The EU's Cyber Resilience Act (Regulation 2024/2847) shifts cybersecurity responsibility upstream. Explore the March 2026 guidance on secure-by-design requirements, software bills of materials (SBOM), and the impact on U.S. manufacturers.
The post The EU CRA – Treating Cybersecurity as Product Liability appeared first on Security Boulevard.
The March 2026 Cyber Strategy shifts focus from private sector compliance to national power and adversary disruption. Explore the tension between geopolitical deterrence and the economic realities of cybercrime.
The post The Danger of Treating CyberCrime as War – The New National Cybersecurity Strategy appeared first on Security Boulevard.
Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.
Expect to see more software supply chain attacks moving forward. According to ReversingLabs’ The State of Software Supply Chain Security 2024 study, attacks against the software supply chain are getting easier and more ubiquitous.
“For example, Operation Brainleeches, identified by ReversingLabs in July, showed elements of software supply chain attacks supporting commodity phishing attacks that use malicious email attachments to harvest Microsoft.com logins,” the report stated.
It is easier to conduct software supply chain attacks, so they are increasing at an alarming rate. The ReversingLabs report saw a 1,300% increase in threats coming from open-source package repositories last year. That’s the bad news.
The good news is that cybersecurity teams and government entities recognize the risks coming from the software supply chain, and there is a lot of action toward defending against these attacks and steps to solidify security before the software is released into the wild.
Who controls the software and who controls the device are the game-changers in software supply chain security, according to Xin Qiu, Sr., Director of Security Product Marketing and Management at CommScope. But that’s hyper-focused down to the developers and system engineers creating the software and setting up the systems. The problem is that there is little integration within an organization to enable effective control.
Companies have a lot of tools, but they are scattered around, says Qiu. Everyone is siloed, doing things in different ways. That approach has to change.
It is the federal government that is taking the lead in tackling software supply chain security with technical regulations and laws.
“To improve your software supply chain security, you need to have a common standard,” says Qiu. “I think this is a good way to fill those gaps.”
The most recognizable action taken by the government entities was the Executive Order(EO) from the Biden administration, which addresses the nation’s cybersecurity but especially emphasizes protecting the software supply chain. In conjunction with that EO, a cross-sector group representing different government agencies, the Enduring Security Framework (ESF) Software Supply Chain Working Panel, put together a comprehensive guide for recommended practices of security in the software supply chain for developers. NIST also has a framework to secure the software supply chain.
But government guidelines and regulations only go so far, and it is up to organizations to better equip themselves with the tools, solutions and processes that allow developers, engineers and security and IT teams to address risks within the software supply chain. There are a number of ideas and tools out there, some initiated by the government, that are trending in the battle against vulnerabilities and threats.
At RSAC2024, CISA Director Jen Easterly and a panel of cybersecurity professionals gave a panel on CISA’s Secure by Design initiative. The idea is to build security into products and make it a business feature and core technical requirement rather than the more standard approach of treating security as a failure. “During the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption,” the initiative’s website states.
Part of the presentation was the introduction of the initial group of businesses that took the Secure by Design pledge. According to CISA, “By participating in the pledge, software manufacturers are pledging to make a good-faith effort to work towards the goals listed below over the following year.” The pledge includes a list of goals for developers and organizations to work toward. These goals include standards around MFA, reducing default passwords and better transparency around vulnerability disclosure and reporting. More than 200 organizations have taken the pledge so far.
Learn how cybersecurity shapes supply chain resilienceSBOMs are a nested inventory of all the components that make up a software application. The components can include open source, third parties, patch status and licenses. SBOMs have become a key part of the software supply chain security structure and are endorsed by CISA as a way for developers to build a community that works together to share ideas and experiences around operationalization, scaling, technologies, new tools and use cases. To encourage SBOM use and understanding, CISA facilitates regular meetings from those across the software development and design community and also offers a resource library.
SBOMs can help an organization identify risks, especially in third-party and proprietary software packages: track vulnerabilities within the different components; ensure compliance and help the team make better security decisions by being more aware of the component parts of their software.
SLSA is a security framework to safeguard the integrity of software artifacts. It is a checklist of standards to better improve the integrity of the software, prevent tampering and exploitation and keep the infrastructure and application packages secure. The framework was based on Google’s production workloads and offers a structured approach to evaluating the security posture of software components throughout the supply chain.
GRC management is used to mitigate security risks within a software development supply chain while ensuring the software meets required regulatory compliances and security standards. Some of the areas that GRC monitors include:
GRC management tools can also be used with SBOM analysis.
This is just a sample of the tools and solutions used to protect the software supply chain from risk. As security is more consciously built into the software and developers and engineers share information in communities rather than working in silos, there is a fighting chance of slowing the threats against the software supply chain.
The post 4 trends in software supply chain security appeared first on Security Intelligence.
Cybersecurity concerns in 2024 can be summed up in two letters: AI (or five letters if you narrow it down to gen AI). Organizations are still in the early stages of understanding the risks and rewards of this technology. For all the good it can do to improve data protection, keep up with compliance regulations and enable faster threat detection, threat actors are also using AI to accelerate their social engineering attacks and sabotage AI models with malware.
AI might have gotten the lion’s share of attention in 2024, but it wasn’t the only cyber threat organizations had to deal with. Credential theft continues to be problematic, with a 71% year-over-year increase in attacks using compromised credentials. The skills shortage continues, costing companies an additional $1.76 million in a data breach aftermath. And as more companies rely on the cloud, it shouldn’t be surprising that there has been a spike in cloud intrusions.
But there have been positive steps in cybersecurity over the past year. CISA’s Secure by Design program signed on more than 250 software manufacturers to improve their cybersecurity hygiene. CISA also introduced its Cyber Incident Reporting Portal to improve the way organizations share cyber information.
Last year’s cybersecurity predictions focused heavily on AI and its impact on how security teams will operate in the future. This year’s predictions also emphasize AI, showing that cybersecurity may have reached a point where security and AI are interdependent on each other, for both good and bad.
Here are this year’s predictions.
Shadow AI will prove to be more common — and risky — than we thought. Businesses have more and more generative AI models deployed across their systems each day, sometimes without their knowledge. In 2025, enterprises will truly see the scope of “shadow AI” – unsanctioned AI models used by staff that aren’t properly governed. Shadow AI presents a major risk to data security, and businesses that successfully confront this issue in 2025 will use a mix of clear governance policies, comprehensive workforce training and diligent detection and response.
How enterprises think about identity will continue to transform in the wake of hybrid cloud and app modernization initiatives. Recognizing that identity has become the new security perimeter, enterprises will continue their shift to an Identity-First strategy, managing and securing access to applications and critical data, including gen AI models. In 2025, a fundamental component of this strategy is to build an effective identity fabric, a product-agnostic integrated set of identity tools and services. When done right, this will be a welcome relief to security professionals, taming the chaos and risk caused by a proliferation of multicloud environments and scattered identity solutions.
Explore cybersecurity servicesCybersecurity teams will no longer be able to effectively manage threats in isolation. Threats from generative AI and hybrid cloud adoption are rapidly evolving. Meanwhile, the risk quantum computing poses to modern standards of public-key encryption will become unavoidable. Given the maturation of new quantum-safe cryptography standards, there will be a drive to discover encrypted assets and accelerate the modernization of cryptography management. Next year, successful organizations will be those where executives and diverse teams jointly develop and enforce cybersecurity strategies, embedding security into the organizational culture.
As organizations begin the transition to post-quantum cryptography over the next year, agility will be crucial to ensure systems are prepared for continued transformation, particularly as the U.S. National Institute of Standards and Technology (NIST) continues to expand its toolbox of post-quantum cryptography standards. NIST’s initial post-quantum cryptography standards were a signal to the world that the time is now to start the journey to becoming quantum-safe. But equally important is the need for crypto agility, ensuring that systems can rapidly adapt to new cryptographic mechanisms and algorithms in response to changing threats, technological advances and vulnerabilities. Ideally, automation will streamline and accelerate the process.
Data and AI security will become an essential ingredient of trustworthy AI. “Trustworthy AI” is often interpreted as AI that is transparent, fair and privacy-protecting. These are critical characteristics. But if AI and the data powering it aren’t also secure, then all other characteristics are compromised. In 2025, as businesses, governments and individuals interact with AI more often and with higher stakes, data and AI security will be viewed as an even more important part of the trustworthy AI recipe.
As AI matures from proof-of-concept to wide-scale deployment, enterprises reap the benefits of productivity and efficiency gains, including automating security and compliance tasks to protect their data and assets. But organizations need to be aware of AI being used as a new tool or conduit for threat actors to breach long-standing security processes and protocols. Businesses need to adopt security frameworks, best practice recommendations and guardrails for AI and adapt quickly — to address both the benefits and risks associated with rapid AI advancements.
Protect against AI-assisted threats; plan for AI-powered threats. There is a distinction between AI-powered and AI-assisted threats, including how organizations should think about their proactive security posture. AI-powered attacks, like deepfake video scams, have been limited to date; today’s threats remain primarily AI-assisted — meaning AI can help threat actors create variants of existing malware or a better phishing email lure. To address current AI-assisted threats, organizations should prioritize implementing end-to-end security for their own AI solutions, including protecting user interfaces, APIs, language models and machine learning operations, while remaining mindful of strategies to defend against future AI-powered attacks.
There’s a very clear message from these predictions that understanding how AI can help and hurt an organization is vital to ensuring your company and its assets are protected in 2025 and beyond.
The post Cybersecurity trends: IBM’s predictions for 2025 appeared first on Security Intelligence.
Entrar