Information Security Solutions Built on Customer Trust

The Fundamentals of Web App Penetration Testing A couple of blog posts ago we went through the fundamentals of Web Application Penetration Testing. We suggested that a web application penetration test is an assessment of the security of the code and the use of software and libraries on which the application runs. Pen testers are security professionals that will search for vulnerabilities in web apps such as: Injection vulnerabilities Broken authentication Broken authorization Incorrect error handling In this blog post, we will discuss the pricing and overall economics of conducting web app penetration tests. First, as a note, from a broad perspective, a penetration test is an authorized simulated cyber-attack on a computer system or application performed to assess the strengths and weaknesses of the systems or application from that of a criminal, hacker, insider threat, and so on. One thing to remember is that a penetration test is a point-in-time test that is or should be conducted periodically as systems, applications and environments change frequently and thus, so does the security of those assets. Penetration tests are critical to providing IT security an understanding of the overall security posture of the organization and the individual assets within the organization. It tests the security controls the organization has adopted for the sole purpose of strengthening existing controls and adding new controls to eliminate weaknesses. Web Apps are the Most Targeted Asset by Hackers In our previous blog post, we touch on some of this information so why the review? Because web apps are by far the most targeted asset cybercriminals use to access systems, escalated attacks, gain privileges to high priority systems and ultimately steal the sensitive data of the organization, its customers, and employees. As a matter of fact, according to SANS institute, web applications account for more than…

Continue Reading

The SolarWinds Sunburst Attack: How to Protect Yourself from 5th Generation Cyberattacks Last week US government offices were targeted by one of the most sophisticated and severe attacks seen in history both because of the sophistication and scope. A series of mega cyber-attacks were launched and thus far it appears were conducted by state-sponsored cybercrime organizations; the attacks targeted government and technology organizations worldwide. This series of attacks were initiated by what is now thought to be Russian hackers who were able to embed a backdoor into SolarWinds software updates. Over 18,000 companies and government organizations updated their SolarWinds networking software, downloading what seemed to users to be a regular software update on their computers, unfortunately, it was actually a malicious Trojan Horse. By taking advantage of the common IT practice of software updates, the attackers utilized the backdoor to compromise the organization’s assets, both cloud and on-premise. This enabled them to spy on the 18,000 organizations and access their data. Since the attack last week, we have all been reading about the fallout from the SolarWinds supply chain attack now named Sunburst. Many of them are sales pitches riding on the popularity of buzzwords since those companies haven’t had close enough involvement to share things like the Indicators of Compromise (IOCs) or the attack techniques used. We’d like to take some time to bring up some points about incident response readiness with this to understand how organizations can better protect themselves. How The Orion Tool Gave Attackers Access to Sensitive Data A popular network management software company called SolarWinds was targeted and attackers were able to gain enough access to insert unauthorized code and malicious code into multiple distribution software builds of their Orion product over many months. The unauthorized code was then deployed to customer networks providing the…

Continue Reading

The Fundamentals of Web App Penetration Testing First, let’s start with what a Web App Penetration Test is and list the different names and service synonyms that you may see that typically mean the same thing as a web app penetration test. A web app assessment, website application security testing, web app review, security testing for web applications, and several more all typically mean the same thing. Unlike a plain old pen test which typically refers to a network penetration test and is focused on the entire network; web app testing will focus only on the applications that are web-facing and most often exploited because they directly collect data from clients and customers. Second, let’s define a web app test or web app pen test or security test for web applications (we won’t do this again but wanted to make sure you understood that these terms mean essentially the same thing…folks often get confused). A web application penetration test is an assessment of the security of the code and the use of software and libraries on which the application runs. Pen testers are security professionals that will search for vulnerabilities in web apps such as: Injection vulnerabilities Broken authentication Broken authorization Incorrect error handling With so many organizations falling victim to cyber-attacks, IT security now must be willing to go beyond the network penetration test to secure internal and external web applications. Many organizations limit their security focus to vulnerability scans. However, scanning for software vulnerabilities and actually locating security failings in a web application through testing by simulating an attack will uncover critical vulnerabilities (not just software flaws) that can be exploited. The bottom line is that while vulnerability scans can highlight software flaws or known weaknesses that can be found by scanners and patched simply by downloading code…

Continue Reading