion network performance monitoring and management product. Routine software updates distributed the malicious changes to users, providing a backdoor into networks that used the product. This granted attackers unfettered access to any network that deployed the corrupt code and was connected to the internet.

Administrative credentials are also a powerful magnifier of supply chain attacks. If a provider’s administrative credentials are stolen, attackers gain access to customer data. This can include sensitive information or the credentials the provider uses to access customer assets, allowing attackers to masquerade as the provider with the same level of access.

Can You Defend Against a Supply Chain Attack? 

There is no foolproof way to defend against a supply chain attack, but there are ways to make it harder for an attacker to utilize a supplier to attack your organization. You can reduce your organizational risk by lowering the level of trust given to suppliers and applications from a third party. 

For example, instead of trusting all patches and updates from a “trusted” source, test and analyze them in a test environment before applying them. Similarly, limiting the access that an externally sourced application has to your internal network reduces an attacker’s ability to pivot if that application is compromised. Scoping access to network resources to just the necessary components, and using an administrative account rather than a domain-level account, can also hinder attackers: if an attacker gains control due to a supplier issue, they cannot quickly reach your internal resources.

Defending Against Supply Chain Attacks with Fortra 

One of the best ways to protect your organization against supply chain attacks is to take preventative measures and assess your environment before an attack ever occurs. Fortra has a portfolio of integrated and scalable solutions to help your organization proactively improve defenses against supply chain attacks.

For example, regular scanning with beSECURE helps identify and prioritize vulnerabilities in assets so you can eliminate them and reduce your risk of supply chain attacks. Organizations can also verify the strength of their software supply chain by deploying penetration tests with Core Impact or engaging in adversary simulation exercises with Cobalt Strike to find out whether a solution vendor is also serving as an attack vector.  

The Importance of Black Box Fuzzing in Key Industries Guide

The expansion of Internet of Things (IoT) peripheral devices isn’t slowing down any time soon, and key industries need to keep their security as strong as possible with these devices. The guide The Importance of Black Box Fuzzing in Key Industries shows which industries should deploy a black box fuzzer before their products go to market.

What is the Relationship Between Ransomware and Phishing?

Ransomware and phishing are usually put in two separate categories when cyberattack methodologies are discussed. However, ransomware operators are increasingly leveraging phishing tactics to deploy their malicious payloads, and the potential for compromise is growing exponentially as a result.

Ransomware and Phishing – a match made in heaven 

Phishing is the number one delivery vehicle for ransomware, states risk management firm Deloitte. Industry sources agree, and phishing was identified as the primary vehicle for ransomware in Coveware’s Q4 2020 Quarterly Ransomware Report. It beat out RDP (Remote Desktop Protocol) as the top initial attack vector, once the remote work avalanche of 2020 died down, and has since moved up as the fastest way to get malicious code in front of an organization. 

In a recent survey, it was revealed that a staggering 78% of organizations experienced one or more ransomware attacks in 2021, 68% of which stated that the attack originated from a direct email payload, second-stage malware delivery, or similar cause. And, IBM’s Cyber Resilient Organization Study noted the top three causes of ransomware that year as social media (19%), malicious websites (22%), and phishing (45%).  

The logic? Phishing emails are easy to send and lure the unsuspecting victim in with minimal awareness of an attack. Carefully crafted as part of a social engineering scheme, the emails are customized to specific targets and appear to be from legitimate, even familiar, senders. Faced with unmanageable email volumes, even many once-careful users fail to scrutinize incoming mail and miss the small changes that would otherwise be suspicious red flags. Once the victim opens an email from their “bank” or “internet service provider” and confirms a few account details – or even just clicks into the malicious fake site – the payload detonates and the work of stealing and/or encrypting sensitive data begins. Once this work is completed, users are locked out and a ransom note appears.

Phishing on Social Media

While popularly exploited on email servers, phishing attacks are not confined to inboxes. One of the rising vectors, as noted by the IBM study, is social media. Collaboration tools like Teams and Slack are prime grooming places for establishing trust and exploiting “coworkers”. Online spaces like LinkedIn are particularly vulnerable to facilitating attacks; as platforms built for connecting with strangers, they encourage direct messages which often contain links to shared professional interests. Many of those links are credible – some are not. Unfortunately, with ransomware, one click is all it takes.

Ransomware operators also glean the personal information shared on social networking sites to craft a more custom-built attack. The authenticity and believability of many of the messages – “Hey Don, it was great talking to you at DEF CON. Here’s that link I was telling you about” – can fool even the most savvy. And, as Deloitte states, “many users are simply not sufficiently skeptical when it comes to receiving requests to do things like transfer funds, open attachments, or provide sensitive information.”  

Unfortunately, users don’t even have to engage to be at risk. A ransomware tool discovered in 2016 scraped the social media accounts of its victims to create personalized campaigns, ironically threatening to see its victims in court if the ransom was not paid. Security researchers similarly noted Facebook-centered ransomware activity, in which attackers embedded malicious code into uploaded image files that a misconfiguration then forced users to download.

AI-Powered Ransomware

The one saving grace is that customizing ransomware phishing attacks is time-consuming work. It requires human effort and insight and is difficult to scale. However, Artificial Intelligence could close the gap that makes even that automatable before long. “We have already seen [ransomware groups] hire pen testers to break into networks to figure out how to deploy ransomware. The next step will be that they will start hiring ML and AI experts to automate their malware campaigns,” said cybersecurity expert Mikko Hyppönen. Mark Driver, a research vice president at Gartner, says this could mean an even greater acceleration of attacks. “It’s not worth their effort if it takes them hours and hours to do it manually,” he explains. “But if they can automate it, absolutely.” The bottom line? “It’s terrifying.” 

The danger is not only AI-powered ransomware models, but AI-driven deepfakes that can impersonate legitimate sources and make phishing attempts that much more convincing. Reported cases of face- and voice-altering AI technology increased by 13% last year, and 66% of surveyed cybersecurity professionals reported seeing one in the past twelve months. Deepfakes in cyberattacks aren’t coming, they’re already here.

Prevent Phishing Attacks and Ransomware 

One industry report noted that the number of ransomware attacks doubled year-over-year in 2021, and we are reminded that nearly 80% of organizations experienced at least one attack. This makes for very dire predictions. However, the best defense is a good offense and several offensive strategies exist for mitigating ransomware attacks.  

Criminals aren’t the only ones who can hire pen testers. Probing your environment for weak spots is one of the best ways to stress test your environment before attackers can take advantage of vulnerabilities. Given the fact that 82% of breaches are attributable to the “human element” – a healthy portion of error included – it’s next to inevitable that despite an organization’s best efforts, a phishing attempt will succeed sometime. When it does, malware will infiltrate the network looking for systems to exploit and data to exfiltrate. Red teaming, attack simulation, and black box fuzzing allow your team to see what’s possible to attackers before they do.  

Email security and anti-phishing measures need to be combined with an offensive security strategy for the best defense-in-depth approach. Together, they focus on preventing ransomware payloads from detonating and harming your network.  

Beating the Business of Ransomware

Data protection is imperative, especially in the face of the growing business of ransomware. This guide, Beating the Business of Ransomware, will show you how to keep your cybersecurity measures on the offensive guard.

A Spotlight on Cybersecurity: 2022 Trends and 2023 Predictions

In 2022, geopolitical unrest and an expanding online attack surface contributed to the emergence of several themes across the cyber landscape. Infrastructures associated with opposing ideologies were highly targeted, with government agencies, supply chains, and IoT devices falling victim to high-profile campaigns. Cybercriminals launched increasingly advanced attacks on vulnerable entities, with DDoS, ransomware, and hacking for a cause all consistently making headlines. And governments around the world began responding with laws and regulations to combat the escalating threats associated with cyberattacks on organizations big and small.

Looking ahead to 2023, Fortra’s security experts anticipate new cyber challenges will emerge, and in return, organizations and authorities will work together to better strengthen their security posture and response to threats. Below is a look at what our cybersecurity experts predict for 2023.

Hacktivism and Geopolitics

The conflict in Ukraine and impending recession are two examples of factors that drove an uptick in emotionally driven cybercrime and recruitment in 2022. Experts believe that scams associated with current events, such as political instability and war, will continue to trigger emotional responses from bad actors, with government agencies and businesses as prime targets.

The economic downturn will negatively affect the cyber community, as history shows an increase in cybercrime during recessions. Security teams should be on the lookout for scams masquerading as government assistance programs and job recruitment as attackers look to take advantage of job seekers or those otherwise dealing with difficult circumstances. The consequences of online attacks during the recession could be exacerbated if cybersecurity operations experience cuts in an effort to curb costs.

These spending shifts may make it easier for threat actors to recruit insiders as a point of access to company networks. This method of compromising systems will increase as actors opt to pay disgruntled employees for credentials rather than penetrate a network on their own. Additionally, as data is shared more broadly across applications, the implications around who can access that data will become more and more a question of security at organizational and geopolitical levels.

Expanded operational information sharing between private and public entities will become more commonplace as security teams acknowledge the need for broader visibility into situations across the globe and how they may affect their organizations. Attack responses will mature as a result.

Expanded Attack Targets

In 2023, the attack surface will continue to expand for both public and private companies, and daily probings will represent the norm as criminals use tools to scan the internet for vulnerabilities in operational systems and IoT devices. Implementing only one layer of security controls to combat compromise will fail to be sufficient.

Security teams should expect to see phishing emails increase in volume and variety in 2023. Ransomware and malware will remain a consistent threat, and response-based campaigns such as BEC and spear phishing, which indicator-based security controls fail to flag, will increasingly make it into user inboxes. These attacks prove difficult to detect because they lack links and attachments, instead relying on correspondence-based calls to action.

Identity deception will become a significant threat in the new year. Attackers are targeting businesses on external channels such as social media, SMS, and search engines, with criminals leaning heavily on impersonation as a tactic. Threat actors will also embrace Artificial Intelligence to enhance campaigns and determine targets. On a positive note, these unconventional attack methods will encourage the formation of cyber allies across entities to share critical information and tools that will aid in the detection of attacks.

Multi-factor authentication (MFA) will also be the target of increased exploits. Attackers will work to compromise integrity through techniques like verification-grabbing malware and SIM swapping. Organizations should consider implementing passwordless authentication to complement MFA.

Improved Attack Responses

In 2023, attack responses will be improved upon through better controls and progress toward zero trust. Organizations will move past basic controls implemented during the COVID-driven rush to digital transformation and invest time in securing data assets that need the most protection.

Sharing avenues will continue to open between organizations, and knowledge and controls over who has access to data will be prioritized through MFA, monitoring, zero trust, and encryption.

Ongoing training that is engaging and relevant will be critical to helping users identify attacks, based on real-world incidents and in keeping with an organization’s policies.

Threat actors will continue to go after the lowest hanging fruit and target vulnerable entities within the supply chain, focusing on mid-sized organizations that are less equipped from a security standpoint, including credit unions, insurance, and healthcare organizations. As a result, evaluations and audits of supply chains will increase. There will also be a magnifying glass on the vendor base and what is being done with the data provided to them. The expectations placed on vendors will only grow, as they will be expected to solve for multiple use cases.

Laws and Regulations

In 2023, we can expect more cross-government and cross-nation collaborations as cybersecurity is seen as a priority. At a non-federal level, the first round of grants for the $1 billion in FEMA and CISA BIL funding will be available for state, local, and territorial governments to help understand and mitigate infrastructure risks.

More laws and guidance are expected from a federal level, spanning topics from data privacy to ransomware payments, as CISA and the DOD engage in long-term strategic planning. The FTC just announced a new rule addressing the impersonation of government and businesses, which will help with the reporting and removal of offending websites, domains, advertisements, and more in the new year. In Europe, lawmakers will continue to iron out kinks in the General Data Protection Regulation (GDPR) to support smooth data transfer out of the EU.

According to Gartner, three quarters of the world’s population will be under privacy regulations in 2023. From a business perspective, increased presence in the digital space will likely lead to more violations as organizations struggle to navigate compliance and privacy regulations.

Cyber Insurance

Cyber insurance will become a priority for businesses in 2023, as a growing number of customers expect organizations to be policyholders. That being said, market correction due to increased premiums and justification of spend will likely take place, with organizations requiring more from providers.

The increased likelihood of a cyber attack on businesses in 2023 will also contribute to complicated pre-audits and renewal processes, as well as more disputes and reduced payouts. Insurers will continue to implement a growing number of controls on the companies before providing coverage, to make sure customers comply with standards set.

The tactics, techniques, and procedures of cybercriminals will become more differentiated in 2023, as attackers lean toward the end goal of either profit or outcome of a specific cause. These elements will require security teams to continuously examine world events through a broad lens and prepare for how activity might affect their company. As these threats persist, organizations should prioritize cyber security initiatives that will promote better standards and increased awareness of threats. Security teams should also establish more proactive means of securing systems through early detection of vulnerabilities, visibility across relevant channels, and broad controls.

Watch our webinar, A Spotlight on Cybersecurity: 2022 Trends and 2023 Predictions, to learn more!

Why Is Black Box Fuzzing Important in Key Industries?

Black Box Fuzzers 

Black box fuzzers attack code vulnerabilities the same way a real-world cybercriminal would, so you can find code weaknesses before they are exploited. A form of dynamic application security testing (DAST), this tool attacks from outside the application code, feeding it a wide range of malformed or partial inputs to find unexpected input-handling errors. This can uncover conditions that trigger crashes, expose implementation bugs, and open the door to new or unknown exploitable weaknesses.

Black box fuzzers uncover these vulnerabilities, both known and unknown, before your product is deployed. Using this tool early in the software development lifecycle (SDLC) gives developers the chance to fix any security holes before launch, thus preventing downtime, damaging breaches, and costly post-deployment fixes.
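To make the black-box idea concrete, here is an added example (not code from the original page or from any Fortra product): a minimal mutation-based fuzzer in Python that treats a parser as an opaque target, feeds it mutated inputs, and records which inputs crash it rather than being gracefully rejected. The record format, the parser, and its unchecked-length defect are all constructed for this illustration.

```python
"""Minimal mutation-based black-box fuzzer (constructed example).

The target parser is treated as opaque: the fuzzer only feeds it bytes and
observes whether the input was accepted, rejected, or caused a crash.
"""
import random
import struct


class MalformedRecord(ValueError):
    """The parser's intended, graceful rejection of bad input."""


def parse_record(data: bytes) -> dict:
    """Parse a constructed format: version(1) | length(2, big-endian) | payload | xor-checksum(1).

    Deliberate defect, the kind black-box fuzzing surfaces: the declared length
    is trusted without checking it against the bytes actually present.
    """
    if len(data) < 3:
        raise MalformedRecord("header too short")
    version = data[0]
    if version != 1:
        raise MalformedRecord(f"unsupported version {version}")
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]          # silently short when data is truncated
    checksum = data[3 + length]           # IndexError when declared length exceeds the data
    if len(data) != 4 + length:
        raise MalformedRecord("trailing bytes")
    expected = 0
    for b in payload:
        expected ^= b
    if checksum != expected:
        raise MalformedRecord("checksum mismatch")
    return {"version": version, "payload": payload}


def build_record(payload: bytes) -> bytes:
    """Build a valid record; used to seed the fuzzer with well-formed input."""
    checksum = 0
    for b in payload:
        checksum ^= b
    return bytes([1]) + struct.pack(">H", len(payload)) + payload + bytes([checksum])


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # edge-case byte values


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, interesting byte, truncation, or insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                      # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                    # overwrite one byte with an edge-case value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2 and len(buf) > 1:           # truncate, keeping at least one byte
        del buf[rng.randrange(1, len(buf)):]
    else:                                        # insert one to three random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def run_target(target, data: bytes) -> str:
    """Classify one execution: 'ok', 'rejected' (graceful error), or 'crash:<Exception>'."""
    try:
        target(data)
    except MalformedRecord:
        return "rejected"
    except Exception as exc:                     # anything else is an unexpected failure
        return f"crash:{type(exc).__name__}"
    return "ok"


def fuzz(target, seeds, iterations: int, seed: int = 0) -> dict:
    """Mutate seed inputs, feed them to the target, and keep the first input that
    triggers each distinct crash type. Deterministic for a given seed."""
    rng = random.Random(seed)
    corpus = list(seeds)
    outcomes = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        result = run_target(target, candidate)
        if result.startswith("crash:"):
            outcomes["crash"] += 1
            crashes.setdefault(result[len("crash:"):], candidate)
        else:
            outcomes[result] += 1
            if result == "ok" and candidate not in corpus:
                corpus.append(candidate)         # novel accepted inputs become new seeds
    return {"outcomes": outcomes, "crashes": crashes}


if __name__ == "__main__":
    report = fuzz(parse_record, [build_record(b"hello")], iterations=2000)
    print(report["outcomes"])
    for exc_name, sample in report["crashes"].items():
        print(f"{exc_name}: {sample.hex()}")
```

Each crash sample is a minimal reproducer a developer can hand back with the bug report; the same harness shape applies to a real binary by replacing the target function with a subprocess call and treating a non-zero exit or signal as the crash signal.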

Which Key Industries Need Black Box Fuzzing?

Industries that have a significant impact on everyday life for the general public – such as automotive, aviation, medical, and critical infrastructure – are always going to be targeted by cyberattacks. These key industries have an immeasurable part to play in ensuring the public’s safety and must take every precaution necessary to ensure the software they use is secured. This includes the use of black box fuzzing to secure code prior to deployment.

“Smart” devices used in the operation of cars, planes, medical equipment, and critical infrastructure like power grids must have the highest level of security to prevent potentially catastrophic attacks. This is where black box fuzzing becomes essential. A black box fuzzing tool can uncover unknown and known code vulnerabilities before software is released to the public. This is the biggest reason regulations require a black box fuzzer early in the development lifecycle: to ensure the safety of these industries.

Protect Against The Unknown with Black Box Fuzzers

There are more threats out there than the known cybersecurity vulnerabilities. This guide, How Black Box Fuzzers Protect Against The Unknown, will show you how to protect against the unknown threats.

The Next Generation Of beSECURE Is Here

Introducing the All New beSECURE Platform 

The newest version of beSECURE has rolled out. This version is packed with updated and innovative features that strengthen your ability to analyze, prioritize, and simplify vulnerability management. And best of all, there’s no additional cost.

Meet the new features: 

  • Enhanced speed and usability
  • Powerful reporting 
  • Vulnerability remediation workflow 
  • Smart Labels 
  • Threat Intelligence 
  • Interactive network graphics 
  • Simple security rating metrics
  • Expanded customer service and support

Get a 5-Minute Guided Tour

Take a quick, step-by-step vulnerability management tour and see how VM can work for you.

Existing beSECURE Customers Upgrade Faster

Can’t wait for the new upgrade?  You can be an early adopter after your initial upgrade notification. Email Technical Support at [email protected] or create a ticket at https://beyondsecurity.freshdesk.com/ to schedule your upgrade. 

Schedule Your Upgrade

If you’d rather not be an early adopter, that’s fine. Through the course of 2022, all customers will be upgraded. If you prefer to schedule yours towards the end of the upgrade period, Technical Support can schedule that as well.

Who to Contact With Questions

Any questions or scheduling can go to our Technical Support. Just reach out at: [email protected] or submit a Freshdesk ticket if you have questions.

Vulnerability Management, SAST, and DAST Solutions

Get a demo and see how vulnerability management, SAST, and DAST are the beginning of a strong, layered offensive security solution.

Application Security Tips for PCI-DSS 4.0

PCI-DSS has long been the standard for securing payment card-related information. Meeting this bar was the bare minimum requirement for showing that an organization had sufficient controls to keep this data secure. With changes to PCI-DSS already being released and required by 2024, organizations developing and running applications to collect or process payment card-related data need to get prepared to meet the latest requirements.

Unfortunately, not every organization can meet the requirements, with auditors observing that less than 30% of their clients remain compliant year over year. Compliance failures most often occur when organizations are unable to show evidence of current control effectiveness. If a business takes a set-it-and-forget-it approach to security, it will be unable to provide continual evidence that its controls, policies, and procedures are working effectively. Companies that don’t meet compliance will find themselves unable to take payment cards, crippling their ability to do business.

This blog explores the challenges in securing applications for PCI-DSS and how organizations can prepare for the changes in PCI-DSS 4.0. 

Securing Applications for PCI

When it comes to PCI-DSS, the heart of security needs to focus on where the payment card-related information is collected – often in an application. Ensuring that applications used for payment processing and data collection are secured is crucial for meeting the explicitly outlined PCI requirements. With the latest changes in PCI-DSS 4.0, organizations will have more flexibility in implementing the security controls that can help them meet the high bar of PCI-DSS and better serve broader organizational security needs.

Changing for Flexibility

The current incarnation of PCI-DSS had particular requirements to implement to comply with the framework. Organizations that could not meet the explicitly stated needs could utilize compensating controls to deliver the equivalent of the indicated control. While this sounds good on paper, the execution of proving that compensating controls are sufficient is daunting.

To replace compensating controls and help streamline the review process, the concept of customized controls was added to PCI-DSS 4.0. Customized controls are defined by the organization and approved by an auditor. This change puts the focus on the act of achieving compliance, rather than the method of achieving it, and opens up more options for organizations to use to achieve compliance.

Bar is Still High

Just because organizations can utilize customized controls for some of the control requirements of PCI-DSS 4.0 does not mean that the requirements are any less stringent than before. Most of the explicit requirements present in the current version of PCI-DSS are still in effect in 4.0. This is especially true for securing applications that handle payment card information.

A rigid set of requirements addresses application code and whether it is implemented using best practices. These include the testing required to identify potential flaws and vulnerabilities before code can be used in a live environment. Collecting the evidence to show compliance with these controls falls on the application developer, no matter whether development is in-house, externally contracted, or from off-the-shelf software.

Meeting The Bar

Meeting PCI-DSS requirements for application security requires following best practices and having the right tools to verify your solutions. The verification involves increasing visibility into the different flaws and vulnerabilities that might exist in the code and those in the endpoints where the application is hosted. It is essential to use solutions that accurately detect issues and provide in-depth reporting that can supply evidence to auditors.

Testing

With applications, code is the best place to start testing. While manual inspection might allow testers to catch some application problems, it does not scale well for modern software – it is a lengthy process and can have a low accuracy rate. 

Current codebases amalgamate numerous external libraries and thousands of lines of code. Automated tools are the only efficient and effective way to test the code and its implementation. Using code analysis tools such as software composition analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST), testers can identify security vulnerabilities, design defects, logical errors, and implementation flaws, as PCI-DSS requires.

Vulnerability Management

The composition of software is only the starting point when evaluating the security of an application. Vulnerabilities in the underlying infrastructure and services that support the application are just as critical. Vulnerabilities exploitable by cybercriminals can bypass existing security controls such as authentication and access controls to allow attackers to directly access sensitive data, even if the application itself is bulletproof.

Detecting and managing these vulnerabilities before the attackers can identify them and make use of them is required by PCI-DSS and is a security best practice. Modern vulnerability scanners can automatically assess infrastructure on-premises and in the cloud, identifying vulnerabilities based on the same databases attackers use to find system vulnerabilities. Automatically scheduled assessment helps organizations meet PCI-DSS requirements, showing that vulnerability analysis is continuous and not a one-time effort.

App Security You Can Trust

Organizations need trustworthy solutions when working to meet current and future PCI-DSS requirements. Beyond Security offers a full suite of products to help your software solutions meet PCI-DSS requirements and ensure they are secure from design through production. With SAST, DAST, and platform/network vulnerability scanning, Beyond Security delivers solutions to secure your applications throughout their lifecycle.

Get the Complete Guide to Application Security for PCI-DSS

Learn more about how PCI-DSS 4.0 changes the application security landscape and how your organization can get prepared before the changes are mandatory.

Automotive Industries Article


By 2024, it’s predicted there’ll be more than 400 million connected vehicles in use around the world. In Automotive Industries magazine, Aviram Jenik discusses the implications for cybersecurity and looks at how rigorous testing and standard protocols can elevate the safety of these fast-evolving vehicles. 

Originally published in Automotive Industries

Excerpt:

“Industry regulators are meeting the rise in cybercrime by strengthening mandates related to the way automotive components are produced and tested. Fast-changing cybersecurity threats require regulations and best practices to evolve quickly to keep pace. Identifying and correcting security vulnerabilities in connected systems is critical in this next phase of the evolution of connected cars, particularly as autonomous vehicles are knocking at the door. Fortunately, standards are keeping up with the times.”

Automotive Industries Require SAST and DAST

For more information about automotive industry regulations, read the blog New Automotive Cybersecurity Standards Require SAST and DAST Solutions to see what additional cybersecurity solutions and strategies can be implemented.

Top 3 Reasons You Need A Black Box Fuzzer


What is Black Box Fuzzing and why do you need it?

Black box fuzzers attack code vulnerabilities the same way a malicious actor would.  Black box fuzzing is a type of dynamic application security testing (DAST) that uses one of the widest ranges of attacks to find unexpected code input errors. The goal is to uncover conditions that can trigger crashes or contribute to new and unknown security weaknesses.  Using a black box fuzzer before deployment uncovers the security holes that are in the product before it’s released and allows developers to fix them prior to launch. Addressing code problems early in the lifecycle will save money and avoid costly, damaging breaches and downtime.

DAST vs Black Box Fuzzing DAST

The difference between standard dynamic application security testing (DAST) and black box fuzzing DAST is that regular DAST is a controlled, calculated, methodical scan that looks for known vulnerabilities, while black box fuzzing systematically bombards a system with an onslaught of data, both properly formed and malformed, to also find unpublished or unknown vulnerabilities. This matters because cybercriminals are always looking for these undiscovered ways to hack an application, and they even use fuzzers to do so. Your organization should be armed with the same, and perhaps better, tools than the attackers you are trying to thwart.
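To make the "properly formed and malformed" idea concrete, here is a minimal mutation-based black box fuzzing harness. It is an added example, not BeSTORM's or Beyond Security's code: the target is a constructed toy length-prefixed message parser (the `0xBEEF` magic, field layout and function names are all assumptions for illustration), shown once with an unchecked read and once hardened. The harness never inspects the parser's source; it replays well-formed seeds, mutates them (bit flips, boundary bytes, truncation, insertion, length tampering), treats the parser's own `ValueError` rejections as clean results, and records anything else as a crash with a reproducing input, which is the report a tester would hand back to developers.

```python
"""Minimal black box mutation fuzzer (constructed example, not a product's code).

The harness never reads the target's source: it feeds well-formed seeds and
mutated variants, treats a protocol-defined rejection (ValueError) as a clean
result, and records any other exception as a crash with its reproducing input.
"""
import random
import struct

MAGIC = 0xBEEF  # constructed toy protocol constant, not a real wire format


def parse_message(data: bytes) -> dict:
    """Toy parser: magic(2) | version(1) | count(1) | count x [type(1) len(1) value(len)].

    Deliberately trusts `count` and each `len` without checking how many bytes
    remain, so a truncated or length-tampered message raises IndexError.
    """
    if len(data) < 4:
        raise ValueError("short header")
    magic, version, count = struct.unpack(">HBB", data[:4])
    if magic != MAGIC:
        raise ValueError("bad magic")
    if version != 1:
        raise ValueError("unsupported version")
    fields, pos = {}, 4
    for _ in range(count):
        ftype, flen = data[pos], data[pos + 1]      # unchecked read: the bug the fuzzer should find
        fields[ftype] = data[pos + 2:pos + 2 + flen]
        pos += 2 + flen
    return fields


def parse_message_hardened(data: bytes) -> dict:
    """Same format, but every read is bounds-checked and reported as a ValueError."""
    if len(data) < 4:
        raise ValueError("short header")
    magic, version, count = struct.unpack(">HBB", data[:4])
    if magic != MAGIC:
        raise ValueError("bad magic")
    if version != 1:
        raise ValueError("unsupported version")
    fields, pos = {}, 4
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated field header")
        ftype, flen = data[pos], data[pos + 1]
        end = pos + 2 + flen
        if end > len(data):
            raise ValueError("truncated field value")
        fields[ftype] = data[pos + 2:end]
        pos = end
    if pos != len(data):
        raise ValueError("trailing bytes")
    return fields


def build_valid_message(fields) -> bytes:
    """Encode a list of (type, value) pairs as a well-formed message (a fuzzing seed)."""
    body = b"".join(struct.pack(">BB", t, len(v)) + v for t, v in fields)
    return struct.pack(">HBB", MAGIC, 1, len(fields)) + body


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one mutation: bit flip, boundary byte, truncation, insertion, or count tampering."""
    data = bytearray(seed)
    choice = rng.randrange(5)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(data) > 1:
        data = data[:rng.randrange(1, len(data))]
    elif choice == 3:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif choice == 4 and len(data) > 3:
        data[3] = rng.choice([0, 1, 2, 0xFF])   # lie about the field count
    return bytes(data)


def fuzz(target, seeds, iterations: int, rng_seed: int = 1234) -> dict:
    """Run the target on seeds and mutants; return {(exc_type, message): reproducer}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for n in range(iterations):
        data = rng.choice(seeds)
        if n % 10:                                   # replay a pristine seed every 10th case
            for _ in range(rng.randint(1, 3)):
                data = mutate(data, rng)
        try:
            target(data)
        except ValueError:
            continue                                  # clean, protocol-defined rejection
        except Exception as exc:                      # anything else is a crash worth a report
            crashes.setdefault((type(exc).__name__, str(exc)), data)
    return crashes


# Constructed seeds: two valid messages the fuzzer will mutate.
SEEDS = [build_valid_message([(1, b"hi"), (2, b"world")]),
         build_valid_message([(7, b"\x00" * 16)])]

if __name__ == "__main__":
    for name, target in (("naive", parse_message), ("hardened", parse_message_hardened)):
        found = fuzz(target, SEEDS, 5000)
        print(f"{name}: {len(found)} distinct crash(es)")
        for (exc, msg), repro in found.items():
            print(f"  {exc}: {msg}  repro={repro.hex()}")
```

Run as a script, the naive parser produces an `IndexError` crash with a hex reproducer within a few thousand cases, while the hardened parser produces none: every malformed input is turned into a defined rejection. A real protocol fuzzer does the same job against a network or device endpoint, with a process monitor or watchdog standing in for the `except` clause, and the deduplicated crash-plus-reproducer pairs are what make a finding repeatable for developers and auditors.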

3 Reasons to Use a Black Box Fuzzer

Ultimately, the most compelling reasons to do security testing of any kind are to:

● Preserve your customers’ safety and trust

● Avoid expensive compliance fines

● Prevent costly post-production remediation

Below are a few reasons a black box fuzzer is one of the best tools to help you achieve these security goals.

1. Comprehensive QA Before Release:  If a company releases a product that is easily exploited, it probably won’t stay in business very long. The damage to customer trust can be insurmountable and the cost to fix a vulnerability in an application that is already deployed is extensive. It is essential for your code to be properly secured before it goes out the door.

Pre-release, security testing in the development process helps ensure that code errors never see the light of day.  The right black box fuzzing tool will analyze networks, hardware, and applications like an attacker would, to find weaknesses and the conditions that create them before a product is released to the public.

2. Efficiently Check Numerous Protocols: With a myriad of uses for black box fuzzing from assessing web applications to testing custom devices, a fuzzer needs to be flexible enough to communicate across numerous protocols. Having the right black box fuzzer that can assess the needs of your specific protocol or use prebuilt protocol testing modules will simplify the code changes needed during the Software Development Life Cycle (SDLC) testing phase. It will also systematically validate the application’s secure development. 

Accuracy is a top priority, especially when it comes to cybersecurity. A fuzzer that communicates on numerous protocols out of the box or that can easily be configured to work with new protocols provides a more thorough and efficient way to strengthen security posture. This is especially important for highly regulated industries such as automotive and medical where failures to identify vulnerabilities pose a real threat to the safety of individuals as well as expensive post-production remediation and fines.

3. Fast Automated Testing: Time constraints can cause traditional security testing to be rushed, making efficient testing tools necessary. When testing is too time-consuming, it will likely be cut short, and incomplete testing leaves threats behind, ready to be exploited. Automated testing shortens testing time and removes the need for manual intervention. You can automate scans during development and monitor after deployment.

Without the need to access source code, the right black box fuzzer can find the majority of vulnerabilities that a manual test would within the first 24 hours of automated testing.

Additional Black Box Fuzzer Benefits

Prioritize Threats, Save Resources: Finding threats to your security is important, but deciding which threats matter most is crucial for efficiently managing remediation efforts. Remediation resources are limited, so rapidly prioritizing issues by risk allows you to assess which must be mitigated first and which can wait. This helps your organization eliminate the threats that are most likely to be used by cybercriminals to attack your product.

Compliance Assurance: Several industries already require DAST to achieve compliance and other verticals will soon follow. Using black box fuzzing DAST for IoT, Automotive, Medical, Aviation, and Infrastructure scanning helps your organization adhere to tightly regulated compliance standards. Fuzzers that generate in-depth reporting of repeatable findings can create the information required by auditors to show compliance and meet regulatory standards.

Summation: Comprehensive black box fuzzing needs to check all of the boxes.  It must be able to test your security as if it were actually being attacked by a cybercriminal and do so efficiently.  The right black box fuzzer can also help your team prioritize so you can tackle the biggest problems first.  Make sure the black box fuzzer you choose is protocol-aware or can be taught a custom protocol, so you’re not missing threats.  Additionally, automation is a vital capability, to save you time and money while ensuring the quality of testing.  

Find code weaknesses fast and effectively with the only black box fuzzer that combines all of these options and more. BeSTORM has an on-demand demo available to show how a black box fuzzer works.

Read our latest e-book to learn more about how black box fuzzing can help your organization get the jump on cybercriminals by discovering and remediating vulnerabilities before they even know they exist.

7 Cybersecurity Resolutions For 2022 Infographic


It’s the start of a new year, and now is the perfect time to review your cybersecurity goals. Each year cyberthreats increase, causing more and more damage. Your security program and protections need to be updated and adjusted accordingly to match these threats and prevent criminals from breaching your company’s security.

There are numerous ways your cybersecurity can be strengthened: secured managed file transfer, vulnerability management assessment, secure automation, penetration testing, digital risk protection, and multi-factor authentication (MFA).

Here are 7 Cybersecurity Resolutions for 2022 to help you strive for a secure, new year.

Read The 7 Best Vulnerability Management Practices Guide

Which options are vital for your organization’s cybersecurity? In the 7 Best Practices for Vulnerability Assessment and Management guide, find out which solutions are the best for your company.