All posts by Nate Crampton

Let’s Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2022/04/15/lets-dance-insightappsec-and-tcell-bring-new-devsecops-improvements-in-q1/

To the left, to the left, to the right, right — the CI/CD Pipeline is on the move.

DevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to shift left, which means moving security earlier in the software development lifecycle (SDLC). This makes sense: If you find a critical security bug in production, it costs a lot more to resolve it than if you found it in development.

In Q1 2022, we’ve continued to invest in improvements to InsightAppSec and tCell that help organizations shift left and automate security testing prior to production deployment. And at the same time, we’ve made other enhancements to make your life easier. Oh… and we added new attacks and blocking rules for Spring4Shell.

Shifting app security testing left in the CI/CD pipeline

Your development teams are innovating and releasing features and new experiences faster than ever before. Manual testing can no longer keep up with the speed of innovation. Taking a DevSecOps approach means baking security into every phase of the application lifecycle, which includes shifting left whenever possible.

Dynamic application security testing (DAST) solutions test a running application from the outside, the way an attacker would, and they’re known for their accuracy and coverage across a wide range of technologies. However, traditional DAST solutions have struggled to keep up with modern applications and software development methodologies.

Since the launch of InsightAppSec — Rapid7’s industry leading cloud-native DAST — we’ve focused on providing coverage of modern applications, as well as being able to integrate as far left as the build process.

“Our app developers don’t need to come to me, they don’t need to come to our team, they don’t need to send emails. They don’t need to go through any formalities. When they commit code, the scan happens automatically. And, we created the metrics. So, if they see high-rated vulnerabilities they cannot push to production. The code will get blocked and they have to remediate it.”

– Midhun Kumar, Head of Infrastructure and Cloud Operations, Pearl Data Direct

Building on the success of our Jenkins Plugin, Atlassian Bamboo Plugin, and Azure DevOps CI/CD integrations, we recently added native GitHub Actions and GitLab CI/CD integrations into InsightAppSec.

GitHub

GitHub Actions lets development teams automate software workflows. With our new InsightAppSec Scan Action for GitHub, you reference the action from a workflow in your repository and add it to your DevOps pipeline. As a step in that workflow, you can trigger an InsightAppSec scan and have the results passed back into the workflow run. If you want, you can add scan gating so that findings above your chosen severity fail the run, preventing vulnerable code from being deployed to production.

This is available for no additional cost in the GitHub Marketplace.

GitLab

GitLab CI/CD can automatically build, test, deploy, and monitor your applications. With our new InsightAppSec Scan Job, you add a job to your pipeline that runs a Docker command to trigger a scan. The results are sent back to the pipeline, and you can add scan gating to prevent vulnerable code from being deployed to production.

The feature is available at no additional cost, and we have resources to help you learn how to set up the GitLab integration.

Spring4Shell testing and protection

CVE-2022-22965, a zero-day vulnerability in the Spring Framework announced on April 1st, is no April Fools’ Day joke. It is not as dreadful as Log4Shell, since the confirmed exploitation path needs a specific setup (Spring MVC or WebFlux on JDK 9 or later, deployed as a WAR on Apache Tomcat), but it should still be patched: Spring Framework 5.3.18 and 5.2.20 contain the fix, and there are already reports of the Spring4Shell flaw being used to install Mirai botnet malware.

To help our customers secure their applications and understand their risk from Spring4Shell, Rapid7 released new capabilities, including:

  • New RCE Attack Module for Spring4Shell (InsightAppSec)
  • New Block Rule for Spring4Shell (tCell)
  • New Detection of CVE-2022-22965 in running applications (tCell)
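As an added illustration of what a request-level block rule or detection for CVE-2022-22965 keys on (this is example code written for this page, not tCell’s rule or InsightAppSec’s attack module), the script below scans constructed access-log lines for the published Spring4Shell indicator: a request parameter whose name walks from a bound object’s class property into its ClassLoader (class.module.classLoader on JDK 9 and later, or the older class.classLoader path). The log format, hosts and IP addresses are invented for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache/NGINX "combined"-style prefix);
# hosts, paths and addresses are invented for this example.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Mar/2022:10:15:02 +0000] "GET /app/login?username=alice&password=x HTTP/1.1" 200 512',
    '192.0.2.11 - - [31/Mar/2022:10:15:07 +0000] "POST /app/order?class.module.classLoader.resources=x HTTP/1.1" 200 12',
    '192.0.2.12 - - [31/Mar/2022:10:15:09 +0000] "GET /app/?Class.classLoader.x=1 HTTP/1.1" 400 0',
    '192.0.2.13 - - [31/Mar/2022:10:15:11 +0000] "GET /app/search?q=classLoader+tutorial HTTP/1.1" 200 3400',
    '192.0.2.14 - - [31/Mar/2022:10:15:12 +0000] "GET /app/?class%252emodule%252eclassLoader%252ex=1 HTTP/1.1" 200 12',
]

# The indicator is a parameter NAME that reaches a bean's ClassLoader through
# Spring's property-path binding: "class.module.classLoader" (JDK 9+ via
# java.lang.Module) or the direct "class.classLoader" path. It may be prefixed
# by another property ("user.class.module.classLoader..."). Case-insensitive on
# purpose: Spring's own fix blocks both "class.*" and "Class.*" patterns.
CLASSLOADER_WALK = re.compile(r"(^|\.)class(\.module)?\.classloader(\.|\[|$)", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded dots (%252e -> %2e -> .) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def param_names(encoded_params):
    """Parameter names from a query string or form body, fully decoded."""
    return [decode_fully(name) for name, _ in parse_qsl(encoded_params, keep_blank_values=True)]


def is_spring4shell_probe(encoded_params):
    """True if any parameter name walks into a ClassLoader. Values are ignored on purpose."""
    return any(CLASSLOADER_WALK.search(name) for name in param_names(encoded_params))


def scan_access_log(lines):
    """Return (ip, method, target) for each request whose query string carries the indicator."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        query = urlsplit(match["target"]).query
        if is_spring4shell_probe(query):
            hits.append((match["ip"], match["method"], match["target"]))
    return hits


if __name__ == "__main__":
    for ip, method, target in scan_access_log(SAMPLE_LOG):
        print(f"spring4shell-probe src={ip} {method} {target}")
```

Matching is done on parameter names after repeated URL-decoding and ignores values, so a search for the word “classLoader” in the fourth line is not a false positive. An access log only exposes query strings; the same name check belongs on POST bodies, which is where an in-application sensor such as tCell has visibility that an edge log does not.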

Other enhancements

InsightAppSec comes with the ability to create custom dashboards to quickly view and get insights on the risk and status of your program. Based on feedback from customers, we recently added the ability to create dashboards scoped to specific apps or groups of apps. This lets you quickly view risk in the context of what matters.

Customers often need to manage their applications at scale, and one of the easiest ways to do that is via the tCell API. Significant enhancements have been added or updated, including App Firewall event and block rules, OS command rules, local file rules, suspicious actors, and more. Check out our API documentation.

Rapid7’s application security portfolio can help you shift left as well as shift right, depending on your needs and the status of your program. You can integrate InsightAppSec DAST into your CI/CD pipelines before deployment to production. And with tCell, you can add web application and API protection for your production environments.

Stay tuned for all we have in store in Q2!

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2022/03/02/insightappsec-github-integration-keeps-risky-code-from-reaching-production/

We’ve all been there. The software development life cycle (SDLC) is moving at a mile a minute. Developers are writing code, updating features, and all the while attempting to keep everything introduced into production as safe and secure as possible. GitHub Actions are essential to automation and allow you to build, test, and deploy your code right from GitHub, faster than ever.

But it comes with risks.

How can you be sure your running applications aren’t vulnerable to exploitation? How will you know code is problematic before it gets into production? Can you realistically kick off a test, run it, and feed the results back to development without automation?

Secure apps through automation

A DevSecOps mindset is needed, with security baked into the SDLC — and now, GitHub Actions makes this easier than ever. This new integration — offered completely free to InsightAppSec customers — allows security and development teams to automate dynamic application security testing (DAST) as part of the CI/CD build pipeline workflow. For example, you can easily configure the integration to scan your team’s work for vulnerabilities, and if high-severity vulnerabilities are found, you can have it notify and/or block risky code before it reaches production environments.

Here’s how it works:

[Workflow diagram omitted: InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production]

All this happens automatically, so your team isn’t spending time finding and communicating application risk — they’re focusing on building a great application security program.

That’s not where the benefits end, however.

1) It helps integrate DevOps into the security workflow: To help build a DevSecOps mindset across teams, this integration lets DevOps and security teams work together earlier in the lifecycle, improving cross-team outcomes and making your organization safer.

2) Automate DAST as part of your CI/CD workflow: This integration fits in seamlessly with what you’re already doing, and automatically provides the vulnerability information your teams need to stay aware of risk and keep unsafe code out of your prod environments.

3) Quick and easy setup: Simply add the IAS Scan steps to your build pipeline as defined in the insightappsec-scan-github-action repo (assuming you have valid GitHub and InsightAppSec licenses).
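The scan gating described here, and in the GitHub and GitLab sections of the Q1 post above, comes down to one decision: given the scan’s findings, should the job fail? As an added example (written for this page, not the scan action’s own code), the script below makes that decision over a constructed result set and returns the exit code a CI step would use. The result fields (id, severity, status, module, url) and the status names are assumptions for the example, not the InsightAppSec export schema.

```python
import json
import sys

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of a scan-result export. The field names and status values
# are assumptions for this example, not the InsightAppSec schema; map a real
# export onto them before using the gate.
SAMPLE_RESULTS = json.loads("""[
  {"id": "v-1", "severity": "HIGH",   "status": "UNREVIEWED",     "module": "SQL Injection",     "url": "https://staging.example.com/search"},
  {"id": "v-2", "severity": "MEDIUM", "status": "UNREVIEWED",     "module": "Reflected XSS",     "url": "https://staging.example.com/profile"},
  {"id": "v-3", "severity": "HIGH",   "status": "FALSE_POSITIVE", "module": "Directory Listing", "url": "https://staging.example.com/static/"},
  {"id": "v-4", "severity": "LOW",    "status": "UNREVIEWED",     "module": "Missing HSTS",      "url": "https://staging.example.com/"}
]""")


def evaluate_gate(findings, fail_on="HIGH", max_medium=None,
                  ignore_statuses=("FALSE_POSITIVE", "IGNORED")):
    """Return (passed, reasons).

    Fails closed when results are missing, when any un-triaged finding is at or
    above `fail_on`, or when MEDIUM findings exceed `max_medium` (if set).
    """
    if findings is None:
        return False, ["scan results unavailable (scan failed, timed out, or export missing)"]
    threshold = SEVERITY_RANK[fail_on.upper()]
    # Findings a human has triaged away do not block, which is why those
    # triage decisions must be auditable.
    live = [f for f in findings if f.get("status", "").upper() not in ignore_statuses]
    reasons = [
        f"{f['severity']} {f['module']} at {f['url']} ({f['id']})"
        for f in live
        if SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold
    ]
    if max_medium is not None:
        mediums = [f for f in live if f["severity"].upper() == "MEDIUM"]
        if len(mediums) > max_medium:
            reasons.append(f"{len(mediums)} MEDIUM findings exceed the budget of {max_medium}")
    return (not reasons), reasons


def main(path=None):
    """Load results (or the sample), print the verdict, return the CI exit code."""
    try:
        findings = SAMPLE_RESULTS if path is None else json.load(open(path, encoding="utf-8"))
    except (OSError, ValueError):
        findings = None  # unreadable export -> fail closed
    passed, reasons = evaluate_gate(findings)
    for reason in reasons:
        print(f"BLOCK: {reason}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

A non-zero exit fails the job. The gate fails closed: if the scan did not complete or the export cannot be read, the job fails rather than quietly passing, because a skipped check looks identical to a clean one in the pipeline history.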

And it is all free. We’re continuously working to make InsightAppSec the easiest and most powerful security platform for your web applications, and teaming with GitHub will supercharge your development lifecycle in the safest way possible, automatically.

Want to learn more? Here’s what you need to know about this integration.


What’s New in InsightAppSec and tCell: Q2 2021 in Review

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2021/07/21/whats-new-in-insightappsec-q2-2021-in-review/

If there’s a theme to InsightAppSec and tCell updates and improvements in the second quarter, it would be “save time by building it into the process.” Building a more efficient process is key in further securing web applications.

Can you get it done faster from home? Or do you get to the win faster with an in-person team? Do those expensive express lanes work? Or are they just as clogged with traffic as the regular lanes? The world is constantly looking for faster, but the question to ask: is the “fast” also smart? Let’s take a look at InsightAppSec Q2 releases that we think will help you be both.

Identify. API. Scan by.

That last one was just to make the entire headline rhyme. However, the new features and functionality below can (mostly) be grouped into these 3 categories.

Simplifying access to complex apps

You can now get into modern applications faster with “Automated Login.” InsightAppSec has enhanced the automated authentication process to go beyond simple HTML forms to applications built with rich user interfaces. To log in to these applications more accurately and efficiently, InsightAppSec interrogates the web application, using JavaScript to identify login pages, fill in credential fields, trigger the login action, and return a confidence score.

Plus, streamline automated login with the new “Verify Credentials” feature. It saves time and reduces configuration friction by confirming that the username and password you entered actually work early, during scan configuration. That check matters: a scan whose login silently fails only covers the unauthenticated surface of the application, and the gap is easy to miss in the results.

Investing in API enhancements

New API features for both tCell and InsightAppSec create additional checks and balances as well as new avenues for integration with other systems in your environment.

  • Configure policies via API in tCell: Exert greater control by enabling, disabling, or switching various features to blocking mode via API. You can also reset, enable, or disable the Content Security Policy (CSP) defined for a specified application.
  • Manage security programs via API within InsightAppSec: Manage customer-specific issues more efficiently and run search queries more easily with the newly included tag management.

Making scans smarter

Another scan upgrade you can now take advantage of within InsightAppSec? “Incremental Scanning.” Help your team achieve more targeted testing and triaging (that’s a lot of alliteration) by scanning only the parts of an application that are new or have changed. Pair it with periodic full scans, since a change in one part of an application can affect pages the incremental scan does not revisit.

There’s also a new way to help security admins help you. An admin can now cover every subdomain with a single allowlist entry, called a “Wildcard,” and delegate scan configuration without having to specify each subdomain explicitly.
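The wildcard is convenient, but a scanner’s allowlist is a security boundary: a loose match lets a crawler running with your credentials wander onto hosts you never agreed to test. As an added example (not InsightAppSec’s own matching code), here is how a scope check should treat a “*.example.com” entry. It assumes the wildcard covers subdomains of any depth and not the apex domain itself; the URLs are constructed, and example.com and attacker.net are documentation names.

```python
from urllib.parse import urlsplit


def host_matches(pattern, host):
    """Exact hostname match, or '*.example.com' for subdomains of any depth.

    Assumption for this example: the wildcard does not cover the apex
    (example.com itself); list the apex explicitly if it should be scanned.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        # The leading dot is what stops "evil-example.com" from matching.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def in_scope(url, allowlist, denylist=()):
    """Decide whether a discovered URL may be requested.

    Compares only the parsed hostname, so userinfo tricks
    (https://app.example.com@attacker.net/) and explicit ports cannot
    smuggle a host past the allowlist. Deny entries win over allow entries.
    """
    host = urlsplit(url).hostname or ""
    if any(host_matches(p, host) for p in denylist):
        return False
    return any(host_matches(p, host) for p in allowlist)


def filter_scope(urls, allowlist, denylist=()):
    """Split discovered URLs into (in_scope, out_of_scope) lists."""
    inside, outside = [], []
    for url in urls:
        (inside if in_scope(url, allowlist, denylist) else outside).append(url)
    return inside, outside


if __name__ == "__main__":
    # Constructed URLs a crawl might discover.
    discovered = [
        "https://api.example.com/v1/users",
        "https://a.b.example.com:8443/admin",
        "https://example.com/",
        "https://evil-example.com/",
        "https://example.com.attacker.net/",
        "https://api.example.com@attacker.net/",
        "https://db.prod.example.com/",
    ]
    ok, skipped = filter_scope(discovered, ["*.example.com"], ["*.prod.example.com"])
    print("in scope:", ok)
    print("skipped:", skipped)
```

The deny list is how you keep production hosts out of a scan that is allowed to roam the rest of the domain; with a wildcard in play, that exclusion deserves the same review as the allow entry.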

Honorable mentions

Find vulnerabilities faster with filters. Within InsightAppSec, you can enter specific criteria to speed up triaging and prioritization and:

  • Create and save unique filters as well as leverage quick filters based on vulnerability statuses.
  • Navigate throughout applications while maintaining search queries for the session.
  • Quickly apply multiple search criteria — the more filters you add in the search bar, the more refined your results.

Now available in the Chrome Web Store, version 4.0 of the InsightAppSec Chrome extension improves authentication into your web applications. It also:

  • Gives you a better way to determine whether a vulnerability is valid by replaying the attack.
  • Enables tracking of user actions during authentication.
  • Lets you import a traffic file and reference it within an application, replaying its requests against the front-end application and back-end server.

Enduring improvements

As a quick reminder, the latest release of InsightAppSec’s next-gen scan engine is now available. Using the new “CrawlConfig” option, you can have the scanner remove any Content Security Policy defined in a response header or in the response body, so a strict CSP does not interfere with crawling; this changes only what the scanner sees, not the policy your users receive. You’ll also find fresh CWE references for several modules, plus the latest updates aimed at improving the quality and resilience of your tCell experience.

That’s it for our Q2 ‘21 AppSec release review. We hope you have a successful third quarter and a great season, wherever your business takes you. Until next time…    


3 Takeaways From The 2021 VDBIR: It’s An Appandemic

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2021/06/25/3-takeaways-from-the-2021-vdbir-its-an-appandemic/

</gr_replreplace>

<gr_replace lines="188-193" cat="clarify" orig="It’s clear">
It’s clear that attackers will keep coming for card data, forever and always. The playbook rarely changes:

  • A vuln is exploited.
  • Stolen credentials are used to gain access.
  • Attackers modify code as they see fit.
  • Card data is captured and quickly used or sold off.
“Appandemic” sounds a bit like “appendectomy.” From a societal standpoint, it’s almost as alarming — if not more so — as the surgical procedure is from a personal standpoint. Because in the midst of the global pandemic we’ve all experienced over the past year and a half, web applications have experienced their own version of a massive breach to their immune systems. Unfortunately for web-application security, there is no miraculous universal vaccine for these breaches.    

Over the years, the Verizon Data Breach Investigations Report (VDBIR) has highlighted similar concerns within the application-security ecosystem.

In 2018, Databases were the preferred attack vector, with web applications ranking fourth. But over the next 3 years up to now, we’ve seen a troubling trend in which web applications have shot up the rankings as the preferred method of entry. In 2019, they hovered around 30% compared to other vectors. In 2020, it tripled to nearly 90%, no doubt due in large part to the seismic cultural shift to working remotely and conducting more business online. This year’s VDBIR shows that number is sitting at about the same level today — around 90%.

What else does this year’s report have to say about the state of web-application security as the world begins its road to recovery, with more people getting vaccinated, heading back into offices, and going out and about again? Let’s take a look at 3 symptoms of the web appandemic highlighted in the 2021 VDBIR.

Symptom #1: Web apps processing payments

Attackers usually have to take a number of steps to gain access to a web application when they use a System Intrusion pattern. While they typically deploy malware or ransomware, the increasing share of Magecart-style attacks — those targeting payment card data — within the System Intrusion pattern is concerning.

This year’s report identifies that, within the specific System Intrusion attack pattern, 60% of web servers targeted were found to be sporting shiny new malware to capture information. How many of those incidents involved payment-card data?

65%

It’s clear that attackers will keep coming for card data, forever and always.

  • A vuln is exploited.
  • Stolen credentials are used to gain access.
  • Attackers modify code as they see fit.
  • Card data is captured and quickly used or sold off.  

When an incident is detected, companies can notify customers, who can then easily shut their card down and get their hands on a new one. But that’s also money and reputation lost for companies supposedly protecting those customers. It tends to leave a sour taste in a customer’s mouth, especially if it happens multiple times. Adaptable compliance solutions from Rapid7 are supported by strong institutional knowledge of what it takes to meet regulatory standards across the Payment Card Industry (PCI), no matter the region, which can help protect your customers’ card data and maintain your brand’s reputation.

65% is a big number when it comes to the likelihood that, in a given malware incident, the specific target is payment-card data. However, there is reason to be optimistic when it comes to PCI incidents: Over the past few years, attackers have specifically targeted card data less.

[Chart omitted. Source: Verizon Data Breach Investigations Report]

While promising, that doesn’t mean you should let your defenses down. If anything, now is the time to commit to even more stringent security measures, as the Magecart attacks mentioned above, which target payment card data in web applications, begin to pull even with malware intrusions overall in going after that same data.

Symptom #2: Baddies being basic

In this situation, being basic is a good thing from the baddies’ perspective. This year’s report found that baddies — aka attackers — are increasingly disclosing web-application data via a small number of steps. These are known as Basic Web Application Attack (BWAA) patterns, and they are easy for baddies to replicate in quick volume.

According to the report, attackers “are very focused on direct objectives, which include gaining access to email and web-application data.”

These rapid attacks can have maximum impact and create immediate chaos. Within a BWAA, sub-patterns exist that see attackers looking for easy credential grabs. This low-hanging fruit usually means they’re trying to compromise applications or mail servers through:

  • Using stolen credentials. This might not be the first time those credentials have been used. Attackers reuse credentials exposed in earlier breaches, taking advantage of organizations that never rotate passwords or enforce multi-factor authentication.
  • Brute-force attacks. According to this year’s report, brute-force attacks were attempted between 637 and 3.3 billion times against 95% of the companies analyzed in the report’s SIEM dataset. We can all thank the bots and worms out there tirelessly guessing weak and default passwords.
  • Exploiting vulnerabilities. While not as prevalent as stolen credentials or brute force, vulnerability exploitation still ranked as the third-most popular method of attacking web applications. More on that in the next section.

[Chart omitted. Source: Verizon Data Breach Investigations Report]

Of note: 96% of compromised mail servers were based in the cloud.

So, you know, cloud security is important. That’s why DivvyCloud by Rapid7 provides unified visibility and monitoring for your cloud environments, especially when your application infrastructure sits mostly, or exclusively, in the cloud.

Symptom #3: Weaponizing vulnerabilities

Whether it’s happened to you and your team before or not, watching the development and/or security team’s work be invaded, exploited, and weaponized is heartbreaking. According to this year’s report, even though attackers are still gaining access via stolen credentials, it is definitely happening less often than web-application vulnerability exploitation.

In both instances however, attackers are more frequently focused on getting in and gaining quick leverage. Via a small number of steps, their intention might be to repurpose your app for malware distribution. Before you know it, they’re in and out with precious customer data, leaving you with lots of explaining to do.

From a solution standpoint, Rapid7 helps organizations find and remediate vulnerabilities by testing their applications before attackers do, and with powerful Runtime Application Self-Protection (RASP) capabilities you can automatically apply protection against those attacks in production.

Application security: We all deserve access

Is there reason to be optimistic that we could be trending away from the current web appandemic, even with these symptoms? Much like the way the number of COVID-19 vaccinations is headed in the right direction in some parts of the world yet staying the same in other areas, it — as always — depends.

Deeper-pocketed and more-established security organizations have the ability to mount more defenses against attacks, quickly remediate incidents, and even spend big to institute a culture of offensive tactics that can ruin an attacker’s day. But solutions like InsightAppSec from Rapid7 can help organizations of all sizes scale with ease, regardless of application portfolio size.

According to this year’s report, small companies have pulled closer to their larger counterparts in bearing the brunt of web-application breaches, and they are losing ground in the time it takes to discover those breaches. Depending on how many partners or outside contractors a smaller company has, or where it sits in a larger, more established partner’s supply chain, it is in the interest of the industry at large to see application-security equity spread far and wide, lest breaches of every stripe push the web appandemic beyond anyone’s ability to control.
