UPDATE (11/04/2014): Proof of Concept exploit module added to Appcheck NG: Screenshot
On 7th April 2014 a group of security researchers disclosed a critical security flaw in the popular cryptographic software library OpenSSL.
The Heartbleed Bug allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
OpenSSL is the most popular open source library for providing encrypted SSL communications on the Internet and therefore there is a high chance that this flaw will affect your network and applications.
The Sec-1 AppCheck NG Web Application and Infrastructure vulnerability scanner has already been updated with a plugin to detect the flaw.
A high-profile news article published last week brought the risk of insider threats from current or disgruntled employees to reality. A high profile retailer suffered the loss of thousands of employee data records at the hands of an employee who has since been arrested.
This real life example and the exposure of this attack has propelled this type of threat to the forefront with a recent study by Sec-1 partner, Imperva, identifying that 70% of employees admit to accessing data which they shouldn’t.
A recent report revealed a 32% increase in cross-site scripting (XSS) and SQL injection attacks on the web-facing and cloud applications that carry sensitive information about organisations and their customers.
Advances in technology and ever-increasing knowledge around these attack techniques mean that this is set to increase. In light of this, organisations should brace themselves for a spate of activity.
Posted in News
Tagged cross-site scripting, Imperva, Leeds, penetration testing, Sec-1 Ltd, SecureSphere, SQL injection, WAF, Web Application Firewall, web applications, XSS
As defined by the Payment Card Industry Security Standards Council (PCI SSC), the cardholder environment (CDE) consists of the people, processes and technology that process, transmits or stores cardholder data or sensitive authentication data, including any connected systems components.
This means a penetration test of the CDE must include the analysis of card data flow in electronic form on any system within the CDE and any connected systems.