Astra Security is a web application security company that offers holistic website security solutions via real-time malware monitoring, threat protection, malware removal & website protection services.
Their flagship product, ASTRA, brings together an extensive feature set of manual and automated penetration testing tools, while performing a comprehensive vulnerability assessment and proactively responding to threats.
In these changing times, it’s important to know what threats are out there and how to defend against them, so I sat down with Astra Co-founder & CEO Shikhil Sharma to get his practical advice and perspective on current cybercrime trends.
Let’s begin with a little bit of background about Astra Security: how it started, what was the main idea, and how it has evolved so far.
My co-founder Ananda and I started Astra Security about four years ago. We met at university, where we studied computer science. Since our early teenage years, we were both very interested in security. We used to spend summer vacations together here in India building malware just for fun. At the time, we didn’t even know that it was malware; we used to play tricks on our friends by switching their computers on and off remotely. And you know, 10-15 years ago, this was a really big thing. I got interested in hacking before I became interested in security. At the age of 16, I found a vulnerability on one of the Indian Army’s websites, which I reported. An Indian Army general replied and complimented me, so I realized becoming an ethical hacker was way better than being on the bad side of things and ending up in jail.
Fast forward: my co-founder and I really wanted to learn how to make money online. I started a blog called HackingTweaks.com and my co-founder started a blog called Yaabot, so we used to write extensively about hacking and blogging. We were only in our teenage years when we began to earn money online, and that’s when we realized how powerful the internet can be, because you don’t even have to be 18 or have a college degree to actually get a job.
So, we started thinking of working together and we realized no one is going to pay us to hack, but to secure. We began to work on the service side of things, finding vulnerabilities in various big companies, and helping to fix them in return for bug bounties.
We realized that if giants like Yahoo, Microsoft, Adobe and AT&T have such vulnerabilities, and we have the ability to find them, then smaller businesses would have so many more vulnerabilities because they don’t have hundreds of employees working on security like Yahoo or Microsoft do. So that’s when we thought, let’s make security super simple for businesses, without making them spend $15,000 on security; instead, we would give them a super easy-to-use service, and we would do it for a nominal fee that a small or medium enterprise can afford.
Often, when people start using a security solution, they realize it is too difficult to configure. Sometimes solutions give false positives and other inaccuracies, so we worked on giving businesses super simple solutions that they can understand, and that’s how Astra Security was born.
We used the money we made from security audits to build the product and along the way, we got about 400 beta signup customers. From that point, our product began gaining popularity and we received a few awards, including an award from the Prime Minister of India, which we received at a global conference on cybersecurity. Further down the line, we got a grant from the government of France, to expand our business in Europe.
So, over the last two years, we have been working with a team of 14 people, half of whom were from our original Indian team. We were in France, trying to expand our business using the grant that we got from the French government. So it’s been quite a rollercoaster ride and now, we’ve reached the point where we are able to stop more than 7 million attacks per month on thousands of websites, as well as to detect millions of malware attacks. So, that’s what we do, we spread happiness by making security super simple for small and medium enterprises.
Here’s a brief overview of what you can get with Astra
What are the security challenges that website and mobile app owners are facing these days, and how does Astra Security help?
First, I would like to mention that SSL is just one layer of security. Somehow, over the years, SSL has come to be considered totally secure by end customers who are not too tech-savvy. SSL is super important, even for SEO purposes; it has become important for Google’s updates. But SSL doesn’t necessarily ensure that your website is super secure.
These days we’ve been seeing some severe vulnerabilities. COVID-19 has made a huge impact on businesses. Hackers have also become really active in targeting phishing campaigns around COVID-19. They put donation boxes on eCommerce websites, offering to donate a percentage of each sale to a COVID-19 relief program: “Click this button if you would like to proceed with the donation amount.” So perhaps the consumers don’t mind paying $30 or $50 for COVID relief, but what they don’t know is that the website owner has never put that donation option on their website. It was put there by hackers and the money was transferred straight to a hacker-controlled server. Such hacks are commonly found on eCommerce stores built on popular platforms such as WooCommerce, Magento, PrestaShop and OpenCart.
Another example we’ve been seeing a lot lately is when websites that only accept one payment method suddenly have a PayPal option appear on their shopping cart, giving customers the option to pay through PayPal. So hackers are able to inject a payment method into websites and the owners only realize it several weeks later, when customers start claiming that they paid for products that were never delivered. As it turns out, those payments went straight to the hacker’s PayPal account. That’s a classic SQL injection attack.
These bad bots attack websites, scraping the data, injecting spam, or hijacking SEO. These kinds of attacks have been going on for years now, and we see them almost on a daily basis.
You mentioned that some of these attacks are performed automatically by bots. Is there a way businesses can leverage Artificial Intelligence or Machine Learning to stay ahead of these attacks?
Absolutely, I think that’s the most sought after solution for security. Before I move on to AI or machine learning, there are a couple of practical steps business owners can take and many of them still don’t.
Not utilizing reCAPTCHA or an invisible CAPTCHA by Google is one weak point that bots are trying to find. There’s something known as fingerprinting or probing, where they’re trying to find out how vulnerable the website can be. And if at that point, you give them the CAPTCHA challenge, they realize that you have some security in place and they move on to the next website. But if you’re letting them in and you don’t even have CAPTCHA, which is the most basic security measure that only takes a few minutes to implement, they will see you as a potential victim and exploit you.
Moving on to how business owners can actually make small honeypots: that’s something that we do with Astra. Whenever a vulnerability scanner or a bot comes to your website to scan it for vulnerabilities, it never obeys your robots.txt file. It’s a trait of security scanners and bots: they actually want to find what’s in the robots.txt file. When you mention, for example, that /admin URLs should not be indexed, that is something which is more important to a security professional or a hacker. So what you can do is simply put a small honeypot system in place whereby, for anyone who visits a link from an IP that is not yours or your organization’s and does not follow the robots.txt rule that you’ve put there, the page automatically turns into a bot-block page. A realistic implementation of this is that in the robots.txt file, where you list your admin or whatever sensitive files, you also put a dummy file that you create, for instance anything.php. Anyone who visits that file isn’t supposed to be visiting there and should be automatically blocked from the website. So that’s a very small honeypot you can put in place to protect you from bots, and it doesn’t take too much time to implement.
Regarding machine learning, I think one of the biggest web security problems that machine learning can solve is detecting how a person is able to interact on the website. That’s something that we at Astra have been debating internally. If an SEO company like HotJar or CrazyEgg is able to tell exactly what a person’s doing on your website by recording their actions or doing heatmaps, then similarly, a security company can find an application for the same thing by seeing how a person’s interacting with your website. The ways in which bots and humans interact with the website are massively different. A bot would come to your website and open 50 pages within 10 seconds. That’s not possible with a human. So these are a few data points that can be used to detect human versus bot behaviors to create pattern-based machine learning algorithms.
In recent years, Cloudflare, which is one of the big players in the industry, has tried to do something like that, but one of the key challenges that came up was that there seemed to be some false positives. So for the time being, machine learning isn’t giving very good accuracy. A 90% accuracy is massive for a machine learning algorithm, but even that 10% is too big a compromise for business owners.
Let’s take an eCommerce store owner as an example. We tell him, “Okay, I have a machine learning solution that would prevent all attacks on the system, but it works with 90% accuracy.” So they would say, “What if that 10% is a customer who is going to spend $5,000 on my website? Will they get blocked falsely?” So that’s a massive conflict between user experience and security, and we at Astra are very careful about it.
In terms of things that happen in the back end, like payment gateway security and analysis of customer authenticity, those can easily tell us if, for example, the customer is using a stolen credit card that he’s found on the Deep Web. These kinds of scenarios are definitely solvable with machine learning and we are starting to see way more applications using it.
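The robots.txt honeypot and the "50 pages in 10 seconds" rate signal described in the answer above, written out as an added example. This is not Astra's code and not part of the interview; the trap path, the operator's network range, the rate threshold and the sample traffic are all assumptions chosen for illustration.

```python
"""Robots.txt honeypot plus a request-rate bot check (added example)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed: a dummy path that nothing legitimate links to. It is listed as
# Disallow in robots.txt, so a crawler that honours robots.txt never asks
# for it; anything that does is either a scanner or a bot.
TRAP_PATH = "/anything.php"
ADMIN_PATH = "/admin/"

# Assumed: the operator's own networks, exempt from blocking.
OWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Assumed threshold for the rate signal: more than 50 page loads in 10 s.
RATE_LIMIT = 50
RATE_WINDOW = 10.0


def robots_txt() -> str:
    """Serve the trap right next to the genuinely sensitive admin path."""
    return f"User-agent: *\nDisallow: {ADMIN_PATH}\nDisallow: {TRAP_PATH}\n"


class BotGuard:
    def __init__(self):
        self.blocked = set()                 # client IPs that tripped a signal
        self.hits = defaultdict(deque)       # ip -> timestamps in the window

    def _is_own(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in OWN_NETWORKS)

    def handle(self, ip: str, path: str, ts: float):
        """Return (status, body) for one request.

        A client that requests the trap path, or exceeds RATE_LIMIT page
        loads inside RATE_WINDOW seconds, is blocked for every later request.
        """
        if ip in self.blocked:
            return 403, "blocked"
        if path == "/robots.txt":
            return 200, robots_txt()
        if self._is_own(ip):
            return 200, f"page {path}"
        if path == TRAP_PATH:
            self.blocked.add(ip)
            return 403, "blocked"
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW:   # drop stale hits
            window.popleft()
        if len(window) > RATE_LIMIT:
            self.blocked.add(ip)
            return 403, "blocked"
        return 200, f"page {path}"


def demo():
    """Constructed traffic: a scanner, the operator, a human and a scraper."""
    guard = BotGuard()
    # Scanner reads robots.txt, probes /admin/, then requests the trap.
    scanner = [guard.handle("198.51.100.7", p, t)[0] for p, t in
               [("/robots.txt", 0.0), ("/admin/", 0.5), (TRAP_PATH, 1.0), ("/", 1.5)]]
    # Operator's own address hits the trap while testing: never blocked.
    operator = guard.handle("203.0.113.5", TRAP_PATH, 2.0)[0]
    # Human browses five product pages over 40 seconds.
    human = [guard.handle("192.0.2.10", f"/product/{i}", 10.0 * i)[0] for i in range(5)]
    # Scraper pulls 60 pages in three seconds: blocked after the 51st.
    scraper = [guard.handle("192.0.2.200", f"/product/{i}", 0.05 * i)[0] for i in range(60)]
    return {"scanner": scanner, "operator": operator, "human": human,
            "scraper": scraper, "blocked": sorted(guard.blocked)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The trap path must only ever appear in robots.txt, never in a page or an email: link scanners and browser prefetchers follow links without consulting robots.txt and would block real users. The rate check is the single "pages per window" data point from the answer, not a trained model; in production it would be one feature among several, and the own-network exemption is what keeps the operator from locking themselves out.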
In your view, how is COVID-19 affecting your industry?
First of all, we’re all really overwhelmed with all the COVID-19 emails that we’ve been getting and how every company is doing a webinar. We did one webinar recently and, as it turns out, people are interested in these webinars because of the human interaction, which had become rare until recently.
As I mentioned earlier, COVID-19 brought some very targeted attacks. I think it’s really low for hackers to be targeting people who are worried about the pandemic, but this is exactly the kind of emotional loophole within the human mind that those hackers are after. So we’ve been seeing such attacks happening on a lot of websites. Similarly, we’ve seen a lot of attacks happening on end customers; people who are not really using websites or selling through websites but are using online banking or check their email. A lot of phishing campaigns have started to happen where some financial app would send a nicely coated email, suggesting that you donate to a COVID-19 relief fund, or saying that you need to take some action in order to receive funds.
In terms of how sales and our market in general are getting impacted, I think one of the industries that has benefited the most from COVID-19 has been the security industry, especially around VPN and remote-work security. That doesn’t concern us directly, but it concerns what we do. A lot of organizations were not prepared to do work from home and sadly, it all happened so quickly that they didn’t have enough time to prepare for it. If you are a small startup, you can make that transition in a fairly reasonable time, but if you’re running a company with 100 employees or more, you need so much tech infrastructure to enable work from home: ensuring secure VPN connections when communicating with clients, colleagues, and employees from different departments, and making sure that data is being accessed in a secure way. So since all of that was not in place, people have now started to invest in security solutions, and that is definitely on the rise. I think security spending will continue to grow as more and more people make the permanent choice of working from home. So these are interesting times for our industry.
Which trends and technologies do you find to be particularly intriguing these days, and why?
One of the things that I see shifting is that the CMS market is becoming huge. WordPress, Magento, OpenCart, all these content management systems are growing massively. WordPress is the biggest of them all, capturing a good 34% of the entire internet. I see this becoming a massive change in the next three to four years. WordPress is becoming all headless, it is becoming all React-based. It is becoming very disconnected from its back end, like the dashboard, and the front end of WordPress. I see them becoming really joined together. In terms of security, it means the number of attacks happening would decrease. So this would be a very massive change where everyone in the industry would get affected because even if you don’t make money directly from WordPress, people have their blogs on WordPress. With Gatsby and a couple of other companies coming in, making a React-based website would become huge.
Generally, despite the bad reputation that Zoom got recently, we are still doing this call on Zoom. So any tool that enables remote access or makes it easier to work remotely is going to become huge.
The third segment I would mention is biotech. I think that’s a lesson that the world altogether is learning. We used to feel so proud of ourselves for creating new organisms, mixed breeds and all sorts of biological interventions, but then a small virus comes and the entire world population gets shut in their homes and not allowed to go out. So I think that in the next decades, biotech is going to be a big thing, and so it will be interesting to see what role technology has to play in that.
Following that line of thought, I think we will see more identity management systems and common AI. Going forward, the need for a common identity for all citizens of the world will become really important, because people would have a lot of apprehension before letting foreigners into their countries. For example, if someone from the US comes to a border crossing saying they are healthy, I don’t think the UK government is going to take their word for it. I expect there will be a universal system to make sure that the health of every individual surpasses a certain threshold before they can go on a plane or enter another country. So it will be interesting to see how that turns out.