API Security Weekly: Issue 162

This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API security training course from AppSecEngineer.

Vulnerability: Compromised Google Cloud Accounts Used to Mine Cryptocurrency

The main story this week comes from HackerNews and describes how attackers are able to exploit improperly secured Google Cloud Platform (GCP) tenants. The impact on affected users included compromise of their cloud resources (for example, attackers uploading cryptocurrency mining software) as well as ransomware and phishing attacks.

5 Best Practices for Succeeding at Developer-First Application Security

Advances in developer tools, containers, code repositories, and more enable developer teams to deliver software at an unprecedented pace. However, application security teams are often understaffed, underfunded, and laboring to keep pace with software development. One demonstrated strategy that helps AppSec teams keep up and even provides them time for high-value security tasks is to shift security left in the development cycle. 

Creating a developer-first approach to security, or in other words shifting security left, requires that developers become accountable for producing secure code. Since security is not the typical developer's area of expertise, application security engineers assume the role of providing the oversight and guidance needed to enable developers to succeed.

4 Benefits of Empowering Your Team’s Security Champions

In today’s software development culture, there is an ever-increasing need for management to drive empowerment within their teams. You need to seek out, identify, and empower someone who can act as your team’s security champion. Find at least one champion to start, and add more if they are available. As you grow, you may even consider assembling a Security Champions team. 

What Makes a Security Champion?

Security champions should have some security background or knowledge of cyber security, as well as being willing, able, and motivated to learn much more. Your champion can be a current team member or a qualified contractor/consultant, but they must have a deep knowledge of the team's goals. A security champion needs to be a positive person who can offer diligent observations and constructive suggestions to the team.

STRIDE Threat Modeling: What You Need to Know

Threat modeling is the ultimate shift-left approach. It can be used to identify and eliminate potential vulnerabilities before a single line of code is written. Employing threat modeling methodologies should be your first step toward building networks, systems, and applications that will be secure by design. STRIDE is a model of threats that can be used as a framework for ensuring secure application design.

Part II: Secure Coding Made Easy: 5 Tips to Integrate Security into Development

You’ve heard it before: it’s time to get serious about security. Cyber threats aren’t slowing down, which means security must become a critical part of your job as a developer. But it’s not always easy to fix your code during or after release to production, especially when you have to stop and search for knowledge resources. That’s where secure coding best practices and fine-tuned training meet to set you up for success.

In part one of this two-part guide, we broke down best practices like parameterizing your queries to avoid SQL injection and encoding your data to address the three main classes of Cross-Site Scripting (XSS). For part two, we’re diving into five additional tips and best practices, from protecting data to leveraging existing frameworks securely.
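As an added illustration of the two part-one practices recalled above (this is example code written for this digest, not code from the original article), the snippet below places a string-concatenated query beside its parameterized form and shows HTML output encoding for the body context. The table, usernames and the probe string are constructed sample data; the function names are ours.

```python
import sqlite3
import html


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],  # constructed sample rows
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: user input is spliced into the SQL text, so the
    database parses attacker-controlled characters as part of the statement."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized pattern: the value is bound by the driver and is never
    interpreted as SQL, whatever characters it contains."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def render_greeting(username: str) -> str:
    """Output encoding for the HTML body context. html.escape with quote=True
    also encodes quotes, so the same helper is safe inside quoted attributes.
    JavaScript and URL contexts need their own encoders, not this one."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # constructed input that closes the quoted literal
    print("unsafe:", lookup_user_unsafe(db, probe))  # every row comes back
    print("safe:  ", lookup_user_safe(db, probe))    # no such username: []
    print(render_greeting("O'Neil"))
```

Run it once to see the two query styles diverge on the same input; the parameterized version simply finds no user with that literal name, which is the behaviour you want from any lookup that touches untrusted data.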

Why Application Flow Maps Are the Coolest Feature in Application Security

Application flow maps are the cool feature you can use to find that needle in a haystack: how does my running app work, and what does my app connect to?

How Can Enterprise Teams Understand Application Flows?

Developers will often architect systems that cater only to business requirements and skip identification of security threats and vulnerabilities until later on when it's much more costly. Enterprises can improve overall protection and understand app flows by gathering an accurate asset inventory with connection discovery—basically mapping out your running apps and data flow—and along the way help reduce developer remediation times, security response efforts, and avoid the many costs associated with breach events.

Incident Response Requires a New AppSec Model

Incident response found its way into our technological vernacular back in 1988 when the first internet worm — dubbed “The Morris Worm” — was released. In response, the Computer Emergency Response Team/Coordination Center (CERT/CC) was formed by DARPA.

The goal of this nascent organization was to provide a central hub for communicating and coordinating a response to security incidents. In a nutshell, the goal of incident response is to quickly contain and mitigate an incident, with an impetus to limit damage while reducing recovery time and costs.

Shifting Left Is Not Enough: Why Starting Left Is Your Key to Software Security Excellence

In a digitally driven world, we are at an ever-increasing risk of data theft. With large organizations acting as the gatekeepers of our precious information, many are recognizing the need to implement stringent security standards.

Much of the initiative around shifting left, that is, introducing security much earlier in the development process, simply doesn't move the needle far enough. There is an implication there that we are still beginning the process the wrong way, ultimately backpedaling to achieve the outcome of more secure software. We must start left, enacting a cultural shift that positively engages development teams and arms them with the knowledge they currently lack. However, all training and tools are not equal. In this article, we explain the ways you can truly empower the development team, transforming them into your defensive front-line against costly cyberattacks.