Information security is infatuated with colours. It started with the blue boxing that allowed anyone to make free calls, then moved to black hats, white hats, grey hats (to denote attackers), then off to black box, grey box and white box testing to define the type of testing. The latest trend in colours reference red teaming, blue teaming and purple teaming. We will deal with the last one in the remainder of this blog.
Cybersecurity is beginning to take it's rightful place at the forefront of business operations, but hackers are constantly searching for work arounds. They're constantly looking for weak links to increase their chance of breaching secure targets. That's where supply chain attacks come in.
We, as Foregenix and as a security community, have seen our fair amount of breaches publicised the last year or so. Many of them are your run-of-the-mill breach where software is out-of-date, which provides an avenue for attackers within your infrastructure; or a phishing email that is sent to a list of potential targets to act upon it. We have also seen an increase in a certain category of attacks called a supply chain attack. But, what is a supply chain attack and why should you care?
Having such an exposure to application related testing means we have seen our share of vulnerabilities. These range across different categories, attempts of mitigation, good practices, bad practices, the full monty. Every once in a while, a vulnerability appears whose exploitation makes you scratch your head, scream at the computer screen, or just walk away in the hopes that the solution will present itself in the next morning.
The purpose of this post is to help clients better prepare, digest and act upon the results of a web application penetration test.
A short (and fairly common) story of how quick and dirty initiatives to deal with security weaknesses can actually land you an ordeal of problems and eventually get your systems compromised.
Information security is infatuated with colours. It started with the blue boxing that allowed anyone to make free calls, then moved to black hats, white hats, grey hats (to denote attackers), then off to black box, grey box and white box testing to define the type of testing. The latest trend in colours reference red teaming, blue teaming and purple teaming. We will deal with the last one in the remainder of this blog.
Cybersecurity is beginning to take it's rightful place at the forefront of business operations, but hackers are constantly searching for work arounds. They're constantly looking for weak links to increase their chance of breaching secure targets. That's where supply chain attacks come in.
We, as Foregenix and as a security community, have seen our fair amount of breaches publicised the last year or so. Many of them are your run-of-the-mill breach where software is out-of-date, which provides an avenue for attackers within your infrastructure; or a phishing email that is sent to a list of potential targets to act upon it. We have also seen an increase in a certain category of attacks called a supply chain attack. But, what is a supply chain attack and why should you care?
Having such an exposure to application related testing means we have seen our share of vulnerabilities. These range across different categories, attempts of mitigation, good practices, bad practices, the full monty. Every once in a while, a vulnerability appears whose exploitation makes you scratch your head, scream at the computer screen, or just walk away in the hopes that the solution will present itself in the next morning.
The purpose of this post is to help clients better prepare, digest and act upon the results of a web application penetration test.
A short (and fairly common) story of how quick and dirty initiatives to deal with security weaknesses can actually land you an ordeal of problems and eventually get your systems compromised.
