Turning Left: How Bright Reinvented the DAST Wheel

Dynamic Application Security Testing (DAST) tools have been around for decades. However, what was once the dominant market solution is becoming obsolete. Primarily, this shift boils down to organizations moving to DevOps practices, which is the philosophy of getting all the teams to work closely together, throughout the SDLC, with the focus being on efficiency, fast feedback, and constant improvement. Through adoption, organizations can release code faster than ever before; sounds great, right? The downside is that the lion’s share of organizations are still knowingly releasing vulnerable Apps and APIs into the market. So, although speed has improved, security has not. By not finding vulnerabilities early enough in the SDLC, organizations are unable to take swift action to remediate and protect themselves. This is where Bright comes in.

DAST tools scan your application from the outside in, simulating an attack. Traditionally, DAST scanning was conducted during the final two stages of the SDLC: testing and release/maintenance. When releasing every couple of months, testing during the final stages didn’t pose a problem as there was still time to find and remediate vulnerabilities. However, the advent of DevOps posed a problem for these legacy tools. Equipped with new speed, organizations could now release faster than ever before. The problem was that the AppSec team could no longer keep up with this new fast-paced way of doing things. As a result, there was no time to verify that there were no vulnerabilities before release.

Understanding this, Bright’s CEO and Co-founder, Gadi Bashvitz, wondered whether Bright could create a DAST solution that would start scanning earlier in the development life cycle, thereby empowering developers to take control of their own DAST scans. In doing so, organizations get the information they need early enough in the SDLC to resolve vulnerabilities in minutes. This saves time and money: waiting until pre-production or production to fix the same problem can take weeks, due to heavy processes, context switching, having to redo testing, and so on, affecting the entire sprint. By providing developers with tools made for them, to be implemented early on in the SDLC, organizations gain the confidence to release applications and APIs without the risk of releasing vulnerabilities into the market.

Is Bright Reinventing DAST?

Simply put, yes! By integrating DAST earlier in the software development lifecycle, Bright has helped hundreds of companies shift left.

But, you may be asking yourself, what does it mean to shift left?

Shifting left is the philosophy of starting security earlier in the SDLC by building it into every phase, starting from the project kick-off meeting. In doing so, organizations can focus on what truly matters: releasing code. They can also save time, money, and their reputation!

By adopting a shift-left approach with our dev-centric DAST, you can find vulnerabilities earlier in the SDLC, minimizing internal friction to create a more cohesive team and an overall more secure application.

Safety and Preparation for Hacker Summer Camp

Every August, hackers descend on Las Vegas, Nevada to participate in #HackerSummerCamp, a combination of multiple cyber security/hacker events that occur simultaneously. There are several events, but the main ones you are likely to hear about are Black Hat, Def Con, B-Sides Las Vegas and the Diana Initiative. #HackerSummerCamp is just the affectionate nickname; it is not the official name.

Formally named or not, #HackerSummerCamp can pose security risks to you and your personal devices! In this article we will detail several ways you can protect yourself and your devices from the small minority of attendees who behave unprofessionally by causing others issues during this annual event.

  • Do not connect to any WiFi with a device that you love. Bring a burner phone or laptop if you must connect while at/near the conference.
  • Use a VPN if you are going to connect for work from your hotel, and use cellular data if you can, instead of WiFi. Do not connect to work from the conference WiFi. Do not connect to the conference WiFi unless you are using a burner or ghosted+backed-up device.
  • Make a backup of your laptop, then ghost it, attend Hacker Summer Camp, then ghost it again when you get home, then restore from your backup disk. This helped a lot when I received “the gift of malware” in 2016 at my first Def Con. Glad I prepared before I left home!
  • Turn off your Bluetooth and WiFi. Ensure they won’t turn themselves back on or do any scans in the background.
  • Use cellular; it’s safer.
  • Ensure that YOU are physically safe at all times. It’s best to not go to a party alone or with people you don’t know, but if you do, don’t get drunk/high/out of control.
  • Don’t accept drinks from strangers. Even if they are famous.
  • Don’t go back to someone’s hotel room unless you feel safe to do so, and preferably tell someone where you will be and don’t forget the room number when you say where you will be. Have someone check in with you after.
  • Exercise all the caution in the world when it comes to your physical safety, and then some more. Even if you have met someone before or feel like you know them very well from the internet, be careful; you are the most valuable thing you have.
  • Register for parties in advance to make sure you get a ticket. Getting tickets to things last minute is a pain, and they often sell out.
  • Buy tickets to conferences in advance to make sure you get in.
  • If you have to do live demos I suggest recording them (I KNOW! Then they are not live). You can always ALSO do them live, but you have a back up just in case. That’s what I did and guess what? My laptop is fine AND my demo looked awesome!
  • If you go to Def Con, prepare to wait in line for at least 50% of the time you spend at the conference. Seriously. If you are an extrovert like me this can be fun, but if you are an introvert be prepared. #linecon
  • If you can network and make friends in advance of the event, it’s a good idea to do so. Attending in a group is always safer and usually more fun as well. If you can meet people who are part of a larger group, such as Diana Initiative, CyberJutsu, WoSEC, OWASP, etc. that can lead to even more fun (and safety).
  • If something happens, TELL SOMEONE. If a person has done something obviously inappropriate to you, they will (sadly) likely do it to even more people if you let them get away with it. Please report. For DEFCON there’s a hotline. And the people working there are super awesome and kind. They will help, regardless of the situation you’re in, regardless of the persons involved. You can even report anonymously over the hotline. Again: if something really bad happens please report.

Gadi Bashvitz, Bright: “companies must ensure security is part of the design of the product”

Our guest today believes that security testing should be done as early as possible in the development lifecycle.

As the world gets more connected, it is no surprise that threat actors are constantly on the lookout for vulnerabilities to exploit. With vast amounts of software and applications being released every minute, experts believe that a new development approach must be taken – one where security is woven into the product from day one.

To talk about the importance of the security-first approach, we invited Gadi Bashvitz, the Co-founder and CEO of Bright Security – a company ensuring that no vulnerability goes unnoticed in the software development process.

How did the idea of Bright originate? What has your journey been like so far?

With roughly 70% of the vulnerabilities affecting companies today originating in the application layer (Apps or APIs), it became clear that proper application security (or AppSec) is one of the most crucial areas of need in cybersecurity. Looking at the market and the solutions, we realized that the legacy security solutions in the space were fast becoming antiquated and were not able to keep up with the pace of modern DevOps practices. We wanted to create a solution that addressed the key issues the market was facing, as this issue will only grow more pressing as the rate of software development continues to increase.

The most important trend, as we saw it, was (and still is) “shift left”, or the idea of moving security testing early on in the software development lifecycle (SDLC). Earlier testing will lead to a more efficient security process and prevent vulnerabilities from ever making it to production, but while the concept is great, the execution hasn’t been.

Dynamic Application Security Testing (DAST), which is the process of testing the security of the running application from the outside-in, was an area that we identified as in need of some innovation. The legacy DAST solutions were not built for developers, but for AppSec experts, and were not suitable for a world in which software releases happen multiple times a day. The flaws in these older solutions led many developers to avoid using them altogether as they were more of a hindrance than a help. We set out to create a DAST solution that not only worked for the needs of developers but one that they would want to use.

The journey so far has been incredible. It’s very exciting to see both large banks and leading global Cybersecurity companies, on the one hand, and small dev teams, on the other, rely on our platform to secure their apps. We’ve learned a ton along the way, such as the importance of business logic vulnerabilities, the need for securing APIs – not just human-facing apps, and how to make it so developers actually WANT to use the product.

Can you introduce us to your application testing platform? What are its key features?

Bright is a Dynamic Application Security Testing (DAST) platform built for software developers. The solution approaches applications from the outside, mimicking how a hacker would approach the application, and automatically tests for vulnerabilities that bad actors could use to exploit. 

Unlike legacy tools which were designed exclusively for expert security users after the application is already in production, Bright’s tool was built to be “developer-first”. It was designed to empower developers to create more secure applications and APIs starting in the development phase and across all stages leading up to and including production so that vulnerabilities are caught and remediated earlier. 

To truly be a dev-centric platform, we needed to develop some key features that align with how developers prefer to work:

  • Setup takes minutes and there’s no need for security expertise – we take care of all that
  • No false positives: Our special technology automatically verifies that any vulnerability it detects is actually exploitable so that devs don’t waste time remediating vulnerabilities that aren’t a threat
  • Remediation instructions that make sense: If a scan detects an issue, the developers receive easy-to-follow remediation guidelines with the information they need to fix it
  • Control everything with code: Although Bright has a great UI, developers love using our CLI and API that lets them control everything
  • Scans take minutes instead of hours or days: Bright’s unique approach allows you to scan only the relevant parts of an app so that you don’t have to slow down the build process – including for unit testing!
  • Seamless integration with the developer toolchain: Bright works with existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. It can also automatically add tickets to Jira, GitHub, Azure Boards, GitLab, and other systems.

And while we hope developers will love working with Bright, we also want to make sure security teams can rely on it. No tool out there has more comprehensive testing coverage than Bright, and that includes business logic vulnerabilities and API scanning.

What would you consider the main challenges development teams run into nowadays?

The biggest challenge for development teams is keeping up with the pace of today’s world. Developers today are releasing 100x more code into production compared to only ten years ago, and so the challenge becomes developing and releasing software at a much faster pace, while still ensuring that it is both bug-free and secure. To do that, you want as much automation throughout the SDLC as you can put in (aka DevOps). The issue developers face is that securing software before it’s released – without a platform such as Bright – is a tedious, manual, and time-consuming process. Today, almost 90% of organizations are knowingly releasing vulnerable applications and APIs into production because they can’t detect and remediate vulnerabilities quickly enough. These vulnerabilities take an average of nine months to be fixed, leaving organizations exposed for considerable periods of time and we’re working to change that reality.

How do you think the recent global events affected the way people approach cybersecurity?

On the macro level, the increase in attacks is just accelerating the growing understanding of the importance of addressing cybersecurity flaws. Companies are repeatedly seeing the financial and reputation fallout from cyberattacks and hacks and are placing a premium on cybersecurity, which is becoming a key factor in purchasing. Nobody wants to buy a product that isn’t secured, and so companies must adjust to ensure security is part of the design of the product and incorporated throughout the process.

Part of that is accomplished by moving all forms of security testing earlier in the process (i.e., shift left). And that’s a place where we are seeing a massive change in attitude – especially among developers. Developers are quickly coming to the realization that security vulnerabilities are bugs (but often with more severe consequences). And as no developer prides themselves on releasing buggy code, they also want to make sure they release secure apps.

What are the most common vulnerabilities nowadays, that if overlooked, can lead to serious problems for a business?

At the application level, which is where we live, we’re seeing that the most common vulnerabilities are indeed the ones that are on the OWASP Top Ten and similar lists, which enable attacks such as SQL injection, cross-site scripting, CSRF, and XXE. There’s a fairly good awareness level of these vulnerabilities, which we call “technical vulnerabilities.” 

That said, there is a whole different class of vulnerabilities – business logic vulnerabilities (BLVs) – that are still often overlooked and can be very severely exploited by bad actors. BLVs are particularly tricky because exploiting (and detecting) them requires an understanding of the application’s flow and business purpose, and finding them has traditionally relied on costly and error-prone manual testing. 

Awareness of BLVs is so low currently that, unlike CVEs for technical vulnerabilities, there is no naming or classification system. Our researchers at Bright are identifying them and classifying them with proper names. Our automated solution thoroughly analyzes the application’s flow, understands the context, and tests the system through a multitude of interaction combinations, eliminating the need for manual processes.

In your opinion, what kind of tests and checkups should every company conduct regularly?

In a perfect world, companies should use all of the tools in the toolbox: SCA, SAST, DAST, IAST, GRC, RASP, etc. But as important as what tests they run is when they run them. It is much more cost-effective to run the tests as early as possible in the cycle. DAST was traditionally employed when the application was already fully developed and running (in pre-production or production), but fixing vulnerabilities at that point is both expensive and risky. 

There have traditionally been many challenges in running DAST during the development phase. For one thing, traditional dynamic tests take many hours, even days, and running a test that late in the process often creates unaffordable delays in production.

We’ve developed smart ways to analyze, understand and break down the application’s attack surface so that we can run short tests that only cover what’s relevant at that point. 

Another issue with legacy DAST was that it created many false positives – indications of potential flaws in the system that aren’t actually exploitable. Developers hate these false positives because they end up “chasing ghosts” having to remediate dozens of “vulnerabilities” that actually don’t really matter. It slows down the whole process and has actually turned many developers away from DAST tools. We’ve eliminated that issue by intelligently verifying that each issue we discover is actually exploitable.

Once you’ve solved these issues (and a few others we won’t get into), you can now automatically run DAST tests with every build via the CI/CD pipeline throughout the development lifecycle.

What are the best practices companies should follow when developing, and, when launching applications?

When it comes to application and API security, the key practice is to automatically run tests with every build as part of the CI/CD pipeline. This is sometimes called DevSecOps. At Bright, we fully embrace DevSecOps practices and developed deep integration into CI tools such as GitHub Actions, GitLab, CircleCI, Jenkins, TeamCity, and others to ensure that you can integrate with any platform to test as early as possible.

We’ve even taken it a step further, allowing developers to run a DAST scan at the unit testing phase – one of the earliest points in development. This was especially challenging because dynamic security tests, by definition, scan a running application, but unit tests are for snippets of code. We developed a way to run those snippets as if they are a fully-formed application and then scan them.

We’re actually seeing how this is changing our customers’ behavior. Moving the process earlier has enabled customers to test earlier and more often and has increased the average from running four scans a month that take seven hours each to running hundreds of tests that take three minutes each.

Talking about personal cybersecurity, what measures do you think everyone should implement to protect themselves from emerging threats?

A few of the practices I religiously follow are using multi-factor authentication whenever possible and using a different password for everything (which requires a password manager). Hackers are always looking for easy targets, like the person whose password is “password,” and I think that for personal security practicing the basics will go a long way towards keeping you safe. 

What does the future hold for Bright?

The future is bright (pun intended). We’re quadrupling down on some of the things I mentioned here, such as broader and better coverage of business logic vulnerabilities, and making dynamic security testing easier and more automated.

We’re especially focused on making our DAST scanner developer-friendly. That has many aspects to it, such as providing remediation guidelines in a way that’s easily understood by developers, not AppSec experts; and intelligently configuring the tests we scan for based on the target and past tests. We also want to make sure the solution scales with the needs of our customers, some of whom are among the world’s largest organizations. 

We are very focused on serving our dozens of enterprise customers and more than 6,000 development teams using our product. We are constantly learning from our community and working with them to perfect a truly developer-centric DAST solution that is easy to deploy and helps organizations build secure applications and APIs.

To read the original story, please visit CyberNews.

The Future is Bright

Today we are announcing an additional $20 million in funding to fuel our growth and continue to help organizations (and their software developers) secure their applications and APIs. We’re also changing our company name from NeuraLegion to Bright Security.

When Shoham Cohen, Bar Hofesh, Art Linkov, and I founded the company three years ago, there was no doubt that application security would remain a huge need for many years to come. But there were already many solutions companies could use to secure their applications. Despite that, we observed that many of the existing AppSec solutions – particularly Dynamic Application Security Testing (or DAST) tools – no longer fit the way modern apps are developed and released. The consequences of that were grave: more than 80% of organizations knowingly release vulnerable apps into production.

The solution: make it easy for developers

It’s well-known that moving security testing earlier in the Software Development Lifecycle (SDLC) is better in every respect: In addition to reducing the risk of vulnerabilities making it into production, it makes remediation faster and cheaper. Thus, the term “shift left” became popular. But that’s easier said than done, especially with DAST.

Unlike traditional DAST tools, Bright was built for developers

Bright’s DAST tool was built to be “developer-first”. It was designed to empower developers to create more secure applications and APIs starting early in the development process and through all stages leading to and including production while enabling the AppSec team to provide the governance. Traditional DAST tools are made for application security (AppSec) experts, who typically test the app after the development cycle is complete and it’s in production.

What makes Bright a dev-first DAST platform?

  • Setup takes minutes and there’s no need for security expertise – we take care of all that
  • No false positives: Our special technology automatically verifies that any vulnerability it detects is actually exploitable so that devs don’t waste time chasing ghosts
  • Remediation instructions that make sense: If a scan detects an issue, get easy-to-follow remediation guidelines with the information developers will need to fix it
  • Control everything with code: Although Bright has a great GUI, developers love using our CLI that lets them control everything
  • Scans take minutes instead of hours or days: Bright’s unique approach allows you to scan only the relevant parts of an app so that you don’t have to slow down the build process – including for unit testing! 
  • Seamless integration with the developer toolchain: Bright works with existing CI/CD pipelines – trigger scans on every commit, pull request, or build with unit testing. It can also automatically add tickets to Jira, GitHub, Azure Boards, GitLab, and other systems.
  • Identify business logic vulnerabilities: We are determined that AppSec tools should find not just “classic” technical vulnerabilities but also business logic issues. Exploiting business logic vulnerabilities requires an understanding of the application’s flow and business purpose, and the process has traditionally relied on costly and time-consuming manual testing. Bright’s automated AI-powered solution thoroughly analyzes the application’s flow, understands the context, and tests the system through a multitude of interaction combinations, eliminating the need for manual processes.

Our Series A funding round

We’re grateful to have some of the best names in cybersecurity join our journey as investors and thank them not only for believing in our vision but also in the team’s ability to execute. The round, which brings Bright’s total funding to a bit over $25 million, was led by Evolution Equity Partners, which has invested in some of the greatest cybersecurity startups out there. Our existing investors DNX Ventures, J Ventures, Fusion Fund, and Incubate Fund are also participating. I’m excited to have Karthik Subramanian of Evolution join our board of directors.

This funding will allow us to grow the team and make major improvements to the platform (stay tuned for what we have in store…).

We want to thank the more than 4,000 developer teams and enterprise customers around the world who trusted us, shared our vision, and partnered with us on this exciting journey as users and customers.

Last but not least, my co-founders and I are very thankful for the amazing Bright team for their brilliance, dedication, and hard work. None of this would have happened without you, and we’re just getting started!

Now is also a great opportunity to join our growing company. We are looking for marketing, product, and sales roles, and of course, engineers. Head over to our Careers page.

Join us to help developers all over the world build and release secure apps and APIs!

Oh, and have you tried Bright yet? Get your free account.

Gadi Bashvitz, co-founder and CEO, Bright Security

Welcoming Industry Veterans to Our Newly-Formed Board

I’m thrilled to announce our newly-formed industry advisory board and welcome to it two luminaries of the industry, each bringing their own unique perspective. They will be helping the team at Bright to continue delivering a cutting-edge, developer-focused application security platform to market.

Here’s a quick introduction:

Tanya Janca, Founder & CEO at WeHackPurple Academy

Tanya, known to many as SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around creating secure software. 

Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger and streamer and has delivered hundreds of talks and training sessions on six continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. 

Ofer Maor, Co-Founder & CTO at Mitiga 

Ofer is the CTO & co-founder of Mitiga where he’s building a groundbreaking Cloud Incident Response platform. He has more than 25 years of experience in cybersecurity and entrepreneurship and was previously the CTO and founder of Seeker (acquired by Synopsys), where he invented IAST, a next-generation application security testing technology, currently used by some of the largest organizations in the world. 

Prior to Seeker Ofer was the CTO and founder of Hacktics (acquired by EY), and a founding employee at Imperva. He is also active in the cybersecurity community and has served as a Global Board Member at OWASP.

One of the most critical aspects Ofer and Tanya have already been working with us on is directly related to our core mission: empowering developers to build secure applications — fast. And with that in mind, I invite you all to sign up for a free Bright account. Once you do, you’re minutes away from securing your app.

I’m sure I speak on behalf of the entire team when I say we can’t wait to get to work with Ofer and Tanya, as they help take Bright to the next level.

Ofer, Tanya — welcome aboard!

Bright is now ISO 27701 Certified!

We at Bright are very proud to announce that we have been awarded the accredited certification on ISO 27701, the international standard on data privacy. This builds on the ISO 27001 certification we received a couple of months ago and shows our continued commitment to meeting the highest standards of customer security and reliability.

The ISO 27701 standard provides an overarching framework for Privacy Information Management Systems (PIMS), to help companies fine-tune their data privacy practices and keep pace with the changing privacy threat and regulatory landscape through a rigorous risk- and compliance-driven approach, while being focused on measurement and continuous improvement. This is the world’s first International Standard on PIMS and incorporates a mapping against the requirements of the EU GDPR – considered the gold standard in data privacy laws. Being certified to this global standard demonstrates Bright’s ability to effectively and consistently deliver solutions and services to clients in compliance with data privacy regulations and contractual requirements in applicable countries.

This is a significant accomplishment for us, given that we could get an accredited certification for the globally recognized, certifiable data privacy standard quickly and effectively. This was possible only because of the maturity of our data privacy processes. I’m confident this certification will go a long way in being a differentiator and in increasing the trust our clients and other stakeholders place in Bright.

We are excited to offer our Application Security Solutions, from build to compliance across Web, mobile and APIs with zero false positives, backed by this highest level of security assurance.

Bright announces strategic partnership with Webomates

Webomates, the leading global provider of Testing as a Service, and Bright, which provides a modern DAST solution enabling organizations to drive compliance on every build, have combined their offerings to enable organizations to achieve an unparalleled level of QA automation and Security Automation (SA) in one combined platform.

The offering enables organizations to deploy a fully integrated QA and DAST solution which helps them to achieve a far superior level of automation than ever offered in the market while significantly lowering costs and improving the quality and application security of their applications and products.

The combined solution takes Webomates’ unique offering of automated QA with test case creation, execution and analysis and Bright’s unique ability to ingest these test cases to identify application security vulnerabilities, and reports both quality issues and security issues in one combined dashboard. The solution also offers a fully automated mechanism for opening tickets when bugs and vulnerabilities are identified and providing remediation guidelines for these issues. This offering shifts security to the extreme left as part of the development process and enables developers to remediate issues early in the development lifecycle without ever leaving their development environment, achieving significant time and cost savings.

https://youtu.be/JHSP3SBOI3A

“We are excited to announce our partnership with Webomates and offer a far superior level of Application Security Testing to organizations by combining our capabilities. AST companies have been talking about shifting application security left for a long time but have grossly underdelivered. We are proud that modern solutions from companies like Webomates & Bright are finally able to deliver on this promise. We are encouraged by the significant interest we are seeing for our modern AST solutions that integrate seamlessly into the CI/CD without delaying it and enable testing of web, mobile and APIs, and for the combined offering with Webomates,” said Gadi Bashvitz, Bright’s President & Chief Customer Officer.

“The partnership with Bright enables us to offer an unparalleled level of services spanning both Quality Assurance and Security Assurance to our customers. We have been looking for a partner that is as passionate as we are about delivering to our customers. We are thrilled to find this partner in Bright. Integrating the solutions was easy and our customers have shown a lot of interest in the combined offering that can save them significant costs,” said Aseem Bakshi, CEO of Webomates.

As we transition into the new normal way of conducting business, move further into the cloud and have many more people working remotely, it is paramount that every organization reconsiders its past strategies for quality assurance and application security testing and adopts modern solutions that work far better in the new environment. Bright and Webomates are proud to be at the forefront of offering such modern solutions to their customers.

To learn more, contact:
Webomates: info@webomates.com
Bright: sales@bright.com

About Webomates:

Webomates provides a cloud-based AI QA platform to carry out software regression testing in guaranteed timeframes. The platform creates test cases and executes them using multiple test execution techniques such as AI Automation, Automation, Crowdsource and manual. The results are analyzed and triaged, and actionable defects are listed.

Webomates supports Web, Mobile, and Windows native applications. Supported testing types are UI, API, performance, visual and canary testing.

About Bright:

Bright helps significantly improve application security at a lower cost by providing zero-false-positive, AI-powered DAST and fuzzer solutions that are purpose-built for modern development environments. We integrate into DevOps environments and enable you to run DAST scans as part of your CI/CD flows to identify a broad set of known (7,000+ payloads) and unknown (0-day) security vulnerabilities. We enable you to scan multiple protocols across Web, mobile and API, and are built for developers to provide compliance on every build by providing remediation guidelines for every vulnerability identified.

Marriott experienced a data breach – Again!

Table of Contents

  1. This is the Second Marriott breach in two years
  2. 5 Common Causes for Data Breaches That Businesses Should Watch Out For

The hotel giant Marriott confirmed a new data breach, this time involving the personal information of 5.2 million guests.

According to an online notice that Marriott posted on Tuesday, the attack was carried out via third-party software that Marriott’s hotel properties use to provide guest services.

Marriott discovered the breach in late February. The hackers obtained the login credentials of two employees and broke in weeks earlier, in mid-January.

While Marriott said it has “no reason” to believe payment data was stolen, data like names, addresses, phone numbers, loyalty member data, dates of birth and other travel information were stolen in the breach.

The hotel giant is also forcing password resets for Bonvoy loyalty club members, who will also be prompted to enable multi-factor authentication on their accounts.

This is the Second Marriott breach in two years

This was not the first time that Marriott experienced a data breach. Back in 2018, Starwood, a subsidiary of Marriott, was hacked and personal data and guest records on 383 million guests were exposed.

The data included five million unencrypted passport numbers, in addition to more than 20 million encrypted passport numbers.

Passport numbers can be used for identity theft and to commit fraud. They are also data that remains highly valuable for spy agencies. Spy agencies can use the information to track down where government officials, diplomats and adversaries have stayed. This gives insight into what would ordinarily be clandestine activities.

Marriott also stated that 8.6 million unique payment card numbers were stolen, but only 354,000 cards were active at the time of the breach.

According to the company’s statement, there is no evidence the hackers stole the keys needed to decrypt the data, but the company did not say how it came to that conclusion.

The company said the contents of the stolen data were from the Starwood guest reservation database. Marriott acquired the database when it bought Starwood and its 1,200 properties in 2016.

Starwood’s security lapse became the largest data breach that year, and remains one of the most damaging hacking incidents in recent history.

In response to that breach, European authorities fined Marriott $123 million.

5 Common Causes for Data Breaches That Businesses Should Watch Out For

We compiled this list to help organizations prepare for and prevent a breach like the one described above.

No business wants to deal with the blot on its reputation and the huge loss of money that follows a data breach. In order to create a robust data security and network security strategy, it’s important for you to understand what causes a data breach in the first place. Here is a list of some of the most common causes behind data breaches you should watch out for:

  • Software or Network Vulnerabilities
  • Accidental Employee Mistake
  • Malicious Misuse by Employee
  • Malware Attack
  • Failure in Security of a Physical Device

Software or Network Vulnerabilities

Any software vulnerability that isn’t patched as soon as it is discovered is a convenient target for hackers. Make sure to test your software and find those vulnerabilities before the hackers do. If you can’t find the time or resources to test the software manually, use an automated application security testing solution like Bright.

Also, please stay away from pirated software. The fact that pirated software is illegal should be reason enough to avoid it; what makes it even worse is that it may contain all kinds of malware.

Since the network acts as a layer of protection, any faults in the network design or deployment could also lead to a data breach.

Accidental Employee Mistake

From falling for a phishing scam to losing important documents containing confidential information, there is a wide range of mistakes that employees can make that cause a data breach. A lack of proper cybersecurity training, as well as of stringent security policies, can be blamed for these employee mistakes.

Malicious Misuse by Employee

Unlike unintended employee mistakes, malicious misuse by an employee indicates something much more serious: someone on the inside is intentionally sharing confidential business information for some sort of personal benefit. This cause of a data breach is extremely difficult for an organization to foresee. Defining clear user roles and setting suitable permissions for data and system use can help control the access an employee has to business data.

Malware Attack

Malvertisements and phishing are among hackers’ favorite ways of spreading malware. A malware attack can quickly progress from its origin system, move into the network and infect other systems in its way. Installing anti-malware software and keeping it updated is a must for any business. Educating employees about phishing and malvertising is also essential.

Failure in Security of a Physical Device

A data breach could also happen when a device is no longer secure, meaning the device is either lost or stolen. Those devices can be anything from a mobile device such as a laptop, smartphone or storage device, to a server. It’s not only important to keep the devices secure in the first place; it’s also important to take extra measures, like encryption, to protect the data on the device.

Stay safe out there!

Microsoft Reports Two Critical 0-day Vulnerabilities

Table of Contents

  1. In the meantime, here are some workarounds for you to mitigate the risk of getting hacked

Microsoft warned billions of Windows users of two critical 0-day vulnerabilities in all currently supported versions of Microsoft Windows, both server and desktop.

These vulnerabilities allow hackers to remotely take complete control over targeted computers in an AppContainer sandbox. The vulnerabilities are given a critical severity rating which is the highest Microsoft gives.

Both vulnerabilities are in the Windows Adobe Type Manager Library, font parsing software that not only parses content when a file is opened with third-party software but is also used by Windows Explorer to display the content of a file in the ‘Details Pane’ or ‘Preview Pane’ without users having to open it.

The company is aware of the issues and is working on patches, which are typically released on the second Tuesday of the month. Microsoft does, however, sometimes release emergency patches outside of that schedule for critical flaws. We hope this will be one of those cases.

In the meantime, here are some workarounds for you to mitigate the risk of getting hacked

Disable the Details Pane and Preview Pane in Windows Explorer

  • Open Windows Explorer, click Organize and then click Layout.
  • Clear both the Details pane and Preview pane menu options.
  • Click Organize, and then click Folder and search options.
  • Click the View tab.
  • Under Advanced settings, check the Always show icons, never thumbnails box.
  • Close all open instances of Windows Explorer for the change to take effect.

Disable WebClient to prevent attacks through the WebDAV client service.

  • Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  • Right-click WebClient service and select Properties.
  • Change the Startup type to Disabled. If the service is running, click Stop.
  • Click OK and exit the management application.

Rename or Disable ATMFD.DLL

Microsoft is also urging users to rename the Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology. Note that this could cause certain third-party apps that rely on it to stop working.

Enter the following commands at an administrative command prompt:

For 32-bit system:

cd "%windir%\system32"
rem take ownership, save the current ACL so it can be restored later, grant Administrators full control, then rename the driver
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

For 64-bit system:

cd "%windir%\system32"
rem 64-bit copy of the driver
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
rem 32-bit (WOW64) copy of the driver must be renamed as well
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
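Because workarounds like these are easy to apply inconsistently across a fleet, it helps to have a script that reports whether each one is actually in effect on a given host. The following PowerShell script is an added example written for this post; it is not part of Microsoft’s advisory. It assumes it runs as an administrator in Windows PowerShell, and it assumes that the “Always show icons, never thumbnails” option is stored as the IconsOnly value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (the Details and Preview pane toggles are per-window view state and are not checked here).

```powershell
# Added example (not from the Microsoft advisory): report whether each of the
# three workarounds above is in effect on this machine. Run as administrator.

$report = [ordered]@{}

# 1. Explorer: "Always show icons, never thumbnails" is persisted as
#    IconsOnly = 1 under the Advanced key (assumed mapping, see lead-in).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$iconsOnly = (Get-ItemProperty -Path $advKey -Name IconsOnly -ErrorAction SilentlyContinue).IconsOnly
$report['Explorer: icons only, no thumbnails'] = ($iconsOnly -eq 1)

# 2. WebClient service: startup type must be Disabled and it must not be running.
$svc       = Get-Service -Name WebClient -ErrorAction SilentlyContinue
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
$report['WebClient: startup type Disabled'] = ($startMode -eq 'Disabled')
$report['WebClient: not running']           = ($null -eq $svc -or $svc.Status -eq 'Stopped')

# 3. ATMFD.DLL renamed in every location the advisory lists. On 64-bit Windows
#    both the system32 and the syswow64 copy must be gone.
$dllPaths = @("$env:windir\system32\atmfd.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $dllPaths += "$env:windir\syswow64\atmfd.dll"
}
foreach ($p in $dllPaths) {
    $report["ATMFD renamed: $p"] = -not (Test-Path -LiteralPath $p)
}

# Print one line per check; anything marked TODO still needs the workaround.
$report.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK' } else { 'TODO' }
    '{0,-5} {1}' -f $state, $_.Key
}
```

The saved atmfd.dll.acl file produced by the rename steps is what lets you restore the original permissions later, so keep it in place; the script deliberately reports on state rather than changing anything, so it is safe to run from a scheduled task or remote session to confirm the workaround is applied consistently.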

We will share further updates with you when we learn more and when a patch is available for complete remediation of this security issue.

Stay updated on our LinkedIn page and stay healthy!

Your Friends at Bright