
5 minutes with Doug Dooley - Full-stack application attacks

By Maria Henriquez
August 24, 2021

Doug Dooley, Chief Operating Officer at Data Theorem, discusses full-stack application attacks and why organizations are vulnerable to these types of security breaches.

 

Security: What is your background? What is your current role and responsibilities? 

Dooley: My background goes back 20 years in the information security industry, starting at Neoteris (later acquired by NetScreen and Juniper), where we pioneered and commercialized SSL-VPN technology. More recently, I was a venture capitalist leading security and cloud investments at Venrock. My early involvement and investments in Evident.io (acquired by Palo Alto Networks PRISMA Cloud), Niara (UEBA security acquired by HPE), and VeloCloud (SASE acquired by VMware) allowed me to help shape and hopefully positively improve the security industry. My current role is Chief Operating Officer at Data Theorem, where we have pioneered modern application and API security. My primary responsibilities are tied to product strategy and go-to-market efforts.

 

Security: What are full-stack application attacks, and why are organizations vulnerable to this type of data breach?

Dooley: Full-stack application attacks are a growing class of external hacking, which remains the #1 reason for data breaches today (70% external actors, 45% hacking tactics), according to the most recent 2021 Data Breach Incident Report. Full-stack attacks can be characterized as an external attack that exploits vulnerabilities at multiple layers of an application, including the client, API and underlying cloud services. For example, an attack that harvests credentials from a mobile application (iOS or Android) to exploit authorization rules within embedded REST or GraphQL APIs is the start of a full-stack attack. Those exploited APIs allow the attacker to take advantage of storage services (e.g., S3 buckets) and cloud-hosted databases (e.g., ElasticDB, Firebase, MongoDB) to extract thousands or even millions of sensitive data records.
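The credential-harvest-to-API step in the answer above, as an added example (editor's code, not Data Theorem's or the article's): a REST handler that authenticates only the application key a mobile client ships with, beside one that authenticates the user and checks that the requested object belongs to them. The API shape, the record store, the key and the session tokens are all constructed for illustration; the record IDs are sequential so the attacker's enumeration loop has something to walk.

```python
"""Object-level authorization in a REST API reached from a mobile client.

Added example, not code from the article or from Data Theorem. The API,
the record store, the app key and the session tokens are constructed.
"""

# Constructed sample: an API key baked into the mobile app binary (anyone
# who unpacks the app recovers it) and two per-user session tokens.
APP_KEY = "app-key-embedded-in-mobile-binary"
SESSION_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed sample records behind the API, keyed by small sequential IDs.
RECORDS = {
    1001: {"owner": "alice", "ssn": "***-**-1111", "geo": "37.77,-122.41"},
    1002: {"owner": "bob", "ssn": "***-**-2222", "geo": "40.71,-74.00"},
    1003: {"owner": "alice", "ssn": "***-**-3333", "geo": "34.05,-118.24"},
}


class Forbidden(Exception):
    pass


def get_record_vulnerable(app_key: str, record_id: int) -> dict:
    """Authenticates the *application*, not the user, then serves any ID.

    This is the pattern the answer describes: once the app key is harvested
    from the client, every record behind the API is one request away.
    """
    if app_key != APP_KEY:
        raise Forbidden("bad app key")
    return RECORDS[record_id]  # KeyError for an ID that does not exist


def get_record_fixed(session_token: str, record_id: int) -> dict:
    """Authenticates the *user* and checks the record belongs to them.

    A harvested app key on its own gets nothing; a valid user session gets
    only that user's objects (object-level authorization).
    """
    user = SESSION_TOKENS.get(session_token)
    if user is None:
        raise Forbidden("not authenticated")
    record = RECORDS.get(record_id)
    # Same error for "does not exist" and "not yours", so the response does
    # not tell the caller which IDs are real.
    if record is None or record["owner"] != user:
        raise Forbidden("not found")
    return record


def enumerate_ids(fetch, credential: str, start: int, stop: int) -> list:
    """Attacker's loop: walk sequential IDs, keep the ones that come back.

    `fetch` is one of the two handlers above; `credential` is whatever the
    attacker holds (the harvested app key, or a single user's session).
    """
    found = []
    for rid in range(start, stop):
        try:
            fetch(credential, rid)
            found.append(rid)
        except (Forbidden, KeyError):
            continue
    return found


if __name__ == "__main__":
    # With the harvested app key the vulnerable API leaks every record...
    print("vulnerable:", enumerate_ids(get_record_vulnerable, APP_KEY, 1000, 1010))
    # ...the fixed API gives the app key nothing...
    print("fixed/app key:", enumerate_ids(get_record_fixed, APP_KEY, 1000, 1010))
    # ...and even a valid session only yields that user's own records.
    print("fixed/bob:", enumerate_ids(get_record_fixed, "tok-bob", 1000, 1010))
```

The fixed handler still answers each probe, so the loop itself is not stopped; per-user rate limiting and non-sequential object IDs are the usual complements, and the storage and database layers the answer mentions need their own authorization rather than trusting that the API in front of them did its job.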

 

Security: What are the consequences of full-stack attacks?

Dooley: Unfortunately, the consequences of full-stack attacks can be devastating to a business or organization whose reputation is often tied to their ability to protect their customers' identity, location, financial, and health information. Not only can businesses lose the trust of their customers, but they can also lose the confidence of their investors. We know of one company that saw more than $13B of market cap value lost during a two-week fiasco of security exposures.

The recent data breaches at Capital One Bank and Microsoft Bing are both textbook examples of full-stack attacks. In the case of Capital One, a skilled attacker named Paige Thompson was able to use multiple application layers to exploit and extract sensitive data from Capital One. The first layer was at the web app layer, by taking advantage of their WAF (web application firewall). From there, Thompson successfully executed SSRF (server-side request forgery) attacks on the API services layer of those web applications. And lastly, she was able to extract sensitive data from the AWS cloud metadata service. Each layer of the stack helped Thompson unlock the next layer until she reached her destination of getting sensitive data that can later be monetized on the dark web.

In the case of Microsoft Bing, the problem initiated in their mobile application, where authentication was disabled. From the mobile layer, an attacker utilized the embedded APIs lacking authentication protection to find thousands of records unencrypted. The underlying Azure cloud ElasticSearch database revealed users' geolocation, search queries, and Firebase tokens (credentials). In both examples, attackers exploited the full stack to access sensitive data hosted in cloud services.
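The web app, SSRF, metadata service chain from the Capital One account above, as an added example that is not from the article or from either company it names: a "fetch this URL for me" endpoint that forwards a user-supplied URL unchecked, beside one that resolves the host and refuses any non-public address before connecting. The stand-in network, the resolver table, the fake credential blob and the attacker URLs are constructed so the block runs offline.

```python
"""Server-side request forgery (SSRF) from a web app to the cloud metadata
service, beside a fetch that vets its destination first.

Added example, not code from the article or from either company it names.
The proxy endpoint, the stand-in network, the resolver table and the URLs
are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlparse

# The link-local address AWS serves EC2 instance metadata on, and the path
# that returns the instance role's temporary credentials.
METADATA_IP = "169.254.169.254"
METADATA_URL = f"http://{METADATA_IP}/latest/meta-data/iam/security-credentials/"

# Constructed resolver table: one public name, one attacker-controlled name
# whose DNS record points at the metadata address, and localhost.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "attacker.example": METADATA_IP,
    "localhost": "127.0.0.1",
    METADATA_IP: METADATA_IP,
}


def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname so the example runs offline."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


def fake_http_get(url: str, pinned_ip: Optional[str] = None) -> bytes:
    """Stand-in for the network: the metadata address answers with a fake
    credential blob, anything else with a plain body."""
    ip = pinned_ip or fake_resolve(urlparse(url).hostname)
    if ip == METADATA_IP:
        return b'{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"fake"}'
    return b"ok"


class BlockedTarget(Exception):
    pass


def fetch_vulnerable(url: str, http_get: Callable = fake_http_get) -> bytes:
    """The breached pattern: the app forwards a user-supplied URL from inside
    the VPC. Point it at the metadata service and the role's credentials come
    back in the response body."""
    return http_get(url)


def vet_target(url: str, resolve: Callable = socket.gethostbyname) -> str:
    """Return the one IP the request may go to, or raise BlockedTarget.

    Allows only http(s), resolves the host once, and rejects any address
    that is not globally routable (loopback, RFC 1918, CGNAT, link-local,
    where the metadata service lives, IPv6 unique-local). The caller must
    connect to the returned IP rather than resolve again, or a rebinding
    DNS record can pass the check and then point at the metadata address.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedTarget(f"scheme or host not allowed: {url}")
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError) as exc:
        raise BlockedTarget(f"cannot resolve {parts.hostname}: {exc}")
    if not ip.is_global:
        raise BlockedTarget(f"{parts.hostname} resolves to non-public {ip}")
    return str(ip)


def fetch_hardened(url: str, http_get: Callable = fake_http_get,
                   resolve: Callable = socket.gethostbyname) -> bytes:
    """Vet, then fetch against the pinned IP. A real http_get must also refuse
    to follow redirects: a 302 to 169.254.169.254 is the standard way round a
    check that only looks at the first URL."""
    return http_get(url, pinned_ip=vet_target(url, resolve))


def is_blocked(url: str, resolve: Callable = fake_resolve) -> bool:
    """True if the hardened path refuses the URL."""
    try:
        vet_target(url, resolve)
    except BlockedTarget:
        return True
    return False


if __name__ == "__main__":
    attacks = [METADATA_URL, "http://attacker.example/latest/meta-data/",
               "http://localhost/admin", "file:///etc/passwd"]
    for url in attacks:
        try:
            leak = fetch_vulnerable(url)
        except Exception as exc:  # the file:// case has no host to resolve
            leak = repr(exc)
        print(f"{url}\n  vulnerable -> {leak!r}\n  hardened   -> blocked={is_blocked(url)}")
    print("example.com allowed ->", fetch_hardened("http://example.com/", resolve=fake_resolve))
```

Two caveats a practitioner will want. The allow/deny decision has to be made on the resolved IP with the connection pinned to it, and redirects must not be followed, otherwise DNS rebinding or a 302 walks straight past the filter. On the cloud side, requiring IMDSv2 on the instances, where metadata calls must carry a session token first obtained with a PUT request, means a GET-only SSRF cannot read credentials even when the application-layer check fails; that is general AWS guidance, not something the article covers.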

 

Security: What are some tips and best practices you have seen end users employ to mitigate this increase in full-stack attacks? 

Dooley: As more applications get built and deployed in the public cloud, IT security teams are significantly increasing their efforts focused on application and API security. In the traditional on-premises data center, IT security teams put the majority of their attention on perimeter defenses such as network firewalls, intrusion detection systems, and endpoint defense agents. However, these traditional security tools are failing to protect cloud-native applications. The best security teams have all shifted their efforts and investments toward automated security protections on API, cloud, mobile, and modern web applications. Further, Identity and Access Management (IAM), designed for cloud-native application stacks, is employed more often. Organizationally, DevOps and security teams are figuring out better ways to help one another, especially by utilizing more security automation sooner in the CI/CD process. Lastly, IT security teams are starting to organize around a new security program called Attack Surface Management, primarily driven by cloud-native applications with a more dynamic and ever-changing attack surface.

The Agile development process further fuels software innovation by allowing organizations to add new features and capabilities to their applications on a weekly and even daily basis. Rapid application development and innovation are driving digital transformation for most organizations, but without a renewed approach to security, hackers have more opportunities and attack surfaces to exploit for their benefit. Full-stack attacks are not going away any time soon, but with increased attention and investment in DevSecOps and security automation, IT security can help mitigate their organizations' risks and protect their brand and reputation.

 

KEYWORDS: cloud security cyber security data breach risk management

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

Copyright ©2025. All Rights Reserved BNP Media.