Tinfoil Security for Microsoft Azure
By- June 03, 2015
Tinfoil Security is proud to announce a brand new partnership with Microsoft Azure, to provide their customers unparalleled web application security for their Azure Web Apps—the first such security solution to be offered on the Azure Marketplace. Microsoft has long been known for making it incredibly easy to build and deploy web applications, but customers always had to go elsewhere to ensure those same applications were safe and secure. Now, with the launch of this exciting partnership, it’s never been easier for you to secure your application. Tinfoil Security is built into your Azure Web Apps management portal, and can be set up with just the click of a button.
Microsoft Azure provides its customers industry-leading protection at the network and data-center level, but previously offered no web application security solutions. Now, with the aid of Tinfoil Security, Microsoft Azure’s customers finally have an easy way to secure their entire software stack.
Starting today, you can secure your Azure Web Apps by continuously scanning them for vulnerabilities. You’ll be scanned for over 60 types of vulnerabilities, including the OWASP Top 10, and we’ll provide detailed instructions on fixing every vulnerability we find.
Furthermore, we’ve added the ability to convert your scan results into ModSecurity rules. ModSecurity is a web application firewall (WAF) that Microsoft Azure includes as part of their Web Apps Service; think of ModSecurity as a layer in front of your application that inspects requests and decides whether or not to block them based on rules you’ve configured. As of today, you can enable our ModSecurity rules to help prevent attacks while you fix each underlying issue we discover. Tinfoil and Azure make this process easy, fast, and consistent.
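To make the "layer in front of your application" concrete, here is an added example (not Tinfoil's or Azure's code, and not ModSecurity's rule syntax) of what a virtual-patch rule does: a WSGI middleware inspects each request against configured rules and returns 403 for requests that violate one, so a known-vulnerable parameter is shielded until the application itself is fixed. The `Rule` format, the `/orders` path, the `id` parameter and the `demo_app` are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


# Hypothetical rule format (not ModSecurity syntax): a positive-validation
# "virtual patch" stating which values a parameter may carry on a given path.
@dataclass(frozen=True)
class Rule:
    rule_id: int
    path: str
    param: str
    allowed: re.Pattern
    message: str


class VirtualPatchMiddleware:
    """WSGI layer in front of an application: inspects each request against
    the configured rules and answers 403 instead of forwarding a violation."""

    def __init__(self, app, rules):
        self.app = app
        self.rules = list(rules)
        self.log = []  # (rule_id, path, param, offending value) for triage

    def violated_rule(self, path, query_string):
        """Return (rule, value) for the first rule the request violates, else None."""
        params = parse_qs(query_string, keep_blank_values=True)
        for rule in self.rules:
            if path != rule.path:
                continue
            for value in params.get(rule.param, []):
                if rule.allowed.fullmatch(value) is None:
                    return rule, value
        return None

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        hit = self.violated_rule(path, environ.get("QUERY_STRING", ""))
        if hit is not None:
            rule, value = hit
            self.log.append((rule.rule_id, path, rule.param, value))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"blocked by rule {rule.rule_id}: {rule.message}\n".encode()]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the customer's application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the app\n"]


# Example rule: until the /orders handler validates its input itself, only
# allow a numeric order id through.
RULES = [
    Rule(1001, "/orders", "id", re.compile(r"[0-9]{1,10}"), "order id must be numeric"),
]


def send(app, path, query_string=""):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    protected = VirtualPatchMiddleware(demo_app, RULES)
    print(send(protected, "/orders", "id=42"))   # ('200 OK', 'hello from the app\n')
    print(send(protected, "/orders", "id=abc"))  # ('403 Forbidden', 'blocked by rule 1001: ...')
    print(protected.log)
```

The rule is a whitelist of what the parameter should look like rather than a blacklist of bad input, which is the shape a scan-derived virtual patch should take; the `log` list is what you would forward to your monitoring so blocked requests are visible while the underlying fix ships.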
Tinfoil has always had a great respect for Microsoft and, specifically, for the Azure team. When we first interacted with them back in 2013, we were left with the distinct impression that we shared both vision and goals: an extreme focus on the user experience, an intention to make development easier than ever before, and an understanding that security is a necessary and paramount part of the development process, especially as more and more companies continue to get breached and lose sensitive customer data.
This partnership has been a long time coming. We explored many different routes as we investigated how we could best offer our best-in-breed security and couple it with Azure’s top-notch build and deploy user experience. We’re proud to announce what we genuinely believe is the most valuable solution to Azure and Tinfoil customers alike.
We hope you’re as excited as we are about this exciting new offer for Microsoft Azure customers, so please don’t hesitate to let us know what you think.
Click here to get started on securing your Microsoft Azure Web Apps today.
If you’re not on the Azure platform, or if you want to integrate security deeper into your development and DevOps process, feel free to check out our main product at https://www.tinfoilsecurity.com.
Spamming Contact Forms No More
By- March 06, 2013
At Tinfoil Security, we work hard to ensure that your security scans thoroughly examine every piece of functionality of your website while minimizing unexpected side-effects on your servers. One common side-effect of scanning contact forms can be a mass spamming of whatever email or support service receives requests sent through that form. Our scanner examines anywhere it can, so we’ve seen the reality of this firsthand. With the help of many of our customers, we’ve built a fix and are happy to announce that we’ve implemented a new module to help prevent this!
With our new technology, when we find a contact form that we believe is spammable, we will avoid it and mark it as a vulnerability - the thing to remember is that if we can spam it, so can a much more malicious attacker, and they won’t stop. The new module is turned on for all of the introductory scans that are run from our homepage, but is turned off for full scans that are run from your Dashboard once you’ve logged in. In a new design coming out soon, you will be able to control this for all scans. Unfortunately, contact forms are still one of the most common places we find vulnerabilities in our customers’ websites, so we think it’s important to scan them during our “full” scans.
This is an issue you could face with any automated attack (regulated or not). Our Getting Started tips prior to running a full scan, as well as our FAQ, suggest ways for you to combat this kind of bot spam by providing suggestions on how to set up CAPTCHAs - both the typical kind you see (those terribly annoying characters that show up on forms sometimes), as well as negative CAPTCHAs. Negative CAPTCHAs turn the concept of CAPTCHAs on its head, adding a task that only bots can do, but humans cannot (or normally wouldn’t) do. We really like negative CAPTCHAs as they provide similar spam protection to word CAPTCHAs, aren’t significantly harder to implement, and provide a far better user experience. Providing instruction on how to properly protect our customers’ websites from spam helped quite a bit, but we felt there was more that we could do.
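Here is an added example of a negative CAPTCHA for a contact form (it is not Tinfoil's code and not from the Getting Started tips or FAQ): the form carries a field that is hidden from people, so only a bot that fills in every input it finds will populate it, plus a signed render-time stamp so submissions that come back faster than a person could type are rejected. The field names `website_url` and `form_stamp`, the 3-second threshold and the per-process secret are assumptions constructed for the example.

```python
import hmac
import secrets
import time

# Names and secret are assumptions for this example; in a real deployment pick
# site-specific, innocuous-looking field names so the honeypot is not obvious.
HONEYPOT_FIELD = "website_url"        # hidden input a person never sees, so never fills
STAMP_FIELD = "form_stamp"            # signed render time, to reject instant submissions
MIN_SECONDS_TO_FILL = 3               # faster than this, nobody typed a message by hand
SECRET_KEY = secrets.token_bytes(32)  # per-process key for signing the stamp


def make_stamp(rendered_at):
    """Return 'timestamp:hmac' so a client cannot backdate the render time."""
    ts = str(int(rendered_at))
    sig = hmac.new(SECRET_KEY, ts.encode(), "sha256").hexdigest()
    return f"{ts}:{sig}"


def verify_stamp(stamp):
    """Return the render time as int, or None if the stamp is missing or forged."""
    ts, _, sig = stamp.partition(":")
    if not ts.isdigit():
        return None
    expected = hmac.new(SECRET_KEY, ts.encode(), "sha256").hexdigest()
    return int(ts) if hmac.compare_digest(sig, expected) else None


def render_contact_form(now):
    """HTML for a contact form carrying the honeypot field and the signed stamp.

    The honeypot sits in a hidden container: bots that fill every input they
    find populate it, people never do. autocomplete=off and tabindex=-1 keep
    browsers and keyboard navigation from touching it on a human's behalf."""
    return (
        '<form method="post" action="/contact">\n'
        '  <label>Email <input name="email" type="email"></label>\n'
        '  <label>Message <textarea name="message"></textarea></label>\n'
        '  <div style="display:none" aria-hidden="true">\n'
        f'    <input name="{HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        f'  <input type="hidden" name="{STAMP_FIELD}" value="{make_stamp(now)}">\n'
        '  <button type="submit">Send</button>\n'
        '</form>'
    )


def classify_submission(form, now):
    """Return (accept, reason) for a submitted form (a dict of field -> value).

    Rejects on the negative-CAPTCHA signals: honeypot filled, stamp missing or
    forged, or the form returned faster than a person could have filled it."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field populated"
    rendered_at = verify_stamp(form.get(STAMP_FIELD, ""))
    if rendered_at is None:
        return False, "render stamp missing or forged"
    if now - rendered_at < MIN_SECONDS_TO_FILL:
        return False, "submitted too quickly"
    if not form.get("message", "").strip():
        return False, "empty message"
    return True, "ok"


if __name__ == "__main__":
    t0 = time.time()
    print(render_contact_form(t0))
    # Constructed submissions: a person, and a bot that filled every field.
    human = {"email": "a@example.com", "message": "Hello", STAMP_FIELD: make_stamp(t0)}
    bot = dict(human, **{HONEYPOT_FIELD: "http://spam.example"})
    print(classify_submission(human, t0 + 20))  # (True, 'ok')
    print(classify_submission(bot, t0 + 20))    # (False, 'honeypot field populated')
```

Rejected submissions should be dropped silently (or logged for your own metrics) rather than shown an error, so a bot learns nothing about which check it tripped; and because a honeypot alone is defeated by a bot that only fills fields with visible labels, the timing stamp is the second, independent signal.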
As always, we’re open to feedback, so please keep it coming. This module is new, and we won’t pretend it’s entirely perfect, so please let us know if you run into any issues with it. Remember you can always cancel a scan at any time. We are more than happy to chat via email or in our support chat, and all customer feedback is taken into account with a great bit of weight. After all, our goal is to keep you secure and happy, and that’s what we strive to do. :) If you need any help implementing a CAPTCHA or want suggestions on what types may work best for your use case, we are more than happy to provide thoughts. Just get in touch!