Tag Archive for: unicorn

How Christina Cacioppo Built Startup Vanta Into A $1.6 Billion Unicorn To Automate Complicated Security Compliance Issues


The Stanford graduate built a fast-growing software company to automate what had previously been a manual process. She’s now one of America’s richest self-made women.


About five years ago, Vanta CEO and cofounder Christina Cacioppo received a message from one of the customers of her nascent security and compliance automation company that something was wrong. The automated email the customer received each morning detailing what had happened in their Vanta account in the past 24 hours had the wrong company name in it. Cacioppo responded: “There’s a bug, we’re so sorry. We’ll fix it.”

What the customer didn’t realize was that the “automated” email was actually one that Cacioppo had sent early that morning. Cacioppo, who had founded Vanta just months earlier, set her alarm each day for 5:45 a.m. and crafted the emails by hand. She did this to make sure customers liked the emails before spending time writing code that would automate them. Once she knew what customers wanted, she and Vanta’s founding team sat down and wrote the code—and didn’t need to change it for a year and a half.

It’s just one example of the Ohio native’s scrappy approach—which also included everything from buying coffee in bulk from Costco to running Vanta without formal executive or staff meetings for its first two years. That hustle has helped her company land an estimated 5,000 customers including Quora, Autodesk and payments software firm Modern Treasury, with 600 new customers signing up each quarter, according to Vanta. Cacioppo has also helped score $203 million in funding to date from such venture capital firms as Craft Ventures and Sequoia, including $110 million raised in June 2022 that values the company at $1.6 billion. That’s enough to earn Cacioppo, 36, a spot on Forbes’ list of America’s Richest Self-Made Women with a $385 million fortune based on her stake in Vanta.

“Prior to Vanta, the way security and compliance was done was entirely with spreadsheets and screenshots of information that were collected in folders and shown to [certified…


Blunder burns unicorn attack that exploited Windows and Reader

(Image credit: Lisa Cooper / Flickr)

It’s not every day someone develops a malware attack that, with one click, exploits separate zero-day vulnerabilities in two widely different pieces of software. It’s even rarer that a careless mistake burns such a unicorn before it can be used. Researchers say that’s precisely what happened to a malicious PDF document designed to target unpatched vulnerabilities in both Adobe Reader and older versions of Microsoft Windows.

Modern applications typically contain “sandboxes” and other defenses that make it much harder for exploits to successfully execute malicious code on computers. When these protections work as intended, attacks that exploit buffer overflows and other common software vulnerabilities result in a simple application crash rather than a potentially catastrophic security event. The defenses require attackers to chain together two or more exploits: one executes malicious code, and a separate exploit allows the code to break out of the sandbox.

A security researcher from antivirus provider Eset recently found a PDF document that bypassed these protections when Reader ran on older Windows versions. It exploited a then-unpatched memory corruption vulnerability, known as a double free, in Reader that made it possible to gain a limited ability to read and write to memory. But to install programs, the PDF still needed a way to bypass the sandbox so that the code could run in more sensitive parts of the OS.


Biz & IT – Ars Technica

Elegant 0-day unicorn underscores “serious concerns” about Linux security

A screenshot showing an exploit that takes full control of a fully updated version of Fedora. (Image credit: Chris Evans)

Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built into Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory. (Ars Technology Editor Peter Bright has much more about ASLR and DEP.)

Unlike most ASLR and DEP bypasses, the one folded into the GStreamer exploit doesn’t rely on code to manipulate the memory layout or other environmental variables. Instead, it painstakingly arranges the bytes of code in a way that completely disables the protections. And by eliminating the need for JavaScript or other memory-massaging code to execute on a targeted computer, it’s possible to carry out attacks that otherwise wouldn’t be possible. Chris Evans, the security researcher who developed the exploit, describes the challenge as “a real beast.”
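The two protections the article names only apply when a binary is built to opt into them: ASLR can randomize an executable's own code only if it is position-independent (ELF type ET_DYN), and the stack is non-executable only if the linker emitted a PT_GNU_STACK segment without the execute flag. The following added example (not code from the article or from the researcher) reads those two facts straight out of an ELF64 header; the sample ELF images it checks are constructed inline so it runs offline.

```python
"""Check whether an ELF64 binary opted into ASLR (PIE) and DEP/NX (non-exec stack).

Added example for this article; the sample ELF bytes below are constructed,
not taken from any real binary."""
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address vs position-independent
PT_GNU_STACK = 0x6474E551       # program header that records stack permissions
PF_X = 0x1                      # execute permission bit in p_flags


def check_mitigations(data: bytes) -> dict:
    """Return {'pie': bool, 'nx_stack': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]      # e_type at offset 16
    e_phoff = struct.unpack_from("<Q", data, 32)[0]     # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK at all historically meant an executable stack, so default to False.
    nx_stack = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image: 64-byte header plus one PT_GNU_STACK phdr."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,        # e_type, e_machine (x86-64), e_version
        0, 64, 0,               # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, 1,           # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


if __name__ == "__main__":
    hardened = build_sample_elf(ET_DYN, 0x6)    # PIE, stack RW (no X)
    legacy = build_sample_elf(ET_EXEC, 0x7)     # fixed address, stack RWX
    print("hardened:", check_mitigations(hardened))
    print("legacy:  ", check_mitigations(legacy))
```

On a real system, point `check_mitigations` at the bytes of an installed binary to see which mitigations it actually opted into; a distribution can enable ASLR and NX system-wide and still ship an ET_EXEC binary with an executable stack.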


Technology Lab – Ars Technica