Web security trends 2020 from 3 security leaders

In part 1 of web security trends 2020, we discussed the rise of Crowdsourced Security and the ever-changing attack surface. This time we turned to 3 security leaders to get their perspective on trends to come in 2020:

Anne-Marie Eklund Löwinder

CISO at the Swedish Internet Foundation, Internet Hall of Fame (2013) and holder of one of The Keys to the Internet:

Photo of Anne-Marie Eklund Löwinder (source: internetstiftelsen)

What security issues/trends are you anticipating for 2020?
We are all targets. I believe that the world of digitalization continues to grow in complexity. As a result of that, it becomes even more difficult to protect the technical environment appropriately in our homes and workplaces.

With more and more systems and software, plugins and apps, we will continue to be challenged with keeping everything updated. Attackers will probably outpace incomplete and hurried patches. With more devices brought into our homes, most of them with network access with or without our knowledge, the exposure will let cybercriminals home in on IoT devices for espionage and extortion. Digitalization leads to critical infrastructures being more exposed, and they will most certainly be plagued by more attacks and production downtime (I’ve just finished reading Sandworm by Andy Greenberg).

The increasing use of cloud services continues to change the security map. When more and more companies are handing over their information to someone else’s IT environment, aka cloud service providers, vulnerabilities in their environment, such as container components, will be top security concerns for DevOps teams.

Some novelties will introduce new attack surfaces for misconfiguration and vulnerable code. Not monitoring enough will result in bigger damage than necessary. User misconfigurations and insecure third-party involvement will also compound risks in cloud platforms.

Threat intelligence will need to be augmented with security analytics expertise for protection across security layers. Which means companies must put more resources on security. But will they? Are the executive leaders of the companies willing to act upon the increasing risks? To what extent?

Are there any trends to do with security automation or ethical hackers? 
I am not aware of any specific trends to do with security automation or ethical hackers, but the value of skilled ethical hacking is critical for identifying vulnerabilities in cybersecurity solutions before a real bad actor comes along. The NSA recently handed over a serious vulnerability in Windows 10 to Microsoft, which to me shows a change in behaviour. Maybe they understand the problem with keeping them secret for future use when the collateral damage threatens to be global.

What are your current challenges and how do you plan to tackle these this year?
My current challenges are to keep the staff (at the Swedish Internet Foundation) happy by offering new and modern solutions, and keep them informed about the risks and of what’s going on at the same time.

What event do you look forward to in 2020?
Internetdagarna! As always.

Tanya Janca

Application security specialist, Ethical hacker, Pentester, Women in Security co-founder, frequent speaker:

Photo of Tanya Janca, application security specialist, pentester and frequent speaker

What security issues/trends are you anticipating for 2020?
I anticipate more breaches and news stories of ‘cyber tragedy’, but also more companies investing in their employees via training and enablement in the workplace to create processes for faster and more effective security.

I also think we will see a lot more cultures moving towards DevOps and automation of security testing, defences and detection. I believe the Information Security field will try to move towards using more Artificial Intelligence/Machine Learning to provide better security experiences, for better or worse. I also foresee many companies abusing new technologies to violate users’ privacy, which is a trend I find both unethical and worrisome.

Read: Tanya’s blog series on DevOps and security: Pushing Left, Like a Boss.

Are there any trends to do with security automation or ethical hackers?
More and more development shops are realizing that if they don’t move to the DevOps model/culture they will no longer have a competitive advantage. I am currently seeing many security teams that are getting on board with this, adding automation, security sprints and adding security tooling to CI/CD pipelines, and other forms of “DevSecOps” (application security activities that are adapted to DevOps environments). I’m also seeing quite a few mature AppSec companies creating stripped-down versions of their tools to be used in pipelines, with varying results, and newer companies that have CI/CD in mind when creating brand new products.

I’m very, very excited to see innovation in this area in 2020. Application Security is a young field, and I suspect there will be very new types of tools coming out to solve this problem in new ways, and I can’t wait to see it.

What are your current challenges and how do you plan to tackle these this year?

This year I have three career goals:

  • to help guide and support a few new AppSec startups in hopes to help them launch new and innovative products
  • to create DevSecOps and AppSec training that is affordable, accessible and fun
  • to have a better work/life balance than I have had in previous years.

I will also continue to coach companies launching and improving their AppSec, DevSecOps and Azure security programs. Wish me luck!

What ways will you/your team measure success this year?
I keep personal and professional KPIs that I won’t share here, but I can say that I believe setting goals and measuring yourself (regularly) against them is a fantastic way to ensure you reach your version of success.

I also believe in setting and enforcing personal and professional boundaries (for example, I do not take meetings before 9:00 am because sleep is very important to me). Setting a list of yearly/quarterly/monthly goals, as well as a set of boundaries, is an activity that I feel would serve any person well in their career.

What event do you look forward to in 2020?
I always look forward to every WoSEC (Women of Security) meetup, especially the “WoSEC Crashes RSAC” meetup during RSAC this year! I’m also looking forward to several different locations of B-Sides, and I especially love the AppSec conferences from OWASP.

Laura Kankaala

Security Researcher and Undetected podcast host at Detectify, ethical hacker, Disobey board member and frequent speaker:

Photo of Laura Kankaala, security researcher, Disobey board member

What security issues are you anticipating for 2020? 
Security of cloud environments and understanding the exposed attack surface is going to be crucial for companies to secure sensitive data. Having sensitive data storage or internal servers accessible over the Internet and indexed directly in services such as Shodan is an unnecessary risk that companies are taking with their infrastructure. As of writing this, there are more than 73,000 MongoDB instances indexed in Shodan. Most of these are likely hosted on some Software-as-a-Service (SaaS) platform.

On the positive side, I think companies are becoming more vigilant about security. It is kind of hard to ignore security because data breaches and security incidents are constantly in the mainstream media. I encourage companies of all sizes to take a critical look at their security practices and at least include a responsible disclosure policy on their public website.

Are there any trends to do with security automation or ethical hackers? 
I’m sure the usage of crowdsourced security will increase; it seems like the number of bug bounty programs, both public and private, outnumbers the active researchers. For crowdsourced security to be successful, we [security professionals] need to get better at sharing knowledge and offering help to get people started in security research.

However, bug bounties are just one facet of ethical hacking, as they typically just scratch the surface of the overall security of the company. For example, fixing an XSS bug found by a bug bounty researcher won’t fix the root cause of why XSS vulnerabilities exist. Preventative measures like security tools and educational content should reach the developers without increasing their workload tremendously.

When it comes to automating security, I think it is important to automate tedious tasks to pave the way for tasks that require more time and attention. Automation also provides more consistency in security testing results across the different phases of software development. In order for companies to grow bigger and faster in a secure manner, it makes a lot of sense to employ automation in the appropriate places.
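
The point about root causes above deserves a concrete form. What follows is an added example, not part of the interview and not Detectify’s code: a constructed miniature template engine that puts the “before” (values interpolated verbatim, which is the sink behind every reflected XSS report) next to the “after” (escape by default, with an explicit Markup type as the only opt-out). The placeholder syntax, the Markup class and the payload are all made up for illustration.

```python
"""Fix the class of bug, not the one report: escape at the template layer.

Added example, not from the interview or Detectify. The tiny template
engine below is constructed for illustration; it is not a real library.
"""
import html
import re

# Matches {{ name }} placeholders in a constructed template syntax.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class Markup(str):
    """A string the developer explicitly vouches for as already-safe HTML."""


def render_unsafe(template, **values):
    """The 'before': every value is interpolated verbatim (the XSS sink)."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render(template, **values):
    """The 'after': every value is HTML-escaped unless wrapped in Markup.

    A one-off fix patches a single report; escaping by default removes the
    reason the same bug keeps reappearing in new templates.
    """
    def substitute(match):
        value = values[match.group(1)]
        if isinstance(value, Markup):
            return str(value)          # explicit, reviewable opt-out
        return html.escape(str(value), quote=True)
    return PLACEHOLDER.sub(substitute, template)


# Constructed attacker-controlled input, e.g. a reflected query parameter.
PAYLOAD = '<img src=x onerror="alert(1)">'

if __name__ == "__main__":
    print(render_unsafe("<p>Hello {{ name }}</p>", name=PAYLOAD))
    print(render("<p>Hello {{ name }}</p>", name=PAYLOAD))
```

Escaping by default changes what a bug bounty report can find: a new template cannot reintroduce the bug unless someone deliberately wraps untrusted data in Markup, which is a one-line change a reviewer can spot. One caveat: HTML-body escaping is not sufficient for every context. A value placed inside an unquoted attribute, a script block or a URL still needs that context’s encoding, so quote attributes in templates and keep untrusted data out of script and URL contexts.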

What are your current challenges and how do you plan to tackle these this year?
This challenge will probably span over multiple years, but I want to make security automation the norm.

What we are doing at Detectify is, in addition to our in-house security researchers, working closely with Crowdsource ethical hackers all around the world to tap into their knowledge of novel vulnerabilities and complement our security automation tool. I don’t think this is necessarily a challenge, but more like a great opportunity for our customers to get insight into the security posture of their web applications and get knowledge of zero-day vulnerabilities as soon as possible.

What ways will you/your team measure success this year?
For me, success doesn’t happen in a void. Things are either done or they are not done. Getting things done can surely be a success, but will it truly matter unless it has a positive effect on someone else’s life?

My team and I have set numeric and performance-based goals that are a general path to follow. However, to be successful, the teams need to meet more than numbers and performance metrics. We need to collaborate and provide something meaningful to our community and peers.

What event do you look forward to in 2020?

I have a personal stake in this, but I am looking forward to Disobey, which we are organizing in Helsinki, Finland. I am a board member for this conference, so I hope that everything runs smoothly. We have a very active infosec community in Finland, but it’s exciting to see people from all over the world attending our event, either as speakers or as attendees.

How can Detectify help with your security plans for 2020?

Keeping up with the fast pace of web security is a challenge if you are relying only on standard CVE libraries and annual security checks. Detectify works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Detectify a go? Start your 14-day free trial today.


Web security trends to watch for 2020

What are web security trends for 2020? This year we anticipate the build-up of a new security market category, growing targets in automation, a new perimeter and continuation of DevSecOps. Here is what we are watching for in 2020:

Detectify's web security trends for 2020

Rise of the “Crowdsourced Security” market

Keeping up with the threat landscape is a common pain point for many developer teams and C-level personnel. In fact, 48% of developers in this survey know security is important but don’t have enough time to spend on it. Even with a good overview of your software asset inventory, the digitalization of companies requires modern and automated ways of working with security, which is why more are adopting crowdsourced security: gathering security knowledge from external experts, ethical hackers and bug bounty hunters. This is the principle behind Detectify Crowdsource.

Crowdsourced security is an up-and-coming industry, and MarketsandMarkets reported that it will grow to USD 135 million by 2024. Bug bounty programs could be the first thing that comes to mind, but there are other companies in this space offering options that don’t require top dollar. For example, Detectify collaborates with ethical hackers to make their knowledge available through automation to users with or without a crowdsourced security program.

As mentioned in the Undetected podcast, some hackers report in good faith, which is why setting up a responsible disclosure policy is a good way to begin working with ethical hackers. We even saw examples of such vigilance in the recent Citrix case, where malicious hackers exploited the bug widely for personal gain, while this report suggests a vigilante may have been using it to beat others to the punch. It would have been a challenge for Citrix to reach all of its users at once to remediate the security bug, and with the reach of ethical hackers, the information has probably gotten to some companies sooner. For this reason, we anticipate more companies adding crowdsourced security services to their toolbox.

CI/CD automation becoming the low hanging fruit

Today, the low-hanging fruit is rarely a SQL injection in a website; attackers are starting to look elsewhere for easy access to sensitive information and internal servers: the automation process.

With the growing number of CI/CD processes and tools, there are attack surfaces that, while not new, have become more critical. Misconfigurations, the tools and dependencies used for deployment and orchestration, and the places where API tokens for integrations are stored are all increasingly interesting to attackers.

Misconfigurations, especially when CI/CD tools are used in cloud environments, can accidentally leave internal data storage exposed online due to a lack of authentication or other basic controls, as in this case with MongoDB. While some of these are caused by manual error, automation certainly doesn’t make it easy to evaluate the perimeter of your cloud environment. Accidentally exposing internal services or data to the public Internet was a growing trend throughout 2019 and is expected to keep growing in 2020.

Sometimes attackers dig deeper, even beyond the code stored in your private repositories: they go after the dependencies. This makes sense, because how often does an average organization review a Dockerfile, let alone the public base images it pulls from Docker Hub? Running automated security checks in the background can help identify common security bugs and schedule fixes into the development cycle.
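
One such background check, for the pipeline attack surface described in this section (unreviewed public base images, and API tokens or passwords stored where the build can see them), is a linter that runs over every Dockerfile before it is built. The block below is an added example written for this page, not Detectify’s tooling or any real linter. The two Dockerfiles are constructed: the token and password are fake, the digest in the hardened version is a placeholder of zeroes rather than a real image digest, and the `--mount=type=secret` form is BuildKit syntax assumed to be available.

```python
"""Lint a Dockerfile for supply-chain and secret-handling mistakes.

Added example, not Detectify's code. The two Dockerfiles below are
constructed; image names, the fake token, the fake password and the
all-zero digest are illustrative only.
"""
import re

# Variable names that usually carry credentials.
SECRET_NAMES = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)


def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()


def env_names(rest):
    """Variable names declared by ENV/ARG in either 'K=V' or 'K V' syntax."""
    if "=" in rest:
        return [tok.split("=", 1)[0] for tok in rest.split() if "=" in tok]
    return rest.split()[:1]


def lint_dockerfile(text):
    """Return (instruction, problem, detail) triples for risky instructions."""
    findings = []
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            # Skip flags such as --platform; the image is the first bare token.
            image = [t for t in rest.split() if not t.startswith("--")][0]
            if "@sha256:" in image:
                continue                        # digest-pinned: content-addressed
            last = image.rsplit("/", 1)[-1]     # drop registry/namespace (host:port)
            if ":" not in last or last.endswith(":latest"):
                findings.append(("FROM", "floating tag; upstream can change it", image))
            else:
                findings.append(("FROM", "tag without digest; pin with @sha256", image))
        elif instr in ("ENV", "ARG"):
            # ENV persists in the image; ARG values stay in layer history.
            for name in env_names(rest):
                if SECRET_NAMES.search(name):
                    findings.append((instr, "secret persisted in image metadata/history", name))
        elif instr == "RUN":
            if re.search(r"curl[^|]*\|\s*(ba)?sh\b", rest):
                findings.append(("RUN", "pipes a remote script into a shell", rest))
            if re.search(r"--password[= ]\S+", rest):
                findings.append(("RUN", "password on the command line (kept in layer history)", rest))
    return findings


# Constructed input: the insecure file beside its hardened form.
INSECURE_DOCKERFILE = """\
FROM python:latest
ARG GITHUB_TOKEN=ghp_constructedexample
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh | bash
RUN pip install requests \\
    && mysql --password=hunter2 -e "SELECT 1"
COPY . /app
"""

HARDENED_DOCKERFILE = """\
# Digest pins the exact image content; a tag alone can be moved upstream.
FROM python:3.8-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
# Secrets are mounted only for this step and never written into a layer.
RUN --mount=type=secret,id=pip_token pip install --no-cache-dir requests==2.22.0
COPY . /app
"""

if __name__ == "__main__":
    for instr, problem, detail in lint_dockerfile(INSECURE_DOCKERFILE):
        print(f"{instr}: {problem}: {detail}")
```

The digest check is the part that addresses the dependency problem directly: a tag such as `python:3.8-slim` resolves to whatever the registry serves today, while `@sha256:…` names one specific image, so a compromised or silently rebuilt upstream image cannot enter the build unnoticed. The secret checks catch the cheaper mistake: anything written with ENV, ARG or a `--password` argument is readable by anyone who can pull the image or inspect its history.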

Cloud-powered web apps become the perimeter to defend

Nothing in the cloud is inherently secure or insecure. Cloud service providers employ a shared responsibility model, which roughly means that what the user deploys on the provider’s service, and how, is the user’s responsibility. Most cloud security incidents come down to improper access controls, such as misused credentials or API tokens, or misconfigurations in the services used, such as firewall rules that allow all access to internal data storage.

The sense of perimeter is different in cloud services (or at least some of them), because they introduce networking at the software level, and in addition to IP addresses, some resources have resource names and URLs that can be queried. A single perimeter firewall (the “Great Firewall” approach) cannot be replicated in cloud environments, where access needs to be granted and blocked at the instance level or through role-based access control. Also, every cloud provider comes with different default configurations: some may not deny traffic by default, or may not enforce strong passwords for data storage.
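
Laura’s Shodan observation in her interview above (tens of thousands of MongoDB instances reachable from the Internet) and the firewall-rule misconfiguration described in this section reduce to one check that a pipeline can run against every deployment: does any rule open a data-store port to 0.0.0.0/0 or ::/0? The block below is an added example written for this page, not Detectify’s code. It works on a constructed security-group document using the field names of `aws ec2 describe-security-groups` output; the group IDs are made up, and the 10.20.0.0/24 application subnet in the hardened version is an assumption.

```python
"""Flag cloud firewall rules that expose data stores to the whole Internet.

Added example, not Detectify's code. Input is a constructed, AWS-style
security-group document (same field names as `aws ec2
describe-security-groups`); group IDs and CIDRs are made up.
"""

# Data-store ports that should never be reachable from anywhere on the Internet.
DATA_STORE_PORTS = {
    27017: "MongoDB",
    5432: "PostgreSQL",
    3306: "MySQL",
    6379: "Redis",
    9200: "Elasticsearch",
}

ANYWHERE = ("0.0.0.0/0", "::/0")


def port_range(perm):
    """Ports covered by one rule; protocol -1 (all traffic) carries no ports."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") in (None, -1):
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def open_sources(perm):
    """Source CIDRs in the rule that mean 'the whole Internet' (v4 or v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
    return v4 + v6


def find_exposures(security_groups):
    """Return (group id, service, port, source) for each Internet-open data-store port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = open_sources(perm)
            if not sources:
                continue
            lo, hi = port_range(perm)
            for port, service in DATA_STORE_PORTS.items():
                if lo <= port <= hi:
                    findings.extend((sg["GroupId"], service, port, src) for src in sources)
    return findings


# Constructed input: the misconfiguration beside its corrected form.
INSECURE_GROUP = {
    "GroupId": "sg-0badf00d",          # made-up ID
    "IpPermissions": [
        # MongoDB open to every IPv4 address: what ends up indexed in Shodan.
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # "All traffic" from any IPv6 source, a typical default-allow leftover.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

HARDENED_GROUP = {
    "GroupId": "sg-0600d1dea",         # made-up ID
    "IpPermissions": [
        # Same port, but only from the (assumed) application subnet.
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for gid, service, port, src in find_exposures([INSECURE_GROUP, HARDENED_GROUP]):
        print(f"{gid}: {service} (tcp/{port}) reachable from {src}")
```

The “all traffic” rule is the one most often missed: it has no port fields at all, so a check that only looks at FromPort/ToPort for 27017 will report the group as clean while every data-store port is open over IPv6. Running this kind of check on the rules you control is cheaper than finding your database on Shodan, and it is the per-instance, role-based replacement for the single perimeter firewall the cloud does not give you.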

New web apps stretch the security perimeter with each release, and companies that can scale security with development will keep up with the rate at which vulnerabilities are discovered and exploited. Not only do companies need to monitor the security of their own code, but it’s also important to check for security when acquiring third-party software tools and JavaScript. You may already spend a large portion of your budget securing your main application, and keeping track of the growing inventory of web applications will need just as much attention.

DevOps continues towards DevSecOps

Beyond external tools and sources for testing for misconfigurations, many cloud service providers offer a wide variety of services and tools to support security. However, as stated above, how these services are used and which security controls are implemented is up to the developers building things in the cloud. Cultivating a security culture amongst developers and taking advantage of the available security assessment tools can make a difference in any environment.

The web is becoming safer due to improved frameworks used in web development, regulations around data security and the increased know-how of developers, who are considering security earlier in the software development lifecycle. There’s a lot of talk about shifting left or pushing left, and for good reason. Developers in advanced tech organizations are practicing DevOps and see the importance of including security as part of their role, and (surprise!) the security bit isn’t slowing them down. Just take a look at companies like Netflix, Atlassian and Slack: their engineers often speak about better app security at OWASP AppSec conferences and elsewhere. Security becomes an enabler and is scaled up together with development. This isn’t a new trend, but we expect it to continue to grow.

Make it a safer 2020

There is no silver bullet to security, and it is ultimately a sum of many things including threat-modeling, pen-testing, automated security, asset monitoring, etc. Leaders in SaaS and tech use a combination of Crowdsourced security, CI/CD practices, cloud-native solutions and a positive security culture like DevSecOps, which is why we are keeping an eye on these areas for 2020.

How can Detectify help with web security trends of 2020?

Detectify is the first company of its kind to automate the cutting-edge knowledge of the best ethical hackers in the world to secure public web applications. Users check web applications against 1500+ known vulnerabilities beyond the OWASP Top 10. In a fast-paced tech environment, the potential attack surface increases with each release and each new app created. Using Detectify, you can monitor your subdomains for potential takeovers, remediate security issues in staging and production, and find vulnerabilities as soon as they are known, to stay on top of threats. Keep up with web security trends in 2020 with Detectify. Get a guided demo or try Detectify on your own with a 14-day free trial.

Written by: Laura Kankaala, Security Researcher

Edited by: Jocelyn Chan, Content Manager
