Four Ways AI Poses a Threat to Cybersecurity and How to Protect Yourself

Table of Contents

  1. AI’s offensive capabilities
  2. Examples of AI-enabled cyberattacks
  3. How to protect yourself
  4. Protect your organizational assets with Bright 

The term “artificial intelligence” (AI) describes a machine’s capacity to carry out operations traditionally performed by intelligent beings such as humans or animals. AI systems can reason, solve problems, generalize, plan, and learn from experience.

AI is still maturing in terms of practical applications, yet organizations have spent recent years using it to adapt their processes and anticipate opportunities and problems. Cybercriminals, however, are now using the same technology to make their attacks and intrusions more effective.

They do this by using the intelligent automation AI provides to enhance traditional attacks in three ways: greater speed, wider coverage, and higher sophistication. AI can support a variety of attacker strategies and offers new methods for accomplishing the attacker’s objectives.

AI’s offensive capabilities

AI’s offensive capabilities are expressed in the following ways:

  1. Automation
    • boosts the autonomy of cyberattacks and decreases the manual effort needed by an attacker
    • makes it possible to coordinate attacks and determine the optimal attack vector, the most vulnerable target, and the most effective attack window
  2. Stealth
    • generated content resembles the distribution the model was trained on and can therefore hide malicious behavior
    • offers ways to get past security measures such as email filters and malware detectors
  3. Social engineering
    • can study humans to learn how to manipulate their trust and emotions, and offers methods for choosing and tracking targets
    • can automate and personalize interactions with people both offline and online, e.g. chatbots and spear phishing emails
    • can be used to create fake online personas and impersonate real individuals in order to connect with selected victims, e.g. deepfakes and voice cloning
  4. Credential theft
    • can mimic human behavior to replicate authentication procedures and guess credentials, serving both initial access and credential access tactics
    • offers methods for fooling biometric identification systems by imitating a user’s voice and face, keystroke patterns, and eye movements
    • can guess passwords that have low entropy or are built from personal details
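As an added illustration of the last point (example code written for this page, not from the original article or from Bright), the following Python check builds the targeted guesses an attacker would try first from a user’s known details and rejects any password that matches one or still contains a detail word once leet substitutions are undone. The detail fields, mangling rules and sample passwords are assumptions for illustration.

```python
"""Added example (not from the original article): reject passwords that an
attacker could derive from the user's own personal details. The detail fields,
mangling rules and sample inputs are assumptions for illustration."""
import itertools
import re

# Common attacker substitutions ("leet speak") and their inverse.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "7": "t"})
COMMON_SUFFIXES = {"", "1", "12", "123", "!", "1!", "2022", "2023"}


def _detail_words(details):
    """Alphabetic tokens of 3+ characters found in any detail value."""
    words = set()
    for value in details.values():
        words.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}", value))
    return words


def _detail_years(details):
    """Four-digit years (and their two-digit forms) found in any detail value."""
    years = set()
    for value in details.values():
        for year in re.findall(r"\b(?:19|20)\d{2}\b", value):
            years.update({year, year[-2:]})
    return years


def targeted_wordlist(details):
    """Candidate passwords an attacker would try first: each detail word in
    lower/Capitalized/UPPER and leet form with year and common suffixes,
    plus two-word concatenations such as name+pet."""
    words = _detail_words(details)
    suffixes = COMMON_SUFFIXES | _detail_years(details)
    candidates = set()
    for word in words:
        for variant in (word, word.capitalize(), word.upper(), word.translate(LEET)):
            for suffix in suffixes:
                candidates.add(variant + suffix)
    for first, second in itertools.permutations(sorted(words), 2):
        candidates.add(first + second)
        candidates.add(first.capitalize() + second.capitalize())
    return candidates


def password_derived_from_details(password, details):
    """True if the password is a targeted candidate (case-insensitive) or,
    after undoing leet substitutions, still contains a detail word of 4+ chars."""
    lowered = password.lower()
    if lowered in {c.lower() for c in targeted_wordlist(details)}:
        return True
    normalized = lowered.translate(UNLEET)
    return any(w in normalized for w in _detail_words(details) if len(w) >= 4)


# Constructed sample profile, the kind of data scraped from social media.
SAMPLE_DETAILS = {"name": "Maria Lopez", "dob": "1988-04-12",
                  "pet": "Biscuit", "city": "Leeds"}

if __name__ == "__main__":
    for candidate in ("Maria1988", "B1scu1t!", "MariaBiscuit", "correct horse battery staple"):
        print(candidate, "->", password_derived_from_details(candidate, SAMPLE_DETAILS))
```

The wordlist side is deliberately small; the point is that a policy check at password-set time can use the same personal data an attacker would scrape, so that the cheapest guesses are off the table before any model-assisted guessing starts.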

Examples of AI-enabled cyberattacks

In spear phishing with target selection, AI helps choose phishing victims by profiling users and targeting particular traits. The attacker first collects online profiles from social media networks. Observable traits such as friends, interests, and hobbies are then used to cluster potential victims into groups with similar characteristics. The final step is to locate and label clusters of interest, such as “highly gullible” or “high value,” which then become the targets of spear phishing attacks.

The targets’ interests are then fed into a natural language generation (NLG) model, many of which are publicly accessible online (e.g. GPT-3). The model generates customized emails or social media posts that match the target’s hobbies and writing style, raising the likelihood that the attack succeeds. SNAP_R, a tool that generates phishing tweets, proved more successful at triggering victim click-through than human-written tweets.

Deep learning techniques are used by a technology known as deep voice to mimic a target’s voice and synthesize speech from text. Training a deep voice model requires audio samples of the person’s voice, which can be harvested from public appearances or recorded online meetings, both widely available online. This enables vishing (voice phishing) attacks, some of which have succeeded and been made public: in 2019, a vishing call impersonating the chief executive of a UK-based energy company’s parent firm resulted in a fraudulent transfer of about $243,000.

Deepfakes, which let an attacker simulate a target’s face and behavior, take impersonation to a new level: no prior technology could convincingly mimic a target’s voice, facial structure, and gestures together.

How to protect yourself

By and large, automation and artificial intelligence have made organizations more innovative and efficient than ever before. In the wrong hands, however, they are a ruthless adversary. Playing against a computer rarely ends in victory for a human: if you have ever played online chess or checkers against a machine, chances are you lost. Similarly, leaving the whole burden of preventing AI-based attacks on the security experts in your organization will leave that team defeated and burnt out.

The best defense against these attacks is common sense, awareness, and fact-checking using multiple sources. An organization needs to understand the risks and cultivate a skeptical eye among its employees, who are the primary target of AI-enabled social engineering. By reporting suspicious emails, posts and other business-related activity, you help your organization act quickly and protect others from similar attacks.

Beyond educating and monitoring employees, additional measures raise overall security. In recent years AI has made attackers more sophisticated, so organizations are tasked with finding equally sophisticated ways to defend their assets and keep their data safe. Solutions exist that can help.

By adopting automated tooling, your organization gains faster analysis and mitigation of threats across vulnerability management, network security, and application security. Equip your organization with the right tools and reduce its exposure to malicious actors.

Protect your organizational assets with Bright 

Bright’s Dynamic Application Security Testing (DAST) scanner lets you secure applications and APIs against both technical and business logic vulnerabilities at the speed of DevOps, with minimal false positives. Don’t let security become an afterthought; put measures in place to prevent attacks before they happen.

Malicious actors are out there, and although there is no one perfect solution to protect your organization from an attack, with proper security measures in place, you can reduce your organizational risk and rest easy! 

What is SASE, where is it going, and why does it matter?

Table of Contents

  1. Intro
  2. What is SASE
  3. Where is SASE going
  4. Why does this matter?
  5. Conclusion
  6. Additional Resources

Intro

With the COVID-19 pandemic, organizations faced brand new problems with security and the cloud: namely, moving securely away from data centers and into the cloud while protecting the ‘edge’ of their networks. (By edge, I mean the boundary where your network ends, wherever the employees are.) The old paradigm of networking in company-specific data centers tied to offices is no longer viable for today’s cloud-based, IoT-heavy, distributed workforce, and so SASE was born.

What is SASE

SASE is a framework for a network architecture that bundles cloud-native security technologies with Wide Area Network (WAN) capabilities. Put more simply, it is the intersection of networking and security in a cloud-based environment. It is not a single technology but a combination of many, such as Software-defined WAN (SD-WAN), Cloud Access Security Broker (CASB), next-generation firewall (NGFW) and Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), and Secure Web Gateway (SWG).

You can learn more about the different components of SASE here.

Where is SASE going

Gartner’s projections of top trends in infrastructure and operations (I&O) put SASE at the top of the list for significant impact in 2023. With total worldwide end-user spending forecast at up to $9.2 billion, up 39% from 2022, SASE adoption is clearly growing. There is a significant market for single-vendor SASE, and although that market is still immature, a number of single-vendor options exist.

Dell’Oro group, a market research firm, forecasts that the SASE market will triple by 2026, topping $13 billion. Gartner is even more bullish, predicting that the SASE market will grow at a 36% compound annual growth rate (CAGR) between 2020 and 2025, reaching $14.7 billion by 2025.

Also of note from the Gartner report is a prediction that by 2024, 40% of organizations will have strategies in place to adopt SASE, up from a mere 1% in 2018.

Lastly, there is a movement to standardize SASE. A nonprofit called MEF seeks to lead the way in SASE standardization. From the MEF website, we can see the purpose of the standardization is as follows:

‘MEF’s industry-first SASE standard defines a Secure Access Service Edge (SASE) Service framework and specifies service attributes that need to be agreed upon between a service provider and a subscriber for SASE services, including security functions, policies, and connectivity services. The standard aligns stakeholders on common terminology and service attributes when buying, selling, and delivering SASE services, and makes it easier to interface policy with security functions for cloud-based cybersecurity from anywhere.’ —  https://tinyurl.com/226d8pw2

You can find MEF’s standardization document here.

Why does this matter?

The old paradigm of networking for in-house data centers and in-office employees is dying. In the rush to adopt cloud-based services, adequate security tooling is ever more important for protecting company assets. Tool consolidation is also becoming more appealing, as the ‘bits-and-pieces’ approach to the tooling SASE covers is quickly becoming overwhelming for customers. With reduced complexity and security available wherever the user is, SASE streamlines networking and security for a remote-first world.

Conclusion

SASE, while still at a nascent stage as far as standardization of services goes, is projected by Gartner and many others to be the networking solution of the future. With significant money to be made, and single-vendor solutions paving the way for adoption, SASE deserves a second look from anyone following emerging technology.

Additional Resources

  • What is SASE (Secure Access Service Edge)? | Versa Networks (versa-networks.com)
  • Secure access service edge: What is SASE? (www.polymerhq.io)
  • Invest Implications: ‘The Future of Network Security Is in the Cloud’ (www.gartner.com)

Security Breaches: What We Learned in 2022

Table of Contents

  1. The Biggest Breaches
  2. Security Starts at Your Own Home

With global events unfolding all around us, it’s time to reflect on how the past year affected the cybersecurity world and the lessons we learned along the way. It has been a turbulent time, with the technology sector going through financial turmoil while a string of critical vulnerabilities and breaches came to light.

This is part of a series of articles about Data Breach.

The Biggest Breaches

Some of the biggest breaches involved some of the biggest tech companies. Twitter and WhatsApp are just top-shelf examples of how even the richest and most powerful organizations have to keep up constantly in order to keep their data safe.

Optus Data Breach

It sounds bad enough when you first learn that a giant telecommunications company suffered a data breach. It reaches another level when you learn that as many as 11 million people had their data leaked.

The attackers accessed all sorts of personal data, after which they reportedly contacted users with a $1300 demand to keep their data private; those users then became targets of recurring phishing attempts. Journalists reported that the attackers obtained the data through an unauthenticated API endpoint, although full details of the attack have not been published.
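To make that pattern concrete, the following Python example (written for this page; it is not Optus’s code and not from the article) shows a customer-lookup handler that answers anyone who knows or guesses an id, beside a hardened version that authenticates the caller and enforces object-level authorization, plus the sequential-id walk an attacker would run against each. The records, session tokens and route are constructed for illustration.

```python
"""Added example (not from the article and not any real system): a customer
lookup endpoint with missing authentication and object-level authorization,
beside a hardened handler. Records, tokens and the route are constructed."""
import hmac
import re

# Constructed sample records; not real customers.
CUSTOMERS = {
    "1001": {"name": "Customer One", "email": "one@example.invalid", "dob": "1990-01-01"},
    "1002": {"name": "Customer Two", "email": "two@example.invalid", "dob": "1985-06-30"},
}
# Constructed opaque session tokens mapped to the customer id they belong to.
SESSIONS = {"tok-one-7f3a": "1001", "tok-two-91c4": "1002"}

ROUTE = re.compile(r"^/api/customers/(\d+)$")


def vulnerable_handler(method, path, headers):
    """Returns any customer's record to any caller: sequential ids make the
    whole customer base enumerable with a simple loop."""
    match = ROUTE.match(path)
    if method != "GET" or match is None:
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(match.group(1))
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def _caller_id(headers):
    """Resolve 'Authorization: Bearer <token>' to a customer id, comparing
    tokens in constant time so response timing does not leak partial matches."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    if not token.isascii():
        return None
    for known, customer_id in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return customer_id
    return None


def hardened_handler(method, path, headers):
    """Authenticate first, then let a caller read only their own record.
    Foreign ids get 404 rather than 403 so valid ids cannot be probed."""
    match = ROUTE.match(path)
    if method != "GET" or match is None:
        return 404, {"error": "not found"}
    caller = _caller_id(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    if match.group(1) != caller or caller not in CUSTOMERS:
        return 404, {"error": "not found"}
    return 200, CUSTOMERS[caller]


def enumerate_customers(handler, headers, start=1000, stop=1010):
    """Walk a range of sequential ids the way an attacker would and return
    the ids whose records the handler hands back."""
    return [str(i) for i in range(start, stop)
            if handler("GET", f"/api/customers/{i}", headers)[0] == 200]


if __name__ == "__main__":
    print("unauthenticated walk, vulnerable:", enumerate_customers(vulnerable_handler, {}))
    print("unauthenticated walk, hardened:  ", enumerate_customers(hardened_handler, {}))
    print("customer one, hardened:          ",
          enumerate_customers(hardened_handler, {"Authorization": "Bearer tok-one-7f3a"}))
```

The check that matters is the second one in the hardened handler: authentication alone would still let every logged-in customer read every other customer’s record, which is the broken object-level authorization case that API scanners and manual testers both need to exercise.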

Medibank Data Breach

Another company from the Land Down Under took over the unfortunate headlines in the twilight of the year when Medibank suffered a huge breach. To be specific, an anonymous attacker collected 9.7 million records of Medibank customers.

After the company refused to give in to the attackers’ demands, the criminals dumped more than 5GB of compressed data online. All analysis indicates that the dump does indeed contain Medibank customer information.

DoorDash Data Breach

The summer of ‘22 won’t be remembered as a particularly happy one for DoorDash users. Perhaps the biggest food delivery company suffered an enormous leak in which almost 5 million of its users had their data stolen.

What is really notable is that the attack came through a sophisticated phishing campaign, ultimately doing significant damage to DoorDash in terms of customer trust.

Luckily, the attackers accessed only limited payment card data from a smaller group of people, and even then mostly the last four digits of the card number: still a risk, but not as threatening as some other data leaks out there.

Security Starts at Your Own Home

When talking about big security breaches, many companies focus their defenses solely on technical details, making sure the systems they use are as hard to penetrate as possible. But a big gap remains that leads to some of the biggest data leaks: human error.

Making your employees the first line of defense is crucial to maintaining a safe environment protected from outside breaches. That means continuous education, enrolling and encouraging staff to take security courses, and raising the overall level of cybersecurity awareness in your company.

Creating a safe environment isn’t, and never has been, the individual effort of a few cybersecurity specialists. It is always the whole group that has to stay organized and aware of outside threats so that costly slip-ups don’t happen. A chain is only as strong as its weakest link, and that applies perfectly to cybersecurity.

From all the lessons we learned in 2022, it’s time for all of us to take action, broaden our knowledge, and work on our cybersecurity awareness. These are the steps needed to get to the next level and raise our security online.

Turning Left: How Bright Reinvented the DAST Wheel

Table of Contents

  1. Is Bright Reinventing DAST?

Dynamic Application Security Testing (DAST) tools have been around for decades. However, what was once the dominant market solution is becoming obsolete. Primarily, this shift boils down to organizations moving to DevOps practices: the philosophy of getting all teams to work closely together throughout the SDLC, with a focus on efficiency, fast feedback, and continuous improvement. Through adoption, organizations can release code faster than ever before; sounds great, right? The downside is that most organizations are still knowingly releasing vulnerable apps and APIs into the market. So, although speed has improved, security has not. By not finding vulnerabilities early enough in the SDLC, organizations are unable to take swift action to remediate and protect themselves. This is where Bright comes in.

DAST tools scan your application from the outside in, simulating an attack. Traditionally, DAST scanning was conducted during the final stages of the SDLC: testing and release/maintenance. When releasing every couple of months, testing during the final stages posed no problem, as there was still time to find and remediate vulnerabilities. The advent of DevOps, however, posed a problem for these legacy tools. Equipped with new speed, organizations could now release faster than ever, and the AppSec team could no longer keep up. As a result, there was no time to verify the absence of vulnerabilities before release.

Understanding this, Bright’s CEO and Co-founder, Gadi Bashvitz, wondered whether Bright could create a DAST solution that would start scanning earlier in the development life cycle, thereby empowering developers to take control of their own DAST scans. In doing so, organizations can get the information they need early enough in the SDLC to resolve vulnerabilities in minutes. This saves time and money, as waiting until pre-production or production to resolve the same problem could take weeks to resolve due to heavy processes, context switching, having to redo testing, etc., affecting the entire sprint. By providing developers with tools made for them, to be implemented early on in the SDLC, organizations gain the confidence to release applications and APIs without the risk of releasing vulnerabilities into the market.

Is Bright Reinventing DAST?

Simply put, yes! By integrating DAST earlier in the system development lifecycle, Bright has helped hundreds of companies shift left.

But, you may be asking yourself, what does it mean to shift left?

Shifting left is the philosophy of starting security earlier in the SDLC by building it into every phase, from the project kick-off meeting onward. In doing so, organizations can focus on what truly matters, releasing code, while saving time, money, and their reputation.

By adopting a shift-left approach with dev-centric DAST, you find vulnerabilities earlier in the SDLC, minimizing internal friction, creating a more cohesive team, and producing a more secure application overall.

Safety and Preparation for Hacker Summer Camp

Every August, hackers descend on Las Vegas, Nevada to take part in #HackerSummerCamp, a cluster of cyber security/hacker events that run simultaneously. There are several, but the main ones you are likely to hear about are Black Hat, DEF CON, BSides Las Vegas and the Diana Initiative. #HackerSummerCamp is just the affectionate nickname, not an official name.

Formally named or not, #HackerSummerCamp can pose security risks to you and your personal devices. In this article we detail several ways to protect yourself and your devices from the small minority of attendees who behave unprofessionally and cause others trouble during this annual event.

  • Do not connect to any WiFi with a device that you love. Bring a burner phone or laptop if you must connect while at/near the conference.
  • Use a VPN if you are going to connect for work from your hotel, and use cellular data rather than WiFi where you can. Do not connect to work from the conference WiFi. Do not connect to the conference WiFi at all unless you are using a burner or a ghosted and backed-up device.
  • Make a backup of your laptop, then ghost it, attend Hacker Summer Camp, then ghost it again when you get home, then restore from your backup disk. This helped a lot when I received “the gift of malware” in 2016 at my first Def Con. Glad I prepared before I left home!
  • Turn off your Bluetooth and WiFi. Ensure they won’t turn themselves back on or do any scans in the background.
  • Use cellular, it’s safer.
  • Ensure that YOU are physically safe at all times. It’s best to not go to a party alone or with people you don’t know, but if you do, don’t get drunk/high/out of control.
  • Don’t accept drinks from strangers. Even if they are famous.
  • Don’t go back to someone’s hotel room unless you feel safe to do so, and preferably tell someone where you will be and don’t forget the room number when you say where you will be. Have someone check in with you after.
  • Exercise all the caution in the world when it comes to your physical safety, and then some more. Even if you have met someone before or feel like you know them very well from the internet, be careful; you are the most valuable thing you have.
  • Register for parties in advance to make sure you get a ticket. Getting tickets to things last minute is a pain, and they often sell out.
  • Buy tickets to conferences in advance to make sure you get in.
  • If you have to do live demos I suggest recording them (I KNOW! Then they are not live). You can always ALSO do them live, but you have a back up just in case. That’s what I did and guess what? My laptop is fine AND my demo looked awesome!
  • If you go to Def Con, prepare to wait in line for at least 50% of the time you spend at the conference. Seriously. If you are an extrovert like me this can be fun, but if you are an introvert be prepared. #linecon
  • If you can network and make friends in advance of the event, it’s a good idea to do so. Attending in a group is always safer and usually more fun as well. If you can meet people who are part of a larger group, such as Diana Initiative, CyberJutsu, WoSEC, OWASP, etc. that can lead to even more fun (and safety).
  • If something happens, TELL SOMEONE. If a person has done something obviously inappropriate to you, they will (sadly) likely do it to even more people if you let them get away with it. Please report. For DEFCON there’s a hotline. And the people working there are super awesome and kind. They will help, regardless of the situation you’re in, regardless of the persons involved. You can even report anonymously over the hotline. Again: if something really bad happens please report.

Gadi Bashvitz, Bright: “companies must ensure security is part of the design of the product”

Table of Contents

  1. How did the idea of Bright originate? What has your journey been like so far?
  2. Can you introduce us to your application testing platform? What are its key features?
  3. What would you consider the main challenges development teams run into nowadays?
  4. How do you think the recent global events affected the way people approach cybersecurity?
  5. What are the most common vulnerabilities nowadays, that if overlooked, can lead to serious problems for a business?
  6. In your opinion, what kind of tests and checkups should every company conduct regularly?
  7. What are the best practices companies should follow when developing, and, when launching applications?
  8. Talking about personal cybersecurity, what measures do you think everyone should implement to protect themselves from emerging threats?
  9. What does the future hold for Bright?

Our guest today believes that security testing should be done as early as possible in the development lifecycle.

As the world gets more connected, it is no surprise that threat actors are constantly on the lookout for vulnerabilities to exploit. With vast amounts of software and applications being released every minute, experts believe that a new development approach must be taken – one where security is weaved into the product from day one.

To talk about the importance of the security-first approach, we invited Gadi Bashvitz, the Co-founder and CEO of Bright Security – a company ensuring that no vulnerability goes unnoticed in the software development process.

How did the idea of Bright originate? What has your journey been like so far?

With roughly 70% of the vulnerabilities affecting companies today originating in the application layer (Apps or APIs), it became clear that proper application security (or AppSec) is one of the most crucial areas of need in cybersecurity. Looking at the market and the solutions, we realized that the legacy security solutions in the space were fast becoming antiquated and were not able to keep up with the pace of modern DevOps practices. We wanted to create a solution that addressed the key issues the market was facing as this issue will only grow more pressing as the rate of software development continues to increase.

The most important trend, as we saw it, was (and still is) “shift left”, or the idea of moving security testing early on in the software development lifecycle (SDLC). Earlier testing will lead to a more efficient security process and prevent vulnerabilities from ever making it to production, but while the concept is great, the execution hasn’t been.

Dynamic Application Security Testing (DAST), which is the process of testing the security of the running application from the outside-in, was an area that we identified as in need of some innovation. The legacy DAST solutions were not built for developers, but for AppSec experts, and were not suitable for a world in which software releases happen multiple times a day. The flaws in these older solutions led many developers to avoid using them altogether as they were more of a hindrance than a help. We set out to create a DAST solution that not only worked for the needs of developers but one that they would want to use.

The journey so far has been incredible. It’s very exciting to see both large banks and leading global Cybersecurity companies, on the one hand, and small dev teams, on the other, rely on our platform to secure their apps. We’ve learned a ton along the way, such as the importance of business logic vulnerabilities, the need for securing APIs – not just human-facing apps, and how to make it so developers actually WANT to use the product.

Can you introduce us to your application testing platform? What are its key features?

Bright is a Dynamic Application Security Testing (DAST) platform built for software developers. The solution approaches applications from the outside, mimicking how a hacker would approach the application, and automatically tests for vulnerabilities that bad actors could use to exploit. 

Unlike legacy tools which were designed exclusively for expert security users after the application is already in production, Bright’s tool was built to be “developer-first”. It was designed to empower developers to create more secure applications and APIs starting in the development phase and across all stages leading up to and including production so that vulnerabilities are caught and remediated earlier. 

To truly be a dev-centric platform, we needed to develop some key features that align with how developers prefer to work:

  • Setup takes minutes and there’s no need for security expertise – we take care of all that
  • No false positives: Our special technology automatically verifies that any vulnerability it detects is actually exploitable so that devs don’t waste time remediating vulnerabilities that aren’t a threat
  • Remediation instructions that make sense: if a scan detects an issue, developers receive easy-to-follow remediation guidelines with the information they need to fix it
  • Control everything with code: Although Bright has a great UI, developers love using our CLI and API that lets them control everything
  • Scans take minutes instead of hours or days: Bright’s unique approach allows you to scan only the relevant parts of an app so that you don’t have to slow down the build process – including for unit testing!
  • Seamless integration with the developer toolchain: Bright works with existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. It can also automatically add tickets to Jira, GitHub, Azure Boards, GitLab, and other systems.

And while we hope developers will love working with Bright, we also want to make sure security teams can rely on it. No tool out there has more comprehensive testing coverage than Bright, and that includes business logic vulnerabilities and API scanning.

What would you consider the main challenges development teams run into nowadays?

The biggest challenge for development teams is keeping up with the pace of today’s world. Developers today are releasing 100x more code into production compared to only ten years ago, and so the challenge becomes developing and releasing software at a much faster pace, while still ensuring that it is both bug-free and secure. To do that, you want as much automation throughout the SDLC as you can put in (aka DevOps). The issue developers face is that securing software before it’s released – without a platform such as Bright – is a tedious, manual, and time-consuming process. Today, almost 90% of organizations are knowingly releasing vulnerable applications and APIs into production because they can’t detect and remediate vulnerabilities quickly enough. These vulnerabilities take an average of nine months to be fixed, leaving organizations exposed for considerable periods of time and we’re working to change that reality.

How do you think the recent global events affected the way people approach cybersecurity?

On the macro level, the increase in attacks is just accelerating the growing understanding of the importance of addressing cybersecurity flaws. Companies are repeatedly seeing the financial and reputation fallout from cyberattacks and hacks and are placing a premium on cybersecurity, which is becoming a key factor in purchasing. Nobody wants to buy a product that isn’t secured, and so companies must adjust to ensure security is part of the design of the product and incorporated throughout the process.

Part of that is accomplished by moving all forms of security testing earlier in the process (i.e., shift left). And that’s a place where we are seeing a massive change in attitude – especially among developers. Developers are quickly coming to the realization that security vulnerabilities are bugs (but often with more severe consequences). And as no developer prides themselves on releasing buggy code, they also want to make sure they release secure apps.

What are the most common vulnerabilities nowadays, that if overlooked, can lead to serious problems for a business?

At the application level, which is where we live, we’re seeing that the most common vulnerabilities are indeed the ones that are on the OWASP Top Ten and similar lists, which enable attacks such as SQL injection, cross-site scripting, CSRF, and XXE. There’s a fairly good awareness level of these vulnerabilities, which we call “technical vulnerabilities.” 

That said, there is a whole different class of vulnerabilities – business logic vulnerabilities (BLVs) – that are still often overlooked and can be very severely exploited by bad actors. BLVs are particularly tricky because exploiting (and detecting) them requires an understanding of the application’s flow and business purpose, and finding them has traditionally relied on costly and error-prone manual testing. 

Awareness of BLVs is currently so low that, unlike CVEs for technical vulnerabilities, there is no naming or classification system. Our researchers at Bright are identifying them and classifying them with proper names. Our automated solution thoroughly analyzes the application’s flow, understands the context, and tests the system through a multitude of interaction combinations, eliminating the need for manual processes.
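The following Python example (written for this page; it is not from the interview and not Bright’s product code) illustrates the kind of business logic vulnerability referred to above: a checkout total that trusts client-supplied prices and quantities and lets a single-use coupon be replayed, a hardened version that applies the business rules server-side, and a small probe that drives the same abusive orders through both. The catalogue, coupon and order format are assumptions for illustration.

```python
"""Added example (not from the interview or Bright's product): a checkout
total with business logic flaws, a hardened version, and a probe that runs
the same abusive orders through both. Catalogue, coupon and order shapes
are assumptions for illustration."""
from decimal import Decimal

# Constructed catalogue; server-side prices are the only truth.
CATALOGUE = {"sku-1": Decimal("25.00"), "sku-2": Decimal("100.00")}
# Constructed flat-amount coupons, each usable once per order.
COUPONS = {"WELCOME10": Decimal("10.00")}
MAX_QTY = 100


class OrderError(ValueError):
    """Raised by the hardened path when an order violates a business rule."""


def vulnerable_total(order):
    """Trusts the client's price and quantity and applies coupons without
    limit: no injection, no XSS, just a workflow that can be abused."""
    total = Decimal("0")
    for item in order["items"]:
        total += Decimal(str(item["price"])) * item["qty"]
    for code in order.get("coupons", []):
        total -= COUPONS.get(code, Decimal("0"))
    return total


def hardened_total(order):
    """Prices come from the catalogue, quantities must be positive integers
    within limits, each coupon applies once, and the total never drops below 0."""
    total = Decimal("0")
    for item in order["items"]:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOGUE:
            raise OrderError("unknown sku")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderError("invalid quantity")
        total += CATALOGUE[sku] * qty
    used = set()
    for code in order.get("coupons", []):
        if code not in COUPONS or code in used:
            raise OrderError("invalid coupon use")
        used.add(code)
        total -= COUPONS[code]
    return max(total, Decimal("0"))


# Constructed abusive orders: the interaction combinations a business logic
# test has to try, because no payload signature would ever catch them.
ABUSIVE_ORDERS = {
    "client-set price": {"items": [{"sku": "sku-2", "qty": 1, "price": "0.01"}]},
    "negative quantity": {"items": [
        {"sku": "sku-2", "qty": 1, "price": "100.00"},
        {"sku": "sku-1", "qty": -3, "price": "25.00"},
    ]},
    "coupon replay": {"items": [{"sku": "sku-1", "qty": 1, "price": "25.00"}],
                      "coupons": ["WELCOME10"] * 3},
}


def probe(total_fn):
    """Return each abusive order's outcome: the computed total as a string,
    or 'rejected: <reason>' when the implementation refuses the order."""
    results = {}
    for name, order in ABUSIVE_ORDERS.items():
        try:
            results[name] = str(total_fn(order))
        except OrderError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_total))
    print("hardened:  ", probe(hardened_total))
```

Note that the vulnerable function is syntactically and semantically valid code, and every request it receives is well-formed; the flaw lies in which fields the server chose to trust, which is why detecting this class of issue requires a model of the intended flow rather than a list of bad strings.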

In your opinion, what kind of tests and checkups should every company conduct regularly?

In a perfect world, companies should use all of the tools in the toolbox: SCA, SAST, DAST, IAST, GRC, RASP, etc. But as important as what tests they run is when they run them. It is much more cost-effective to run the tests as early as possible in the cycle. DAST was traditionally employed when the application was already fully developed and running (in pre-production or production), but fixing vulnerabilities at that point is both expensive and risky. 

There have traditionally been many challenges in running DAST during the development phase. For one thing, traditional dynamic tests take many hours, even days, and running a test that late in the process often creates unaffordable delays in production.

We’ve developed smart ways to analyze, understand and break down the application’s attack surface so that we can run short tests that only cover what’s relevant at that point. 

Another issue with legacy DAST was that it created many false positives – indications of potential flaws in the system that aren’t actually exploitable. Developers hate these false positives because they end up “chasing ghosts” having to remediate dozens of “vulnerabilities” that actually don’t really matter. It slows down the whole process and has actually turned many developers away from DAST tools. We’ve eliminated that issue by intelligently verifying that each issue we discover is actually exploitable.

Once you’ve solved these issues (and a few others we won’t get into), you can now automatically run DAST tests with every build via the CI/CD pipeline throughout the development lifecycle.
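The "chasing ghosts" problem above comes from treating reflection as proof of a vulnerability. The following added example (not Bright's verifier, and not claiming to be how Bright works) shows the difference on a reflected-XSS candidate: a naive check flags any parameter that echoes back, while a verifying check probes each HTML metacharacter, works out the context the value lands in, and reports only if the characters needed to break out of that context survive unencoded. The four `app_*` functions are constructed stand-ins for HTTP responses; the context detection is deliberately simplified (it ignores script blocks, URL attributes and event handlers).

```python
"""Reflected does not mean exploitable: verifying a reflected-XSS candidate.

Added illustration, not Bright's detection logic. The app_* functions are
constructed responders standing in for pages a scanner would fetch.
"""
import html
import re
from typing import Callable, Set

Responder = Callable[[str], str]
META = '<>"\''          # characters that matter for breaking out of HTML contexts
CTX_PROBE = "zq7ctx7zq"  # rare marker that no encoder will alter


# --- constructed target pages --------------------------------------------
def app_encoded(q: str) -> str:
    """Output-encodes into a text node: reflected, not exploitable."""
    return f"<p>Results for {html.escape(q)}</p>"


def app_raw(q: str) -> str:
    """Raw reflection into a text node: exploitable."""
    return f"<p>Results for {q}</p>"


def app_attr_strip_angles(q: str) -> str:
    """Strips < and > but reflects into a double-quoted attribute: exploitable via quote breakout."""
    return f'<input name="q" value="{q.replace("<", "").replace(">", "")}">'


def app_attr_encode_quotes(q: str) -> str:
    """Encodes the double quote inside a double-quoted attribute: reflected, not exploitable here."""
    return f'<input name="q" value="{q.replace(chr(34), "&quot;")}">'


# --- detection logic -------------------------------------------------------
def reflection_context(send: Responder) -> str:
    """Return where the probe lands: 'text', 'attr_dq', 'attr_sq' or 'none'."""
    body = send(CTX_PROBE)
    i = body.find(CTX_PROBE)
    if i < 0:
        return "none"
    before = body[:i]
    if re.search(r'=\s*"[^"]*$', before):   # an opened, unclosed double-quoted attribute
        return "attr_dq"
    if re.search(r"=\s*'[^']*$", before):   # an opened, unclosed single-quoted attribute
        return "attr_sq"
    return "text"


def surviving_metachars(send: Responder) -> Set[str]:
    """Probe one metacharacter at a time and record which come back verbatim."""
    alive = set()
    for ch in META:
        probe = f"zq7{ch}7zq"
        if probe in send(probe):
            alive.add(ch)
    return alive


def naive_flag(send: Responder) -> bool:
    """Legacy heuristic: report any parameter that is reflected at all."""
    return reflection_context(send) != "none"


def verified_flag(send: Responder) -> bool:
    """Report only when the characters needed to escape the landing context survive."""
    ctx = reflection_context(send)
    alive = surviving_metachars(send)
    if ctx == "text":
        return {"<", ">"} <= alive      # can open a new tag
    if ctx == "attr_dq":
        return '"' in alive             # can close the attribute value
    if ctx == "attr_sq":
        return "'" in alive
    return False


if __name__ == "__main__":
    for app in (app_encoded, app_raw, app_attr_strip_angles, app_attr_encode_quotes):
        print(f"{app.__name__:24} naive={naive_flag(app)!s:5} verified={verified_flag(app)}")
```

The naive check reports all four pages; the verifying check reports only the two where a payload would actually execute. The same idea extends to other classes: a SQL injection candidate is confirmed with a boolean or timing differential rather than an error string, and a path traversal candidate by actually retrieving a known file.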

What are the best practices companies should follow when developing, and, when launching applications?

When it comes to application and API security, the key practice is to automatically run tests with every build as part of the CI/CD pipeline. This is sometimes called DevSecOps. At Bright, we fully embrace DevSecOps practices and developed deep integration into CI tools such as Github Actions, GitLab, CircleCI, Jenkins, TeamCity, and others to ensure that you can integrate with any platform to test as early as possible.

We’ve even taken it a step further, allowing developers to run a DAST scan at the unit testing phase – one of the earliest points in development. This was especially challenging because dynamic security tests, by definition, scan a running application, but unit tests are for snippets of code. We developed a way to run those snippets as if they are a fully-formed application and then scan them.

We’re actually seeing how this is changing our customers’ behavior. Moving the process earlier has enabled customers to test earlier and more often and has increased the average from running four scans a month that take seven hours each to running hundreds of tests that take three minutes each.

Talking about personal cybersecurity, what measures do you think everyone should implement to protect themselves from emerging threats?

A few of the practices I religiously follow are using multi-factor authentication whenever possible and using a different password for everything (which requires a password manager). Hackers are always looking for easy targets, like the person whose password is “password,” and I think that for personal security practicing the basics will go a long way towards keeping you safe. 

What does the future hold for Bright?

The future is bright (pun intended). We’re quadrupling down on some of the things I mentioned here, such as broader and better coverage of business logic vulnerabilities, and making dynamic security testing easier and more automated.

We’re especially focused on making our DAST scanner developer-friendly. That has many aspects to it, such as providing remediation guidelines in a way that’s easily understood by developers, not AppSec experts; and intelligently configuring the tests we scan for based on the target and past tests. We also want to make sure the solution scales with the needs of our customers, some of whom are among the world’s largest organizations. 

We are very focused on serving our dozens of enterprise customers and more than 6,000 development teams using our product. We are constantly learning from our community and working with them to perfect a truly developer-centric DAST solution that is easy to deploy and helps organizations build secure applications and APIs.

To read the original story, please visit CyberNews

The Future is Bright

Table of Content

  1. The solution: make it easy for developers
  2. Unlike traditional DAST tools, Bright was built for developers
  3. What makes Bright a dev-first DAST platform?
  4. Our Series A funding round

Today we are announcing an additional $20 million in funding to fuel our growth and continue to help organizations (and their software developers) secure their applications and APIs. We’re also changing our company name from NeuraLegion to Bright Security.

When Shoham Cohen, Bar Hofesh, Art Linkov, and I founded the company three years ago, there was no doubt that application security would remain a huge need for many years to come. But there were already many solutions companies could use to secure their applications. Despite that, we observed that many of the existing AppSec solutions – particularly Dynamic Application Security Testing (DAST) tools – no longer fit the way modern apps are developed and released. The consequences of that were grave: more than 80% of organizations knowingly release vulnerable apps into production.

The solution: make it easy for developers

It’s well-known that moving security testing earlier in the Software Development Lifecycle (SDLC) is better in every respect: In addition to reducing the risk of vulnerabilities making it into production, it makes remediation faster and cheaper. Thus, the term “shift left” became popular. But that’s easier said than done, especially with DAST.

Unlike traditional DAST tools, Bright was built for developers

Bright’s DAST tool was built to be “developer-first”. It was designed to empower developers to create more secure applications and APIs starting early in the development process and through all stages leading to and including production while enabling the AppSec team to provide the governance. Traditional DAST tools are made for application security (AppSec) experts, who typically test the app after the development cycle is complete and it’s in production.

What makes Bright a dev-first DAST platform?

  • Setup takes minutes and there’s no need for security expertise – we take care of all that
  • No false positives: Our special technology automatically verifies that any vulnerability it detects is actually exploitable so that devs don’t waste time chasing ghosts
  • Remediation instructions that make sense: If a scan detects an issue, get easy-to-follow remediation guidelines with the information developers will need to fix it
  • Control everything with code: Although Bright has a great GUI, developers love using our CLI that lets them control everything
  • Scans take minutes instead of hours or days: Bright’s unique approach allows you to scan only the relevant parts of an app so that you don’t have to slow down the build process – including for unit testing! 
  • Seamless integration with the developer toolchain: Bright works with existing CI/CD pipelines – trigger scans on every commit, pull request, or build with unit testing. It can also automatically add tickets to Jira, GitHub, Azure Boards, GitLab, and other systems.
  • Identify business logic vulnerabilities: We believe AppSec tools should find not just “classic” technical vulnerabilities but also business logic issues. Exploiting business logic vulnerabilities requires an understanding of the application’s flow and business purpose, and the process has traditionally relied on costly and time-consuming manual testing. Bright’s automated AI-powered solution thoroughly analyzes the application’s flow, understands the context, and tests the system through a multitude of interaction combinations, eliminating the need for manual processes.

Our Series A funding round

We’re grateful to have some of the best names in cybersecurity join our journey as investors, and we thank them not only for believing in our vision but in the team’s ability to execute. The round, which brings Bright’s total funding to a bit over $25 million, was led by Evolution Equity Partners, who invested in some of the greatest cybersecurity startups out there. Our existing investors DNX Ventures, J Ventures, Fusion Fund, and Incubate Fund are also participating. I’m excited to have Karthik Subramanian of Evolution join our board of directors.

This funding will allow us to grow the team and make major improvements to the platform (stay tuned for what we have in store…).

We want to thank the more than 4,000 developer teams and enterprise customers around the world who trusted us, shared our vision, and partnered with us on this exciting journey as users and customers.

Last but not least, my co-founders and I are very thankful for the amazing Bright team for their brilliance, dedication, and hard work. None of this would have happened without you, and we’re just getting started!

Now is also a great opportunity to join our growing company. We are looking for marketing, product, and sales roles, and of course, engineers. Head over to our Careers page.

Join us to help developers all over the world build and release secure apps and APIs!

Oh, and have you tried Bright yet? Get your free account.

Gadi Bashvitz, co-founder and CEO, Bright Security

Welcoming Industry Veterans to Our Newly-Formed Board

Table of Contents

  1. Tanya Janca, Founder & CEO at WeHackPurple Academy
  2. Ofer Maor, Co-Founder & CTO at Mitiga 

I’m thrilled to announce our newly-formed industry advisory board and welcome to it two luminaries of the industry, each bringing their own unique perspective. They will be helping the team at Bright to continue delivering a cutting-edge, developer-focused application security platform to market.

Here’s a quick introduction:

Tanya Janca, Founder & CEO at WeHackPurple Academy

Tanya, known to many as SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around creating secure software. 

Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger and streamer and has delivered hundreds of talks and training sessions on six continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. 

Ofer Maor, Co-Founder & CTO at Mitiga 

Ofer is the CTO & co-founder of Mitiga where he’s building a groundbreaking Cloud Incident Response platform. He has more than 25 years of experience in cybersecurity and entrepreneurship and was previously the CTO and founder of Seeker (acquired by Synopsys), where he invented IAST, a next-generation application security testing technology, currently used by some of the largest organizations in the world. 

Prior to Seeker, Ofer was the CTO and founder of Hacktics (acquired by EY), and a founding employee at Imperva. He is also active in the cybersecurity community and has served as a Global Board Member at OWASP.

One of the most critical aspects Ofer and Tanya have already been working with us on is directly related to our core mission: empowering developers to build secure applications — fast. And with that in mind, I invite you all to sign up for a free Bright account. Once you do, you’re minutes away from securing your app.

I’m sure I speak on behalf of the entire team when I say we can’t wait to get to work with Ofer and Tanya, as they help take Bright to the next level.

Ofer, Tanya — welcome aboard!

Bright is now ISO 27701 Certified!

We at Bright are very proud to announce that we have been awarded accredited certification to ISO 27701, the international standard on data privacy. This builds on the ISO 27001 certification we received a couple of months ago and shows our continued commitment to meeting the highest standards of customer security and reliability.

The ISO 27701 standard provides an overarching framework on Privacy Information Management Systems (PIMS), to help companies fine-tune their data privacy practices and keep pace with the changing privacy threat and regulatory landscape through a rigorous risk and compliance driven approach, while being focused on measurement and continuous improvement. This is the world’s first International Standard on PIMS and incorporates a mapping against the requirements of EU GDPR – considered the gold standard in data privacy laws. Being certified to this global standard demonstrates Bright’s ability to effectively and consistently deliver solutions and services to clients in compliance with data privacy regulations and contractual requirements in applicable countries.

This is a significant accomplishment for us, given that we could get an accredited certification for the globally recognized, certifiable data privacy standard quickly and effectively. This was possible only because of the maturity of our data privacy processes. I’m confident this certification will go a long way in being a differentiator and in increasing the trust our clients and other stakeholders place in Bright.

We are excited to offer our Application Security Solutions from build to compliance across web, mobile and APIs, with zero false positives, backed by this highest level of security assurance.