Barracuda

Security, Access and Reliability for Cloud-Connected Networks and Applications

Tushar Richabadas

Tushar is the Product Manager, Web Application Firewall and Load Balancer ADC, Barracuda Networks India. He blogs about application security, public cloud security, and OWASP Top 10 vulnerabilities.

Connect with Tushar on LinkedIn

Follow Tushar's blog via RSS

The Evolution of Software Development: From Waterfall to Continuous Security

by

Early software development followed the waterfall model, a term coined in the 1970s.  In the waterfall model, the software development process was pre-planned, set in stone, with a separate phase for every step. Predictably, this made the process sluggish.

Every team involved in developing a software application was siloed and had its own priorities and processes to follow. For example, it was common for a development team to have their own timelines, only to find out that the quality assurance team was busy testing another application, and operations hadn’t been notified in time to build out the necessary infrastructure. On top of that, security often felt they weren’t taken seriously. [Read more…] about The Evolution of Software Development: From Waterfall to Continuous Security

AppSec News Roundup for February 2019: Credential stuffing, Facebook CSRF, public APIs, and more

by

Here are a handful of the most significant #AppSec news items from February 2019.  

More raw material for Credential stuffing attacks are turning up

Some of the major hacks in the last few years that haven’t leaked out are now turning up for sale. An unidentified hacker has released at least 3 rounds of these credentials for sale, with the last round costing about $9350. They have claimed that the databases include credentials for Pizap, who’ve stated that they are not aware of a hack and will investigate immediately.

[Read more…] about AppSec News Roundup for February 2019: Credential stuffing, Facebook CSRF, public APIs, and more

Application security trends through 2019 and beyond

by

2018 was a very long, eventful year in Application Security. There were many good things that came into place – the new OWASP Top 10 list (pdf) (late 2017, but close enough 😉), GDPR and similar laws that have created financial incentives for firms to secure user data, and a general rise in awareness for the need for web app security, patching and the like. It was, however, also a bumper year for attackers, and to me, is the year the Data Breach Notification became mainstream. (By mainstream, I mean that people who normally would not have thought about these breaches have heard of them and understand the consequences.)

Looking at the trends in terms of attacks over the last year, I see three clear attack vectors that have become very popular and will become a bigger problem in 2019 and beyond.

Account takeover (ATO) attacks using bots, exploits, and credential dumps, are expected to increase over the next year. Plan and deploy defenses like attack detection and 2FA to protect yourself from this attack.Click To Tweet

The first one is Account Takeover attacks using bots and credential stuffing. Over the years, we’ve become used to massive automated exploit campaigns, like the one a couple of years ago where 5000 websites were backdoored in a very short period. In the last two years, this automated approach to hacking has also naturally expanded to account takeover attacks. Starting with the basic SentryMBA tool and going into bespoke tools that perform low and slow attacks, this type of breach has become more prevalent. The many breaches that occurred with websites from Ashley Madison, LinkedIn, Twitter to vBulletin message boards have provided attackers with huge credential “dumps” to perform these attacks.

[Read more…] about Application security trends through 2019 and beyond

AppSec News Roundup for January 2019: WebStresser, Mirai, reCAPTCHA, and more

by

Application security news never stops, and it can be hard to follow all of the incidents that are #AppSec related.  In this roundup, I've picked a handful of the most significant news items from January 2019.  

Credential Stuffing Attacks are increasing, and free raw material is abundant

Credential stuffing attacks are becoming increasingly common and visible. Two especially visible examples occurred in the last couple of months – Warby Parker and DailyMotion.  For more information on credential stuffing attacks, including anatomy of an attack and a diagram, visit the OWASP site here.

A “megabreach” was also discovered this month. As with most such “megabreach” credential dumps, this one seems to be a merged list of multiple older breaches, with a few million newer credentials in the mix.

Troy Hunt’s HaveIBeenPwned has integrated this list, in case you want to check on your credentials.

Our latest #AppSec blog discusses credential stuffing, megabreaches, and includes resources to help you find out if you are a victim. Click To Tweet

[Read more…] about AppSec News Roundup for January 2019: WebStresser, Mirai, reCAPTCHA, and more

Secure your APIs

by

Over the last few months, there have been a handful of public API compromises. These compromises included a “legacy” API that leaked personal information of BlackHat conference attendees, and what seem to be two separate T-Mobile leaks – one which leaked personal information, and another where both AT&T and T-Mobile leaked customer’s account PINs

An API, or Application Programming Interface, is as the name suggests, a way in which one piece of software can interact with another. A simple example is a mobile Twitter application like TweetDeck. TweetDeck uses the Twitter API to get the basic data, perform basic actions, and provide various functionalities like lists and columns.  So when you use TweetDeck to view your timeline and send tweets and direct messages in a nice, customized user interface, you are using the Twitter API.

Application Security Product Manager Tushar Richabadas talks about #API #security in this Barracuda Blog post. Click To Tweet

[Read more…] about Secure your APIs

“WAF Prevents Massive Data Breach at Equifax”… The headline that could have been, but wasn’t…

by

The entire Equifax saga is quite popcorn worthy in a way, with the daily revelations of new events and actions. That is, if you aren’t one of the roughly 50% of Americans who are affected by the hack.

From what we know now, Equifax was first hacked in early March. While details of how this breach happened are not available now, this primarily affected the API that banks and other institutions used to interact with Equifax. This was limited in impact and seemed to affect only a few persons. The big hack, however, happened later between mid-May and the 29th of July. This hack was the one that led to the data breach of roughly 143 Million records. Once Equifax identified the hack, they worked with an external firm to identify how this issue happened and released a breach notification on the 8th of September.

Post the breach, multiple issues came to light that made the entire situation worse. We’ll focus only on the ones that deal with security in general.

[Read more…] about “WAF Prevents Massive Data Breach at Equifax”… The headline that could have been, but wasn’t…

#AppSec News Roundup: DevSecOps, Medium, HackerOne, and more

by

It's time for another #AppSec News Roundup, and start with a topic close to our hearts!

DevOps & Security: Butting Heads for Years but Integration is Happening

Before I get into the survey results, le me get on my soapbox regarding the need to bring infrastructure, particularly security, and DevOps together. Digital transformation requires businesses to move with speed. Speed requires IT agility. IT agility requires app development and infrastructure to be agile and, in most organizations, security is anything but agile.  In fact, security is often left to the very end so companies can build a new app and then have to wait months until the security teams have made their changes and are ready. A better approach is to build security into the application development process.

[Read more…] about #AppSec News Roundup: DevSecOps, Medium, HackerOne, and more

Software vulnerabilities: The gifts that keep on giving

by

The image below shows the number of servers vulnerable to the Heartbleed vulnerability that was reported and fixed in 2014. The bigger problem? All of these are internet connected servers as of July 2017.

 

In October 2016, Andrey Leonov reported a successful breach of Facebook. Using the ImageTragick vulnerability, he was able to perform command injections and retrieve sufficient information to provide Facebook with proof of exploitation. Facebook patched the issue, and rewarded him. ImageTragick was fixed in May 2016, a full 5 months before the exploit.

On the 24th of September 2015, researchers published a report that showed that the scans for the Shellshock vulnerability were going up. 24th of September 2015 was the second anniversary of it’s disclosure – along with the fixes for the vulnerability.

[Read more…] about Software vulnerabilities: The gifts that keep on giving

Cloud Security Personas

by

The Cloud Security team here at Barracuda have been spending a lot of time with customers and partners, helping with their transitions to their cloud service provider of choice. We’ve been doing a series of roadshows, service provider events and more to help our customers migrate to a safe cloud. And along the way, we’ve discovered three security personas that organizations fall into, when it comes to cloud security.

The first persona is what we like to call the Optimist. The Optimist loves the cloud and cloud service providers – best thing since sliced bread in their opinion. The best thing about the cloud, in their opinion, is the security. The cloud is secure by default! The Cloud service provider takes care of most things, we just need to tune the rules a little bit. No more mucking about with Firewalls or anything. Life is good!

[Read more…] about Cloud Security Personas

Sathurbot very aggressive against WordPress sites

by

The recently observed Trojan, Sathurbot, offers a fascinating insight into the various parts of the malware spreading ecosystem. The bot compromises websites – primarily those running WordPress – and uses this to spread malware to end-users. Once it infects the end-users, it then uses them to hack more websites, and then uses the newly compromised sites to spread more malware, use for attacks, as malware C&C servers or SEO spam.

The entire process starts by compromising a site. Once this site is compromised, it serves torrent files, masquerading as legitimate torrents. These torrents appear well seeded and show up on Bing or Google searches. Users trust these torrents and use them to download the movies or software that the torrents seem to offer. The downloaded files convince the user into running them by masquerading as legitimate software and infect the user's computer. Once the malware has launched, the bot then connects to its C&C servers and uses this to update itself. The C&C server can also push other malware executables to the infected system to perform further tasks.

[Read more…] about Sathurbot very aggressive against WordPress sites