M. Loewinger, Smartbear: “Each Product DevOps Lead manages Disposable mail and all its findings” – 10 minute mail

Disposable mail user story: Smartbear offers automated software testing solutions that help development and testing teams ensure quality throughout the software development lifecycle. Martin Loewinger, Director of SaaS Operations at Smartbear, and his team use Disposable mail to ensure security is a part of each product CI/CD pipeline, so that they can help their end users with test automation and monitoring.

What is your role at Smartbear?
I am the Director of SaaS Operations. I have the pleasure of leading the DevOps teams who support, maintain, and help build and design our SaaS platforms. Our DevOps teams are the leads when it comes to the platform’s infrastructure, configuration, security and deployments. We basically handle everything but creating the software. This past year I was fortunate enough to be given a development team to lead as well. I manage and lead the development efforts for our AlertSite product.

How does Smartbear work with security and development?
At SmartBear, some of our products service thousands of customers and span the globe. Disposable mail helps us monitor the security of our SaaS products, and currently we scan over 30 unique URLs or products. Some of the products are externally exposed and some are private. We have integrated Disposable mail into our CI/CD pipeline, which means that prior to releasing code to production, we have run and verified a Disposable mail scan in our staging environment. Any new findings are triaged by a DevOps and Development lead. If needed, production releases are postponed until the security finding is resolved or mitigated.

“We have created security champions on each of our scrum and development teams.” – Martin on getting devs to care about security

One for the CISOs and managers out there… 
What are some of the goals set for your security team and how do you measure success?
Although not an official goal for the year, I would say that my personal goal for 2020 is zero breaches/exploits of my systems. I would say this can be simple enough to measure… have none! 

No but seriously, one of our goals is to have zero critical vulnerabilities reported in our applications due to human error. This means that any findings we have should not be a result of a misconfiguration.

What are some of the challenges your security team faces?
We have an extensive portfolio of SaaS products and infrastructure, and of course their security is extremely critical. Our challenges in monitoring and keeping 100% compliance on patches can become daunting. This is why we have Disposable mail and several other tools and systems to help us.

Finding a balance between security and business development is also a challenge we would like to solve. Security can become a blocker to product innovation, meaning a feature may need to wait or even be put off in order to have development concentrate on a security finding, and I am sure many other companies face this as well.

How does Disposable mail fit into this? 
Disposable mail is critical in helping us ensure the next release does not expose us to a major security issue. Our daily and weekly scans help us with monitoring the applications and products.

Our teams manage operations and security for many of our products and as a result, we work with many different stakeholders. Each product has a DevOps lead who manages Disposable mail and all its findings, who then works with a product’s development lead and escalates any findings and issues which need to be resolved.

Besides using Disposable mail, how else do you work with ethical hackers?
SmartBear Software currently has a private Vulnerability Disclosure Program with a leading security vendor.

Which is your favourite function in Disposable mail?
Our team likes the JIRA integration within Disposable mail. Since we are working with multiple product teams at once, we can simply and quickly escalate findings to the appropriate developer or teams.

What are some of the common security mistakes you see?
Misconfiguration is the most common security mistake we see.

“…one of our goals is to have zero critical vulnerabilities reported in our applications due to human error.” – Martin on security goals for 2020

What are some common attacks you see in your day-to-day when defending Smartbear?
We monitor our systems 24/7 for attacks. We mostly see the usual scans looking for default usernames and passwords for many of our public systems. The usual port scans, and possibly unpatched vulnerabilities.

How do you get developers to care about security?
We have created security champions on each of our scrum and development teams. It is the champion’s responsibility to push security amongst their team. Ultimately, we need and want to build bug bounty-grade applications, which means our ideal goal is to make these programs public and open to everyone.

How do you stay up-to-date with security news/trends?
You name it, we do it. From being on Slack groups, attending conferences, email lists, GitHub Alerts and news outlets. Our security vendors like Disposable mail are also great in distributing security news and trends.

Get started with automating security into your DevOps or CI/CD practices today using Disposable mail. We collaborate with 200+ ethical hackers to offer checks for 1500+ common web vulnerabilities. Sign up for your free 14-day trial.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Web security trends to watch for 2020 – 10 minute mail

What are web security trends for 2020? This year we anticipate the build-up of a new security market category, growing targets in automation, a new perimeter and continuation of DevSecOps. Here is what we are watching for in 2020:

Disposable mail's web security trends for 2020

Rise of the “Crowdsourced Security” market

Keeping up with the threat landscape is a common pain point for many developer teams and C-level personnel. In fact, 48% of developers in this survey know security is important but don’t have enough time to spend on it. Even with a good overview of your software asset inventory, the digitalization of companies requires modern and automated ways of working with security, which is why more are adopting Crowdsourced security. This means they are gathering security knowledge from external experts – ethical hackers and bug bounty hunters. This is the principle behind Disposable mail Crowdsource.

Crowdsourced security is an up-and-coming industry, and MarketsandMarkets reported that it will grow to USD 135 million by 2024. Bug bounty programs could be the first thing that comes to mind, but there are other companies in this space offering options that don’t require top-dollar. For example, Disposable mail collaborates with ethical hackers to make their knowledge available through automation to users with or without a crowdsourced security program.

As mentioned in the Undetected podcast, some hackers report with goodwill, which is why setting up a responsible disclosure policy is a good way to begin working with ethical hackers. We even saw examples of such vigilance in the recent case of Citrix, where malicious hackers exploited it widely for personal gain, while this report suggests there could be a vigilante using it to beat others to the punch. It would have been a challenge for Citrix to communicate with all their users at once to remediate the security bug, and with the reach of ethical hackers, the information has probably reached some companies sooner. For this reason, we anticipate that more companies will add Crowdsourced security services to their toolbox.

CI/CD automation becoming the low hanging fruit

Today, the low-hanging fruit is rarely finding a SQL injection in a website, but the attackers are starting to look elsewhere for easy access into sensitive information and internal servers – the automation process. 

Given the growing number of CI/CD processes and tools, there are attack surfaces that, while not new, have become more critical. This means that misconfigurations, the tools and dependencies used for deployment and orchestration, and the places where API tokens for integrations are stored are increasingly interesting for attackers.

Misconfigurations, especially when CI/CD tools are used in cloud environments, can accidentally leave internal data storage exposed online due to lack of authentication or general security as in this case with MongoDB. While some of these can be caused by manual error, automation certainly doesn’t make it easy to evaluate the perimeter of your cloud environment. Accidentally exposing internal services or data to the public Internet seems to be a growing trend throughout 2019 and is expected to keep on growing in 2020.

Sometimes attackers dig deeper even beyond the code stored in your private code repositories. They go after the dependencies. This makes sense, because how often does an average organization review the source code for a Dockerfile that uses public images from Docker Hub? Running automated security in the background can help identify common security bugs and schedule fixes into the development cycle.

Cloud-powered web apps become the perimeter to defend

Nothing in the cloud is inherently secure or insecure. Cloud service providers employ a shared responsibility model, which roughly means that what the user deploys on the provider’s service, and how, is the user’s responsibility. The majority of problems are improper access controls through misused credentials or API tokens, or misconfigurations in the services used, such as 0.0.0.0/0 firewall rules that allow all access to internal data storage. 

The sense of perimeter is different in cloud services (or at least some of them), because they introduce networking at the software level, and in addition to IP addresses, some resources may have resource names and URLs that can be queried. The “Great Firewall” solution cannot be replicated in cloud environments, where access rights need to be granted and blocked at the instance level or with role-based access control solutions. Also, every cloud provider comes with different default configurations: some cloud providers may not deny traffic by default or may not enforce strong passwords for data storage.
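Because the perimeter is defined per instance or security group rather than at one edge firewall, the 0.0.0.0/0 rule above is worth checking mechanically. The block below is an added example for this article, not code from the original page or from any cloud provider's tooling; it models inbound rules in a constructed shape loosely resembling a security-group entry (not a provider's real API), and the rule sets it audits are constructed, with the weak set shown beside a corrected one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    """One inbound rule (constructed shape, not a cloud provider's API object)."""
    name: str
    protocol: str   # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    source: str     # CIDR the rule admits


# Services that should never be reachable from the whole Internet
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
                   6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def admits_whole_internet(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix that covers the entire address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Report every rule open to the world, graded by what it exposes."""
    findings = []
    for r in rules:
        if not admits_whole_internet(r.source):
            continue
        if r.protocol == "all":
            findings.append({"rule": r.name, "severity": "critical",
                             "detail": "every port on every protocol is open to the world"})
            continue
        exposed = [SENSITIVE_PORTS[p] for p in sorted(SENSITIVE_PORTS) if r.from_port <= p <= r.to_port]
        if exposed:
            findings.append({"rule": r.name, "severity": "high",
                             "detail": f"{', '.join(exposed)} reachable from {r.source}"})
        else:
            # A public web endpoint legitimately listens to the world; still worth listing
            findings.append({"rule": r.name, "severity": "info",
                             "detail": f"ports {r.from_port}-{r.to_port}/{r.protocol} open to the world"})
    return findings


def worst_severity(findings):
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default=None)


def restrict_source(rule, cidr):
    """The corrected form of a rule: same ports, narrower source."""
    return IngressRule(rule.name, rule.protocol, rule.from_port, rule.to_port, cidr)


# Constructed rule sets: the weak configuration and its corrected counterpart
WEAK_RULES = [
    IngressRule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("admin-ssh", "tcp", 22, 22, "0.0.0.0/0"),
    IngressRule("mongo-data", "tcp", 27017, 27017, "0.0.0.0/0"),
    IngressRule("debug-everything", "all", 0, 65535, "::/0"),
]
FIXED_RULES = [
    WEAK_RULES[0],                                      # public HTTPS stays public
    restrict_source(WEAK_RULES[1], "203.0.113.0/24"),   # office egress range (documentation prefix)
    restrict_source(WEAK_RULES[2], "10.0.0.0/16"),      # database reachable only inside the VPC
    # "debug-everything" is removed outright
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(f"== {label} rule set, worst: {worst_severity(audit_rules(rules))}")
        for f in audit_rules(rules):
            print(f"  [{f['severity']}] {f['rule']}: {f['detail']}")
```

The check deliberately grades a world-open 443 as informational rather than ignoring it: the list of what is intentionally public is itself the inventory that the "new perimeter" paragraph says needs keeping.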

New web apps are stretching the security perimeter each time, and companies that can scale security with development will keep up with the rate at which vulnerabilities are discovered and exploited. Not only do companies need to monitor the security of their own code, but it’s important to also check for security when acquiring third-party software tools and JavaScript. You may already spend a large portion of your budget securing your main application, and keeping track of the growing inventory of web applications will need just as much attention.

DevOps continues towards DevSecOps

Beyond external tools and sources for testing for misconfigurations, many of the cloud service providers offer a wide variety of services and tools to support security. However, as stated above, the way these services are used and the type of security controls implemented are up to the developers building things in the cloud. Cultivating a security culture amongst developers and taking advantage of the available security assessment tools can make a difference in any environment.

The web is becoming safer due to improved frameworks used in web development, regulations around data security and the increased know-how of developers, who are considering security earlier in the software development lifecycle. There’s a lot of talk about shifting left or pushing left, and for good reason. Developers in advanced tech organizations are practicing DevOps and see the importance of including security as part of their role, and (surprise!) the security bit isn’t slowing them down. Just take a look at companies like Netflix, Atlassian, Slack – they are often speakers for better app security at OWASP AppSec conferences and more. Security becomes enabling, and is scaled up together with development. This isn’t a new trend, but we expect it to continue to grow.

Make it a safer 2020

There is no silver bullet to security, and it is ultimately a sum of many things including threat-modeling, pen-testing, automated security, asset monitoring, etc. Leaders in SaaS and tech use a combination of Crowdsourced security, CI/CD practices, cloud-native solutions and a positive security culture like DevSecOps, which is why we are keeping an eye on these areas for 2020.

How can Disposable mail help with web security trends of 2020?

Disposable mail is the first company of its kind to automate the cutting-edge knowledge of the best ethical hackers in the world to secure public web applications. Users check web applications against 1500+ known vulnerabilities beyond the OWASP Top 10. In a fast-paced tech environment, the potential attack surface increases with each release and new app created. Using Disposable mail, you can monitor your subdomains for potential takeovers and remediate security issues in staging and production, and find vulnerabilities as soon as they are known, to stay on top of threats. Keep up with web security trends in 2020 with Disposable mail. Get a guided demo or try Disposable mail on your own with a 14-day free trial.


Written by: Laura Kankaala, Security Researcher

Edited by: Jocelyn Chan, Content Manager

Scaling up Security with DevOps and CI/CD practices – 10 minute mail

Some believe that “whatever can be automated, should be automated” and in general benefits include faster production, consistency in product and quality, rolling back from failures and allowing employees to focus on more creative and analytical tasks. The same can be said for the automation of quality assurance and security of developer coding and programming. As products and services become more complex, developers have to come up with more creative solutions, and fast, to gain and maintain a competitive advantage over the rest.

We’ve teamed up with mabl, a machine-learning test automation service, to show how automated security and quality assurance (QA) testing help teams sustain CI/CD practices. This article goes into how automated security scales up with DevOps practices, and to learn more about the benefits of machine-learning driven automated QA testing, visit mabl’s blog.

The growth of DevOps and how it affects Security in software development

The adoption of DevOps and Agile development has allowed products to go to market faster to meet business and customer demands. Part of this is the acceptance of automation to expedite repetitive processes and collect data for easier learning for improvements. In an ideal world, this model would also allow high-quality products to go to market quickly, free of bugs and security vulnerabilities, and in a cost-effective way. In reality, the emphasis is mostly on getting to market fast and meeting business demand rather than on a smooth and secure user experience. As companies compete on speed rather than cost, how will security testing be part of the cycle? Automate it!

Here are ways automation of application security scales up with continuous integration and continuous delivery (CI/CD) practices:

Automated security checks throughout the CI/CD process

Today companies are hit by hacker attacks whether they are aware of it or not. On average a hacker can be lurking in a system undetected for around 205 days. Once in, hackers run scripts and automate hacker attacks in order to do things at scale. For example, SQL injection can be easily automated. No company would be able to conjure up enough manpower to stop the scale and speed of automated attacks from multiple actors, which is why using an automated scanner could be one way to continuously scan your code and locate vulnerabilities before they’re exploited by a malicious hacker.

Automated scanners can be SAST (static application security testing) or DAST (dynamic application security testing), meaning they can check for code vulnerabilities during the various stages of development and even after it has gone live, giving security and developer teams instant feedback on the integrity of the code. Whether you deploy 100 times a day or less, security checks and improvements can be scheduled as part of the CI/CD process to keep releases secure. Snyk’s Guy Podjarny delivered an informative presentation at QCon 2019 on how you can integrate such tools with DevOps.
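What "scheduled as part of the CI/CD process" looks like in practice is a gate step that reads the scanner's report and decides whether the pipeline may deploy. The following release gate is an added example written for this article, not code from the original page or from Disposable mail's own integration; the scan report it reads is constructed in a generic shape (not any real scanner's output format), and the accepted-risk list with its placeholder ticket reference is likewise constructed. It implements the triage rule described in the interview earlier on this page: a finding at or above the threshold holds the release unless a lead has recorded a time-limited waiver for it.

```python
import json
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan report in a generic shape; not any real scanner's output format
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.com",
    "findings": [
        {"id": "F-101", "severity": "critical", "title": "SQL injection in login form", "path": "/login"},
        {"id": "F-102", "severity": "high", "title": "Missing Content-Security-Policy header", "path": "/"},
        {"id": "F-103", "severity": "medium", "title": "Verbose server version banner", "path": "/"},
        {"id": "F-104", "severity": "high", "title": "Outdated JavaScript library with known XSS", "path": "/static/app.js"},
    ],
})

# Triage decisions recorded by the DevOps and development leads (constructed). A waiver
# only lasts until its review date; after that the finding blocks releases again.
ACCEPTED_RISKS = {
    "F-102": {"reason": "CSP rollout in progress, tracked in ticket TICKET-PLACEHOLDER", "expires": "2099-12-31"},
    "F-104": {"reason": "mitigated by a WAF rule until the library upgrade ships", "expires": "2020-01-31"},
}


def blocking_findings(report_json, accepted, threshold="high", today=None):
    """Findings at or above `threshold` with no unexpired waiver, worst first.

    `today` is an ISO date string so that decisions are reproducible in tests.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    blocking = []
    for f in json.loads(report_json)["findings"]:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue
        waiver = accepted.get(f["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today_d:
            continue  # accepted risk, still within its review window
        blocking.append(f)
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return blocking


def release_gate(report_json, accepted, threshold="high", today=None):
    """Return (exit_code, lines): 0 lets the pipeline deploy, 1 holds the release."""
    blocking = blocking_findings(report_json, accepted, threshold, today)
    lines = [f"HOLD {f['id']} [{f['severity']}] {f['title']} at {f['path']}" for f in blocking]
    if not lines:
        lines = [f"PASS: no unwaived findings at severity >= {threshold}"]
    return (1 if blocking else 0), lines


def without_findings(report_json, *fixed_ids):
    """The report as it would look after the listed findings have been fixed and re-scanned."""
    report = json.loads(report_json)
    report["findings"] = [f for f in report["findings"] if f["id"] not in fixed_ids]
    return json.dumps(report)


if __name__ == "__main__":
    code, lines = release_gate(SAMPLE_REPORT, ACCEPTED_RISKS, today="2020-03-01")
    print("\n".join(lines))
    raise SystemExit(code)  # a non-zero exit is what makes the CI job fail
```

Run as the last step of the staging stage, the non-zero exit status is what postpones the production deploy; the expiry date on each waiver is what keeps a "mitigated for now" decision from silently becoming permanent.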

Consistency and efficiency

Automation gives you better control of how processes are run as you program machines or technology to operate a specific way, and automation executes it with precision. This means high output is achieved with consistency and ideally minimal mistakes. Quality assurance and security testing can also be scheduled or programmed to be done the moment new code is pushed, removing security or quality assurance from being the blocker of production, and fewer bugs will be introduced to live products. Any new code or application released will always be audited wherever it makes the most sense in your development cycle. Security auditing becomes part of the workflow instead of only when someone finds time for it or when faced with a data breach emergency and executing incident response.

Higher confidence and skills in coding

This survey showed that 87% of developers are not confident in their own code. As mentioned, reviewing 1000+ lines of code is a tedious task, which may be why flaws and bugs are never fully eliminated. Automated tools audit code easily and quickly, giving developers immediate feedback and peace of mind instead of leaving it up to chance whether the result is a broken user experience or, worse, a hacker attack.

When using a security automation tool like Disposable mail, users are given feedback on where vulnerabilities exist in the code as well as remediation tips with a code snippet, to encourage learning about security on the job. This lowers the barrier to learning more about secure coding and makes the turnaround time for fixes even faster. Developers can also start to gain better confidence in their code, knowing there is a “spellchecker” for their work before and after deployment.

Security is scalable together with development

As software development scales up in a company, security does not have to be a blocker or left behind. Like many other components, it can be automated to be part of the CI/CD pipeline. This can then enable developers to code more consistently and even improve their confidence for better performance and quick-release products.

Get started with automating security into your DevOps or CI/CD practices today using Disposable mail. We collaborate with 150+ white hat hackers to offer checks for 1000+ common web vulnerabilities. Sign up for your free 14-day trial.


Author:
Jocelyn Chan

Fitting automated security throughout the CI/CD pipeline – 10 minute mail

As companies compete with how fast new features and products can be released on the digital market, a byproduct of DevOps could be the neglect of sufficient and consistent information security throughout the pipeline – yes that means from start to the next improvement. Sure, automated security testing in production is a given, but what about during build and testing in the Continuous Integration and Continuous Delivery (CI/CD) Pipeline?

This guide goes into why security is needed in the various stages of software development and how automated security like Disposable mail’s scanner could be applied:

The evolution of DevOps

Developers and operations teams are coming closer together in the workplace and even integrated in the same team or role to reduce production bottlenecks. Some would even argue that Ops is thinking and working more like Developers to upkeep continuous delivery of web applications and product. This practice is commonly known as Continuous Integration and Continuous Delivery (CI/CD).

Continuous integration and delivery also needs continuous monitoring

Security professionals today are outnumbered massively by developers. While modern developers are becoming more aware of the risks of coding without security, they’re faced with an even greater pressure of delivering quickly and frequently to meet customer or market demands. Sometimes security is overlooked in developer environments or it’s seen as a blocker to releasing new features, and it can be easily left out of the DevOps culture. We don’t have to look far for the proof, as we see more headlines of companies leaving digital artefacts behind such as API keys and user tokens found in git repositories. By adding continuous web application security scanning earlier in development, you may be able to catch sensitive information before it moves onto the next stage of development.

For example, Disposable mail’s web app scanner runs security tests called Sensitive Information Disclosure, and this test will check applications for details such as leaked usernames, passwords, etc. That way affected teams are notified when such sensitive information is found so the developer team can take action.
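The cheapest place to catch the API keys and tokens mentioned above is before they reach the repository at all, with a scan of the files being committed. The block below is an added example written for this article, not code from the original page or Disposable mail's Sensitive Information Disclosure test; it uses the documented shapes of AWS access key IDs and GitHub personal access tokens plus a generic "secret-looking variable assigned a literal" rule with a Shannon-entropy score, and the settings file it scans is constructed (the AWS values are the example credentials from AWS's own documentation, the rest are made up).

```python
import math
import re
from collections import Counter

# Documented formats of two common credential types, plus PEM private-key headers
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic: a variable whose name suggests a secret, assigned a quoted literal of 8+ characters
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking values score above this


def shannon_entropy(value):
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    """Values filled in at deploy time, e.g. "${DB_PASSWORD}" or "{{ vault_secret }}"."""
    return value.startswith("${") or value.startswith("{{")


def scan_text(text, path="<input>"):
    """One finding per line that looks like it carries a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [name for name, pat in SPECIFIC_PATTERNS.items() if pat.search(line)]
        for name in hits:
            findings.append({"path": path, "line": lineno, "type": name, "confidence": "high"})
        if hits:
            continue  # a known format already explains this line; skip the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group(2)):
            # Low-entropy literals are often defaults or test fixtures, so they are reported
            # with low confidence for a human to judge rather than silently dropped.
            conf = "high" if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD else "low"
            findings.append({"path": path, "line": lineno,
                             "type": "hardcoded_" + m.group(1).lower(), "confidence": conf})
    return findings


def scan_files(paths):
    """Scan real files, e.g. the list a pre-commit hook or CI job passes in."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), p))
    return findings


# Constructed sample settings file; every value is fake (the AWS pair is AWS's documented example)
SAMPLE_CONFIG = """\
# constructed sample settings file
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
DB_PASSWORD = "${DB_PASSWORD}"
ADMIN_PASSWORD = "hunter2hunter2"
LOG_LEVEL = "debug"
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_CONFIG, "settings.py")
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['type']} ({f['confidence']} confidence)")
    raise SystemExit(1 if found else 0)  # fail the hook or CI job when anything is found
```

The placeholder rule matters as much as the detection rule: a scanner that flags `${DB_PASSWORD}` teaches developers to ignore it, while one that stays quiet on templated values and loud on literal ones fits the "catch it before the next stage" flow described above.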

Why should you run security scanning on internal environments?

In the build or testing stages there may be a lot of proprietary information available as you are developing. The last thing you would want is for an external actor to gain access into your development and leak or even steal your company plans.

In 2018, the DevOps Community survey reported 33% had or suspected a breach due to web application vulnerabilities in the last 12 months. Checking the security of web applications even in early phases can help ensure that this information stays private before production and that no sensitive information like user tokens or login details is accidentally leaked. You can also make audits to check that access is limited to the intended users only.

How to set up Disposable mail for internal environments:

  • If you would like Disposable mail to reach an application behind a firewall, you can whitelist our IPs to give access. We use AWS as our cloud service provider and our data centres are located in Ireland. Get the IPs and more details here.
  • For developer or staging environments, Disposable mail will be able to reach your environment if you have ngrok or a similar alternative. You will find the detailed guide to setup here.

Why automate security in DevSecOps?

DevSecOps aims to scale up security together with the CI/CD. One way of doing this is to replace the manual work of code reviews for security issues with automated security testing. Developers with the knowledge of vulnerability testing can build their own tests for automation, but this can take time. An alternative is to use web application security scanners to run automated scans to check for any common security flaws on a continuous basis: during staging, production, live or the moment something is deployed. Time and effort could be saved from scanning and fixing bugs after releases.

If you’re using a tool like Disposable mail, scan summaries are provided and notifications of critical vulnerabilities can be sent to security engineers or directly to the developer team via Jira or another integration. Since Disposable mail provides remediation tips in the report, developers can take immediate action on a critical vulnerability or prioritize as they see fit.

Leveraging white hat hacker knowledge together with automation

White hat hacking has emerged in the application security space to help bring common vulnerabilities and out-of-the-box logical flaws to light, and also show the implications of leaving such an opportunity open to bad actors.

Bug bounty

Image: How bug bounty programs reward

Bug bounty programs like HackerOne, Bugcrowd and Intigriti offer such services to connect companies with hackers, who are then rewarded for each valid bug they find (hence “bug bounty hunters”). For DevOps teams, receiving a vulnerability report with a valid proof of concept makes it easier to understand what went wrong, how it happened and, ideally, how to remediate it. These adjustments are made to the build and pushed through the CI/CD pipeline.

An alternative would be to subscribe to an automated security scanner that collaborates with white hat hackers or bug bounty hunters to source vulnerability tests, like Disposable mail. Applications are then automatically monitored for bugs with a test bed of up-to-date vulnerability knowledge from the forefront of cybersecurity. Since crowdsourced security knowledge is automated through the scanner, it can benefit a team that is not ready to take on an influx of reports from bug bounty hunters. It can even complement existing pentesting or go together with bug bounty programs.

It’s time to “push left” and automate Security throughout the CI/CD

This paradigm shift of developers building products with security is being championed by security engineers and DevOps leaders in application security today. The idea is to move security testing left in the CI/CD process and encourage security by design. In fact, organizations can start seeing security from a proactive point of view, as a business benefit and enabler instead of a blocker or a reason to suspend an application. Applying security and automated security earlier on would then become a reason for developers to push code live with confidence.

How does Disposable mail help?

Detecify is a SaaS-based web application and domain monitoring security scanner. We collaborate with our Disposable mail Crowdsource community of handpicked white hat hackers to crowdsource security research from the forefront of cybersecurity.

Our user-friendly and intuitive tool makes security reporting and remediation easier for developers and security teams. It is a DAST tool, which means it conducts black-box security audits on your applications just as a hacker would, but using harmless payloads. We offer integrations into services like Splunk, Slack, PagerDuty and Jira. Start your free 14-day trial with Disposable mail today and sign up here.

Written by:

Jocelyn Chan
Marketing Coordinator