Barracuda

Your journey, secured

Tushar Richabadas

Tushar is the Product Manager, Web Application Firewall and Load Balancer ADC, Barracuda Networks India. He blogs about application security, public cloud security, and OWASP Top 10 vulnerabilities.

Connect with Tushar on LinkedIn

Follow Tushar's blog via RSS

AppSec News Roundup: Docker, WordPress, bruteforce attacks, and more

By

These are the biggest #AppSec headlines of April 2019.  I love the analogy of the developer getting mugged in this first example.  And we have more incidents of credential stuffing here.  

Dockerhub breach results in 190,000 credentials stolen

Docker has announced a large breach that has resulted in over 190000 credentials being stolen. The impact is best explained by Kenn White:

Kenn White, a security researcher, explained the potential impact of the breach with an analogy.

“Think of it like this: developer gets mugged, and gets his keychain and wallet stolen. If the only keys were to his house and cars, that’s not great but it’s not a problem for the company,” White told Motherboard in an online chat. “In this case, potentially 190,000 keychains were pilfered, but with keys to company’s front doors too. Now it’s everybody’s problem.”

[Read more…] about AppSec News Roundup: Docker, WordPress, bruteforce attacks, and more

The Evolution of Software Development: From Waterfall to Continuous Security

By

Early software development followed the waterfall model, a term coined in the 1970s.  In the waterfall model, the software development process was pre-planned, set in stone, with a separate phase for every step. Predictably, this made the process sluggish.

Every team involved in developing a software application was siloed and had its own priorities and processes to follow. For example, it was common for a development team to have their own timelines, only to find out that the quality assurance team was busy testing another application, and operations hadn’t been notified in time to build out the necessary infrastructure. On top of that, security often felt they weren’t taken seriously. [Read more…] about The Evolution of Software Development: From Waterfall to Continuous Security

AppSec News Roundup for February 2019: Credential stuffing, Facebook CSRF, public APIs, and more

By

Here are a handful of the most significant #AppSec news items from February 2019.  

More raw material for Credential stuffing attacks are turning up

Some of the major hacks in the last few years that haven’t leaked out are now turning up for sale. An unidentified hacker has released at least 3 rounds of these credentials for sale, with the last round costing about $9350. They have claimed that the databases include credentials for Pizap, who’ve stated that they are not aware of a hack and will investigate immediately.

[Read more…] about AppSec News Roundup for February 2019: Credential stuffing, Facebook CSRF, public APIs, and more

Application security trends through 2019 and beyond

By

2018 was a very long, eventful year in Application Security. There were many good things that came into place – the new OWASP Top 10 list (pdf) (late 2017, but close enough 😉), GDPR and similar laws that have created financial incentives for firms to secure user data, and a general rise in awareness for the need for web app security, patching and the like. It was, however, also a bumper year for attackers, and to me, is the year the Data Breach Notification became mainstream. (By mainstream, I mean that people who normally would not have thought about these breaches have heard of them and understand the consequences.)

Looking at the trends in terms of attacks over the last year, I see three clear attack vectors that have become very popular and will become a bigger problem in 2019 and beyond.

Account takeover (ATO) attacks using bots, exploits, and credential dumps, are expected to increase over the next year. Plan and deploy defenses like attack detection and 2FA to protect yourself from this attack.Click To Tweet

The first one is Account Takeover attacks using bots and credential stuffing. Over the years, we’ve become used to massive automated exploit campaigns, like the one a couple of years ago where 5000 websites were backdoored in a very short period. In the last two years, this automated approach to hacking has also naturally expanded to account takeover attacks. Starting with the basic SentryMBA tool and going into bespoke tools that perform low and slow attacks, this type of breach has become more prevalent. The many breaches that occurred with websites from Ashley Madison, LinkedIn, Twitter to vBulletin message boards have provided attackers with huge credential “dumps” to perform these attacks.

[Read more…] about Application security trends through 2019 and beyond

AppSec News Roundup for January 2019: WebStresser, Mirai, reCAPTCHA, and more

By

Application security news never stops, and it can be hard to follow all of the incidents that are #AppSec related.  In this roundup, I’ve picked a handful of the most significant news items from January 2019.  

Credential Stuffing Attacks are increasing, and free raw material is abundant

Credential stuffing attacks are becoming increasingly common and visible. Two especially visible examples occurred in the last couple of months – Warby Parker and DailyMotion.  For more information on credential stuffing attacks, including anatomy of an attack and a diagram, visit the OWASP site here.

A “megabreach” was also discovered this month. As with most such “megabreach” credential dumps, this one seems to be a merged list of multiple older breaches, with a few million newer credentials in the mix.

Troy Hunt’s HaveIBeenPwned has integrated this list, in case you want to check on your credentials.

Our latest #AppSec blog discusses credential stuffing, megabreaches, and includes resources to help you find out if you are a victim. Click To Tweet

[Read more…] about AppSec News Roundup for January 2019: WebStresser, Mirai, reCAPTCHA, and more