
Deepfake misuse & deepfake detection (before it’s too late)

By: slandau

Micki Boland is a global cyber security warrior and evangelist with Check Point’s Office of the CTO. Micki has over 20 years in ICT, cyber security, emerging technology, and innovation. Micki’s focus is helping customers, system integrators, and service providers reduce risk through the adoption of emerging cyber security technologies. Micki is an ISC2 CISSP and holds a Master of Science in Technology Commercialization from the University of Texas at Austin, and an MBA with a global security concentration from East Carolina University.

In this dynamic and insightful interview, Check Point expert Micki Boland discusses how deepfakes are evolving, why that matters for organizations, and how organizations can take action to protect themselves. Discover on-point analyses that could reshape your decisions, improving cyber security and business outcomes. Don’t miss this.

Can you explain how deepfake technology works? 

Deepfakes involve simulated video, audio, and images to be delivered as content via online news, mobile applications, and through social media platforms. Deepfake videos are created with Generative Adversarial Networks (GAN), a type of Artificial Neural Network that uses Deep Learning to create synthetic content.

GANs sound cool, but technical. Could you break down how they operate?

GANs are a class of machine learning systems that have two neural network models, a generator and a discriminator, which game each other. Training data in the form of video, still images, and audio is fed to the generator, which then seeks to recreate it. The discriminator then tries to discern the training data from the recreated data produced by the generator.

The two artificial intelligence engines repeatedly game each other, getting iteratively better. The result is convincing, high quality synthetic video, images, or audio. A good example of GAN at work is NVIDIA GAN. Navigate to the website https://thispersondoesnotexist.com/ and you will see a composite image of a human face that was created by the NVIDIA GAN using faces on the internet. Refreshing the internet browser yields a new synthetic image of a human that does not exist.

What are some notable examples of deepfake tech’s misuse?

Most people are not even aware of deepfake technologies, although these have now been infamously utilized to conduct major financial fraud. Politicians have also used the technology against their political adversaries. Early in the war between Russia and Ukraine, Russia created and disseminated a deepfake video of Ukrainian President Volodymyr Zelenskyy advising Ukrainian soldiers to “lay down their arms” and surrender to Russia.

How was the crisis involving the Zelenskyy deepfake video managed?

The deepfake quality was poor and it was immediately identified as a deepfake video attributable to Russia. However, the technology is becoming so convincing and so real that soon it will be impossible for the regular human being to discern GenAI at work. And detection technologies, while having a tremendous amount of funding and support from big technology corporations, are lagging way behind.

What are some lesser-known uses of deepfake technology and what risks do they pose to organizations, if any?

Hollywood is using deepfake technologies in motion picture creation to recreate actor personas. One such example is Bruce Willis, who sold his persona to be used in movies without his acting due to his debilitating health issues. Voicefake technology (another type of deepfake) enabled an autistic college valedictorian to address her class at her graduation.

Yet, deepfakes pose a significant threat. Deepfakes are used to lure people to “click bait” for launching malware (bots, ransomware, malware), and to conduct financial fraud through CEO and CFO impersonation. More recently, deepfakes have been used by nation-state adversaries to infiltrate organizations via impersonation or fake job interviews over Zoom.

How are law enforcement agencies addressing the challenges posed by deepfake technology?

Europol has really been a leader in identifying GenAI and deepfake as a major issue. Europol supports the global law enforcement community in the Europol Innovation Lab, which aims to develop innovative solutions for EU Member States’ operational work. Already in Europe, there are laws against deepfake usage for non-consensual pornography and cyber criminal gangs’ use of deepfakes in financial fraud.

What should organizations consider when adopting Generative AI technologies, as these technologies have such incredible power and potential?

Every organization is seeking to adopt GenAI to help improve customer satisfaction, deliver new and innovative services, reduce administrative overhead and costs, scale rapidly, do more with less and do it more efficiently. In consideration of adopting GenAI, organizations should first understand the risks, rewards, and tradeoffs associated with adopting this technology. Additionally, organizations must be concerned with privacy and data protection, as well as potential copyright challenges.

What role do frameworks and guidelines, such as those from NIST and OWASP, play in the responsible adoption of AI technologies?

On January 26th, 2023, NIST released its forty-two page Artificial Intelligence Risk Management Framework (AI RMF 1.0) and AI Risk Management Playbook (NIST 2023). For any organization, this is a good place to start.

The primary goal of the NIST AI Risk Management Framework is to help organizations create AI-focused risk management programs, leading to the responsible development and adoption of AI platforms and systems.

The NIST AI Risk Management Framework will help any organization align organizational goals and use cases for AI. Most importantly, this risk management framework is human centered. It includes social responsibility information, sustainability information and helps organizations closely focus on the potential or unintended consequences and impact of AI use.

Another immense help for organizations that wish to further understand risk associated with GenAI Large Language Model adoption is the OWASP Top 10 LLM Risks list. OWASP released version 1.1 on October 16th, 2023. Through this list, organizations can better understand risks such as injection and data poisoning. These risks are especially critical to know about when bringing an LLM in house.

As organizations adopt GenAI, they need a solid framework through which to assess, monitor, and identify GenAI-centric attacks. MITRE has recently introduced ATLAS, a robust framework developed specifically for artificial intelligence and aligned to the MITRE ATT&CK framework.

For more of Check Point expert Micki Boland’s insights into deepfakes, please see CyberTalk.org’s past coverage. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.


The post Deepfake misuse & deepfake detection (before it’s too late) appeared first on CyberTalk.

See Your Cyber Defenses with an Adversarial Perspective Using Red Teaming and Pentesting

By: Synack

The Complementary Benefits of Red Teaming and Pentesting

Deploying Complementary Cybersecurity Tools

In our previous article, we talked about the growing number of cybersecurity tools available on the market and how difficult it can be to choose which ones you need to deploy to protect your information and infrastructure from cyberattack. That article described how Asset Discovery and Management solutions work in concert with Pentesting to ensure that you are testing all of your assets. In this article, we’ll take a look at Red Teaming and how it works together with Pentesting to give you a thorough view of your cybersecurity defenses.

What is Red Teaming and How Is It Different from Pentesting?

Red Teaming and Pentesting are often confused. Red Teaming is a simulated cyberattack on your software or your organization to test your cyber defenses in a real world situation. On the surface this sounds a lot like Pentesting. They are similar and use many of the same testing techniques. But Red Teaming and Pentesting have different objectives and different testing methodologies.

Pentesting Objectives and Testing

Pentesting focuses on the organization’s total vulnerability picture. With Pentesting, the objective is to find as many cybersecurity vulnerabilities as possible, exploit them and determine their risk levels. It is performed across the entire organization, and in Synack’s case it can be done continuously throughout the year but is usually limited to a two-week period. Pentesting teams are best composed of security researchers external to the organization. Testers are provided with knowledge regarding organization assets as well as existing cybersecurity measures.

Red Team Objectives and Testing

Red Teaming is more like an actual attack. Researchers usually have narrowed objectives, such as accessing a particular folder, exfiltrating specific data or checking vulnerabilities per a specific security guideline. The Red Team’s goal is to test the organization’s detection and response capabilities as well as to exploit defense loopholes. 

Red Teaming and Pentesting Work Together

There are a lot of articles floating around the internet describing Pentesting and Red Teaming and offering suggestions on which tool to choose for your organization. The two solutions have different objectives, but they are complementary. Pentesting provides a broad assessment of your cybersecurity defenses while Red Teaming concentrates on a narrow set of attack objectives to provide information on the depth of those defenses. So why not deploy both?  A security program that combines Red Teaming with Pentesting gives you a more complete picture of your cyber defenses than either one alone can provide. 

Traditionally, Red Teaming and Pentesting have been separate programs carried out by separate groups or teams. But Synack offers programs and solutions that combine both Pentesting and Red Teaming, all performed via one platform and carried out by the Synack Red Team, our diverse and vetted community of experienced security researchers. 

With Synack you have complete flexibility to develop a program that meets your security requirements. You can perform a Pentest to provide an overall view of your cybersecurity posture. Then conduct a Red Teaming exercise to check your defenses regarding specific company critical infrastructure or your adherence to security guidelines such as the OWASP (Open Web Application Security Project) Top 10, or the CVE (Common Vulnerabilities and Exposures) Checklist.

But don’t stop there. Your attack surface and applications are constantly changing. You need to have a long-term view of cybersecurity. Synack can help you set up continuous testing, both Pentesting and Red Teaming, to ensure that new cybersecurity gaps are detected and fixed or remediated as quickly as possible.

Learn More About Pentesting and Red Teaming

To learn more about how Synack Pentesting can work with Red Teaming to help protect your organization against cyberattack, contact us.

The post See Your Cyber Defenses with an Adversarial Perspective Using Red Teaming and Pentesting appeared first on Synack.

Synack Triaging Prioritizes the Vulnerabilities that Matter

By: Synack

Putting the Most Critical Vulnerabilities First

Vulnerability testing, whether via an automatic scanning program or human-based penetration testing, can find an overwhelming number of vulnerabilities in your system, as recent trends would suggest. Since 2017, record numbers of Common Vulnerabilities and Exposures (CVEs) have been reported, with 2022 on track to set a new high.

Sorting through a record number of vulnerabilities to keep your organization secure is a daunting task without additional support and distillation.

The good news is that, of all the vulnerabilities that might show up on a traditional vulnerability report, only around 5% are ever exploited in the wild. And most of the exploited vulnerabilities are those with the highest CVSS (Common Vulnerability Scoring System) severity score of 9 or 10.

So how do you know which vulnerabilities in your system need to be addressed right now, and which can be put on the back burner? Some vulnerabilities are an immediate risk to the business, while others are highly unlikely to be exploited. Prioritizing critical vulnerabilities can mean the difference between preventing an attack and responding to one.

Finding and triaging critical vulnerabilities is where Synack’s pentesting outperforms traditional models. We continuously prioritize impactful vulns for your organization, surfacing only vulnerabilities that are reproducible and show exploitability.  

The Synack Difference—The Vulnerability Operations Team

The Synack Platform is the only solution to harness the best in augmented intelligence for more effective, continuous pentesting. First, the Synack Red Team (SRT), a group of vetted researchers, conducts open vulnerability discovery, while our automated SmartScan provides broad attack surface coverage. Together, they find vulnerabilities across your attack surface.

Next, the Synack Vulnerability Operations team assesses vulnerabilities found by the SRT and SmartScan using a rigorous vetting process. Noise, such as duplicate submissions by the SRT, non-replicable exploits, and low-impact vulns, is kept to a minimum during penetration testing, and you’re ultimately served vulnerabilities that present a clear risk.

This additional step to triaging is key to faster remediation and minimizing business risk. 

The Vulnerability Operations team is a group of seasoned security professionals with hacking expertise. They are full-time Synack employees with extensive vulnerability knowledge: they’ve seen tens of thousands of them. For the most accurate triaging, high impact vulnerabilities are often reviewed by multiple team members. So, when you get a vulnerability report from Synack, you know that it matters.

Remediating Exploitable Vulnerabilities with True Business Impact

The Vulnerability Ops team works alongside the SRT 365 days a year to bring order to the thousands of CVEs. When the team receives an initial vulnerability report, they will first validate the vulnerability by replicating it based on details provided in the report. When the vulnerability is confirmed, the Ops team proofreads and formats the report for utility and readability by a development team. Everything needed to reproduce the vulnerability is provided in each report.

After vulnerabilities are deemed exploitable and impactful, and the report has been detailed with steps to reproduce and suggestions on remediation, it will be published to the Synack Platform.

From there, the Synack Platform provides real-time findings on the vulnerabilities found: their CVSS score, steps to remediate and evidence of the researcher’s finding. With this information you can address the vulnerabilities that are most important to your organization in a systematic and thorough manner.

Through the Synack Platform, teams are also able to check if their remediation efforts were successful with Patch Verification. Patch Verification can be requested on-demand, and the researcher will provide further communications on the patch efficacy.

The Synack Platform facilitates delivery of vulnerabilities and actions like submitting patch verification requests.

2021 Vulnerability Highlights

The six most popular types of vulnerabilities delivered to organizations were:

  • Cross-site Request Forgery (XSRF)
  • Authentication Permission
  • Information Disclosure
  • SQL Injection (SQLi)
  • Functional Business Logic
  • Authentication Session

Making the Most of Vulnerability Testing

Most organizations don’t have the resources to chase every vulnerability reported from initial testing. To further safeguard your organization, someone needs to determine which are true vulnerabilities, which of those are exploitable, and at what level of criticality. That process is noise reduction, and it is essential for any cybersecurity operation to aim for the highest level of noise reduction before proceeding to remediation. Synack, through the Vulnerability Operations team, can take on this task for you.

Using Synack’s unique approach to continuous pentesting, your team will be able to proceed with confidence that their remediation efforts are critical to keeping the organization secure. Get started with Synack penetration testing today.

The post Synack Triaging Prioritizes the Vulnerabilities that Matter appeared first on Synack.

Preventing Cryptographic Failures: The No. 2 Vulnerability in the OWASP Top 10

By: Synack

By Bruce Kang, Associate Security Operations Engineer

Introduction

In the 2021 iteration of the OWASP Top 10, Cryptographic Failures moved up one ranking to take the No. 2 spot. Its name also changed from “Sensitive Data Exposure” to “Cryptographic Failures” to more accurately describe the vulnerability. In this article, we will take a deep dive into this vulnerability and explain how and why it exists, and how to prevent it from being exploited.

A Brief Explanation of Cryptography

To understand what falls under the broad category of Cryptographic Failures, it’s important to first understand what cryptography is exactly. To keep things simple, cryptography can be thought of as a way of secure communication so that sensitive information can only be viewed by authorized parties. The process for this usually involves having an original “plaintext” message, which is then put through some sort of encryption algorithm, which turns it into unreadable “ciphertext.” This ciphertext is then only able to be decrypted back to its original plaintext by the intended recipient(s), usually by using a cryptographic key that only the intended recipient(s) have access to. 

Implementations of Cryptography

Cryptography is ubiquitous in today’s computing world. It is implemented in technologies like:

  • Protocols: HTTPS, FTPS, SFTP, SSH, SMTPS, etc., to ensure that all communication between two endpoints is encrypted.
  • Hashing (one way encryption): passwords, authentication, file integrity verification, etc.
  • Website certificates to verify authenticity.

Explanation of Cryptographic Failures

Since cryptography is used so widely and has many different implementations, there are several ways for vulnerabilities to occur: implementation errors, weak encryption methods, not encrypting data at all, and much more. Therefore, Cryptographic Failures is a broad vulnerability category that encompasses all attacks related to cryptography. As one could imagine, a vulnerability of this type could lead to serious consequences, as cryptography is meant to secure sensitive information. Thus, if there is a failure at any point in this process, that information could be exposed to any number of malicious attackers.

Simple Example with Man in the Middle Attacks

For our first example of a Cryptographic Failure, imagine if a banking website did not use HTTPS. To give some context, HTTPS encrypts traffic being sent between the user and the website, as opposed to HTTP which sends everything “in the clear”. This is very important considering things like passwords, social security numbers, etc. could be communicated between the user and website. Using HTTPS means an attacker would not be able to view the information being exchanged if they were to intercept the traffic. Therefore, failure to use HTTPS would make users vulnerable to what would be called a “Man in the Middle” attack. As the name suggests, this type of attack happens when an attacker is able to intercept traffic between two nodes and view the information being exchanged, usually possible by being on the same network. This attack would look something like this:

Here the attacker is able to view all the information the user is sending to the website, possibly including things like the credentials for their bank account. This is all because the website failed to implement the necessary cryptographic controls for preventing this attack.

Real World Example #1: Weak Ciphers 

Usually, a Man in the Middle attack can prove to be pointless if the data is encrypted, as the collected data will be impossible to read without the decryption key. However, there are ways to bypass this. A real example of this attack vector was found by one of our Synack researchers (sensitive information redacted). They found that the application they were testing was using weak, outdated block ciphers for encrypting communication being sent back and forth between the users and the application. It is important to remember that block ciphers encrypt data in fixed-size “blocks”. The larger the blocks, the more layers of complexity are added to the encryption, in turn making the data harder to decrypt without the key.

However, the application was found to be using only 64-bit block ciphers, an outdated method of block cipher encryption because it is vulnerable to the “Sweet32” vulnerability (CVE-2016-2183, CVE-2016-6329). Without getting into the mathematics behind this vulnerability, it can essentially be understood as a way to crack any encryption that uses 64-bit block ciphers. Because of this, it has been advised to use encryption algorithms with block sizes of at least 128 bits, such as AES.

What this means is that attackers could potentially conduct a Man in the Middle attack (as described earlier) to capture encrypted traffic between the user and the application, then crack the encryption easily due to the weak cipher.
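The block-size argument above can be put in numbers. The following Python is an added example (not from the article or from Synack): it flags the suites in a cipher list that rely on a 64-bit block cipher and computes the birthday bound behind Sweet32, the amount of traffic under one key after which a repeated ciphertext block becomes likely. The suite list and the BLOCK_BITS table are constructed for illustration.

```python
"""Sweet32 in numbers: why a 64-bit block size is too small for TLS.

Added example, not from the original article or from Synack. The suite
names and the BLOCK_BITS table below are constructed for illustration.
"""
import math
from typing import List, Optional

# Block size in bits of the block cipher named in an OpenSSL-style suite
# name. 3DES (DES-CBC3), IDEA and Blowfish (BF) use 64-bit blocks; AES,
# Camellia and ARIA use 128-bit blocks. Order matters: more specific
# tokens come first so that "AES128" is checked before "AES".
BLOCK_BITS = [
    ("DES-CBC3", 64), ("3DES", 64), ("IDEA", 64), ("BF-", 64),
    ("AES128", 128), ("AES256", 128), ("AES", 128),
    ("CAMELLIA", 128), ("ARIA", 128),
]


def block_size_bits(suite: str) -> Optional[int]:
    """Block size of the cipher in `suite`, or None when the suite is not
    built on a block cipher (e.g. CHACHA20-POLY1305 or RC4)."""
    name = suite.upper()
    for token, bits in BLOCK_BITS:
        if token in name:
            return bits
    return None


def birthday_bound_bytes(block_bits: int) -> int:
    """Amount of data under one key after which a block collision becomes
    likely: roughly 2^(n/2) blocks of n/8 bytes each. For n = 64 this is
    2^32 blocks * 8 bytes = 32 GiB; for n = 128 it is about 2^68 bytes."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)


def collision_probability(block_bits: int, data_bytes: int) -> float:
    """Birthday-paradox estimate of at least one repeated ciphertext block
    after `data_bytes` of CBC traffic under one key: 1 - exp(-k^2 / 2^(n+1))
    with k the number of blocks sent and n the block size in bits."""
    k = data_bytes // (block_bits // 8)
    return 1.0 - math.exp(-(k * k) / 2.0 ** (block_bits + 1))


def weak_block_suites(suites: List[str]) -> List[str]:
    """Suites that should be disabled server-side because of Sweet32:
    every suite built on a 64-bit block cipher."""
    return [s for s in suites if block_size_bits(s) == 64]


# Constructed cipher list, in the form testssl.sh or `openssl ciphers`
# would print it. Only the DES-CBC3 suites are Sweet32-relevant.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "AES256-SHA",
]

if __name__ == "__main__":
    for suite in weak_block_suites(SAMPLE_SUITES):
        print("disable:", suite)
    gib = 2 ** 30
    for bits in (64, 128):
        print(f"{bits}-bit blocks: birthday bound at "
              f"{birthday_bound_bytes(bits) / gib:.3g} GiB; "
              f"P(collision after 32 GiB) = "
              f"{collision_probability(bits, 32 * gib):.3g}")
```

The 32 GiB figure is why a long-lived HTTPS session over 3DES is a practical problem rather than a theoretical one, and why the fix is to remove the 64-bit suites from the server configuration rather than to rate-limit sessions.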

This vulnerability was found by the researcher utilizing a tool called testssl.sh (https://github.com/drwetter/testssl.sh). This tool was run against the target website like so:

After identifying that the website uses weak ciphers, testssl.sh can be used again to find that this causes it to be exploitable via Sweet32.

With this information, an attacker now knows that a Man in the Middle attack could be used to capture sensitive data, then easily be cracked using the Sweet32 vulnerability.

This vulnerability showcases how important it is to ensure that the strongest, most up to date encryption algorithms be used whenever possible, especially considering that encryption algorithms are constantly evolving.

Real World Example #2: Unencrypted Admin Credentials 

In our second real world example showcasing Cryptographic Failures, one of our own Synack researchers managed to find hard-coded admin credentials for an application through source code review (sensitive information changed or redacted). The researcher found that the target was running “Manage Engine Service Desk Analytics Plus Application.” Upon finding this, the researcher was able to request the source code of this application from the vendor.

The researcher then found that the source code contained hard-coded credentials:

public static final String DEFAULT_USER = "admin@website.com";
public static final String DEFAULT_USER_PWD = "admin123";
public static final String PARTNER_ADMIN = "partner+admin@website.com";
public static final String PARTNER_ADMIN_PWD = "Password123";

These credentials were then able to be used on the target that was running this application, thereby granting administrative access to the hosting server. This is a very clear and simple example of a Cryptographic Failure, as these credentials should have been encrypted or stored in a key vault, instead of being hard-coded into the source code.
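As an added example (not the article's or the vendor's code), the following Python scans source for the pattern the researcher found: a string literal assigned to an identifier whose name suggests a secret. The sample source is constructed with placeholder values and the name patterns are assumptions to tune for your own codebase; the `require_secret` helper shows the replacement, reading the value from the environment at runtime instead of from the source.

```python
"""Detecting hard-coded credentials in source, and the replacement pattern.

Added example, not from the original article or from Synack. SAMPLE_SOURCE
is constructed with placeholder values; the regexes are starting points.
"""
import os
import re
from typing import List, Optional, Tuple

# Identifier fragments that usually hold a secret. Assumption: tuned to the
# *_PWD naming seen in the article; extend with your own conventions.
SECRET_NAME = re.compile(r"(pwd|passw(or)?d|secret|api_?key|token|private_?key)", re.I)

# `NAME = "literal";` as written in Java or C# constant declarations.
ASSIGNMENT = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"\n]*)"\s*;')


def mask(value: str) -> str:
    """Keep only the first two characters so a report never re-leaks a secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, identifier, masked value) for every string
    literal assigned to a secret-looking identifier."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in ASSIGNMENT.findall(line):
            if value and SECRET_NAME.search(name):
                findings.append((lineno, name, mask(value)))
    return findings


def require_secret(name: str, env: Optional[dict] = None) -> str:
    """The replacement for a hard-coded value: read it from the process
    environment (populated by a secrets manager or vault at deploy time)
    and fail fast if it is missing rather than falling back to a default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not configured")
    return value


# Constructed Java snippet mirroring the shape of the vulnerable constants.
# Line 6 shows the corrected form: the value is supplied at runtime.
SAMPLE_SOURCE = """\
public class Defaults {
    public static final String DEFAULT_USER = "admin@example.com";
    public static final String DEFAULT_USER_PWD = "admin123";
    public static final String PARTNER_ADMIN = "partner+admin@example.com";
    public static final String PARTNER_ADMIN_PWD = "Password123";
    public static final String DB_PASSWORD = System.getenv("DB_PASSWORD");
    public static final String GREETING = "Hello";
}
"""

if __name__ == "__main__":
    for lineno, name, masked in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {masked!r}")
```

Run as a pre-commit hook or CI step over the repository, this catches the two password constants while leaving the environment-backed `DB_PASSWORD` alone.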

Real World Example #3: Unencrypted file backups in Microsoft Azure 

This third example of Cryptographic Failures also shows an example of an organization not encrypting all of their data. A Synack researcher managed to find a client’s file backups that were not completely encrypted. Specifically, the vulnerable application backed up Office 365 mailboxes in a Microsoft Azure storage account, and claimed that these files were in fact encrypted with the key being stored in Azure Key Vault. However, the researcher discovered that the data was only encrypted server-side. This meant that the encryption would only protect the backups if an attacker were able to gain physical access to the hard disk on the host server, which would be incredibly difficult to do considering Microsoft Azure is a major cloud provider. 

Instead, the researcher found that any user who had access to the Microsoft Azure storage account would be able to view every mailbox that was backed up to it, without even needing the key. This vulnerability was found by first creating the backup via the vulnerable website: 

After the backup is created, a blob storage folder is created in the Azure storage account called “o365-backups”, which contains all backed up mailboxes and attachments. One could then view the location of any user’s attachments folder by logging into the storage account and accessing this URL: 

https://storage_account.blob.core.windows.net/o365-backups/<mailbox_user>/attachments/

From here all the researcher had to do was generate a download URL for any of the attachments found. After downloading the file, a Hex Editor can then be used to change the file from its original custom file format to a PNG, making it viewable. This would work for any attachments of other users on the application as well, potentially exposing sensitive information stored in users’ mailboxes.

What was probably intended here was for the storage account to be used to manage the mailbox backups without actually being able to read what was in them. Thus cryptography was not properly implemented and allowed the Azure storage account to view more information than was necessary, violating the principle of least privilege and potentially exposing sensitive information to unwanted eyes.

Real World Example #4: GitHub Exposes JWT Encryption Key 

This next example is very similar to the second one that was shown, as it involves the hardcoding of sensitive cryptographic information. This information was found through source code review on a client’s GitHub repository. One of our Synack researchers reviewed the publicly available code and found that it exposed a JWT private signing key. 

JWT stands for “JSON Web Token,” which is usually used for authentication. These tokens contain various data in JSON format about a user, and also must be signed by a private signing key in order to be used for authenticating into a specific application. If an attacker knows the fields needed for a valid JWT, and has the private signing key, it is possible for them to create their own valid JWT to impersonate other users. In turn, they would have full access to all that user’s data.

The researcher was first able to find this private key in the client’s GitHub repository:

private static string privateKey = <KEY>

Using this private key, they then could generate a public key using openssl. Then, using information found in the GitHub repository, the researcher was able to find the other fields used in the JWT. The resulting JWT payload was this (note: the username of the user being impersonated must be known beforehand, likely through some type of user enumeration):

{
    "sub": "1234567890",
    "name": "USER2",
    "iat": 1516239022
}

The header was also found to be using HS256:

{
    "alg": "HS256",
    "typ": "JWT"
}

Then, a JWT generator website like https://jwt.io/#debugger-io could be used to combine all this information to create a valid JWT token that could be used. The payload, header, private key, and public key were all used to create the encoded JWT, as shown below.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlVTRVIxIiwiaWF0IjoxNTE2MjM5MDIyfQ.MlOB8X3VEZgAuD_Q7odNy_TEXbv5gSeXb3vHd538BKE

This was then used to authenticate the application as “USER2” by changing the attacker’s cookie. The researcher then had access to all of USER2’s data.

Thus, it is important to remember that hardcoding sensitive information into viewable source code is almost always bad practice.
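HS256 is HMAC-SHA256 under a single shared secret, so whoever holds that value can both verify and mint tokens. The following Python is an added example (not the article's or Synack's code) that implements HS256 signing and strict verification with the standard library and shows that a token minted with a leaked secret is accepted until the secret is rotated; the secrets are constructed and the payload mirrors the one in the article.

```python
"""HS256 JWTs: strict verification, and what a leaked secret buys.

Added example, not from the original article or from Synack. Secrets are
constructed; the payload fields mirror the ones shown in the article.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if `token` carries a valid HS256 signature under
    `secret`, else None. The algorithm is pinned by the verifier, so a
    header claiming "none" or another algorithm is rejected outright."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte compare leaks timing.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed secrets: the one that was committed to the repository, and the
# replacement issued after the leak was found.
LEAKED_SECRET = b"constructed-secret-that-was-committed-to-git"
ROTATED_SECRET = b"constructed-replacement-secret-after-rotation"

# Payload shape from the article; only "name" differs between victims.
VICTIM_PAYLOAD = {"sub": "1234567890", "name": "USER2", "iat": 1516239022}


def leaked_secret_impact() -> dict:
    """Both halves of the finding: a token minted with the leaked secret
    verifies as USER2 while that secret is live, and the same token is
    rejected once the application verifies with the rotated secret."""
    forged = sign_hs256(VICTIM_PAYLOAD, LEAKED_SECRET)
    return {
        "accepted_before_rotation": verify_hs256(forged, LEAKED_SECRET),
        "accepted_after_rotation": verify_hs256(forged, ROTATED_SECRET),
    }


if __name__ == "__main__":
    print(json.dumps(leaked_secret_impact(), indent=2))
```

Rotating the secret is the remediation that actually ends the exposure; removing the key from the repository alone leaves every token signed with it valid, and git history keeps the value.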

Real World Example #5: Crackable Password Hash Retrieval 

Cryptographic Failure vulnerabilities can also arise when the original plaintext itself does not follow best practices. This mostly applies to passwords, as weak passwords can often be compromised even if they are properly hashed.

Offline password cracking usually involves having a set of compromised passwords that are still hashed, then using some kind of cracking tool to recover the plaintext. These include tools like hashcat, John the Ripper, THC Hydra, and more. The basis of all these tools is that they go through each hashed password and attempt to guess the plaintext using a wordlist of common passwords, or use a rainbow table of pre-calculated hashes for common passwords.

An example of this involves another one of our Synack researchers, who cracked an administrator’s password for a server management application running on a client’s network. The researcher was first able to find that the vulnerable host was running HP Integrated Lights-Out (iLO), which uses the IPMI v2 authentication protocol. The problem is that IPMI v2 has a design flaw that could be used to dump the password hash of the requested user, before even authenticating. The only requirement is that a valid username be known. The following Metasploit module can be used to dump these hashes.

auxiliary/scanner/ipmi/ipmi_dumphashes

After the password hashes are retrieved, they can then be cracked offline. Normally, strong passwords that are salted are extremely hard to crack. This is because 1) a unique, complex password will generate an equally unique hash that is not part of any existing rainbow table, and the password itself will not be in any common brute-force wordlist, and 2) salting the password adds more complexity to the hash, as it adds a unique, random string of characters to each password before it is hashed, which is then known only to the application.

However, the researcher found that this application was not following either of these practices for their administrator passwords, and thus was able to crack them very easily. All the researcher had to do was run hashcat on a text file containing the dumped hashes, along with another text file containing common administrator usernames (admin, administrator, root, etc.).

hashcat --username -a 3 -m 7300 hashes.txt

These credentials could then be used to gain administrative access to iLO, in turn allowing the attacker to have a shell environment on the host. This vulnerability has even been reported as being used in ransomware attacks: https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces

This is why it is of the utmost importance to ensure that strong password policies are enforced to ensure that they cannot easily be cracked. Best practices include having policies around password length, complexity, or just using a password management solution.
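The two practices the researcher found missing, per-user salting and strong passwords, are shown together in the following Python, which is an added example (not the article's or Synack's code): an unsalted hash of a common password falls to a single table lookup, while a salted PBKDF2 record does not, and a small policy check rejects the kind of password that was cracked. The "rainbow table" and the passwords are constructed for illustration.

```python
"""Why unsalted hashes of weak passwords fall instantly, and the fix.

Added example, not from the original article or from Synack. The
"rainbow table" and the passwords are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed table: unsalted SHA-256 of a few
# common administrator passwords, keyed by hex digest.
COMMON_PASSWORDS = ["admin", "password", "admin123", "Password123", "root"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted(hex_digest: str) -> Optional[str]:
    """One dictionary lookup recovers an unsalted hash of a common password."""
    return RAINBOW_TABLE.get(hex_digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh 16-byte salt per user
    means equal passwords produce different records and no precomputed
    table applies; the iteration count makes each offline guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def password_policy_ok(password: str, min_length: int = 12) -> bool:
    """Minimal policy of the kind the article recommends: a length floor,
    at least three character classes, and no entry from the common list."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    blocked = {p.lower() for p in COMMON_PASSWORDS}
    return len(password) >= min_length and classes >= 3 and password.lower() not in blocked


def demo() -> dict:
    """Contrast the unsalted and salted storage of the same weak password."""
    leaked_unsalted = hashlib.sha256(b"admin123").hexdigest()
    record_a = hash_password("admin123")
    record_b = hash_password("admin123")
    return {
        "unsalted_cracked_as": lookup_unsalted(leaked_unsalted),
        "salted_in_table": lookup_unsalted(record_a.split("$")[-1]),
        "same_password_same_record": record_a == record_b,
        "verify_correct": verify_password("admin123", record_a),
        "verify_wrong": verify_password("admin124", record_a),
        "policy_admin123": password_policy_ok("admin123"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that salting and iteration only buy time against a dictionary attack; "admin123" still falls to a wordlist run, which is why the policy check has to reject it before it is ever stored.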

Final Thoughts

Ensuring that cryptography is properly implemented is critical. Understanding why cryptography is important and how it works is paramount to using it correctly. To find out more about preventing these vulnerabilities, the OWASP guide can be found here.

It is clear why the OWASP Top 10 has put Cryptographic Failures so high up on its list, as the prevalence and consequences of these vulnerabilities are enormous. Learn more about how Synack can help prevent these and other vulnerabilities in your systems here.

The post Preventing Cryptographic Failures: The No. 2 Vulnerability in the OWASP Top 10 appeared first on Synack.

Get Ahead of Vulnerabilities With Proactive ASVS Benchmark Pentesting

By: Synack

Start With Pentesting to Harden Your Site Against Cyberattacks

Cybersecurity for web apps has never been more important than it is today. Websites and online applications are under constant attack by people and groups looking to penetrate systems to cause damage or steal vital information. And it’s not just criminals and mischief-makers; government-sponsored attackers are at work as well. Consider these cybersecurity statistics compiled by Patchstack:

  • A 2019 report found that security breaches had increased by 67% over the last five years.
  • 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.
  • A 2019 study found that hackers could attack users in 9 out of 10 web applications they analyzed.
  • Another 2019 study found that 46% of web applications have critical vulnerabilities, and a whopping 87% had “medium” security vulnerabilities.

Even more telling is a 2019 report that found that 47% of all hacked websites contained at least one backdoor, allowing hackers access to the website. And the costs associated with data breaches continue to climb. The average cost of a data breach among companies surveyed in a 2021 IBM report reached $4.24 million per incident, the highest in 17 years.

Security personnel have a number of tools at their disposal to thwart cyberattacks. One of the most valuable is pentesting: checking for vulnerabilities that could give a hacker access to the system. But although not as reactive as remediating a breach that has already occurred, traditional pentesting is still somewhat reactive in nature. You are being proactive in checking for vulnerabilities that could potentially be used by an attacker, but the vulnerabilities already exist. It is like calling in a plumber to check for leaks in your pipes that could potentially cause water damage. The leaks are expected to already be there and be found, just as the vulnerabilities are in a pentest. So, although a valuable tool, pentesting only takes you part of the way to a truly security-hardened organization.

How ASVS Benchmarks Go Beyond Pentesting

What you need is a way to check your security posture for conditions that might lead to a future vulnerability and remediate those issues as well. Only then can you consider your site truly security-hardened. It is like that plumber fixing all the leaks in your pipes, then going back and making a systematic check of your pipes for conditions that could lead to a leak, such as rusting, pipes located in places where they are likely to freeze, or improperly connected pipes.

ASVS provides for this by listing security conditions analogous to those that might lead to leaky pipes. This is how ASVS benchmarks enable proactive security.

Enhance Your Security Posture Further With ASVS Benchmark Tests

The Application Security Verification Standard (ASVS) was developed by the Open Web Application Security Project (OWASP) to help organizations examine the state of their cybersecurity. The primary aim of the ASVS Project was to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls and technical security controls in the environment that protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.

The ASVS benchmark provides a compilation of security controls that are expected to be in place in a well-secured application. It also provides developers with a list of requirements for secure development. The ASVS does not provide a framework to check for vulnerabilities. Rather, it provides a framework to check for controls that prevent, and conditions that could lead to, exploitable vulnerabilities. Synack recommends performing ASVS benchmark testing as part of an ongoing security process for maximum cybersecurity.

OWASP lists the following as objectives achieved by ASVS:

  • Use as a metric: provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications.
  • Use as guidance: provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements.
  • Use during procurement: provide a basis for specifying application security verification requirements in contracts.

When to Run ASVS Benchmark Tests

The ASVS framework is best suited for organizations that are relatively mature in their security posture. Since the tests don’t actually check for vulnerabilities, it is most appropriate to run ASVS tests after you have examined your system for existing vulnerabilities and remediated them through continuous and effective penetration testing. Once existing vulnerabilities have been discovered and remediated or resolved, then it is time to check your security controls for best practice implementations. Running the ASVS benchmark can then help the organization create a better defense in depth posture. 

Proactive Vulnerability Testing With Synack’s ASVS Benchmark Product

There are three levels of ASVS benchmarks available in the Synack Catalog: Basic, Standard, and Advanced. You choose the Synack ASVS Campaign to run based on the level that is appropriate for the organization. Across levels, an ASVS Campaign can ensure that an application follows best practices to protect user data and prevent exploitation by adversaries. An ASVS Campaign does this while respecting the appropriate level of security for an application, one that thoroughly protects the application, while not hampering user experience or business needs.

This process to engage Synack to prevent vulnerabilities before they occur is unique. Testing the ASVS framework lets us look for and proactively address the systemic issues that let the vulnerabilities come to an exploitable state and unlock the door for an attacker. 

With an ASVS benchmark test, you will receive a detailed report from a researcher on the Synack Red Team, our community of global ethical hackers, regarding their findings on the security posture of your assets. Their mission is to evaluate your assets relative to the ASVS framework. The goal of this assessment is to determine if your security controls are adequate for the application use case your organization has.

This report can offer guidance on where efforts would be best applied to further harden and future-proof assets. It can also be used to show a year-over-year improvement in the asset hardness, and can help quantify the effectiveness with both the ASVS metrics and a reduction in vulnerability findings. Long-term, the ASVS campaign can help support a multi-year effort to reduce the attack surface and improve the controls in assets against flaws.

Complete an ASVS Assessment With Synack ASVS Campaigns for Maximum Security Posture

Completing an ASVS assessment for your organization is easy with Synack Campaigns. The ASVS campaigns are listed in the Security Benchmark section of the Catalog. Once credits are purchased, you can activate your campaign on-demand any time in the Synack Platform.

Synack researchers complete the missions specified by the ASVS benchmark tests. After completing them, your team can leverage Synack’s Custom Report feature for audit-ready reports that will provide you with a view of security issues discovered by our testing.

When you are comfortable that pentesting and the resulting remediation have moved your site to a sufficiently secure posture, evidenced by pentesting no longer finding a significant number of new vulnerabilities, then you can move on to running the Synack ASVS Campaign. After completing the ASVS Campaign and remediating any discovered issues, it is time to set up a plan for periodic testing going forward. Then you can be assured that you have applied the most comprehensive security testing to protect your assets.

Learn What Synack ASVS Benchmarks Can do for You

To learn more about Synack ASVS Campaigns and how they can expose conditions that could lead to exploitable vulnerabilities, contact Synack at sales@synack.com.

The post Get Ahead of Vulnerabilities With Proactive ASVS Benchmark Pentesting appeared first on Synack.

How Synack Is Disrupting Pentesting To Find Vulnerabilities Faster

By: Synack

Traditional Pentesting Is a Static Solution To a Dynamic Problem 

Recently, Microsoft disclosed four zero-day vulnerabilities in Microsoft Exchange Servers. A Research Director from Palo Alto Networks claimed that adversaries were scanning for vulnerabilities within 25 minutes of vulnerabilities being released. Synack customers discovered the critical Apache Log4j vulnerability (CVE-2021-44228) within hours of its disclosure through a Synack CVE check offering. Scanning traffic for the vulnerability peaked just five days after the disclosure and has continued. There has never been a greater need for fast reporting and remediation timelines on high-priority vulnerabilities.

In the 1970s, James P. Anderson invented point-in-time pentests as a public policy and technical innovation to secure communication systems and other networks from malicious hackers. But the threat landscape and the sophistication of digital threats have changed vastly since then, having a significant impact on pentesting. Other major factors include increased attacker sophistication and vulnerabilities, new DevSecOps workflows and collaboration/security software (Splunk, Jira, Slack, SOAR, etc.), and growing adoption of cloud services, infrastructure, and storage. With these macro changes, the traditional way of doing pentesting is too slow, disruptive, and ineffective. The good news is that Synack has heard these customer challenges and developed an on-demand pentest that’s continuous, performance-driven, and intelligent. 

Cloud Services & Providers Are Dynamic

Point-in-time pentesting cannot keep pace with agile cloud services, which are often spun up around specific projects. On average, large organizations add 3.5 new publicly accessible cloud services per day. Remote code vulnerabilities or external misconfigurations can occur at any time and leave organizations’ public and private assets vulnerable. 

New DevSecOps Workflows & Security Software Stack 

The average security team now uses about 45 cybersecurity-related tools on their network. Collaboration tools have replaced email. Typically, most security, ops, and development teams communicate using Splunk, Slack, Jira, or ServiceNow. Code releases are constant. It’s important to have a DevSecOps process that automates a lot of the work across these platforms, or risk spending time on administrative processes that distract from securing your organization. 

Increase In Sheer Number of Vulnerabilities & More Sophisticated Adversaries

Security researchers have found an increasing number of vulnerabilities in recent years. In fact, the number of new vulnerabilities increased by 127% from 2017 to 2018, compared to single-digit growth rates in previous years. An average of roughly 17,416 new vulnerabilities are added each year, and point-in-time pentests cannot keep up. Attackers are more efficient than ever, with some popular exploitable vulnerabilities pursued within hours of a patch being released (e.g. Microsoft Exchange CVE-2021-26855, Apache Log4j CVE-2021-44228).

What Pentesting Challenges Are Security Leaders Facing Today?

Speed 

Typically, in a traditional pentest model an organization seeks out an established consulting firm to do the work. As the complexity of assets has increased, pentesters specialize; they vary in attack types (reverse engineering, password cracking, etc.), and focus on certain asset types (IoT, mobile, web, IaaS). Hiring enough skilled personnel is a top challenge to implementing and maintaining a pentest program. As a result, pentesters with sought-after skill sets may need to be scheduled months in advance. Scheduling a new program, or launching a new test can take weeks or even months, especially if the team needs to work on site. 

Disruption

Too often, security teams do not receive sufficient support to effectively communicate results. Vendors send pentest reports in PDFs or Excel via email. A security team member needs to copy and paste information into ticketing tools like Jira or ServiceNow, or collaboration tools (i.e. Slack). Reports are written in a way that’s not accessible to other key teams like legal, operations, IT or development. If they have questions, security teams can’t easily communicate with researchers that surface the vulnerabilities. Finally, once a vulnerability is closed, it’s not possible to re-test the vulnerability in a standard pentest. Vulnerabilities can fall between the cracks and take months or years to remediate.

Effectiveness 

One of the most frustrating aspects of penetration testing is the inability to see meaningful progress over time. How can you create a benchmark for your defenses? What security metrics should you consider to take stock of your various assets besides the CVSS score or quantity of vulnerabilities? Traditional pentesting does not provide holistic risk scores at the asset or company level. 

In response to these challenges, Synack offers a continuous, intelligent, and performance-driven on-demand pentest to improve your organization's security posture over time.

Synack Provides a Better Way to Pentest

Harness the Best Talent Globally On-Demand

More than 1,500 vetted security researchers from across the globe are actively working with the Synack Red Team, hunting for vulnerabilities around the clock. The SRT is second to none when it comes to skills and trust, thanks to rigorous vetting and assessment of researcher expertise in the application process. Synack Ops can launch new pentests in as little as 3–5 days and start on-demand security tasks such as asset discovery in seconds.

Test for Cloud Misconfigurations, New Vulnerabilities, and Dynamic Host Changes

Organizations need to be wary of new vulnerabilities like Log4J or SolarWinds Orion. It has never been more important to continually test public and private cloud assets. Synack offers configuration reviews of Azure environments, CVE checks, and testing for dynamic internal and external hosts. Synack integrates with numerous cloud providers (AWS, Azure and GCP). Additionally, our API pulls from major cloud providers daily to help detect any changes to external hosts while Synack is testing.

Measure Performance Over Time with Metrics on Remediation, Patch Efficacy, and Risk Scoring

With traditional pentesting, there are not many good metrics for measuring your security status over time. The number of vulnerabilities found can be a helpful benchmark, but it often leaves out other critical statistics such as vulnerability remediation timelines. Synack provides a security risk score that takes a holistic approach based on metrics like attacker cost, severity of findings, and remediation efficiency.

Scale Testing with a Technology Platform

Synack offers 43% more coverage of your assets than a traditional pentest with SmartScan, a scanner that you can use on your medium priority assets to surface vulnerabilities. These “suspected vulnerabilities” are triaged by the researchers in order to provide you with actionable results.

Compliance (PCI-DSS, FISMA, HIPAA) Ready Reports & Actionable Results

Traditional pentests are built for your organization’s compliance objectives, but lack the agility necessary for digital transformation. Synack provides easily readable and compliance-ready reports on a wide range of metrics (i.e. vulnerability severity, vulnerability status, steps to reproduce, recommended fixes, remediation status) for legal, policy and leadership teams as well as real-time metrics on exploitable vulnerabilities that are the top priority for security, ops and development teams. Synack also integrates with Jira, ServiceNow, Splunk, and offers an API to facilitate faster DevSecOps processes.

Attackers are more vigilant than ever. Security teams need to be one step ahead of their adversaries to help make sure they are keeping their organizations’ environments safe. The choice is clear. Synack provides 159% more ROI than a traditional pentest. 

Change your pentest provider today and schedule a demo with our team, or download a solutions overview of Synack 365—our continuous pentest offering.

The post How Synack Is Disrupting Pentesting To Find Vulnerabilities Faster appeared first on Synack.

Network vulnerability analysis

By: seo_spec

Description:

If you want to learn how to defend or attack networks, one of the most important things is the ability to detect and analyze vulnerabilities in systems or networks.

In this course, you will learn how to follow a systematic process and use it to detect and handle potential vulnerabilities. First, you will learn passive and active scanning techniques for vulnerabilities. Next, you will learn how to extract the results from the data and analyze them to identify vulnerabilities that can be attacked, or identify risks that need to be minimized. Finally, you will learn how to apply the three most popular vulnerability scanners and compare them with each other. At the end of the course, you will have the knowledge and skills needed to identify vulnerabilities and take action.

Course content:

  • Introduction
  • Preparing the tools
  • Virtual Machines
  • OWASP Broken Web Applications
  • Metasploitable 2
  • Nmap
  • Vulnerability scanning methodology
  • Search targets to work around without penetration
  • Find targets to work around with penetration
  • Port and service discovery/scanning
  • Vulnerability detection
  • Find Internet vulnerabilities effectively
  • Types of vulnerability scans
  • Passive scan
  • Active scan
  • Vulnerability scanning