The Reports of My Death Have Been Greatly Exaggerated: How DAST Is Reinventing Itself

A recent post on Boring AppSec touted the diminishing value of Dynamic Application Security Testing tools.

However, contrary to this post and despite the rapid pace of technological advancements that often renders many solutions obsolete, some DAST solutions have adapted and remain more relevant than ever in 2023.

Adapting to Development Velocity: Seamless Integration in the Development Pipeline

To meet the increasing demand for faster deployment, developer-centric DAST has adapted by integrating itself seamlessly into the software development lifecycle (SDLC). Shifting left and testing earlier in the pipeline offers significant time and cost savings through timely detection and remediation. Solutions like Bright go even a step further – we’ve integrated our scanner into the unit testing phase, revolutionizing the whole process by testing applications very early in the SDLC. 

Indeed, AppSec professionals, regardless of how good they are, cannot scale nearly at the rate of dev-centric DAST due to the very high ratio of developers to AppSec professionals and the increased demand due to frequent deployments by development. 

Therefore, instead of AppSec professionals testing each and every scan, with a dev-centric DAST, AppSec can provide governance, guidance and validation while developers can manage incremental scans early in the dev lifecycle, analyze the results presented in a dev-friendly way and remediate vulnerabilities based on clear remediation guidelines. Developers can also self-onboard with minimal AppSec assistance and immediately deliver comprehensive results. 

This enables organizations to scale their application testing endlessly across different platforms without skipping a beat. This saves countless hours of work, and with it, money – plus, it allows for AppSec professionals to focus on more pressing issues beyond analyzing each and every deployment.

Minimizing False Positives

One challenge DAST (and many other AppSec solutions) faced is the prevalence of false positives. Many tools have been designed with only the AppSec professional in mind and without regard for minimizing false positives, which easily overwhelm developers and put additional pressure on AppSec professionals to triage them. However, modern DAST solutions are purpose-built for both AppSec and developers, minimizing false positives and enabling developers to focus on building and developing instead of sifting through misleading information.

Detecting Business Logic Vulnerabilities

As demand for detecting business logic vulnerabilities increases, many application security testing tools struggle to meet this challenge. Modern DAST, however, is capable of identifying these vulnerabilities across both WebApps and APIs by emulating a hacker’s behavior and testing every possible user flow until it uncovers the vulnerability. This advanced capability sets solutions such as Bright apart from other DAST solutions, allowing for a more thorough security analysis.

Language-Agnostic Testing

Unlike other application security testing tools, DAST is not language-dependent. This versatility allows it to accommodate diverse and dynamic development teams, keeping track of security features regardless of programming language differences. This ensures that no application is left untested, providing comprehensive protection across the organization.

Empowering Security Champions

The concept of security champions is still relatively new and underdeveloped. As the industry continues to grow and more security champions emerge, their role in supporting developers and bridging the gap between AppSec and development becomes increasingly important. By providing training and resources for these champions, organizations can further enhance their security posture and streamline the integration of DAST into the development process.

In conclusion, DAST’s ability to adapt and provide a simple, developer- and AppSec-friendly solution that effectively detects vulnerabilities without false positives ensures its continued relevance in the cybersecurity landscape. As organizations recognize the value of robust and flexible security testing tools, the resurgence of DAST will only continue to gain momentum.

Key Benefits of Modern DAST:

  1. Fast, seamless integration into the development pipeline through early SDLC integration (SecTester)
  2. Capable of detecting business logic vulnerabilities
  3. User-friendly, low-maintenance, and developer-centric approach
  4. Security champions can bridge the gap between AppSec and development
  5. Minimizes false positives, avoiding unnecessary distractions for developers
  6. Language-agnostic, accommodating diverse programming languages
  7. Efficiently tests APIs, ensuring comprehensive security coverage

Legacy DAST is dead, LONG LIVE MODERN DAST!

How ChatGPT Changes the Cybersecurity Landscape

What is ChatGPT

Unless you’ve been living under a rock, you’ve heard of the breakthrough technology that is ChatGPT. However, ChatGPT in itself is just the tip of the iceberg. What lies underneath is GPT-3 (Generative Pre-trained Transformer 3), a large language model with an unprecedented amount of processing power and computing capability.

The arms race for the best AI out there is in full force. Google has already announced Google Bard, a tool that it hopes will challenge OpenAI with the ability to scour the internet, which is one of the pain points of ChatGPT. Chatsonic is another challenger: an AI tool built on top of ChatGPT that inherits the might of its sibling, but with the added benefit of accessing Google’s search engine. It makes for an interesting battle that will surely develop rapidly into some miraculous solutions in the years to come.

However, as things stand, GPT-3 is firmly on the throne.

To even try and grasp the might of GPT-3, let’s take a look at some data. According to Sigmoid, GPT-3 has more than 175 billion machine learning parameters, dwarfing Microsoft’s Turing NLG, which had ‘just’ 17 billion parameters. As time goes on, ChatGPT will only become more powerful, as its creators, OpenAI, are also using reinforcement training, employing trainers specifically tasked with talking to the engine and giving it human feedback, which then feeds back into the already enormous data set, creating a mighty product for us to use.

ChatGPT in Cybersecurity

You’ll often find that the barrier to entering the cybersecurity world can be pretty high. There’s so much knowledge you need to consume before getting started on your journey to become a cybersecurity expert, that for most people, it’s not worth it. 

However, that changes with ChatGPT. With its ability to instantly generate code, it enables even just curious enthusiasts to give cybersecurity a shot. This could very well result in a dramatic rise of cybersecurity attacks across the globe, as the number of potential hackers will rise up like never before due to the simplicity of using a tool such as ChatGPT. Suddenly, the barrier to entering the cybersecurity world went down. No more dark terminals, lengthy books, and frustrations – now you just have to fire up the good ol’ AI and you’re good to go, right?

Well, not so fast.

While it is true that ChatGPT is indeed capable of writing malware, apparently the quality isn’t up to the standard. This is clearly some good news, but it’s not all roses; there are plenty of ways clever hackers could use ChatGPT, even if their prompts don’t look ominous on the surface. 

BlackBerry conducted a survey that returned some alarming results. Of 1,500 respondents, more than half (51%) predicted there would be a cybersecurity attack credited to ChatGPT in the upcoming year. While it’s hard to expect large-scale cybersecurity attacks to erupt immediately, smaller-scale activity might go off the rails, and there’s a good reason why.

Phishing Attack

It’s globally the most common and most frowned-upon method of hacking: the phishing attack. Why did it make its way into a ChatGPT article, you ask? Well, the answer is quite simple, yet scary.

Phishing attacks could run riot in the upcoming months. 

For those who don’t know, a phishing attack is scamming a person into giving up their sensitive data by pretending to be someone else. It could be an email that looks just like a legitimate company’s would, but with slight changes that an end user wouldn’t notice, or it could be a full-fledged clone of an existing website, where the victim enters their data thinking it is the normal website, thus giving away the sensitive information.

With ChatGPT being able to create code to build websites, cloning existing websites and writing convincing emails has never been easier. This is why you must be extra careful these days – always double-check the URL of the website you’re visiting & make sure that the emails you exchange are coming from the right sources. 

It’s not only visuals either; ChatGPT enables hackers to easily generate convincing emails in any language they want. This used to be a big barrier for a lot of non-English hackers as people would quickly recognize broken grammar, but the game has changed now and nobody is off limits. 

Conclusion

The time of artificial intelligence has come and it’s not going away anytime soon. With that, we must adapt rather than find a way to get around it. The reality is that machine learning models will only get more powerful as they rapidly gather more data and build on an already fascinating foundation.

It’s not just the cybersecurity world that’s in danger. ChatGPT could also be used for some criminal actions as some authors already found a way of getting the program to explain how to create an explosive or hand out practical tips for shoplifting. 

While we can’t help you with protecting your physical goods, we certainly can do something about your digital security. Bright allows you to create a safe environment for your apps by finding vulnerabilities early in the SDLC, which allows you to react quickly and remediate on time. Just as ChatGPT simplifies cybersecurity attacks, we at Bright simplify protection, and you’ll find that our dev-centric solution could be the very thing that successfully protects your applications from ominous intents.

Password Managers: Friends or Foes?

So, you recently decided to purchase a password manager. It is time to say goodbye to remembering an endless number of passwords or storing your passwords in unsafe locations (please, not on a post-it note on your desk!). Your passwords are safe, and you no longer need to worry about your data becoming compromised. Life just got a whole lot easier, right? Not necessarily. Although password managers are beneficial tools for keeping your passwords organized and encrypted in a single place, no solution is perfect. 

The Case of LastPass 

The password management service LastPass reported a data breach of its systems in August 2022. The attacker obtained source code and technical information from the development environment, which was leveraged to target a specific employee. Once the employee had authenticated using multi-factor authentication, the actor utilized their persistent access to impersonate the employee.

Gaining access to the employee’s device, the attacker lifted the employee’s credentials and security keys to gain access to files from the company’s cloud-based storage services. In December 2022, the company reported that the attacker obtained a backup of the customer vault data through the third-party cloud-based storage service. 

Let’s talk about the timeline

LastPass’ issues started back in August of 2022. In this incident, attackers had gained access to portions of a development environment due to a compromised developer account and stole technical and proprietary information. LastPass initially claimed that no evidence existed that the incident involved any access to customer data or encrypted password vaults. And that appeared to be the end of the issue. 

However, in a LastPass blog post by Karim Toubba updated in December 2022, it was revealed that a “threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.” What does this mean? It means that someone was able to break into a storage vault using information they had gained during the August incident. But what happened once they got into that vault? Were they able to take the passwords and information right out of the vault? Well, technically, no. The passwords themselves were encrypted; however, that doesn’t mean LastPass was out of hot water. The attacker had obtained basic customer information, including email addresses, billing addresses, IP addresses from which LastPass was accessed, and telephone numbers. And, as other sources have suggested, a LastPass vault is not difficult to decrypt with the right resources, mainly because users rarely choose master passwords with high entropy. As such, these passwords are crackable, encryption or not.

What Does This Mean For Users? 

Although the stolen vault remains protected with 256-bit AES encryption, users with weak master passwords could be at risk. To successfully decrypt the data, the attacker would need access to a unique encryption key derived from each user’s master password. LastPass utilizes an industry-standard Zero Knowledge architecture, which ensures the company can never gain access to the customer’s master password. Without knowledge of this password, no one other than the vault owner can decrypt the data.

However, the hacker could access the vault through brute force if password best practices aren’t followed. Additionally, the attacker could leverage the customer’s basic information to target individual users through various attack methods, such as phishing. 

How to Protect Yourself 

While password managers are a great tool, best practices must still be followed to protect yourself from becoming vulnerable to an attack. In the case of LastPass, users with weak master passwords are the ones at risk. Luckily, there are steps you can take to protect your passwords and ensure your data is secure in 2023.

  1. Use a minimum of 12 characters
  2. Combine upper case, lower case, numeric, and special character values
  3. Ensure your password is easy to remember, but not easy to guess!
  4. Never use personal information
  5. Ensure your password is unique; don’t share it with other accounts!
  6. For extra layers of security (better safe than sorry!), change all of the passwords you have saved in your LastPass account. This will take some time, but it adds an extra layer of protection for your sensitive information.
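As an added illustration (not LastPass’s or Bright’s code) of why the list above matters, the code below derives a vault key from a master password the way the article describes, checks a candidate master password against rules 1 to 5, and estimates how long an offline attacker holding the stolen vault would need to exhaust the search space. PBKDF2-HMAC-SHA256, the iteration count, the salt and the attacker hash rate are assumptions made here, not the vendor’s actual parameters.

```python
"""Why vault encryption alone does not protect a weak master password.

Added illustration. It assumes the vault key is derived with PBKDF2-HMAC-SHA256;
the iteration count, salt and attacker hash rate are constructed illustration
values, not any vendor's real parameters.
"""
import hashlib
import math
import re

KEY_LEN = 32                  # 256-bit AES key, as the article describes
PBKDF2_ITERATIONS = 100_000   # constructed illustration value


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the vault key from the master password. Zero knowledge means the
    provider stores neither the password nor this key, but anyone holding the
    encrypted vault and the salt can recompute it for every guess offline."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def policy_violations(password: str, personal_info: list[str],
                      other_passwords: list[str]) -> list[str]:
    """Return the article's rules (1 to 5) that a candidate master password breaks."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("must mix upper case, lower case, digits and special characters")
    lowered = password.lower()
    for item in personal_info:          # e.g. names, pets, birth years
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    if password in other_passwords:     # rule 5: never reuse the master password
        problems.append("reused on another account")
    return problems


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains the password."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26),
                       (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, password):
            size += n
    return size


def search_space_bits(password: str) -> float:
    """Upper bound on guessing entropy: log2(charset ** length). Passwords built
    from words or personal details have far fewer effective bits than this."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, sha256_per_second: float,
                     iterations: int = PBKDF2_ITERATIONS) -> float:
    """Worst-case years for an offline attacker to try every password of this
    length and character set. Each guess costs `iterations` HMAC-SHA256 rounds,
    so the iteration count divides the attacker's raw hash rate."""
    guesses_per_second = sha256_per_second / iterations
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"     # constructed; real salts are random per user
    personal = ["fluffy", "1985"]           # constructed: pet's name and birth year
    for pw in ("Fluffy1985!", "k7#Vq2p!Xw9$Lm4z"):
        key = derive_vault_key(pw, salt)
        # The bit count flatters "Fluffy1985!"; the policy check is what catches it.
        print(f"{pw:18} key={key.hex()[:16]}... {search_space_bits(pw):5.1f} bits "
              f"{years_to_exhaust(pw, 1e10):.1e} years  {policy_violations(pw, personal, [])}")
```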

What does this mean for LastPass’ future?

We of course don’t know for sure. However, even for security professionals, going through and rotating entire swaths of passwords for extra security after this breach will take quite some time, leaving a bad taste in these customers’ mouths. For a layperson, it is safe to say that taking this extra security precaution may not enter their minds, or will take months to complete. So, the severity of this breach should not be underestimated, and consumer trust has certainly been broken. It remains to be seen whether trust and transparency on the part of LastPass can be regained in the coming months.

Four Ways AI Poses a Threat to Cybersecurity and How to Protect Yourself

The term “artificial intelligence” (AI) describes a machine’s capacity to carry out operations traditionally performed by intelligent entities like humans or animals. Artificial intelligence (AI) systems are capable of reasoning, problem-solving, generalization, planning, and experience-based learning. 

AI is still developing in terms of practical applications, and yet organizations have been using it in recent years to adapt their processes so that they are prepared for opportunities and problems in advance. However, cybercriminals are now also using this technology to increase the effectiveness of their cyberattacks and hacks.

They achieve this by utilizing the intelligent automation offered by AI systems to enhance traditional cyberattacks by accelerating their speed, expanding their coverage, and raising their level of sophistication. Thus, the disruption of AI-enabled cyberattacks is three-fold. AI can assist a variety of attacker strategies and offers fresh methods to better accomplish the attackers’ objectives.

AI’s offensive capabilities

AI’s offensive capabilities are expressed in the following ways:

  1. Automation
    • boosts the autonomy of cyberattacks and decreases the manual effort needed by an attacker
    • makes it possible to coordinate attacks to determine the optimal attack vector, the most vulnerable target, and the most effective attack window
  2. Stealth
    • capacity to develop content that resembles the distribution from which it learned and can therefore hide malicious behavior
    • offers ways to get beyond security measures including email filters and malware detectors
  3. Social engineering
    • can study humans to better understand how to manipulate their trust and emotions and offers methods for choosing and tracking targets
    • can automate and personalize interactions with people both offline and online, e.g. chatbots and spear phishing emails
    • can be employed to create fake online personas and impersonate real individuals in order to connect with selected victims, e.g. deepfakes and voice cloning
  4. Credential theft
    • can mimic human behavior to replicate authentication procedures and guess credentials and is used for both initial access and credential access tactics
    • offers methods for fooling biometric identification systems by imitating a user’s voice and face, keystroke patterns and eye movements
    • can guess passwords with low entropy or personal details

Examples of AI-enabled cyberattacks

In spear phishing with target selection, AI can assist in the selection of phishing victims via user profiling to detect and target particular traits. The attacker initially gathers online profiles from social media networks in order to profile people. Then, relevant traits like friends, interests, and hobbies are used to categorize possible victims into groups with similar traits. The last step involves locating and classifying clusters of interest, such as those that are “very gullible” or “high value,” which later become the target of spear phishing attacks.

The interests of targets are usually fed into a natural language generation (NLG) model, many of which are publicly accessible online, e.g. GPT-3. The model is then used to create customized emails or social media postings that mimic the target’s hobbies and writing style, boosting the likelihood that the attack will be successful. In fact, a tool that generates phishing tweets, called SNAP_R, proved to be more successful at triggering victim click-through than human-written tweets.

Deep learning techniques are used by a technology known as deep voice to mimic a target’s voice and create speech from text. Audio samples of a person’s voice are necessary for training a deep voice model. The audio of public appearances or recorded online meetings, both of which are widely accessible online, can be used to gather this information. This technology enables vishing (voice phishing) attacks, many of which are successful and some have already been made public. In July 2019, a vishing call that pretended to be the CEO of a UK-based energy company resulted in a fraudulent $243,000 money transfer.

Deepfakes, which allow an attacker to simulate a target’s face and behavior, can take impersonation to a new level, as no prior technology was able to convincingly mimic voices, facial structure and gestures of targets.

How to protect yourself

At large, automation and artificial intelligence have made organizations more innovative and efficient than ever before. However, they can also be a ruthless enemy when put into the wrong hands. As humans, we know playing against a computer rarely ends in victory. Have you ever played online chess or checkers against a machine? Chances are, you lost. In this situation, the odds are stacked against you. Similarly, leaving the burden to the cyber experts in your organization to prevent AI-based attacks will leave your team feeling defeated and burnt out. 

The best way to protect yourself against these attacks is to use common sense, spread awareness and fact-check using multiple sources. It’s crucial for an organization to be aware of the risks and to develop a skeptical eye among its employees, as they are the biggest vulnerability in AI-enabled cyberattacks. By reporting suspicious emails, posts and other business related activities, you can help your organization act quickly and protect others from similar attacks. 

Beyond educating and monitoring your employees, additional measures can be taken to increase overall security. In recent years, artificial intelligence has enabled malicious actors to become more sophisticated in their attack strategies. As a result, organizations are being tasked with finding sophisticated solutions to defend their assets and keep their data safe. Luckily, solutions are available that can assist in reaching this goal. 

Through adopting an automated solution, your organization can reap the benefits of faster analysis and mitigation of threats through vulnerability management, network security, and application security. Equip your organization with proper tools, and reduce the risk to your organization from malicious actors. 

Protect your organizational assets with Bright 

Bright’s Dynamic Application Security Scanner enables you to secure your applications and APIs for both technical and business logic vulnerabilities at the speed of DevOps, with minimal false positives. Avoid security becoming an afterthought, and ensure proper measures are taken to prevent attacks before they happen. 

Malicious actors are out there, and although there is no one perfect solution to protect your organization from an attack, with proper security measures in place, you can reduce your organizational risk and rest easy! 

What is SASE, where is it going, and why does it matter?

Intro

With the COVID-19 pandemic, organizations found themselves facing brand new problems with security and the cloud, namely the trouble of securely moving away from data centers and into the cloud, all while protecting the ‘edge’ of their networks in a secure manner. (By edge, I mean the boundary of wherever your network ends, that is, wherever the employees are.) The old paradigm of networking in company-specific data centers tied to offices is no longer viable in today’s cloud-based, IoT-heavy, distributed workforce, and as such, SASE was born.

What is SASE

SASE is a framework for a network architecture that bundles cloud-native security technologies and Wide Area Network (WAN) capabilities. Put more simply, it’s the intersection of networking and security in a cloud-based environment. It is not a single technology, but a conglomerate of many different technologies, such as Software-defined WAN (SD-WAN), Cloud Access Security Broker (CASB), NGFW and Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), and Secure Web Gateways (SWG).

You can learn more about the different components of SASE here.

Where is SASE going

Gartner’s projections of top trends in infrastructure and operations (I&O) put SASE at the top of the list for a significant impact in 2023. With total worldwide end-user spending of up to $9.2 billion forecasted, up 39% from 2022, we can see a growing trend of SASE adoption. There is a significant market for single-vendor SASE, and while the market is still immature, there are a number of single-vendor SASE options.

Dell’Oro group, a market research firm, forecasts that the SASE market will triple by 2026, topping $13 billion. Gartner is even more bullish, predicting that the SASE market will grow at a 36% compound annual growth rate (CAGR) between 2020 and 2025, reaching $14.7 billion by 2025.

Also of note from the Gartner report is a prediction that by 2024, 40% of organizations will have strategies in place to adopt SASE, up from a mere 1% in 2018.

Lastly, there is a movement to standardize SASE. A nonprofit called MEF seeks to lead the way in SASE standardization. From the MEF website, we can see the purpose of the standardization is as follows:

‘MEF’s industry-first SASE standard defines a Secure Access Service Edge (SASE) Service framework and specifies service attributes that need to be agreed upon between a service provider and a subscriber for SASE services, including security functions, policies, and connectivity services. The standard aligns stakeholders on common terminology and service attributes when buying, selling, and delivering SASE services, and makes it easier to interface policy with security functions for cloud-based cybersecurity from anywhere.’ —  https://tinyurl.com/226d8pw2

You can find MEF’s standardization document here.

Why does this matter?

The old paradigm of networking for in-house data centers and in-office employees is dying. In the mad rush to adopt cloud-based services, adequate security tooling is ever more important to protect company assets. Tool consolidation is also becoming an ever more appealing option for organizations, as the ‘bits-and-pieces’ approach to the tooling covered by SASE is quickly becoming overwhelming for customers. With reduced complexity and security available no matter where the user is, SASE streamlines networking and security for a remote-first world.

Conclusion

SASE, while still at a nascent stage as far as standardization of services goes, is projected by Gartner and many others to be the networking solution of the future. With significant money to be made, and single-vendor solutions paving the way for adoption, SASE deserves a second look from anyone as a promising emerging technology.

Additional Resources

What is SASE (Secure Access Service Edge)? | Versa Networks (versa-networks.com)

Secure access service edge: What is SASE? (www.polymerhq.io)

Invest Implications: ‘The Future of Network Security Is in the Cloud’ (www.gartner.com)

Security Breaches: What We Learned in 2022

With global events happening all around us, it’s time to reflect on how the year behind us affected the cybersecurity world, and the lessons we learned during this period. It’s been a very turbulent time in cybersecurity, with the technology sector going through financial turmoil, which in turn caused some critical vulnerabilities to occur.

This is part of a series of articles about Data Breach.

The Biggest Breaches

Some of the biggest breaches involved some of the biggest tech companies! Twitter & WhatsApp are just top-of-the-shelf examples of how even the richest and most powerful organizations constantly have to keep up in order to keep their data safe. 

Optus Data Breach

It sounds bad when you first learn that a giant telecommunications company suffered a data breach. But it’s only when you learn that no less than 11 million people had their data leaked does it go to the next level. 

The hackers accessed all sorts of personal data after which they supposedly contacted all the users with a $1300 offer to keep their data private. Not only that, but those users started becoming a target of recurring phishing attacks. Some journalists reported that the hackers gained access to the data by accessing an unauthenticated API endpoint, although the details of the attack are yet to be published online.

Medibank Data Breach

Another company from the Land Down Under took over the unfortunate headlines in the twilight of this year as Medibank suffered a huge cybersecurity breach. To be more specific, an anonymous hacker collected 9.7 million records of Medibank’s customers.

After the company refused to give in to hackers’ requests, the cybercriminals dumped more than 5GB of compressed data online. All the analysis indicates that the data dump, indeed, contains the Medibank customer information. 

DoorDash Data Breach

The summer of ‘22 won’t be remembered as a particularly happy one for DoorDash users. Perhaps the biggest food delivery company suffered an enormous leak where almost 5 million of their users had their data stolen. 

What’s really interesting is that the attack happened via a very sophisticated phishing campaign, ultimately causing big damage to DoorDash in terms of customer trust.

Luckily, hackers only accessed some credit card data from a smaller group of people, but even in those cases, it was mostly the last four digits of their card number – still a big risk, but not as threatening as some other data leaks out there.

Security Starts at Your Own Home

When talking about big security breaches, a lot of companies focus their defense mechanisms solely on technical details. They make sure that the system they’re using is impenetrable. However, there’s a big gap that often occurs, resulting in some of the biggest data leaks – and it’s human error.

Making sure that your employees are the first line of defense is crucial in maintaining a safe environment, protected from outside breaches. This means constant education of your employees, enrolling and encouraging them to take up security courses, and raising the overall level of cybersecurity awareness in your company.

Creating a safe environment isn’t, and never has been, an individual effort of a few people specialized in cybersecurity. It’s always about the whole group, which has to stay organized and aware of all the outside threats in order to make sure that costly slip-ups don’t happen. Ultimately, a chain is only as strong as its weakest link, and that saying applies perfectly to cybersecurity.

From all the lessons we’ve learned in 2022, it’s time for all of us to take action, broaden our knowledge, and work on our cybersecurity awareness. These are the steps necessary in going to the next level and raising our security levels online.

Turning Left: How Bright Reinvented the DAST Wheel

Dynamic Application Security Testing (DAST) tools have been around for decades. However, what was once the dominant market solution is becoming obsolete. Primarily, this shift boils down to organizations moving to DevOps, the philosophy of getting all the teams to work closely together throughout the SDLC, with the focus on efficiency, fast feedback, and constant improvement. Through its adoption, organizations can release code faster than ever before; sounds great, right? The downside is that the lion’s share of organizations are still knowingly releasing vulnerable apps and APIs into the market. So, although speed has improved, security has not. By not finding vulnerabilities early enough in the SDLC, organizations are unable to take swift action to remediate and protect themselves. This is where Bright comes in.

DAST tools scan your application from the outside in, simulating an attack. Traditionally, DAST scanning was conducted during the final two stages of the SDLC: testing and release/maintenance. When releasing every couple of months, testing during the final stages didn’t pose a problem as there was still time to find and remediate vulnerabilities. However, the advent of DevOps posed a problem for these legacy tools. Equipped with new speed, organizations could now release faster than ever before. The problem was that the AppSec team could no longer keep up with this new fast-paced way of doing things. As a result, there was no time to verify that there were no vulnerabilities before release.

Understanding this, Bright’s CEO and Co-founder, Gadi Bashvitz, wondered whether Bright could create a DAST solution that would start scanning earlier in the development life cycle, thereby empowering developers to take control of their own DAST scans. In doing so, organizations can get the information they need early enough in the SDLC to resolve vulnerabilities in minutes. This saves time and money: waiting until pre-production or production to fix the same problem could take weeks because of heavy processes, context switching, having to redo testing, and so on, affecting the entire sprint. By providing developers with tools made for them and implemented early in the SDLC, organizations gain the confidence to release applications and APIs without the risk of shipping vulnerabilities to market.

Is Bright Reinventing DAST?

Simply put, yes! By integrating DAST earlier in the system development lifecycle, Bright has helped hundreds of companies shift left.

But, you may be asking yourself, what does it mean to shift left?

Shifting left is the philosophy of starting security earlier in the SDLC by building it into every phase, starting from the project kick-off meeting. In doing so, organizations can focus on what truly matters: releasing code. They can also save time, money, and their reputation!

By adopting a shift-left approach with our dev-centric DAST, you can find vulnerabilities earlier in the SDLC, minimizing internal friction and producing a more cohesive team and a more secure application overall.

Safety and Preparation for Hacker Summer Camp

Every August, hackers descend on Las Vegas, Nevada to participate in #HackerSummerCamp, a combination of multiple cybersecurity/hacker events that occur simultaneously. There are several events, but the main ones you are likely to hear about are Black Hat, Def Con, B-Sides Las Vegas and the Diana Initiative. #HackerSummerCamp is just the affectionate nickname; it is not the official name.

Formally named or not, #HackerSummerCamp can pose security risks to you and your personal devices! In this article we will detail several ways you can protect yourself and your devices from the small minority of attendees who behave unprofessionally and cause problems for others during this annual event.

  • Do not connect to any WiFi with a device that you love. Bring a burner phone or laptop if you must connect while at/near the conference.
  • Use a VPN if you are going to connect for work from your hotel, and use cellular data instead of WiFi if you can. Do not connect to work from the conference WiFi. Do not connect to the conference WiFi at all unless you are using a burner or a ghosted and backed-up device.
  • Make a backup of your laptop, then ghost it, attend Hacker Summer Camp, then ghost it again when you get home, then restore from your backup disk. This helped a lot when I received “the gift of malware” in 2016 at my first Def Con. Glad I prepared before I left home!
  • Turn off your Bluetooth and WiFi. Ensure they won’t turn themselves back on or do any scans in the background.
  • Use cellular; it’s safer.
  • Ensure that YOU are physically safe at all times. It’s best not to go to a party alone or with people you don’t know, but if you do, don’t get drunk/high/out of control.
  • Don’t accept drinks from strangers. Even if they are famous.
  • Don’t go back to someone’s hotel room unless you feel safe doing so, and preferably tell someone where you will be, including the room number. Have someone check in with you afterwards.
  • Exercise all the caution in the world when it comes to your physical safety, and then some more. Even if you have met someone before or feel like you know them very well from the internet, be careful; you are the most valuable thing you have.
  • Register for parties in advance to make sure you get a ticket. Getting tickets to things last minute is a pain, and they often sell out.
  • Buy tickets to conferences in advance to make sure you get in.
  • If you have to do live demos, I suggest recording them (I KNOW! Then they are not live). You can always ALSO do them live, but you have a backup just in case. That’s what I did and guess what? My laptop is fine AND my demo looked awesome!
  • If you go to Def Con, prepare to wait in line for at least 50% of the time you spend at the conference. Seriously. If you are an extrovert like me this can be fun, but if you are an introvert be prepared. #linecon
  • If you can network and make friends in advance of the event, it’s a good idea to do so. Attending in a group is always safer and usually more fun as well. If you can meet people who are part of a larger group, such as the Diana Initiative, CyberJutsu, WoSEC, OWASP, etc., that can lead to even more fun (and safety).
  • If something happens, TELL SOMEONE. If a person has done something obviously inappropriate to you, they will (sadly) likely do it to even more people if you let them get away with it. Please report. For DEFCON there’s a hotline, and the people working there are super awesome and kind. They will help, regardless of the situation you’re in and regardless of the people involved. You can even report anonymously over the hotline. Again: if something really bad happens, please report.

Gadi Bashvitz, Bright: “companies must ensure security is part of the design of the product”

Our guest today believes that security testing should be done as early as possible in the development lifecycle.

As the world gets more connected, it is no surprise that threat actors are constantly on the lookout for vulnerabilities to exploit. With vast amounts of software and applications being released every minute, experts believe that a new development approach must be taken – one where security is woven into the product from day one.

To talk about the importance of the security-first approach, we invited Gadi Bashvitz, the Co-founder and CEO of Bright Security – a company ensuring that no vulnerability goes unnoticed in the software development process.

How did the idea of Bright originate? What has your journey been like so far?

With roughly 70% of the vulnerabilities affecting companies today originating in the application layer (Apps or APIs), it became clear that proper application security (or AppSec) is one of the most crucial areas of need in cybersecurity. Looking at the market and the solutions, we realized that the legacy security solutions in the space were fast becoming antiquated and were not able to keep up with the pace of modern DevOps practices. We wanted to create a solution that addressed the key issues the market was facing as this issue will only grow more pressing as the rate of software development continues to increase.

The most important trend, as we saw it, was (and still is) “shift left”, or the idea of moving security testing early on in the software development lifecycle (SDLC). Earlier testing will lead to a more efficient security process and prevent vulnerabilities from ever making it to production, but while the concept is great, the execution hasn’t been.

Dynamic Application Security Testing (DAST), which is the process of testing the security of the running application from the outside-in, was an area that we identified as in need of some innovation. The legacy DAST solutions were not built for developers, but for AppSec experts, and were not suitable for a world in which software releases happen multiple times a day. The flaws in these older solutions led many developers to avoid using them altogether as they were more of a hindrance than a help. We set out to create a DAST solution that not only worked for the needs of developers but one that they would want to use.

The journey so far has been incredible. It’s very exciting to see both large banks and leading global Cybersecurity companies, on the one hand, and small dev teams, on the other, rely on our platform to secure their apps. We’ve learned a ton along the way, such as the importance of business logic vulnerabilities, the need for securing APIs – not just human-facing apps, and how to make it so developers actually WANT to use the product.

Can you introduce us to your application testing platform? What are its key features?

Bright is a Dynamic Application Security Testing (DAST) platform built for software developers. The solution approaches applications from the outside, mimicking how a hacker would approach the application, and automatically tests for vulnerabilities that bad actors could exploit.

Unlike legacy tools which were designed exclusively for expert security users after the application is already in production, Bright’s tool was built to be “developer-first”. It was designed to empower developers to create more secure applications and APIs starting in the development phase and across all stages leading up to and including production so that vulnerabilities are caught and remediated earlier. 

To truly be a dev-centric platform, we needed to develop some key features that align with how developers prefer to work:

  • Setup takes minutes and there’s no need for security expertise – we take care of all that
  • No false positives: Our special technology automatically verifies that any vulnerability it detects is actually exploitable so that devs don’t waste time remediating vulnerabilities that aren’t a threat
  • Remediation instructions that make sense: If a scan detects an issue, developers receive easy-to-follow remediation guidelines with the information they need to fix it
  • Control everything with code: Although Bright has a great UI, developers love using our CLI and API, which let them control everything
  • Scans take minutes instead of hours or days: Bright’s unique approach allows you to scan only the relevant parts of an app so that you don’t have to slow down the build process – including for unit testing!
  • Seamless integration with the developer toolchain: Bright works with existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. It can also automatically add tickets to Jira, GitHub, Azure Boards, GitLab, and other systems.

And while we hope developers will love working with Bright, we also want to make sure security teams can rely on it. No tool out there has more comprehensive testing coverage than Bright, and that includes business logic vulnerabilities and API scanning.

What would you consider the main challenges development teams run into nowadays?

The biggest challenge for development teams is keeping up with the pace of today’s world. Developers today are releasing 100x more code into production compared to only ten years ago, and so the challenge becomes developing and releasing software at a much faster pace, while still ensuring that it is both bug-free and secure. To do that, you want as much automation throughout the SDLC as you can put in (aka DevOps). The issue developers face is that securing software before it’s released – without a platform such as Bright – is a tedious, manual, and time-consuming process. Today, almost 90% of organizations are knowingly releasing vulnerable applications and APIs into production because they can’t detect and remediate vulnerabilities quickly enough. These vulnerabilities take an average of nine months to be fixed, leaving organizations exposed for considerable periods of time, and we’re working to change that reality.

How do you think the recent global events affected the way people approach cybersecurity?

On the macro level, the increase in attacks is just accelerating the growing understanding of the importance of addressing cybersecurity flaws. Companies are repeatedly seeing the financial and reputation fallout from cyberattacks and hacks and are placing a premium on cybersecurity, which is becoming a key factor in purchasing. Nobody wants to buy a product that isn’t secured, and so companies must adjust to ensure security is part of the design of the product and incorporated throughout the process.

Part of that is accomplished by moving all forms of security testing earlier in the process (i.e., shift left). And that’s a place where we are seeing a massive change in attitude – especially among developers. Developers are quickly coming to the realization that security vulnerabilities are bugs (but often with more severe consequences). And as no developer prides themselves on releasing buggy code, they also want to make sure they release secure apps.

What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?

At the application level, which is where we live, we’re seeing that the most common vulnerabilities are indeed the ones that are on the OWASP Top Ten and similar lists, which enable attacks such as SQL injection, cross-site scripting, CSRF, and XXE. There’s a fairly good awareness level of these vulnerabilities, which we call “technical vulnerabilities.” 

That said, there is a whole different class of vulnerabilities – business logic vulnerabilities (BLVs) – that are still often overlooked and can be very severely exploited by bad actors. BLVs are particularly tricky because exploiting (and detecting) them requires an understanding of the application’s flow and business purpose, and finding them has traditionally relied on costly and error-prone manual testing. 

Awareness of BLVs is so low currently that, unlike CVEs for technical vulnerabilities, there is no naming or classification system. Our researchers at Bright are identifying them and classifying them with proper names. Our automated solution thoroughly analyzes the application’s flow, understands the context, and tests the system through a multitude of interaction combinations, eliminating the need for manual processes.

In your opinion, what kind of tests and checkups should every company conduct regularly?

In a perfect world, companies should use all of the tools in the toolbox: SCA, SAST, DAST, IAST, GRC, RASP, etc. But as important as what tests they run is when they run them. It is much more cost-effective to run the tests as early as possible in the cycle. DAST was traditionally employed when the application was already fully developed and running (in pre-production or production), but fixing vulnerabilities at that point is both expensive and risky. 

There have traditionally been many challenges in running DAST during the development phase. For one thing, traditional dynamic tests take many hours, even days, and running a test that late in the process often creates unaffordable delays in production.

We’ve developed smart ways to analyze, understand and break down the application’s attack surface so that we can run short tests that only cover what’s relevant at that point. 

Another issue with legacy DAST was that it created many false positives – indications of potential flaws in the system that aren’t actually exploitable. Developers hate these false positives because they end up “chasing ghosts,” having to remediate dozens of “vulnerabilities” that don’t really matter. It slows down the whole process and has actually turned many developers away from DAST tools. We’ve eliminated that issue by intelligently verifying that each issue we discover is actually exploitable.

Once you’ve solved these issues (and a few others we won’t get into), you can now automatically run DAST tests with every build via the CI/CD pipeline throughout the development lifecycle.

What are the best practices companies should follow when developing and when launching applications?

When it comes to application and API security, the key practice is to automatically run tests with every build as part of the CI/CD pipeline. This is sometimes called DevSecOps. At Bright, we fully embrace DevSecOps practices and developed deep integration into CI tools such as GitHub Actions, GitLab, CircleCI, Jenkins, TeamCity, and others to ensure that you can integrate with any platform to test as early as possible.

We’ve even taken it a step further, allowing developers to run a DAST scan at the unit testing phase – one of the earliest points in development. This was especially challenging because dynamic security tests, by definition, scan a running application, but unit tests are for snippets of code. We developed a way to run those snippets as if they are a fully-formed application and then scan them.

We’re actually seeing how this is changing our customers’ behavior. Moving the process earlier has enabled customers to test earlier and more often and has increased the average from running four scans a month that take seven hours each to running hundreds of tests that take three minutes each.

Talking about personal cybersecurity, what measures do you think everyone should implement to protect themselves from emerging threats?

A few of the practices I religiously follow are using multi-factor authentication whenever possible and using a different password for everything (which requires a password manager). Hackers are always looking for easy targets, like the person whose password is “password,” and I think that for personal security practicing the basics will go a long way towards keeping you safe. 

What does the future hold for Bright?

The future is bright (pun intended). We’re quadrupling down on some of the things I mentioned here, such as broader and better coverage of business logic vulnerabilities, and making dynamic security testing easier and more automated.

We’re especially focused on making our DAST scanner developer-friendly. That has many aspects to it, such as providing remediation guidelines in a way that’s easily understood by developers, not AppSec experts; and intelligently configuring the tests we scan for based on the target and past tests. We also want to make sure the solution scales with the needs of our customers, some of whom are among the world’s largest organizations. 

We are very focused on serving our dozens of enterprise customers and more than 6,000 development teams using our product. We are constantly learning from our community and working with them to perfect a truly developer-centric DAST solution that is easy to deploy and helps organizations build secure applications and APIs.

To read the original story, please visit CyberNews