All the sessions available on demand from the Intelligent Security Summit are listed below here.


Denial of access is not like ransomware or breaches that target sensitive data. of service Services are being taken down by exploits of DoS (Defense-of-Service) and They are therefore virtually impossible to access. 

Many such attacks occurred. in Recent memory: Google, last June for example, blocked What was at the time the biggest distributed denial of service (DDoS) attack in history. Akami That record was then broken in It was September and Averted an attack in Europe. 

In a recent development, Legit Security It was announced today of An easy to use DoS vulnerability in Markdown libraries used by GitHubGitLab and Other applications that use a common markdown rendering service Commonmarker.

“Imagine taking down GitHub for some time,” said Liav Caspi, cofounder and CTO of Software supply chain security platform “This could be a major global disruption and shut down most software development shops. The impact would likely be unprecedented.”

Event

Intelligent Security Summit on-Demand

Find out the crucial role of AI & ML in Security and Case studies specific to the industry. You can watch the on-demand session right now.


Watch Here

GitHubThe company did not respond to our requests for comment by VentureBeat posted a formal acknowledgment and fix

Denial of service Disruption is the goal

Both DoS and DDoS overloading a web server or app in an attempt to disrupt services. 

As Fortinet This is how it works: DoS by Traffic flooding on a server and DDoS makes a resource or website unavailable. It uses multiple machines or computers to flood targeted resources.

And, there’s no question that they are on the rise — steeply, in fact. Cisco noted Year-over year growth of 776% in attacks of From 2018 to 2019, it was between 100 and 400 gigabits/second and 2019. According to the company, this total is approximately 50,000 of Attacks on DDoS will increase by 23% from 7.9 Million in 2018. To 15.4 Million this year. 

But although DDoS attacks aren’t always intended to score sensitive data or hefty ransom payouts, they nonetheless are costly. You can read more Gartner Research the average cost of It costs $5,600 per Minute to have IT go down The cost of IT downtime varies depending on the size and complexity of your organization. of Downtime costs can run from $140,000 up to $5,000,000 per hour.

And, with so many apps incorporating open-source code — a whopping 97% by one estimate — organizations don’t have full visibility of Their security position and Potential gaps and vulnerabilities. 

Indeed, open-source libraries Are “ubiquitous” in modern software development, said Caspi — so when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of The original vulnerability code. A library is popular when it becomes well-known. and widespread, a vulnerability This could allow for an attack against countless projects. 

“Those attacks can include disruption of critical business services,” Caspi “such as crippling the software supply chain and the ability to release new business applications.”

Vulnerability revealed

Caspi explained that markdown is the process of creating formatted text by using a common plain text editor. in software development tools and environments. There are many options of Applications and Projects implement this popular open-source markingdown librariesSuch as the most popular version found here in GitHub’s implementation called GitHub Flavored MarkdownGFM).

One copy of The GFM implementation vulnerability was discovered in commonmarkerThe popular Ruby package that implements markdown support. This package has over 1,000,000 users. dependent repositories.) Coined “MarkDownTime,” This allows attackers to launch a DoS attack on digital businesses that could shut them down. by disrupting application development pipelines, said Caspi. 

Legit Security researchers have found it easy to initiate unbounded resource exhaustion that leads to DoS attacks. Every product capable of reading and display markdown (*.md files) and He said that vulnerable libraries can be used to target.

“In some cases, an attacker can continuously utilize this vulnerability to keep the service down until it is entirely blocked,” Caspi. 

He explained that Legit Security’s research team was looking into vulnerabilities in GitHub and GitLab part of Its ongoing research into software supply chain security. They disclosed the security concern to both the commonmarker keeper as well to both. GitHub and GitLab. 

“All of them have fixed the issues, but many more copies of this markdown implementation have been deployed and are in use,” Caspi. 

As such, “precaution and mitigation measures should be employed.”

Visibility is controlled with great force

This is to protect them from this vulnerabilityBusinesses should update to make it safer of Markdown Library and Caspi suggested that GitLab users upgrade to the latest version. 

Organizations should generally have stronger security controls for third-party software when protecting against attacks on the software supply chain. libraries You use. You must also be vigilant for vulnerabilities and then upgrade to the safer version. 

Reputation is another important aspect. and Popularity of open-source software should be considered — in Avoid unmaintained software that is not trusted. Keep your SDLC systems, such as GitLab, up-to-date and Caspi stated that it was secure.

VentureBeat’s Mission is to become a digital square for technical decision makers to get knowledge about transformational enterprise technology and transact. Find out more about our Briefings.