This edition of Detectify Security Defenders Insights focuses on best practices on how not to lose security visibility in 2021:
For many small to mid-sized tech organizations, security visibility is an increasing challenge. 2020 was the true catalyst for their tech transformation from all in-house to suddenly working from home. This meant a pressured effort to make sure security was top-of-mind, especially now that everyone was literally out of sight. Security defenders worked harder to keep an eye on everything that was happening between employee home networks and company work servers.
Hardening authentication
Having Multi-Factor Authentication can stop 99% of identity theft attempts, so it’s no surprise that our Security Defenders network named this as their top implementation of 2020. Related to authentication, many implemented SSO and reported improved security visibility during the lockdown – even teams that were already remote.
“I intend to switch from Nessus to OpenVAS for our internal VA’s.” – Kevin Willock, DevOps and Infrastructure specialist.
More automation
A majority of our Security Defenders were remote-work friendly and hosted in the cloud before the COVID-19 pandemic. Not only have they relied on automation to detect bugs, but as Kevin Willocks, DevOps specialist noted, “There has been an increase in automated bot scanners.”
To maintain a productive and secure setup, having more automation in place for security checks in the infrastructure is still a priority. Application security solutions like Detectify rank web vulnerabilities by severity, which saves time and prioritization effort.
“I appreciate Detectify’s automated scans that can be injected in our existing CD/CI pipelines and slack alerts based on criticality.” – Ajaya, LeanTaaS Inc, Engineering Manager
“As we are entirely cloud-based, we have added more automated checks of our infrastructure. That is, checks for insecure configurations and unexpected changes.” – Martin, Recorded Future.
Awareness training and repeat
If security visibility and awareness weren’t a priority before, hopefully they are now. Our security defenders saw the importance of returning to baseline measures and repeating awareness training to keep everyone alert to fraudulent activities and phishing attempts.
In addition to this, security visibility also improves when you involve developers in security remediation, because more eyes are then checking the exposed attack surface. At Detectify, access to security knowledge is part of our delivery, which is why we’ve built it in with clear guidance that puts it into the hands of devs. Security Defender Eugene told us, “I find the Reports and remediation steps in Detectify valuable.”
“Educate, educate, educate – to increase colleagues’ awareness of the cybersecurity landscape. I help them understand why they need to have MFA, how to spot phishing, and also the importance of keeping the tech stack updated. I am a believer that when you set foundations right, then you can move to higher-level topics.” – Tomas Kaminskas, Cloud Engineer.
Setting up a Security Champions group is another way to spread security awareness amongst teams. You can learn more about Detectify’s initiative and gain some top-notch security tips from our champs.
Replacing VPNs
Bob of Lovecrafts shared how they moved away from IP allow listing and VPNs to identity-aware proxies.
More from Bob: “We have some employees connecting to production APIs from their home laptops over VPNs and on their home wifi along with their kids playing Fortnite – What could possibly go wrong? I’ve managed to replace most of those with identity-aware proxies that link to their SSO access, ensuring 2FA and allowing them to reset their own passwords if needed. Since they don’t need VPN software or to be coached through installing certs, we’ve mitigated potential access to any internal services they aren’t authorized for.”
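A minimal version of the gate Bob describes, written here as an added example (not Lovecrafts’ setup or Detectify’s code): the proxy forwards a request only when it carries an SSO-issued session that records a second factor and membership in the group that owns the internal service, so unauthorized staff never reach it. The HMAC-signed cookie, the claim names sub/amr/groups and the /sso/login path are assumptions; a real identity-aware proxy would verify the identity provider’s signed token instead of a shared key.

```python
"""Identity-aware gate for an internal service: SSO session + MFA + group, then forward."""
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared with the SSO layer; a real proxy verifies the IdP's signed token instead.
SESSION_KEY = b"constructed-demo-key"
COOKIE = "sso_session"


def _sign(payload: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(SESSION_KEY, payload, hashlib.sha256).digest())


def mint_session(claims: dict) -> str:
    """Stand-in for the SSO callback: issue a 'payload.sig' token carrying sub, amr and groups."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()


def parse_session(token: str):
    """Return the claims only if the HMAC verifies; tampered or malformed tokens give None."""
    payload, sep, sig = token.encode().partition(b".")
    if not sep or not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def authorize(claims: dict, group: str) -> bool:
    """Require a second factor ('mfa' in amr) and membership in the group that owns the service."""
    return "mfa" in claims.get("amr", []) and group in claims.get("groups", [])


def gate(cookies: dict, group: str):
    """Per-request decision: 401 (send to SSO login) without a valid session, 403 when MFA or
    group membership is missing, 200 plus the identity header the upstream trusts only from the proxy."""
    claims = parse_session(cookies.get(COOKIE, ""))
    if claims is None:
        return 401, {"Location": "/sso/login"}
    if not authorize(claims, group):
        return 403, {}
    return 200, {"X-Authenticated-User": str(claims.get("sub", ""))}
```

Because the decision is made per internal service (the group argument), an employee who holds a valid SSO session but is not in that service’s group is still refused, which is the access reduction Bob describes.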
Collaboration with ethical hackers
Detectify’s own Crowdsource ethical hacker community grew 30%, and we saw individuals join with backgrounds as full-time bug bounty hunters and daytime developers with security research interests. Besides getting access to ethical hacker knowledge through companies like Detectify, security defenders are also running their own responsible disclosure programs to keep the door open to help from the ethical hacker community.
“We’re having more collaboration with bounty hunters and white hat hackers that are scanning the site and finding issues. Most of them are also based in discovery suites – so Detectify is catching them – but sometimes they’re also doing manual pentesting, and responsible disclosures, which improves our security posture.” – Adrián Moreno Peña aka @zetxek, Tech Lead at VanMoof.
More security visibility in 2021
Many security defenders anticipate that this remote-work reality is here to stay, making it more important not to lose sight of the organization’s security awareness, especially as the new workplace is at home, with distractions and an increased attack surface. By adding authentication tools, automation, and hacker help, you can set up alerts and controls that give you more security visibility over a perimeterless workforce and let you act on threats in time.
How does Detectify help you secure 2021?
Detectify detects widely exploited vulnerabilities across your attack surface and chained throughout the web application layer. Our findings are verified with payload testing and ranked by severity to help you prioritize. Reports with remediation tips can be dispatched to Slack, JIRA or other popular developer tools, and queued up in the CI/CD pipeline to be fixed. This puts security knowledge into the hands of your application security defenders.
Find vulnerabilities that you thought were fixed and more with Detectify. Begin a free 2-week trial and go hack yourself.