Platform Security

NowSecure Announces New Pen Testing Service and Software

NowSecure, the industry's leading provider of standards-based mobile app security and privacy software, today announced the launch of the world's largest mobile app pen testing service for the OWASP Mobile Application Security Verification Standard (MASVS) and the addition of automated MASVS testing to the NowSecure Platform. Presently, mobile enterprises, application developers, and security teams can rely on NowSecure specialists for the gold standard of mobile app testing to assure OWASP MASVS compliance.

In 2021, 200 billion installed mobile applications produced over $170 billion in revenue, indicating that mobile applications are driving the global economy. Customers and staff alike prefer mobile applications over online apps, with over 70% of all digital time spent in mobile apps vs. web apps. However, assaults and breaches have increased significantly in the last year, with major mobile app security problems affecting Amazon Ring, Apple iMessage, Park Mobile, Slack, and US Customs and Border Protection. According to the NowSecure MobileRiskTracker, 85% of evaluated applications contain security flaws, and 70% leak sensitive data. Companies must be careful in incorporating security into their mobile applications and extensively testing them to assure their safety.

Since its inception in 2013, the OWASP mobile project has pushed for standards-based security criteria and testing methodologies. The OWASP mobile project, which is used by mobile app developers, architects, security teams, and security researchers, contains three essential resources, the most recent of which was updated in January 2022, to give the best risk reduction method for mobile app teams:

  • The OWASP Mobile Application Security Verification Standard (MASVS) establishes a standard for mobile app security.
  • The OWASP Mobile Security Testing Guide (MSTG) describes how to put the MASVS criteria to the test.
  • The OWASP Mobile App Security Checklist keeps track of security assessment tasks for mobile apps.

NowSecure practitioners have collaborated on spec evolution and tools with the OWASP mobile project from its inception, and the firm acts as an OWASP "god mode" sponsor for the OWASP MASVS.

"The OWASP MASVS and MSTG are the foundation of a mobile appsec program. The MASVS guides developers and security analysts on architecture, threat modeling and proper techniques to secure mobile data. The MSTG has hundreds of tests you should perform and there are many nuances and edge cases to consider. Without the right expertise it can be tough to effectively achieve full MASVS compliance. The MSTG encourages the use of automated tools to leverage static and dynamic analysis but also emphasizes that having security professionals you can trust is essential."

Carlos Holguera, OWASP project lead and NowSecure Security Researcher

NowSecure CEO Alan Snyder said that "NowSecure is the recognized expert for standards-based testing software and services, partnering with organizations to safeguard trust in their mobile app initiatives. As an OWASP contributor and sponsor for years, we are committed to the evolution of the specifications. Today we are adding these products and services to help customers ensure the security and privacy of their mobile apps leveraging the gold standard of OWASP MASVS."

Spotlight

Organizations are losing IT and security control Once upon a time, IT and security teams focused mostly on managing their organization’s on-prem environment. But as business requirements changed, customer bases became global, and remote work took root, these technology teams were handed responsibility across more domains: cloud


Other News
Software Security

Deepwatch Announces New Forensic-Focused Operations Service To Enhance Cyber Resilience

Deepwatch | January 09, 2024

Deepwatch, the leading managed security platform for the cyber resilient enterprise, today announced the launch of Threat Signal, its standalone forensic-focused operations service. Deepwatch designed Threat Signal to enhance companies’ cybersecurity defenses, proactively identify and help mitigate attack vectors, and stay ahead of evolving risks to strengthen cyber resilience. Threat Signal provides protection beyond traditional security measures, finding advanced cyber threats that have bypassed existing controls by leveraging the latest attacker methodologies to stay in tune with the constantly evolving threat landscape. Using an “outside-in” methodology, Threat Signal evaluates an organization’s externally accessible presence from an attacker’s perspective to pinpoint and investigate risky systems and services. This informs the initial investigation and allows Deepwatch Experts to leverage advanced capabilities through organic intelligence, deep forensics, and threat hunting. According to Forrester’s “How to Make Threat Intelligence Actionable” report¹, “Over time, companies need to move beyond tactical use cases. Threat hunting can uncover threats that have bypassed traditional security tools, allowing companies to stop attacks earlier to minimize disruptions. As Forrester’s Threat Hunting 101 report describes, threat intelligence is vital because it provides insights into the TTPs of threat actors and details on how malware behaves. If time, expertise, and resources are constrained, consider leveraging an external service provider to conduct the threat-hunting exercise as an annual consulting engagement.” Threat Signal provides tailored and proactive security measures through customer-specific intelligence that takes an organization's unique attack surface, business risks, and the latest adversary intelligence or "threat cases" into account. Threat Signal’s additional features and capabilities include: Deepwatch Experts - Seasoned forensic security experts perform in-depth investigations, identifying threats before they disrupt an organization. Attack Surface Profiles - These profiles provide a customer actionable report, detailing external opportunity areas that an attacker could leverage against an organization, including high-risk opportunities, mitigation recommendations, and threat hunting leads. Forensic-Agent-Based Threat Hunting Engagements - Deepwatch’s specialists consistently engage in hunting activities to reveal concealed threats within a company’s infrastructure and provide a threat hunt summary report with detailed observations and any actions that the customer took during that hunt cycle. Reporting and Reviews - Deepwatch provides customers with reports, including: Weekly intelligence brief reports on analyzed open-source intelligence with Deepwatch recommendations. Summary presentations on the solution engagement status, including but not limited to hunting reports. Up to two executive reviews of the solution and observables per year. Ad-hoc awareness briefs of security advisories based on Deepwatch threat criteria. Annual intelligence reports on incident lessons learned and predictions. Malware Analysis - Deepwatch’s Adversary Tactics and Intelligence (ATI) team analyze collected malware and provide a report. Enhanced Security - Deepwatch’s MDR customers benefit from cross-collaborative security operations, harnessing advanced threat detection, and hyper-responsive capabilities. “As security professionals, we look to enhance a company’s security readiness. To do that, it’s critical for them to look beyond their existing security controls to ensure they are identifying and proactively protecting the business from external threats,” said Jerrod Barton, VP, Cyber Operations & Intelligence for Deepwatch. “With Threat Signal, we’re able to help our enterprise customers view their security readiness through the lens of the ‘attackers,’ ensuring that they can rapidly respond to any incoming threats, which in turn helps them elevate their cyber resilience.” About Deepwatch Deepwatch is the leading managed security platform for the cyber resilient enterprise. The Deepwatch Managed Security Platform and security experts provide enterprises with 24/7/365 cyber resilience, rapid detections, high fidelity alerts, reduced false positives, and automated actions. We operate as an extension of cybersecurity teams by delivering exceptional security expertise, visibility across your attack surface, precision response to threats, and a compelling return on your security investments. The Deepwatch Managed Security Platform is trusted by many of the world’s leading brands to improve their security posture, cyber resilience, and peace of mind. Learn more at www.deepwatch.com.

Read More

Data Security

CrowdStrike Announces General Availability of Falcon Data Protection to Disrupt Legacy DLP

CrowdStrike | December 18, 2023

CrowdStrike (NASDAQ: CRWD) today announced the general availability of CrowdStrike FalconData Protection, liberating customers from legacy data loss prevention (DLP) products with a modern, frictionless approach to data security that prevents adversary exfiltration and accidental leakage. With this latest offering for the AI-native CrowdStrike Falcon XDR platform, customers can consolidate costly and ineffective DLP point products with CrowdStrike’s single, revolutionary lightweight agent. Organizations struggle with legacy DLP solutions that are difficult to deploy, complex to manage and unable to comprehensively track data in the modern cloud and AI era. This results in risky monitor-mode only deployments that fail to stop data theft. CrowdStrike Falcon Data Protection harnesses the CrowdStrike Falcon platform’s industry-leading visibility and protection for the epicenter of productivity and risk – the endpoint – to secure critical data from insider threats and adversaries. With CrowdStrike Falcon Data Protection, enterprises can now: Deploy data protection immediately from their existing Falcon agent to consolidate legacy DLP point products, reduce complexity and gain nearly instant time to value. Instantly expand visibility of data flows across the enterprise to rapidly identify and shut down data exfiltration or accidental leakage. Accelerate detection and response with a single console and unified workflow that saves security analysts time investigating potential data theft. “Today's DLP market is where legacy AV was when we started CrowdStrike: ripe for disruption. With this release, we’re bringing to market the future of data protection as part of a unified platform,” said Raj Rajamani, head of products at CrowdStrike. “We’re proud to have partnered with some of the largest organizations in the world to develop a groundbreaking approach to data protection that enables customers to stop the breach, while consolidating legacy DLP tools. Customers can deploy Falcon Data Protection immediately from their existing agent with near zero configuration requirements.” About CrowdStrike CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities. Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

Read More

Data Security

GuidePoint Security Announces Portfolio of Data Security Governance Services

GuidePoint Security | January 30, 2024

GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, today announced the availability of its Data Security Governance services, which are designed to help customers address the challenges of unstructured data and data sprawl through a proven process and program to meet their unique needs. GuidePoint’s Data Security Governance services consist of policies, standards, and processes leveraging the newest technologies to meet organizations’ data governance goals in both on-prem and cloud environments. Once the right strategy is determined with the customer, GuidePoint Security consultants will review program requirements, assess current policies and controls, perform gap analysis, design and develop/enhance the program, recommend and implement supporting technologies, and create operational processes and metrics. “Whether an organization is just beginning to build their data security governance program or needs help assessing and improving an existing program, our team and service capabilities are built to meet them at their current maturity level,” said Scott Griswold, Practice Director - Security Governance Services, GuidePoint Security. “We work side by side with the customer to conduct the necessary data discovery in their environment and provide tailored recommendations for solutions and processes to ultimately build/improve upon the data security governance program.” GuidePoint’s Data Security Governance Services include: Sensitive Data Cataloging: For organizations just getting started in the process of protecting their sensitive data, GuidePoint offers Data Identification workshops to identify sensitive data types in the environment, including trade secrets, intellectual property, and sensitive business communications. Data Security Governance Program Assessment: For organizations with existing Data Security Governance or Data Protection programs, GuidePoint Security experts will assess the program to identify policy non-compliance, gaps in data protection requirements—whether legal, regulatory, contractual, or business—and program maturity levels. Data Security Governance Program Strategy Development: The GuidePoint team will work with an organization's key stakeholders to design a program strategy aligned with relevant requirements. The outputs of this effort include delivering ongoing sensitive data discovery, automated classification and labeling, the application of required sensitive data protections, restrictions on where sensitive data can be stored and sent, and data retention policy enforcement. Merger and Acquisition Data Identification: This offering provides the ability to identify sensitive data within an M&A target or recent acquisition (including locations, amounts, and access rights) and then perform penetration testing on the storage repositories where that sensitive data exists to determine the risk of data compromise. About GuidePoint Security GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled a third of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at www.guidepointsecurity.com.

Read More

Software Security

Salt Security API Protection Platform Wins Gold in 13th Annual Best in Biz Awards

Salt Security | December 13, 2023

Salt Security, the leading API security company, today announced that the Salt Security API Protection Platform has been named a Gold Winner in the "Enterprise Product of the Year - Security Software" category in the Best in Biz Awards 2023. The Salt Security API Protection Platform is a best-in-class solution that combines the power of cloud-scale big data and time-tested ML/AI to detect and prevent API attacks. With its patented approach to blocking today's low-and-slow API attacks, only Salt provides the adaptive intelligence needed to protect APIs. By correlating activities across millions of APIs and users over time, Salt delivers deep context with real-time analysis and continuous insights into API threats and vulnerabilities, including those outlined in the OWASP API Security Top 10 list. "APIs sit at the core of today's modern applications, connecting enterprises to vital data and services," said Michael Nicosia, co-founder and COO, Salt Security. "Given the amount of sensitive information being transmitted through APIs, along with the growing complexity of API attacks, strong API security has become critical for modern businesses. The Salt platform is the only solution that provides cloud-scale big data and real-time analysis across all application environments, pinpointing and stopping attackers in their tracks. We are honored to have our solution's unique capabilities recognized by the Best in Biz Awards." According to the Salt Labs State of API Security Report, Q1 2023, 94% of organizations experienced security problems in production APIs in the past year, with a 400% increase in unique attackers overall in the last six months. The Salt platform protects APIs across their full lifecycle – build, deploy and runtime phases. Through its unique API Context Engine (ACE) architecture, the Salt platform provides API design analysis in pre-production, discovers all APIs, pinpoints and stops API attackers, and provides remediation insights learned during runtime to harden APIs. "As in years past, determining winners in some categories was a matter of selecting the very best from among the very good and came down to the smallest details," said Best in Biz Awards staff. "Each year, the judges are impressed by the innovations, growth, and change emanating from the winning companies and permeating across layers of society, from their employees through clients to local and global communities." The 13th annual program saw intense competition among more than 600 entries from public and private companies, representing all industries and regions in the U.S. and Canada and ranging from some of the most iconic global brands to the most innovative start-ups and beloved local companies. This year's judges highlighted the winning companies' breadth and depth of innovation, their novel approaches to employing new technologies, impressive workplace benefits and employee diversity and inclusion programs, as well as continued community involvement and critical investments in environment and corporate social responsibility programs. About Salt Security Salt Security protects the APIs that form the core of every modern application. Its patented API Protection Platform is the only API security solution that combines the power of cloud-scale big data and time-tested ML/AI to detect and prevent API attacks. By correlating activities across millions of APIs and users over time, Salt delivers deep context with real-time analysis and continuous insights for API discovery, attack prevention, and hardening APIs. Deployed quickly and seamlessly integrated within existing systems, the Salt platform gives customers immediate value and protection, so they can innovate with confidence and accelerate their digital transformation initiatives. For more information, visit: https://salt.security/ About Best in Biz Awards Since 2011, Best in Biz Awards has been the only independent business awards program judged by a who's who of prominent reporters and editors from top-tier publications from North America and around the world. Over the years, judges in the prestigious awards program have ranged from Associated Press to the Wall Street Journal and winners have spanned the spectrum, from blue-chip companies that form the bedrock of the global economy to some of the world's most innovative start-ups and nimble local companies. Each year, Best in Biz Awards honors are conferred in two separate programs: North America and International, and in 100 categories, including company, team, executive, product, and CSR, media, PR and other categories. For more information, visit: http://www.bestinbizawards.com.

Read More

Spotlight

Organizations are losing IT and security control Once upon a time, IT and security teams focused mostly on managing their organization’s on-prem environment. But as business requirements changed, customer bases became global, and remote work took root, these technology teams were handed responsibility across more domains: cloud

Resources