ForAllSecure

MAY 2, 2023

Historically, security has been bolted on at the end of the development cycle, often resulting in software riddled with vulnerabilities. This leaves the door open for security breaches that can lead to serious financial and reputational damage. According to the 2022 cost of a data breach report by IBM , the average cost of a data breach in the United States is $9,440,000.

Security 52

Security Risk Data breaches Compliance 52

ForAllSecure

APRIL 27, 2023

From humble beginnings in basic IT configuration automation, DevOps has become the de facto standard for organizations looking to ship software faster. “Shift left” approaches combined development processes and methodologies with traditional operations tasks, putting more work on development teams in exchange for freedom from fire drills and production fixes.

Security 52

Security Risk Education IT 52

ForAllSecure

APRIL 26, 2023

Criminal hacking has become a major threat to today’s organizations. According to a Deloitte Center for Controllership poll , “During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data were targeted by cyber adversaries.” And, “Nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahe

Passwords 40

Passwords Access Authentication Education 40

ForAllSecure

APRIL 19, 2023

It’s time to evolve beyond the UNIX operating system. OSes today are basically ineffective database managers, so why not build an OS that’s a database manager? Michael Coden, Associate Director, Cybersecurity, MIT Sloan, along with Michael Stonebreaker will present this novel concept at RSAC 2023. You can learn more at dbos-project.github.io.

Analytics 40

Analytics Communications Computer and Electronics Cybersecurity 40

ForAllSecure

APRIL 14, 2023

“Life at ForAllSecure” is a Q&A series dedicated to our growing company. For this month’s profile, we talked with James Kessler, Staff Software Engineer, who joined the company in April, 2022 and is based out of Calgary, Alberta. 1. What did your career path look like before you came to work here? I got my BS from the University of Calgary in 2003.

IT 40

IT Government 40

ForAllSecure

APRIL 11, 2023

As software development becomes increasingly complex, ensuring the quality of the software is essential. One critical aspect of quality assurance is test coverage, which refers to the percentage of the code covered by automated tests. The higher the test coverage, the more confidence we have in the software's functionality and reliability. In this post, we will explore how to increase test coverage in your API with Mayhem in four easy steps.

Data structuring 40

Data structuring Authentication IT Security 40

ForAllSecure

APRIL 6, 2023

The word “hacker” is all too often associated with criminal activities—“The hacker who broke into the systems at …” This association, however, does a disservice to the legitimately curious people, including students, academics and researchers—“Researchers worked with Microsoft to patch the vulnerability before it became known.” What people don’t often realize is that these “researchers” are hackers.

Military 75

Military Cybersecurity Encryption Security 75

ForAllSecure

MARCH 31, 2023

The Mayhem team participated in the Miami Cybersecurity Summit, Automotive IQ, and Wright-Patterson AFB Training last month. We have a number of upcoming events planned for April 2023, including: RSA Conference, DevSecOps Days, and BSides Webinar: How to Increase Test Coverage With Mayhem for API Speed vs. Resilience: Making the Right Trade-offs for Software Security Securing Open Source Software University Hackathon Read on to learn more about April’s events.

Cybersecurity 52

Cybersecurity Marketing Risk Security 52

ForAllSecure

MARCH 29, 2023

Application Programming Interfaces (APIs) are a fundamental component of modern software development. APIs allow developers to integrate different software systems, making it easier than ever to create complex applications and services. However, as with any software component, APIs are also prone to security vulnerabilities that can be exploited by attackers.

Security 40

Security Authentication Passwords Encryption 40

ForAllSecure

MARCH 23, 2023

No matter what approach you take to building your API, it’s important to test your API for security. In a previous post, we talked about the key features of REST, gRPC, and GraphQL APIs. In this post, we’ll first cover general principles of API security, then we’ll break down specific recommendations and examples for testing REST, gRPC and GraphQL.

Authentication 75

Authentication Access Risk Encryption 75

ForAllSecure

MARCH 22, 2023

We’ve seen drug marketplaces and extremists use the Dark Web. Will generative AI tools like ChatGPT make things crazier by lowering the barrier to entry? Delilah Schwartz, from Cybersixgill, brings her extensive background with online extremists to The Hacker Mind to talk about how she’s seeing a lot of chatter in the Dark Web about generative AI being used online for scams.

Marketing 52

Marketing Ransomware Access IT 52

ForAllSecure

MARCH 8, 2023

Booth babes and rampant sexism were more of a problem in infosec in the past. That is, until Chenxi Wang spoke up. Today she runs a 100% woman owned VC. She’s an amazing person who has done an amazing number of things in a short amount of time -- CMU professor, Forrester analyst, CSO at a successful startup -- and she’s not done changing the industry.

Cloud 40

Cloud Marketing IT Security 40

ForAllSecure

MARCH 7, 2023

In May 2021, the fitness company Peloton realized they had a problem with their APIs. The company, known for their fitness bikes, relied upon APIs to log members in and track their progress. The APIs also had access to account details such as name, address, and other personal information. Then, a consultant for Pen Test Partners, Jan Masters, discovered a vulnerability that could make unauthorized requests to back-end APIs used by Peloton.

Security 52

Security Compliance Access IT 52

ForAllSecure

MARCH 1, 2023

Which API testing is best for you largely depends on the type and complexity of the APIs being tested. If you're dealing with a basic API that mainly performs CRUD (Create, Read, Update, Delete) operations, then simple manual testing may be sufficient. However, if the API is more complex or requires loads of data manipulation to get the results you’re after, then an automated API testing tool is the way to go.

Security 52

Security Authentication IT 52

ForAllSecure

FEBRUARY 21, 2023

In last week’s post we talked about what API testing is and why it’s important. In this week’s post, we’ll talk about when API testing is required and industry-specific API standards. When is API testing required? As a whole, API testing is not regulated, so it isn’t legally required in most cases. API security is a fairly new field, so while there aren’t currently many regulations around how APIs are built and secured, conducting API testing is still an impor

Manufacturing 40

Manufacturing Financial Services Compliance Access 40

ForAllSecure

FEBRUARY 22, 2023

What if DEF CON CTFs were televised? What if you could see their screens and have interviews with the players in the moment? You can. Jordan Wiens, from Vector 35 , maker of Binary Ninja, is no stranger to CTFs. He’s played in ten final DEF CON CTFs, was a part of DARPA’s Cyber Grand Challenge, and recently he’s moderated the live broadcast of the annual Hack-A-Sat competition.

IT 40

IT Marketing Access Government 40

ForAllSecure

FEBRUARY 17, 2023

APIs share data and enable communication between everything connected to the internet. API testing ensures that these connections work as intended and that the information carried by APIs remains secure. What is API testing? API testing is a type of software testing that tests application programming interfaces (APIs). API testing helps developers identify bugs within the API and optimize its performance, functionality, reliability, and security.

IT 40

IT Communications Customer Experience Risk 40

ForAllSecure

FEBRUARY 15, 2023

In the rush to comply with various standards, such as addressing the OWASP Top 10 API , companies are looking at API security with renewed interest. Some organizations have begun using Web Application Firewalls (WAFs) to protect their APIs, but this isn’t a true solution to API security. What do APIs do? An application programming interface (API) allows various computer programs to work together by sharing data.

Security 40

Security Data breaches Authentication Cloud 40

ForAllSecure

FEBRUARY 14, 2023

“Life at ForAllSecure” is a Q&A series dedicated to our growing company. For this month’s profile, we talked with Dylan Bargatze , Senior Staff Engineer at ForAllSecure, who joined the company in 2020 and is based out of Cincinnati, Ohio. 1. Tell our readers a little bit about what your role as Senior Staff Engineer entails. I was hired for the analysis team because I have a background in reverse engineering, vulnerability research, that sort of thing.

Cybersecurity 40

Cybersecurity IT Government Access 40

ForAllSecure

FEBRUARY 8, 2023

When we hear about bad actors on a compromised system for 200+ days, we wonder how they survived for so long. Often they hide in common misconfigurations. From her talk at SecTor 2022 , Paula Januszkiewicz, CEO of Cqure , returns to The Hacker Mind and explains how a lot of little configuration errors in common Windows tools and services can open the door to persistence on a system for bad actors and what sysadmins can do to mitigate these.

Access 40

Access IT Phishing Passwords 40

ForAllSecure

FEBRUARY 2, 2023

Cybersecurity risks are on the rise for small and medium-sized businesses , as they are easier targets for attacks, often lacking the resources to both prevent and recover from attacks. Finding an effective way to protect applications from malicious actors can be a daunting task. Running tests manually is time-consuming, and small teams may feel that they don’t have the time required to secure their applications.

Marketing 40

Marketing Access Security Cybersecurity 40

ForAllSecure

JANUARY 31, 2023

On October 3, 2022, the Federal Financial Institutions Examination Council's ( FFIEC ) updated its 2018 Cybersecurity Resource Guide for Financial Institutions. The resource guide is a valuable tool for financial institutions of all sizes as it provides best practices, recommendations, and resources to help organizations protect their networks and data from cyber threats.

Cybersecurity 52

Cybersecurity IT Financial Services Risk 52

ForAllSecure

JANUARY 31, 2023

For developers and DevOps engineers, running tests against applications is a vital part of the development process. But running tests manually can be time-consuming and tedious. That's where Mayhem comes in. Mayhem is an application security platform that uses machine learning (ML) techniques like fuzzing and symbolic execution to automatically create and run thousands of tests.

Security 52

Security Risk IT 52

ForAllSecure

JANUARY 26, 2023

As long as applications exist, there will be vulnerabilities, and as long as there are vulnerabilities, there will be exploits. In the six-year span from 2015 to 2021, newly reported zero-day exploits rose from from one-per-week to one-per-day, and they are only becoming more prevalent. This doesn’t mean that there is nothing you can do to protect yourself from vulnerabilities.

Risk 52

Risk Security IT Access 52

ForAllSecure

JANUARY 22, 2023

Having a common framework around vulnerabilities, around threats , helps us understand the infosec landscape better. STRIDE provides an easy mnemonic. Adam Shostack has a new book, Threats: What Every Engineer Should Learn From Star Wars. that uses both Star Wars and STRIDE to help engineers under vulnerabilities and threats in software development.

Cloud 40

Cloud Security IT Authentication 40

ForAllSecure

JANUARY 24, 2023

At ForAllSecure, we're often asked whether other companies actively fuzz test their software in development. And the answer is yes. Google Chrome has long done this. Similarly, Mozilla, makers of the Firefox browser, fuzz test their software as well. Recently the company reported 20 vulnerabilities they found through fuzz testing their code. The Mozilla vulnerabilities include 5 Critical and 15 High vulnerabilities.

Security 40

Security IT 40

ForAllSecure

JANUARY 17, 2023

I believe it's exponentially easier to defend when you can anticipate the offense. So what will cyber offense start doing this year, and how can you prepare? I’m David Brumley, CEO of ForAllSecure, and here are my top three predictions for offense in 2023: 1. Hackers are going to ransom our cars. I’m pegging 2023 as the first year someone finds ransomware has locked them out of their car.

Paper 73

Paper Security Ransomware Cybersecurity 73

ForAllSecure

JANUARY 10, 2023

Happy New Year from the team at ForAllSecure! As we move into 2023, we are taking some time to look back at our accomplishments and milestones over the previous year: 1. We launched a free version of Mayhem. In January of 2022, we launched a free version of Mayhem to help individuals and small teams deliver safer, more reliable applications and APIs.

Marketing 52

Marketing Sales Cybersecurity Security 52

ForAllSecure

JANUARY 4, 2023

In a previous blog post , we looked at the federal government’s recent release of the Securing The Software Supply Chain series, in particular, p art one: guidance for developers. In this blog post, we’ll take a deeper look at the National Institute of Standards and Technology (NIST) guidance for software development. In particular, we’ll look at PW 8.2 in NIST 800-218 which is cited.

Security 52

Security Risk Government Access 52

ForAllSecure

JANUARY 3, 2023

Last month, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) released the final installment of its Securing The Software Supply Chain series. Part one provided guidance for developers and was released in August 2022. Part two provided guidance for suppliers in October 2022.

Security 52

Security Cybersecurity Government IT 52

ForAllSecure

DECEMBER 15, 2022

If your current software security testing does vulnerability scanning, congratulations. You are addressing the known vulnerabilities, some of which may be exploited against your software in a future attack. Unfortunately, you are only addressing the known vulnerabilities and missing the bigger picture, which are the unknown vulnerabilities. That’s where the zero days live.

Security 52

Security Marketing IT 52

ForAllSecure

DECEMBER 14, 2022

Mayhem for API can’t even begin to imagine every single configuration of an API. Working systems grow and add layers of complexity with all sorts of different configurations. Sometimes an API service has an exotic authentication protocol, or nonce values need to be carefully managed in the headers of requests, or you have to go through a load balancer with minute-by-minute expiring access tokens.

Authentication 52

Authentication Access IT 52

ForAllSecure

DECEMBER 13, 2022

“Life at ForAllSecure” is a Q&A series dedicated to our growing company. For this month’s profile, we talked with Ivan Gotovchits, Analysis Engineer at ForAllSecure, who joined ForAllSecure in September and is based out of Pittsburgh, PA. 1. Tell our readers a little bit about what your role as an Analysis Engineer entails. I am working on the symbolic executor, one of the secret sauces that makes Mayhem work.

Military 40

Military Security IT 40

ForAllSecure

DECEMBER 8, 2022

Nearly every development team uses Static Application Security Testing (SAST) to identify issues in their applications. This type of scanning helps flag vulnerabilities for developers to fix. But using SAST alone can cause significant frustration for developers and fall short for security for two fundamental reasons. First, most SAST tools return both false positives and false negatives, meaning they both miss real vulnerabilities and provide false positives.

Security 52

Security Risk IT 52

ForAllSecure

DECEMBER 7, 2022

If you call someone on the other side of the world, perhaps you notice the latency in responses. For voice that’s okay, but for live music that’s disastrous. Mark Goldstein thinks he’s solved the latency problem associated with the production of live musical performances online. Having one musician in Bangalore, another in California, and yet another in New York?

Computer and Electronics 40

Computer and Electronics IT Communications Cloud 40

ForAllSecure

DECEMBER 6, 2022

Shifting left for API security has many benefits. It allows developers to produce better code, catch API issues earlier in the development cycle, and get their work done faster. In order to build API security testing into the development process naturally, use a shift left approach along with an automated API tester, such as Mayhem for API. What Is Shifting Left?

Security 52

Security Marketing IT 52

ForAllSecure

NOVEMBER 30, 2022

Over the last several weeks, we’ve made a number of updates to both our flagship Mayhem for Code product and Mayhem for API. Recent improvements to Mayhem for Code (version 2.1) include: Automated Behavior Testing service. Slow Tests Reporting. Dismay / Client side fuzzing updates. Recent improvements to Mayhem for API (version 2.15.7) include: Default branch.

Authentication 52

Authentication Access Security IT 52