Web security trends to watch for 2020 – 10 minute mail

What are web security trends for 2020? This year we anticipate the build-up of a new security market category, growing targets in automation, a new perimeter and continuation of DevSecOps. Here is what we are watching for in 2020:

Disposable mail's web security trends for 2020

Rise of the “Crowdsourced Security” market

Keeping up with the threat landscape is a common pain point for many developer teams and C-level personnel. In fact, 48% of developers in this survey know security is important but don’t have enough time to spend on it. Even with a good overview of your software asset inventory, the digitalization of companies requires modern and automated ways of working with security, which is why more are adopting Crowdsourced security. This means they are gathering security knowledge from external experts – ethical hackers and bug bounty hunters. This is the principle behind Disposable mail Crowdsource.

Crowdsourced security is an up-and-coming industry, and MarketsandMarkets reported that it will grow to USD 135 million by 2024. Bug bounty programs may be the first thing that comes to mind, but other companies in this space offer options that don’t require top dollar. For example, Disposable mail collaborates with ethical hackers to make their knowledge available through automation to users with or without a crowdsourced security program.

As mentioned in the Undetected podcast, some hackers report in good faith, which is why setting up a responsible disclosure policy is a good way to begin working with ethical hackers. We even saw an example of such vigilance in the recent Citrix case: malicious hackers exploited the bug widely for personal gain, while this report suggests a vigilante may have been using it to beat the others to the punch. It would have been a challenge for Citrix to communicate with all their users at once to remediate the security bug, and with the reach of ethical hackers, the information has probably reached some companies sooner. For this reason, we anticipate more companies adding Crowdsourced security services to their toolbox.

CI/CD automation becoming the low hanging fruit

Today, the low-hanging fruit is rarely a SQL injection in a website; attackers are starting to look elsewhere for easy access to sensitive information and internal servers – the automation process.

Given the growing number of CI/CD processes and tools, there are attack surfaces that, while not new, have become more critical. Misconfigurations, the tools and dependencies used for deployment and orchestration, and the places where API tokens for integrations are stored are all increasingly interesting to attackers.

Misconfigurations, especially when CI/CD tools are used in cloud environments, can accidentally leave internal data storage exposed online due to a lack of authentication or general security, as in this case with MongoDB. While some of these are caused by manual error, automation certainly doesn’t make it easy to evaluate the perimeter of your cloud environment. Accidentally exposing internal services or data to the public Internet was a growing trend throughout 2019 and is expected to keep growing in 2020.

Sometimes attackers dig deeper, beyond the code stored in your private repositories: they go after the dependencies. This makes sense, because how often does an average organization review the source code for a Dockerfile that uses public images from Docker Hub? Running automated security in the background can help identify common security bugs and schedule fixes into the development cycle.
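As an added illustration (not Disposable mail’s tooling or code from the article), here is a small check a CI stage could run over a Dockerfile before anything is built: it parses the FROM lines and flags base images pulled from a registry without a content digest, where a tag can silently start pointing at different contents. The Dockerfile text is constructed and the digest is a zero-filled placeholder.

```python
import re

# FROM <image>[:tag][@digest] [AS <alias>], with an optional --platform flag.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)

def parse_image_ref(ref):
    """Split 'registry:port/repo:tag@sha256:...' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A colon in the last path segment is a tag; a colon before the last slash
    # is a registry port, so "registry.example.com:5000/team/base" has no tag.
    tag = None
    last = ref.rsplit("/", 1)[-1]
    if ":" in last:
        tag = last.rsplit(":", 1)[1]
        ref = ref[: -len(tag) - 1]
    return ref, tag, digest

def audit_dockerfile(text):
    """Return (line_no, image_ref, reason) for every base image that is not pinned."""
    findings, stages = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.groups()
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue  # an earlier build stage or the empty image: nothing is pulled
        _name, tag, digest = parse_image_ref(ref)
        if digest:
            continue  # content-addressed: what was reviewed is what gets built
        if tag is None or tag == "latest":
            findings.append((line_no, ref, "floating 'latest' tag: image contents can change without a code change"))
        else:
            findings.append((line_no, ref, f"tag {tag!r} is mutable on the registry; pin with @sha256:<digest>"))
    return findings

# Constructed sample Dockerfile (the digest is a zero-filled placeholder, not a real image).
SAMPLE_DOCKERFILE = (
    "FROM python:3.8-slim AS builder\n"
    "FROM builder\n"
    "FROM --platform=linux/amd64 alpine:3.11\n"
    "FROM node\n"
    "FROM registry.example.com:5000/team/base:1.2@sha256:" + "0" * 64 + "\n"
    "FROM scratch\n"
)
```

Running `audit_dockerfile(SAMPLE_DOCKERFILE)` reports the two tagged-but-undigested images and the untagged `node` image, and skips the stage reference, the digest-pinned image and `scratch`.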

Cloud-powered web apps become the perimeter to defend

Nothing in the cloud is inherently secure or insecure. Cloud service providers employ a shared responsibility model, which roughly means that what the user deploys on the provider’s service, and how, is the user’s responsibility. Most problems come from improper access controls, through misused credentials or API tokens, or from misconfigurations in the services used, such as 0.0.0.0/0 firewall rules that allow all access to internal data storage.

The sense of perimeter is different in cloud services (or at least some of them), because they introduce networking at the software level, and in addition to IP addresses, some resources have resource names and URLs that can be queried. The “Great Firewall” solution cannot be replicated in cloud environments, where access rights need to be granted and blocked at the instance level or with role-based access control. Also, every cloud provider comes with different default configurations: some may not deny traffic by default or may not enforce strong passwords for data storage.
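The 0.0.0.0/0 case from the previous paragraphs, as an added example that is not part of the original article or of Disposable mail’s product: a provider-neutral audit of ingress rules that flags anything reachable from the whole Internet (IPv4 or IPv6) and escalates when the open port belongs to a data store such as MongoDB. The rule shape, the sample rules and the port list are constructed.

```python
import ipaddress

# Ports of data stores that should not face the Internet: MongoDB as in the
# article, the others are common defaults. Extend to match your estate.
DATA_STORE_PORTS = {27017: "MongoDB", 5432: "PostgreSQL", 3306: "MySQL",
                    6379: "Redis", 9200: "Elasticsearch"}

# Constructed sample of ingress rules in a provider-neutral shape; not from any real account.
SAMPLE_RULES = [
    {"name": "web-https", "proto": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"name": "mongo-open", "proto": "tcp", "ports": (27017, 27017), "source": "0.0.0.0/0"},
    {"name": "mongo-internal", "proto": "tcp", "ports": (27017, 27017), "source": "10.0.0.0/8"},
    {"name": "postgres-v6-open", "proto": "tcp", "ports": (5432, 5432), "source": "::/0"},
    {"name": "allow-everything", "proto": "-1", "ports": (0, 65535), "source": "0.0.0.0/0"},
    {"name": "ssh-office", "proto": "tcp", "ports": (22, 22), "source": "203.0.113.0/24"},
]

def is_world_open(source):
    """True when the source CIDR is the entire IPv4 or IPv6 space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0

def audit_ingress(rules):
    """Classify every rule reachable from the Internet; returns (name, severity, detail)."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue
        lo, hi = rule["ports"]
        if rule["proto"] == "-1" or (lo, hi) == (0, 65535):
            findings.append((rule["name"], "CRITICAL", "all ports and protocols open to the Internet"))
            continue
        exposed = [f"{svc} ({port})" for port, svc in DATA_STORE_PORTS.items() if lo <= port <= hi]
        if exposed:
            findings.append((rule["name"], "HIGH", "data store reachable from the Internet: " + ", ".join(exposed)))
        else:
            # Public web ports may well be intentional; still list them for review.
            findings.append((rule["name"], "INFO", f"ports {lo}-{hi} open to the Internet"))
    return findings

if __name__ == "__main__":
    for name, severity, detail in audit_ingress(SAMPLE_RULES):
        print(f"{severity:8} {name}: {detail}")
```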

New web apps stretch the security perimeter each time, and companies that can scale security with development will keep up with the rate at which vulnerabilities are discovered and exploited. Not only do companies need to monitor the security of their own code, it’s also important to check for security when acquiring third-party software tools and JavaScript. You may already spend a large portion of your budget securing your main application, and keeping track of the growing inventory of web applications will need just as much attention.

DevOps continues towards DevSecOps

There are external tools and sources for testing for misconfigurations, and many of the cloud service providers offer a wide variety of services and tools to support security. However, as stated above, the way these services are used and the type of security controls implemented is up to the developers building things in the cloud. Cultivating a security culture amongst developers and taking advantage of the available security assessment tools can make a difference in any environment.

The web is becoming safer due to improved frameworks used in web development, regulations around data security and the increased know-how of developers, who are considering security earlier in the software development lifecycle. There’s a lot of talk about shifting left or pushing left, and for good reason. Developers in advanced tech organizations are practicing DevOps and see the importance of including security as part of their role, and (surprise!) the security bit isn’t slowing them down. Just take a look at companies like Netflix, Atlassian and Slack – they often speak for better app security at OWASP AppSec conferences and elsewhere. Security becomes enabling and is scaled up together with development. This isn’t a new trend, but we expect it to continue to grow.

Make it a safer 2020

There is no silver bullet to security, and it is ultimately a sum of many things including threat-modeling, pen-testing, automated security, asset monitoring, etc. Leaders in SaaS and tech use a combination of Crowdsourced security, CI/CD practices, cloud-native solutions and a positive security culture like DevSecOps, which is why we are keeping an eye on these areas for 2020.

How can Disposable mail help with web security trends of 2020?

Disposable mail is the first company of its kind to automate the cutting-edge knowledge of the best ethical hackers in the world to secure public web applications. Users check web applications against 1500+ known vulnerabilities beyond the OWASP Top 10. In a fast-paced tech environment, the potential attack surface increases with each release and new app created. Using Disposable mail, you can monitor your subdomains for potential takeovers and remediate security issues in staging and production, and find vulnerabilities as soon as they are known, to stay on top of threats. Keep up with web security trends in 2020 with Disposable mail. Get a guided demo or try Disposable mail on your own with a 14-day free trial.


Written by: Laura Kankaala, Security Researcher

Edited by: Jocelyn Chan, Content Manager

Temp Mails (https://tempemail.co/) is a new free temporary email address service. This service provides you with random 10-minute email addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Fitting automated security throughout the CI/CD pipeline – 10 minute mail

As companies compete on how fast new features and products can be released to the digital market, a byproduct of DevOps can be the neglect of sufficient and consistent information security throughout the pipeline – yes, that means from the start to the next improvement. Sure, automated security testing in production is a given, but what about during build and testing in the Continuous Integration and Continuous Delivery (CI/CD) pipeline?

This guide goes into why security is needed in the various stages of software development and how automated security like Disposable mail’s scanner could be applied:

The evolution of DevOps

Developers and operations teams are coming closer together in the workplace, and are even integrated into the same team or role to reduce production bottlenecks. Some would even argue that Ops is thinking and working more like developers to keep up continuous delivery of web applications and products. This practice is commonly known as Continuous Integration and Continuous Delivery (CI/CD).

Continuous integration and delivery also needs continuous monitoring

Security professionals today are massively outnumbered by developers. While modern developers are becoming more aware of the risks of coding without security, they face even greater pressure to deliver quickly and frequently to meet customer or market demands. Sometimes security is overlooked in developer environments or seen as a blocker to releasing new features, and it can easily be left out of the DevOps culture. We don’t have to look far for proof, as we see more headlines about companies leaving digital artefacts behind, such as API keys and user tokens found in git repositories. By adding continuous web application security scanning earlier in development, you may be able to catch sensitive information before it moves on to the next stage of development.

For example, Disposable mail’s web app scanner runs security tests called Sensitive Information Disclosure, which check applications for details such as leaked usernames, passwords, etc. That way the affected teams are notified when such sensitive information is found and can take action.
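An added example (not Disposable mail’s Sensitive Information Disclosure test, whose implementation the article does not show) of the kind of check a CI stage can run on changed files before they move downstream: match known access-key formats, and for secret-like variable names accept only high-entropy values so that placeholders are not reported; only redacted values reach the log. The file contents and credentials are constructed, and the entropy threshold is a tunable assumption.

```python
import math
import re

# A fixed-format key pattern (AWS access key id) plus a generic "name = value"
# catch-all for the usual secret-bearing variable names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}

def shannon_entropy(s):
    """Bits per character: random tokens score high, words and placeholders low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    """Show just enough to locate the secret; never echo it fully into CI logs or tickets."""
    return value[:4] + "..." + value[-2:]

def scan_text(text, path, min_entropy=4.0):
    """Return (path, line_no, kind, redacted_value) for each probable secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                # Entropy gate (threshold is a tunable assumption) only for the generic
                # pattern: placeholders like "changeme" drop out, fixed formats always report.
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((path, line_no, kind, redact(value)))
    return findings

def scan_files(files):
    """files maps path -> text, e.g. the content of every file touched in a commit."""
    return [f for path, text in files.items() for f in scan_text(text, path)]

# Constructed sample; credentials are made up (AKIAIOSFODNN7EXAMPLE is AWS's documented example id).
SAMPLE_FILES = {
    "config/settings.py": "DEBUG = False\n"
                          "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                          "DB_PASSWORD = 'changeme_in_production'\n"
                          "SERVICE_TOKEN = 'x9Qm2LpR7vTk4ZbN8wJc3HdY6fGs1AeU'\n",
    "README.md": "Set API_KEY=your_api_key_here before running.\n",
}

if __name__ == "__main__":
    # A non-zero exit fails the CI stage before the secret moves downstream.
    raise SystemExit(1 if scan_files(SAMPLE_FILES) else 0)
```

On the sample, the AWS example id and the random service token are reported; the two placeholder values fall below the entropy threshold and are ignored.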

Why should you run security scanning on internal environments?

In the build or testing stages there may be a lot of proprietary information available as you are developing. The last thing you would want is for an external actor to gain access to your development environment and leak or even steal your company plans.

In 2018, the DevOps Community survey reported that 33% had or suspected a breach due to web application vulnerabilities in the last 12 months. Checking the security of web applications even in early phases can help ensure that this information stays private before production and that no sensitive information like user tokens or login details is accidentally leaked. You can also audit that access is limited to the intended users only.

How to set up Disposable mail for internal environments:

  • If you would like Disposable mail to reach an application behind a firewall, you can whitelist our IPs to give access. We use AWS as our cloud service provider and our data centres are located in Ireland. Get the IPs and more details here.
  • For developer or staging environments, Disposable mail will be able to reach your environment if you have ngrok or a similar alternative. You will find the detailed guide to setup here.

Why automate security in DevSecOps?

DevSecOps aims to scale up security together with CI/CD. One way of doing this is to replace the manual work of reviewing code for security issues with automated security testing. Developers with knowledge of vulnerability testing can build their own tests for automation, but this takes time. An alternative is to use web application security scanners to check for common security flaws on a continuous basis: during staging, in production, live, or the moment something is deployed. This saves the time and effort of scanning and fixing bugs after releases.

If you’re using a tool like Disposable mail, scan summaries are provided and notifications of critical vulnerabilities can be sent to security engineers or directly to the developer team via Jira or another integration. Since Disposable mail provides remediation tips in the report, developers can take immediate action on a critical vulnerability or prioritize as they see fit.

Leveraging white hat hacker knowledge together with automation

White hat hacking has emerged in the application security space to help bring common vulnerabilities and out-of-the-box logical flaws to light, and also show the implications of leaving such an opportunity open to bad actors.

Bug bounty

Image: How bug bounty programs reward

Bug bounty programs like HackerOne, Bugcrowd and Intigriti offer such services, connecting companies with hackers who are then rewarded for each valid bug they find (hence “bug bounty hunters”). For DevOps teams, receiving a vulnerability report with a valid proof of concept makes it easier to understand what went wrong, how it happened and, ideally, how to remediate it. These adjustments are made to the build and pushed through the CI/CD pipeline.

An alternative would be to subscribe to an automated security scanner like Disposable mail that collaborates with white hat hackers or bug bounty hunters to source vulnerability tests. Applications are then automatically monitored for bugs with a test bed of up-to-date vulnerability knowledge from the forefront of cybersecurity. Since the crowdsourced security knowledge is automated through the scanner, it can benefit a team that is not ready to take on an influx of reports from bug bounty hunters. It can even complement existing pentesting or go together with bug bounty programs.

It’s time to “push left” and automate Security throughout the CI/CD

This paradigm shift of developers building products with security in mind is being championed by security engineers and DevOps leaders in application security today. The idea is to move security testing left in the CI/CD process and encourage security by design. Organizations can then start seeing security from a proactive point of view, as a business benefit and enabler instead of a blocker or a reason to suspend an application. Applying security and automated security earlier on then becomes a reason for developers to push code live with confidence.

How does Disposable mail help?

Detectify is a SaaS-based web application and domain monitoring security scanner. We collaborate with our Disposable mail Crowdsource community of handpicked white hat hackers to crowdsource security research from the forefront of cybersecurity.

Our user-friendly and intuitive tool makes security reporting and remediation easier for developers and security teams. It is a DAST tool, which means it conducts black-box testing for security audits on your applications just as a hacker would, but using harmless payloads. We offer integrations into services like Splunk, Slack, PagerDuty and Jira. Start your free 14-day trial with Disposable mail today and sign up here.

Written by: Jocelyn Chan, Marketing Coordinator
