Web security trends 2020 from 3 security leaders

In part 1 of web security trends 2020, we discussed the rise of Crowdsourced Security and the ever-changing attack surface. This time we turned to 3 security leaders to get their perspective on trends to come in 2020:

Anne-Marie Eklund Löwinder

CISO at the Swedish Internet Foundation, Internet Hall of Fame (2013) and holder of one of The Keys to the Internet:

Photo of Anne-Marie Eklund Löwinder (source: internetstiftelsen)


What security issues/trends are you anticipating for 2020?
We are all targets. I believe that the world of digitalization continues to grow in complexity. As a result of that, it becomes even more difficult to protect the technical environment appropriately in our homes and workplaces.

With more and more systems and software, plugins and apps, we will continue to be challenged with keeping everything updated. Attackers will probably outpace incomplete and hurried patches. With more devices brought to our homes, most of them with network access with or without our knowledge, the exposure will let cybercriminals home in on IoT devices for espionage and extortion. The digitalization leads to critical infrastructures being more exposed and they will most certainly be plagued by more attacks and production downtimes (I’ve just finished reading Sandworm by Andy Greenberg).

The increasing use of cloud services continues to change the security map. When more and more companies are handing over their information to someone else’s IT environment, aka cloud service providers, vulnerabilities in their environment, such as container components, will be top security concerns for DevOps teams.

Some novelties will introduce new attack surfaces for misconfiguration and vulnerable code. Not monitoring enough will result in bigger damages than necessary. User misconfigurations and insecure third-party involvement will also compound risks in cloud platforms.

Threat intelligence will need to be augmented with security analytics expertise for protection across security layers. Which means companies must put more resources on security. But will they? Are the executive leaders of the companies willing to act upon the increasing risks? To what extent?

Are there any trends to do with security automation or ethical hackers? 
I am not aware of any specific trends that have to do with security automation or ethical hackers, but the value in skilled ethical hacking is critical for identifying vulnerability in cybersecurity solutions before a real bad actor comes along. NSA recently handed over a serious vulnerability in Windows 10 to Microsoft, which to me shows a change in behaviour. Maybe they understand the problem with keeping them secret for future use when the collateral damage threatens to be global.

What are your current challenges and how do you plan to tackle these this year?
My current challenges are to keep the staff (at the Swedish Internet Foundation) happy by offering new and modern solutions, and keep them informed about the risks and of what’s going on at the same time.

What event do you look forward to in 2020?
Internetdagarna! As always.

Tanya Janca

Application security specialist, Ethical hacker, Pentester, Women in Security co-founder, frequent speaker:


Photo of Tanya Janca, application security specialist, pentester and frequent speaker

What security issues/trends are you anticipating for 2020?
I anticipate more breaches and news stories of ‘cyber tragedy’, but also more companies investing in their employees via training and enablement in the workplace to create processes for faster and more effective security.

I also think we will see a lot more cultures moving towards DevOps and automation of security testing, defences and detection. I believe the Information Security field will try to move towards using more Artificial Intelligence/Machine Learning to provide better security experiences, for better or worse. I also foresee many companies abusing new technologies to violate users’ privacy, which is a trend I find both unethical and worrisome.

Read: Tanya’s blog series on DevOps and security: Pushing Left, Like a Boss.

Are there any trends to do with security automation or ethical hackers?
More and more development shops are realizing that if they don’t move to the DevOps model/culture they will no longer have a competitive advantage. I am currently seeing many security teams that are getting on board with this, adding automation, security sprints and adding security tooling to CI/CD pipelines, and other forms of “DevSecOps” (application security activities that are adapted to DevOps environments). I’m also seeing quite a few mature AppSec companies creating stripped-down versions of their tools to be used in pipelines, with varying results, and newer companies that have CI/CD in mind when creating brand new products.

I’m very, very excited to see innovation in this area in 2020. Application Security is a young field, and I suspect there will be very new types of tools coming out to solve this problem in new ways, and I can’t wait to see it.

What are your current challenges and how do you plan to tackle these this year?

This year I have three career goals:

  • to help guide and support a few new AppSec startups in hopes to help them launch new and innovative products
  • to create DevSecOps and AppSec training that is affordable, accessible and fun
  • to have a better work/life balance than I have had in previous years.

I will also continue to coach companies launching and improving their AppSec, DevSecOps and Azure security programs. Wish me luck!

What ways will you/your team measure success this year?
I keep personal and professional KPIs that I won’t share here, but I can say that I believe setting goals and measuring yourself (regularly) against them is a fantastic way to ensure you reach your version of success.

I also believe in setting and enforcing personal and professional boundaries (for example, I do not take meetings before 9:00 am because sleep is very important to me). Setting a list of yearly/quarterly/monthly goals, as well as a set of boundaries, is an activity that I feel would serve any person well in their career.

What event do you look forward to in 2020?
I always look forward to every WoSEC (Women of Security) meetup, especially the “WoSEC Crashes RSAC” meetup during RSAC this year! I’m also looking forward to several different locations of B-Sides, and I especially love the AppSec conferences from OWASP.

Laura Kankaala

Security Researcher and Undetected podcast host at Disposable mail, ethical hacker, Disobey board member and frequent speaker:


Photo of Laura Kankaala, security researcher, Disobey board member

What security issues are you anticipating for 2020? 
Security of cloud environments and understanding exposed attack surface is going to be crucial for companies to secure sensitive data. Having sensitive data storage or internal servers accessible over the Internet and indexed directly in services such as Shodan is an unnecessary risk that companies are taking with their infrastructure. As of writing this, there are more than 73,000 MongoDBs available indexed in Shodan. Most of these are likely hosted in some Software-as-a-Service (SaaS) platform.

On the positive side, I think companies are becoming more vigilant about security. It is kind of hard to ignore security because data breaches and security incidents are constantly in the mainstream media. I encourage companies of all sizes to take a critical look at their security practices and at least include a responsible disclosure policy on their public website.

Are there any trends to do with security automation or ethical hackers? 
I’m sure the usage of crowdsourced security will increase; it seems like the number of bug bounty programs, both public and private, outnumbers the active researchers. For crowdsourced security to be successful, we [security professionals] need to get better at sharing knowledge and offering help to get people started in security research.

However, bug bounties are just one facet of ethical hacking, as they typically just scratch the surface of the overall security of the company. For example, fixing an XSS bug found by a bug bounty researcher won’t fix the root cause of why XSS vulnerabilities exist. Preventative measures like security tools and educational content should reach the developers without increasing their workload tremendously.

When it comes to automating security, I think it is important to automate tedious tasks to pave the way for tasks that require more time and attention. Automation also works to provide more consistency in security testing results in different phases of software development. In order for companies to grow bigger and faster in a secure manner, it makes a lot of sense to employ automation in the appropriate places.

What are your current challenges and how do you plan to tackle these this year?
This challenge will probably span over multiple years, but I want to make security automation the norm.

What we are doing at Detectify is, in addition to having in-house security researchers, working closely with Crowdsource ethical hackers all around the world, to be able to tap into the knowledge of novel vulnerabilities to complement our security automation tool. I don’t think this is necessarily a challenge, but more like a great opportunity for our customers to get insight into the security posture of their web applications and get knowledge of zero-day vulnerabilities as soon as possible.

What ways will you/your team measure success this year?
For me, success doesn’t happen in a void. Things are either done or they are not done. Getting things done can surely be a success, but will it truly matter unless it has a positive effect on someone else’s life?

My team and I have set numeric and performance-based goals that are a general path to follow. However, to be successful, the teams need to meet more than numbers and performance metrics. We need to collaborate and provide something meaningful to our community and peers.

What event do you look forward to in 2020?

I have a personal stake in this, but I am looking forward to Disobey, which we are organizing in Helsinki, Finland. I am on the board for this conference, so I hope that everything runs smoothly. We have a very active infosec community in Finland, but it’s exciting to see people from all over the world attending our event, either as a speaker or as an attendee.


How can Disposable mail help with your security plans for 2020?

Keeping up with the fast pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Disposable mail works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Disposable mail a go? Start your 14-day free trial today.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Web security trends to watch for 2020

What are web security trends for 2020? This year we anticipate the build-up of a new security market category, growing targets in automation, a new perimeter and continuation of DevSecOps. Here is what we are watching for in 2020:

Disposable mail's web security trends for 2020

Rise of the “Crowdsourced Security” market

Keeping up with the threat landscape is a common pain point for many developer teams and C-level personnel. In fact, 48% of developers in this survey know security is important but don’t have enough time to spend on it. Even with a good overview of your software asset inventory, the digitalization of companies requires modern and automated ways of working with security, which is why more are adopting Crowdsourced security. This means they are gathering security knowledge from external experts – ethical hackers and bug bounty hunters. This is the principle behind Disposable mail Crowdsource.

Crowdsourced security is an up-and-coming industry and MarketsandMarkets reported that it will grow up to USD 135 million by 2024. Bug bounty programs could be the first thing that comes to mind, but there are other companies in this space offering options that don’t require top dollar. For example, Disposable mail collaborates with ethical hackers to make the knowledge available through automation to users with or without a crowdsourced security program.

As mentioned in the Undetected podcast, some hackers report with goodwill, which is why setting up a responsible disclosure policy is a good way to begin working with ethical hackers. We even saw examples of such vigilance in the recent case of Citrix, where malicious hackers were exploiting the bug widely for personal gain, while this report suggests there could be a vigilante using it to beat others to the punch. It would have been a challenge for Citrix to communicate with all their users at once to remediate the security bug, and with the reach of ethical hackers, the information has probably reached some companies sooner. For this reason, we anticipate more companies adding Crowdsourced security services to their toolbox.

CI/CD automation becoming the low hanging fruit

Today, the low-hanging fruit is rarely a SQL injection in a website; attackers are starting to look elsewhere for easy access to sensitive information and internal servers: the automation process.

With the increasing use of CI/CD processes and tools, there are attack surfaces that, while not new, have become more critical. Misconfigurations, the tools and dependencies used for deployment and orchestration, and the places where API tokens for integrations are stored are increasingly interesting to attackers.

Misconfigurations, especially when CI/CD tools are used in cloud environments, can accidentally leave internal data storage exposed online due to lack of authentication or general security as in this case with MongoDB. While some of these can be caused by manual error, automation certainly doesn’t make it easy to evaluate the perimeter of your cloud environment. Accidentally exposing internal services or data to the public Internet seems to be a growing trend throughout 2019 and is expected to keep on growing in 2020.

Sometimes attackers dig deeper even beyond the code stored in your private code repositories. They go after the dependencies. This makes sense, because how often does an average organization review the source code for a Dockerfile that uses public images from Dockerhub? Running automated security in the background can help identify common security bugs and schedule fixes into the development cycle.
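As an added example (not code from the original post or from Disposable mail), here is a small Python check of the kind the paragraph describes: it parses the FROM lines of a Dockerfile and reports base images pulled from the public Docker Hub and images that are not pinned to a digest, so the review of third-party images can be scheduled into the development cycle like any other finding. The sample Dockerfile, its image names and the placeholder digest are constructed for this example.

```python
import re

# Constructed sample Dockerfile for this example (not taken from the page).
SAMPLE_DOCKERFILE = """\
# build stage
FROM node:14.15.4-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

# runtime stage
FROM nginx
COPY --from=build /app/dist /usr/share/nginx/html

FROM ubuntu:latest
FROM python@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM registry.example.internal/team/base:1.2.3
FROM build AS tests
"""

# FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' denotes a tag only if it comes after the last '/'; otherwise it is
    # the port of a registry host such as localhost:5000.
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag, digest             # explicit registry host
    repo = ref if "/" in ref else "library/" + ref  # official images live under library/
    return "docker.io", repo, tag, digest


def audit_dockerfile(text):
    """Return one finding per FROM that pulls an image (build-stage references are skipped)."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages:
            continue  # refers to an earlier build stage, nothing is pulled
        registry, repo, tag, digest = parse_image_ref(ref)
        reasons = []
        if digest is None:
            if tag is None:
                reasons.append("no tag: resolves to 'latest', content changes silently")
            elif tag == "latest":
                reasons.append("'latest' tag: content changes between builds")
            else:
                reasons.append("tag without digest: the tag can be re-pushed upstream")
        if registry == "docker.io":
            reasons.append("public Docker Hub image: review what it contains")
        findings.append({"line": lineno, "image": ref, "registry": registry,
                         "repo": repo, "tag": tag, "digest": digest, "reasons": reasons})
    return findings


def unpinned_images(findings):
    """Images not pinned by digest: the ones to fix first."""
    return [f["image"] for f in findings if f["digest"] is None]


if __name__ == "__main__":
    results = audit_dockerfile(SAMPLE_DOCKERFILE)
    for f in results:
        print(f"line {f['line']}: {f['image']}")
        for reason in f["reasons"]:
            print("   -", reason)
    print("unpinned:", unpinned_images(results))
```

Run it against a real Dockerfile by reading the file into `audit_dockerfile`; a digest-pinned image from a private registry produces no reasons at all, which is the state a pipeline gate would accept.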

Cloud-powered web apps become the perimeter to defend

Nothing in the cloud is inherently secure or insecure. Cloud service providers employ a shared responsibility model, which roughly means that what the user deploys on the provider’s service, and how, is the user’s responsibility. The majority of problems are improper access controls, through misused credentials or API tokens, or misconfigurations in the services used, such as setting 0.0.0.0/0 firewall rules and allowing all access to internal data storage.

The sense of perimeter is different in cloud services (or at least some of them), because they introduce networking at the software level, and in addition to IP addresses, some resources have resource names and URLs that can be queried. The “Great Firewall” solution cannot be replicated in cloud environments, where access rights need to be granted and blocked at the instance level or with role-based access control solutions. Also, every cloud provider comes with different default configurations: some may not deny traffic by default, or may not enforce strong passwords for data storage.
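As an added example (not from the original post), the following Python audit runs over a constructed set of ingress rules shaped like a generic cloud security-group export. It flags 0.0.0.0/0 and ::/0 sources, treats data-store ports such as MongoDB’s 27017 as critical when they face the whole Internet, and goes one step beyond the text by also reporting data-store ports reachable from ranges outside the private address space. The field names, the port list and the sample rules are assumptions made for this example.

```python
import ipaddress

# Constructed sample ingress rules (not from the page); the field names are an
# assumption, shaped like a generic cloud security-group export.
SAMPLE_RULES = [
    {"name": "web-https",   "source": "0.0.0.0/0",      "protocol": "tcp", "ports": [443]},
    {"name": "web-http",    "source": "0.0.0.0/0",      "protocol": "tcp", "ports": [80]},
    {"name": "mongo-open",  "source": "0.0.0.0/0",      "protocol": "tcp", "ports": [27017]},
    {"name": "ssh-office",  "source": "203.0.113.0/24", "protocol": "tcp", "ports": [22]},
    {"name": "pg-internal", "source": "10.0.0.0/8",     "protocol": "tcp", "ports": [5432]},
    {"name": "all-v6",      "source": "::/0",           "protocol": "all", "ports": []},
    {"name": "redis-wide",  "source": "198.51.0.0/16",  "protocol": "tcp", "ports": [6379]},
]

# Data-store ports that should never face the Internet (assumed list for the example).
DATA_STORE_PORTS = {27017: "MongoDB", 5432: "PostgreSQL", 3306: "MySQL",
                    6379: "Redis", 9200: "Elasticsearch"}
# Ports a public web app is expected to expose.
PUBLIC_WEB_PORTS = {80, 443}
# Address space treated as internal by this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SEVERITY_ORDER = ["info", "medium", "high", "critical"]


def is_internal(net):
    """True if the whole source range lies inside private address space."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def classify(rule):
    """Return (severity, message) pairs for what a rule exposes; [] if nothing to report."""
    net = ipaddress.ip_network(rule["source"], strict=False)
    world = net.prefixlen == 0            # 0.0.0.0/0 or ::/0
    internal = is_internal(net)
    ports = rule["ports"] if rule["protocol"] != "all" and rule["ports"] else ["all"]
    out = []
    for port in ports:
        store = DATA_STORE_PORTS.get(port)
        if world and port == "all":
            out.append(("critical", "every port open to the whole Internet"))
        elif world and store:
            out.append(("critical", f"{store} port {port} open to the whole Internet"))
        elif world and port not in PUBLIC_WEB_PORTS:
            out.append(("high", f"port {port} open to the whole Internet"))
        elif world:
            out.append(("info", f"web port {port} is public, expected for a web app"))
        elif store and not internal:
            out.append(("medium", f"{store} port {port} reachable from external range {net}"))
    return out


def audit_rules(rules):
    """Flatten per-rule findings into a list of dicts, in rule order."""
    findings = []
    for rule in rules:
        for severity, message in classify(rule):
            findings.append({"rule": rule["name"], "severity": severity, "message": message})
    return findings


def worst_severity(findings):
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default=None)


if __name__ == "__main__":
    found = audit_rules(SAMPLE_RULES)
    for f in found:
        print(f"[{f['severity']:8}] {f['rule']}: {f['message']}")
    print("worst:", worst_severity(found))
```

The `medium` tier is the generalization: a MongoDB instance that is not world-open but reachable from a broad non-private range is still outside the perimeter the text describes, and on a provider that does not deny traffic by default this is the rule that tends to slip through review.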

New web apps stretch the security perimeter each time, and companies that can scale security with development will keep up with the rate at which vulnerabilities are discovered and exploited. Not only do companies need to monitor the security of their own code, but it’s important to also check for security when acquiring third-party software tools and JavaScript. You may already spend a large portion of your budget securing your main application, and keeping track of the growing inventory of web applications will need just as much attention.

DevOps continues towards DevSecOps

There are external tools and sources for testing for misconfigurations, and many of the cloud service providers offer a wide variety of services and tools to support security. However, as stated above, the way these services are used and the type of security controls implemented is up to the developers building things in the cloud. Cultivating a security culture amongst developers and taking advantage of available security assessment tools can make a difference in any environment.

The web is becoming safer due to improved frameworks used in web development, regulations around data security and the increased know-how of developers. They are doing this by considering security earlier in the software development lifecycle. There’s a lot of talk about shifting left or pushing left, and for good reason. Developers in advanced tech organizations are practicing DevOps and see the importance of including security as part of their role, and (surprise!) the security bit isn’t slowing them down. Just take a look at companies like Netflix, Atlassian and Slack: they often speak about better app security at OWASP AppSec conferences and elsewhere. Security becomes enabling, and is scaled up together with development. This isn’t a new trend, but we expect it to continue to grow.

Make it a safer 2020

There is no silver bullet to security, and it is ultimately a sum of many things including threat-modeling, pen-testing, automated security, asset monitoring, etc. Leaders in SaaS and tech use a combination of Crowdsourced security, CI/CD practices, cloud-native solutions and a positive security culture like DevSecOps, which is why we are keeping an eye on these areas for 2020.

How can Disposable mail help with web security trends of 2020?

Disposable mail is the first company of its kind to automate the cutting-edge knowledge of the best ethical hackers in the world to secure public web applications. Users check web applications against 1500+ known vulnerabilities beyond the OWASP Top 10. In a fast-paced tech environment, the potential attack surface increases with each release and new app created. Using Disposable mail, you can monitor your subdomains for potential takeovers and remediate security issues in staging and production, and find vulnerabilities as soon as they are known, to stay on top of threats. Keep up with web security trends in 2020 with Disposable mail. Get a guided demo or try Disposable mail on your own with a 14-day free trial.


Written by: Laura Kankaala, Security Researcher

Edited by: Jocelyn Chan, Content Manager


Security is everyone’s business | Disposable mail Blog

There’s no such thing as perfect security. To a security expert, this sentence is a reminder of why working in security is so much fun. To everyone else, it sounds like a threat.

The more personalized content becomes on the web, and the more tightly our ‘real’ identities are tied to our digital logins, the more we’re swapping privacy for convenience. As we build this more ‘convenient’ web, we have a responsibility to make sure it’s also more secure, by tying security and privacy as tightly to this as we can. We make a better web by making security a habit.

For most people, even relatively technical types, security is a separate function, even an afterthought. Their primary exposure to security issues is in the form of terrifying news stories about hackers, data breaches, and deliberate privacy violations. When they go looking for information, so much of what’s out there is too technical for non-experts or too scaremongering to actually act on.

How do you convince people to take a little more care without confusing them into inaction, or driving them to avoidance tactics with terrifying scenarios? In order to get motivated to do something, people need to understand the risk, feel a little bit challenged, and have enough information to be empowered. That’s where Zen and the Art of Making Tech Work for You comes in. Last winter, 50 human rights and internet activists gathered on the German-Polish border to discuss privacy, threat modeling, and what they could share with other people, primarily women and trans persons, to help everyone take control of their data and privacy. What resulted is this draft, a living document of practical information and tactical steps, aimed primarily at women, to do just that. It’s realistic, accessible, and not prescriptive – it’s open about the pros and cons of a range of approaches to personal data, security, and privacy.

It outlines some of the terminology (most people really do need a good, clear explanation of what metadata is and why it matters), and has sections on:

  • Managing online identities
  • Creating new online identities
  • Diversifying your machines
  • Safe spaces and activism
  • Combating harassment and trolls (including using bots)
  • Options for online community formation in more privacy-friendly forums
  • How to establish a baseline level of knowledge of security and privacy (keep your devices clean and healthy, dammit!)

Until December of this year, the document remains in draft form, and they’re looking for interesting tools, processes, readings, and case studies that they can put into the final version. There’s a link to a feedback form at the bottom of the document if you want to contribute. This guide is incredibly useful, whether or not you’re an intersectional feminist. What we like best about it is not that it’s non-technical and useful – it is those things – but that, rather than a set of defensive actions done out of fear, the tactics and information help non-experts see that a security and privacy habit can be an opportunity to get creative and inventive.

All of a sudden, your non-expert friends will see why ‘there’s no such thing as perfect security’ makes you downright happy. Maybe they’ll start building security into their lives, and they might even decide they think it’s fun.

PS: If you haven’t heard the 99% Invisible podcast’s episode on perfect security, you should listen to it ASAP. It’s the original Go Hack Yourself!


How to make sure your site is secure before releasing it to the public

Most developers today know that one should run unit tests and integration tests before pushing things live. But not all developers know how to test if their site is secure.

Development or staging environments usually aren’t accessible from the internet, but there is a solution and that solution is called ngrok. ngrok is a tool that creates a secure tunnel to a closed environment, which is perfect for granting Disposable mail access.

For a complete guide, read How to set up your staging environment using ngrok and Disposable mail in our knowledge base.

Do not hesitate to reach out at [email protected] if you want help setting it all up.

Happy scanning!
//The Disposable mail Team


Wake up – You’re vulnerable to mayhem!

Once your business goes live online, you’re vulnerable to mayhem. Disposable mail’s CEO Rickard Carlsson explains why web security matters and how you can protect your organization on the internet.

Rickard Carlsson

The Internet is broken, from a security point of view, and most organizations are vulnerable to attack. You need to figure out how vulnerable your business is, and find the best way to protect your information online. Web security is a long-term commitment that can protect your customers and brand, and keep your website safe from hackers. If you’re running an online business, you need to make security a habit as soon as possible.

To get started, let’s clarify three common misconceptions about web security.

I’m safe, because nobody wants to hack us.

Most hacks are automated and do not target specific organizations. They’re designed to spread malware via your site, send a political or commercial message, carry out an advertising scam, or some other malicious activity. Hackers don’t care about you, specifically. But if they’re successful, the damage will hurt your brand and give you unnecessary clean up work. It is increasingly common for hackers to attack multiple organizations without a specific target in mind, so your website could be at risk even if you think you have nothing of value to steal.

I’m safe, because we only use integrated third party services.

Third party services are vulnerable too and can cause a great deal of damage if they’re hacked. For instance, poor use of JavaScript on a third party service or a plugin could compromise the security of your complete domain. This includes your blog (blog.yourdomain.com) and your general website (support.yourdomain.com).

I’m safe, because we let an agency do our development.

Unless you asked for a security assessment or safe development, you’re not safe. Even if an agency is taking care of your development, your business can be compromised. What can happen? A potential attacker might try to steal information, or use your site for illegal activities or to spread harmful code. Or the hacker might encrypt all your data, just for fun.

Here’s what can happen if your site gets hacked …

Hackers can replace your site with just about anything, like Viagra ads, or change board member information for new visitors while you still see the original information. Customer data can be obtained and leaked from sites with user logins and profiles, and if you are running a SaaS service or a web shop, hackers can impersonate a user on your system and trigger actions or complete a purchase.

This might leave you feeling a bit depressed, but don’t give up yet. Here’s what you can do to improve your security through automated tools and professional services dedicated to protecting your business:

  • Start by identifying the myriad ways a hacker can get into your system. The most common methods of hacking into a system are outlined annually by the people at the Open Web Application Security Project (OWASP), who list their top ten risks.
  • Update and patch your system regularly, and re-configure your servers.
  • Use automated testing tools on a regular basis. They will allow you to find mistakes when coding, as well as discover and replace old versions left behind.
  • Protect all your business devices with full-disk encryption and strong passwords.
  • Do manual testing with external resources from a security firm or freelance security experts on Elance-oDesk.
  • Add systems that detect abnormal system activities.
  • Most companies don’t know where to start, or whose job it is to find and deal with security breaches, let alone prevent them. Put together a strategy including what to do in case of an attack, such as who to inform and what actions to take.

Start protecting your systems today and make security a priority. Make sure no stone is left unturned and run security scans on a regular basis.

Go hack yourself… or someone else will!


GUIDE: How to get rid of your ‘This site may be hacked’-flag

You might have noticed that Google occasionally flags some websites with a “This site may be hacked”-flag or a “This site may harm your computer”-flag. This is bad for your business because it could scare away potential customers, as Google’s recommendation is to avoid visiting flagged sites.

This guide explains what the flag means and how you can remove it.

Your site may be hacked flag


What it means

If a website is flagged, it has served either malware or spam advertisements recently. We can assume that is not your intention, and therefore the only logical assumption is that someone has hacked you.

It is also possible that you have not been hacked, but instead that an advertising company has been serving spam advertisements on your website.

For those who prefer to watch and listen, here is a Youtube video from Google explaining their flagging system:

What to do after being hacked

So, you have identified you have been hacked. What now?

  • Sign up for Google’s search console. You will be able to find more details on why you got the flag and other information regarding this.
  • Realize it most likely is not personal. Hackers want to hack as many as possible, not you specifically. There is no reason to panic, people have survived getting hacked before.
  • Contact your hosting company. They may be able to help you out, and they should also be interested in the attack against you as that could affect their other customers.
  • If possible, take your website offline. This ensures that the hacker cannot do anything more, and allows you to continue with the following steps without the hacker interfering.
  • Scan your own machine for malware with an antivirus program. It is possible that someone has infected your computer and got access to your site that way.
  • Assume everything is leaked. Every password needs to be changed. This includes admin accounts, FTP-accounts, internal databases etc. If you have user accounts registered at the site, reach out to them and explain what has happened. It may not be fun to give them bad news, but they will be even angrier if they find their credentials leaked online without you informing them about it.
  • Clean up after the attackers. This can be very hard to do yourself if you are not technically minded, and we would recommend you to hire someone for the task. If possible, do a clean install of the system to ensure hackers have not planted any backdoor.
  • If possible, identify how the hacker was able to get in and fix that security hole.
  • After cleaning up the system you want to make sure it never happens again. This is where services such as Disposable mail come in: scan your site using our system to identify and fix vulnerabilities so hackers cannot use them against you!
  • Bring your site online again.
  • See this is a lesson to start doing back-ups if you are not already doing so you do not risk losing information just because you got hacked.
  • Make sure your site is not on any blacklist of hacked websites that you would like to be removed from.
  • Login to the search console again and request a review of your site so Google will remove the flag.

If anything is unclear, do not hesitate to contact us at [email protected] and we will help you as best we can.

Additional resources/links
Google Search Help


Author: Linus Särud, Security Researcher (Twitter: @zulln)


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random 10-minute email addresses. It is also known by names like temporary mail, disposable mail, throwaway email, one-time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Security-focused Work Routine in 7 Steps – 10 minute mail

Security is not only a competitive edge, it’s a must. Companies will soon be compelled to implement a holistic security approach to keep up with the user demand of more secure services. But staying on top of web security in an ever-changing environment can be a great challenge for anyone. We believe that the most successful way to stay safe as a company is to integrate security into the development process. If you seamlessly add security as a continuous element during planning, development, testing and production, you are ahead of many other companies.

However, integrating security manually into all these phases would be very time-consuming and problematic, which is why you need to add systems and services that monitor the development cycle for you, so that you do not need to spend all your time worrying about security. Disposable mail is an example of a security service that works uninterruptedly in the background, analyzing your website and reporting back to you with actionable reports of the identified security issues. It fits seamlessly into the development cycle, so that your dev teams do not need to spend a lot of time setting up another complicated new tool.

Follow our step-by-step guide to more security-focused work routines with the help of Disposable mail!

Image: security focused work routine

It is worth repeating: security is not a one-man show, so make sure to invite as many stakeholders as possible into the process. It will make it easier to raise awareness and change the company mindset to work more actively with security. Talk about security in a way that everyone in the organization understands. Highlight the benefits that come with a security-conscious organization.

In discussions with the CMO, you might want to mention how you will stay one step ahead of the competitors, increase customer loyalty and avoid the negative PR that a hacker attack can cause. When talking to the Head of Development, team leaders or developers, try pointing out how easy it is to integrate security services like Disposable mail into developers’ existing sprints and agile work routines. Clarify that the (already busy) team will not be swamped with yet another service. When speaking to the CIO, point out how all studies show that security and automation are two important and growing areas to invest in to keep your IT infrastructure safe. Everyone in the organization will benefit from adopting a security-focused way of working.

It is useful to review your current situation already in the planning phase. Go over your entire IT infrastructure and re-consider what kinds of facilities and services you need. Based on your conclusions, you will need to consider if you have the right internal processes in place and if you have sufficient tool support to identify, organize and prioritize your security work.

This guide is, however, focused on implementing web application security, so let’s move on to that.

We highly recommend using a dedicated service to continuously monitor your website security. Many of the solutions out there do not have web security as their core business, and therefore do not update their services with new vulnerabilities frequently, which is essential in order to stay as safe as possible. When choosing a web security service, make sure it covers the OWASP Top 10.

Disposable mail specializes in web security and if you choose to use us to monitor your website’s security, our customer success managers are more than happy to help you with training, account setup and making you successful with our service. Just send us a short note at hello[at]detectify.com if you want help to get started or sign up for a 14-day free trial. We have tons of best practices from working with all types of industries and organizations and can easily help you navigate through the security jungle.

The first step when setting up your Disposable mail account is to define your target and its scope. Disposable mail allows you to configure test profiles to help you make sure that you cover all aspects of your application. As an example, you can have one profile where you log in to the tool and one profile that examines the site as an external, non-logged in, visitor. The tests can also be set up differently to match predefined goals.

There are a few more things to think about when setting up an account in order to get the most out of Disposable mail. For instance, to scan your entire domain, you will need to add your target(s) without including “www”. If your domain is “www.example.com” and you want to scan the entire domain and not only the top domain, you should add “example.com”, and by doing so, we will also cover your site’s subdomains. This results in a larger scope and therefore more secure coverage.
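A small model of the scope rule just described, as an added example (not Disposable mail’s own code): it parses a target the way the text says it should be entered and shows which discovered hostnames a scan of “www.example.com” versus “example.com” would reach. The function names and the host inventory are constructed for illustration.

```python
"""Scan-target scope rules, added as an example (not Disposable mail's own code).

Models the rule described above: a target entered as "example.com" covers the
whole domain including its subdomains, while "www.example.com" covers only that
one host. Hostnames used here are constructed samples.
"""
from typing import List, Optional


def parse_target(target: str) -> str:
    """Reduce a user-entered target to a lowercase hostname.

    Strips a scheme, port, path and trailing dot, so that
    "https://www.Example.com:443/login" becomes "www.example.com".
    """
    host = target.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid target: {target!r}")
    return host


def in_scope(hostname: str, target: str) -> bool:
    """True if hostname is the target itself or one of its subdomains.

    Matching is label-based: "api.example.com" is inside "example.com",
    but "notexample.com" and "example.com.evil.test" are not, even though
    both contain the target as a substring.
    """
    host = hostname.strip().lower().rstrip(".")
    target = parse_target(target)
    return host == target or host.endswith("." + target)


def covered_hosts(target: str, hostnames: List[str]) -> List[str]:
    """Sorted subset of hostnames a scan of target would reach."""
    return sorted(h for h in hostnames if in_scope(h, target))


def broader_target(target: str) -> Optional[str]:
    """If target is a "www." host, return the bare domain that would also
    cover its subdomains; None if the target is already a bare domain."""
    host = parse_target(target)
    if host.startswith("www.") and host.count(".") >= 2:
        return host[len("www."):]
    return None


# Constructed inventory of hostnames, as a subdomain discovery might list them.
DISCOVERED_HOSTS = [
    "www.example.com", "example.com", "api.example.com",
    "staging.api.example.com", "notexample.com", "example.com.evil.test",
]

if __name__ == "__main__":
    for target in ("www.example.com", "example.com"):
        print(f"{target}: {covered_hosts(target, DISCOVERED_HOSTS)}")
        if broader_target(target):
            print(f"  hint: add {broader_target(target)!r} to cover subdomains too")
```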

For more information on setting up your account, watch our demo.

Disposable mail believes in making security an integrated part of the development process to avoid releasing insecure services to the public. We have therefore made it possible to scan staging sites on local environments by using ngrok. By doing so, your development team can work on resolving possible vulnerabilities during the development process instead of doing it after release. Not only will this result in a less stressful release, it will also make security something that is top of mind when writing the code. As we all know, the IT infrastructure will differ between the staging and production environment. Therefore we recommend that you perform a test as soon as the release is live.

After going live, you will still need to test your production site continuously for possible threats. New vulnerabilities turn up every day, and Disposable mail adds new vulnerabilities to the scanner on a continuous basis. This is why the default setting when adding a new target to the service is to monitor and scan your site every 7 days.

Security is a continuous effort rather than a one-off project. Your application will most likely not remain static and, unfortunately, black hat hackers constantly invent new attack strategies that can make your site vulnerable. Therefore, we recommend you run routine tests with Disposable mail. Our recommendation is to do them on a weekly basis. You can always complement the scheduled tests with one-time scans whenever you need to test certain aspects of your application.

Make sure that the findings are added to the next sprint planning. This way, you make sure to always stay on top of your security as we constantly update the tool to cover new attack vectors.

The security reports are downloadable and easily shared. By inviting your coworkers to Disposable mail and granting them view access, you can enable your whole team to review findings. Being transparent, talking regularly about security and learning from each other is essential to become better and more secure. Do not let the results be a waste, make sure knowledge and best practices are passed on to everyone concerned. Our security expert and ethical hacker Frans Rosén often mentions Google as a great example of security teamwork, as it is practically impossible to find the same vulnerability on Google twice. Try to have the same mindset as them!

In addition to downloading the results in PDF format, Disposable mail can also be integrated with the most common developer tools such as Slack, HipChat, PagerDuty and Trello. By integrating Disposable mail directly into your infrastructure you will get notified when vulnerabilities are found and keep people informed about the latest security issues on a regular basis.

Stay tuned on our blog and our Twitter (@detectify), and sign up for our newsletter through the opt-in field in the sidebar to get more security news. And if you have any ideas, feedback or any comment, do not hesitate to reach out to us to start a dialogue.



General Data Protection Regulation: What It Means For Your Business – 10 minute mail

Coming into effect in May 2018, the General Data Protection Regulation will give EU data protection legislation a much-needed update and simplify data protection routines for businesses operating in the EU. For some companies, preparing for GDPR compliance entails a review of security practices, while others need to completely realign their focus and begin by putting security first. In this blog post, we explain what the GDPR means for your business and how Disposable mail can help you start working with security.


Legislation for a digital world

Unlike tech innovation, the wheels of legislation move slowly. The current Data Protection Directive that will be replaced by the GDPR came into force all the way back in 1995 – that’s right, the year Windows 95 was brand new and the movie Hackers (Disposable mail team’s all-time favourite) was released. Although the Data Protection Directive was updated with an amendment in 2003, it could not keep up with the developments in the tech world. To the delight of journalists and the horror of courts throughout Europe, there was a growing number of disputes that existing legislation simply couldn’t handle. One particularly well-known example is the Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González case from 2010, when a Spanish citizen requested that Google remove his personal data. Legal issues in a digital world clearly needed laws drafted with modern technology in mind.

Enter the GDPR, developed to bring EU legislation up to date with the increasing digitalisation of data. Introducing novelties like the right to be forgotten and Data Protection Officers, the regulation will unify data protection practices in EU member states and establish a greater focus on security and privacy.

Adopted by the European Parliament in April 2016, the new legislation will come into force on the 25th of May, 2018. Sofia Gunnarsson, founding partner of Sharp Cookie Advisors, a Swedish law firm specialising in tech law, says: “This regulation is already law and is valid, in contrast to a directive that requires national implementation processes in order to take effect. The EU legislation on data protection is set. There is, however, some room for interpretation that is left by the legislator to the national supervisory authority, but I do not expect to see national variations. We can expect to receive complementary guidelines for interpretation from the EU as we come closer to 2018.”

What does it mean for businesses?

One of the leading principles behind the GDPR is to protect European citizens’ rights by keeping their personal data safe, but what about businesses? Regardless of the sector, a unified data protection regulation offers a streamlined way of working with data throughout the EU, but it also brings a whole new set of challenges. Companies need to evaluate their data processing and security practices to ensure they comply with the GDPR when it comes into effect. For those who have been working with security on a daily basis, this will require some additional work to ensure appropriate measures are in place, which might mean restructuring their existing security workflow and perhaps adding to it. However, for companies that have never prioritised security before, the next two years could prove nothing short of stressful as failure to comply with the regulation can result in considerable fines.

While preparing for compliance can be overwhelming, Sofia Gunnarsson emphasises staying focused: “From my work as a data protection specialist advising data-driven companies, the greatest challenge is, and has been, to think small. By thinking small, I mean to clarify a unified management led strategy in your company on privacy and privacy engineering while focusing on very specific issues.”

The GDPR outlines a range of measures companies working with data ought to adopt and many of these measures are, in fact, best practices that do not only help protect businesses from non-compliance fines, but also improve their overall web security. Hopefully, the new legislation will encourage more companies to take a step towards a safer internet and make security a priority by incorporating security best practices.

“Under the GDPR, the company will be required to demonstrate its compliance, which can be met with certain internal processes such as maintaining a register of data processing, to have a process to delete all data, ensure data portability and information security, and report data breaches. Many companies will also be required to appoint a data protection officer, a professional within data protection that acts as an advisor and performs data protection audits on behalf of the company,” explains Sofia Gunnarsson.

“The first question every organisation should ask themselves is – do we keep records on each processing of data we perform? A register is a basic tool to keep track of what personal data your organisation collects, processes, shares, stores, deletes, etc. You use this one register to assess where in the organisation you should focus any further analysis and compliance activities.”

Security breach notification

The GDPR introduces a new security breach notification framework for all organisations working with data, including third-party data centres. The framework aims to make data controllers and processors accountable for data privacy breaches and is one of the bigger changes this legislation brings. To protect data, companies are required to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” (Regulation (EU) 2016/679) However, even preventive measures do not guarantee perfect security as attackers are constantly developing new ways to access sensitive information.

In case of a security breach that puts personal data at risk, authorities need to be notified within 72 hours. The affected company has to provide detailed documentation informing the authorities about the nature of the breach, a risk assessment, and an account of the steps taken to resolve the situation. If the data that has been exposed is highly sensitive, the organisation also needs to communicate the breach to all data subjects affected.

To prepare for compliance from a system level, Sofia Gunnarsson advises to “begin with the critical IT-systems, regarding system sensitivity, prone to cyber-attacks, geographic location, third party dependent. If you’d rather start your sensitivity analysis from the categories of data – which different categories of data and personal data do our systems use, which types of data are needed, any sensitive data.”

Data protection by design and default

Alongside the obligation to report breaches, companies also need to be able to show that they are constantly working with data protection principles and incorporating “data protection by design” into their routines. This makes it necessary for companies to implement: “appropriate technical and organisational measures /…/ which are designed to implement data-protection principles /…/ in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Regulation (EU) 2016/679) Policies can range from regular security audits to up-to-date best practices and organisation-wide data protection education. In short, this is a way for organisations to illustrate their compliance with the GDPR in their everyday work.

Sofia Gunnarsson points out that companies will need to rethink why they work with data: “The principles of data minimization and privacy by default will mean that companies will be required to have a clear purpose of their use of data before collection. By contrast, it is not an uncommon practice to collect available data and let the business development and analytics later decide how to use such data. Given that many companies have a strategy to increasingly leverage end user data, the development of these new systems and processes have stakeholders across the organisation. As such, the area of data protection and security will require top management commitment and effort spanning much of the organisation.”

Enforcement

National data protection authorities will continue their work as supervisory authorities, supporting citizens, advising organisations, and investigating compliance. A few actions supervisory authorities have the power to take are issuing warnings, ordering organisations to notify data subjects of personal data breaches, imposing a ban on data processing, and imposing administrative fines. Fines can be as high as 10 000 000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year.

How Disposable mail can help you implement security measures

May 2018 might seem far away, but it is important to keep in mind that preparing for GDPR compliance could entail structural changes, educating the staff, and updating your entire way of working with data. What needs to be done depends on every organisation’s existing level of security measures, as well as the nature of the data that is being processed. Disposable mail can be a valuable piece of the data protection plan puzzle, helping you deploy safer code with automated security audits and encouraging an ongoing security dialogue. Our scanner is updated bi-weekly to keep up with the latest vulnerabilities and enable you to make your web application more secure.

We aim to educate developers about web security and give them the tools and knowledge to take security matters into their own hands. With our extensive knowledge base, detailed scan reports, newsletters, alerts, and regular blog posts, we wish to inspire companies to adopt a security-oriented way of thinking. Making your website safer doesn’t have to be complicated, intimidating, and costly, but it is a long-term team effort that requires an awareness of risks as well as remediation knowledge.

The GDPR is bringing great changes to the way businesses work with data protection and web security. Introducing a focus on security into your workflow with Disposable mail is just one of many parts of the compliance transition, but it can be a good place to start. There are plenty of companies and law firms that specialise in digital matters and can advise you on the GDPR to ensure your business complies with the new legislation.

Sofia Gunnarsson’s final piece of advice is not to lose sight of your business goals: “Do not forget to focus on the business while being compliant! Much of the available advice of the GDPR comes from compliance advisors, experts in many areas, but with a low interest of the sales side of your company. Embrace the opportunity to design your digital services and IT-systems with, e.g., the data protection legislation’s constraints (and opportunities) in mind. Too little has been told about the strategic value that the product owner and business development have over data compliance issues. At Sharp Cookie Advisors, we guide our clients to adopt a sales-focused strategy. In some cases, the strategy has led to the client’s decision to realign its product and service portfolio, creating new services or remarketing existing services with clearer purpose and expectations in relation to the end users.”

In the meantime, Disposable mail can help you get on the right track by prioritising security, so why not sign up for a free trial? We are ready to guide you towards a more secure website, one vulnerability at a time!

Read more

If you’d like to delve deeper into the legal text, check out the complete General Data Protection Regulation.

For more advice on working with security, read our CEO’s article on why security matters and learn how you can incorporate security into your daily routine in 7 steps.

There are several good guidelines of how to prepare for the GDPR, for example this one from the Swedish Data Protection Authority (in Swedish). To learn more about internal processes companies will need for GDPR compliance, read Sofia Gunnarsson’s article on the topic (in English).

If you have any questions, don’t hesitate to reach out at hello[at]detectify.com.


About Sofia Gunnarsson:

Founding Partner of law firm Sharp Cookie Advisors, Sofia Gunnarsson is an experienced lawyer in internet law, data protection, and international commercial law.


Web Security Now and Then – 10 minute mail

Web security in 2016 is very different from what it was like in 2006, 1996 or even further back. As technology evolves and leaps forward, unfortunately, so do vulnerabilities. Prevention strategies that were sufficient ten years ago might not hold up well in the face of fast-paced progress. Our society is becoming increasingly networked, which broadens the scope of potential exploits. All this warrants a new perspective on security based on an understanding of how the field has changed and how to respond to new challenges. In this article, we explain how web security has evolved and share best practices that are key to staying safe online.


1. FREQUENCY OF TESTING

Thumbs up: Continuous security with automation
Thumbs down: One-off penetration testing

The frequency of testing might be the greatest and most crucial change the evolution of web security has brought. Not that long ago, quarterly and even yearly penetration tests were very common and were not considered inadequate, but this is not the case anymore.

New vulnerabilities emerge all the time, which is why continuous security testing is necessary to stay safe online. Unlike traditional tests, regular scans are automated and faster than in the past, allowing you to keep an eye on security while having plenty of time to focus on developing awesome stuff. Think of security as an onion: using automation to keep up with developments in web security is just one of the many layers that make up a complete security strategy. Finding services that fit your team and support your everyday work is an important step towards shifting to a more security-focused work routine.

2. SECURITY MINDSET

Thumbs up: Pervasive
Thumbs down: Isolated

Back in the day, security was most often the domain of a highly specialised team (or individual!) responsible for keeping the organisation safe from attackers. Other teams had little to do with security matters and were not usually up to date on the latest developments and best practices.

Nowadays, security permeates all aspects of day-to-day work and is present in every step of the development process. It takes time and effort to educate teams and incorporate an updated work routine, but fear not, it’s worth it! Shifting to a security-oriented mindset demystifies security, increases risk awareness and makes it easier to take action if your site’s security ever becomes compromised. While security teams remain the main line of defense, every organisation can benefit from introducing security into other teams’ work.

However, your work with security need not, and should not, stay confined to your company. Add layers to your security onion! Bug bounty programs and platforms like HackerOne, Bugcrowd and Disposable mail Crowdsource are incredibly valuable resources for organisations looking to improve their security. You will never be able to recruit ethical hackers to a 9-5 job, but they can still help you out. Disposable mail Crowdsource draws on the community’s knowledge by building crowdsourced modules into the Disposable mail service. Finally, you might want to consider hiring manual pentesters to complement your staff’s knowledge and make your work with security more comprehensive. The layers of your security onion might look something like this:

  • Security awareness within your team
  • Disposable mail Crowdsource
  • Bug bounty programs
  • Manual pentesting

3. ACCESSIBILITY

Thumbs up: Accessible
Thumbs down: Obscure

As a result of security being the sole responsibility of a specialised security team in the past, it seemed complicated and perhaps even slightly intimidating. High prices of security solutions reinforced the idea of security as a totally idiosyncratic field and also rendered decision-making difficult and expensive. Adjusting one-off manual pentests to specific needs or making changes was not easy without help from experts.

Luckily, a lot has changed. Services like Disposable mail offer easy-to-use interfaces that make working with security simple and intuitive, while also providing knowledge that can help users feel more comfortable tackling security issues. Using security tools is no longer an expensive and time-consuming endeavour, but instead gives your team additional support in their daily work. The flexibility of automated security services like Disposable mail makes it easy to adjust the testing to your needs, with options to add subdomains, only scan specific areas, or scan behind login.

Thinking of new vulnerabilities and exploits might worry you, but it is important to keep in mind that working with security has never been this thorough and accessible. With the support of automated security testing and ethical hackers’ knowledge, you can introduce a security-oriented way of thinking into your organisation and successfully work with security. Go hack yourself!

Interested in using automation to support your work with security? Sign up for a free trial!

If you have any questions about implementing security into your workflow, let us know at hello[at]detectify.com.


SPF Record Research | Disposable mail Blog – 10 minute mail

To prevent email spoofing, it is important to manually configure email authentication systems to the highest standard. This is a complicated process that often results in misconfigured email servers or companies simply skipping authentication and leaving their domain at risk of being spoofed. Here you can find our SPF research as well as a guide to help you configure your email server’s authentication.

We have researched the email authentication configuration of the top 500 Alexa sites and discovered that less than half of the domains had proper email authentication in place.

After looking into the SPF records of the world’s top domains, we checked the configurations of Finland’s largest companies and found that the majority lacked security measures preventing email spoofing.
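To make the kind of check behind this research concrete, here is an added example (not Disposable mail’s research tooling) of a static SPF record linter that flags the configurations that leave a domain open to spoofing: a missing or permissive “all”, the discouraged “ptr” mechanism, unreachable terms, and too many DNS-lookup terms. The sample records and function names are constructed; the lookup limit of 10 is the real RFC 7208 constant.

```python
"""SPF record linter: an added example, not Disposable mail's research code.

Statically checks one SPF TXT record for the misconfigurations that leave a
domain spoofable. It does not resolve include/redirect targets, so nested
lookups are not counted. All sample records below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4
MAX_DNS_LOOKUPS = 10
# optional qualifier, term name, then ":" / "=" / "/" introducing an argument
TERM_RE = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<name>[A-Za-z][A-Za-z0-9_.-]*)(?:(?P<sep>[:=/])(?P<arg>.*))?$")


@dataclass
class SpfReport:
    record: str
    valid_syntax: bool = True
    all_qualifier: Optional[str] = None  # "+", "-", "~", "?" or None when absent
    has_redirect: bool = False
    dns_lookups: int = 0
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only if receivers will fail or soft-fail mail from unlisted hosts."""
        return (self.valid_syntax and self.dns_lookups <= MAX_DNS_LOOKUPS
                and self.all_qualifier in ("-", "~"))


def lint_spf(record: str) -> SpfReport:
    rep = SpfReport(record=record)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        rep.valid_syntax = False
        rep.findings.append("not an SPF record: must start with 'v=spf1'")
        return rep
    seen_all = False
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            rep.valid_syntax = False
            rep.findings.append(f"unparseable term {term!r}")
            continue
        qual, name = m.group("qual") or "+", m.group("name").lower()
        if m.group("sep") == "=":  # modifier: redirect= counts as a lookup, others are ignored
            if name == "redirect":
                rep.has_redirect = True
                rep.dns_lookups += 1
            continue
        if name not in MECHANISMS:
            rep.valid_syntax = False
            rep.findings.append(f"unknown mechanism {name!r}: receivers return permerror")
            continue
        if seen_all:
            rep.findings.append(f"{term!r} comes after 'all' and is never evaluated")
            continue
        if name in LOOKUP_TERMS:
            rep.dns_lookups += 1
        if name == "ptr":
            rep.findings.append("'ptr' is discouraged by RFC 7208; list ip4/ip6 ranges instead")
        if name == "all":
            seen_all, rep.all_qualifier = True, qual
            if qual == "+":
                rep.findings.append("'+all' passes mail from any host: freely spoofable")
            elif qual == "?":
                rep.findings.append("'?all' is neutral: spoofed mail is neither rejected nor flagged")
    if not seen_all and not rep.has_redirect:
        rep.findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if rep.dns_lookups > MAX_DNS_LOOKUPS:
        rep.findings.append(f"{rep.dns_lookups} lookup terms exceed {MAX_DNS_LOOKUPS}: permerror")
    return rep


SAMPLE_RECORDS = {  # constructed examples, not any real domain's records
    "strict": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "softfail": "v=spf1 mx a:mail.example.com ~all",
    "open": "v=spf1 include:_spf.example.net +all",
    "neutral": "v=spf1 a mx ?all",
    "no_all": "v=spf1 ip4:198.51.100.7",
    "too_many": "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all",
    "not_spf": "google-site-verification=constructed-placeholder",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        r = lint_spf(rec)
        print(f"{label:9} enforcing={r.enforcing!s:5} lookups={r.dns_lookups:2} {r.findings}")
```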
