Category: Application Security

GraphQL Security: The Next Evolution in API Protection

GraphQL is an open-source data query and manipulation language that can be used to build application program interfaces (APIs). Since its initial inception by Facebook in 2012 and subsequent release in 2015, GraphQL has grown steadily in popularity. Some estimate that by 2025, more than 50% of enterprises will use GraphQL in production, up from less than 10% in 2021.

Unlike Rest APIs, which return information called from an endpoint and require the user to extract applicable information, GraphQL allows the user to query specific data from a GraphQL schema and return precise results.

Although GraphQL is relatively new and allows you to query exactly what you require, it is still prone to the same common vulnerabilities as other APIs. There are weaknesses that attackers can exploit to gain access to sensitive data, making securing GraphQL extremely important. The ability to scan a GraphQL schema will help to remediate those weaknesses and provide additional API security coverage.

GraphQL Security: The Next Evolution in API Protection


Why GraphQL security is important

While there are numerous benefits to adopting GraphQL, the security implications are less well-understood. Can functionality be abused? What problems come with querying flexibility? Which vulnerabilities can be exploited? These are all points of concern for its use base.

GraphQL is also no different from other APIs in terms of potential attack vectors. Indeed, it has its own unique security vulnerabilities on top of those you would encounter through a REST API.

As we discussed in our recent post on API security best practices, APIs are a lucrative target that can allow hackers to gain access to an otherwise secure system and exploit vulnerabilities. Not only do APIs often suffer from the same vulnerabilities as web applications — like broken access controls, injections, security misconfigurations, and vulnerabilities inherited from other dependent code libraries — but they are also more susceptible to resource consumption and rate limiting issues due to the automated nature of their users.

Best practices for securing GraphQL

The first step in securing your GraphQL endpoint is to familiarize yourself with some of the most common vulnerabilities and best practices to protect against potential exposure. The most common are injection vulnerabilities – such as SQL injection, OS command injection, and server-side request forgery – where the data provided in the arguments of a GraphQL request is injected into commands, queries, and other executable entities by the application code. Other common vulnerabilities include a lack of resource management that can enable a  Denial of Service (DoS) attack, due to general graph/query complexity and the potential for large batch requests. Finally, broken access control vulnerabilities exist in GraphQL APIs in much the same way as in other applications and services, but they can be exacerbated by the segmented nature of GraphQL query resolvers.

There are several best practice recommendations which can be utilized to counter such attacks.

  • Only allow valid values to be passed - Values should be controlled via allow lists, custom validators and correct definitions.
  • Depth limiting - Restricting the depth of a query only to predetermined levels will allow control over the expense of a query and avoid tying up your back end unnecessarily.
  • Amount limiting - Restricting the amount of a particular object in a query will reduce the expense of the query by not allowing more than x objects to be called.
  • Query cost analysis - Checking how expensive a query may be before you allow it to run is a useful additional step to block expensive or malicious queries.
  • Control input rejections - Ensure you don’t overly expose information about the API during input rejections.
  • Introspection turned off - By default, introspection will be enabled on GraphQL, but simply disabling introspection will restrict what information the consumer can access and not allow them to learn everything about your API.

OWASP have also produced a really neat cheat sheet series, which provides an introduction to GraphQL, as well as a detailed rundown of best practices and common GraphQL attacks, to help teams with upskilling and securing GraphQL.

How to secure GraphQL

The second step in securing your GraphQL endpoint is right here with Rapid7! While almost every modern DAST solution can properly parse and understand requests to and responses from web applications and, in most cases, APIs, that doesn’t mean all those tools will specifically understand GraphQL. That’s why InsightAppSec has specifically added support for parsing GraphQL requests, responses, and schemas, so that it can properly scan GraphQL-based APIs. This new feature provides customers with the ability to scan GraphQL endpoints to identify and then remediate any vulnerabilities encountered.

Initial support will be provided to identify the following vulnerabilities:

  • SQL injection
  • Blind SQL injection
  • OS commanding
  • Server-side request forgery
  • Local file inclusion/remote file inclusion  

To find out how to execute a GraphQL scan, check out our doc on the feature in InsightAppSec for additional information, support, and guidance.

New cloud platform strengthens organizations’ cyber resilience

by making real-world threat simulation easier and more accessible

San Francisco, US, 9th November 2022 – Picus Security, the pioneer of Breach and Attack Simulation (BAS), today announced the availability of its next-generation security validation technology. The new Picus Complete Security Validation Platform levels up the company’s attack simulation capabilities to remove barriers of entry for security teams. It enables any size organization to automatically validate the performance of security controls, discover high-risk attack paths to critical assets and optimize SOC effectiveness.  

“Picus helped create the attack simulation market, and now we’re taking it to the next level,” said H. Alper Memis, Picus Security CEO and Co-Founder. “By pushing the boundaries of automated security validation and making it simpler to perform, our new platform enables organizations even without large in-house security teams to identify and address security gaps continuously.” 

The all-new-and-improved Picus platform extends Picus’s capabilities beyond security control validation to provide a more holistic view of security risks inside and outside corporate networks. It consists of three individually licensable products:

  • Security Control Validation – simulates ransomware and other real-world cyber threats to help measure and optimize the effectiveness of security controls to prevent and detect attacks.
  • Attack Path Validation – assesses an organization’s security posture from an ‘assume breach’ perspective by performing lateral movement and other evasive actions to identify high-risk attack paths to critical systems and users.
  • Detection Rule Validation – analyzes the health and performance of SIEM detection rules to ensure that SOC teams are reliably alerted to threats and can eliminate false positives. 

A global cybersecurity workforce gap of 3.4 million professionals means automated security validation is now essential to reduce manual workloads and help security teams respond to threats sooner. Recently, the US’s Cybersecurity and Infrastructure Security Agency (CISA) and UK’s National Cyber Security Centre (NCSC) published a joint advisory recommending organizations test their defenses continually and at scale against the latest techniques used by attackers.

“Insights from point-in-time testing are quickly outdated and do not give security teams a complete view of their security posture,” said Volkan Erturk, Picus Security CTO and Co-Founder. “With the Picus platform, security teams benefit from actionable insights to optimize security effectiveness whenever new threats arise, not once a quarter. With our new capabilities, these insights are now deeper and cover even more aspects of organizations’ controls and critical infrastructure.”

On 15th November 2022, Picus Security is hosting Picus reLoaded, a free virtual event for security professionals that want to learn more about its platform and how to leverage automated security validation. Register to attend and hear from thought leaders from Gartner, Frost & Sullivan, Mastercard, and more.

H. Alper Memis has also published a blog to announce the release to Picus customers.

About Picus Security

Picus Security is the pioneer of Breach and Attack Simulation (BAS). The Picus Complete Security Validation Platform is trusted by leading organizations worldwide to continuously validate security effectiveness and deliver actionable insights to strengthen resilience 24/7.

Picus has offices in North America, Europe and APAC and is supported by a global network of channel and alliance partners.

Picus has been named a ‘Cool Vendor’ by Gartner and is cited by Frost & Sullivan as one of the most innovative players in the BAS market. 

 For more information, visit www.picussecurity.com

∗The (ISC)² Cybersecurity Workforce Study 2022

The post Picus Security brings automated security validation to businesses of all sizes appeared first on Cybersecurity Insiders.

New Research: Optimizing DAST Vulnerability Triage with Deep Learning

On November 11th 2022, Rapid7 will for the first time publish and present state-of-the-art machine learning (ML) research at AISec, the leading venue for AI/ML cybersecurity innovations. Led by Dr. Stuart Millar, Senior Data Scientist, Rapid7's multi-disciplinary ML group has designed a novel deep learning model to automatically prioritize application security vulnerabilities and reduce false positive friction. Partnering with The Centre for Secure Information Technologies (CSIT) at Queen's University Belfast, this is the first deep learning system to optimize DAST vulnerability triage in application security. CSIT is the UK's Innovation and Knowledge Centre for cybersecurity, recognised by GCHQ and EPSRC as a Centre of Excellence for cybersecurity research.

Security teams struggle tremendously with prioritizing risk and managing a high level of false positive alerts, while the rise of the cloud post-Covid means web application security is more crucial than ever. Web attacks continue to be the most common type of compromise; however, high levels of false positives generated by vulnerability scanners have become an industry-wide challenge. To combat this, Rapid7's innovative ML architecture optimizes vulnerability triage by utilizing the structure of traffic exchanges between a DAST scanner and a given web application. Leveraging convolutional neural networks and natural language processing, we designed a deep learning system that encapsulates internal representations of request and response HTTP traffic before fusing them together to make a prediction of a verified vulnerability or a false positive. This system learns from historical triage carried out by our industry-leading SMEs in Rapid7's Managed Services division.

Given the skillset, time, and cognitive effort required to review high volumes of DAST results by hand, the addition of this deep learning capability to a scanner creates a hybrid system that enables application security analysts to rank scan results, deprioritise false positives, and concentrate on likely real vulnerabilities. With the system able to make hundreds of predictions per second, productivity is improved and remediation time reduced, resulting in stronger customer security postures. A rigorous evaluation of this machine learning architecture across multiple customers shows that 96% of false positives on average can automatically be detected and filtered out.

Rapid7's deep learning model uses convolutional neural networks and natural language processing to represent the structure of client-server web traffic. Neither the model nor the scanner require source code access — with this hybrid approach first finding potential vulnerabilities using a scan engine, followed by the model predicting those findings as real vulnerabilities or false positives. The resultant solution enables the augmentation of triage decisions by deprioritizing false positives. These time savings are essential to reduce exposure and harden security postures — considering the average time to detect a web breach can be several months, the sooner a vulnerability can be discovered, verified and remediated, the smaller the window of opportunity for an attacker.

Now recognized as state-of-the-art research after expert peer review, Rapid7 will introduce the work at AISec on Nov 11th 2022 at the Omni Los Angeles Hotel at California Plaza. Watch this space for further developments, and download a copy of the pre-print publication here.

 Most backup and security vendors overlook this vital communication channel

  • 70% of respondents exchange more direct messages with colleagues via User Chats than Group Channel Conversations
  • 45% send confidential and sensitive information frequently via Teams
  • This rises to 51% often sharing business-critical information
  • 48% of all respondents have accidentally sent Teams messages that should not have been sent 

Leading cybersecurity software provider Hornetsecurity has found an urgent need for greater backup for Microsoft Teams with more than half of users (45%) sending confidential and critical information frequently via the platform. Research commissioned by the company highlights the often-overlooked need for Teams backup and security, as internal business communications over chat are on the rise, reaching the same levels as communication via email.  The research was conducted by techconsult, an established German IT research and analyst firm.

 

User behaviors on Teams are ripe for data loss

Teams User Chat (direct) messaging is the preferred form of business communication over Teams Channel Conversations for 90% of respondents, and more than 41% of people send a minimum of 10 User Chat messages a day. Just over a quarter of all messages (26%) are written in Teams Group Channel Conversations, showing communication is unevenly spread across the platform. 

 

Nearly half (45%) of respondents frequently share confidential and sensitive information via Teams with 51% often sending business-critical documents and data. Users tend to send such information more when they use personal devices; 51% of those on a personal device send restricted and confidential data, compared to 29% of people on a work device.

 

It’s easy to make mistakes

The survey also found that 48% of all respondents sent messages on Teams they should not have. Of this group, 88% had been trained in the use of collaboration solutions, highlighting the need for increased and improved training on how to use Teams and the risks of sending sensitive data.

 

Urgent need for companies to scrutinise Teams backup, security and training

Over half of respondents (56%) see employee training and awareness as the primary approach to reducing cybersecurity risks. However, with 89% of respondents writing more User Chat messages than Group Channel Conversations, it is important to use a backup solution that protects all collaborative features on Teams.

 

Hornetsecurity’s CEO Daniel Hofmann said, “The increasing use of chat services has changed the way many now conduct work. With this change, the risk of data loss has unfortunately increased. Companies must have adequate safeguards in place to protect and secure business data. Otherwise, they run the risk of productivity, financial and data loss.

 

This is because Microsoft does not provide robust protection of data shared via Teams – so beyond the cybersecurity vulnerabilities, organisations must ensure information and files shared across the platform are backed up in a secure, responsible way. This is why we’re proud to offer Hornetsecurity’s 365 Total Backup, the only major third-party backup provider to protect the full range of Teams communications, from User Chats to Group Channel Conversations.”

 

For further information and a full copy of the survey: https://www.hornetsecurity.com/us/services/365-total-backup/teams-backup/

 

Notes to editors:

The Teams Backup survey by techconsult for Hornetsecurity was the result of:

        Quantitative online survey in August 2022

        Questionnaire with 19 questions

        540 participants from companies with at least 50 employees from all industries

 About Hornetsecurity

Hornetsecurity is the leading security and backup solution provider for Microsoft 365. Its flagship product is the most extensive cloud security solution for Microsoft 365 on the market, providing robust, comprehensive, award-winning protection: Spam and virus filtering, protection against phishing and ransomware, legally compliant archiving and encryption, advanced threat protection, email continuity, signatures and disclaimers. It’s an all-in-one security package that even includes backup and recovery for all data in Microsoft 365 and users’ endpoints.

Hornetsecurity Inc. is based in Pittsburgh, PA with other North America offices in Washington D.C. and Montreal, Canada. Globally, Hornetsecurity operates in more than 30 countries through its international distribution network. Its premium services are used by 50,000+ customers including Swisscom, Telefónica, KONICA MINOLTA, LVM Versicherung, and CLAAS.

The post Hornetsecurity Research Reveals Microsoft Teams Security and Backup Flaws With Nearly Half of Users Sharing Business-Critical Information on the Platform appeared first on Cybersecurity Insiders.

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

“Yes, I know what applications we have publicly exposed.”  

How many times have you said that with confidence? I bet not too many. With the rapid pace of development that engineering teams can work at, it is becoming increasingly difficult to know what apps you have exposed to the internet, adding potential security risks to your organization.

This is where InsightAppSec’s new application discovery feature, powered by Rapid7’s Project Sonar, can help to fill in these gaps.

What exactly is application discovery?

Using the data supplied by Project Sonar — which was started almost a decade ago and conducts internet-wide surveys across more than 70 different services and protocols — you can enter a domain within InsightAppSec and run a discovery search. You will get back a list of results that are linked to that initial domain, along with some useful metadata.

We have had this feature open as a beta for various customers and received real-world examples of how they used it. Here are two key use cases for this functionality.

Application ports

After running a discovery scan, one customer noticed that a “business-critical web application was found on an open port that it shouldn’t have been on.”  After getting this data, they were able to work with that application team and get it locked down.

App inventory

Various customers noted that running a discovery scan helped them to get a better sense of their public-facing app inventory. From this, they were able to carry out various tasks, including “checking the list against their own list for accountability purposes” and “having relevant teams review the list before attacking.” They did this by exporting the discovery results to a CSV file and reviewing them outside of InsightAppSec.

How exactly does it work?

Running a discovery search shouldn't be difficult, so we’ve made the process as easy as possible. Start by entering a domain that you own, and hit “Discover.”  This will bring back a list of domains, along with their IP, Port, and Last Seen date (based on the last time a Sonar scan has found it.)

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

From here, you could add a domain to your allow list and then run a scan against it, using the scan config setup process.

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

If you see some domains that you are not sure about, you might decide that you need to know more about the domains before you run a scan. You can do this by exporting the data as a CSV and then running your own internal process on these before taking any next steps.

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

How do I access application discovery?

Running a discovery scan is currently available to all InsightAppSec Admins, but Admins can grant other users or sets of users access to the feature using the InsightPlatform role-based access control feature.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


At a time when the state of cybersecurity is constantly changing, with new and increasing threats arising each day, it is vital for all organizations to keep it near the top of their list of priorities. Business applications are increasingly targeted by cybercriminals, and their ability to protect and defend themselves against these attacks is […]… Read More

The post Application Security Report 2022: Key Trends and Challenges appeared first on The State of Security.

The rising number of cyber attacks against software applications has emphasized how security must serve as an important factor in software development.  More than the traditional Software Development Lifecycle (SDLC) procedures, now security-integrated development lifecycles are being widely adapted. These aren’t the typical security assessments that are performed at the very end of development of […]… Read More

The post Top trends in Application Security in 2022 appeared first on The State of Security.

Deploy tCell More Easily With the New AWS AMI Agent

Rapid7's tCell is a powerful tool that allows you to monitor risk and protect web applications and APIs in real time. Great! It's a fundamental part of our push to make web application security as strong and comprehensive as it needs to be in an age when web application attacks account for roughly 70% of cybersecurity incidents.

But with that power comes complexity, and we know that not every customer has the same resources available both in-house or externally to leverage tCell in all its glory right out of the box. With our newest agent addition, we're hoping to make that experience a little bit easier.

AWS AMI Agent for tCell

We've introduced the AWS AMI Agent for tCell, which makes it easier to deploy tCell into your software development life cycle (SDLC) without the need to manually configure tCell. If you aren't as familiar with deploying web apps and need help getting tCell up and running, you can now deploy tCell with ease and get runtime protection on your apps within minutes.

If you use Amazon Web Services (AWS), you can now quickly launch a tCell agent with NGINX as a reverse proxy. This is placed in front of your existing web app without having to make development or code changes. To make things even easier, the new AWS AMI Agent even comes pre-equipped with a helper utility (with the NGINX agent pre-installed) that allows you to configure your tCell agent in a single command.

Shift left seamlessly

So why is this such an important new deployment method for tCell customers? Simply put, it's a way to better utilize and understand tCell before making a case to your team of developers. To get the most out of tCell, it's best to get buy-in from your developers, as deployment efforts traditionally can require bringing the dev team into the fold in a significant way.

With the AWS AMI Agent, your security team can utilize tCell right away, with limited technical knowledge, and use those learnings (and security improvements) to make the case that a full deployment of the tCell agent is in your dev team's best interest. We've seen this barrier with some existing customers and with the overall shift-left approach within the web application community at large.

This new deployment offering is a way for your security team to get comfortable with the benefits (and there are many) of securing your web applications with tCell. They will better understand how to secure AWS-hosted web apps and how the two products work together seamlessly.

If you'd like to give it a spin, we recommend heading over to the docs to find out more.

The AWS AMI Agent is available to all existing tCell customers right now.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


It’s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP

Summer is in full swing, and that means soaring temperatures, backyard grill-outs, and the latest roundup of Q2 application security improvements from Rapid7. Yes, we know you’ve been waiting for this moment with more anticipation than Season 4 of Stranger Things. So let’s start running up that hill, not beat around the bush (see what we did there?), and dive right in.

OWASP Top 10 for application security

Way, way back in September of 2021 (it feels like it was yesterday), the Open Web Application Security Project (OWASP) released its top 10 list of critical web application security risks. Naturally, we were all over it, as OWASP is one of the most trusted voices in cybersecurity, and their Top 10 lists are excellent places to start understanding where and how threat actors could be coming for your applications. We released a ton of material to help our customers better understand and implement the recommendations from OWASP.

This quarter, we were able to take those protections another big step forward by providing an OWASP 2021 Attack Template and Report for InsightAppSec. With this new feature, your security team can work closely with development teams to discover and remediate vulnerabilities in ways that jive with security best practice. It also helps to focus your AppSec program around the updated categories provided by OWASP (which we highly suggest you do).

The new attack template includes all the relevant attacks included in the updated OWASP Top 10 list which means you can focus on the most important vulnerabilities to remediate, rather than be overwhelmed by too many vulnerabilities and not focusing on the right ones. Once the vulns are discovered, InsightAppSec helps your development team to remediate the issues in several different ways, including a new OWASP Top 10 report and the ability to let developers confirm vulnerabilities and fixes with Attack Replay.

Scan engine and attack enhancements

Product support for OWASP 2021 wasn’t the only improvement we made to our industry-leading DAST this quarter. In fact, we’ve been quite busy adding additional attack coverage and making scan engine improvements to increase coverage and accuracy for our customers. Here are just a few.

Spring4Shell attacks and protections with InsightAppSec and tCell

We instituted a pair of improvements to InsightAppSec and tCell meant to identify and block the now-infamous Spring4Shell vulnerability. We now have included a default RCE attack module specifically to test for the Spring4Shell vulnerability with InsightAppSec. That feature is available to all InsightAppSec customers right now, and we highly recommend using it to prevent this major vulnerability from impacting your applications.

Additionally, for those customers leveraging tCell to protect their apps, we've added new detections and the ability to block Spring4Shell attacks against your web applications. In addition, we've added Spring4Shell coverage for our Runtime SCA capability. Check out more here on both of these new enhancements.

New out-of-band attack module

We’ve added a new out-of-band SQL injection module similar to Log4Shell, except it leverages the DNS protocol, which is typically less restricted and used by the adversary. It's included in the "All Attacks" attack template and can be added to any customer attack template.

Improved scanning for session detection

We have made improvements to our scan engine on InsightAppSec to better detect unwanted logouts. When configuring authentication, the step-by-step instructions will guide you through configuring this process for your web applications.

Making it easier for our customers

This wouldn’t be a quarterly feature update if we didn’t mention ways we are making InsightAppSec and tCell even easier and more efficient for our customers. In the last few months, we have moved the "Manage Columns" function into "Vulnerabilities" in InsightAppSec to make it even more customizable. You can now also hide columns, drag and drop them where you would like, and change the order in ways that meet your needs.

We’ve also released an AWS AMI of the tCell nginx agent to make it easier for current customers to deploy tCell. This is perfect for those who are familiar with AWS and want to get up and running with tCell fast. Customers who also want a basic understanding of how tCell works and want to share tCell’s value with their dev teams will find this new AWS AMI to provide insight fast.

Summer may be a time to take it easy and enjoy the sunshine, but we’re going to be just as hard at work making improvements to InsightAppSec and tCell over the next three months as we were in the last three. With a break for a hot dog and some fireworks in there somewhere. Stay tuned for more from us and have a great summer.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


DevSecOps is the key to achieving effective IT security in software development. By taking a proactive approach to security and building it into the process from the start, DevSecOps ensures improved application security. It also allows organizations to rapidly develop application security with fewer bottlenecks and setbacks. Some critical aspects of the DevSecOps approach and […]… Read More

The post Using DevSecOps for Efficient IT Security appeared first on The State of Security.