DATA SECURITY

Detectify Introduces an Open Source Security Tool for Ethical Hackers

Detectify | May 19, 2021

Ugly Duckling, a stand-alone application security tool specially designed for ethical hackers to make it easier for them to share their discoveries, is now available from Detectify, the SaaS security company powered by ethical hackers.

To keep on top of web application security, it's important to find web vulnerabilities as soon as they appear - before attackers exploit them. By offering ethical hackers the tools to build further test modules independently, Ugly Duckling speeds up the integration of vulnerabilities discovered by ethical hackers into automatic security tests on Detectify's platform.

When an ethical hacker discovers a loophole, he or she will create a module as a JSON file and test it in Ugly Duckling to ensure that it works. The JSON file is then implemented on Detectify's platform, allowing thousands of app owners and security teams to access the quality-checked findings. Vulnerability reports submitted to Ugly Duckling can be run live as security checks within 5-10 minutes of submission. It's a win-win situation: security and engineering teams can keep up with the latest exploitable vulnerabilities discovered in the wild, while ethical hackers can get paid more quickly.

To define the vulnerabilities, Ugly Duckling uses a custom JSON-based template format. It detects "stateless" vulnerabilities, i.e., vulnerabilities that can be discovered by analyzing the response to a single HTTP request.
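To make the "stateless" idea concrete, here is an added illustration (not Ugly Duckling's code, and not its real template schema; the JSON field names `request`, `matchers`, `part`, `type` and `value` are assumptions made for this example). A module describes one request and a set of conditions on the single response; the runner reports a finding only when every condition holds. The sample module flags a verbose error page that leaks a framework stack trace, and the two HTTP responses are constructed inline so the code runs offline.

```python
import json
import re
from dataclasses import dataclass, field

# Hypothetical module format (an assumption for this example, not the
# Ugly Duckling schema): one request, several matchers on its response.
SAMPLE_MODULE = json.dumps({
    "name": "verbose-error-page-stack-trace",
    "severity": "low",
    "request": {"method": "GET", "path": "/api/items?id=%27"},
    "matchers": [
        {"part": "status", "type": "equals", "value": 500},
        {"part": "body", "type": "regex",
         "value": r"Traceback \(most recent call last\)"},
        {"part": "header", "name": "content-type",
         "type": "contains", "value": "text/html"},
    ],
})


@dataclass
class HttpResponse:
    """Minimal captured HTTP response: the only state a stateless check sees."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), "")


# Constructed sample responses (not real traffic).
VULNERABLE_RESPONSE = HttpResponse(
    status=500,
    headers={"Content-Type": "text/html; charset=utf-8"},
    body="<pre>Traceback (most recent call last):\n"
         '  File "app/views.py", line 42, in get_item\n'
         "sqlite3.OperationalError: unrecognized token</pre>",
)
HARDENED_RESPONSE = HttpResponse(
    status=500,
    headers={"Content-Type": "application/json"},
    body='{"error": "internal server error", "id": "req-0001"}',
)


def _matcher_hit(matcher: dict, resp: HttpResponse) -> bool:
    """Evaluate one matcher against one response part."""
    part = matcher["part"]
    if part == "status":
        actual = str(resp.status)
    elif part == "body":
        actual = resp.body
    elif part == "header":
        actual = resp.header(matcher["name"])
    else:
        raise ValueError(f"unknown response part {part!r}")

    mtype, value = matcher["type"], matcher["value"]
    if mtype == "equals":
        return actual == str(value)
    if mtype == "contains":
        return str(value) in actual
    if mtype == "regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown matcher type {mtype!r}")


def evaluate_module(module_json: str, resp: HttpResponse) -> dict:
    """Run a module against a single response; a finding needs all matchers to hit.

    Only one request is allowed: anything that needs a login step or a
    second request is, by definition, not a stateless check.
    """
    module = json.loads(module_json)
    if "request" not in module or not isinstance(module["request"], dict):
        raise ValueError("module must describe exactly one request")
    matchers = module.get("matchers") or []
    if not matchers:
        raise ValueError("module needs at least one matcher")
    hits = [_matcher_hit(m, resp) for m in matchers]
    return {"name": module["name"], "matched": all(hits), "per_matcher": hits}


if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, evaluate_module(SAMPLE_MODULE, resp))
```

Requiring every matcher to hit (status, body and header together) is what keeps the false-positive rate of such a check low; a body regex alone would also fire on a documentation page that happens to quote a stack trace.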

Detectify crowdsources the latest security research from ethical hackers and distributes it as payload-based tests to security engineers and application owners, allowing them to regularly check their applications for vulnerabilities.

On GitHub, you can find the Ugly Duckling vulnerability scanning tool, which is open source and MIT-licensed. The Ugly Duckling web scanner is not limited to ethical hackers in Detectify's Crowdsource network but is open for all to use for bug bounty hunting, security research, or penetration testing, in keeping with the company's belief in a collective approach to security.

About Detectify

Detectify believes that everybody should have access to world-class cybersecurity knowledge. Detectify automates the latest security findings from the world's top ethical hackers and delivers them to security defenders and web application teams. Detectify's security tools, which are driven by a network of hand-picked ethical hackers, check your application beyond the OWASP Top 10 and help you keep on top of cloud threats.

Spotlight

In the evolution of Internet-based technologies, Web 2.0 introduced popular decentralized services that accelerated interactivity between websites and users. Looking to capitalize on this innovation, businesses rushed to launch applications to the market. However, both the Web 2.0 architecture and dependent businesses failed to incorporate key security principles into the design and implementation of these services, resulting in critical vulnerabilities.

Related News

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

Neosec Introduces Automated Tokenization to Enable Full API Visibility Without Exposure of Sensitive Data

Neosec | November 16, 2022

Neosec, the pioneer in discovering and identifying API threats using behavioral analytics, today announced that it now tokenizes API activity data to enable organizations to fully see and store API data, removing the possibility of keeping sensitive data at rest.

Today, many organizations are blind to the threats lurking within their API traffic. Even worse, organizations are forced to implement basic logging of their API traffic that doesn't contain meaningful information about who accessed what, which records were accessed or manipulated, and how. There exists a justified fear of logging sensitive data or being out of compliance, and with the lack of technology that can perform it at scale, they prefer to log with low fidelity. Those logs tell you that "somebody modified or accessed a record" but typically don't disclose who accessed it, which record, or what action was performed. This decision also results in a downstream issue of "insufficient logging", which is noted by the Open Web Application Security Project as one of the top security problems in its 2021 OWASP API Top 10. "Insufficient logging" is poor for incident forensics and, in practice, means that you can't detect abuse or investigate a case, even if you know it happened.

Tokenization is the process of substituting a sensitive data element, like a credit card number, with a non-sensitive equivalent that has no intrinsic or exploitable value or meaning. Neosec's automated tokenization is part of its 'privacy by design' philosophy and is already deployed successfully at customers around the world in financial services, insurance and hospitality companies, among others. The process allows retaining tokenized API activity data for the purposes of performing true behavioral analytics over time, ensures that sensitive data is never stored at rest, and enables only the customer to de-tokenize, based on the strictest data privacy practices.

"Solving API security starts with basic visibility and the ability to see how the APIs are used. The problem is that virtually every company logs API activity with low fidelity that doesn't enable this basic visibility. In order to perform true behavioral analytics and investigate cases you must store and examine historical data. But if this analysis is performed on un-tokenized data you risk storing PII and creating compliance issues. Neosec successfully retains all API activity data, in the highest fidelity, and ensures it meets data privacy standards."

Giora Engel, co-founder and chief executive officer, Neosec

This focus on data and the visibility it brings is what previously defined the creation of the EDR (Endpoint Detection & Response) security space. "Trying to implement API security without enabling basic visibility of activity is like going back to the antivirus age before the advent of EDR. Visibility into API activity allows you to detect threats, understand behavior, investigate and remediate," said Engel.

The Neosec API security solution discovers and maintains an up-to-date inventory of all APIs in use by an organization and then uses machine learning and behavioral analytics on tokenized data to find fraud and abuse by third parties and attackers. Neosec also enables proactive API threat hunting and investigations without storing any sensitive data. The automated API data tokenization is now a capability of the Neosec platform and is fully available. There is no extra cost for use of this unique capability.

About Neosec

Neosec is re-inventing application security with a powerful platform that unifies security and development teams to protect modern applications from threats. The foundation of the SaaS platform is built on data and analytics to manage security at scale. Neosec prevents threats from abusing the complex network of APIs that connect today's businesses. The platform helps organizations discover every API and audit risk. Neosec has pioneered the use of behavioral analytics to understand normal versus abnormal API usage and delivers powerful threat hunting capabilities together with a team of expert threat hunters. Neosec prevents threats and stops abuse hiding within APIs and brings new intelligence to application security. Neosec is based in Palo Alto, California, with R&D in Tel Aviv, Israel.

Read More

ENTERPRISE IDENTITY,PLATFORM SECURITY,IDENTITY MANAGEMENT

Simeio and SailPoint Partner to Provide Enterprise Identity Security

Simeio | December 27, 2022

A business needs to manage and protect the digital identities of its employees, contractors, partners, and customers. Enabling the right individuals to access the right resources at the right times for the right reasons, with secure access control, is needed for organizations to keep their vital information safe and secure at all times. In this regard, Simeio provides identity and access management (IAM) solutions. Using intelligent solutions, enhanced cybersecurity measures are enforced on systems with cloud identity security services.

Simeio, a leader in the cybersecurity industry when it comes to identity and access management (IAM) services, has announced a partnership with SailPoint, a leader in enterprise identity security. The goal of the partnership is to improve the security and protection of the companies' identities by using enterprise identity governance controls and best-in-class technologies. The partnership will also allow clients to simplify, automate, and enable their identity governance and administration (IGA) programs, providing continuous threat protection and improving the maturity of identity processes across enterprises. Simeio plans to bring over 50 SailPoint-certified identity experts to the partnership.

The clients of both companies will benefit from the identity convergence capabilities of the Simeio IO platform, which brings together IGA, access management, and privileged identity functions to deliver cross-domain identity analytics. Through this partnership, organizations will also be able to update their identity security services in the cloud.

"The global identity and access management (IAM) market is expected to grow from USD 14.82 billion in 2020 to USD 31.74 billion by 2025, at a CAGR of 16.7% during the forecast period, as per Marketsandmarkets."

Companies are adopting more identity security and access management solutions as cyber threats and data breaches grow worse. Artificial intelligence, machine learning, IoT compatibility, decentralized identity systems, and the use of innovative biometric authentication mechanisms are all part of the future of identity security.

About Simeio

Simeio is a global managed services provider that offers identity and access management solutions as a service. Simeio's 700+ employees secure 160 million identities for businesses and governments. Simeio offers Customer Identity & Access Management, Privileged Access Management, Identity Proofing, Access Management & Federation, Identity Governance & Administration, and Application Onboarding. Gartner, Forrester, KuppingerCole, and Great Places to Work® have recognized the company's business and technical leadership.

About SailPoint

SailPoint is the market leader in enterprise identity security. SailPoint automates the management and control of access by leveraging the power of AI and machine learning, granting only the required access to the right identities and technology resources at the right time. Our advanced identity platform integrates seamlessly with existing systems and workflows, providing a unified view of all identities and their access. We meet customers where they are with an intelligent identity solution that satisfies the enterprise's scale, velocity, and environment requirements. SailPoint empowers the world's most complex businesses to establish a security foundation based on identity security.

Read More

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

Filecloud Introduces the Industry First Zero Trust File Sharing℠

FileCloud | January 11, 2023

On January 10, 2023, FileCloud announced the addition of Zero Trust File Sharing, bringing another layer of hyper-security to the market's most robust content collaboration platform. The new Zero Trust File Sharing feature enables users to collaborate securely with employees and other personnel, including external partners, vendors and clients. This functionality extends beyond modulating share permissions or setting Data Loss Prevention (DLP) policies. Zero Trust File Sharing will become increasingly crucial for enterprises and organizations that handle sensitive or protected data, such as Personally Identifiable Information (PII) and Controlled Unclassified Information (CUI).

The emergence of cloud service technologies, remote access applications, and disappearing network edges has revealed multiple vulnerabilities in perimeter-based IT security models. The Zero Trust framework, built on the principle of least privilege, provides a more resilient and adaptable approach that imposes identity authentication regardless of where or how the request for access originates. The U.S. Department of Defense has recently released a Zero Trust Strategy and Roadmap intended to eventually cover all U.S. government departments, which is likely to be adopted by the private sector. As a result, critical infrastructure sectors are ideal candidates for integrating Zero Trust File Sharing to protect their information systems from increasingly sophisticated cyberattacks launched by nation-states.

FileCloud's Zero Trust support gives enterprises an added layer of security on top of FileCloud's built-in access controls. The data within the environment is secured using a Zip file structure and password protection. The user can also set a Zero Trust password and create a sharing link to a file or folder. The data remains inaccessible without this password, even with a shared direct link or in case of a data breach. Furthermore, the data remains protected by password-based encryption even if the Zero Trust protected folder is accessed via unauthorized means, including social engineering techniques. Users who access the data with the Zero Trust password will also be restricted in their ability to edit or manipulate the data contained within the Zero Trust folder, based on the share permissions.

About FileCloud

Headquartered in Austin, Texas, FileCloud is a leading hyper-secure content collaboration platform (CCP) providing data governance, industry-leading compliance, data leak protection, data retention and digital rights management capabilities to millions of users worldwide. Its complete CCP stack includes workflow automation and granular control of content sharing across most enterprise platforms. The platform offers powerful file sharing, mobile access and synchronization capabilities on public, private, and hybrid clouds to customers, including top Global 1000 enterprises, government organizations, educational institutions and managed service providers.

Read More