In the News

Hackers can see your Tinder photos and figure out your matches

23 Jan 2018 | By Shannon Liao

Tinder isn’t using encryption to keep your photos safe from strangers who are sharing the same coffee shop Wi-Fi as you, security researchers found in a report today. Researchers from the Tel Aviv-based firm Checkmarx found that Tinder’s iOS and Android mobile apps still lack basic HTTPS encryption, meaning that anyone sharing the same Wi-Fi as you can see your Tinder photos or add their own into the photostream.

The firm built a proof-of-concept app called TinderDrift, demoed on YouTube, that can reconstruct a user’s session on Tinder if that person is sharing the same Wi-Fi. Although swipes and matches on Tinder remain HTTPS-encrypted, potential hackers on the network can still tell encrypted commands apart due to the specific patterns of bytes that represent a left swipe, a right swipe, a Super Like, and a match, according to Checkmarx.

Major Tinder security flaw could enable hackers to spy on your swipes

23 Jan 2018 | By Chris Smith

The security flaw, which Checkmarx demonstrated in a proof-of-concept app, enables a third party to intercept images, provided the user is on the same Wi-Fi network.

The malicious individual could even use the exploit to insert their own photos into the unsuspecting user’s stream.

Swipe fright: Tinder hackers may know how desperate you really are

23 Jan 2018 | By Shaun Nichols

A lack of security protections in Tinder's mobile app is leaving lonely hearts vulnerable to eavesdropping.

That's according to security biz Checkmarx this week, which claimed Android and iOS builds of the dating app fail to properly encrypt network traffic, meaning the basic actions of peeps looking to hookup – such as swipes on profiles – could be collected by anyone on the same Wi-Fi or carrying out similar snooping.

Vulnerabilities let people see your Tinder swipes and photos

23 Jan 2018 | By Alfred Ng

You might want to swipe left on Tinder's security.

Researchers at Checkmarx, which helps developers test the security of their applications, said in a blog post Tuesday that the popular dating app has a couple of vulnerabilities. The flaws could let an attacker on the same Wi-Fi network you're using see what profile photos you're looking at and whether you swipe right or left, Checkmarx said. That's because profile pictures on Tinder use HTTP instead of HTTPS, the encrypted protocol that more than half the internet uses to protect data from prying eyes.
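The four reports above describe two distinct weaknesses: profile photos fetched over plaintext HTTP, which anyone on the same Wi-Fi can read, and actions that are HTTPS-encrypted yet still identifiable by the size of the encrypted records. The following is an added example, written for this page, of how an analyst would check for both in captured traffic and how record padding blunts the second one. It is not Checkmarx's TinderDrift code, and every host, path and record length in it is constructed for illustration; Tinder's real values are not reproduced here.

```python
"""Cleartext image fetches and length fingerprinting of encrypted actions.

Constructed example. The hostnames, paths and record lengths below are
invented to illustrate the technique described in the articles; they are
not Tinder's traffic and this is not TinderDrift.
"""
import math
import re

# --- 1. Cleartext image fetches ----------------------------------------
# Over plain HTTP the request line is readable by anyone on the same Wi-Fi.
# Over TLS the first byte of a record is a content type (0x16 handshake,
# 0x17 application data), so "GET /photo.jpg" is never visible on the wire.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]\r\n")
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def cleartext_image_request(payload: bytes):
    """Return the requested path if `payload` starts with a plaintext HTTP
    request for an image, else None.  Only the first line is inspected,
    which is all a passive observer needs."""
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        return None
    path = m.group(2).decode("ascii", "replace")
    return path if path.lower().endswith(IMAGE_SUFFIXES) else None


# --- 2. Length fingerprinting of encrypted actions ---------------------
# Constructed fingerprint table: (direction, TLS record length) recorded
# once per action while driving a hypothetical app.  Encryption hides the
# payload, not its size, so distinct sizes leak distinct actions.
FINGERPRINTS = {
    ("out", 374): "swipe_left",
    ("out", 381): "swipe_right",
    ("out", 419): "super_like",
    ("in", 1203): "match",
}


def classify(observations, table=FINGERPRINTS):
    """Map each (direction, length) pair seen on the wire to an action using
    only record sizes; nothing is decrypted."""
    return [table.get(obs, "unknown") for obs in observations]


# --- 3. Countermeasure: pad every record up to a fixed bucket ----------
def padded_length(n: int, bucket: int = 512) -> int:
    """Length on the wire once n bytes are padded to a multiple of bucket."""
    return bucket * math.ceil(n / bucket)


def padded_table(table=FINGERPRINTS, bucket: int = 512):
    """Rebuild the fingerprint table for an app that pads its records and
    return, per padded size, which actions now share it.  A size mapped to
    more than one action no longer identifies any of them."""
    by_size = {}
    for (direction, length), action in table.items():
        key = (direction, padded_length(length, bucket))
        by_size.setdefault(key, []).append(action)
    return by_size


if __name__ == "__main__":
    # Constructed capture: one plaintext image GET, then encrypted records.
    photo = b"GET /u/abc123/photo1.jpg HTTP/1.1\r\nHost: images.example\r\n\r\n"
    print("cleartext image:", cleartext_image_request(photo))
    seen = [("out", 374), ("out", 381), ("out", 419), ("in", 1203), ("out", 900)]
    print("inferred actions:", classify(seen))
    print("after padding:", padded_table())
```

With the constructed table, padding the three outbound actions to a 512-byte boundary collapses them onto one size, so a length-only observer can no longer tell a left swipe from a right swipe or a Super Like; the inbound "match" record still stands alone here only because it is the sole inbound entry in this toy table. Moving the images to HTTPS removes the first leak entirely, but does nothing for the second, which is why both fixes are needed.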

2018 DevOps Predictions

18 Dec 2017 | By

In 2018 one major change we will see as it relates to Application Security (AppSec) is that there will be a reduction of organizations running their own dynamic application security testing (DAST). Many organizations will begin to leverage interactive application security testing (IAST), validating the results by running DAST-as-a-Service. Looking past 2018, the application security testing portfolio will continue to grow with an increase of static application security testing (SAST) as part of the development environment. There will also be a stronger emphasis on security (Sec) in DevOps, which will allow developers to take a more active role and ownership in identifying and remediating code vulnerabilities. The DevOps world will be the first to adopt IAST solutions that are able to leverage automation tests to deliver security analysis in real time.

Why mobile game developers need to say “Game Over” to the man-in-the-middle

14 Dec 2017 | By Amit Ashbel

With a whopping 2.2 billion smartphone users worldwide, it is no surprise that mobile games make up 42 percent of the gaming market equating to $46.1 billion in revenue. What is surprising is that most of the mobile games, including those most popular among children and teens, are highly vulnerable to a breach, often inviting hackers into children's lives. While there is heightened awareness from consumers of the dangers associated with mobile hacks and breaches, the fact that hackers have access to personal information is particularly disturbing when it involves applications most frequently used by children.

Predictions 2018: How DevOps, AI Will Impact Security

14 Dec 2017 | By Chris Preimesberger

Amit Ashbel, Director of Product Marketing and Cyber Security Evangelist, Checkmarx: Here’s what’s next for DevOps.
“DevOps is still maturing, and while many organizations are shifting to DevOps, many are still in the process and not there yet. That said, the DevOps movement will continue to grow and increase its scope to cover additional aspects of the product’s lifecycle. For us specifically, the introduction of security into DevOps is most interesting. The challenge continues to revolve around fast processes and short cycles of security tests with very clear and accurate findings led by remediation that has to be handed in a silver spoon to the developers. While many in the security industry are trying to make DevOps adopt security, I believe that the security vendors should work harder on adapting security practices to DevOps environments which is exactly what Checkmarx have been doing for many years now.”

Infosec expert viewpoint: DevOps security

27 Nov 2017 | By Mirko Zorz

In talking to companies all over the U.S., it is almost unanimous that DevOps is here to stay. DevOps modernizes the software development life cycle and deployment to account for the way businesses are run. I would say 90-95% of enterprise companies have some sort of DevOps initiative and are investing significant time and resources into the DevOps initiative. Organizations that have truly implemented DevOps are already seeing significant results in terms of application quality and speed to market.

Along with the benefits of creating effective and efficient software applications, DevOps can ensure organizations are secure by simply following the integration and automation process that already exists within development.

If security is bolted on as an addition or implemented outside of the DevOps process – instead of automated like CI/CD and baked into the practice – it will not be successful. This removes the manual aspect of security testing which produces push back from developers and DevOps players. However, DevOps players are not security experts and their primary goal is releasing quality software faster.

Share the Cost of Secure Application Development

22 Nov 2017 | By Amit Ashbel

The cost of protecting applications from cyberattacks is climbing fast. So, it's time for business units to help cover the price tag.

The 2017 Ponemon Institute study reaffirms that while this year has seen more hacks and breaches than 2016, organizations are actually spending less money per breach. But the climbing security stocks in the wake of recent hacks seem to indicate that organizations and their CISOs are more than prepared to invest in increased security measures.

In fact, SANS Institute reported last year that despite IT budgets decreasing overall, on average, security budgets are increasing. Furthermore, 76% of SANS respondents said application security fell into their top spending category.

The Best Way for Dev and Ops to Collaborate

9 Nov 2017 | By DevOps Digest

The DevOps culture removes the barriers between departments, and especially among those most deeply involved in DevOps; that is, the operations teams and developers. Historically, there has been a culture of inefficiency and miscommunication between developers and operations teams. This is due to many reasons, but primarily is due to a lack of unified goals: Developers work to code a project as quickly as possible to hand it off to operations in order for them to release it. But with DevOps requirements for small teams comprised of diverse team members working together on a project, and because agile processes are so dependent on the integration of these teams and their tools, collaboration in DevOps enterprises is automatically improved. These single teams break down silos by bringing together employees of diverse skill levels and backgrounds to help inspire more mutual trust and respect.
Amit Ashbel
Director of Product Marketing & Cyber Security Evangelist, Checkmarx
