Information Security Solutions Built on Customer Trust

The Fundamentals of Web App Penetration Testing First, let’s start with what a Web App Penetration Test is and list the different names and service synonyms that you may see that typically mean the same thing as a web app penetration test. A web app assessment, website application security testing, web app review, security testing for web applications, and several more all typically mean the same thing. Unlike a plain old pen test which typically refers to a network penetration test and is focused on the entire network; web app testing will focus only on the applications that are web-facing and most often exploited because they directly collect data from clients and customers. Second, let’s define a web app test or web app pen test or security test for web applications (we won’t do this again but wanted to make sure you understood that these terms mean essentially the same thing…folks often get confused). A web application penetration test is an assessment of the security of the code and the use of software and libraries on which the application runs. Pen testers are security professionals that will search for vulnerabilities in web apps such as: Injection vulnerabilities Broken authentication Broken authorization Incorrect error handling With so many organizations falling victim to cyber-attacks, IT security now must be willing to go beyond the network penetration test to secure internal and external web applications. Many organizations limit their security focus to vulnerability scans. However, scanning for software vulnerabilities and actually locating security failings in a web application through testing by simulating an attack will uncover critical vulnerabilities (not just software flaws) that can be exploited. The bottom line is that while vulnerability scans can highlight software flaws or known weaknesses that can be found by scanners and patched simply by downloading code…

Continue Reading

Designing and Implementing a Risk-Based Patch Management Program In this blog post, we wanted to take an additional step into explaining the benefits of quality vulnerability management, vulnerability assessments and patch management. We have discussed the topic at your request in previous blog posts including: What You Need to Know About Vulnerability Assessments – https://www.secureops.com/effective-vulnerability-assessments/ The Difference Between a Penetration Test and Vulnerability Assessment Part 1 of 2 – https://www.secureops.com/va-vs-pt/ The Difference Between a Penetration Test and Vulnerability Assessment Part 2 of 2 – https://www.secureops.com/va-vs-pt2/ Vulnerability Management – A Best Practice – https://www.secureops.com/effective-vulnerability-management/ Those four posts should provide a good foundation for understanding the need for vulnerability assessments and a vulnerability management program and will help answer the most frequently asked question in the history of IT Security – What is the difference between a vulnerability assessment and a penetration test. Ok, let’s get started with understanding risk-based patch management. Every organization has software that contains exploitable vulnerabilities. The sheer number of vulnerabilities that are discovered and ranked each year by the CVE has been over 22,000 in each of the last two years. The volume of vulnerabilities has become overwhelming and the fact that most software has multiple vulnerabilities practically guarantees that most organizations will struggle with prioritizing, testing, and applying patches. While not every organization is affected by every vulnerability; every company likely is likely impacted by hundreds of new vulnerabilities per year. In many cases, the updates associated with these vulnerabilities need to be collected, tested, applied and verified to provide complete protection. This creates a significant workload for organizations’ security teams, which are often already overwhelmed by their responsibility to protect the organization against an increasing number of incidents and threats. As a result, it should come as no surprise that many organizations are behind on…

Continue Reading

The 5 Basic Steps to Building a Zero Trust Network Zero Trust is a network security model, based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data – period. It also protects those applications and users from advanced threats on the Internet. At the heart of Zero Trust is data security and specifically sensitive data or PII. Data is the asset attackers want to steal, whether that’s personally identifiable data (PII), protected health information (PHI), payment card information (PCI), or intellectual property (IP), all of it obviously has value. The Zero Trust model is the response to the realization that the perimeter security approach hasn’t been effective because many data breaches happened because attackers, once they got past the corporate firewalls, were able to move through internal systems without the risk of being uncovered and stopped. In addition, the perimeter itself is no longer clearly defined, because applications and data stores are on-premises and in the cloud, with users accessing them from a variety of new and evolving technologies. Now that we’ve explained the why, let’s get into the how; but rather than getting into the details of how to set up a Zero Trust model right off the bat let’s introduce the 5 basic principles that will help protect your data: Identify sensitive data – where does it live on your systems and who has access to it? Limit access – now that you know who has access to PII, you may want to limit that access Detect threats – this goes without saying, however, monitor all activity related to data access including active directory, file and share access, and network perimeter telemetry Establish a baseline of network activity – having a baseline will allow you…

Continue Reading