The Future is Bright

Today we are announcing an additional $20 million in funding to fuel our growth and continue to help organizations (and their software developers) secure their applications and APIs. We’re also changing our company name from NeuraLegion to Bright Security.

When Shoham Cohen, Bar Hofesh, Art Linkov, and I founded the company three years ago, there was no doubt that application security would remain a huge need for many years to come. But there were already many solutions companies could use to secure their applications. Despite that, we observed that many of the existing AppSec solutions – particularly Dynamic Application Security Testing (DAST) tools – no longer fit the way modern apps are developed and released. The consequences of that were grave: more than 80% of organizations knowingly release vulnerable apps into production.

The solution: make it easy for developers

It’s well-known that moving security testing earlier in the Software Development Lifecycle (SDLC) is better in every respect: In addition to reducing the risk of vulnerabilities making it into production, it makes remediation faster and cheaper. Thus, the term “shift left” became popular. But that’s easier said than done, especially with DAST.

Unlike traditional DAST tools, Bright was built for developers

Bright’s DAST tool was built to be “developer-first”. It was designed to empower developers to create more secure applications and APIs starting early in the development process and through all stages leading to and including production while enabling the AppSec team to provide the governance. Traditional DAST tools are made for application security (AppSec) experts, who typically test the app after the development cycle is complete and it’s in production.

What makes Bright a dev-first DAST platform?

  • Setup takes minutes and there’s no need for security expertise – we take care of all that
  • No false positives: Our special technology automatically verifies that any vulnerability it detects is actually exploitable so that devs don’t waste time chasing ghosts
  • Remediation instructions that make sense: If a scan detects an issue, get easy-to-follow remediation guidelines with the information developers will need to fix it
  • Control everything with code: Although Bright has a great GUI, developers love using our CLI that lets them control everything
  • Scans take minutes instead of hours or days: Bright’s unique approach allows you to scan only the relevant parts of an app so that you don’t have to slow down the build process – including for unit testing! 
  • Seamless integration with the developer toolchain: Bright works with existing CI/CD pipelines – trigger scans on every commit, pull request, or build with unit testing. It can also automatically add tickets to Jira, GitHub, Azure Boards, GitLab, and other systems.
  • Identify business logic vulnerabilities: We believe AppSec tools should find more than just “classic” technical vulnerabilities; they should also find business logic issues. Exploiting business logic vulnerabilities requires an understanding of the application’s flow and business purpose, and the process has traditionally relied on costly and time-consuming manual testing. Bright’s automated AI-powered solution thoroughly analyzes the application’s flow, understands the context, and tests the system through a multitude of interaction combinations, eliminating the need for manual processes.

Our Series A funding round

We’re grateful to have some of the best names in cybersecurity join our journey as investors and to thank them not only for believing in our vision but in the team’s ability to execute. The round, which brings Bright’s total funding to a bit over $25 million, was led by Evolution Equity Partners, who invested in some of the greatest cybersecurity startups out there. Our existing investors DNX Ventures, J Ventures, Fusion Fund, and Incubate Fund are also participating. I’m excited to have Karthik Subramanian of Evolution join our board of directors. 

This funding will allow us to grow the team and make major improvements to the platform (stay tuned for what we have in store…).

We want to thank the more than 4,000 developer teams and enterprise customers around the world who trusted us, shared our vision, and partnered with us on this exciting journey as users and customers.

Last but not least, my co-founders and I are very thankful for the amazing Bright team for their brilliance, dedication, and hard work. None of this would have happened without you, and we’re just getting started!

Now is also a great opportunity to join our growing company. We are looking for marketing, product, and sales roles, and of course, engineers. Head over to our Careers page.

Join us to help developers all over the world build and release secure apps and APIs!

Oh, and have you tried Bright yet? Get your free account.

Gadi Bashvitz, co-founder and CEO, Bright Security

Welcoming Industry Veterans to Our Newly-Formed Board

I’m thrilled to announce our newly-formed industry advisory board and welcome to it two luminaries of the industry, each bringing their own unique perspective. They will be helping the team at Bright to continue delivering a cutting-edge, developer-focused application security platform to market.

Here’s a quick introduction:

Tanya Janca, Founder & CEO at WeHackPurple Academy

Tanya, known to many as SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around creating secure software. 

Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger and streamer and has delivered hundreds of talks and training sessions on six continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. 

Ofer Maor, Co-Founder & CTO at Mitiga 

Ofer is the CTO & co-founder of Mitiga where he’s building a groundbreaking Cloud Incident Response platform. He has more than 25 years of experience in cybersecurity and entrepreneurship and was previously the CTO and founder of Seeker (acquired by Synopsys), where he invented IAST, a next-generation application security testing technology, currently used by some of the largest organizations in the world. 

Prior to Seeker Ofer was the CTO and founder of Hacktics (acquired by EY), and a founding employee at Imperva. He is also active in the cybersecurity community and has served as a Global Board Member at OWASP.

One of the most critical aspects Ofer and Tanya have already been working with us on is directly related to our core mission: empowering developers to build secure applications — fast. And with that in mind, I invite you all to sign up for a free Bright account. Once you do, you’re minutes away from securing your app.

I’m sure I speak on behalf of the entire team when I say we can’t wait to get to work with Ofer and Tanya, as they help take Bright to the next level.

Ofer, Tanya — welcome aboard!

Bright is now ISO 27701 Certified!

We at Bright are very proud to announce that we have been awarded the accredited certification on ISO 27701, the international standard on data privacy. This builds on the ISO 27001 certification we received a couple of months ago and shows our continued commitment to meeting the highest standards of customer security and reliability.

The ISO 27701 standard provides an overarching framework on Privacy Information Management Systems (PIMS), to help companies fine-tune their data privacy practices and keep pace with the changing privacy threat and regulatory landscape through a rigorous risk and compliance driven approach, while being focused on measurement and continuous improvement. This is the world’s first International Standard on PIMS and incorporates a mapping against the requirements of EU GDPR – considered the gold standard in data privacy laws. Being certified to this global standard demonstrates Bright’s ability to effectively and consistently deliver solutions and services to clients in compliance with data privacy regulations and contractual requirements in applicable countries.

This is a significant accomplishment for us, given that we could get an accredited certification for the globally recognized, certifiable data privacy standard quickly and effectively. This was possible only because of the maturity of our data privacy processes. I’m confident this certification will go a long way in being a differentiator and in increasing the trust our clients and other stakeholders place in Bright.

We are excited to offer our Application Security Solutions from build to compliance across Web, mobile and APIs with 0-false positives with this highest level of security.

Bright announces strategic partnership with Webomates

Webomates, the leading global provider of Testing as a Service, and Bright, which provides a modern-day DAST solution enabling organizations to drive compliance on every build, have combined their offerings to enable organizations to achieve an unparalleled level of QA automation and Security Automation (SA) in one combined platform.

The offering enables organizations to deploy a fully integrated QA and DAST solution which helps them to achieve a far superior level of automation than ever offered in the market while significantly lowering costs and improving the quality and application security of their applications and products.

The combined solution takes Webomates’ unique offering of automated QA with test case creation, execution and analysis and Bright’s unique ability to ingest these test cases to identify application security vulnerabilities, and reports both quality issues and security issues in one combined dashboard. The solution also offers a completely automated mechanism for opening tickets when bugs and vulnerabilities are identified and providing remediation guidelines for these issues. This offering shifts security to the extreme left as part of the development process and enables developers to remediate issues early in the development lifecycle without ever leaving their development environment, achieving significant time and cost savings.

https://youtu.be/JHSP3SBOI3A


“We are excited to announce our partnership with Webomates and offer a far superior level of Application Security Testing to organizations by combining our capabilities. AST companies have been talking about shifting application security left for a long time but have grossly underdelivered. We are proud that modern solutions from companies like Webomates & Bright are finally able to deliver on this promise. We are encouraged by the significant interest we are seeing for our modern AST solutions that integrate seamlessly into the CI/CD without delaying it and enable to test web, mobile and APIs and the combined offering with Webomates,” said Gadi Bashvitz, Bright’s President & Chief Customer Officer.

“The partnership with Bright enables us to offer an unparalleled level of services spanning both Quality Assurance and Security Assurance to our customers. We have been looking for a partner that is as passionate as we are about delivering to our customers. We are thrilled to find this partner in Bright. Integrating the solutions was easy and our customers have shown a lot of interest in the combined offering that can save them significant costs,” said Aseem Bakshi, CEO of Webomates.

As we transition into the new normal way of conducting business, move further into the cloud and have many more people working remotely, it is paramount that every organization reconsider its past strategies for quality assurance and application security testing and adopt modern solutions that will work far better in the new environment. Bright & Webomates are very proud to be at the forefront of offering such modern solutions to their customers.

To learn more, contact:
Webomates: info@webomates.com
Bright: sales@bright.com

About Webomates:

Webomates provides a cloud-based AI QA platform to carry out software regression testing in guaranteed timeframes. The platform creates test cases and executes them using multiple test execution techniques such as AI Automation, Automation, Crowdsource and manual testing. The results are analyzed and triaged, and actionable defects are listed.

Webomates supports Web, Mobile, and Windows native applications. Supported testing types are UI, API, Performance, visual and canary testing.

About Bright:

Bright helps significantly improve application security at a lower cost by providing 0-false-positive, AI-powered DAST and Fuzzer solutions that are purpose-built for modern development environments. We integrate into DevOps environments and enable you to run DAST scans as part of your CI/CD flows to identify a broad set of known (7,000+ payloads) and unknown (0-day) security vulnerabilities. We enable you to scan multiple protocols across Web, mobile and API, and are built for developers to provide compliance on every build by providing remediation guidelines for every vulnerability identified.

Marriott experienced a data breach – Again!

The hotel giant Marriott confirmed a new data breach, this time involving the personal information of 5.2 million guests.

According to an online notice that Marriott posted on Tuesday, the attack was carried out via a third-party software that Marriott’s hotel properties use to provide guest services.

Marriott discovered the breach in late February. The hackers obtained the login credentials of two employees and broke in weeks earlier, in mid-January.

While Marriott said it has “no reason” to believe payment data was stolen, data like names, addresses, phone numbers, loyalty member data, dates of birth and other travel information were stolen in the breach.

The hotel giant also is forcing password resets for Bonvoy loyalty club members, who will also be prompted to enable multi-factor authentication on their accounts.

This is the second Marriott breach in two years

This was not the first time that Marriott experienced a data breach. Back in 2018, Starwood, a subsidiary of Marriott, was hacked and personal data and guest records on 383 million guests were exposed. 

The data included five million unencrypted passport numbers, in addition to more than 20 million encrypted passport numbers.

Passport numbers can be used for identity theft and to commit fraud. They are also data that remains highly valuable for spy agencies. Spy agencies can use the information to track down where government officials, diplomats and adversaries have stayed. This gives insight into what would ordinarily be clandestine activities.

Marriott also stated that 8.6 million unique payment card numbers were stolen, but only 354,000 cards were active at the time of the breach.

In its statement, the company said there is no evidence the hackers stole the keys needed to decrypt the data, but it did not say how it came to that conclusion.

The company said the contents of the stolen data were from the Starwood guest reservation database. Marriott acquired the database when it bought Starwood and its 1,200 properties in 2016.

Starwood’s security lapse became the largest data breach that year, and remains one of the most damaging hacking incidents in recent history. 

In response to that breach, European authorities fined Marriott $123 million.

5 Common Causes for Data Breaches That Businesses Should Watch Out For

We compiled this list to help organizations prepare and prevent a breach like the one described above. 

No business wants to deal with the blot on its reputation and the huge loss of money that follows a data breach. In order to create a robust data security and network security strategy, it’s important for you to understand what causes a data breach in the first place. Here is a list of some of the most common causes behind data breaches you should watch out for:

  • Software or network vulnerabilities
  • Accidental employee mistake
  • Malicious misuse by employee
  • Malware attack
  • Failure in security of a physical device

Software or network vulnerabilities

Any software vulnerability that isn’t patched as soon as it is discovered is a convenient target for hackers. Make sure to test your software and find those vulnerabilities before the hackers do. If you can’t find the time or resources to test the software manually, use an automated application security testing solution like Bright.

Also, please stay away from pirated software. While the fact that pirated software is illegal should be reason enough to avoid it, what makes it even worse is that it may contain all kinds of malware.

Since the network acts as a layer of protection, any faults in the network design or deployment could also lead to a data breach.

Accidental employee mistake

From falling for a phishing scam to losing important documents containing confidential information, there is a wide range of mistakes that employees can make, causing a data breach. Lack of proper cybersecurity training as well as of stringent security policies can be blamed for these employee mistakes.

Malicious misuse by employee

Unlike the unintended employee mistakes, malicious misuse by an employee indicates something much more serious. Someone from the inside is intentionally sharing confidential business information for some sort of personal benefit. This cause of a data breach is extremely difficult for an organization to foresee. Defining clear user roles and setting suitable permissions for data and system use can help control access an employee has over business data.

Malware attack

Malvertisements and phishing are among hackers’ favorite ways of spreading malware. Malware attacks can quickly progress from their origin system, move into the network and infect other systems in their way. Installing anti-malware software and keeping it updated is a must for any business. Educating employees about phishing and malvertisement is also essential.

Failure in security of a physical device

A data breach could also happen when a device is no longer secure, meaning the device is either lost or stolen. Those devices can be anything from mobile devices such as laptops, smartphones and storage devices to servers. It’s not only important to keep the devices secure in the first place, but it’s also important to take extra measures, like encryption, to protect the data on the device.

Stay safe out there!

Microsoft Reports Two Critical 0-day Vulnerabilities

Microsoft warned billions of Windows users of two critical 0-day vulnerabilities in all currently supported versions of Microsoft Windows, both server and desktop.

These vulnerabilities allow hackers to remotely take complete control over targeted computers in an AppContainer sandbox. The vulnerabilities are given a critical severity rating which is the highest Microsoft gives.

Both vulnerabilities are in the Windows Adobe Type Manager Library, font-parsing software that not only parses content when it is opened with third-party software but is also used by Windows Explorer to display the content of a file in the ‘Details Pane’ or ‘Preview Pane’ without users having to open it.

The company is aware of the issues and is working on patches, which are typically released on the second Tuesday of the month. However, Microsoft sometimes releases emergency patches outside of that schedule for critical flaws. We hope this could be one of those cases.

In the meantime, here are some workarounds to mitigate the risk of getting hacked.

Disable the Details Pane and Preview Pane in Windows Explorer

  • Open Windows Explorer, click Organize and then click Layout.
  • Clear both the Details pane and Preview pane menu options.
  • Click Organize, and then click Folder and search options.
  • Click the View tab.
  • Under Advanced settings, check the Always show icons, never thumbnails box.
  • Close all open instances of Windows Explorer for the change to take effect.

Disable WebClient to prevent attacks through WebDAV client service. 

  • Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  • Right-click WebClient service and select Properties.
  • Change the Startup type to Disabled. If the service is running, click Stop.
  • Click OK and exit the management application.

Rename or Disable ATMFD.DLL

Microsoft is also urging users to rename the Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology, which could cause certain 3rd-party apps to stop working.

Enter the following commands at an administrative command prompt:

For 32-bit system:

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

For 64-bit system:

cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
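As an added check that is not part of the original post or of Microsoft's advisory, the following PowerShell script reports whether the three workarounds above (panes/thumbnails, WebClient, ATMFD.dll rename) are in place on a host. It assumes (labelled as such in the code) that the "Always show icons, never thumbnails" option is stored as the IconsOnly value under the Explorer\Advanced registry key; the pane layout itself is not checked.

```powershell
# Added verification script (not from the original post or Microsoft's advisory).
# Run from an elevated PowerShell prompt (PowerShell 3.0 or later for Get-CimInstance).
# It reports, per workaround, whether the mitigation is currently in effect and
# exits non-zero if any is missing, so it can be used from automation.

function New-CheckResult([string]$Name, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

function Test-AtmfdRenamed {
    # The rename workaround removes atmfd.dll from system32 and, on 64-bit
    # systems, from syswow64 as well, so the file should be absent from both.
    $dirs = @("$env:windir\system32")
    if (Test-Path "$env:windir\syswow64") { $dirs += "$env:windir\syswow64" }
    $present = @($dirs | Where-Object { Test-Path (Join-Path $_ 'atmfd.dll') })
    if ($present.Count -gt 0) {
        return New-CheckResult 'ATMFD.dll renamed' $false "atmfd.dll still present in: $($present -join ', ')"
    }
    New-CheckResult 'ATMFD.dll renamed' $true "atmfd.dll absent from: $($dirs -join ', ')"
}

function Test-WebClientDisabled {
    # The service must be stopped now AND have its startup type set to Disabled;
    # a merely stopped service comes back on the next boot.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return New-CheckResult 'WebClient disabled' $true 'service not installed' }
    $ok = ($svc.State -ne 'Running') -and ($svc.StartMode -eq 'Disabled')
    New-CheckResult 'WebClient disabled' $ok "State=$($svc.State), StartMode=$($svc.StartMode)"
}

function Test-IconsOnly {
    # Assumption: IconsOnly = 1 under this key corresponds to the
    # "Always show icons, never thumbnails" option in Folder Options > View.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name IconsOnly -ErrorAction SilentlyContinue).IconsOnly
    New-CheckResult 'Icons only (no thumbnails)' ($val -eq 1) "IconsOnly=$val"
}

$results = @( (Test-AtmfdRenamed), (Test-WebClientDisabled), (Test-IconsOnly) )
$results | Format-Table -AutoSize

# Fail the run if any workaround is not in place.
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

Remember to re-check after the next Windows update, since a patch that restores atmfd.dll or a configuration change can silently undo a workaround.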

We will share further updates with you when we learn more and when there is a valid patch available for complete remediation of this security issue. 

Stay updated on our LinkedIn page and stay healthy!

Your Friends at Bright

My first-time RSA experience


Last week I attended my first RSA Conference in San Francisco representing Bright. I wanted to share my impressions and thoughts as a first-timer at the RSA craziness.


Let’s start with the bottom line:

  • >2,000 leads collected
  • >60 meetings attended
  • >500 new LinkedIn followers
  • 1,000 kites given away
  • 2,000 stickers given to attendees
  • >XYZ ounces of alcohol consumed
  • <3 hours a night sleep
  • Hundreds of new friends
  • 0 CoronaVirus (so far…).

If you walked around San Francisco last week and didn’t see a NeuraLegion kite, you must not actually have been in San Francisco, as they were everywhere!

The conference is a non-stop 24-hour event that starts on Monday and ends late Thursday evening. However, this is an understatement. With a larger team from Bright representing us at RSA this week, the team actually came to San Francisco on Saturday (a couple of days before the conference) so we could do some team building and PRACTICE, PRACTICE, PRACTICE to make sure we took full advantage of RSA.

The conference started in earnest on Monday and most of the day was spent in pre-scheduled meetings. 

PRO TIP: Schedule as many meetings as possible ahead of time as this will be very valuable and help you focus.

The B-Sides conference was held in San Francisco in parallel to the RSA Conference. It was great to attend some of the sessions and catch up with Tanya Janca (@shehackspurple) to discuss DevSecOps and empowering developers to write more secure code.

After the opening reception on Monday it was time to start the evening festivities. There were many events, but my favorite was the ClearSky Ventures cocktail reception. Thank you to the Clearsky team for hosting us and all the great people we met.

Shoham & Me sneaking a picture with the team before the rest of the guys showed up.


In addition to the meetings and sessions this was the busiest day at the booth and our team had hundreds of discussions with people excited to discuss AppSec, DAST, DevSecOps and many other application security related issues.


We will skip the evening festivities, but I’ll add 2 pro tips here.

PRO TIP 2: Make sure you remember that you have a 7AM meeting Wednesday before you decide how many parties you are going to attend on Tuesday night…

PRO TIP 3: If you find yourself on the Golden Gate Bridge at 1:45AM with a bunch of people you didn’t know until 12:30AM, then you are OK as long as they all have conference badges and seem to have fluency in cybersecurity…

Wednesday morning kicked off with a bang at the Glilotcapital breakfast. We had quite a few great discussions with representatives from Atlassian, Intuit, Barclays and others.


Wednesday wrapped up with a CICC at JVP event and many more exciting discussions about cybersecurity, AIAST, DAST & AppSec.

The team was feeling a lot more relaxed (or sleep-deprived) by Thursday…


Overall this was an excellent conference and the follow up is keeping us very busy and will likely keep us busy for months to come.

Feel free to ping me if you have any questions, or want to learn more about RSA and how to navigate it correctly. After all, I survived my first #RSAC so I must be an expert.

Bright & Bind announce strategic partnership

The partnership will focus on Bind distributing Bright’s solutions and offering services associated with these solutions.

Tel Aviv, Israel: Bright today announced a new partnership with Bind. This partnership will enable Bind to distribute Bright’s DAST and Fuzzer solutions and offer additional services associated with these solutions.

We are very excited to partner with Bind and have them distribute Bright™. Bind has extensive expertise selling AST solutions and providing associated services, and we are proud they selected Bright as their partner following extensive research to identify the best solutions in the industry. We look forward to a great partnership.

Shoham Cohen, CEO at Bright

Bind is a reseller of cybersecurity services and products that bring distinct value to its customers. Bind looked for an application scanning product that meets the highest standards of scanning versatility, CI/CD integration and 0-false positives for customers. Bright’s unique solutions were chosen over other competitor products we evaluated due to the remarkable technical results and the energetic team standing behind the products. We are looking forward to a strong and fruitful partnership with Bright.

Ronen Carmona, CEO at Bind

The combined offering will enable organizations to implement leading DAST and Fuzzer solutions alongside additional services to ensure the highest level of application security at a lower cost than they are used to paying.

Bright & Bind will be presenting at Cybertech Israel January 28-30. Come visit the Bright booth to learn more about the solutions and services we offer.

About Bright:

Bright eliminates the shortage of security personnel by enabling developers & QA teams to run their own security tests. We incorporate our automated DAST solution into customers’ unit testing process so they can resolve security concerns as part of their agile development process. Test results are provided to the security team. Follow us on LinkedIn at: www.linkedin.com/company/Brightsec and check out our website at: www.brightsecurdev.wpenginepowered.com

About Bind:

BIND is at the forefront of global cyber and intelligence expertise, offering high-value cybersecurity and intelligence services worldwide. Using a variety of services and products we are helping organizations improve their security posture and be ready to withstand or prevent cyber-attacks.

What we learned from a very successful Black Hat Europe Conference

Last week we exhibited at Black Hat Europe, one of the industry’s flagship events, which drew more than 3,000 cybersecurity professionals.

This conference marked the first in a list of conferences we will be presenting at over the next few months to help share the joy that is Bright and how we help organizations seamlessly integrate DAST solutions into their DevOps practices. Upcoming events include Cybertech Israel (at which we won top honors as the most innovative startup last year), the RSA Conference in San Francisco, FIC in France and the annual Check Point customer conference (CPX) in both the US and Europe, where we were invited to present and speak to share our innovative solutions with their customers.

Conference attendees would have found it hard to miss our unique stand, which drew a lot of traffic and interest thanks to our fun “Whack a Vulnerability” activity. Delegates showed off their skills whacking vulnerabilities and the best won prizes. By our count, roughly 25% of the conference attendees joined us and played the game. Many of them came back multiple times and stayed to learn more about our offering and see our demo in action; this is an amazing achievement. The discussions with CISOs, security experts and DevOps professionals were very interesting, and it was exciting to hear that they were all very interested in our DAST and Fuzzing solutions that enable developers to remediate vulnerabilities early in the development process. Attendees shared information on the challenges they are currently facing with other solutions and the frustrations they have in implementing security as part of their DevOps process.

Below are some pictures from the event:

NeuraLegion's booth at Black Hat Europe
The crowd, waiting to play (This is how our booth looked like all day)
conversation about AppSec at Black Hat Europe
Great conversation about AppSec and how we can help them
Announcing the first prize winner of our raffle at BHEU
Our team announcing the First Prize winner

We look forward to the upcoming conferences and learning from every interaction.