Apache Log4j2 Security Advisory


Beyond Security by Fortra is aware of a recently disclosed security issue related to the open-source Apache “Log4j2” utility (CVE-2021-44228).

Log4j is a logging framework used in Java software. The flaw stems from certain Java Naming and Directory Interface (JNDI) features, used in configuration, log messages and parameters, failing to protect against attacker-controlled LDAP servers and other JNDI-related endpoints. A remote attacker who can control log messages or log message parameters can run arbitrary code loaded from LDAP servers on any application that uses Log4j when message lookup is enabled.

The flaw affects all versions of Log4j from 2.0-beta9 to 2.14.1. This flaw is actively being exploited.

We strongly encourage customers who manage environments containing Log4j2 to update to the latest version released by the Apache Foundation, which addresses the issue and is available at https://logging.apache.org/log4j/2.x/download.html, or to update through their operating system’s software update mechanism.

If updating the software is not an option, the Foundation has also shared mitigation measures for Log4j versions 2.10 and later to protect against remote code execution via the vulnerability.

BeSECURE

Beyond Security uses Log4j in the beSECURE LSS scanners and in the beSECURE II scanner and management bundle. Java is used by the beSECURE LSS to schedule and run scans and to send results back to the local or cloud management server. An attacker would need access to the local or cloud LSS to inject the required payload.

Currently, Beyond Security is not aware of a means for a remote attacker to access the necessary resources to initiate an attack. Affected cloud versions of the LSS have been patched. Beyond Security has released a new LSS base image that does not include the JNDI class. New deployments of LSS and beSECUREII will not contain the vulnerable JNDI class.

Beyond Security is working on an update that will remove the JNDI class from existing LSS scanners as an additional precaution and protection – though there is no means of reaching the vulnerable code (as mentioned above). The beSECURE UI is not affected. Beyond Security provided a preliminary scanner check for this vulnerability on December 14, 2021 in LSS scanner build 1145.
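The two defensive actions the advisory describes, checking whether a deployed log4j-core jar falls in the affected range and still carries the JNDI lookup class, and stripping that class from the jar, can be scripted. The following is an added example written for this page, not Beyond Security's scanner check or Apache's own tooling; it builds constructed stand-in jars in a temporary directory so it runs offline, and the version range it tests is the one stated above (2.0-beta9 through 2.14.1).

```python
"""Inspect Log4j 2 jars for CVE-2021-44228 exposure and strip JndiLookup.class.

Constructed example: builds fake log4j-core jars in a temp directory so it
runs offline; the version parsing and class-stripping apply to real jars too.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Path of the class that performs the JNDI lookup inside log4j-core
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars, giving the artifact version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Affected range stated in the advisory: 2.0-beta9 through 2.14.1
RANGE_LOW, RANGE_HIGH = "2.0-beta9", "2.14.1"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort before finals


def version_key(version):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK[stage], int(stage_num or 0))


def version_in_affected_range(version):
    """True if version lies in the advisory's 2.0-beta9 .. 2.14.1 range."""
    key = version_key(version)
    return version_key(RANGE_LOW) <= key <= version_key(RANGE_HIGH)


def read_version(zf):
    """Read the artifact version from pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def jar_report(jar_path):
    """Return what a defender needs to know about one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        version = read_version(zf)
        has_lookup = JNDI_LOOKUP in zf.namelist()
    in_range = version is not None and version_in_affected_range(version)
    return {
        "jar": str(jar_path),
        "version": version,
        "has_jndi_lookup": has_lookup,
        # Exposed only if an affected version still ships the lookup class
        "vulnerable": in_range and has_lookup,
    }


def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class; return True if it was removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue  # every other entry is copied unchanged
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in for log4j-core holding only the entries inspected here."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build constructed jars, report on them, and mitigate the affected one."""
    with tempfile.TemporaryDirectory() as tmp:
        affected = Path(tmp) / "log4j-core-2.14.1.jar"
        later = Path(tmp) / "log4j-core-2.15.0.jar"
        build_sample_jar(affected, "2.14.1")
        build_sample_jar(later, "2.15.0")  # still has the class, but out of range
        before = [jar_report(affected), jar_report(later)]
        stripped = Path(tmp) / "log4j-core-2.14.1-stripped.jar"
        removed = strip_jndi_lookup(affected, stripped)
        return before, removed, jar_report(stripped)


if __name__ == "__main__":
    reports, removed, after = demo()
    for r in reports + [after]:
        print(r)
```

Run it against a directory of real jars by replacing `demo()` with a loop over `Path(...).rglob("log4j-core-*.jar")`; stripping the class is the fallback the advisory describes for when updating is not possible, not a substitute for upgrading.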

BeSTORM

The beSTORM product is not written in Java and does not use the Log4j utility and is not affected by this flaw.

BeSOURCE

The beSOURCE Developer edition does not use the log4j utility. The beSOURCE Enterprise edition uses log4j 1.2.x and is not directly affected by the current flaw.

If you have any questions about this flaw or need assistance updating your LSS, please contact Beyond Security Support.

–Beyond Security

Create A Zero Trust Strategy

A cybersecurity strategy is only as effective as the systems that it controls and operates with. This guide, Vulnerability Management: The Backbone of a Zero Trust Strategy will show you the steps needed to create a zero trust security strategy.

Infographic: BEST CODING PRACTICES FOR SECURE WEB APPLICATIONS


Keeping your organization protected from web application vulnerabilities doesn’t have to be complicated. There are some secure coding best practices you can follow to ensure that you’re protecting your customers and preventing cyber criminals from damaging your company.

The Best Secure Coding Practices Infographic

New Automotive Cybersecurity Standards Require SAST and DAST Solutions


In the last decade, there have been 633 automotive cybersecurity incidents. Yet, this year at Black Hat, the automobile industry was able to breathe a momentary sigh of relief when a connected vehicle was presented as a hacking challenge and no one succeeded. This stood in stark contrast to 2015, when researchers demonstrated the real danger of automotive cyber-attacks by hijacking a Jeep remotely and taking over the entire system. Technology is now even more deeply integrated into all aspects of a vehicle, and an estimated 75% of vehicles shipped in 2020 have some connection to the internet, which underscores just how crucial automotive cybersecurity is for customer safety.

2021 Raises Automotive Software Standards

While the Black Hat demonstration underscores the progress of the industry in recent years, there is still a lot of work to do. Various regulatory standards organizations have helped in these efforts, requiring carmakers and manufacturers of automotive components to adhere to secure development processes. These requirements include testing and audits of the security of the software used in all connected vehicles built today.

ISO/SAE 21434 — Securing Connected Vehicles on the Road

The newest standard, ISO/SAE 21434 was officially released August 31, 2021. It addresses the cybersecurity of electrical and electronic (E/E) systems within road vehicles in a couple of ways: 

  1. It requires engineers to include state-of-the-art technology in all E/E systems to protect against evolving cyberattack methods.
  2. It focuses on the cybersecurity risks in the design and development of car electronics, ensuring that Original Equipment Manufacturers (OEMs) and all participants in the supply chain implement structured processes that support “Security by Design.” 

ISO/SAE 21434 represents a collaboration between two standards development entities: the International Organization for Standardization (ISO) and SAE International (the Society of Automotive Engineers). The jointly published standard is an extension of the first automotive cybersecurity standard created, SAE J3061, which bakes cybersecurity into cyber-physical vehicle systems from conception through production, operation, service, and decommissioning. It includes provisions for identifying and assessing cybersecurity threats using static application security testing (SAST) and dynamic application security testing (DAST). SAE J3061 also includes additional guidelines for penetration testing as well as validation of completed assessments for effectiveness.

The ISO/SAE 21434 standard covers all stages of the vehicle lifecycle. This includes system and component testing using SAST and DAST.

SAST, or white box testing, looks at the underlying framework and code of an application for vulnerabilities and coding errors, essentially testing from the inside out before an application is released. Access to source code is required.

DAST, or black box testing, seeks to identify vulnerabilities by testing running applications from the outside in, so source code is not required. Both are essential for thorough application security testing.

Advantages of SAST and DAST Testing

SAST is done in the early stages of software development, so any weaknesses that are found can be mitigated rather easily and before they pose a risk of exploitation. SAST tools help verify that the underlying code in an application is strong, providing a secure foundation. They also work quickly and can be automated to ensure compliance.

DAST testing allows for functional testing of existing code that is running. Unlike static testing, which reviews the code before it is compiled, DAST attacks the running code as a cybercriminal would — by using various techniques to identify weaknesses and exploit them. It does not require access to the source code.

Modern DAST Solutions

DAST testing in automotive is more complicated because vehicles have different interfaces than standard computers connected to the internet. This can require customization and specialized hardware to test.

Customizing DAST to understand existing protocols is often a very unique and challenging process. Fortunately, advanced DAST testing tools for the automotive industry already have protocols pre-defined and configured, allowing testers to use them immediately rather than sinking large amounts of time into configuration or hiring expensive external experts to do the initial setup.

Legacy DAST tools take a scattershot approach to testing and either generate excessive random data testing edge cases or require pre-defining test cases from scratch to be effective. Modern DAST solutions can run sequential data testing to make it easier to record, pinpoint, and recreate exceptions. They can take incomplete protocol descriptions and generate fuzzing approaches within the specification to cover the entire protocol and not just specific defined cases.

Modern DAST tools come with pre-built modules that cover numerous protocols, so testers do not have to design test cases from scratch. In addition, DAST tools with intelligent fuzzers use prioritization algorithms to quickly target high-probability vulnerabilities rather than generating the large amounts of random data that legacy tools produce. The combination of all tests allows a protocol to be covered completely in testing.

Modern SAST Solutions

Legacy SAST solutions focused on identifying patterns that indicate potential vulnerabilities. This generated large numbers of false positives, causing many developers to ignore results altogether. Otherwise, developers had to spend significant amounts of time tuning the tool so that results became more accurate over time.

Modern SAST tools are more contextually aware, with the ability to trace execution paths. This allows the tool to filter out findings that could be a vulnerability but are inaccessible to an attacker. These tools also map their findings to industry standards such as the OWASP Top 10, SANS Top 25, Common Weakness Enumeration (CWE), and CERT Secure Coding Guidelines, so when vulnerabilities are identified, they are relevant and actionable.

Application Security Test Monitoring

Test monitoring should detect and record when an exploit occurred, including the exact parameters that triggered the vulnerability. This data helps generate reports that allow programmers to debug the application using their chosen development environment effectively.

Robust reporting also allows independent auditors to assess testing effectiveness and how well it aligns with the standards. Insufficient reporting could make it difficult to show compliance with the new standards.

Automotive Cybersecurity is More than Compliance

Automotive Cybersecurity testing is not simply about meeting compliance objectives but improving the overall quality and safety of the product delivered to the end-user. With comprehensive DAST and SAST testing, organizations can show the due diligence required to meet compliance objectives while identifying flaws and vulnerabilities that could compromise the safety of vehicle operators. By baking testing into the development process early on, manufacturers and developers can proactively identify issues and remediate them before making it to the road.

Learn how BeSTORM can help your team perform comprehensive, dynamic security testing on any software or hardware – before hackers do. Discover code weaknesses and certify the security strength of any product without access to source code. Test any protocol or hardware with beSTORM, even those used in IoT, process control, automotive and aerospace.

Related: A Beginner’s Guide to the ISO/SAE 21434 Cybersecurity Standard for Road Vehicles

IoT Security 101


The COVID-19 pandemic left its indelible mark across our society. Our work, recreation, healthcare, and even grocery shopping became remote, digital, and reliant on the internet. The eruption of new apps and Internet of Things (IoT) devices proved a tempting target for cyber attackers; that brought security issues new and old to the fore.

IoT Devices are Everywhere

IoT device use was expanding even before the pandemic, with almost 4.8 billion devices in use. The overwhelming load that the pandemic created, with the need for virtual education, telehealth, video conferencing, remote facility monitoring, and other services, only expanded this number. These devices are estimated to account for nearly 30% of all endpoints in existence today.

While IoT devices made life bearable during lockdowns and boosted business continuity in the face of a once-in-a-lifetime global plague, the downside is that they are easy targets. Over half of them are vulnerable to medium or high severity cyberattacks. These devices are often-overlooked vulnerabilities lurking on your network, waiting to be exploited by attackers who will capitalize on them and pivot to bigger targets once inside your systems.

BYOD. It’s an IoT Party

Bring Your Own Device – or BYOD – might sound like a call back to your college years with a slightly different spelling. Still, it’s a trend that has saved many organizations, from colleges to companies, thousands in infrastructure and operations costs. Devices such as tablets and smartphones keep employees connected throughout the workday, simplify remote work, facilitate travel, and offer a way for employees to be more productive with their time. However, tablets and smartphones aren’t the only IoT lurking in the office.

IoT in Business Processes 

IoT is ubiquitous in business environments. Its presence in the last few years has only become more prevalent, with increases in spending from $215 billion in 2015 to $832 billion in 2020, according to PwC. These devices integrate into business processes managing security and operations. Organizational uses range from badge checking and monitoring to automatically lighting or controlling HVAC settings. This automation saves businesses money and reduces the cost of day-to-day operations.

The Threat in IoT

IoT devices generate and transmit data regularly in the course of their functions, but this means that each of these connections is yet another target for cybercriminals. A recent report by threat intelligence team Unit 42 discovered that over half of all IoT devices are vulnerable to acute cybersecurity attacks. “We see lateral movements originating from successful phishing attacks targeting IoT systems on the same network and exploiting vulnerabilities remotely. 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.”

In a rush to market, device manufacturers often overlook or fail to test for hardware and software security design flaws due to a laser focus on delivering the newest, cutting-edge functionality at the lowest cost.

So how can you protect yourself and your organization from IoT device vulnerability without crippling efficiency?

Is There A Way to Secure IoT?

Implementing some basic steps to manage IoT devices on your network can significantly improve your security posture as an organization.

Identify IoT Devices

Managing IoT in your organization requires first identifying and locating where these devices are on the network. Network administrators can use scanning tools like network monitoring software and vulnerability scanners to detect and map what devices are currently connected to the network. This not only helps to identify IoT devices that are attached but may also uncover Shadow IT. Knowing what technologies are on your network is the first step toward protecting it.

Use Good Password Hygiene

Enforcing strong password policies for IoT devices raises the challenge level for attackers and removes an easy target. Just because an IoT device comes with a poor default password does not mean it has to stay that way. Change the default password to one that is more complex and difficult to guess. Consider periodically rotating passwords; this prevents a password from being re-used and limits how long it remains useful if shared. Strong password policies are already in common use throughout the industry, and applying them to IoT devices is an excellent first step in IoT security.

Limit Access

Once IoT devices have been identified, their overall access to the network needs to be limited. This doesn’t necessarily mean removing all network access; it might simply mean trimming access down to the least privilege. By only giving the access necessary for the device to perform its intended function, you reduce the scope of any potential damage should an attack occur. Access can be limited in a couple of ways. One method is to use network rules that restrict what other systems the device can communicate with and what ports it can use.

Another way to limit access is by creating a virtual local area network (VLAN) that the devices can access. Instead of limiting access on a device-by-device basis, the VLAN can have rules set to regulate communication that passes through it, allowing for easier overall management. It also makes it harder for IoT devices to be targeted by attackers. In the event they are, it reduces the scope of potential damage.

Scan & Monitor

Integrating your IoT devices into your threat prevention and detection process is crucial in securing your network. Vulnerability scanners allow you to detect current weaknesses in your devices, such as configuration issues and known code vulnerabilities. Remediating these issues early on will help make it more challenging for attackers.

The other half of this equation is to monitor your IoT devices for suspicious activity continuously. Overseeing their operations and alerting your team of unusual behavior allows them to respond to incidents and eradicate them from the system quickly. Early detection allows for identifying threats early in the attack chain so they can be stopped well before disrupting operational productivity.

Next Steps

IoT devices are not going away; we expect to see a continued proliferation of these devices as technology advances. But that doesn’t mean you’re saddled with the risk. IoT device security benefits from the initial proactive measures we’ve discussed above, but there are many other measures available to organizations wishing to take their IoT security beyond the basics.

With IoT, vulnerability scanning offers another way for your organization to stay one step ahead of attackers by identifying IoT devices and assessing them for vulnerabilities before the attackers do. 

For more information on how a vulnerability assessment can protect against IoT device risks without crippling efficiency, check out beSECURE.

Protect Against The Unknown With Black Box Fuzzers

Find out how black box fuzzing tools like beSTORM protect against unknown vulnerabilities. Read the guide, How Black Box Fuzzers Protect Against The Unknown to learn more.

beSECURE Announces Integration with Core Impact Penetration Testing Tool


Though it’s already known for swiftly identifying, evaluating, prioritizing, and reporting on security weaknesses, vulnerability management solution beSECURE can now streamline your security even further through a new integration with Core Security’s comprehensive penetration testing tool, Core Impact. By combining these two best-in-class tools, your organization can take its security strategy to the next level.

How Do Pen Tests Enhance Vulnerability Management?

Vulnerability management solutions like beSECURE are vital tools that continually scan for network and application vulnerabilities, map an environment, and create detailed reports that include identified vulnerabilities and remediation advice. Penetration testing tools like Core Impact take the next step, providing additional context by seeing if these vulnerabilities could be leveraged to gain access within your environment.  

How Do beSECURE and Core Impact Work Together? 

Core Impact enables security teams to conduct advanced pen tests using guided automations to safely exploit: 

  • servers 
  • endpoints 
  • web applications 
  • wireless networks 
  • network devices 
  • mobile devices  

and other potential attack vectors to determine the risk level of security weaknesses. Core Impact can now directly import scanning results from beSECURE, using this data to more efficiently run vulnerability validation tests. 

Core Impact will not only determine if any of the imported vulnerabilities can be exploited, but will also identify what business-critical assets and data can be accessed through that exploit.  It provides IT teams real-world risk context that is invaluable when planning and prioritizing remediation. These remediation efforts can later be validated using Core Impact as well. 

Better Together: Centralizing Your Security 

With beSECURE and Core Impact both under the Fortra umbrella, organizations can not only establish a robust cybersecurity toolkit, they can also benefit from having one point of contact and the same best in class support to further simplify your security. 

If you’d like to learn more about  Core Impact you can watch a demo or contact us to learn more about the integration.

Get a 5-Minute Guided Tour

Take a quick, step-by-step vulnerability management tour and see how VM can work for you.

Agent-Based vs. Agentless Scanning: Choosing the Right Vulnerability Scanning Method


Preventable Attacks

Another day, another data breach. Cybercrime is on the rise, and the only way to stop a cyberattack is to think like an attacker. In many cases, the bad actor’s first step is scanning the victim’s systems for vulnerabilities that allow them to gain a foothold. According to Forrester’s State of Application Security, 39% of external attacks exploited web application vulnerabilities, with another 30% taking advantage of software flaws. Based on these figures, nearly 70% of these attacks are preventable.

One thing is clear, proactive identification and remediation of vulnerabilities are critical to the strength of your cybersecurity program. But where do you start? Sure, you need vulnerability scanning, but how do you know what tools best fit your needs?

Vulnerability scanning comes in three basic flavors — agent-based, agentless, or a hybrid of the two. Which of these is best for you depends on the environment and your organizational needs. Let’s take a look at each option.

Agent-Based Scanning

Agent-based scanning is suitable for organizations with a geographically diverse workforce, particularly if the organization includes remote workers. This is the more traditional type of vulnerability scanner.

‘Agents’ are a software package deployed to each device that needs to be tested. Once installed, the agent collects data that indicates whether the device may have vulnerability issues. The agent passes this data back to collection servers and information gathered across the entire infrastructure is then consolidated into a ‘single pane of glass’ interface for analysis. This simplifies the administration and analysis process for the security team and helps address adherence to regulatory data protection compliance requirements.

Advantages of Agent-based Vulnerability Scanning

There are many environments where agent-based scanning is preferred. In environments that are widely distributed or have numerous remote employees, agent-based scanning is most effective. This allows the agent to return scan results to the collection server, even if they are located behind private subnets or non-corporate networks. 

Some advantages of agent-based scanners include:

  • Device credential requirements: Agent-based scanners are designed to circumvent the need for credentials, as the agents are installed directly on a device.
  • Reduced network traffic: Pre-installed agents reduce network traffic, and frequent network scans are replaced by rules that set event-driven or periodic scheduled scans.
  • No IP limitation: Agent-based scanning is not limited by IP. Assets using dynamic addressing or located off-site behind private subnets are still accessible with agent-based scanning, as they connect back to the servers.
  • Coverage of disconnected devices: Devices that aren’t perpetually connected to the network can still be scanned. Agents wait until a connection to the internet is re-established and then send data back to the server; thus, a scheduled scan can be paused and restarted if an interruption in the connection occurs. This feature can be desirable in a WFH environment or for active business travelers with intermittent Wi-Fi.
  • BYOD support: The increasing use of personal devices for corporate usage creates legitimate security concerns for organizations. Having agents installed provides data on a device’s security, such as whether the device is fully patched. This intelligence can help to enforce corporate security policies.

Challenges with Agent-Based Vulnerability Scanning

One of the drawbacks of agent-based vulnerability scanning is that agents are operating system (OS) dependent and generally can’t scan network assets like routers, switches, and firewalls. However, most agent-based scanning solutions support multiple common OSes.

Agent-based scanning also comes with administrative overhead as new devices added to the network must have agents installed. While updates of agents are usually automated, new installs and changes in scanners will require extra work for IT staff.

Agentless Scanning

Agentless scanning does not require agents to be installed on each device and instead reaches out from the server to the assets. While the data collected is similar to an agent-based approach, it eliminates installing and managing additional software on all devices. In this respect, this approach is a highly lightweight method to scan for security vulnerabilities. 

Advantages of Agentless Vulnerability Scanning

There are many environments where agentless scanning is preferred. For environments where most of the devices are located within corporately controlled networks, agentless scanning allows for wider network analysis and assessment of all varieties of network devices. 

  • Additional data: Agentless scanning can provide some gap data not provided by Agent-based scanning. For example, agentless vulnerability scanners can locate SSL certificates that aren’t stored on a device. 
  • Network scanning: Agentless scanning can observe the entire network and identify all hosts and devices connected. This allows the identification and scanning of assets that might be missed by agent-based scanning.
  • Agnostic: There are no OS compatibility requirements to detect and scan assets. This allows for IoT (Internet of Things) and network-based devices such as routers and switches to be included in scans.

Challenges with Agentless Vulnerability Scanning

A severe drawback of the use of agentless scanning is the requirement for a consistent network connection. In a remote work environment with users behind home networks, their devices are not accessible to agentless scanners. 

Agentless access also does not have the depth of visibility that agent-based solutions do. Agent-based software can see vulnerabilities hidden from remote solutions because it has privileged access to the OS.

Best of Both Worlds

Using only agent-based or agentless scanning as the sole solution leaves gaps in the data collected. While agentless solutions provide a wider view of the network than agent-based approaches, they fall short for remote workers and dynamic cloud-based environments. The symbiotic nature of agentless and agent-based vulnerability scanning offers a third option with unique advantages.

The combination of the two approaches allows more in-depth data to be collected. Issues about whether a device is off-site or managing agents for on-premises infrastructure are eliminated. In this way, organizations that need comprehensive visibility can create a highly efficient vulnerability scanning ecosystem.

If you’d like to learn more about which vulnerability scanning approach is best for your organization and how beSECURE can provide the best of both worlds.

Application Security on a Shoe-String Budget


Boost Your Security Posture Without Breaking Your Budget

Headlines scream about a new cyberattack every few days, and organizations worldwide scramble to buff their cybersecurity posture. Welcome to the era of high-stakes hacking, and high-profile breaches. No one wants to be the next big news story, but robust cybersecurity comes at a price.

You can do everything with a big enough budget. But that’s not the reality for many companies. Businesses struggle to do more with less in an ever-changing threat landscape mottled by ransomware, insider threats, and application vulnerabilities. The fact is you do as much as you can with the budget you’ve got. But, what’s the best use for those security dollars?

Application Security in the Cross-Hairs

Application security is a crucial component to comprehensive security, as evidenced by how bug bounties soared last year. The 2020 bug bounty submissions ballooned 50% larger than the submissions seen in 2019. This mass of vulnerabilities wasn’t just limited to traditional web applications — the number of submissions for API vulnerabilities doubled. When you consider that organizations are exposing a higher percentage of applications to the internet or third parties through APIs than ever before, it’s no surprise that cyberattackers focus on APIs as a prime target.

Application security is in the cross-hairs but hardening your infrastructure requires a risk-money tradeoff. So, what’s the best way to stretch your security dollar? Let’s look at some ways you can boost your application security that won’t break the budget. 

Transform DevOps into DevSecOps

Organizations learned a long time ago that they could kill two birds with one stone by combining Development and Operations into DevOps. This streamlined many processes, accelerated application delivery, and reduced overall cost. Yet, a recent study found that 60% of organizations had production applications exploited by OWASP Top 10 vulnerabilities in the past 12 months. Organizations need to emphasize managing risk and improving cyber resiliency as much as they do cost savings. 

It isn’t easy to protect data and applications without affecting business operations, especially if security is an afterthought. When security is a stand-alone process, it often isn’t addressed until late in the development cycle, which makes it needlessly expensive. 

Start With Security in Mind

According to Gartner, “Discovering an architectural flaw late in the testing phase leaves project managers only a few, expensive options: mitigation, risk acceptance, or redesign.” That is why one of the most cost-effective things you can do is bake in security from the start. Get security experts involved early in the design process so identifying and resolving code-related security vulnerabilities is less expensive.

Make Threat Modeling a Practice

Another way to discover vulnerabilities sooner is to take advantage of threat modeling. This process improves security by identifying vulnerabilities, objectives, and countermeasures that can prevent or mitigate the effects of cyber threats. 

While security engineers generally are the ones who do threat modeling, any member of the team, from developer to software project manager, can do it. The basic elements of threat modeling fall into three segments.

  • Identify Your Assets — What data and equipment need to be secured?
  • Assess the Threats — What danger does a cyberattacker pose to your systems?
  • Manage Your Vulnerabilities — Consider the flaws in your systems. Can a bad actor capitalize on them to gain a foothold or realize a threat?

Threat modeling builds a solid foundation for moving to a security-first mindset which increases collaboration between Development, Security, and Operations — transforming DevOps into DevSecOps. By pinpointing threats and vulnerabilities early in the development life cycle, you discover gaps, mitigate risk, and ensure the application is secure, saving time and money. The best part is that there are many free and inexpensive threat modeling tools available.

Application Security Testing Tools Are Your Friends

Leveraging the right tools helps your security spending go further. Incorporating static application security testing (SAST) or software composition analysis (SCA) into the development cycle is a great first step. These tools are easy to use and inexpensive. With a fast learning curve, it’s simple to ensure your code adheres to all the pertinent standards like OWASP Top 10, SANS Top 25, and Common Weakness Enumeration (CWE).

Remember, start doing application testing early. A security-first mindset means bringing security into the picture right from the start, including executing application security testing. 

DevSecOps done right will prevent you from being the next big news story. No one wants to be sued or lose customer confidence because security vulnerabilities in their software and applications allowed a system to be compromised or criminals to steal sensitive information. Embracing DevSecOps preserves innovation velocity, which ensures the achievement of business goals without skimping on security. 

Fuzz More — Stress Less

In July 2021, the National Institute of Standards and Technology (NIST) issued Guidelines on Minimum Standards for Developer Verification of Software which recommends fuzz testing as one of 11 recommendations for software verification techniques. The report mentions that “pre-release fuzzing is particularly useful, as it denies malicious parties use of the very same tool to find bugs to exploit.” Even Microsoft employs it as a part of its software development lifecycle to find vulnerabilities and improve product stability.

Fuzzers shift the testing model from traditional analysis tools that simply point out flaws to uncovering them and directly demonstrating their impact. A fuzzer prevents developers from wasting time sorting through false positives because the tool only reports legitimate problems. By running fuzzers automatically for days and weeks, similar to how real-life attackers operate, organizations can identify progressively more vulnerabilities as a system is tested. Fuzzing is more than just the newest cybersecurity buzzword. It’s an inexpensive way for your organization to stay ahead of cybercriminals by using the very tools that they employ to attack your systems.

Lean In to SaaS

With the accelerated shift to cloud-based network services and the expanded use of Software-as-a-Service (SaaS) applications, mission-critical resources and sensitive data are no longer in a data center. The security implications continue to be debated and discussed regularly. Yet, this SaaS growth has brought advantages to many organizations, especially those unable to field the massive cybersecurity contingents found at Microsoft, Facebook, or Amazon. Thanks to the SaaS model, there is a range of specialized security tools and services that significantly reduce the amount of time and money required to protect your digital resources. SaaS tools allow organizations to invest in cybersecurity tool functionality without investing in setting up the infrastructure to support it. This investment savings comes in several forms. Instead of making a large upfront purchase, the cost is broken out over time as a subscription. Additionally, the burden of installing, configuring, and supporting the hardware and operating system components is offloaded to the SaaS provider. For organizations with limited staff and smaller budgets, SaaS allows the adoption of security tools that might otherwise be inaccessible.

Don’t Be a Star

Application security is crucial to your cybersecurity program, regardless of the size of your budget. In this dynamic threat landscape, where 84% of security incidents happen at the application layer, even organizations with larger budgets must prioritize where their security dollars go. These are just a few strategies you can leverage to manage risk and improve cyber resiliency, even if the purse strings are a bit tight. No one wants the starring role in the story of the next big breach.

Looking for fuzzing or other application security testing methods? Contact us to schedule a free demo of our application security testing and vulnerability assessment solutions.

The Four Essentials for Scalable Cloud Security and Compliance


In the evolution of cloud computing, at first it was just about moving some workloads to the cloud. Next, companies realized that whatever they move to the cloud needs to be secured. As time went by, it seemed that everything moved to the cloud, including data that not only had to be secured, but also had to be in compliance with one or more regulations.

As more and more workloads migrate to the cloud, so too has the need to protect the data there and keep it in compliance. Today, many organizations have most or all of their workloads in the cloud. So, now it’s not just about security and compliance. It’s also about having the ability to scale security and compliance.

To support scalability in the cloud, you need to make things as hands-off as possible; you need to be able to accommodate all the different kinds of infrastructure — including multiple cloud service providers (CSP) — and you need complete visibility of what’s going on.

In this article we briefly discuss four essential capabilities that meet these objectives and facilitate scalability for cloud security and compliance: 1) agentless discovery; 2) cross-stack references; 3) multi-cloud deployment; and 4) context-aware security.


Agentless Discovery

You can’t scale security and compliance in the cloud if you don’t know what you have there. You’re going to need an up-to-the-minute inventory. As your cloud presence grows, however, you’re faced with two challenges. First, there’s a lot of inventory to discover and second, much of what you need to discover is fleeting — as VMs and containers can get spun up and shut down quickly in response to workload demands. Visibility into your cloud environment is critical for assessing vulnerabilities, detecting threats and identifying risks.

There are two approaches to inventory discovery: agent-based and agentless. An agent is just a small piece of software that resides on infrastructure such as hosts, servers and endpoints — gathering information about them and relaying it to a database for reporting. Agentless discovery, as the name suggests, performs the same act of discovery as the agent, but without the need to install software on your infrastructure.

When you only have a small inventory of physical infrastructure, installing agents isn’t too much of a burden. But as the inventory grows, and much of it is virtual, the only real way to scale discovery in support of security and compliance is agentless discovery.  

Cross-stack references

As technologies mature, eventually processes move to the template phase. Here the template is used as a starting point for a new deployment, thereby avoiding the need to “start from scratch”. Cloud deployments have matured to the template phase, which aids in the ability to scale security and compliance.

In Amazon Web Services (AWS), these templates are CloudFormation templates. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack.

What would make things even more scalable, would be the ability to build a single CloudFormation resource stack and have multiple workloads utilize that stack, rather than having to build a separate stack for each workload. And that’s where cross-stack references come in.

In AWS, cross-stack references let you use a layered or service-oriented architecture. Instead of including all resources in a single stack, you create related AWS resources in separate stacks; then you can refer to required resource outputs from other stacks. In other words, you only have to create a resource once — like a security group — and all the workloads get to take advantage of it. That’s how you scale for security and compliance using cross-stack references.
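The pattern described above, as an added example that is not Beyond Security's or AWS's own template: the first stack creates a security group once and exports its ID; the second (a workload stack, one of many) imports it through a cross-stack reference instead of defining its own copy. Stack names, the parameter values and the resource names are placeholders chosen for the example.

```yaml
# Constructed example (not from the original page): two CloudFormation templates.
# Stack 1 (deployed once as "shared-network"): creates the security group and exports its ID.
AWSTemplateFormatVersion: "2010-09-09"
Description: Shared network stack - deployed once, referenced by every workload stack
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC the shared security group belongs to (supplied at deploy time)
Resources:
  WebTierSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Inbound HTTPS only; reviewed once, reused by all workloads
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
Outputs:
  WebTierSecurityGroupId:
    Description: Security group ID consumed by workload stacks via Fn::ImportValue
    Value: !Ref WebTierSecurityGroup
    Export:
      # Export names must be unique per account and region; prefixing with the
      # stack name keeps them so.
      Name: !Sub "${AWS::StackName}-WebTierSecurityGroupId"

---
# Stack 2 (one workload stack, e.g. "orders-service"): imports the shared security
# group. Every additional workload stack repeats this import rather than
# declaring its own security group.
AWSTemplateFormatVersion: "2010-09-09"
Description: Workload stack that reuses the shared security group via a cross-stack reference
Parameters:
  NetworkStackName:
    Type: String
    Default: shared-network
    Description: Name of the stack that exported the security group
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  ImageId:
    Type: AWS::EC2::Image::Id
    Description: AMI to launch (placeholder, supplied at deploy time)
Resources:
  OrdersInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        # Cross-stack reference: CloudFormation resolves the exported value at
        # deploy time. While any stack imports it, the exporting stack cannot be
        # deleted and the exported value cannot be changed, so the shared
        # control cannot silently disappear from under the workloads.
        - Fn::ImportValue:
            !Sub "${NetworkStackName}-WebTierSecurityGroupId"
```

The export/import coupling is also what makes this pattern auditable: one reviewed security group definition, and a list of importing stacks that CloudFormation itself tracks.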

Multi-cloud deployment

Most companies operate more than one cloud and there’s a good reason for that. It makes good business sense. Rarely does one cloud service provider (CSP) excel at everything. And even if they did, it’s frequently more cost effective to assign different workloads to different clouds just based on unique CSP pricing. Ultimately, multi-cloud maximizes the opportunity to optimize for performance.

The implication here is that scaling security and compliance must address multi-cloud. That means security assessments must be multi-cloud and compliance audits must be multi-cloud. And implicit in multi-cloud is the necessity of taking a more holistic approach to security. It’s important to not only consider the severity of the risk, but also its potential impact on accessibility and the business itself.

Multi-cloud deployments also mean that the tools and strategies you use to assess and manage your clouds must be chosen for their flexibility to work in different cloud environments. This is especially important as you scale, because misconfiguration of cloud services is the number one risk for security and compliance.

Context-aware security

Context-aware security is the use of supplemental information to improve security decisions at the time they are made, resulting in more accurate security decisions capable of supporting dynamic business and IT environments. Important context information to security and compliance includes IP address, device type, URL and threat context, among others.

You cannot respond to every alert, especially in a multi-cloud environment, so it’s helpful to be able to filter on only the most critical security risks. The idea is to take advantage of metadata, typically by using APIs, to create a more context-aware vulnerability assessment which encompasses all your clouds.

In large cloud or multi-cloud environments, it is neither advisable nor practical to consider workloads in a vacuum. By combining all the workloads in all your clouds and analyzing the threats, vulnerabilities and risks in a context-aware manner, you produce more meaningful and actionable insights, which ultimately drive better business decisions.

Scalability and Security

If it’s even possible, cloud adoption is accelerating. And security and compliance need to keep up. The key to scalability is to take advantage of scalable technologies. The four capabilities detailed here all do that.

Agentless discovery eliminates the need to manually install agents in infrastructure. Cross-stack references eliminate the need to create redundant resource stacks. Multi-cloud accommodates scalability by optimizing cloud infrastructure. And security context awareness reduces the need for security and compliance professionals. Incorporate these four essentials to properly scale your cloud security and compliance.

If you’d like to learn more about securing your cloud networks and applications, please request a demo to learn how to get started.

SAST vs DAST: Partners or Enemies?


In our fast-paced digital world, the pressure is on to release new apps, features and enhancements as quickly and as often as possible. But how do you manage constant code changes without introducing security vulnerabilities?

And how do you address the elephant in the room that comes with increased usage of cloud apps in the wake of the disruption caused by COVID-19? New applications open new doors to new attacks. And those doors must be found and closed quickly.

This is where automated security testing comes in — the most popular of which are static application security testing (SAST) and dynamic application security testing (DAST). Each addresses different issues and has its own set of pros and cons, but both are aimed at increasing the speed, efficiency and coverage paths for testing applications as part of the software development lifecycle (SDLC). 

Let’s take a closer look, and learn the advantages and disadvantages of using SAST and DAST and when to use one over the other — or even use both (which we recommend).


What is SAST?

Static application security testing (SAST) is a type of white-box testing used in earlier stages of software development to ensure secure coding practices and help developers detect vulnerabilities before the code is pushed into production. SAST solutions analyze applications from the inside out and run tests against static inputs and source code to check for flaws in the software before the code is compiled. This prevents hackers from exploiting vulnerable code and saves DevOps teams from having to fix problems after the application is deployed.

The use of SAST is recognized by OWASP as a key technique in finding weaknesses in source code and has many clear advantages, including the ability to pinpoint the precise location of coding issues and find flaws early in development. Moreover, SAST can be automated and easily integrated into a continuous integration and continuous delivery (CI/CD) pipeline for delivering code changes frequently and reliably. All of this comes together as the most cost- and time-saving testing method, and it should be part of every application development process.

What is DAST?

Dynamic application security testing (DAST) is the opposite of SAST. Used later in the process, DAST tools do not have access to the source code, and test applications from the outside in, much like a hacker trying to break in. Because of this, DAST is often called behavioral testing or black-box testing (as well as fuzzing). DAST goes beyond SAST tools by looking at the whole environment of a running application, including how it’s used by end-users.

OWASP recommends using DAST tools for web application vulnerability testing, especially if those applications use open-source code, which is prone to unknown vulnerabilities. It acts like a hacker scanning your application for vulnerabilities, but instead of exploiting them, DAST gives you the opportunity to remediate them before you promote the application to production.

Discovered vulnerabilities can then be used to locate issues in the architecture or design of the underlying code — improving its security as you make changes from DAST reports. It’s used to locate vulnerabilities across the entire attack surface, including API endpoints and web services, the physical infrastructure, as well as elements of a host system.

Overview of SAST vs DAST


SAST Pros and Cons

Using a SAST solution, your SDLC takes a “security first” approach to development. Developers get instant notifications as they generate logic and functionality into the codebase. SAST scanning identifies logic flaws that could be exploited. For example, unsanitized input can be used in a SQL injection or Cross-Site Scripting (XSS) attack. A SAST tool will identify functions that do not sanitize user-generated input and alert the developer to the flaw. The benefit is remediation of the vulnerability before it’s committed to the main branch of your codebase.
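The SQL-injection check described above, as an added example that is not Beyond Security's code and not taken from any SAST vendor: a rule written in Semgrep's rule format (my choice of tool, assumed to be available to the reader) that flags queries assembled from formatted or concatenated strings and leaves parameterized queries alone.

```yaml
# Constructed example (not from the original page): one SAST rule in Semgrep's
# YAML rule format. Run with: semgrep --config this-rule.yaml src/
rules:
  - id: python-sql-query-built-from-string-formatting
    languages: [python]
    severity: ERROR
    message: >-
      SQL query text is assembled from formatted or concatenated strings. If any
      fragment originates from user input this is SQL injection (CWE-89).
      Pass values as query parameters instead:
      cursor.execute("SELECT ... WHERE id = %s", (user_id,))
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
      owasp: "A03:2021 Injection"
    # $CURSOR is a metavariable: any receiver whose .execute() gets the query.
    # "..." inside a string literal matches any string contents.
    pattern-either:
      # cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
      - pattern: $CURSOR.execute(f"...")
      # cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)
      - pattern: $CURSOR.execute("..." % ...)
      # cursor.execute("SELECT * FROM users WHERE id = " + user_id)
      - pattern: $CURSOR.execute("..." + ...)
      # cursor.execute("SELECT * FROM users WHERE id = {}".format(user_id))
      - pattern: $CURSOR.execute("...".format(...))
    # Not matched, and correct: the driver binds the value, it never becomes SQL text.
    #   cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    # Also matched on purpose: cursor.execute("... " + sanitize(user_id)).
    # A home-grown sanitize() is exactly the case a crafted string slips past, so
    # the rule flags the string construction rather than trusting the sanitizer.
```

The rule fires at the point where the developer builds the query, which is what lets the finding reach them before the commit lands on the main branch.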

The disadvantage of SAST (and why it’s best to use both solutions) is that it can only identify a limited set of vulnerabilities. For example, a developer could sanitize user input but overlook a well-crafted SQL injection string. SAST may not find this oversight and allow the code to pass inspection.

Another disadvantage of a SAST tool is that it does not find misconfiguration errors. During deployment, servers are often configured to allow the software to run. A SAST tool only scans the developer’s code within their environment, so it does not identify vulnerabilities across your attack surface.


DAST Pros and Cons

DAST solutions are a reactive approach to security, but they still have benefits that SAST tools don’t offer. The primary benefit is the ability to scan your entire attack surface across multiple servers, environments (e.g., cloud and on-premises), API endpoints, and other infrastructure. For example, you could have applications that work with your API endpoint that receive and deliver data. A DAST solution can be configured to scan endpoints for vulnerabilities in addition to the main application.

Although DAST solutions offer a more comprehensive scan of your environment, they have a few disadvantages. DAST solutions must be configured for your environment, so they require a bit more knowledge of penetration testing and exploitation. If the environment is not well audited, you could miss an entry point and unknowingly have vulnerabilities.

A full scan of the environment could be overwhelming to developers. If they don’t know where the vulnerable code exists or understand reports, it could be difficult for developers to identify the functionality causing the issue. A DAST tool requires more knowledge of the OWASP Top 10 and what could happen in exploitation of the code. 

Another concern with DAST tools is their limitations. DAST works with web-based applications, so you would need additional security support for software that cannot be scanned over the network (e.g., local desktop applications).


SAST vs DAST: Which should you choose?

You could choose one or the other, but the most beneficial way to test your software is using both SAST and DAST. SAST runs while developers code, and DAST scans software after deployment to a testing environment. They both prevent vulnerabilities from being introduced to production, reducing your risk and likelihood of a data breach.

Using SAST and DAST together provides a 360-degree view of your application’s security. They both reduce the chance of introducing vulnerabilities to production, but each have their own methods of detection. 

The best setup is to use both solutions, but let’s consider two scenarios where one would be more beneficial than the other. 

Scenario 1: You have a team of developers writing code in one monolithic environment. Developers commit their changes to the main codebase as they finish their updates. The software is compiled monthly and promoted to a production environment on a scheduled date. Vulnerabilities aren’t found until much later, and developers must then go back and patch their vulnerable code. A SAST tool would be beneficial in this scenario, because it will scan code prior to being committed. Developers see the issue as they code, so they can fix it prior to the vulnerability ever being introduced into the main codebase.

Scenario 2: You have an efficient DevOps environment where automation is part of the SDLC. In your environment, you leverage containerization where deployment spans local and cloud platforms (e.g., Azure or Amazon Web Services). Developers code their changes, and then DevOps tools automatically compile code and generate a container where it’s deployed within minutes. This continuous integration and delivery (CI/CD) methodology speeds up deployment, but it expands your attack surface. A DAST tool would be beneficial in this scenario, because it will scan your entire attack surface and find configuration issues as well as vulnerable code in your production and testing environments.

A symbiotic approach to software security testing

Modern SAST and DAST tools assist operations and developers in understanding key security issues in your software. SAST, for example, can be automated and used to create reports that developers can rely on to quickly locate flaws in source code that can then be remediated. Real-time reports can be generated by SAST tools to provide on-the-fly feedback during the coding process. This prevents a cascade of flaws from being promoted during the software development lifecycle (SDLC). SAST can be used to combine DevOps and DevSecOps to provide a comprehensive view of an application’s vulnerabilities and give developers secure coding guidance.

Modern DAST tools also automate vulnerability testing and may incorporate ‘Fuzz Testing’ or ‘Black Box Fuzzing’. This technique tests for exploitable vulnerabilities in protocols, API interfaces, and other environmental variables. DAST tools can also be used with mobile device management (MDM) to find vulnerabilities in mobile apps across an expanded network, including remote users and users working under bring-your-own-device (BYOD) policies.

Modern software development and the DevOps process are essential for fast promotion of code and deployment of patches. However, this fast process also means that software vulnerabilities can be overlooked. Using automated SAST and DAST tools together provides a symbiotic DevSecOps/DevOps process built on actionable and effective testing and reporting. The merger of these two testing methodologies generates a more secure SDLC and reduces the overall chance that a promoted application will contain vulnerabilities that could result in a system breach.

Webinar: SAST vs DAST: partners or enemies

Watch this webcast to learn about:

  • Application security challenges in the SDLC
  • What is SAST?
  • What is DAST?
  • How to choose an AST tool
  • The pros & cons of both SAST & DAST tools and where each fits in the DevSecOps pipeline
  • Beyond Security’s automated application security testing tools: blackbox and whitebox testing

If you’d like to incorporate SAST or DAST into your SDLC or certify the security strength of your products, request a demo to learn how to get started.

beSECURE Updates 10: New Features & Improvements in 2020


We strive to make our products intuitive and efficient to use while at the same time offering the most comprehensive detection and response solutions on the market. Last year, with beSECURE 10, we added dozens of new powerful features including live, customizable dashboards, IT and OT convergence, agent scanning, credentials storage and new post scan integrations to increase security and reduce your mean time to respond (MTTR).

Live, customizable dashboards

Looking for real-time threat intelligence? You’re in the right place. We’ve moved beyond static dashboards and on to live, up-to-the-minute dashboards — with data pulled from the latest vulnerability scans and ongoing monitoring of your networks and assets.

Additionally, you can now create customized dashboards, widgets, asset groups, scan reports and more.

Frequently used charts and scorecards 

Risk Distribution – for viewing the percentage of high, medium and low-risk vulnerabilities.

Quarterly/Monthly Trend – for viewing vulnerability trends over time

Bubble Graph – for viewing vulnerabilities according to CVSS score and affected hosts

Assets Trend – for viewing how many assets were tagged due to specified criteria

You can build personalized dashboard views after filtering data from a list of available options chosen to provide meaningful insights into risks affecting your business. Once you’ve finished building your dashboard, you can save your filters for future use.

Available dashboard filters

Category

  • Quick Add
  • Organization
  • Scan
  • Asset Group

Charts

  • Affected Hosts vs Vulnerabilities
  • Lowest Score Host(s)
  • Most Frequent Vulnerabilities
  • Most Frequent Vulnerability Type
  • Most Vulnerable Host(s)
  • Organization Monthly Trend
  • Organization Quarterly Trend
  • Persistent / New / Remediated Vulnerabilities
  • Risk Distribution

Informational

  • Preset Dashboard
  • Major Vulnerabilities
  • Major Categories
  • Categories
  • High / Medium Count
  • Host Information
  • Score

Organization

  • Company
  • Organizational groups and departments such as MSP clients


IT and OT assets management

We recently added OT scanning to our vulnerability management platform for unified IT, SCADA and ICS security. With beSECURE OT, security teams can monitor their entire infrastructure from a single pane of glass and protect operational technology (OT) from common exploits and weaknesses in SCADA systems.

The new OT assets view gives you critical information about your network assets including OS type, NetBIOS name and IP address.


We also added agent-based scanning this year to give enterprises complete visibility across their networks and all connected endpoints including IoT, OT and BYOD assets. Users of agent-based scanning can now perform authenticated scans on endpoints not connected to the network – such as unmanaged devices used by remote employees – or on assets that are not “always on” such as desktops that may be turned off when the vulnerability scan runs.

Additional new features for assets management 

Auto Tagging – for adding customized tags to your assets so you can view all related assets in one view and consolidate data needed to respond to alerts faster.

Port Overview – for identifying open ports that might be exposed to attackers and mitigating vulnerabilities targeting common ports

Device Collectors – for selecting a device collector that will automatically collect the devices assigned to it, without the need to manually enter hosts and IPs within the scan range into scans.

Credentials storage and post scan integrations

By enhancing our vulnerability management platform with third-party PAM (privileged access management) solutions, we have simplified credentialed scanning and privileged account security. 

You’ll be able to retrieve or rotate login information anytime, anywhere without needing to update your credentials in the beSECURE platform. Recent PAM partners include: Thycotic and Wallix.

Other new integrations

Genians – for delivering cloud-based NAC (network access control) to forcibly quarantine vulnerable endpoints.

Ivanti – for quickly detecting vulnerabilities and instantly patching Windows and Linux machines as well as physical and virtual servers.

PagerDuty – for end-to-end vulnerability detection and incident response. 

Portnox – for blocking vulnerable hosts from accessing selected networks via remote armed incident response.

Tufin – for increased visibility, control and incident response across heterogeneous networks.

Get a live demo

This version was all about improving efficiency and speed while continuing to manage your vulnerabilities with the accuracy you’ve come to rely on.  Since we didn’t want to take all the fun away from our support and sales team, we only touched upon the biggest updates. To dig deeper into our latest version of beSECURE and learn about additional updates such as a new report scheduler and new CIS templates, please schedule a live demo.

If you are already a customer and need to reach support, please email: [email protected].