Posts

Showing posts from 2020

Application Security Validation Pitfalls, False Positives and Misconceptions

Image
I recently did a webinar with one of our senior security warriors, James Mullen discussing where automated validation works and where it doesn't.  We also discussed false positives in both technical and logical vulnerabilities.  This is worth tuning into if you want to understand the constraints of automation, where is falls down and why we think reliance on automation alone for vulnerability management is a poor idea, we currently still need "the Human Element". Check it out if you want to learn more..
Image
  What’s the worst that can happen…..An Ode to Risk Risk a widely used word in many walks of life but do we understand what it means… “ Risk  involves uncertainty about the effects/implications of an activity with respect to something that human’s value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences .” Cyber security often talks about risk....  A high-risk vulnerability or the risk of an event occurring.  So, risk is related to statistical occurrence of an event and the negative outcome…. We often talk about likelihood and impact. The chance of something happening and the effect the of it happening. As CISO’s or cyber security professionals we try to first address items with the highest risk or combination of likelihood and impact we call this prioritization. The reason we need to prioritize is because we can’t fix all the issues and not every vulnerability is created equal . We ...

Edgescan inclusion in the Verizon DBiR

Image
For the third year running Edgescan contributed to the Verizon DBiR . The DBiR is recognized as the defacto cyber report which casts a wide net across all types of cyber security and breaches, this includes vulnerability management in both infrastructure and applications. Edgescan vulnerability data is curated and validated, sanitized and reflects tens of thousands of assessments we deliver globally across the full stack to our clients. As stated by Gabriel Basset of Verizon " I think there’s a positive story around how vulnerability scanning, patching, and filtering are preventing exploiting vulns from being the easiest way to cause a breach but that asset management is needed to identify and patch unpatched systems... " A few things that stand out to me in the report are as follows: Nearly half of breaches involved Hacking and 70% of breaches were external threat actors. To me this makes sense as in our experience most large enterprises h...

API Detection and Assessment: What they don't tell you in class...

Image
API’s   ( Application Programming Interfaces ) are backend services   which expose an interface which can be used to connect to and transact or read/write information to and from a backend system. The are super useful and a great architecture decision delivering flexibility and extensibility of a service. API’s deliver functionality once the client service knows how to “talk” to the API. API’s generally sit behind a HTTP port and can’t be “seen” unlike a website but they may deliver an equal level of value and functionality to the requesting client. Many websites may use an API but the User does not invoke the API directly but rather the Website /App is a proxy for the API. API’s are not built to be human readable, like a website, but rather machine readable. There are two challenges relating to API security assessment: 1. API Discovery : Do we have an inventory of all API’s deployed on the public Internet. You may have API’s hosted on systems behind HTTP por...