<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Nando Delgado</title>
    <description>The latest articles on DEV Community by Nando Delgado (@nandod1707).</description>
    <link>https://dev.to/nandod1707</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F112545%2F6393527e-71f9-4505-81f5-cfbf5b6b7b95.jpeg</url>
      <title>DEV Community: Nando Delgado</title>
      <link>https://dev.to/nandod1707</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/nandod1707"/>
    <language>en</language>
    <item>
      <title>Using Cyber Security to Maximize Your Company Profits</title>
      <dc:creator>Nando Delgado</dc:creator>
      <pubDate>Fri, 10 May 2019 20:38:47 +0000</pubDate>
      <link>https://dev.to/nandod1707/using-cyber-security-to-maximize-your-company-profits-280n</link>
      <guid>https://dev.to/nandod1707/using-cyber-security-to-maximize-your-company-profits-280n</guid>
      <description>&lt;p&gt;&lt;em&gt;(and create very happy customers)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://hackmetrix.com/" rel="canonical noopener noreferrer"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fqst5wtll8kys5dncru2u.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There are certain universal truths about how to build a successful business and create happy customers: Have a clear and impactful mission statement. Offer products and solutions that add value. Listen to the customer and address their needs. Be one step ahead of the ever-changing tide that is innovation. &lt;/p&gt;

&lt;p&gt;These are simple truths that the most successful companies embrace and achieve daily. Business needs and market opinion change rapidly and frequently, but there is one concept that has never gone out of style or fallen out of societal favor: security.&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;p&gt;Let us lay it all out on the line: It’s a bit crazy to not have a cybersecurity plan in place if you want to succeed in business in 2019 and beyond.&lt;/p&gt;

&lt;p&gt;However, did you know that cybersecurity can do much more than just keep your client’s data safe and protect your classified business information? Cybersecurity can be leveraged to maximize your daily profits and build your business.&lt;/p&gt;

&lt;h2&gt;
  
  
  Banking on Change
&lt;/h2&gt;

&lt;p&gt;People like to know that their investments and property are secure, and as such, businesses who provide that level of security and comfort to their clients tend to become wildly successful. &lt;/p&gt;

&lt;p&gt;Once upon a time, banks would brag about their bigger, stronger, and bolder bank vaults. The banks that offered the best vaults typically got the most customers.&lt;/p&gt;

&lt;p&gt;As times changed, the vaults became less the focus, and then the mental security of Federally insured banks became the emphasis. Then, as technology took over our world, the banking system had to find a new way to offer security to their customers in order to keep their business, and slowly but surely, the data security field exploded.&lt;/p&gt;

&lt;p&gt;Cybersecurity is the modern version of the big vault: If you can show that you have the strongest and most impenetrable cybersecurity plan, your business will benefit.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bigger Protection, Bolstered Accounts
&lt;/h2&gt;

&lt;p&gt;According to various reports, the WannaCry ransomware attack of 2017 cost companies a total of 4 billion dollars worldwide. That 4 billion dollar damage represented businesses, healthcare facilities, financial institutions, and educational systems – organizations that typically brag about being focused on providing the highest levels of security.&lt;/p&gt;

&lt;p&gt;In addition to the money lost in the ransom attacks, a large amount of that 4 billion dollar damage was also from clients terminating their accounts and agreements with the businesses that had been attacked. &lt;/p&gt;

&lt;p&gt;Today, in order to keep your business thriving and capture new clients while retaining your old ones, you simply have to do more. Clients are looking for the cybersecurity equivalent to the big, fancy, impenetrable vault from banking days of yore.&lt;/p&gt;

&lt;p&gt;Customers are seeking security, and the more they trust their information is safe, the more they’re willing to spend. Investment in cybersecurity dramatically increases customer loyalty.&lt;/p&gt;

&lt;p&gt;According to PwC’s 21st CEO Survey, nearly 90% of CEOs also say that they believe investing in cybersecurity will build trust with their customers, and surveys among clients confirm that belief.&lt;/p&gt;

&lt;p&gt;Customers repeatedly show their loyalty to businesses that focus on securing their private data and money.&lt;/p&gt;


&lt;h2&gt;
  
  
  Faster Adaptation, Speedier Growth
&lt;/h2&gt;

&lt;p&gt;So how can not having a quality cybersecurity plan in place hold your company back? According to Cisco Cybersecurity, 71% of executives say that cybersecurity concerns impede innovation in their organization. When a business is stymied by cybersecurity issues, its ability to innovate and revolutionize is stunted.&lt;/p&gt;

&lt;p&gt;Companies that are spending the majority of their resources fighting off data breaches and various cyberattacks are not companies that are spending their resources on product development and growth. Looking to the future of the business can seem impossible if your business is spending the majority of its time dealing with the fallout of another cybersecurity blunder.&lt;/p&gt;

&lt;p&gt;When the worry and stress of cybersecurity is lifted from an organization, its energy can be focused in a more productive manner and allow for newer, fresher, and more visionary products and services to be created.&lt;/p&gt;

&lt;p&gt;As your business is able to create new groundbreaking offerings to your clients, your business has more ability to grow and thrive.&lt;/p&gt;

&lt;h2&gt;
  
  
  Stronger Systems, Happier Staff
&lt;/h2&gt;

&lt;p&gt;Turnover cost is one of the least recognized financial black holes for every business, regardless of size. Millions of dollars are lost every year to employee turnover, and only recently have companies started to address this massive profit-drainer.&lt;/p&gt;

&lt;p&gt;Companies are now realizing that simply offering a paycheck and benefits isn’t enough to retain an employee. Employees are seeking more than just financial and health benefits; they are looking for purpose, respect, and recognition in the workplace. Whether you agree with the new demands of the modern worker is neither here nor there; the reality is that failing to ensure your employees are appreciated and respected can result in a large turnover rate, and that can tank your bottom line.&lt;/p&gt;

&lt;p&gt;Again, much like with customers, security is a factor. An employee who has to spend hours working out whether a new piece of software is safe, or worrying about falling victim to a phishing attack, is not accomplishing their job, and as such is less likely to be satisfied in their work, or as productive as they could be.&lt;/p&gt;

&lt;p&gt;By having a solid cybersecurity plan in place, pressure is taken off employees of the company so they can focus on what they do, and not on whether the email they are about to open is a virus or if the trial software they want to download for a project has malware.&lt;/p&gt;

&lt;p&gt;Employees are given the autonomy to use their technology in the way they see fit to help move the business forward, while also having the security of knowing the company has systems in place to keep their data and their efforts safe.&lt;/p&gt;

&lt;p&gt;More than just a necessity for your business in the modern world, cybersecurity can be used as a tool to raise profits, innovate faster, and reduce employee turnover, all of which can boost your business and your profits to the next level.&lt;/p&gt;

&lt;h2&gt;
  
  
  There’s still opportunity when security fails
&lt;/h2&gt;

&lt;p&gt;All that said, the general notion is that a security breach will inevitably cause a loss of consumer confidence and an increase in churn, but that doesn’t have to be the case. A well handled security breach can still be an opportunity to boost brand equity. &lt;/p&gt;

&lt;p&gt;Take the case of Cloudflare: the CDN provider suffered a significant breach back in 2017, and because it responded quickly and promptly informed its users of the issue along with its mitigation plans, it was able to strengthen its brand as honest, transparent, and quick to respond to difficult situations.&lt;/p&gt;

&lt;p&gt;If your business is on top of its security, and aware of flaws before they can cause damage, then you have an opportunity to position yourself in a more positive light in the minds of your customers.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Hackmetrix is a tool that helps businesses keep their data and their customers’ secure by scanning for over 500 known vulnerabilities and delivering an actionable report with descriptions of all issues found and tips on how to fix them. You can sign up for a free account and try our service out today at hackmetrix.com.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>business</category>
      <category>startup</category>
      <category>saas</category>
    </item>
    <item>
      <title>How to Hire a Cybersecurity Expert (Before It’s Too Late)</title>
      <dc:creator>Nando Delgado</dc:creator>
      <pubDate>Thu, 28 Mar 2019 22:02:44 +0000</pubDate>
      <link>https://dev.to/nandod1707/how-to-hire-a-cybersecurity-expert-before-it-s-too-late-3b4m</link>
      <guid>https://dev.to/nandod1707/how-to-hire-a-cybersecurity-expert-before-it-s-too-late-3b4m</guid>
      <description>&lt;p&gt;&lt;a href="https://hackmetrix.com/?utm_source=devto&amp;amp;utm_medium=article" rel="canonical noopener noreferrer"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Flz8t4bn8o292zegz021j.jpg"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the game of supply and demand, quality cybersecurity experts can be tricky to find. Market data has shown that the need for cybersecurity experts in the workforce has grown 53% through 2018, and there is a predicted shortfall of 1.5 million cybersecurity professionals in the near future.&lt;/p&gt;

&lt;p&gt;What’s more, at Hackmetrix we’ve identified that the 10 most common security issues found on our users’ web apps are relatively simple fixes once you know what you’re looking for.&lt;/p&gt;

&lt;p&gt;Now, we understand that hiring a cybersecurity expert for your business might not sound like the most riveting topic, and you might already find yourself dozing off, we will provide you with the TL;DR version of this piece right off the bat:&lt;/p&gt;

&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Cybersecurity is more important than ever in protecting businesses and profits&lt;/li&gt;
&lt;li&gt;There aren’t enough qualified people in the workforce to keep your business secure, and the need is going to keep growing&lt;/li&gt;
&lt;li&gt;You need to get your act together and figure out how to find a cybersecurity expert to protect your customers and keep your business from going under&lt;/li&gt;
&lt;li&gt;Cybersecurity professionals’ qualifications vary hugely, you need to know what to look for&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There. That sums it up nicely. Still here and want to learn how to hire the right cybersecurity expert to protect you and your business?&lt;/p&gt;

&lt;p&gt;Yeah. We thought so. Let’s dive in:&lt;/p&gt;

&lt;h2&gt;
  
  
  Do They Have a Record
&lt;/h2&gt;

&lt;p&gt;When it comes to cybersecurity expertise and experience, there are many ways to skin a cat.&lt;/p&gt;

&lt;p&gt;Education and experience vary wildly in cybersecurity, and that isn’t necessarily a bad thing. Perhaps they have more C-level executive experience, or perhaps they have a degree from some high-ticket university. They might have half a dozen certifications or decades of work in a well-respected cybersecurity firm.&lt;/p&gt;

&lt;p&gt;Cybersecurity experts come in different shapes, sizes, backgrounds, and experiences. Ultimately, how they got trained is almost inconsequential. When hiring a cybersecurity expert, you want to see their track record. Who have they worked with? How long? What types of systems have they seen and what kind of clients have they helped?&lt;/p&gt;

&lt;p&gt;The track record of a cybersecurity expert will tell you far more than their educational background.&lt;/p&gt;

&lt;h2&gt;
  
  
  But Speaking of Certifications…
&lt;/h2&gt;

&lt;p&gt;That being said, you still want your cybersecurity expert to have applicable certifications.&lt;/p&gt;

&lt;p&gt;Looking at all the certification options, it sometimes resembles a bowl of alphabet soup that got tipped over: OSCP, CSM, CISM, CISSP, CompTIA Security+, the list goes on and on. Depending on your business needs, there are specialized certifications that can cater to you – and the goal is to find the right cybersecurity expert to work with your business who has the certifications you want.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Pack Survives
&lt;/h2&gt;

&lt;p&gt;The media often portrays the brilliant and socially awkward IT genius who doesn’t know how to fit in and work with a team, often speaking jargon that leaves their peers glassy-eyed and confused as they walk away, shaking their heads all the while.&lt;/p&gt;

&lt;p&gt;While that character might work great on screen, it would be a nightmare for your business. If you have to hire an interpreter to decode what your cybersecurity expert is telling you to do, you haven’t found a very cost efficient or useful strategy to handle your IT needs.&lt;/p&gt;

&lt;p&gt;When hiring a cybersecurity expert, you want to find someone who can explain clearly what the issue is, and also clearly explain the solutions. Your cybersecurity expert needs to be a team player, not a rogue IT nerd who talks down to everyone.&lt;/p&gt;

&lt;h2&gt;
  
  
  Actions Speak Louder than Words
&lt;/h2&gt;

&lt;p&gt;Here’s the rub: Finding a problem is easy. Understanding a problem is trickier. &lt;/p&gt;

&lt;p&gt;Solving a problem is what separates the wheat from the chaff. When hiring a cybersecurity expert, ask for their track record in actual problem solving, not problem identifying.&lt;/p&gt;

&lt;p&gt;You need someone who actually knows how to fix the problems they find, without that, you’re wasting your time and money.&lt;/p&gt;

&lt;h2&gt;
  
  
  Code is Gold
&lt;/h2&gt;

&lt;p&gt;Now, one caveat: you can have an outstanding cybersecurity expert who doesn’t know how to code. It is possible. That being said, there are a number of major benefits to having your cybersecurity team know how to code, whether it is to help troubleshoot problems that have already happened, recognize problems or weaknesses before they happen, or understand potential threats lying in wait.&lt;/p&gt;

&lt;h2&gt;
  
  
  Can They Do the Boring Stuff
&lt;/h2&gt;

&lt;p&gt;Yes, you want to have them on your team because they understand cybersecurity and all things technical in a way that you might not understand. Yes, you are hiring them because of their expertise. However, it doesn’t matter how brilliant or talented they are if they can’t also work within your day to day business needs.&lt;/p&gt;

&lt;p&gt;The best cybersecurity expert is also someone who can write up clear reports and understand how budgets work. You want to hire a cybersecurity expert who is part of the team, and that means being able to do the boring day to day work that keeps the business working.&lt;/p&gt;

&lt;p&gt;The reality is, hiring a cybersecurity expert is just not optional in business anymore. Having a cybersecurity expert is as critical as having an HR department for your business: It protects you from threats, risks, and potential lawsuits.&lt;/p&gt;

&lt;p&gt;The longer your business waits to hire this critical position, the longer your business, your data, and your entire livelihood is at risk. Choose wisely, but move quickly.&lt;/p&gt;

</description>
      <category>security</category>
      <category>privacy</category>
      <category>cybersecurity</category>
      <category>business</category>
    </item>
    <item>
      <title>GDPR Compliance: How Continuous Vulnerability Scanning is Key</title>
      <dc:creator>Nando Delgado</dc:creator>
      <pubDate>Wed, 30 Jan 2019 21:14:09 +0000</pubDate>
      <link>https://dev.to/nandod1707/gdpr-compliance-how-continuous-vulnerability-scanning-is-key-2ina</link>
      <guid>https://dev.to/nandod1707/gdpr-compliance-how-continuous-vulnerability-scanning-is-key-2ina</guid>
      <description>&lt;p&gt;&lt;a href="https://hackmetrix.com/" rel="canonical noopener noreferrer"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fsr1szz4v5yi0gp0w4eg0.jpg"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Even months after interest in GDPR compliance peaked, some companies are struggling to make sure they comply with this new set of regulations aimed at protecting the privacy and security of European citizens. The regulation applies to businesses anywhere as long as their users are in the EU, and with the highest penalties potentially reaching the millions of euros, they’re right to worry.&lt;/p&gt;

&lt;p&gt;Take the case of British Airways for example. On September 6th, 2018 the airline announced that it had suffered a breach that affected around 380,000 users, and that part of the stolen data included personal and payment information.&lt;/p&gt;

&lt;p&gt;Now, although we don’t know the fine that will be levied on British Airways, under GDPR a violation such as this one may lead to a fine of €20 million or up to 4% of a company’s annual turnover in the previous year (whichever is higher), which for BA could reach about £489 million (US$633 million) based on 2017 figures.&lt;/p&gt;

&lt;p&gt;A similar case is that of Marriott. In November 2018 they announced that they had been a victim of an attack that compromised the data of 500 million users. Marriott’s annual turnover in 2017 was US$22.9 billion.&lt;/p&gt;

&lt;p&gt;More recently, Google has been the target of a €50 million fine in France for failing to provide enough information to users about its data consent policies and not giving them enough control over how their information is used.&lt;/p&gt;

&lt;p&gt;Often when we read about GDPR, it may sound like it’s all about notifications (letting users know what kind of data the company is using and how it will be used and notifying them of security breaches in a timely fashion), but if these cases show us anything it’s that companies will be under scrutiny not only for how they use their customer’s data but also how they protect it. This is where early detection and prevention of security vulnerabilities is key.&lt;/p&gt;

&lt;p&gt;Article 32 of the GDPR provides that businesses must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including […] as appropriate: […] a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”&lt;/p&gt;

&lt;p&gt;Granted, that’s not very specific. What counts and what doesn’t as a “process for regularly testing” security? We outline a few possibilities below:&lt;/p&gt;

&lt;h3&gt;
  
  
  Penetration testing
&lt;/h3&gt;

&lt;p&gt;A penetration test or “pen test” is a simulated attack against a system to determine its security and any vulnerabilities it may have that leave it open to attackers. Pen tests are usually done by consultants using both automated tools and manual, ad-hoc tactics to attempt to exploit the system.&lt;/p&gt;

&lt;p&gt;The cost for a pen test depends on who’s doing it, but they usually start at around US$5,000.&lt;/p&gt;

&lt;h3&gt;
  
  
  On-premises vulnerability scanners
&lt;/h3&gt;

&lt;p&gt;Some of the tools pen testers use are available for purchase. These usually include desktop or online scanners, but require some advanced knowledge of web security to be able to act on vulnerabilities they find.&lt;/p&gt;

&lt;p&gt;Pricing depends on the software of choice, with some providers charging a one-time fee of around $5,000, and others about the same amount on a yearly basis.&lt;/p&gt;

&lt;h3&gt;
  
  
  Cloud vulnerability scanners
&lt;/h3&gt;

&lt;p&gt;Cloud-based web scanners are services that simulate attacks to a web app in the same way an actual attacker might. They use some of the same tools consultants use during a pen test. Once the scan is complete, you’ll get a report with any vulnerabilities found.&lt;/p&gt;

&lt;p&gt;The cost for these scanners varies, with paid versions starting at under US$100 a month, but you can also find &lt;a href="https://www.hackmetrix.com/pricing.html" rel="noopener noreferrer"&gt;free forever&lt;/a&gt; starter plans.&lt;/p&gt;

&lt;h2&gt;
  
  
  The benefit of prevention vs reaction
&lt;/h2&gt;

&lt;p&gt;According to IBM Security’s 2018 Cost of a Data Breach study, the average cost of a data breach in 2018 was US$3.86 million (breaches of more than one million records, which the report treats separately, cost far more). This figure takes into account the many categories of expense arising from a breach, including lost business, technical investigations, legal penalties, and employee time spent on recovery.&lt;/p&gt;

&lt;p&gt;A cost that high really helps put into perspective the benefit of regularly scanning your apps and finding security holes that need fixing before someone else does. In combatting data breaches, the cost of prevention is much lower than that of reacting after the fact.&lt;/p&gt;

&lt;p&gt;Overall, with the number and frequency of attacks increasing in recent years and the fact that the GDPR is now in effect, “better safe than sorry” makes more sense than ever.&lt;/p&gt;

</description>
      <category>vulnerabilityscanner</category>
      <category>privacy</category>
      <category>gdpr</category>
      <category>gdprcompliance</category>
    </item>
    <item>
      <title>Should you care about XSS in Vue.js?</title>
      <dc:creator>Nando Delgado</dc:creator>
      <pubDate>Tue, 20 Nov 2018 15:06:29 +0000</pubDate>
      <link>https://dev.to/nandod1707/should-you-care-about-xss-in-vuejs-1ea6</link>
      <guid>https://dev.to/nandod1707/should-you-care-about-xss-in-vuejs-1ea6</guid>
      <description>&lt;p&gt;&lt;a href="https://hackmetrix.com/" rel="canonical noopener noreferrer"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmyqgkywem2hn3dwd6hgh.png" width="800" height="572"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let’s get the obvious part of this article out of the way first: if you don’t escape or sanitize user-supplied data before rendering it, you’ll always be vulnerable to cross-site scripting (XSS) attacks, no matter what framework you use.&lt;/p&gt;

&lt;p&gt;The goal of this article is to show you a few ways that you might become vulnerable to XSS while using Vue, and hopefully, how to prevent them.&lt;/p&gt;

&lt;p&gt;If at this point you’re thinking “wait, what’s cross-site scripting?”, then we need to backtrack a little bit. If you’re already familiar with this subject, then you can skip the next section right on through.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is cross-site scripting?
&lt;/h2&gt;

&lt;p&gt;Cross-site scripting (XSS) is a type of web app vulnerability that lets an attacker inject client-side scripts into pages viewed by other users.&lt;/p&gt;

&lt;p&gt;XSS is caused when sites render user input directly into a page without processing (sanitizing) it first by escaping special characters. This enables attackers to add scripts through regular user inputs, or URL parameters, that will then be executed once the page loads.&lt;/p&gt;

&lt;p&gt;You can read more about two types of XSS here: Reflected XSS and Stored XSS&lt;/p&gt;

&lt;p&gt;So how is Vue vulnerable?&lt;/p&gt;

&lt;p&gt;Any time raw HTML, whether generated by the server or supplied by a user, is inserted into the page without escaping, that page may be vulnerable to XSS attacks. In Vue the way to do that is the v-html directive.&lt;/p&gt;

&lt;h2&gt;
  
  
  The v-html directive
&lt;/h2&gt;

&lt;p&gt;The v-html directive in Vue is used to output raw HTML into a component in your app.&lt;/p&gt;

&lt;p&gt;To be honest, there are probably few good reasons to use this if you’re already using Vue, as you should be able to apply any attributes dynamically.&lt;/p&gt;

&lt;p&gt;However, one use case as mentioned in Alligator.io would be if you’re working with a legacy system that has raw HTML stored in a database and you need to render that in your app.&lt;/p&gt;

&lt;p&gt;So unlike mustache expressions, which always render as text, v-html (useful as it may be; it’s there for a reason after all) can open you up to XSS attacks, because the HTML it inserts is parsed by the browser as-is: any inline event handler (an &lt;code&gt;onerror&lt;/code&gt; attribute on an image, for instance) or other script-bearing markup in that content will run.&lt;/p&gt;

&lt;p&gt;See a quick demo here of the same string rendered via mustache expressions and v-html, and try clicking on the link there to see the injection in action.&lt;/p&gt;

&lt;p&gt;Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mixing server-side and client-side rendering
&lt;/h2&gt;

&lt;p&gt;Another time sites using Vue may be vulnerable to XSS is if they mix server-side and client-side rendering, even if you are escaping characters. What’s also worth noting is that this vulnerability applies even if you’re not using v-html.&lt;/p&gt;

&lt;p&gt;This is explored in detail in this repo by dotboris, it includes a very clear example and instructions which we will overview below.&lt;/p&gt;

&lt;p&gt;To briefly run through this case, the app takes a user input as a query parameter and renders it. Both the input field and the rendered HTML are in a Vue element that is used to dynamically increase or decrease the number in a counter.&lt;/p&gt;

&lt;p&gt;If we write an expression with a bit of math in the input field you’ll see that it’s processed by Vue. For example, typing&lt;/p&gt;

&lt;p&gt;&lt;code&gt;{{ 2 + 2 }}&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;into it will result in the app rendering&lt;/p&gt;

&lt;p&gt;&lt;code&gt;You have injected: 4&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;So now we know that an injection can be done.&lt;/p&gt;

&lt;p&gt;Using that same method for an arbitrary JavaScript function, though, won’t work as easily. So if we try&lt;/p&gt;

&lt;p&gt;&lt;code&gt;{{ alert('xss') }}&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;we’ll get something like:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;TypeError: alert is not a function&lt;br&gt;
    at Proxy.eval (eval at createFunction (vue.js:10518), &amp;lt;anonymous&amp;gt;:3:114)&lt;br&gt;
    at Vue$3.Vue._render (vue.js:4465)&lt;br&gt;
    at Vue$3.updateComponent (vue.js:2765)&lt;br&gt;
    at Watcher.get (vue.js:3113)&lt;br&gt;
    at new Watcher (vue.js:3102)&lt;br&gt;
    at mountComponent (vue.js:2772)&lt;br&gt;
    at Vue$3.$mount (vue.js:8416)&lt;br&gt;
    at Vue$3.$mount (vue.js:10777)&lt;br&gt;
    at Vue$3.Vue._init (vue.js:4557)&lt;br&gt;
    at new Vue$3 (vue.js:4646)&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;This is because Vue 2 evaluates template expressions inside a &lt;code&gt;with(this)&lt;/code&gt; block scoped to the component instance. So when we typed &lt;code&gt;alert('xss')&lt;/code&gt;, Vue looked for an &lt;code&gt;alert&lt;/code&gt; property on our Vue instance rather than on &lt;code&gt;window&lt;/code&gt;, and since there is none, the call fails.&lt;/p&gt;

&lt;p&gt;To get around it, the example in the repo goes with&lt;/p&gt;

&lt;p&gt;&lt;code&gt;{{ constructor.constructor("alert('xss')")() }}&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;If you try typing that into the input field you should see it work without a problem.&lt;/p&gt;

&lt;p&gt;Why does this work? Quoting directly from dotboris:&lt;/p&gt;

&lt;p&gt;“In JavaScript, all constructors are functions and all functions are objects. This means that Vue$3 has a constructor. This constructor is the Function constructor. Writing &lt;code&gt;constructor.constructor&lt;/code&gt; gives us the Function constructor.&lt;/p&gt;

&lt;p&gt;The Function constructor lets us define a function dynamically at runtime. We pass it the code of our function and it returns a function that we can run. In this case we end up with &lt;code&gt;Function("alert('xss')")()&lt;/code&gt;. This creates a function that calls alert (the real alert in the global scope) and then calls it.”&lt;/p&gt;

&lt;p&gt;This works because HTML escaping only neutralises the characters that are special to HTML (&amp;lt;, &amp;gt;, &amp;amp; and quotes); Vue’s {{ }} delimiters are not among them, so they survive escaping untouched. When Vue mounts on an element that already contains that text, it reads the element’s markup as its template and compiles every {{ }} into a JavaScript expression (the &lt;code&gt;createFunction&lt;/code&gt; frame in the stack trace above is exactly that compile step, done with &lt;code&gt;new Function&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;At this point Vue can’t tell the difference between the template which is safe, and any unsafe input that may have been sent by the user.&lt;/p&gt;

&lt;p&gt;So how can we prevent this? Adding the v-pre directive to any element where server-side values are injected into the template tells Vue to skip compiling that element, which works well, but it is easy to miss because it has to be added by hand to each and every element that does this. (Using the runtime-only build of Vue, which ships without the template compiler, removes in-DOM template compilation altogether.)&lt;/p&gt;

&lt;p&gt;An alternative proposed by the author of this example is to define a global variable in the page that holds all server-side variables, so that &lt;code&gt;$_GET['var']&lt;/code&gt; becomes &lt;code&gt;SERVER_VARIABLES.var&lt;/code&gt;. This gives the developer a more secure way of passing values from the server to the client: the values become data that the template references by name, rather than text that the template compiler sees.&lt;/p&gt;

&lt;p&gt;On our side, our recommendation would also be to limit Vue to where it’s needed in cases like this. One of the benefits of Vue vs other frameworks is that it doesn’t need to be used on a whole page.&lt;/p&gt;

&lt;p&gt;In this particular example Vue is only used to increase and decrease the number in a counter, but the counter and the element that displays user input are inside the same div, and so are affected by the same Vue instance.&lt;/p&gt;

&lt;p&gt;If instead we move the element that displays user input outside the Vue root element, the app loses no functionality, and any user input rendered there is displayed safely whether or not it contains an expression (as long as it’s escaped server-side).&lt;/p&gt;
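&lt;p&gt;To make the above concrete, here is an added example (not code from the original article or from dotboris’s repo) that reproduces the mixed-rendering injection and the two fixes in Node.js. It assumes Vue 2’s behaviour as shown in the stack trace: in-DOM templates are compiled with &lt;code&gt;new Function&lt;/code&gt; and every {{ }} runs inside &lt;code&gt;with(this)&lt;/code&gt; over the instance; a tiny &lt;code&gt;compileMustache&lt;/code&gt; helper stands in for Vue’s real compiler. The helper names (&lt;code&gt;htmlEscape&lt;/code&gt;, &lt;code&gt;browserDecode&lt;/code&gt;, &lt;code&gt;renderVulnerable&lt;/code&gt;, &lt;code&gt;renderHardened&lt;/code&gt;, &lt;code&gt;serializeForInlineScript&lt;/code&gt;), the sample page text and the payload are constructed for the example, and markup characters are written as &lt;code&gt;\u&lt;/code&gt; escapes throughout the listing. It also goes one step beyond the text: &lt;code&gt;serializeForInlineScript&lt;/code&gt; shows how to emit the SERVER_VARIABLES object into an inline script so that a value containing &lt;code&gt;&amp;lt;/script&amp;gt;&lt;/code&gt; cannot close the tag.&lt;/p&gt;

```javascript
// Added example, not code from the original article or from dotboris's repo:
// a Node.js stand-in for the Vue 2 behaviour described above. Vue 2's compiler
// turns every {{ expr }} in an in-DOM template into code that runs as
//   with (this) { return expr }
// against the component instance; compileMustache() below does the same thing
// on a plain string, which is enough to reproduce the injection offline.
// Helper names, the sample page text and the payload are all this example's
// own. Markup characters are written as \u escapes throughout the listing.

// Server-side escaping of the kind PHP's htmlspecialchars() performs.
var ENTITY_FOR = {
  '\u0026': '\u0026amp;',   // ampersand
  '\u003c': '\u0026lt;',    // less-than
  '\u003e': '\u0026gt;',    // greater-than
  '"': '\u0026quot;',
  "'": '\u0026#39;'
};
function htmlEscape(s) {
  return String(s).replace(/[\u0026\u003c\u003e"']/g, function (c) {
    return ENTITY_FOR[c];
  });
}

// What the browser's HTML parser does to that escaped text when the page
// loads: entities turn back into plain characters, and Vue then reads the
// resulting DOM as its template. The {{ }} delimiters were never touched by
// htmlEscape in the first place.
var CHAR_FOR = { amp: '\u0026', lt: '\u003c', gt: '\u003e', quot: '"', '#39': "'" };
function browserDecode(s) {
  return String(s).replace(/\u0026(amp|lt|gt|quot|#39);/g, function (m, name) {
    return CHAR_FOR[name];
  });
}

// Quick check a server can run on a value before placing it inside a Vue
// root: HTML escaping does not remove Vue's delimiters.
function containsVueDelimiters(s) {
  return /\{\{[\s\S]*\}\}/.test(String(s));
}

// Minimal stand-in for Vue 2's template compiler. Each {{ expr }} becomes a
// function built with new Function and evaluated with the instance data as
// `this` inside a with() block, which is the scope rule that lets an
// expression reach the global Function constructor via constructor.constructor.
function compileMustache(template, data) {
  return String(template).replace(/\{\{([\s\S]+?)\}\}/g, function (m, expr) {
    var fn = new Function('with (this) { return (' + expr + '); }');
    return String(fn.call(data));
  });
}

// Vulnerable layout from the article: the escaped user value is placed inside
// the element Vue mounts on, so after the browser decodes it the text is part
// of the template and its {{ }} gets compiled and executed.
function renderVulnerable(userInput) {
  var serverOutput = 'You have injected: ' + htmlEscape(userInput);
  return compileMustache(browserDecode(serverOutput), { count: 0 });
}

// Hardened layout (the SERVER_VARIABLES idea): the user value is handed to the
// instance as data and the template only references it by name. The compiler
// never sees the user's text, so any {{ }} inside it is output verbatim.
function renderHardened(userInput) {
  var serverOutput = 'You have injected: {{ server.injected }}';
  return compileMustache(serverOutput, { count: 0, server: { injected: userInput } });
}

// JSON for the inline script that carries SERVER_VARIABLES to the page. The
// characters that could close the script tag or end a JS string literal are
// emitted as \uXXXX escapes, which JSON.parse and the JS parser decode again.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[\u003c\u003e\u0026\u2028\u2029]/g, function (c) {
    return '\\u' + ('0000' + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Constructed payload: same shape as the article's, but its side effect is a
// global flag rather than an alert() so the outcome can be inspected.
var PAYLOAD = '{{constructor.constructor("globalThis.pwned = true")()}}';

function demo() {
  globalThis.pwned = false;
  var vulnerable = renderVulnerable(PAYLOAD);
  var ranInVulnerable = globalThis.pwned;
  globalThis.pwned = false;
  var hardened = renderHardened(PAYLOAD);
  var ranInHardened = globalThis.pwned;
  return {
    vulnerable: vulnerable, ranInVulnerable: ranInVulnerable,
    hardened: hardened, ranInHardened: ranInHardened,
    script: serializeForInlineScript({ injected: PAYLOAD })
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

&lt;p&gt;Run it with &lt;code&gt;node&lt;/code&gt;: the vulnerable path renders &lt;code&gt;You have injected: undefined&lt;/code&gt; and flips the global flag, while the hardened path prints the payload back verbatim and leaves the flag alone. Both fixes from the text rest on the same principle: user text must reach Vue as data, never as template.&lt;/p&gt;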

&lt;p&gt;Long story short, always remember to escape user input, and as convenient as modern frameworks may be, don’t depend on them having covered every single security flaw.&lt;/p&gt;

&lt;p&gt;v-pre and avoiding injecting raw HTML directly are good practices, but as with any app, it’s better to take the time to understand where there may be holes in your app early on, and learn how to prevent them.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ethicalhacking</category>
      <category>netsec</category>
      <category>security</category>
    </item>
    <item>
      <title>We launched a new version of Hackmetrix! Still free, just better.</title>
      <dc:creator>Nando Delgado</dc:creator>
      <pubDate>Mon, 05 Nov 2018 20:56:52 +0000</pubDate>
      <link>https://dev.to/nandod1707/we-launched-a-new-version-of-hackmetrix-still-free-just-better-5a7l</link>
      <guid>https://dev.to/nandod1707/we-launched-a-new-version-of-hackmetrix-still-free-just-better-5a7l</guid>
      <description>

&lt;p&gt;&lt;a href="https://hackmetrix.com" rel="canonical"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ToMXzVU1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/dydrdaqiuxyq4nbdf2s0.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Hey everyone! Nando, writing for the Hackmetrix team here.&lt;/p&gt;

&lt;p&gt;We just released the new version of Hackmetrix with a totally renewed design and several new features including API access, recurring scans, an integration with Slack, and scanning web apps as a logged-in user.&lt;/p&gt;

&lt;p&gt;For those of you who've never heard of us before, Hackmetrix lets you scan your web apps to discover security flaws and then gives you super clear dev-friendly tips on how to fix them.&lt;/p&gt;

&lt;p&gt;We'd love to hear your thoughts on our work, so please feel free to try it out and drop me a line on &lt;a href="https://twitter.com/dsayunando"&gt;Twitter&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can make a free account (no shenanigans and no CC required) at &lt;a href="https://www.hackmetrix.com/?utm_source=devto&amp;amp;utm_medium=link&amp;amp;utm_campaign=launch"&gt;this link&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks!&lt;/p&gt;


</description>
      <category>security</category>
      <category>webdev</category>
      <category>whitehathacking</category>
      <category>pentesting</category>
    </item>
  </channel>
</rss>
