четвер, 16 жовтня 2014 р.

Ура, новий Security Hole #14

Ура-Ура-Ура. Ми знову повертаємось після маленької відпустки і організовуємо Security Hole. 3 реально цікаві спікери. 3 реально круті теми. Не проФтикайте!


ДОДАЙТЕ В КАЛЕНДАР натиснувши ТУТ
Транляція на нашому каналі http://www.ustream.tv/channel/security-hole 

четвер, 9 жовтня 2014 р.

середа, 8 жовтня 2014 р.

Public Lecture

Провели зустріч з студентами кафеди ЗІ. Розказали чим ж то ми займаємось. Цікавий досвід. 

SSL Pinning

Часто запитують як засекюрити свою аплікацію після того як ми її розковиряли.
Тут доступно описано чому важливий SSL Pinning.

понеділок, 6 жовтня 2014 р.

понеділок, 11 серпня 2014 р.

Three Pillars to Build Security Into Your SDLC


In today’s technology environment, the issue is no longer if your business is vulnerable to cyber security threats or may someday be attacked; the issue is ‘When?’ and, ‘Will you be prepared?’ The widespread use of cloud computing, SaaS and smart devices leave businesses of all types and scales more vulnerable than ever to attacks on their information systems. A company's financial security, intellectual property and level of trust are at risk. Everything can be lost as the result of a successful attack.

Security can’t be an afterthought or adjunct task in the software development process. The legitimacy of the threat necessitates the need to tightly integrate security into the software development lifecycle (SDLC). Identifying security issues at the end of a development is too late.

When you incorporate security into your SDLC, you create applications that are secure by design, not by chance or circumstance.

In particular, security in continuous integration (CI) environments can be challenging. The goal of CI is to provide rapid feedback on disparate code changes, allowing developers to correct errors as soon as possible by identifying functional defects introduced into the larger code base. In this environment, integrated security testing is needed to provide developers a real-time threat assessment of all changes they’ve made, regardless of their operational success in the larger code base. Without integrated security testing, there’s a risk of re-engineering solutions multiple times to address security threats detected long after functional solutions are accepted. That wastes valuable time, money, energy and effort.

Following are three pillars to build security into a continuous integration development environment, creating applications capable of standing up to any security threat:

1. Leverage Interactive Application Security Testing (IAST)

IAST combines into a single solution the techniques and benefits of static and dynamic application security testing, increasing the overall accuracy of testing by running continuous, automated malicious traffic against applications under development, while monitoring the applications in runtime. IAST monitors information from inside the application under test, including runtime requests, data and control flows, libraries and connections to create a comprehensive testing environment simulating real-world attacks. This includes context awareness, allowing organizations to prioritize different risk threats, as opposed to prioritizing differing vulnerabilities without the ability to assess their impact on data in the event of an attack.

Unlike other test methodologies, IAST pinpoints real vulnerabilities with no false positives and gives immediate, focused code remediation. [LINK: http://www.marketwatch.com/story/interactive-application-security-testing-iast-named-by-gartner-analysts-in-top-10-technologies-for-information-security-in-2014-2014-07-01].

IAST is the future of security testing and should me a mainstay of SDLC environments.

2. Choose the Right Tool for the Job

There are a variety of tools available in the marketplace capable of providing utility in an integrated security SDLC environment. As with all choices, some solutions may prove inadequate or an overkill to the task at hand. A good motto to follow when evaluating testing environments is, “Just because you can, doesn’t mean you should.” In other words, security testing requires the right tool for the job at hand, not any tool that can serve a level of purpose.

Thoughtfully marry your security testing solution with the type of software, language, methodology and budget matching your environment. Select security tools capable of automated testing, purpose-built to integrate with the continually evolving code base inherent to the CI software development process.

The right tools are needed to create the level of testing required to assure security of the application under development. This isn’t an area you want to skimp on or misalign.

3. Involve Your Security Analyst

Although security is everyone’s responsibility, it’s wise to have someone responsible to continuously oversee all security testing efforts. Security analysts should be used to verify and coordinate all test results, investigate suspicions of false positives and negatives, explain security defects to developers and educate quality assurance staff on ways to detect business logic defects.

Having a security analyst on your team throughout the SDLC process raises the importance of application security and provides a voice on the team that won’t compromise security for operational or functional abilities. As security shouldn’t be an afterthought in development, it shouldn’t be an afterthought in responsibility.

Conclusion

Cyber attacks are a real and growing threat to business and individuals that we need to prepare to quickly detect and thwart. One of the best defenses against a cyber attack is to develop applications within an integrated security environment. In this environment, security is part of the software development process, as opposed to a parallel or after-action activity. 

A big part of preparedness is selecting the right methodology. IAST is the latest approach to application security testing that provides continuous, real-time feedback on simulated cyber attacks. This is especially valuable in CI environments where disparate code changes are rapidly introduced for testing within a larger code set.

Beyond the testing environment, the tools and testing configurations you employ need to match your unique situation. While more than one testing solution may provide a level of functionality, security is too important an issue to use anything less than ideal support systems.

Last, but not least, security analysts should be an integral part of your development team. Their uncompromising voice for security underscores their importance in the development process and keeps security a top priority within your team.

The safe assumption is that your business will be under attack at some point in the future and catastrophic financial, intellectual property and customer losses may be the result of not being properly prepared. The issue developers need to address is how well they are prepared to withstand an attack, and that begins with measures taken in the software development process.





четвер, 10 липня 2014 р.

Security Test Case Suite

Пропонуємо вашій увазі типовий список для перевірки при виконанні пентесту аплікації.
Список доступний тут: http://goo.gl/xNJyae

Security Hole #11 - Підсумки

Вчора відбувся черговий Security Hole, який відвідали більше 25 слухачів. Присутніми були як працівники SoftServe так і інших компаній: Symphony Solutions, Epam, Perfectial, Remit, Conscensia.
Доповідачі Юрій Білик та Ігор Беляєв поділилися своїми дослідженнями в інформаційній безпеці, пов'язаними з темами: регулярні вирази, криптографія та конкурентна розвідка. Найцікавіша практична частина полягала в застосуванні прийомів конкурентної розвідки і учасники з захопленням виконували завдання.


Security Hole #12 - Lockpiking Authentication - OWASP Lviv - SoftServe


пʼятниця, 4 липня 2014 р.

Security Hole #11 - Буде цікаво!



Цього разу нас будуть вчити Юрій Блик і Ігор Беляєв. Буде дійсно цікаво!

СЕРЕДА, 9 липня, 19:00, Федьковича 60А, кімната 4004, СофтСерв офіс №4.

P.S.Для тих хто не зможе прийти фізично буде доступна жива трансляція на нашому каналі:
http://www.ustream.tv/channel/security-hole 

Де тренувати знання в тестуванні (публікація Б)

Where to train your QA engineers in Security for FREE?


With rapid increase of web applications in the internet the question about their security becomes more and more critical. It is difficult to learn and practice Web application security. Not everyone who is dealing with security testing has environment with web applications like online computer store or online banks that can be used to scan for vulnerabilities. Additionally, security professionals has the need to test tools against environment with known vulnerabilities to ensure that they are working properly. All this activities have to be done on legal environment without breaking the law. And this is one of the main stoppers in training process.
Security communities in all over the world took this facts into account and prepared a lot of great stuff, online environments, vulnerable applications that can run locally to learn and practice Web application security.
Security Compass prepared free online course based on TOP 10 Web application vulnerabilities for 2013 year according to Open Web Application Security Project (OWASP). This course is available on their web site. The easiest step-by-step guideline for students is available on Computer Security Student website.
OWASP Mutillidae II Project provides free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. It has several tasks on each vulnerability from OWASP TOP 10 list. Currently the 2.0.7 version of Mutillidae is available.
OWASP WebGoat project prepared by OWASP Community was designed to teach web application security lessons. It is easy to run and practice. Students are able to login application with different accounts, get description on each lesson and if needed obtain lessons solutions. The difference with previous project is that it contains lessons dedicated not only to break security but also to fix vulnerabilities providing secure code.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. This project is very similar to Mutillidae as here you have no concrete tasks to solve but you have scripts with common vulnerabilities:
·         Brute Force
·         Command Execution
·         CSRF
·         File Inclusion
·         SQL Injection
·         SQL Injection (Blind)
·         Upload
·         XSS reflected
·         XSS stored
The newest version is 1.0.8
A Codelab by Bruce Leban, Mugdha Bendre, and Parisa Tabriz Web Application Exploits and Defenses provides platform that can be accessed online or installed locally. Here are tasks for both black box and white-box testing. This codelab shows how to exploit existing web application vulnerabilities and how to defend against these attacks.
OWASP prepared The Broken Web Applications (BWA) Project that produces a Virtual Machine running a variety of applications. Some of them were described earlier:
·         OWASP WebGoat (Java)
·         OWASP WebGoat.NET (ASP.NET)
·         OWASP ESAPI Java SwingSet Interactive (Java)
·         OWASP Mutillidae II (PHP)
·         OWASP RailsGoat (Ruby on Rails)
·         OWASP Bricks (PHP)
·         Damn Vulnerable Web Application (PHP)
·         Ghost (PHP)
·         Magical Code Injection Rainbow (PHP)
And many more. Resources are located here.
There are online vulnerable Web sites from Acunetix, which are used by the company to show their demo test:
·         testasp.vulnweb.com/
·         testaspnet.vulnweb.com/
·         testphp.vulnweb.com/
 To train XSS attacks specialists interested in security can use following sites:
·         html5sec.org/xssme.php
·         xssme.html5sec.org/
·         xss-game.appspot.com/
Challenges available there vary from easy level to non-trivial tasks.
Capture The Flag (CTF) security competitions probably are the most interesting for security specialists. Tasks are available online and don’t need additional software. And there is clear goal – get the flag. One of the projects is Hack This Site with set of challenges. Another CTF project from Enigma Group also has set of missions that are available here. Here security specialists and enthusiasts can try their skills competing with other teams.
These resources are available for free and cover a lot of fundamental aspects that security testers need. Of course, that is not full list of resources for practicing Web application security but it is more than enough to full your time with interesting activity.







Security Certifications

Our clients often ask us about our certificates. Here is short list:
Security Certifications: Certified Ethical Hacker (EC-Council), HP Fortify Security Technical Specialist, CIW WebSecurity Specialist, Cisco SMB Security Specialist, Zyxel Security Specialist
IT Certifications:CLE,DCTS,DCATS,NAI,CLP,NLTS,CNA,NCLA,MCTS













вівторок, 27 травня 2014 р.

Website Security – How to Prevent Breaches...

Website Security Risks


In my experience as a Security Consultant, I`ve witnessed numerous cases when lack of proper web server support and maintenance resulted in a company`s website being hacked and exploited by attackers. Unfortunately, it is not a rare case when businesses invest into website development only or store all their websites (as well as mail servers) on a single dedicated machine without an established and safe backup process. Additionally, if a company lacks a comprehensive security strategy and prefers to overlook a well-known security principle of “better safe than sorry”, a website administrator may not be ready for real-time attacks, which might result in website being down and sensitive data compromised.

Sure, skimping on server and website maintenance, regular security check-ups and trainings will save you money in the short run. However, in the long run it`ll save you more if you invest into a secure server hosting provider and proper software architecture instead.

A simple truth is, it doesn`t matter which framework you selected for website development a couple of years ago – Joomla, Wordpress, ASP .NET or Java. As the time flows, they all need to be patched for discovered vulnerabilities and require regular security check-ups. The frameworks provide a fast and cheap way to create great websites, so businesses (even the large brands such as Barnes & Noble, Citibank or Peugeot) continue using them despite of the security risks presented by possible vulnerabilities, but what`s important – they should specifically focus (and many large brands do) on proper website security and maintenance.

Secure Software Development: Levels of Responsibility

Owning an internet website is similar to owning a car – you pay to get it work smoothly, ride fast, look impressive and help you earn money. Just like with a car, you need to properly maintain your website:

·         Check for vendor notifications about updates and patches or withdraws (‘change oil & tires’)
·         Buy an insurance to protect yourself against risks.

In a company, website security starts with a developer, who should write a secure code. Then, a Quality Assurance expert tests the code for bugs and possible vulnerabilities. Next, a DevOps expert`s task is to automate build processes, patch application and server software, monitor performance and log files. At the next stage, a Security expert should review the results with security in mind. Then, there is a CIO.

Any mid-size or large company would have a person responsible for IT, who`s typically known as the CIO (Chief Information Officer). At times, this role could be combined with the CTO and even the CEO. Anyway, this person is responsible for decisions on IT support and website operations, as well as for preventing website security breaches as it is the IT staff that should support the company`s servers. A part of this process is designing backups and recovery plans for after-the-incident cases. Continuing with the car analogy, it’s similar to ensuring your backup wheel is functional in case of emergency.

When your IT engineers (or your software development vendor) develop software, your CTO/CIO should define where to deploy it (on separate servers on Amazon or special containers vs. all sites in single server) and how it should operate and be protected. Otherwise, your should ask your internal (or vendor`s) security consultants to design and implement a proper security strategy.

Six Simple Tips to Ensure Website Security:


1.     Educate your organization. Tell your employees that Security experts need to ensure that application is secure in code and design. Explain that DevOps experts are needed to implement monitoring and patch management as well as secure support of your server and software. Security often goes hand in hand with DevOps, Architecture assessment and Business analysis – and vice versa.
2.      Don’t put all eggs in one basket. Do not store all websites on a single server. It is architecturally wrong and could negatively affect websites performance.
3.      Patch your web apps and web server. Regardless of what framework you use, it`s important to remember that none is a safe haven for your website. All of them have some vulnerabilities, which will have to be addressed.
4.      Engage DevOps and/or security service provider. Your websites need regular check-ups for the code and server security review & assessment. If you don`t have such experts internally, address security vendors and ask them to help you establish a comprehensive security strategy and develop a plan for regular security check-ups. 
5.     If you`re outsourcing your website development, make sure that security is part of the deal. Discuss the security maintenance and check-up possibilities with your vendor. For long-term strategic partnerships, you might want to consider a shared responsibility model.
6.     The greedy pay twice. Don’t skimp and don`t cut corners on security, especially so if you`re responsible for protecting sensitive data of your website users. Security is a significant part of quality service and customer satisfaction.




вівторок, 8 квітня 2014 р.

VMI - draft

Today all enterprise security systems are client-server based and managed from central location. All cloud instances with security agent (Symantec, Forefront, Kaspersky) installed inside OS could be deactivated by qualified attacker. This leave cloud instance unmanaged and without any acting protection. Imagine situation if 100500 Amazon Windows instances (or all Azure instances with open 3389 port) will be affected by virus through 0-day RDP vulnerability. Should you stop all these instances for maintenance and to stop infection? Who will responsible to manage process of clean up all these OSs? Is it possible to centrally stop this infection in my cloud? We will uncover how Virtual Machine Introspection (VMI) can help to stop new threats and change cloud security management approach.
Today Clouds are mostly built based on different types of virtualization. Security of applications benefit from virtualization by running in isolated virtual machines (VMs) and building smaller trusted computing bases (TCBs).
Cloud providers also faced following security challenges:
·         Prove security hygiene of provider infrastructure to third parties
·         Auditability, certification process, risk analysis methodologies, compliance.
·         Trusted cloud computing technologies provide cryptographic evidence.
But how else virtualization is used today to enhance security? Virtual machine Introspection - open new horizons for private and public cloud security that soon will totally change understanding of managing software in the cloud.
Main problem of all modern security management and monitoring system is - Stealthy and Tamper resistance. The problem of Agent based monitoring and protection is that all this agents could be detected by user/malefactor and be subverted, and/or disabled by the attacker.
By contrast, hypervisor-based security resides outside the guest-VM, and is thus tamper-proof to any malware infections inside a VM.
VMI provide following benefits from security perspective:
1. Central processing of security functions is more efficient than distributing security controls and related overhead to each VM
2. No host agents required –guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact to applications running inside the VMs.
3. Tamper-proof security. Host-agents are subject to getting compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V).
VMI - is like X-ray view of all VM states in you private Cloud, including installed applications, operating systems, and patch levels. Could be used for Detection, Protection and Management, compliance and automated security enforcement. VMI use the capabilities of hypervisor to supervise VM behavior.
Virtual Machine Introspection (VMI) can be positioned as out of the box VM management that allows to apply the monitoring of all hosted virtual machines, has many applications in areas such as security and systems.
From Cloud provider prospective let’s use following terms against host server and guest OS (cloud instance):
Inspection– host server virtualization system (VMM) can examine entire state of the guest system (memory, devices, storage, executed commands etc)
Interposition–VMM can interrupt guest code at any time (stop loading malicious payload and stop loading virus body into the memory)
This approach of controlling virtual operating systems also can be used to protect the operating system on hypervisor level, which is the newest approach in designing systems to protect information in enterprise systems.
What can be monitored?
·         All user input
·         Malware on FS and in memory
·         Network Traffic
·         File activity and integrity
·         User access and activity
Other applicable areas where VMI can be very useful:
·         Malware analysis
·         Cloud SIEM
·         VM IPS/IDS
·         VM Forcing
·         Policies
·         VM Honeypot
·         Cloud Firewall
·         VM Patch management
·         Invisible system logging
·         Rootkit prevention
VMI for Cloud management
·         Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk.
·         Automated security classification and enforcement for new or cloned VMs

·         Automated VM compliance assessment based on multiple VM attributes;

вівторок, 18 березня 2014 р.

interesting Kony reversing and Malware analysis resources

Минулого року робили один проек з Konu framework і тут хлопці з Veracode розповідають реверсінг однієї з своїх аплікацій
http://blog.veracode.com/2014/02/reversing-kony-javascript-ios-applications/

А також один з потенційних кандидатів на співбесіду має достатньо цікавий блог - http://k0rnev.blogspot.com/

четвер, 6 березня 2014 р.

Opensource and security testing

Не часто є можливість свій код який ти віддаєш в open-source автоматично сканувати на дефекти в безпеці. Є отака кьова пропозиція звязки між GitHub і Coverity (покриває Java i C++). Дуже рекомендую! https://scan.coverity.com/

четвер, 13 лютого 2014 р.

security робота на Elance

На елансі стало цікаво подивитися що ж пропонують круті спєци з індії по секюріті, і ось ключові проблеми клієнтів

  1. pentest аплікації по OWASP Top 10 (пре те що люди шарять що це)
  2. почистити сайт від malware (ухти як цікаво)


The "Exploit Scanner" WordPress plugin, when run, shows hashes-3.6.php missing as well as a bunch of unknown files in wp-admin and wp-includes. 

вівторок, 11 лютого 2014 р.

Security Tools comparison - results for one app

Робили експериментальний проект для того щоб порівняти результати різних засобів статичного і динамічного аналізу аплікації. Результати просто настільки різні, що зараз постає задача звести все під однин стандарт і зрозуміти хто ж таки найакуратніший і найточніший

Vulnerability Veracode OWASP LARSE +2.8 FindBugs Burp (DAST) AppScan (DAST) AppScan (SAST)
OS Command Injection 2 7 7
CRLF Injection 20 1 8
Code Quality 13 68
XSS 2111 4 3 3
Cryptographic Issues 1 1
Directory Traversal 14 66 84 1 1
Encapsulation 2
Insufficient Input Validation (URL Redirection to Untrusted Site) 6
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') 5
Time and State(‘ Insecure Temporary File’) 23
Information Leakage 27
URL Tampering  6
Parameter Tampering  68
Header Manipulation  34
XML parsing vulnerable to XXE attacks 4
Maliciuos Dynamic Code  3
AppDoS  4
Privilege Escalation  18
Validation Required  2
Error Handling, reveal Details, Message  9
Link Injection  1
Phishing Through Frames  1
Potential Order Information Found  5
Total 2224 186 104 4 10 105

середа, 5 лютого 2014 р.

Some security testing automation

Шукали як би то скриптити деякі задачі, дуже-дуже привабливим виглядає IronWASP від OWASP, чудова документаці, блог і наші QA-automation інженери зможуть ефективно його використовувати.
http://blog.ironwasp.org/

Програмно-апаратні закладки

Якщо такі круті американці в плані зйому інформації, мені стало цікаво до чого ж додумалися китайці, адже майже вся хардвара робиться саме в них) Думки викликані цим постом.
http://habrahabr.ru/post/209746/

понеділок, 3 лютого 2014 р.

burp+tor

один з проектів вимагав щоб тестування проводилося в режимі "чорного ящика", але дуже-дуже чорного.
Щоб потім його ІТ персонал переглядав логи і намагався побудувати причинно-наслідковий звязок усіх подій під час тестування.
Результати їх роботи передавалися також нам для оцінки їхнього результату.
Для цього тестування використали анонімізацію через комбінацію burp + tor , правда під вінду але конфігурація для тих хто хоче повинна бути приблизно наступною:

  1. скачуємо запускаємо Tor з Firefox адаптованим
  2. перевіряємо яку ІР нам дає Tor http://whatismyipaddress.com/ 
  3. в Burp в вкладці Options вибираємо Use SOCKS proxy і прописуєм 127.0.0.1 з портом 9150
  4. Врубуєм режим інтерпретації запитів і йдемо на сайт http://whatismyipaddress.com/
  5. перевіряємо що попадає в Burp і яку ІР і локацію показує згаданий вище сайтєц.
  6. тестуємо наш проект
(раджу також з певною періодичністю перевіряти яку всетаки адресу видає Тор бо раптом ви щось факапнули).
Ну і звичайно якщо йде велика автоматизація то краще це все роботи на лінуксах як описано тут:
Reference: http://resources.infosecinstitute.com/tor-part-2/

пʼятниця, 31 січня 2014 р.

IT Security in 2014: Focus Areas and Trends

опублікували мою статтю. дублюю тут, цікаво ваші думки.
Security Awareness on the Rise

The previous year was a tough one for the Security World: the attack rates increased, big names like Evernote, New York Times, LivingSocial, Twitter, and Facebook faced some serious security issues, and <need to include latest attacks against Target and others> Edward Snowdan blew everybody`s mind when he revealed the NSA documents. The last fact was an eye-opener for a lot of people as it drew attention to the previously overlooked area of corporate security – the internal security. This single event changed the perception of security and privacy all over the world forever.

Now many companies are highly focused on implementing security measures and even announcing them as a competitive differentiation to positioning their products in the marketplace. Customers are now more aware of the security threats and more interested in how vendors and service providers can ensure information security in their products and custom development activities. They frequently request a number of security features to be present in the products they use (for example, encryption, double verification, etc.), and demand independent 3rd party security audits as proof of security measure effectiveness.

Government and Regulatory bodies around the world apply increasingly severe regulations for domains where protecting sensitive information is a key to success, such as Finance and Healthcare.

The increased security awareness is a positive trend we expect to become even more pronounced in 2014, but there exists a parallel counter-productive tendency we`ve noticed. Though most of the new customers we start working with are aware of the security needs and take measures to heighten security at their company, their efforts seem to be limited to buying a security tool instead of creating a comprehensive security strategy, including a secure Software Development Lifecycle (SDLC) process, security trainings for developers and Quality Assurance engineers, etc.

Another paradox is that while everybody admits that security attacks are becoming more and more sophisticated, the majority of breaches are still exploited by attacks rated as “moderately” difficult or of “low” difficulty. Indeed, there`s no need to fire a missile into an unlocked window. And if the system vulnerabilities are left unaddressed, even the best security tool won`t stop a malefactor from exploiting logical defects.

Security in 2014: Focus Areas

As technology develops, there are some specific areas, especially among the emerging technology trends, that will need special attention of IT security experts in 2014:
Mobility has already become an inevitable part of life and businesses, but there are clear indications that its impact on modern business processes will grow in 2014. Mobility threats will vary from specific targeted malware (for example, to bypass two-factor authentication for a bank) to multi-target spyware for smartphones and tablets. Another possible targeted attack vector could be Mobile Enterprise Application Platforms, endangering a wide range of mobile enterprise applications.          
Internet of Things is an emerging technology which opens new business possibilities alongside with a new realm of risks. We expect serious investments to be made in this area, including investments of time and effort to harden communication channels, leverage risks, etc.   <can we expand on this a bit?>
Big Data and Machine Learning. The Advanced Persisted Threats (APTs) will continue to threaten organizations across the world. As these sophisticated, targeted attacks are hard to detect by using traditional means of analyzing familiar, already-known patterns, we expect more advanced techniques based on Big Data and Machine Learning technologies will appear to counter the APT attacks.  

In 2014, Big Data will be one of the most promising security areas. Apart from threat intelligence, it can also help with identifying user behavior patterns as a part of risks analytics during authorization decisions. The leading Security Information and Event Management (SIEM) tools are already moving in this direction, but we expect more sophisticated algorithms and a larger variety of data available for analysis.

Key Security Trends for 2014

In 2013, SoftServe`s Incident Forensics service helped a majority of our security clients counter threats of cloud breaches. In 2014, we expect a larger part of our security projects will be aimed to counter and prevent Advanced Persistent Threats – more sophisticated attacks targeting system administrators, top managers, and cloud engineers attempting to steal their accounts or cloud access certificates.
Based on our industry observations and the tendencies we`ve witnessed in our security projects, here are six trends we believe will be defining the Security World in 2014:

1. At SoftServe, we expect compliance and regulation hardening in 2014, so more businesses will need Penetration tests or even a continuous security program, such as secure Software Development Lifecycle Services (SDLC) to meet compliance requirements in the areas of Healthcare, etc. For SaaS-based Independent Software Vendors, (ISVs), a good example of standard driving effective compliance preparation and assessments activities is the ISO/IEC 27017 Cloud security standard.

2. Distributed Denial of Service (DDoS) attacks will be more frequently targeted against SaaS/Cloud based products and services, which will increase the scalability expenditures for the resource owners. Currently, Infrastructure as a Service (IaaS) providers do not build in protection against DDoS attacks, and the businesses rely on third-party security service providers for help with protecting their products against DDoS. Most often the DDoS attacks are targeting application defects, so companies should consider detailed forensics for their products to close any potential gaps.

3. The majority of ISV companies that purchased a Static Application Security Testing (SAST) code verification tool will need to apply it to the Continuous Integration (CI) and Delivery process. As a result, we expect security integration into Continuous Delivery will become a new trend in 2014. SoftServe`s security experts hold certificates for the best Gartner Application Security Testing (AST) tools and are experienced in integrating them with the CI tools like Jenkins, which helps decrease time spent on security tests by 40%.

4. In 2013, our security team had to deal with Cybersquatting and Typosquatting (URL hijacking) attacks, when malefactors purchased a domain name similar to that of a company they were targeting. They set up a web-site identical to the original portal with the same Log-in form to steal users` log-in information. The number of such attacks will increase in 2014 by 30%. To shield the businesses against such manipulations, SoftServe`s security team created a countermeasure program of technical and organizational activities. We expect it will be also effective as a counter to possible email manipulation attacks that are likely to become more frequent in 2014.

5. DevOps and Security integration is rapidly becoming a critical need for the majority of IT-related
businesses. As our experience proves, the combined DevOps + Security approach can bring security monitoring to a new level by enabling companies to detect anomalies, analyze Log files, apply proper Patch and Update management process, perform regular external Vulnerability Scanning, roll-out Security Information and Event Management (SIEM) systems to report who, when, and how accessed any internal and external resources.    

6. Social Engineering. As software security is improving, the attacks will turn on people, exploiting their psychological vulnerabilities. Social Engineering attacks will grow considerably, resulting in a need for better IT security education for employees. For example, at SoftServe we train our employees based on real-world Social Engineering cases teaching them how to apply proactive technical countermeasures in case of an attack.