It's time for another #AppSec News Roundup, and we start with a topic close to our hearts!
Before I get into the survey results, let me get on my soapbox regarding the need to bring infrastructure, particularly security, and DevOps together. Digital transformation requires businesses to move with speed. Speed requires IT agility. IT agility requires app development and infrastructure to be agile and, in most organizations, security is anything but agile. In fact, security is often left to the very end, so companies build a new app and then have to wait months until the security teams have made their changes and are ready. A better approach is to build security into the application development process.
Singapore has a near-perfect approach to cybersecurity, but many other rich countries have holes in their defenses and some poorer countries are showing them how it should be done, a U.N. survey showed on Wednesday.
A post that underscores the importance of having a bug bounty program!
We launched our HackerOne program a year ago to increase the security of Flexport. HackerOne allows us to provide hobbyist and professional penetration testers a means to find vulnerabilities and motivation to do so through bounties. Since then we have received nearly 200 reports ranging from removing server tokens from nginx headers to XSS vulnerabilities. Here are 6 of the most interesting vulnerabilities from those 200 reports.
WhiteHat Security releases its annual Application Security Statistics Report, underscoring the case for DevSecOps
The idea of DevSecOps has captured the imaginations of many of us working in security. Making security part of a developer’s processes and workflow makes sense to a security practitioner, but it represents a greater challenge to a developer who doesn’t have a background in security. Compounding the problem is the fact that developers are being asked to release apps faster and faster all the time. Like it or not, it’s becoming imperative that security “move left in the SDLC” to become as much a part of the developer’s coding process as any other aspect of software development. This is because applications have become the driving force of the digital business yet they remain the most vulnerable component. The Verizon 2017 Data Breach Investigations Report found that “almost 60% of breaches involved web applications either as the asset affected, and/or a vector to the affected asset.” The great news for developers is that we’ve uncovered some compelling evidence that the security effort is worth it. In the section of this report titled “Case Study: Making the Case for DevSecOps”, we’ve profiled a WhiteHat customer that implemented a program for creating “Security Heroes” in the development organization, putting the training and infrastructure in place necessary to support secure coding in an agile DevOps environment. The results of this effort were impressive: critical vulnerabilities in applications in development and in production were resolved in a fraction of the time that it takes organizations that haven’t engaged DevOps teams in the security effort.
- Medium refused to fix persistent XSS. If you have a spare $75, you can hijack their accounts.
- Origins are broken by design; proper web origins must consist of the public key of the server, not of a proprietary, centralized, changing-hands domain name. It would fix the persistent XSS backdooring I mentioned and DNS rebinding as well.
- Never rely on domains that were not registered by you. They could have a preloaded malicious backdoor in users' browsers. Even without appcache, there's always a distant probability of hacking users who never reload their browser.
Website-building service Wix.com was the subject of a massive cyber-attack in April 2016 when a botnet of rogue Chrome extensions was creating Wix websites to spread itself to new users.
The attack went unreported at the time, but last week, speaking at the Black Hat and DEF CON security conferences that took place in Las Vegas, Tomer Cohen, lead for Wix's security team, revealed more details about the incident.
As they do every year, hackers descended on Las Vegas this week to show off the many ways they can decimate the internet's security systems. Here's a collection of some of our favorite talks from this week's Black Hat conference, including some we didn't get the chance to cover in depth.
On April 8, 2017, a Russian-speaking member of a top-tier hacking forum introduced “Katyusha Scanner,” the powerful and fully automated SQLi vulnerability scanner that utilizes the functionality of Telegram messenger and Arachni Scanner, an open-source penetration testing tool.
In April this year whilst roaming the plains of the wild world web, I stumbled across an old Myspace account of mine. Attempting to gain access and delete the account I discovered a business process so flawed it deserves its own place in history….
As you can see, application security issues are everywhere. You may think this is a niche topic, but it literally affects everyone who uses applications or does business with an organization that does. It's one of the least understood threat vectors and one that is not often considered by the end user.
Barracuda offers multiple security solutions to help you protect your organization. For information on our Barracuda Web Application Firewall, visit our corporate website here. If you'd like to suggest an #appsec topic for discussion, leave a comment below. You can also ping us on twitter @barracuda using #appsec.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.