Posts

Showing posts with the label Penetration testing

20 years of Vulnerability Management - Why we've failed and continue to do so.

Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually, it normally happens on a Friday evening as you are about to chill for the weekend. The cause of most breaches is not rocket science; it has more to do with the poor approach we have accepted because we underestimate the threat actor. An attacker does not scan your website/network once a quarter with a commercial or open source scanner, or perform an annual penetration test against your systems to see if there is any low-hanging fruit, so how do we expect to defend against such an adversary using that approach? Systems change more frequently now than ever, due to the ease of cloud deployments and the speed of software deployments driven by iterative development techniques. The increased rate of change results in exposures quickly manifesting, with the organisation not even being aware of the exposure in the first place. Many organisations don't know what they have exposed on the public Internet. We ne...

Edgescan, why we do what we do.....

The cyber security industry is full of solutions to make you more secure. Some are unproven, and other approaches work if deployed properly. Our industry is very fragmented: for example, a recent "Cyber Defense" award I noticed has 195 categories! I suppose we need to ask ourselves as companies from time to time why we do what we do. So, the following post is, I guess, the reason we developed Edgescan and why we believe it's a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one, but both sides of the equation may have bugs. Bugs on one side (the target) may result in vulnerabilities, whilst bugs on the other side (the scanner) may result in false negatives and false positives. Accuracy: To that end we built Edgescan as a combination of automation to discover vulnerabilities at scale bu...

BBQ Cyber Security Thoughts......

During lockdown, I've taken to standing over the BBQ staring at the temperature gauge, lifting the lid occasionally and slow cooking various meats. Given the lockdown situation this provided a focal point for the day; something to attend to for the afternoon. When standing there in a mindful stasis things go through your head. These are some of mine:

"Software testing software, who thought that would work?"
"Using systems with potential vulnerabilities to discover potential vulnerabilities in systems."
"Shift Left would make more sense if development was linear."
"The reliance on automation to defend against a human adversary, sounds fair.....💀"
"We can't improve what we can't measure; we can't secure what we can't see."
"We accept false positives in scanners (software getting it wrong) but we don't accept vulnerabilities (software getting it wrong)." - Software testing software.
"T...

Edgescan Weasel - Our new Web Security Scanning Tech

Web Application Scanning...Evolution. For the past 24 months Edgescan has been developing a new web scanning engine, namely "Weasel". It's a core component of the web security aspect of the Edgescan SaaS service. We built it for many reasons:

Faster assessment speed.
Increased coverage.
Better accuracy.
More user control and configuration.
Improved API support and navigation.
More metrics.
JavaScript/Single-Page-Application (SPA) improvement.
Improved content discovery.
Dynamic learning.

A cool thing about Weasel is that it has a dedicated team consisting not only of developers but also of analysts and researchers. This was exciting, as some of our penetration testers trained and pushed the engine while our developers implemented ongoing changes. Developing a web scanning engine is certainly a treadmill and a never-ending process. Change is good, and to change often is to live well. Dynamic Learning - One aspect that is exciting for us is the idea of continuously integrated test ca...

What’s the worst that can happen…..An Ode to Risk

Risk: a widely used word in many walks of life, but do we understand what it means? “Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.” Cyber security often talks about risk.... A high-risk vulnerability, or the risk of an event occurring. So, risk is related to the statistical occurrence of an event and the negative outcome…. We often talk about likelihood and impact: the chance of something happening and the effect of it happening. As CISOs or cyber security professionals we try to first address the items with the highest risk, or combination of likelihood and impact; we call this prioritization. The reason we need to prioritize is because we can’t fix all the issues, and not every vulnerability is created equal. We ...

A stitch in time....

Our traditional approach to penetration testing, even large-scale global penetration testing, is to perform an annual or bi-annual pen test on our web applications. The question is: who said once a year is enough? Most applications undergo at least quarterly updates and changes, if not to provide value for customers then to keep the web applications fresh and to address any (hopefully) minor bugs. Cyber attackers can continuously scan your site to detect changes (code drops) and probe those changes to assess whether any vulnerability has been introduced. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security, when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? The main reasons for a one-off test per year are simply economics:

Testing takes resources.
Resources cost money.
Resources are scarce.
Push to deploy is stronger than push to secure.
Organisa...