All posts by Nate Crampton

What’s New in InsightAppSec and tCell: Q2 2021 in Review

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2021/07/21/whats-new-in-insightappsec-q2-2021-in-review/

What’s New in InsightAppSec and tCell: Q2 2021 in Review

If there’s a theme to InsightAppSec and tCell updates and improvements in the second quarter, it would be “save time by building it into the process.” Building a more efficient process is key in further securing web applications.

Can you get it done faster from home? Or do you get to the win faster with an in-person team? Do those expensive express lanes work? Or are they just as clogged with traffic as the regular lanes? The world is constantly looking for faster, but the question to ask: is the “fast” also smart? Let’s take a look at InsightAppSec Q2 releases that we think will help you be both.

Identify. API. Scan by.

That last one was just to make the entire headline rhyme. However, the new features and functionality below can (mostly) be grouped into these 3 categories.

Simplifying access to complex apps

You can now get into modern applications faster with “Automated Login.” InsightAppSec enhanced the automated authentication process to go beyond simple HTML forms to include applications built with rich user interfaces. To achieve a more accurate and efficient login process into these applications, InsightAppSec interrogates the web application, using javascript to identify login pages, complete credential fields, trigger login action, and return a confidence score.

Plus streamline automated login with the new “Verify Credentials” feature. Save time and reduce configuration friction to the process by verifying you’ve entered the correct username and password during/early in the scan configuration.

Investing in API enhancements

New API features for both tCell and InsightAppSec create additional checks and balances as well as new avenues for integration with other systems in your environment.

  • Configure policies via API in tCell: Exert greater control by enabling, disabling, or blocking various features via API. You can also reset, enable, or disable the defined Content Security Policy (CSP) for a specified application.
  • Manage security programs via API within InsightAppSec: Manage customer-specific issues more efficiently and run search queries easier with newly included tag management.

Making scans smarter

Another scan upgrade you can now take advantage of within InsightAppSec? “Incremental Scanning.” Help your team to achieve more targeted testing and triaging (that’s a lot of alliteration) by scanning only the parts of an application that are new or have changed.    

There’s also a new way to help security admins help you. Now they can catch all subdomains with 1 addition to the allowlist. This is called a “Wildcard,” and an admin can now delegate scan configuration, no longer needing to specify each subdomain explicitly.

Honorable mentions

Find vulnerabilities faster with filters. Within InsightAppSec, you can enter specific criteria to speed up triaging and prioritization and:

  • Create and save unique filters as well as leverage quick filters based on vulnerability statuses.
  • Navigate throughout applications while maintaining search queries for the session.
  • Quickly apply multiple search criteria — the more filters you add in the search bar, the more refined your results.

Now available at the Chrome web store, version 4.0 improves authentication into your web applications. It also:

  • Gives you greater capabilities to determine whether a vulnerability is valid by replaying an attack.
  • Enables tracking of user actions during authentication.
  • Gives you the ability to import and reference a traffic file within an application by sending requests to the front-end application and back-end server.

Enduring improvements

As a quick reminder, now available is the latest release of InsightAppSec’s next-gen scan engine. You can now remove any content security policy defined in the header or response body by using the new “CrawlConfig” option. You’ll also find fresh CWE references for several modules. Plus discover the latest updates aimed at improving the quality and resilience of your tCell experience.

That’s it for our Q2 ‘21 AppSec release review. We hope you have a successful third quarter and a great season, wherever your business takes you. Until next time…    

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

3 Takeaways From The 2021 VDBIR: It’s An Appandemic

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2021/06/25/3-takeaways-from-the-2021-vdbir-its-an-appandemic/

VDBIR Overview

3 Takeaways From The 2021 VDBIR: It’s An Appandemic

“Appandemic” sounds a bit like “appendectomy.” From a societal standpoint, it’s almost as alarming — if not more so — as the surgical procedure is from a personal standpoint. Because in the midst of the global pandemic we’ve all experienced over the past year and a half, web applications have experienced their own version of a massive breach to their immune systems. Unfortunately for web-application security, there is no miraculous universal vaccine for these breaches.    

Over the years, the Verizon Data Breach Investigations Report (VDBIR) has highlighted similar concerns within the application-security ecosystem.

In 2018, Databases were the preferred attack vector, with web applications ranking fourth. But over the next 3 years up to now, we’ve seen a troubling trend in which web applications have shot up the rankings as the preferred method of entry. In 2019, they hovered around 30% compared to other vectors. In 2020, it tripled to nearly 90%, no doubt due in large part to the seismic cultural shift to working remotely and conducting more business online. This year’s VDBIR shows that number is sitting at about the same level today — around 90%.

What else does this year’s report have to say about the state of web-application security as the world begins its road to recovery, with more people getting vaccinated, heading back into offices, and going out and about again? Let’s take a look at 3 symptoms of the web appandemic highlighted in the 2021 VDBIR.

Symptom #1: Web apps processing payments

Attackers usually have to take a number of steps to gain access to a web application when they use a System Intrusion pattern. While they typically deploy malware or ransomware, the increasing share of Magecart-style attacks — those targeting payment card data — within the System Intrusion pattern is concerning.

This year’s report identifies that, within the specific System Intrusion attack pattern, 60% of web servers targeted were found to be sporting shiny new malware to capture information. How many of those incidents involved payment-card data?

65%

It’s clear that attackers will keep coming for card data, forever and always.

  • A vuln is exploited.
  • Stolen credentials are used to gain access.
  • Attackers modify code as they see fit.
  • Card data is captured and quickly used or sold off.  

When an incident is detected, companies can notify customers, who can then easily shut their card down and get their hands on a new one. But that’s also money and reputation lost for companies supposedly protecting those customers. It tends to leave a sour taste in a customer’s mouth, especially if it happens multiple times. Adaptable compliance solutions from Rapid7 are supported by strong institutional knowledge of what it takes to meet regulatory standards across the Payment Card Industry (PCI), no matter the region, which can help protect your customers’ card data and maintain your brand’s reputation.

65% is a big number when it comes to the likelihood that, in a given malware incident, the specific target is payment-card data. However, there is reason to be optimistic when it comes to PCI incidents: Over the past few years, attackers have specifically targeted card data less.

3 Takeaways From The 2021 VDBIR: It’s An Appandemic

*Source: Verizon Data Breach Investigations Report

While promising, that doesn’t mean you should let your defenses down. If anything, now is the time to commit to even more stringent security measures, as those previously mentioned Magecart attacks — targeting PCI in web applications — begin to pull even with overall malware intrusions targeting that same PCI.

Symptom #2: Baddies being basic

In this situation, being basic is a good thing from the baddies’ perspective. This year’s report found that baddies — aka attackers — are increasingly disclosing web-application data via a small number of steps. These are known as Basic Web Application Attack (BWAA) patterns, and they are easy for baddies to replicate in quick volume.

According to the report, attackers “are very focused on direct objectives, which include gaining access to email and web-application data.”

These rapid attacks can have maximum impact and create immediate chaos. Within a BWAA, sub-patterns exist that see attackers looking for easy credential grabs. This low-hanging fruit usually means they’re trying to compromise applications or mail servers through:

  • Using stolen credentials. This might not be happening for the first time. Attackers could be exploiting the unwillingness of many organizations to engage in regular cybersecurity hygiene to gain access to a system using stolen credentials.
  • Brute-force attacks. According to this year’s report, brute-force attacks were attempted between 637 and 3.3 billion times against 95% of companies analyzed in the report’s SIEM dataset. We can all thank the evil bots and worms out there tirelessly looking for these vulns.
  • Exploiting vulnerabilities. While not as prevalent as using stolen credentials and going brute force, vulnerability exploitation still ranked as the third-most popular method of attacking web applications. More on that in the next section.    
3 Takeaways From The 2021 VDBIR: It’s An Appandemic

*Source: Verizon Data Breach Investigations Report

Of note: 96% of compromised mail servers were based in the cloud.

So, you know, cloud security is important. That’s why DivvyCloud by Rapid7 provides unified visibility and monitoring for your cloud environments, especially when your application infrastructure sits mostly, or exclusively, in the cloud.

Symptom #3: Weaponizing vulnerabilities

Whether it’s happened to you and your team before or not, watching the development and/or security team’s work be invaded, exploited, and weaponized is heartbreaking. According to this year’s report, even though attackers are still gaining access via stolen credentials, it is definitely happening less often than web-application vulnerability exploitation.

In both instances however, attackers are more frequently focused on getting in and gaining quick leverage. Via a small number of steps, their intention might be to repurpose your app for malware distribution. Before you know it, they’re in and out with precious customer data, leaving you with lots of explaining to do.

From a solution standpoint, Rapid7 helps organizations hunt vulnerabilities by testing applications to find and remediate vulnerabilities. With powerful Runtime Application Self-Protection (RASP) capabilities, you can automatically apply protection against those attacks.

Application security: We all deserve access

Is there reason to be optimistic that we could be trending away from the current web appandemic, even with these symptoms? Much like the way the number of COVID-19 vaccinations is headed in the right direction in some parts of the world yet staying the same in other areas, it — as always — depends.

Deeper-pocketed and more-established security organizations have the ability to mount more defenses against attacks, quickly remediate incidents, and even spend big to institute a culture of offensive tactics that can ruin an attacker’s day. But solutions like InsightAppSec from Rapid7 can help organizations of all sizes scale with ease, regardless of application portfolio size.

According to this year’s report, small companies have pulled closer to their larger counterparts when bearing the brunt of web-application breaches and are losing ground in the time it takes to discover those breaches. Plus, depending on how many partners or outside contractors a smaller company has — or where that company sits in a larger and more-established partner’s supply chain — it’s in the interest of the industry at large to see that application-security equity spreads far and wide, lest breaches of every stripe proliferate the web appandemic beyond the ability of anyone to control.

Try InsightAppSec for free