Tuesday, January 30, 2018

2018 Vulnerability Stats Report - Simple things make the difference.

We finally finished off the 2018 edgescan Vulnerability Stats report this week.
Overall things have not changed too much but we did a little more digging into the vulnerability data we harvested over the 12 months to December 2017.

To that end we also did some PCI compliance comparison (edgescan is a certified PCI ASV), in addition to the full stack vulnerability intelligence it has always provided.

How do you improve security in a dramatic fashion? What's the biggest quick win to improve your security posture, you ask?

All vulnerabilities are not created equal.
We need to look at vulnerability management in a pragmatic way. It's not possible to be vulnerability-free and 100% secure, but we can aim to remove any issues which may give rise to a breach of client or organisational data. So, let's mitigate the highest risks first and not sweat the small stuff.
Risk is not linear, and reducing vulnerability count does not necessarily translate to significant risk reduction.

If we look at vulnerabilities from a risk-based, pragmatic approach, the following items should be examined (assuming you wish to keep your estate secure):

In 2017 we discovered that, on average, 27% of all vulnerabilities were associated with web applications and 73% were network vulnerabilities... BUT
the majority of critical and high risk issues were firmly situated in the application layer.


  • Network: More noise, more vulnerabilities, less risk.
  • Web/Layer 7: Fewer overall vulnerabilities, higher risk. Most of the weaknesses which could result in a breach are living here.

This is due to each application being uniquely developed (hosting environments are homogeneous in comparison) and apparent difficulties in managing component version control and patching of third party libraries.


Fullstack Cyber Security View:
18% of all vulnerabilities discovered by edgescan had a CVSS v2 score of 4.0 or more - this is a PCI DSS fail.
Host/Server View:
13% of all vulnerabilities in the network layer had a CVSS v2 score of 4.0 or more - also a PCI DSS fail.
Web Application View:
32% of ALL vulnerabilities in the web application layer (Layer 7) had a CVSS v2 score of 4.0 or more - also a PCI DSS fail.


Finally, we are still finding a non-trivial amount of old vulnerabilities on live Internet-facing systems.
People discuss the importance of zero-days, but the root cause of many breaches is exploitation of unpatched systems. Don't worry about zero-days; focus on patching your current stuff.

In 2017 edgescan found systems without patches for vulnerabilities dating back to 1999.
The most common CVE was from 2004. To see more, read the edgescan report here.

Wednesday, January 24, 2018

Vulnerability Management: False Positives, False Negatives, Technical, Logical Vulnerabilities and Human Error

At edgescan, we have delivered thousands of assessments over the past years, and one topic which is both a commonly known weakness and a source of concern is accuracy of assessment.

The challenge is both human and technical:

  • Can the technology detect security weaknesses and report accurate findings?
  • Can the technology avoid reporting issues that are not real? - "False Positives"
  • Can the technology miss critical issues and simply not report the weakness? - "False Negatives"
  • In addition, once an issue is reported, will the human dismiss it as a "False Positive" because they misunderstand or cannot reproduce the issue, resulting in a "False Negative"?

The majority of commercial and open source vulnerability scanning tools cannot provide reliable results on their own and require significant human validation, which can also fail (as above).

Simple Vectors:

Most tools can accurately discover simple vulnerabilities by sending a tainted request and analysing the response. If the response matches one of a number of typical expected responses signifying a vulnerability, the scanner marks the parameter as vulnerable. This assumes the scanner actually gets to scan the vulnerable parameter, by virtue of knowing it exists in the first place...

Crawling/Coverage Challenge:

A scanner discovers an application's layout by crawling/spidering the site, looking for hrefs, links to other pages and invocations of HTTP methods. Many scanners don't crawl applications very well and don't map the entire site. This is increasingly the case now that we have heavily front-loaded, JavaScript-driven web applications / single-page apps. Poor crawling results in less than optimal coverage: parts of a web application are not tested properly, if at all, leading us into the territory of "False Negatives".

Example issues:

CSRF Tokens Preventing Crawling: Cross-Site Request Forgery tokens need to be resent with every request. If the token is not valid, the application may invalidate the session. Tokens can be embedded in the HTML and not automatically used by the scanner. This results in the scanner not crawling or testing the site adequately.

DOM Security Vulnerabilities: Client-side security issues which do not generate HTTP requests may go undiscovered because tools only test the application by sending and receiving HTTP requests. DOM (Document Object Model) vulnerabilities may go undiscovered as the tool does not process client-side scripts.

Dynamically Generated Requests: Contemporary applications may dynamically generate HTTP requests via JavaScript functions, and tools which crawl applications to establish site maps may not detect such dynamic links and requests.

Recursive Links - Limiting Repetitive Functionality: Applications with recursive links may result in thousands of unnecessary requests. An example of this could be a calendar control or a search result function, which may cause thousands of extra requests to be sent to the application with little value yielded:
/Item/5/view , /Item/6/view, /Item/7/view,..,..
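As an added illustration (not code from the post or from the edgescan product) of two of the coverage problems above, here is a toy crawler run against a constructed site: it replays the anti-CSRF token it finds in each response, and it collapses numeric path segments so repetitive /Item/N/view pages do not consume the request budget while the rest of the site still gets mapped. The site, token and page names are all made up.

```python
import re
from html.parser import HTMLParser

# Constructed toy site (not a real application): path -> page body.
TOKEN = "t0k3n-9f2a"  # anti-CSRF token the toy server embeds in every page
PAGES = {
    "/": '<a href="/search">search</a> <a href="/Item/5/view">item 5</a>',
    "/search": ('<a href="/Item/6/view">6</a> <a href="/Item/7/view">7</a> '
                '<a href="/admin/export">export</a>'),
    "/Item/5/view": '<a href="/Item/6/view">next</a>',
    "/Item/6/view": '<a href="/Item/7/view">next</a>',
    "/Item/7/view": '<a href="/Item/8/view">next</a>',
    "/Item/8/view": '<a href="/Item/9/view">next</a>',
    "/Item/9/view": "",
    "/admin/export": '<a href="/admin/export/run">run</a>',
    "/admin/export/run": "",
}


def fetch(path, token):
    """Toy server: the landing page issues the token; every other page rejects a
    request that does not replay it, as an application invalidating the session would."""
    if path not in PAGES:
        return False, "not found"
    if path != "/" and token != TOKEN:
        return False, '<p>Session expired</p><a href="/">login</a>'
    hidden = f'<form><input type="hidden" name="csrf" value="{TOKEN}"></form>'
    return True, hidden + PAGES[path]


class LinkParser(HTMLParser):
    """Collect hrefs and the hidden anti-CSRF field from one response."""

    def __init__(self):
        super().__init__()
        self.links, self.token = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input" and a.get("name") == "csrf":
            self.token = a.get("value")


def url_pattern(path):
    """Collapse numeric segments so /Item/5/view and /Item/6/view count as one pattern."""
    return re.sub(r"/\d+(?=/|$)", "/{n}", path)


def crawl(replay_token, per_pattern=None):
    """Breadth-first crawl. Returns (paths whose real content was reached, requests sent).
    replay_token: resend the token found in the last response.
    per_pattern: cap on distinct URLs queued per collapsed pattern (None = unlimited)."""
    token, queue, seen = None, ["/"], {"/"}
    covered, requests, per_key = set(), 0, {}
    while queue:
        path = queue.pop(0)
        requests += 1
        ok, html = fetch(path, token if replay_token else None)
        if not ok:
            continue  # bounced: everything behind this page becomes a false negative
        covered.add(path)
        parser = LinkParser()
        parser.feed(html)
        if replay_token and parser.token:
            token = parser.token  # also picks up a rotated token
        for link in parser.links:
            key = url_pattern(link)
            if link in seen or (per_pattern and per_key.get(key, 0) >= per_pattern):
                continue
            per_key[key] = per_key.get(key, 0) + 1
            seen.add(link)
            queue.append(link)
    return covered, requests
```

Without the token the crawler never gets past the landing page; with the token and a cap of two URLs per pattern it still reaches /admin/export/run while spending a third fewer requests than the uncapped crawl.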

Interpretation of results:
This challenge can be the result of either human error or automation. Tools can misinterpret results by claiming there is a security issue when there is not (False Positive) or by not applying an appropriate request to detect a vulnerability (False Negative). Humans can get it wrong too (as above).

Wednesday, February 1, 2017

edgescan & GDPR: Improving compliance and reducing the cost of cybersecurity

Navigating GDPR from a cyber security perspective...

Update - September 2017
Some people still don't know where to start with GDPR. Here are some simple key points to kick you off:
  • Identify the personal data you collect and where it is stored. Is it stored appropriately, and how are you protecting it from a cyber standpoint? Are your applications secure, regularly tested and designed with security in mind? Can you prove this?
  • Review your internal policies, including your security breach response policy: incident response, DR and BCP. What happens if something goes badly wrong? What happens in the event of a breach? Do you have mitigation controls and notification procedures in place?
  • Review the types of data processing carried out, identify the legal basis for the processing and document it. Do you need all the client data you possess, and do you have a legal basis for storing it?
  • Review how you handle all applicable clients' rights, including the deletion of personal data and the right to be forgotten (RTBF).
  • Review if and how you seek, obtain and record client consent and whether any changes are needed. Do clients know you are storing their data and what you are using it for? Have they consented to what you are doing? Can you prove this?
  • Review your external privacy policies and EULAs and refresh them with the changes necessary for transparency and relevancy.
  • Review and update your processor/sub-processor and third party agreements; consider third party risk for upstream and downstream processors of your clients' data. You can outsource the service but not the risk. Do you know whether your B2B partners are secure, store your client data properly and don't use it for any reason other than what is agreed? Do they have a policy to reflect this, and how is it policed? How often do they get technical security assessments of the systems used to process your clients' data? How do they demonstrate this?
  • Review the lawful basis for the transfer of personal data outside the EU. If you transfer data outside the EU, are you permitted to do so by the data owner (client)?

Cyber-security, GDPR, Articles and Controls:

The new General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is enforceable as of May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonisation across EU nations.

The GDPR does suggest actions to take in order to be compliant, such as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
From a cybersecurity standpoint this covers aspects such as technical assessment, patching and maintenance, vulnerability management, threat detection/prevention, asset and service profiling and visibility, and overall better governance of an organisation's digital estate and technical controls.

        EU GDPR – Article 32, Security of Processing
        Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

GDPR in effect mandates appropriate technical security controls, amongst other equally important controls (citizen access to and control of their data), to ensure a level of security based on the data and the risk/impact of its disclosure.

“...to ensure a level of security appropriate to the risk” is an important aspect which should be considered. Given that a firm may be the custodian of a user's financial or Personally Identifiable Information (PII), there is a duty of care to protect the data and ensure proper authorisation and security controls surround it.

From a technical standpoint, security assessments and vulnerability management are some of the tools used to help maintain that level of assurance...

edgescan provides continuous assessment of technical systems in order to help discover vulnerabilities which may lead to a breach. The “win” in using edgescan is that you have an auditable history of all assessments and of each individual vulnerability, which demonstrates the vulnerability lifecycle and makes compliance and continuous improvement easy to show.

The idea of a single annual or bi-annual assessment is becoming unsustainable given the rate of change of systems, in particular cloud based deployments.

The ability to assess security posture on an ongoing basis, exploiting a combination of automation and human intelligence, is gaining traction globally, resulting in cost reduction and increased rigour depending on the vendor used.

There is a trend in the industry to move towards Managed Security Service Providers (MSSPs) and to leverage experts who deliver services such as vulnerability management on a full-time basis. An MSSP should address requirements where you don't have in-house expertise.

EU GDPR - Recitals of Interest
        Recital (78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.

Appropriate technical measures are easily confirmed and identified using edgescan as a complete security history can be reviewed for any period of time on an on-going basis.

In a reasonably fast moving technical environment which undergoes frequent change (e.g. a cloud environment or Agile system development methodologies), an annual or bi-annual security assessment of the systems in scope may seem like a reasonable approach, but the risk is the rate of change of the environment and the resulting window of exposure due to the infrequency of technical security assessment.

Continuous assessment as per the edgescan service helps you maintain constant vigilance in order to assist with GDPR compliance.

        In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.....

Demonstrating compliance in relation to cyber security is easily delivered as the edgescan portal delivers a complete history of all vulnerabilities (web & infrastructure) discovered and closed over the entire licensing period. 

Many of our clients in highly regulated industries use edgescan to demonstrate to external auditors the constant assessment approach they have adopted to cyber security.

Data Protection by default can be assessed in both pre-production environments and deployed production systems. Using edgescan to detect and mitigate vulnerabilities (via WAF integration) is core to being able to demonstrate compliance.

        Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.

“You can't improve what you can't measure”; edgescan gives our clients the ability to continuously improve by tracking security posture at any point in time. The metrics supplied by edgescan let our clients easily focus on the most common vulnerability and its root cause, and identify quick wins in a clear and easy fashion.

        When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

In pre-production environments edgescan gives our clients the ability to assess the security of a solution quickly and on-demand. This assists with detection of cyber security issues before a system is deployed to production, resulting in a “secure by default” posture.

        Recital (49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

        This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Detecting weaknesses of the security posture in an ever-changing environment is core to what edgescan provides. Our fullstack approach to security gives our users visibility of both web application and supporting host/cloud security.
As new deployments and features are delivered edgescan automatically assesses the security posture of the deployment and associated subsystems.

This approach, including validation of all discovered vulnerabilities by our experts, in effect removes the need for expensive consulting firms and also improves security resilience on an ongoing basis.

        Recital (81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

edgescan’s continuous and on demand fullstack approach provides sufficient guarantees that your systems are constantly being assessed for security weaknesses. Provision of historical assessment frequency, vulnerability data and proof of continuous improvement and vigilance is what is required to be GDPR compliant. You can easily demonstrate compliance with

        Recital (83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
        Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
        In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

edgescan detects weaknesses in cyber security posture so you can quickly address issues as they are found. Via our API, alerting or integrations you can quickly understand risks by priority, evaluate potential impacts and prevent the destructive consequences of being hacked and the associated fines for being non-GDPR compliant.

Want to know more:

edgescan: edgescan.com
Client reviews: Gartner Peer Insights
GDPR Document: EU GDPR

Monday, September 19, 2016

Monday, August 22, 2016

Dynamic Auto Assessment - Simple but effective

edgescan provides our clients with #fullstack security assessments but what does #fullstack mean?

#fullstack covers many layers of the OSI model.

From "the top down......"

Deep Coverage

Web Applications:

  1. Technical vulnerabilities (Injection attacks, scripting, error based attacks)
  2. Logical vulnerabilities
  3. Component Security (end-of-life components/plugins, insecure config)

Host Security:

  1. Patching
  2. Enabled services (Type, version, known vulnerabilities etc)
  3. Operating System Known vulnerabilities
  4. Weak protocols
  5. Weak configuration

So, unlike many application-only or host-only assessment services, edgescan discovers more possible weaknesses, whether they arise from poor maintenance, configuration mistakes, deployment security, patching or developer code... #fullstack

Wide Coverage

The holistic approach also covers ranges of IPs such as, say, a /24 or /16 CIDR block.

Automatic Assessment:
edgescan shall assess anything that is "live" at a given point in time across the entire block. We find this helps with use cases such as rogue deployments, insecure services being deployed, APT and data exfiltration servers.

In the age of the cloud, organisations' servers are constantly being spun up and torn down depending on demand. Our approach to range-based assessments covers this scenario, as our clients know everything live within their range shall be detected and assessed.

Automatic vulnerability assessment coupled with continuous asset profiling provides our clients with a very adaptable solution when their systems are constantly in a state of flux.

No need for messy licensing or paperwork for every assessment: our licensing is range based and we don't mind how many servers are live at any point in time; they shall all be assessed and the results manually validated in our SOC...

edgescan also has alerting capability such as SMS, email and, soon, #slack alerting which shall be two-way (think of it as a vulnerability management #slackbot).
You can ask edgescan to alert you if certain conditions arise, such as:
  1. New asset discovered
  2. New Vulnerability Discovered
  3. Change in hosting environment
  4. Assessment cycle is completed
  5. etc etc
Risk Mitigation
Via our API you can now generate web layer mitigation rules for Web Application Firewalls (WAF) on demand (Citrix NetScaler and ModSecurity). This gives you the flexibility to virtually patch discovered issues very quickly using your under-used WAF :)

Tuesday, August 2, 2016

Continuous Asset Profiling - What is your attack surface?

At edgescan we have a solution called HIDE (Host Index Discovery and Enumeration), which is in effect a continuous asset profiling function. It does the following:

HIDE queries entire IP ranges for our clients. This "blanket" covering of ranges gives our clients the ability to see what's "alive" and what's enabled in seconds.
If an endpoint is decommissioned or newly deployed, HIDE detects the change and can alert users.

  • Detection of the state of all endpoints exposed to the public Internet.
  • Identification of the endpoint, attempting to resolve any DNS associated with it.
  • Enumeration of the services and open ports enabled on the endpoint.
  • Automated alerts based on user-defined criteria (e.g. new host discovered, host dies etc.).
  • Detection is via cloud APIs and/or port enumeration (TCP/UDP).

Via the HIDE console you can query, say, across 10,000 endpoints, which systems are running Linux and have port 25 open.
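The alert conditions listed in the previous post (new asset, change in hosting environment) and HIDE's new-host/host-dies detection both come down to diffing two profiling sweeps. As an added example (not edgescan's code; the addresses are RFC 5737 documentation addresses and the hosts are constructed), here is that diff, a subscriber filter for user-defined criteria, and the console-style query from the paragraph above:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """One live host as a profiling sweep sees it: reverse DNS, OS guess, open TCP ports."""
    dns: Optional[str]
    os: str
    ports: FrozenSet[int]


Snapshot = Dict[str, Endpoint]   # ip -> Endpoint, one sweep of the range
Alert = Tuple[str, str, str]     # (condition, ip, detail)

# Constructed sample sweeps over a /24 (documentation addresses, not real hosts).
PREVIOUS: Snapshot = {
    "203.0.113.10": Endpoint("www.example.net", "Linux", frozenset({80, 443})),
    "203.0.113.11": Endpoint("mail.example.net", "Linux", frozenset({25, 587})),
    "203.0.113.12": Endpoint(None, "Windows", frozenset({3389})),
}
CURRENT: Snapshot = {
    "203.0.113.10": Endpoint("www.example.net", "Linux", frozenset({22, 80, 443})),
    "203.0.113.11": Endpoint("mail.example.net", "Linux", frozenset({25, 587})),
    "203.0.113.13": Endpoint(None, "Linux", frozenset({25})),
}


def diff_snapshots(prev: Snapshot, curr: Snapshot) -> List[Alert]:
    """Compare two sweeps and emit the conditions a user can subscribe to."""
    alerts: List[Alert] = []
    for ip in sorted(set(prev) | set(curr)):
        before, after = prev.get(ip), curr.get(ip)
        if before is None:
            alerts.append(("NEW_HOST", ip, f"{after.os} ports={sorted(after.ports)}"))
        elif after is None:
            alerts.append(("HOST_DOWN", ip, "no longer responds"))
        else:
            for port in sorted(after.ports - before.ports):
                alerts.append(("NEW_SERVICE", ip, f"tcp/{port} opened"))
            for port in sorted(before.ports - after.ports):
                alerts.append(("SERVICE_GONE", ip, f"tcp/{port} closed"))
            if before.os != after.os:
                alerts.append(("ENV_CHANGE", ip, f"{before.os} -> {after.os}"))
    return alerts


def subscribed(alerts: List[Alert], conditions) -> List[Alert]:
    """User-defined criteria: keep only the conditions this subscriber asked for."""
    return [a for a in alerts if a[0] in conditions]


def query(snapshot: Snapshot, os: str, port: int) -> List[str]:
    """Console-style question: which hosts run this OS with this port open?"""
    return sorted(ip for ip, e in snapshot.items() if e.os == os and port in e.ports)
```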

Why is HIDE "a hit" with our clients...?

Larger and growing organisations sometimes don't know what they have deployed to the public Internet.

Organisations which have migrated to the cloud may spin up and tear down instances on a frequent basis, which can result in dynamic reallocation of IPs.

Tracking a dynamic attack surface in the case of cloud is challenging using traditional techniques and results in poor coverage and reaction time.

Even using immutable, secure baseline instances in the cloud requires constant validation; this is where HIDE comes in.

The ability to provide continuous vigilance and alerting in a constantly changing environment is very attractive to most CISOs.

Dynamic automated vulnerability management

As we can track the dynamic attack surface, we can also deliver on-point vulnerability management: once we discover a new instance we can immediately verify whether it poses any security risk to the business. Coupled with alerting and awareness, this gives our clients much greater visibility of their security posture as their attack surface grows and shrinks over time.

Pop over to www.edgescan.com for more information.

Wednesday, July 20, 2016

edgescan - Virtual Patching and WAF integration - Reducing "time-to-fix"

What is a Virtual Patch?

The idea of virtual patching is to apply a rule on a perimeter endpoint which mitigates/reduces the risk of the vulnerability being exploited. This can be performed without changing any application source code and is in effect applying a rule to an IDS/IPS or WAF such that it is aware and can defend against a particular attack vector and protect a system from exploitation or breach.

When you consider the numerous use cases where organisations can't simply edit and fix the source code, the benefits of virtual patching become apparent.
  • It is a scalable solution as it is implemented in a single location (the firewall) vs. installing patches on all hosts.
  • It reduces/mitigates risk of breach or exploitation until a vendor-supplied patch is released or while a patch is being tested and applied.
  • The source code is not altered and hence it reduces the likelihood of code conflicts or introducing errors.
  • It provides timely protection for mission-critical systems that may not be taken offline but have an exposed vulnerability.
  • Legacy/3rd party apps: the code may not be available, but we still need to fix the vulnerability.
"Defenders are always on the back-foot as time to fix is longer than time-to-exploit. This slow reaction time creates a permanent offensive advantage to the attacker."

edgescan provides continuous vulnerability management coupled with expert validation and support via its cloud based SaaS. It manages over 20,000 systems globally every month and provides full-stack vulnerability management to our clients.

A new feature in edgescan gives our users the ability to generate rules for a chosen firewall vendor/version, customised to the vulnerabilities unique to the application in question.

  • Auto-generation of firewall rules gives you the ability to patch a critical issue very quickly using your Web Application Firewall.
  • No need to change the application's source code (and maybe that's not possible).
  • Multiple web application vulnerabilities can be mitigated at the same time.
  • No need to be a firewall expert.
  • The edgescan API gives access to automating rule generation and easy deployment to pre-production / production environments.
Generating Virtual Patch rules for an entire application is as simple as hitting the "WAF Rules" button.

Rules generated for Citrix NetScaler
WAF Rules generation for a single selected vulnerability
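As an added example (not edgescan's generator or its rule output), here is the positive-security shape a virtual patch of this kind takes for ModSecurity: one chained SecRule per finding that blocks the vulnerable parameter unless its value matches an allow-list, plus an offline mirror of the same check so the rules can be replayed against recorded legitimate traffic before deployment. The findings, the rule id range and the allow-list patterns are assumptions.

```python
import re

# Allow-list patterns for common parameter types. A virtual patch of this
# kind accepts only values of the expected shape and denies everything else.
PARAM_TYPES = {
    "integer": r"^[0-9]{1,10}$",
    "alphanumeric": r"^[a-zA-Z0-9_-]{1,64}$",
    "email": r"^[^@\s]{1,64}@[^@\s]{1,255}$",
}

# Constructed findings: path, vulnerable parameter, expected type, issue name.
FINDINGS = [
    {"path": "/Item/view", "param": "id", "type": "integer", "vuln": "SQL injection"},
    {"path": "/account/update", "param": "email", "type": "email", "vuln": "Stored XSS"},
]

# Two-directive chain: the first SecRule carries id, phase and the disruptive
# action; the chained SecRule only adds the parameter test. The pair fires
# when the request hits the path AND the parameter fails its allow-list.
HEAD = ('SecRule REQUEST_FILENAME "@streq {path}" '
        '"id:{rid},phase:2,deny,status:403,log,msg:\'{msg}\',chain"')
TAIL = '    SecRule ARGS:{param} "!@rx {pattern}" "t:none"'


def modsecurity_rules(findings, first_id=10000):
    """Render one positive-security chain per finding as ModSecurity config text.
    first_id is an assumption: choose a range that does not collide with your rule set."""
    lines = []
    for n, f in enumerate(findings):
        msg = f"Virtual patch: {f['vuln']} in {f['param']}".replace("'", "")
        lines.append(HEAD.format(path=f["path"], rid=first_id + n, msg=msg))
        lines.append(TAIL.format(param=f["param"], pattern=PARAM_TYPES[f["type"]]))
    return "\n".join(lines)


def would_block(findings, path, args):
    """Offline mirror of the generated rules: True if a request to `path` with
    parameters `args` would be denied. Use it on recorded legitimate traffic to
    catch false positives (a legitimate value outside the allow-list) before go-live."""
    for f in findings:
        value = args.get(f["param"])
        if path == f["path"] and value is not None:
            if not re.fullmatch(PARAM_TYPES[f["type"]], value):
                return True
    return False


if __name__ == "__main__":
    print(modsecurity_rules(FINDINGS))
```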