لرن سرا

برچسب: Trust

  • should we trust Open Source after Log4J’s issues? | Code4IT


    With Log4J’s vulnerability, we’ve all been reminded that systems are vulnerable, and OSS are not immune too. What should we do now?

    Table of Contents

    Just a second! 🫷
    If you are here, it means that you are a software developer.
    So, you know that storage, networking, and domain management have a cost .

    If you want to support this blog, please ensure that you have disabled the adblocker for this site.
    I configured Google AdSense to show as few ADS as possible – I don’t want to bother you with lots of ads, but I still need to add some to pay for the resources for my site.

    Thank you for your understanding.
    Davide

    After the Log4J vulnerability, we should reflect on how open source impacts our projects, and what are the benefits and disadvantages of using such libraries.

    The following article is more an opinion, just some random thoughts about what happened and what we can learn from this event.

    A recap of the Log4J vulnerability

    To give some context to those who have never heard (or forgot) about the Log4J vulnerability, here’s a short recap.

    Log4J is a popular Java library for logging. So popular that it has been inglobed in the Apache ecosystem.

    For some reason I haven’t understood, the logger evaluates the log messages instead of just treating them as strings. So, a kind of SQL injection (but for logs) could be executed: by sending a specific string format to services that use Log4J, that string is evaluated and executed on the server; as a result, external scripts could be run on the server, allowing attackers to access your server. Of course, it’s not a detailed and 100% accurate description: there are plenty of resources on the Internet if you want to deep dive into this topic.

    Some pieces of evidence show that the earliest exploitation of this vulnerability happened on Dec 1, 2021, as stated by Matthew Prince, CEO of Cloudflare, in this Tweet. But the vulnerability became public 9 days later.

    Benefits of OSS projects

    The source code of Log4J is publicly available on GitHub

    This means that:

    it’s free to use (yes, OSS != free, but it’s rare to find paid OSS projects)
    you can download and run the source code
    you can inspect the code and propose changes
    it saves you time: you don’t have to reinvent the wheel – everything is already done by others.

    Issues with OSS projects

    Given that the source code is publicly accessible, attackers can study it to find security flaws, and – of course – take advantage of those vulnerabilities before the community notices them.

    Most of the time, OSS projects are created by single devs to solve their specific problems. Then, they share those repositories to help their peers and allow other devs to work on the library. All the coding is done for free and in their spare time. As you can expect, the quality is deeply impacted by this.

    What to do with OSS projects?

    So, what should we do with all those OSS projects? Should we stop using them?

    I don’t think so. just because those kinds of issues can arise, it doesn’t mean that they will arise so often.

    Also, it’s pretty stupid to build everything from scratch “just in case”. Just because attackers don’t know the source code, it doesn’t mean that they can’t find a way to access your systems.

    On the other hand, we should not blindly use every library we see on GitHub. It’s not true that just because it’s open source, it’s safe to use – as the Log4J story taught us.

    So, what should we do?

    I don’t have an answer. But for sure we can perform some operations when working on our projects.

    We should review which external packages we’re using, and keep track of their version. Every N months, we should write a recap (even an Excel file is enough) to update the list of packages we’re using. In this way, if a vulnerability is discovered for a package, and a patch is released, we can immediately apply that patch to our applications.

    Finding installed dependencies for .NET projects is quite simple: you can open the csproj file and see the list of NuGet packages you’re using.

    NuGet packages listed in the csproj file

    The problem with this approach is that you don’t see the internal dependencies: if one of the packages you’re using depends on another package with a known vulnerability, your application may be vulnerable too.

    How can you list all your dependencies? Are there any tools that work with your programming language? Drop a comment below, it can help other devs!

    Then, before choosing a project instead of another, we should answer (at least) three questions. Does this package solve our problem? Does the code look safe to use? Is the repository active, or is it stale?

    Spend some time skimming the source code, looking for weird pieces of code. Pay attention when they evaluate the code (possible issues like with Log4J), when they perform unexpected calls to external services (are they tracking you?), and so on.

    Look at the repository history: is the repository still being updated? Is it maintained by a single person, or is there a community around it?

    You can find this info on GitHub under the Insight tab.

    In the following picture, you can see the contributions to the Log4J library (available here):

    Contributions graph to Log4J repository

    Does this repo have tests? Without tests (or, maybe worse, with not meaningful tests), the package should not be considered safe. Have a look at the code and at the CI pipelines, if publicly available.

    Finally, a hope for a future: to define a standard and some procedures to rate the security of a package/repository. I don’t know if it can be feasible, but it would be a good addition to the OSS world.

    Further readings

    If you’re interested in the general aspects of the Log4J vulnerability, you can have a look at this article by the Wall Street Journal:

    🔗What Is the Log4j Vulnerability? What to Know | The Wall Street Journal

    If you prefer a more technical article, DataDog’s blog got you covered. In particular, jump to the “How the Log4Shell vulnerability works” section.

    🔗Takeaways from the Log4j Log4Shell vulnerability | DataDog

    But if you prefer some even more technical info, you can head to the official vulnerability description:

    🔗CVE-2021-45046 vulnerability

    Here’s the JIRA ticket created to track it:

    🔗JNDI lookups in layout (not message patterns) enabled in Log4j2 < 2.16.0 | Jira

    Wrapping up

    This was not the usual article/tutorial, it was more an opinion on the current status of OSS and on what we should do to avoid issues like those caused by Log4J.

    It’s not the first vulnerability, and for sure it won’t be the only one.

    What do you think? Should we move away from OSS?

    How would you improve the OSS world?

    Happy coding!

    🐧





    Source link

  • RBI Emphasizes Adopting Zero Trust Approaches for Banking Institutions

    RBI Emphasizes Adopting Zero Trust Approaches for Banking Institutions


    In a significant move to bolster cybersecurity in India’s financial ecosystem, the Reserve Bank of India (RBI) has underscored the urgent need for regulated entities—especially banks—to adopt Zero Trust approaches as part of a broader strategy to curb cyber fraud. In its latest Financial Stability Report (June 2025), RBI highlighted Zero Trust as a foundational pillar for risk-based supervision, AI-aware defenses, and proactive cyber risk management.

    The directive comes amid growing concerns about the digital attack surface, vendor lock-in risks, and the systemic threats posed by overreliance on a few IT infrastructure providers. RBI has clarified that traditional perimeter-based security is no longer enough, and financial institutions must transition to continuous verification models where no user or device is inherently trusted.

    What is Zero Trust?

    Zero Trust is a modern security framework built on the principle: “Never trust, always verify.”

    Unlike legacy models that grant broad access to anyone inside the network, Zero Trust requires every user, device, and application to be verified continuously, regardless of location—inside or outside the organization’s perimeter.

    Key principles of Zero Trust include:

    • Least-privilege access: Users only get access to what they need—nothing more.
    • Micro-segmentation: Breaking down networks and applications into smaller zones to isolate threats.
    • Continuous verification: Access is granted based on multiple dynamic factors, including identity, device posture, location, time, and behavior.
    • Assume breach: Security models assume threats are already inside the network and act accordingly.

    In short, Zero Trust ensures that access is never implicit, and every request is assessed with context and caution.

    Seqrite ZTNA: Zero Trust in Action for Indian Banking

    To help banks and financial institutions meet RBI’s Zero Trust directive, Seqrite ZTNA (Zero Trust Network Access) offers a modern, scalable, and India-ready solution that aligns seamlessly with RBI’s vision.

    Key Capabilities of Seqrite ZTNA

    • Granular access control
      It allows access only to specific applications based on role, user identity, device health, and risk level, eliminating broad network exposure.
    • Continuous risk-based verification
      Each access request is evaluated in real time using contextual signals like location, device posture, login time, and behavior.
    • No VPN dependency
      Removes the risks of traditional VPNs that grant excessive access. Seqrite ZTNA gives just-in-time access to authorized resources.
    • Built-in analytics and audit readiness
      Detailed logs of every session help organizations meet RBI’s incident reporting and risk-based supervision requirements.
    • Easy integration with identity systems
      Works seamlessly with Azure AD, Google Workspace, and other Identity Providers to enforce secure authentication.
    • Supports hybrid and remote workforces
      Agent-based or agent-less deployment suits internal employees, third-party vendors, and remote users.

    How Seqrite ZTNA Supports RBI’s Zero Trust Mandate

    RBI’s recommendations aren’t just about better firewalls but about shifting the cybersecurity posture entirely. Seqrite ZTNA helps financial institutions adopt this shift with:

    • Risk-Based Supervision Alignment
    • Policies can be tailored based on user risk, job function, device posture, or geography.
    • Enables graded monitoring, as RBI emphasizes, with intelligent access decisions based on risk level.
    • CART and AI-Aware Defenses
    • Behavior analytics and real-time monitoring help institutions detect anomalies and conduct Continuous Assessment-Based Red Teaming (CART) simulations.
    • Uniform Incident Reporting
    • Seqrite’s detailed session logs and access histories simplify compliance with RBI’s call for standardized incident reporting frameworks.
    • Vendor Lock-In Mitigation
    • Unlike global cloud-only vendors, Seqrite ZTNA is designed with data sovereignty and local compliance in mind, offering full control to Indian enterprises.

    Sample Use Case: A Mid-Sized Regional Bank

    Challenge: The bank must secure access to its core banking applications for remote employees and third-party vendors without relying on VPNs.

    With Seqrite ZTNA:

    • Users access only assigned applications, not the entire network.
    • Device posture is verified before every session.
    • Behavior is monitored continuously to detect anomalies.
    • Detailed logs assist compliance with RBI audits.
    • Risk-based policies automatically adjust based on context (e.g., denying access from unknown locations or outdated devices).

    Result: A Zero Trust-aligned access model with reduced attack surface, better visibility, and continuous compliance readiness.

    Conclusion: Future-Proofing Banking Security with Zero Trust

    RBI’s directive isn’t just another compliance checklist, it’s a wake-up call. As India’s financial institutions expand digitally, adopting Zero Trust is essential for staying resilient, secure, and compliant.

    Seqrite ZTNA empowers banks to implement Zero Trust in a practical, scalable way aligned with national cybersecurity priorities. With granular access control, continuous monitoring, and compliance-ready visibility, Seqrite ZTNA is the right step forward in securing India’s digital financial infrastructure.



    Source link

  • 5 Signs Your Organization Needs Zero Trust Network Access

    5 Signs Your Organization Needs Zero Trust Network Access


    In today’s hyperconnected business environment, the question isn’t if your organization will face a security breach, but when. With the growing complexity of remote workforces, cloud adoption, and third-party integrations, many businesses are discovering that their traditional security tools are no longer enough to keep threats at bay.

    Enter Zero Trust Network Access (ZTNA)—a modern security model that assumes no user, device, or request is trustworthy until proven otherwise. Unlike traditional perimeter-based security, ZTNA treats every access request suspiciously, granting application-level access based on strict verification and context.

    But how do you know when it’s time to make the shift?

    Here are five tell-tale signs that your current access strategy may be outdated—and why Zero Trust Network Access could be the upgrade your organization needs.

     

    1. Your VPN is Always on—and Always a Risk

    Virtual Private Networks (VPNs) were built for a simpler time when employees worked from office desktops, and network boundaries were clear. Today, they’re an overworked, often insecure solution trying to fit a modern, mobile-first world.

    The problem? Once a user connects via VPN, they often gain full access to the internal network, regardless of what they need. One compromised credential can unlock the entire infrastructure.

    How ZTNA helps:

    ZTNA enforces the principle of least privilege. Instead of exposing the entire network, it grants granular, application-specific access based on identity, role, and device posture. Even if credentials are compromised, the intruder won’t get far.

     

    1. Remote Access is a Growing Operational Burden

    Managing remote access for a distributed workforce is no longer optional—it’s mission-critical. Yet many organizations rely on patchwork solutions that are not designed for scale, leading to latency, downtime, and support tickets galore.

    If your IT team constantly fights connection issues, reconfigures VPN clients, or manually provisions contractor access, it’s time to rethink your approach.

    How ZTNA helps:

    ZTNA enables seamless, cloud-delivered access without the overhead of legacy systems. Employees, contractors, and partners can connect from anywhere, without IT having to manage tunnels, gateways, or physical infrastructure. It also supports agentless access, perfect for unmanaged devices or third-party vendors.

     

    1. You Lack Visibility into What Users do After They Log in

    Traditional access tools like VPNs authenticate users at the start of a session but offer little to no insight into what happens afterward. Did they access sensitive databases? Transfer files? Leave their session open on an unsecured device?

    This lack of visibility is a significant risk to security and compliance. It leaves gaps in auditing, limits forensic investigations, and increases your exposure to insider threats.

    How ZTNA helps:

    With ZTNA, organizations get deep session-level visibility and control. You can log every action, enforce session recording, restrict clipboard usage, and even automatically terminate sessions based on unusual behavior or policy violations. This isn’t just security, it’s accountability.

     

    1. Your Attack Surface is Expanding Beyond Your Control

    Every new SaaS app, third-party vendor, or remote endpoint is a new potential doorway into your environment. In traditional models, this means constantly updating firewall rules, managing IP allowlists, or creating segmented VPN tunnels—reactive and complex to scale tasks.

    How ZTNA helps:

    ZTNA eliminates network-level access. Instead of exposing apps to the public or placing them behind perimeter firewalls, ZTNA makes applications invisible, only discoverable to users with strict access policies. It drastically reduces your attack surface without limiting business agility.

     

    1. Security and User Experience Are at War

    Security policies are supposed to protect users, not frustrate them. But when authentication is slow, access requires multiple manual steps, or users are locked out due to inflexible policies, they look for shortcuts—often unsafe ones.

    This is where shadow IT thrives—and where security begins to fail.

    How ZTNA helps:

    ZTNA provides context-aware access control that strikes the right balance between security and usability. For example, a user accessing a low-risk app from a trusted device and location may pass through with minimal friction. However, someone connecting from an unknown device or foreign IP may face additional verification or be denied altogether.

    ZTNA adapts security policies based on real-time context, ensuring protection without compromising productivity.

     

    In Summary

    The traditional approach to access control is no match for today’s dynamic, perimeterless world. If you’re experiencing VPN fatigue, blind spots in user activity, growing exposure, or frustrated users, it’s time to rethink your security architecture.

    Zero Trust Network Access isn’t just another security tool—it’s a more innovative, adaptive framework for modern businesses.

    Looking to modernize your access control without compromising on security or performance? Explore Seqrite ZTNA—a future-ready ZTNA solution built for enterprises navigating today’s cybersecurity landscape.



    Source link

  • Zero Trust Best Practices for Enterprises and Businesses


    Cybersecurity threats are becoming more sophisticated and frequent in today’s digital landscape. Whether a large enterprise or a growing small business, organizations must pivot from traditional perimeter-based security models to a more modern, robust approach—Zero Trust Security. At its core, Zero Trust operates on a simple yet powerful principle: never trust, always verify.

    Implementing Zero Trust is not a one-size-fits-all approach. It requires careful planning, integration of the right technologies, and ongoing management. Here are some key zero trust best practices to help both enterprises and small businesses establish a strong zero-trust foundation:

    1. Leverage IAM and AD Integrations

    A successful Zero-Trust strategy begins with Identity and Access Management (IAM). Integrating IAM solutions with Active Directory (AD) or other identity providers helps centralize user authentication and enforce policies more effectively. These integrations allow for a unified view of user roles, permissions, and access patterns, essential for controlling who gets access to what and when.

    IAM and AD integrations also enable seamless single sign-on (SSO) capabilities, improving user experience while ensuring access control policies are consistently applied across your environment.

    If your organization does not have an IdP or AD, choose a ZT solution with a User Management feature for Local Users.

    1. Ensure Zero Trust for Both On-Prem and Remote Users

    Gone are the days when security could rely solely on protecting the corporate network perimeter. With the rise of hybrid work models, extending zero-trust principles beyond traditional office setups is critical. This means ensuring that both on-premises and remote users are subject to the same authentication, authorization, and continuous monitoring processes.

    Cloud-native Zero Trust Network Access (ZTNA) solutions help enforce consistent policies across all users, regardless of location or device. This is especially important for businesses with distributed teams or those who rely on contractors and third-party vendors.

    1. Implement MFA for All Users for Enhanced Security

    Multi-factor authentication (MFA) is one of the most effective ways to protect user identities and prevent unauthorized access. By requiring at least two forms of verification, such as a password and a one-time code sent to a mobile device, MFA dramatically reduces the risk of credential theft and phishing attacks.

    MFA should be mandatory for all users, including privileged administrators and third-party collaborators. It’s a low-hanging fruit that can yield high-security dividends for organizations of all sizes.

    1. Ensure Proper Device Posture Rules

    Zero Trust doesn’t stop at verifying users—it must also verify their devices’ health and security posture. Whether it’s a company-issued laptop or a personal mobile phone, devices should meet specific security criteria before being granted access to corporate resources.

    This includes checking for up-to-date antivirus software, secure OS configurations, and encryption settings. By enforcing device posture rules, businesses can reduce the attack surface and prevent compromised endpoints from becoming a gateway to sensitive data.

    1. Adopt Role-Based Access Control

    Access should always be granted on a need-to-know basis. Implementing Role-Based Access Control (RBAC) ensures that users only have access to the data and applications required to perform their job functions, nothing more, nothing less.

    This minimizes the risk of internal threats and lateral movement within the network in case of a breach. For small businesses, RBAC also helps simplify user management and audit processes, primarily when roles are clearly defined, and policies are enforced consistently.

    1. Regularly Review and Update Policies

    Zero Trust is not a one-time setup, it’s a continuous process. As businesses evolve, so do user roles, devices, applications, and threat landscapes. That’s why it’s essential to review and update your security policies regularly.

    Conduct periodic audits to identify outdated permissions, inactive accounts, and policy misconfigurations. Use analytics and monitoring tools to assess real-time risk levels and fine-tune access controls accordingly. This iterative approach ensures that your Zero Trust architecture remains agile and responsive to emerging threats.

    Final Thoughts

    Zero Trust is more than just a buzzword, it’s a strategic shift that aligns security with modern business realities. Adopting these zero trust best practices can help you build a more resilient and secure IT environment, whether you are a large enterprise or a small business.

    By focusing on identity, device security, access control, and continuous policy refinement, organizations can reduce risk exposure and stay ahead of today’s ever-evolving cyber threats.

    Ready to take the next step in your Zero Trust journey? Start with what you have, plan for what you need, and adopt a security-first mindset across your organization.

    Embrace the Seqrite Zero Trust Access Solution and create a secure and resilient environment for your organization’s digital assets. Contact us today.

     



    Source link

  • Zero Trust Network Access Use Cases

    Zero Trust Network Access Use Cases


    As organizations navigate the evolving threat landscape, traditional security models like VPNs and legacy access solutions are proving insufficient. Zero Trust Network Access (ZTNA) has emerged as a modern alternative that enhances security while improving user experience. Let’s explore some key use cases where ZTNA delivers significant value.

    Leveraging ZTNA as a VPN Alternative

    Virtual Private Networks (VPNs) have long been the go-to solution for secure remote access. However, they come with inherent challenges, such as excessive trust, lateral movement risks, and performance bottlenecks. ZTNA eliminates these issues by enforcing a least privilege access model, verifying every user and device before granting access to specific applications rather than entire networks. This approach minimizes attack surfaces and reduces the risk of breaches.

    ZTNA for Remote and Hybrid Workforce

    With the rise of remote and hybrid work, employees require seamless and secure access to corporate resources from anywhere. ZTNA ensures secure, identity-based access without relying on traditional perimeter defenses. By continuously validating users and devices, ZTNA provides a better security posture while offering faster, more reliable connectivity than conventional VPNs. Cloud-native ZTNA solutions can dynamically adapt to user locations, reducing latency and enhancing productivity.

    Securing BYOD Using ZTNA

    Bring Your Own Device (BYOD) policies introduce security risks due to the varied nature of personal devices connecting to corporate networks. ZTNA secures these endpoints by enforcing device posture assessments, ensuring that only compliant devices can access sensitive applications. Unlike VPNs, which expose entire networks, ZTNA grants granular access based on identity and device trust, significantly reducing the attack surface posed by unmanaged endpoints.

    Replacing Legacy VDI

    Virtual Desktop Infrastructure (VDI) has traditionally provided secure remote access. However, VDIs can be complex to manage, require significant resources, and often introduce performance challenges. ZTNA offers a lighter, more efficient alternative by providing direct, controlled access to applications without needing a full virtual desktop environment. This improves user experience, simplifies IT operations, and reduces costs.

    Secure Access to Vendors and Partners

    Third-party vendors and partners often require access to corporate applications, but providing them with excessive permission can lead to security vulnerabilities. Zero Trust Network Access enables secure, policy-driven access for external users without exposing internal networks. By implementing identity-based controls and continuous monitoring, organizations can ensure that external users only access what they need when they need it, reducing potential risks from supply chain attacks.

    Conclusion

    ZTNA is revolutionizing secure access by addressing the limitations of traditional VPNs and legacy security models. Whether securing remote workers, BYOD environments, or third-party access, ZTNA provides a scalable, flexible, and security-first approach. As cyber threats evolve, adopting ZTNA is a crucial step toward a Zero Trust architecture, ensuring robust protection without compromising user experience.

    Is your organization ready to embrace Zero Trust Network Access? Now is the time for a more secure, efficient, and scalable access solution. Contact us or visit our website for more information.



    Source link