DATA SECURITY

Detectify Introduces an Open Source Security Tool for Ethical Hackers

Detectify | May 19, 2021

Ugly Duckling, a stand-alone application security tool specially designed for ethical hackers to make it easier for them to share their discoveries, is now available from Detectify, the SaaS security company powered by ethical hackers.

To keep on top of web application security, it's important to find web vulnerabilities as soon as they appear - before attackers exploit them. By offering ethical hackers the tools to build further test modules independently, Ugly Duckling speeds up the integration of vulnerabilities discovered by ethical hackers into automatic security tests on Detectify's platform.

When an ethical hacker discovers a loophole, he or she will create a module as a JSON file and test it in Ugly Duckling to ensure that it works. The JSON file is then implemented on Detectify's platform, allowing thousands of app owners and security teams to access the quality-checked findings. Vulnerability reports submitted to Ugly Duckling can be run live as security checks within 5-10 minutes of submission. It's a win-win situation: security and engineering teams can keep up with the latest exploitable vulnerabilities discovered in the wild, while ethical hackers can get paid more quickly.

To define the vulnerabilities, Ugly Duckling uses a custom JSON-based template format. It detects "stateless" vulnerabilities, i.e., vulnerabilities that can be discovered by analyzing the response to a single HTTP request.

Detectify crowdsources the most latest security research from ethical hackers and distributes it as payload-based tests to security engineers and application owners, allowing them to regularly check their applications for vulnerabilities.

On Github, you can find the Ugly Duckling vulnerability scanning tool, which is open-source and MIT-licensed. The Ugly Duckling web scanner is not limited to ethical hackers in Detectify's Crowdsourced network, but is open for all to use for bug bounty hunting, security research, or penetration testing, in keeping with the company's belief in a collective approach to security.

About Detectify


Detectify believes that everybody should have access to world-class cybersecurity knowledge. Detectify automates the most latest security findings from the world's top ethical hackers and delivers them to security defenders and web application teams. Detectify's security tools, which are driven by a network of hand-picked ethical hackers, check your application outside the OWASP Top 10 and help you keep on top of cloud threats.

Spotlight

This year there are some common themes that endure, so we’ll highlight these as “work in progress”. Transformations often take longer than 12 months to be identifi ed as necessary, to be executed and to become established. However, there are other themes emerging through a combination of drivers from audit, compliance security and governance that are now showing signs of infl uencing the way that cyber risks are managed in a much shorter timescale.

Spotlight

This year there are some common themes that endure, so we’ll highlight these as “work in progress”. Transformations often take longer than 12 months to be identifi ed as necessary, to be executed and to become established. However, there are other themes emerging through a combination of drivers from audit, compliance security and governance that are now showing signs of infl uencing the way that cyber risks are managed in a much shorter timescale.

Related News

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

SentinelOne LABScon Security Research Conference Unifies Private and Public Sector Through Groundbreaking Cybersecurity Discoveries

SentinelOne | September 22, 2022

SentinelOne, an autonomous cybersecurity platform company, today launched the inaugural LABScon, a conference dedicated to advancing cybersecurity research for the benefit of collective digital defense. The event features novel findings from sought-after voices in cybersecurity and groundbreaking research by leading research teams. “The goal of LABScon is to provide a venue for advanced security collaboration and community building,” said Migo Kedem, VP Growth and Head of SentinelLabs, SentinelOne. “We are pleased to unite the cybersecurity community - researchers, vendors, and practitioners - to strengthen collective understanding of the security landscape. Only through shared knowledge and collaboration will cybersecurity evolve.” The conference lineup features prominent speakers and world-class researchers presenting on today's most important cyber security topics. Conference highlights include: Mark Russinovich, Microsoft Azure CTO, presents the story of his seminal malware analysis toolkit, which transformed malware analysis and forensic investigation Dmitri Alperovitch, Executive Chairman of the Silverado Policy Accelerator and CrowdStrike Co-Founder and former CTO, discusses cyberwarfare and effective policies Morgan Adamski, Director of NSA's Cyber Collaboration Center, keynotes “Operational Collaboration: The Realities of Success” Chris Krebs, the first director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Partner of the Krebs Stamos Group, shares in-the-trenches perspectives on cybersecurity and government M.J. Emanuel, CISA Incident Response Analyst, delves into recent cyberattacks targeting satellite communications and critical infrastructure Mauro Vignati, International Red Cross, discusses the line between combatants and digital collaborators in war Thomas Rid, Professor of Strategic Studies and founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins SAIS, debuts cybersecurity discoveries Kim Zetter, world-renowned cybersecurity author, facilitates fireside chats and shares perspectives on cyberwar Kris McConkey, PwC’s Global Cyber Threat Intelligence Practice Lead, releases research detailing new activity emanating from Chinese advanced persistent threat (APT) groups Mandiant, Sophos, Volexity, BlackLotus, PwC, and Binarly drops new APT research and vulnerabilities SentinelLabs releases “Metador,” our most ambitious APT research to date LABScon is hosted by SentinelLabs, a world-class team of security researchers that identifies critical vulnerabilities, new attack vectors, malware strains, and threat actors. The event is sponsored by Stairwell, Luta Security, Cisco Talos, GreyNoise, HP Wolf Security, Aesir, Binarly, Team Cymru, and ReversingLabs. To stay updated with groundbreaking threat research and cybersecurity discoveries, visit https://www.sentinelone.com/labs/ About SentinelOne SentinelOne’s cybersecurity solution encompasses AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous XDR platform.

Read More

PLATFORM SECURITY

Zscaler Achieves Zero Trust Security-as-a-Service FedRAMP High Authorization

Zscaler | August 02, 2022

Zscaler, Inc., the leader in cloud security, today announced that Zscaler Internet Access™ (ZIA™) achieved Federal Risk and Authorization Management Program (FedRAMP) High Authority to Operate from the FedRAMP Joint Authorization Board (JAB). This federal government certification enables ZIA to meet civilian agencies’ high security requirements, as well as those of the Department of Defense (DoD) and other intelligence organizations. ZIA is currently the only Secure Access Service Edge (SASE) Trusted Internet Connections (TIC) 3.0 solution that has achieved FedRAMP’s highest authorization. FedRAMP High authorization indicates to federal decision-makers that ZIA and ZPA have undergone rigorous audits of critical security controls to protect the government’s most sensitive unclassified data in remote cloud computing environments. The company’s Zscaler Private Access™ (ZPA™), the other key component of the Zscaler Zero Trust Exchange platform, is also JAB High authorized, and along with ZIA, comprise the JAB High authorized Zscaler Zero Trust Exchange™ for federal customers. The certification confirms that ZIA can securely connect government users to external applications, including SaaS applications and internet destinations, regardless of device, location, or network, providing superior cyber and data protection for mission-critical government information. With both ZIA and ZPA now JAB-High authorized, agencies can resolve ongoing user experience and cost challenges associated with securing the explosive use of cloud-based applications. These challenges include continued poor user experience through VPNs, security risks from users who bypass VPNs leading to a lack of visibility and protection, and increased network usage costs associated with backhauling the growing volume of internet traffic flowing through the government's TIC. Since achieving FedRAMP Moderate certification in 2018, Zscaler, a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge (SSE) – a security-specific component in the SASE framework – has completed SSE deployments for more than 100 US federal government and federal systems integrator customers at the Moderate impact level. Many of these deployments supported the requirements of the Executive Order 14028, including zero trust, as well as met TIC 3.0 use cases. "This FedRAMP High authorization elevates Zscaler and our support of the US government as currently the only cloud security company with two FedRAMP High JAB authorizations in the market," said Drew Schnabel, Vice President of Federal at Zscaler. Federal agencies, DoD commands, and federal contractors can now take full advantage of the Zero Trust Exchange at the JAB High or Moderate level. Customers can align their security posture with their workload requirements and meet Executive Order 14028 zero trust goals at all levels available under the FedRAMP program. “Delivering zero trust and SASE through FedRAMP authorized platforms at the highest impact levels is crucial for the security of our nation's future. “Zscaler committed to our customers that we would deliver a comprehensive zero trust and SASE platform at the High and Moderate baseline levels. Today, we are proud to announce we have met that commitment. The Zscaler team continues to follow the guidance of Executive Order 14028, CISA’s TIC 3.0 and zero trust use cases, DOD/DISA’s National Defense Authorization Act, and our customers and partners. We are delivering FedRAMP High authorized cloud platforms, while helping agencies modernize and transform their legacy cybersecurity environments to cloud-based SASE and zero trust solutions.” Stephen Kovac, Chief Compliance Officer at Zscaler “FedRAMP High is a must-have for many federal agency deployments,” said Zeus Kerravala, Founder and Principal Analyst at ZK Research. “We see more and more CISOs and CIOs across state and local government, education, and the private sector recognizing the value of a third-party validated security assessment.” The Zero Trust Exchange is a cloud-native security platform that securely connects any user, device, and application, regardless of location. Following the principle of least-privileged access, the platform establishes trust through user identity and context – including location, device, application, and content – and then creates secure, direct connections based on policy enforcement. The platform supports IT federal mission transformation by reducing costs, eliminating the internet attack surface, and preventing lateral movement of threats while providing an excellent user experience. The Zscaler Zero Trust Exchange is powered by the world’s largest security cloud, with more than 10 years of operational excellence enabling the processing of more than 240 billion daily transactions and stopping over seven billion threats and policy violations per day for the largest, most demanding organizations around the globe. Today’s news builds on recent announcements including: Zscaler Private Access Achieves DoD Impact Level 5 (IL5) Zscaler is chosen to run a pilot program in support of Executive Order 14028 by the National Institute of Standards and Technology (NIST) Zscaler is First Zero Trust Remote Access Cloud Service to Achieve FedRAMP-High JAB Authorization ZIA™ receives Authorization to Operate (ATO) at the Moderate Impact level Zscaler is a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge (SSE), following up 10 consecutive years as a Leader in the Gartner Magic Quadrant for Secure Web Gateway About FedRAMP FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA. In addition to the JAB, other organizations such as OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) also play key roles in effectively running FedRAMP. Using a “do once, use many times” framework, the program ensures information systems/services used government-wide have adequate information security; eliminates duplication of effort and reduces risk management costs; and enables rapid and cost-effective procurement of information systems/services for federal agencies. About Zscaler Zscaler accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.

Read More

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

Apiiro to Sponsor Cloud Native SecurityCon and KubeCon + CloudNativeCon North America

Apiiro | September 12, 2022

Apiiro, the leader in Cloud-Native Application Security, today announced it is a platinum sponsor of Cloud Native SecurityCon, an event designed to foster collaboration, discussion and knowledge sharing of cloud native security projects to address security challenges and opportunities. The in-person event takes place October 24-25, 2022 in Detroit, MI and will showcase breakthrough technology and advances in modern cybersecurity approaches including secure software development and supply chain security. Cloud Native SecurityCon is co-located at KubeCon + CloudNativeCon, the Cloud Native Computing Foundation's flagship conference. Apiiro executives including VP of Security Research Moshe Zioni will be in attendance to discuss how Apiiro is accelerating secure software delivery by addressing critical risks in cloud-native applications. KubeCon attendees can also meet with Apiiro executives to learn more about the code risk platform by visiting booth SU63. About Apiiro Apiiro helps security and development teams proactively remediate risk before releasing to the cloud. Backed by Greylock and Kleiner Perkins.

Read More