M. Loewinger, Smartbear: “Each Product DevOps Lead manages Disposable mail and all its findings” – 10 minute mail

Disposable mail user story: Smartbear offers automated software testing solutions that help development and testing teams ensure quality throughout the software development lifecycle. Martin Loewinger, Director of SaaS Operations at Smartbear, and his team use Disposable mail to ensure security is a part of each product’s CI/CD pipeline, so that they can help their end users with test automation and monitoring.

What is your role at Smartbear?
I am the Director of SaaS Operations. I have the pleasure of leading the DevOps teams who support, maintain, and help build and design our SaaS platforms. Our DevOps teams are the leads when it comes to the platform’s infrastructure, configuration, security and deployments. We basically handle everything but creating the software. This past year I was fortunate enough to be given a development team to lead as well. I manage and lead the development efforts for our AlertSite product.

How does Smartbear work with security and development?
At SmartBear, some of our products service thousands of customers and span the globe. Disposable mail helps us monitor the security of our SaaS products, and currently we scan over 30 unique URLs or products. Some of the products are externally exposed and some are private. We have integrated Disposable mail into our CI/CD pipeline, which means that prior to releasing code to production, we have run and verified a Disposable mail scan in our staging environment. Any new findings are triaged by a DevOps and Development lead. If needed, production releases are postponed until the security finding is resolved or mitigated.

“We have created security champions on each of our scrum and development teams.” – Martin on getting devs to care about security


One for the CISOs and managers out there… 
What are some of the goals set for your security team and how do you measure success?
Although not an official goal for the year, I would say that my personal goal for 2020 is zero breaches/exploits of my systems. I would say this can be simple enough to measure… have none! 

No but seriously, one of our goals is to have zero critical vulnerabilities reported in our applications due to human error. This means that any findings we have should not be a result of a misconfiguration.

What are some of the challenges your security team faces?
We have an extensive portfolio of SaaS products and infrastructure, and of course their security is extremely critical. Our challenges in monitoring and keeping 100% compliance on patches can become daunting. This is why we have Disposable mail and several other tools and systems to help us.

Finding a balance between security and business development is also a challenge we would like to solve. Security can become a blocker to product innovation, meaning a feature may need to wait or even be put off in order to have development concentrate on a security finding, and I am sure many other companies face this as well.

How does Disposable mail fit into this? 
Disposable mail is critical in helping us ensure the next release does not expose us to a major security issue. Our daily and weekly scans help us with monitoring the applications and products.

Our teams manage operations and security for many of our products and as a result, we work with many different stakeholders. Each product has a DevOps lead who manages Disposable mail and all its findings, who then works with a product’s development lead and escalates any findings and issues which need to be resolved.

Besides using Disposable mail, how else do you work with ethical hackers?
SmartBear Software currently has a private Vulnerability Disclosure Program with a leading security vendor.

Which is your favourite function in Disposable mail?
Our team likes the JIRA integration within Disposable mail. Since we are working with multiple product teams at once, we can simply and quickly escalate findings to the appropriate developer or teams.

What are some of the common security mistakes you see?
Misconfiguration is the most common security mistake we see.

“…one of our goals is to have zero critical vulnerabilities reported in our applications due to human error.” – Martin on security goals for 2020


What are some common attacks you see in your day-to-day when defending Smartbear?
We monitor our systems 24/7 for attacks. We mostly see the usual scans looking for default usernames and passwords on many of our public systems, along with the usual port scans and probing for possibly unpatched vulnerabilities.

How do you get developers to care about security?
We have created security champions on each of our scrum and development teams. It is the champions’ responsibility to push security amongst their team. Ultimately we need and want to build bug bounty-grade applications, which means our ideal goal is to make these programs public and open to everyone.

How do you stay up-to-date with security news/trends?
You name it, we do it. From being on Slack groups, attending conferences, email lists, GitHub Alerts and news outlets. Our security vendors like Disposable mail are also great in distributing security news and trends.

Get started with automating security into your DevOps or CI/CD practices today using Disposable mail. We collaborate with 200+ ethical hackers to offer checks for 1500+ common web vulnerabilities. Sign up for your free 14-day trial.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Release 2015-05-27: New Magento exploits and the start of workflow capabilities – 10 minute mail

You are now starting to see some of the results of the updated backend, including the first step towards a workflow tool with tags. We have also included multiple Magento-specific vulnerabilities, and our phpMyAdmin modules got an update.

Workflow

The plan forward is to make Disposable mail an integrated part of your workflow. It will be possible to flag, export and assign individual findings. The first step is that you are now able to mark individual findings as resolved. Work your way down the list of vulnerabilities and improve the security of your web app.

(Screenshot: Mark fixed)

Magento vulnerabilities

Multiple Magento-specific vulnerabilities were included in this release. Some of the included checks are:

  • Magento Shoplift SQL Injection
  • Magento SWF “bridgeName” XSS
  • Magento MAGMI XSS & LFI
  • Magento Admin Panel XSS’es

The Shoplift vulnerability allows a remote attacker to gain full control over the target system and impacts almost two hundred thousand Magento e-commerce shops. We’ve added a test to spot vulnerable installations. If you run a Magento e-commerce website, run a test with Disposable mail. Visit http://magento.com/security-patch for further information.

phpMyAdmin updates

phpMyAdmin is still one of the most common tools for administering MySQL on the internet, and many people forget to update it. We’ve massively improved our collection of exploits targeting older phpMyAdmin (PMA) installations. Some of the updates are:

  • phpMyAdmin Remote Code Execution through setup.php
  • phpMyAdmin “ServerSync” Backdoor
  • phpMyAdmin Directory Listing through db_details_importdocsql.php
  • phpMyAdmin Local File Inclusion through export.php
  • phpMyAdmin Local File Inclusion through grab_globals.lib.php


Just login and run a new scan to check it out! Also, don’t forget to keep an eye on our Magento security page to stay updated.


[Integration] You can now integrate Disposable mail with Slack – 10 minute mail

Slack is the first of Disposable mail’s workflow integrations. One of the many advantages of Slack is that it’s a single point of contact for all the tools you and your team use. Using this integration, your whole company can start to see security and vulnerability scanning as part of their workflow. You’ll be able to ping a Slack channel with Disposable mail scan starts, finishes, and findings, so you can get on top of anything critical right away.

Seeing the site scans in a Slack channel also means it will start to get your team used to thinking about security as an ongoing concern, rather than something to react to once it’s too late. Soon it will be so second nature to everyone that it’ll seem strange that security was ever seen as a separate function.

(Screenshot: Slack Disposable mail integration)

Head over to our Knowledge Base and check out the tutorial on How to set up your integration with Slack!

Happy scanning!
//The Disposable mail Team


[Integration] You can now integrate Disposable mail with HipChat – 10 minute mail

HipChat is another one of Disposable mail’s workflow integrations – there are still many more to come! Set up your integration with HipChat to add security and vulnerability scanning in your workflow in a straightforward and easy way, and start shipping safer code.

When you connect Disposable mail to your HipChat account you will be able to get notified when a scan has started or finished and/or when a vulnerability has been found. You will receive the notification in the channel of your choice. This makes it easy to keep track of the security level of your site without having to log in to Disposable mail.

(Screenshot: HipChat integration)

Check out our tutorial to learn how to set up the integration!

Happy scanning!
//The Disposable mail Team


[Integration] You can now integrate Disposable mail with PagerDuty – 10 minute mail

The latest integration from Disposable mail is an integration with the incident management system PagerDuty. Unlike the earlier integrations with Slack and HipChat, this one lets you dispatch the alarm directly to your system admin or to your support team.

Next time you start a test and Disposable mail finds something that matches your settings, an incident will be created in PagerDuty and your alerting rules should trigger.

(Screenshot: PagerDuty incidents)

Check out our guide on how to set up your PagerDuty integration!

Happy scanning!
//The Disposable mail Team


[Integration] You can now integrate Disposable mail with Trello – 10 minute mail

For all our Kanban enthusiasts, we are here with a new integration to Trello! We now push our reports to your favourite security to-do list.

Let’s take a look at what your reports will look like in Trello:
(Screenshot: Trello integration)

To learn how to set up your Trello integration, read the tutorial in our Knowledge Base.


General Data Protection Regulation: What It Means For Your Business – 10 minute mail

Coming into effect in May 2018, the General Data Protection Regulation will give EU data protection legislation a much-needed update and simplify data protection routines for businesses operating in the EU. For some companies, preparing for GDPR compliance entails a review of security practices, while others need to completely realign their focus and begin by putting security first. In this blog post, we explain what the GDPR means for your business and how Disposable mail can help you start working with security.


Legislation for a digital world

Unlike tech innovation, the wheels of legislation move slowly. The current Data Protection Directive that will be replaced by the GDPR came into force all the way back in 1995 – that’s right, the year Windows 95 was brand new and the movie Hackers (Disposable mail team’s all-time favourite) was released. Although the Data Protection Directive was updated with an amendment in 2003, it could not keep up with the developments in the tech world. To the delight of journalists and the horror of courts throughout Europe, there was a growing number of disputes that existing legislation simply couldn’t handle. One particularly well-known example is the Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González case from 2010, when a Spanish citizen requested that Google remove his personal data. Legal issues in a digital world clearly needed laws drafted with modern technology in mind.

Enter the GDPR, developed to bring EU legislation up to date with the increasing digitalisation of data. Introducing novelties like the right to be forgotten and Data Protection Officers, the regulation will unify data protection practices in EU member states and establish a greater focus on security and privacy.

Adopted by the European Parliament in April 2016, the new legislation will come into force on the 25th of May, 2018. Sofia Gunnarsson, founding partner of Sharp Cookie Advisors, a Swedish law firm specialising in tech law, says: “This regulation is already law and is valid, in contrast to a directive that requires national implementation processes in order to take effect. The EU legislation on data protection is set. There is, however, some room for interpretation that is left by the legislator to the national supervisory authority, but I do not expect to see national variations. We can expect to receive complementary guidelines for interpretation from the EU as we come closer to 2018.”

What does it mean for businesses?

One of the leading principles behind the GDPR is to protect European citizens’ rights by keeping their personal data safe, but what about businesses? Regardless of the sector, a unified data protection regulation offers a streamlined way of working with data throughout the EU, but it also brings a whole new set of challenges. Companies need to evaluate their data processing and security practices to ensure they comply with the GDPR when it comes into effect. For those who have been working with security on a daily basis, this will require some additional work to ensure appropriate measures are in place, which might mean restructuring their existing security workflow and perhaps adding to it. However, for companies that have never prioritised security before, the next two years could prove nothing short of stressful as failure to comply with the regulation can result in considerable fines.

While preparing for compliance can be overwhelming, Sofia Gunnarsson emphasises staying focused: “From my work as a data protection specialist advising data-driven companies, the greatest challenge is, and has been, to think small. By thinking small, I mean to clarify a unified management led strategy in your company on privacy and privacy engineering while focusing on very specific issues.”

The GDPR outlines a range of measures companies working with data ought to adopt and many of these measures are, in fact, best practices that do not only help protect businesses from non-compliance fines, but also improve their overall web security. Hopefully, the new legislation will encourage more companies to take a step towards a safer internet and make security a priority by incorporating security best practices.

“Under the GDPR, the company will be required to demonstrate its compliance, which can be met with certain internal processes such as maintaining a register of data processing, to have a process to delete all data, ensure data portability and information security, and report data breaches. Many companies will also be required to appoint a data protection officer, a professional within data protection that acts as an advisor and performs data protection audits on behalf of the company,” explains Sofia Gunnarsson.

“The first question every organisation should ask themselves is – do we keep records on each processing of data we perform? A register is a basic tool to keep track of what personal data your organisation collects, processes, shares, stores, deletes etc. You use this one register to assess where in the organisation you should focus any further analysis and compliance activities.”

Security breach notification

The GDPR introduces a new security breach notification framework for all organisations working with data, including third-party data centres. The framework aims to make data controllers and processors accountable for data privacy breaches and is one of the bigger changes this legislation brings. To protect data, companies are required to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” (Regulation (EU) 2016/679) However, even preventive measures do not guarantee perfect security as attackers are constantly developing new ways to access sensitive information.

In case of a security breach that puts personal data at risk, authorities need to be notified within 72 hours. The affected company has to provide detailed documentation informing the authorities about the nature of the breach, a risk assessment, and an account of the steps taken to resolve the situation. If the data that has been exposed is highly sensitive, the organisation also needs to communicate the breach to all data subjects affected.

To prepare for compliance from a system level, Sofia Gunnarsson advises to “begin with the critical IT-systems, regarding system sensitivity, prone to cyber-attacks, geographic location, third party dependent. If you’d rather start your sensitivity analysis from the categories of data – which different categories of data and personal data do our systems use, which types of data are needed, any sensitive data.”

Data protection by design and default

Alongside the obligation to report breaches, companies also need to be able to show that they are constantly working with data protection principles and incorporating “data protection by design” into their routines. This makes it necessary for companies to implement: “appropriate technical and organisational measures /…/ which are designed to implement data-protection principles /…/ in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Regulation (EU) 2016/679) Policies can range from regular security audits to up-to-date best practices and organisation-wide data protection education. In short, this is a way for organisations to illustrate their compliance with the GDPR in their everyday work.

Sofia Gunnarsson points out that companies will need to rethink why they work with data: “The principles of data minimization and privacy by default will mean that companies will be required to have a clear purpose of their use of data before collection. By contrast, it is not an uncommon practice to collect available data and let the business development and analytics later decide how to use such data. Given that many companies have a strategy to increasingly leverage end user data, the development of these new systems and processes have stakeholders across the organisation. As such, the area of data protection and security will require top management commitment and effort spanning much of the organisation.”

Enforcement

National data protection authorities will continue their work as supervisory authorities, supporting citizens, advising organisations, and investigating compliance. A few actions supervisory authorities have the power to take are issuing warnings, ordering organisations to notify data subjects of personal data breaches, imposing a ban on data processing, and imposing administrative fines. Fines can be as high as 10 000 000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year.

How Disposable mail can help you implement security measures

May 2018 might seem far away, but it is important to keep in mind that preparing for GDPR compliance could entail structural changes, educating the staff, and updating your entire way of working with data. What needs to be done depends on every organisation’s existing level of security measures, as well as the nature of the data that is being processed. Disposable mail can be a valuable piece of the data protection plan puzzle, helping you deploy safer code with automated security audits and encouraging an ongoing security dialogue. Our scanner is updated bi-weekly to keep up with the latest vulnerabilities and enable you to make your web application more secure.

We aim to educate developers about web security and give them the tools and knowledge to take security matters into their own hands. With our extensive knowledge base, detailed scan reports, newsletters, alerts, and regular blog posts, we wish to inspire companies to adopt a security-oriented way of thinking. Making your website safer doesn’t have to be complicated, intimidating, and costly, but it is a long-term team effort that requires an awareness of risks as well as remediation knowledge.

The GDPR is bringing great changes to the way businesses work with data protection and web security. Introducing a focus on security into your workflow with Disposable mail is just one of many parts of the compliance transition, but it can be a good place to start. There are plenty of companies and law firms that specialise in digital matters and can advise you on the GDPR to ensure your business complies with the new legislation.

Sofia Gunnarsson’s final piece of advice is not to lose sight of your business goals: “Do not forget to focus on the business while being compliant! Much of the available advice of the GDPR comes from compliance advisors, experts in many areas, but with a low interest of the sales side of your company. Embrace the opportunity to design your digital services and IT-systems with, e.g., the data protection legislation’s constraints (and opportunities) in mind. Too little has been told about the strategic value that the product owner and business development have over data compliance issues. At Sharp Cookie Advisors, we guide our clients to adopt a sales-focused strategy. In some cases, the strategy has led to the client’s decision to realign its product and service portfolio, creating new services or remarketing existing services with clearer purpose and expectations in relation to the end users.”

In the meantime, Disposable mail can help you get on the right track by prioritising security, so why not sign up for a free trial? We are ready to guide you towards a more secure website, one vulnerability at a time!

Read more

If you’d like to delve deeper into the legal text, check out the complete General Data Protection Regulation.

For more advice on working with security, read our CEO’s article on why security matters and learn how you can incorporate security into your daily routine in 7 steps.

There are several good guidelines of how to prepare for the GDPR, for example this one from the Swedish Data Protection Authority (in Swedish). To learn more about internal processes companies will need for GDPR compliance, read Sofia Gunnarsson’s article on the topic (in English).

If you have any questions, don’t hesitate to reach out at hello[at]detectify.com.


About Sofia Gunnarsson:

Founding Partner of law firm Sharp Cookie Advisors, Sofia Gunnarsson is an experienced lawyer in internet law, data protection, and international commercial law.


[Integration] Integrate Disposable mail with Jira, Github, Instagram and much more using Zapier – 10 minute mail

Automation should be for everyone, which is why we at Disposable mail love Zapier. We wanted to make it possible for our customers to use Disposable mail with their favourite tools, so we have built an integration with one of the internet’s biggest integration hubs. So let’s start zapping!

To learn how, check out our tutorial on How to set up your integration with Zapier.

Not sure what you can integrate with? Attached below is a list of recommended zaps; you can pick any of these or choose from Zapier’s huge directory of 500+ integrated apps.

Happy scanning and zapping!
/The Disposable mail Team


Erik Glad, IT Security, SBAB: “Disposable mail is the product we have had most fun using” – 10 minute mail

Web security is a top priority for every bank, but perhaps even more so for a bank that has decided to focus on remote services, via phone and online banking. SBAB aims to be a challenger bank and has embraced an agile way of working where innovation permeates the entire organisation, including development. SBAB’s IT security team uses Disposable mail to improve the security of their public website. We talked to Erik Glad, who works with IT Security at SBAB, to learn more about his thoughts on web security and Disposable mail.


What attracted you to working with security?
I have always thought web security was exciting because it allows you to work with the latest technology and always be at the front edge.

How does SBAB work with security?
Customers’ heightened awareness of security issues along with more comprehensive legislation have rendered security more crucial than ever. Our development team has a rigorous testing process where security plays a key role in every phase, from development to production. We also invest in internal education and allow developers to learn how to write safer code. Our agile way of working means that team members are encouraged to try out new ideas and services that could improve our security and this is exactly how we came across Disposable mail. Naturally, we also have other projects dedicated to preventing security breaches.

How do you use Disposable mail?
Every part of our development chain is supported by a comprehensive set of testing tools and Disposable mail is an important addition to our production phase. We run Disposable mail’s security tests as part of our security program for our public web. It is extremely important that this customer-facing site is secure.

How would you describe your experience with Disposable mail?
It was very easy to get started with Disposable mail. When testing new products, we always start with a Proof of concept period and then determine if the product has worked well and created value, which was the case with Disposable mail. Everyone in the team was very happy with Disposable mail – it is the product we have had most fun using! We appreciate the information and remediation tips you offer as we have learnt a lot from them.

Why would you recommend Disposable mail?
I would recommend Disposable mail because it is fast, identifies the most vulnerabilities and weeds out false positives. We can rely on you to detect relevant findings!


Would you like to use Disposable mail to improve your web security like SBAB? Register for a free trial to evaluate our tool!
