Application Security Forum
Aug 10 2020
On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass. Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, Kanye West, Benjamin Netanyahu, and several high-profile tech companies, including Apple and Uber. The hackers posted variations of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned. How could Twitter have been better prepared for this? How do you rate their response?
Ken Shaurette: For some good information from a leading expert, check out the webinar today 7/17 on BrightTalk by Alex Holden... We have a lot of questions about the Twitter breach but not so many answers. I can tell you that similar cryptocurrency fraud campaigns are ongoing on different social media platforms and on a different scale. Tomorrow (Friday) at 11 am CT on BrightTalk https://lnkd.in/eRuXaca we will discuss what we know about the breach and disturbing patterns that are emerging everywhere.
Ken Shaurette: I like the potential for catching unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint, with 24x7x365 backing of monitoring.
Russell Webster: Span of control, solid RBAC, Privileged Access Management (PAM).
Jul 27 2020
Is SonarQube the best tool for static analysis, or are there any good tools which compete with SonarQube?
Purushothaman K: As static tools we can use Fortify or IBM AppScan. SonarQube is widely used for coding standards.
Peter Arvedlund: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look at the Gartner Magic Quadrant for Application Security Testing (AST). In the latest Gartner Quadrant for AST (Static and Dynamic App Security Testing) these are the "Leaders" as per April 2020 according to Gartner ranking: 1. Synopsys 2. Checkmarx 3. MicroFocus (Fortify) 4. Veracode 5. WhiteHat Security. I used to work as a Fortify Sales Specialist in HP before Fortify was acquired by MicroFocus a few years ago. I can strongly recommend Fortify because they have both the Static and Dynamic testing, and you can even choose to have the solution(s) deployed as an "on-premise" or "Cloud" solution. In fact you can even have a "hybrid" between Cloud and On-Prem if you want, depending on your organisation's needs and need for automation in different countries. I can see you work for ACCENTURE? That is a big WW org. with different requirements for app testing across different countries, I imagine? So you can decide to have e.g. a Fortify "on-premise" version in one country, and in another country you can have the solution deployed as a "Cloud service", so you get full freedom and the flexibility for automation and continuous AppSec testing of the development teams' coding. This will also educate the developer teams into becoming better coders, because they will learn from the corrections in the coding done by Fortify. And remember that you can also use this in your sales advertising, because you can get a report to document that your coding and DevOps has been security tested and analysed by the Fortify solution, and therefore you can advertise your services as proven and documented "Secure by design" by the Fortify solution. I can help connect you directly with my old colleague from HP. He is today Fortify EMEA Global Head of Sales (based in UK).
Let me know if you want me to connect you, or if you want to look at some other AppSec (AST) solution from the Gartner AST MQ report I mentioned above instead?
Jun 30 2020
Many companies wonder about whether SAST or DAST is better for application security testing. What are the relative benefits of each methodology? Is it possible to make use of both?
Dan Doggendorf: SAST and DAST are not mutually exclusive and should be used in conjunction with each other. One should be used by the developers to ensure security is being addressed as they are writing the code. The other is used for evaluating existing applications already in production to ensure they are not susceptible to any new vulnerabilities that have been discovered. The real question is which should have a higher priority when it comes to introducing the concepts into your application security model. Unfortunately, there is no single answer to which comes first. It all depends on your organization's culture, business model, and your relationships with the various impacted groups.
Oscar Van Der Meer: For application security you ideally need SAST, SCA and DAST. You need all three as they essentially measure different things: SAST identifies bad coding practices that potentially could be exploited. SCA identifies known vulnerabilities in the libraries and components you are using, and this is the main attack vector on applications. DAST identifies some of the weaknesses that SAST and SCA identified, but also identifies weaknesses in the configuration. You might have the perfect application code with zero vulnerabilities, but if it is misconfigured, for instance using a default password, it still can be breached. If you have to choose, look at SCA and then DAST first, as that gives you the best bang for your buck from a risk reduction perspective.
Russell Webster: Both. They are not in competition with each other. SAST is used for analyzing your written code for practices and patterns that are risky or vulnerable. DAST is used @ runtime for analyzing the app for vulnerabilities as shown in other ways on the runtime memory stack, etc. Both provide different value. Look into RASP vs DAST vs IAST as well.
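The SAST/SCA/DAST distinction drawn in the answers above is easiest to see on a concrete input. The following is an added example written for this page, not code from any poster or tool mentioned here: a toy SAST check that walks Python's ast to flag string-built SQL handed to execute(), a toy SCA check that matches pinned requirements against an advisory list, and a configuration check for the default-password case. All inputs are constructed inline; the advisory entries are placeholders, not real CVE data, and a real DAST tool would probe the running application over the network rather than read a config file as done here.

```python
"""Toy illustration of what SAST, SCA and a configuration check each find.
Added example for this forum thread; every input below is constructed."""
import ast
import re

# --- SAST input: a constructed source file with one string-built query and one safe query ---
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)   # string-built SQL
    return cur.fetchone()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))     # parameterised query
    return cur.fetchone()
'''


def sast_string_built_sql(source: str) -> list:
    """Return line numbers where .execute() receives a dynamically built string
    (f-string, %-formatting, concatenation or .format()) instead of a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        query = node.args[0]
        dynamic = (
            isinstance(query, ast.JoinedStr)                                            # f"..."
            or (isinstance(query, ast.BinOp) and isinstance(query.op, (ast.Mod, ast.Add)))  # % or +
            or (isinstance(query, ast.Call) and isinstance(query.func, ast.Attribute)
                and query.func.attr == "format")                                        # .format()
        )
        if dynamic:
            findings.append(node.lineno)
    return findings


# --- SCA input: constructed pinned requirements and a constructed advisory list ---
REQUIREMENTS = """\
requests==2.19.1
pyyaml==5.4
jinja2==2.11.3
"""

# (package, first vulnerable version, first fixed version, advisory id); placeholders, not real data
ADVISORIES = [
    ("requests", (0, 0, 0), (2, 20, 0), "ADVISORY-PLACEHOLDER-1"),
    ("pyyaml", (0, 0, 0), (5, 4, 0), "ADVISORY-PLACEHOLDER-2"),
]


def parse_version(v: str) -> tuple:
    """Pad to three components so that '5.4' compares equal to '5.4.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def sca_vulnerable_dependencies(requirements: str, advisories=ADVISORIES) -> list:
    """Return (package, version, advisory_id) for every pinned dependency whose
    version lies in [first_vulnerable, first_fixed) of a known advisory."""
    hits = []
    for line in requirements.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            continue
        pkg, ver = m.group(1).lower(), parse_version(m.group(2))
        for name, vuln_from, fixed_in, adv in advisories:
            if name == pkg and vuln_from <= ver < fixed_in:
                hits.append((pkg, m.group(2), adv))
    return hits


# --- Configuration input: the kind of weakness only the deployed instance reveals ---
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}  # constructed list

SAMPLE_CONFIG = """\
db_host=10.0.0.5
admin_user=admin
admin_password=admin
debug=true
"""


def config_weaknesses(config_text: str) -> list:
    """Flag default admin credentials and debug mode in a key=value config."""
    kv = dict(line.split("=", 1) for line in config_text.splitlines() if "=" in line)
    issues = []
    if (kv.get("admin_user"), kv.get("admin_password")) in DEFAULT_CREDENTIALS:
        issues.append("default admin credentials")
    if kv.get("debug", "").lower() == "true":
        issues.append("debug mode enabled")
    return issues


if __name__ == "__main__":
    print("SAST  :", sast_string_built_sql(SAMPLE_SOURCE))      # [6]
    print("SCA   :", sca_vulnerable_dependencies(REQUIREMENTS))  # requests 2.19.1 flagged
    print("Config:", config_weaknesses(SAMPLE_CONFIG))          # default creds, debug on
```

Note that the three checks never overlap: the SAST pass finds the query-building pattern on line 6 and nothing about dependencies, the SCA pass flags only requests (pyyaml 5.4 equals the padded fixed version 5.4.0 and is therefore not reported), and the config check reports the default password that no amount of clean source code would have prevented.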
Jun 02 2020
Which single application security tool provides the best overall protection?
Kangkan Goswami: The best source to know the OWASP risks is the OWASP website. For top 10 risks, you may visit https://owasp.org/www-project-top-ten/ For the next question on a single application security tool that gives the best overall protection, you might have to provide what kind of risks you want to cover. Security is not a one-liner. If you are only focused on the OWASP top 10, SonarQube also provides the detection capability for the OWASP top 10. I would rather request you to provide more information as to what kind of protection you are looking at.
I am researching application security software for my organization. We provide systems to the airline industry. Which products provide both vulnerability scanning and quality checks? Which one(s) do you recommend and why? Thanks, CK
Tunde Ogunkoya: Whilst it may appear as though the real solution to a question like yours is to name a particular tool and say it is the best tool in the market because of what an analyst company like Gartner or Forrester says, I would rather ask if you have an AppSec Programme in your organization and what that AppSec Programme is like. Yes, a tool will help you find the bugs and security vulnerabilities, but a tool or combination of tools in itself does not solve your security challenges without a proper programme. In any case, depending on what part of the SDLC you want to introduce a tool into, it may be easier to recommend a tool. For clarification purposes, you may want to shed more light on the time you want to use the tool, e.g. during QA, Dev, Testing, production or post-production, also the type of integration needs you have for your CI/CD, language or protocol support that you need to look into, as well as whether you are looking at continuously monitoring the systems which you supply to the airline industry. A quick look into the Gartner Application Security Testing quadrant or Forrester's may give you some guidelines with respect to tools alone, but an AppSec programme is very key to the success of whatever tool you acquire.
Wanda Thomas: It depends if the application is a web app. Does it have a database? Are the systems built to any regulations required for compliance (i.e. CIS benchmarks)? Do you want an automated means to "act" on findings?
davidstrom: Burp Suite from PortSwigger (pen testing and vuln scans) and WebGoat from OWASP (code testing) are two that I would recommend. See this article for other recommendations: https://www.csoonline.com/article/3317523/top-application-security-tools-for-2019.html?nsdr=true#tk.twt_cso