WP_Query Object (debug dump: a print_r() of the query behind this listing was rendered into the page; it exposes the wp_ table prefix, the new_authors/new_presenters meta keys and the generated SQL in [request] below, and should not be emitted to visitors)
(
    [query] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "91"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "91"
                            [compare] => LIKE
                        )

                )

        )

    [query_vars] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "91"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "91"
                            [compare] => LIKE
                        )

                )

            [error] => 
            [m] => 
            [p] => 0
            [post_parent] => 
            [subpost] => 
            [subpost_id] => 
            [attachment] => 
            [attachment_id] => 0
            [name] => 
            [pagename] => 
            [page_id] => 0
            [second] => 
            [minute] => 
            [hour] => 
            [day] => 0
            [monthnum] => 0
            [year] => 0
            [w] => 0
            [category_name] => 
            [tag] => 
            [cat] => 
            [tag_id] => 
            [author] => 
            [author_name] => 
            [feed] => 
            [tb] => 
            [paged] => 0
            [meta_key] => 
            [meta_value] => 
            [preview] => 
            [s] => 
            [sentence] => 
            [title] => 
            [fields] => 
            [menu_order] => 
            [embed] => 
            [category__in] => Array
                (
                )

            [category__not_in] => Array
                (
                )

            [category__and] => Array
                (
                )

            [post__in] => Array
                (
                )

            [post__not_in] => Array
                (
                )

            [post_name__in] => Array
                (
                )

            [tag__in] => Array
                (
                )

            [tag__not_in] => Array
                (
                )

            [tag__and] => Array
                (
                )

            [tag_slug__in] => Array
                (
                )

            [tag_slug__and] => Array
                (
                )

            [post_parent__in] => Array
                (
                )

            [post_parent__not_in] => Array
                (
                )

            [author__in] => Array
                (
                )

            [author__not_in] => Array
                (
                )

            [ignore_sticky_posts] => 
            [suppress_filters] => 
            [cache_results] => 
            [update_post_term_cache] => 1
            [lazy_load_term_meta] => 1
            [update_post_meta_cache] => 1
            [nopaging] => 1
            [comments_per_page] => 50
            [no_found_rows] => 
            [order] => DESC
        )

    [tax_query] => WP_Tax_Query Object
        (
            [queries] => Array
                (
                )

            [relation] => AND
            [table_aliases:protected] => Array
                (
                )

            [queried_terms] => Array
                (
                )

            [primary_table] => wp_posts
            [primary_id_column] => ID
        )

    [meta_query] => WP_Meta_Query Object
        (
            [queries] => Array
                (
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "91"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "91"
                            [compare] => LIKE
                        )

                    [relation] => OR
                )

            [relation] => OR
            [meta_table] => wp_postmeta
            [meta_id_column] => post_id
            [primary_table] => wp_posts
            [primary_id_column] => ID
            [table_aliases:protected] => Array
                (
                    [0] => wp_postmeta
                )

            [clauses:protected] => Array
                (
                    [wp_postmeta] => Array
                        (
                            [key] => new_authors
                            [value] => "91"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                    [wp_postmeta-1] => Array
                        (
                            [key] => new_presenters
                            [value] => "91"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                )

            [has_or_relation:protected] => 1
        )

    [date_query] => 
    [request] => SELECT   wp_posts.* FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{2231a154a9a1744e8ed4728aa4a92bad380a39fffcda9c30d6404af0d73fcfc0}\"91\"{2231a154a9a1744e8ed4728aa4a92bad380a39fffcda9c30d6404af0d73fcfc0}' ) 
  OR 
  ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{2231a154a9a1744e8ed4728aa4a92bad380a39fffcda9c30d6404af0d73fcfc0}\"91\"{2231a154a9a1744e8ed4728aa4a92bad380a39fffcda9c30d6404af0d73fcfc0}' )
) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC 
    [posts] => Array
        (
            [0] => WP_Post Object
                (
                    [ID] => 25909
                    [post_author] => 91
                    [post_date] => 2021-07-14 13:06:23
                    [post_date_gmt] => 2021-07-14 18:06:23
                    [post_content] => 
Celebrating the 35th class of unstoppable entrepreneurs who transform the Heartland Region and beyond.

Minneapolis, Minnesota  –  Ernst & Young LLP (EY US) announced that NetSPI CEO and President Aaron Shilts was named an Entrepreneur Of The Year® 2021 Heartland Award finalist. Now in its 35th year, the Entrepreneur Of The Year program honors unstoppable business leaders whose ambition, ingenuity and courage in the face of adversity help catapult us from the now to next and beyond. 

Shilts was selected by a panel of independent judges. Award winners will be announced during a special virtual celebration on Tuesday, July 27, 2021, becoming lifetime members of an esteemed community of Entrepreneur Of The Year alumni from around the world.

Entrepreneur Of The Year is one of the preeminent competitive award programs for entrepreneurs and leaders of high-growth companies. The nominees are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation, and future plans. Since its launch, the program has expanded to recognize business leaders in more than 145 cities in over 60 countries around the world.

“This recognition validates the incredible work our team is doing,” said Shilts. “NetSPI team members operate as entrepreneurs every day and it’s an honor to help lead and support some of the most brilliant people in cybersecurity.”

Regional award winners are eligible for consideration for the Entrepreneur Of The Year National Awards, to be announced in November 2021 at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2022.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Sponsors

Founded and produced by Ernst & Young LLP, the Entrepreneur Of The Year Awards are nationally sponsored by SAP America and The Kauffman Foundation. In the Heartland Region sponsors also include Colliers International, Padilla, PNC Bank, SALO, LLC, and Twin Cities Business.

About Entrepreneur Of The Year®

Entrepreneur Of The Year® is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind. It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National Overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy

About EY Private

As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets. 

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform, and operate.

Working across assurance, consulting, law, strategy, tax, and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

[post_title] => EY US Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year 2021® Heartland Award Finalist [post_excerpt] => The award celebrates unstoppable entrepreneurs who transform the Heartland Region and beyond. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => entrepreneur-of-the-year-2021-heartland-award-finalist [to_ping] => [pinged] => [post_modified] => 2021-07-15 12:00:01 [post_modified_gmt] => 2021-07-15 17:00:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25909 [menu_order] => 5 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 25827 [post_author] => 91 [post_date] => 2021-07-08 15:00:00 [post_date_gmt] => 2021-07-08 20:00:00 [post_content] =>

Las Vegas, Nevada  –  NetSPI, the leader in enterprise penetration testing and attack surface management, is attending Black Hat USA 2021 at the Mandalay Bay Convention Center in Las Vegas. This year, the hybrid event will be held in-person and online, featuring cybersecurity trainings, expert-led briefings, networking opportunities, and more. During the conference, the NetSPI team will feature its ransomware attack simulation service and will unveil new, innovative features added to its Penetration Testing as a Service (PTaaS) platform, Resolve™. Connect with NetSPI’s penetration testing and ransomware experts at the Black Hat Business Hall or at NetSPI’s happy hour at Mandalay Bay’s Foundation Room on Wednesday, August 4. During the happy hour event, attend an exclusive presentation on ransomware resiliency planning.

To learn more, visit the Black Hat USA website.

Who:

Aaron Shilts, President and CEO at NetSPI
Charles Horton, COO at NetSPI
Jake Reynolds, Head of Product at NetSPI
Scott Sutherland, Practice Director at NetSPI

What:

Black Hat Business Hall (In-Person and Virtual) – Meet the NetSPI team at booth #1579 to learn more about their expertise in enterprise penetration testing and attack surface management. Get a first look and demo of NetSPI’s new risk scoring feature and learn more about its ransomware attack simulation service. Bonus: Visit the in-person or virtual NetSPI booths for a chance to win a 128 GB Oculus Quest VR headset.

NetSPI Happy Hour at the Mandalay Bay Foundation Room – Attend NetSPI’s happy hour during Black Hat at the Mandalay Bay Foundation Room. On Wednesday, August 4 from 4 – 8pm PT, there will be food, drinks, live music, and a presentation on ransomware attack resiliency from cybersecurity experts Scott Sutherland and Alexander Leary. Black Hat badges are required at check-in. 

When:

Black Hat In-Person: 
August 4, 2021 | 10am – 6pm PT
August 5, 2021 | 10am – 4pm PT

Black Hat Virtual: 
August 4, 2021 | 8:30am – 5pm PT
August 5, 2021 | 8:30am – 4pm PT

NetSPI Happy Hour at Black Hat: 
August 4, 2021 | 4 – 8pm PT

Where:

Black Hat In-Person Business Hall: 
Booth #1579
Mandalay Bay Convention Center
Las Vegas, NV

Black Hat Virtual Business Hall: 
Booth #1579

NetSPI Happy Hour at Black Hat: 
Mandalay Bay Foundation Room
House of Blues Las Vegas
3950 S Las Vegas Blvd

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About Black Hat

Founded in 1997, Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.

Press Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

[post_title] => NetSPI to Highlight Ransomware Resiliency, Risk-Based Vulnerability Management, and Penetration Testing as a Service During Black Hat 2021 [post_excerpt] => NetSPI attends Black Hat 2021 with a focus on ransomware, vulnerability management, and penetration testing as a service. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => black-hat-usa-2021 [to_ping] => [pinged] => [post_modified] => 2021-07-08 15:00:48 [post_modified_gmt] => 2021-07-08 20:00:48 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25827 [menu_order] => 8 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 25619 [post_author] => 91 [post_date] => 2021-06-18 15:04:22 [post_date_gmt] => 2021-06-18 20:04:22 [post_content] =>

On June 18, 2021, NetSPI was recognized as a 2021 Fire Award winner.

The Fire Awards are always meant to be a celebration of the companies and people that keep Minnesota's tech and startup scene alive.

With this year's fourth annual Fire Awards, we want to celebrate even harder than ever before after one of the most trying years in memory. That's why we have the biggest Fire Awards ever, honoring 50 companies from across the state.

We sourced these Fire winners from our readers and added some companies that have made waves in the past year or are on the precipice of big things. Many companies were honored because of the steps they took to help tackle the Covid-19 pandemic.

In July, a Blazer winner will be selected from each category by a panel of judges. Blazer winners are the hottest companies in each category, deserving some extra recognition. More details about that event will come out later this month.

We've honored companies in a variety of categories. Startup of the Year is the startup that has risen above the rest in the past year, while the Growing Companies category is for those companies that are a bit smaller but show the potential to be a Startup of the Year down the road. We're also honoring the organizations that support our ecosystem with the community builder category, as well as a few specific industries like medical devices and health and wellness.

Let's meet our Fire winners!

High Tech Company:

NetSPI is a Minneapolis-based cybersecurity company that specializes in penetration testing, which is sometimes called ethical hacking. In May, it raised $90 million in venture capital. Its clients include Fortune 500 companies like Medtronic and Microsoft.

Digi Key is an electronics distributor and one of Minnesota's largest private companies. The Thief River Falls-based company helped the University of Minnesota produce the Coventor, a jerry-rigged ventilator that helped address ventilator shortages during the Covid-19 pandemic.

Arctic Wolf is a transplanted unicorn cybersecurity company. Founded in Silicon Valley, it moved to Eden Prairie in 2020 at the same time it announced a $200 million round of venture capital funding at a valuation of over $1 billion.

Lucy, also known as Equals3, is a Minneapolis-based AI firm that helps Fortune 500 clients manage their data. It raised $3 million in June and plans to double its employee base to over 50 by the end of the year.

Carrot Health is a Minneapolis-based firm that collects consumer data for health plans to help them address what are known as the social determinants of health, or environmental factors that affect people's health. It has been experiencing 100% growth since it was founded.

Read the full article here: https://www.bizjournals.com/twincities/inno/stories/inno-on-fire/2021/06/18/meet-minne-innos-2021.html

[post_title] => Minne Inno announces the 2021 Fire Awards [post_excerpt] => On June 18, 2021, NetSPI was recognized as a 2021 Fire Award winner. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => minne-inno-announces-the-2021-fire-awards [to_ping] => [pinged] => [post_modified] => 2021-06-18 15:04:23 [post_modified_gmt] => 2021-06-18 20:04:23 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25619 [menu_order] => 14 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 25599 [post_author] => 91 [post_date] => 2021-06-17 08:00:00 [post_date_gmt] => 2021-06-17 13:00:00 [post_content] =>
Through the tech-enabled service, organizations can put their ransomware prevention and detection capabilities to the test.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced its new ransomware attack simulation service. In collaboration with its ransomware security experts, the new service enables organizations to emulate real world ransomware families to find and fix critical vulnerabilities in their cybersecurity defenses.

Recent ransomware attacks have exposed major cybersecurity gaps globally. In the U.S., the Biden administration is urging business leaders to take immediate steps to prepare for ransomware attacks. In a recent memo, deputy national security advisor for cyber and emerging technology Anne Neuberger recommends organizations, “use a third-party pentester to test the security of your systems and your ability to defend against a sophisticated [ransomware] attack.”

“Paying a ransom doesn’t guarantee your data is returned safely, yet, one in four companies worldwide pay the adversaries [I],” said Scott Sutherland, Practice Director at NetSPI. “Organizations must get more proactive with their security efforts to avoid paying the ransom and funding the cybercriminals. Ransomware families are both opportunistic and targeted – and no industry is exempt from falling victim to an attack.”

“NetSPI is eager to help organizations achieve a more scalable and continuous assessment of their environment from the perspective of an adversary,” said Charles Horton, COO at NetSPI. “The addition of the ransomware attack simulation service to our adversary simulation solutions will further help organizations strengthen their defenses and become more resilient against ransomware attacks.”

During a ransomware attack simulation engagement, NetSPI closely collaborates with organizations to simulate sophisticated ransomware tactics, techniques, and procedures (TTPs) using its custom-built breach and attack simulation technology. Following each engagement, organizations gain access to NetSPI’s technology to run custom plays on their own and continuously evaluate how well their cybersecurity program will hold up to a ransomware attack.

Learn more about NetSPI’s ransomware attack simulation online here and download The Ultimate Guide to Ransomware Attacks for insights on how to prevent and respond to a ransomware attack.

The Ultimate Guide to Ransomware Attacks – Download Now

I SonicWall 2021 Cyber Threat Report; https://www.sonicwall.com/2021-cyber-threat-report/

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Contact:
Tori Norris
Marketing Manager, NetSPI
victoria.norris@netspi.com
(630) 258-0277

[post_title] => Improve Ransomware Attack Resiliency with NetSPI’s New Ransomware Attack Simulation [post_excerpt] => Learn how NetSPI's new ransomware attack simulation service enables organizations to find and fix critical vulnerabilities in their ransomware defenses. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => ransomware-attack-resiliency [to_ping] => [pinged] => [post_modified] => 2021-06-23 14:07:08 [post_modified_gmt] => 2021-06-23 19:07:08 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25599 [menu_order] => 15 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 25593 [post_author] => 91 [post_date] => 2021-06-16 22:48:57 [post_date_gmt] => 2021-06-17 03:48:57 [post_content] =>

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the Top Workplaces in Minnesota by the Star Tribune. Top Workplaces recognizes the most progressive companies in Minnesota based on employee opinions measuring engagement, organizational health, and satisfaction. 

“NetSPI wouldn’t be what it is today without its employees and the culture of innovation that we’ve built,” said NetSPI President and CEO Aaron Shilts. “Even during a turbulent 2020, we had an employee retention rate of 92% which alone speaks volumes in an industry that has zero percent unemployment. I thank each and every member of our team for helping to make NetSPI a Top Workplace.”

The results of the Star Tribune Top Workplaces are based on survey information collected by Energage, an independent company specializing in employee engagement and retention. The analysis includes responses from over 76,000 employees at Minnesota public, private and nonprofit organizations. 

NetSPI is hiring—apply today!

“We are especially proud of the fact that our employees called out NetSPI’s top strengths as interdepartmental cooperation, execution, and innovation. This award shows how well our teams work together, which is a key to our success,” said NetSPI Director of People Operations Heather Neumeister. “Seeing the variety of responses throughout the survey really validates the culture we have at NetSPI. Working with great people, doing important work, and having fun came through in many of the comments provided.”

This Top Workplace recognition follows an especially successful 12 months for NetSPI. Recently, NetSPI announced it raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. In 2020, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. NetSPI also launched Penetration Testing as a Service (PTaaS) in 2020, powered by its Resolve™ platform. 2021 also promises more business opportunities for NetSPI with upcoming additions of risk scoring, vulnerability intelligence, ransomware attack simulation, and more.

To qualify for the Star Tribune Top Workplaces, a company must have more than 50 employees in Minnesota. Nearly 3,000 companies were invited to participate. Rankings were composite scores calculated purely on the basis of employee responses.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Elyse Bauchle, Maccabee PR for NetSPI
elyse@maccabee.com
(612) 294-3125

Tori Norris
Marketing Manager, NetSPI
victoria.norris@netspi.com
(630) 258-0277

[post_title] => NetSPI Named a 2021 Top Workplace in Minnesota [post_excerpt] => Learn why NetSPI was named a 2021 top workplace in Minnesota by the Star Tribune. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => top-workplaces-minnesota-2021 [to_ping] => [pinged] => [post_modified] => 2021-06-23 14:07:16 [post_modified_gmt] => 2021-06-23 19:07:16 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25593 [menu_order] => 16 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 25552 [post_author] => 91 [post_date] => 2021-06-10 05:00:00 [post_date_gmt] => 2021-06-10 10:00:00 [post_content] =>
The new training course provides a deep dive on the attack surface introduced by Azure and how to exploit its vulnerabilities.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced Dark Side Ops (DSO) 3: Azure Cloud Pentesting, a new cybersecurity training course focused on Azure cloud penetration testing. Participants will gain a better understanding of potential risks associated with Azure cloud deployments, how to exploit them, and how to prevent and remediate critical cloud vulnerabilities.

As experts anticipate [I] cloud adoption to soar in the aftermath of the COVID-19 pandemic, this course helps cybersecurity, DevOps, and IT professionals better grasp the complexities that accompany Microsoft’s Azure cloud platform. The first public DSO 3: Azure Cloud Pentesting training is scheduled for August 23-24, 2021 and will be conducted virtually. The two-day training session costs $2,000/person.

“It’s no surprise that cloud security was listed as the most important skill needed to pursue a cybersecurity career in the latest (ISC)² Cybersecurity Workforce Study [II],” said Aaron Shilts, President and CEO at NetSPI. “An emphasis on cloud security education and training is critical as the attack surface grows.”

“Not only does DSO 3: Azure Cloud Pentesting feature a live cloud environment and real-world examples from our extensive cloud penetration testing work, it is also designed and instructed by NetSPI practice director Karl Fosaaen, one of the foremost experts on Azure penetration testing,” Shilts added.

“Traditional network penetration testing processes need to be updated to account for the intricacies introduced by cloud infrastructure,” said Karl Fosaaen, Cloud Practice Director at NetSPI. “Through the training, I’m eager to teach others how to level up their on-premise penetration testing skills and apply them to Azure cloud.”

NetSPI’s Dark Side Ops trainings, DSO 1: Malware Dev, DSO 2: Adversary Simulation, and DSO 3: Azure Cloud Pentesting are available as private trainings, upon request. Contact NetSPI for more information regarding private group training sessions.

For additional training details and course requirements, visit the NetSPI website. Registration is now open for all August 2021 DSO cybersecurity training courses.

Dark Side Ops 3: Azure Cloud Pentesting virtual course on August 23–24, 2021 (9AM to 5PM CT)

I Gartner Newsroom; November 17, 2020; https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021
II (ISC)2 Cybersecurity Workforce Study 2020; https://www.isc2.org/Research/Workforce-Study

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Toolkit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Contact:
Tori Norris
Marketing Manager, NetSPI
victoria.norris@netspi.com
(630) 258-0277

[post_title] => Azure Cloud Pentesting Added to NetSPI’s Roster of Cybersecurity Training Courses [post_excerpt] => Learn how to exploit, prevent, and remediate critical Azure cloud vulnerabilities. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => azure-cloud-pentesting-cybersecurity-training [to_ping] => [pinged] => [post_modified] => 2021-06-23 14:04:03 [post_modified_gmt] => 2021-06-23 19:04:03 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25552 [menu_order] => 18 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 25333 [post_author] => 91 [post_date] => 2021-05-12 11:00:00 [post_date_gmt] => 2021-05-12 11:00:00 [post_content] =>
Investment to Fuel Innovation and Growth, Including Global Expansion and Product Innovation

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today announced it has raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. The investment will be used to further accelerate NetSPI’s rapid growth by expanding the company’s cyber security and client experience teams, investing in product innovation, and deepening operations across U.S. and international markets.

“The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” said NetSPI President and Chief Executive Officer Aaron Shilts. “At NetSPI, we strive to stay one step ahead of hackers, breaches, and bad actors by focusing on prevention-based security techniques. Rooted in the founding tenets of the company, our goals are purposely aggressive to help our clients adapt to the constantly evolving threat landscape.”

Since its founding, NetSPI has focused its services to help companies proactively defend themselves from cyberattacks through a robust and innovative technology platform, allowing NetSPI’s team of experts to thoroughly identify security vulnerabilities. At a time when cyber security spending is expected to exceed $200 billion per year by 2024, according to a recent Bloomberg Intelligence (BI) report, more companies are preparing to fend off sophisticated cyber-attacks and avoid reputational and business risks.

“Our clients rely on us to help secure their ever-evolving attack surface by leveraging our expertise in cloud, red team, application, and network security,” continued Shilts. “This investment from KKR and Ten Eleven Ventures allows NetSPI to better meet this demand while simultaneously fueling growth and innovation as a leader in the booming cyber security market. With our investors’ support, NetSPI will continue to transform the industry with a focus on attack surface management, enterprise security testing, and vulnerability management.”

“NetSPI has built a differentiated suite of tech-enabled services and test orchestration and reporting software that is not only enhancing cyber security for complex global enterprises across a wide range of industries, but is simultaneously disrupting the traditional penetration testing market in order for these enterprises to continuously test their applications, networks, and cloud infrastructures at scale,” said Ben Pederson, Principal at KKR. “We are excited to invest in NetSPI’s growth as they build and deliver these critically important offensive security solutions.”

Jake Heller, Head of KKR’s Technology Growth team in the Americas, added: “Aaron and his team have a deep appreciation for the needs of their customers and the increasing demand for best-in-class, tech-enabled cyber security systems.”

KKR is investing in NetSPI through its Next Generation Technology Growth Fund II. KKR and Ten Eleven Ventures have invested in market-leading cyber security companies including Darktrace, KnowBe4, Ping Identity, Cylance, ForgeRock, and ReliaQuest.

“Penetration testing is a critical component of any enterprise’s security program and will continue to be an important part of compliance and regulatory requirements in the future,” said Mark Hatfield, General Partner, Ten Eleven Ventures. “With its deep expertise and automated platform, NetSPI has developed an incredibly effective and efficient approach to penetration testing and attack surface management. We’re thrilled to partner with this exceptional team and look forward to drawing on our cyber security expertise to help NetSPI bring its technology to more companies across the globe.”

After spending its first several years as a bootstrapped, profitable business, in 2017 NetSPI partnered with Sunstone Partners, who has been instrumental to the company’s growth post-investment. Gus Alberelli, Managing Director of Sunstone Partners, said: “We’re incredibly fortunate to partner with NetSPI’s team and proud of the company’s extraordinary growth stemming from its technology-enabled penetration testing team. We are excited for KKR and Ten Eleven Ventures to join Sunstone Partners in supporting NetSPI’s growth journey.”

The investment is the latest transaction in a period of accelerated growth for NetSPI. Most recently, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. In 2020, NetSPI launched Penetration Testing as a Service (PTaaS) powered by its Resolve™ platform. Upcoming additions of risk scoring, vulnerability intelligence, breach and attack simulation, and more will continue to differentiate NetSPI's technology offerings.

Goodwin Procter LLP advised NetSPI on the transaction and Latham & Watkins LLP advised KKR and Ten Eleven Ventures.

[wonderplugin_video iframe="https://vimeo.com/547974617" lightbox=0 lightboxsize=1 lightboxwidth=960 lightboxheight=540 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=960 videoheight=540 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation through its Red Team Tool Kit. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About KKR

KKR is a leading global investment firm that offers alternative asset management and capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life, and reinsurance products under the management of The Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries. For additional information about KKR & Co. Inc. (NYSE: KKR), please visit KKR’s website at www.kkr.com and on Twitter @KKR_Co.

About Ten Eleven Ventures

Ten Eleven Ventures is the original venture capital firm focused solely on investing in digital security. The firm invests globally and at all stages, from seed to growth (the latter via its Joint Investment Alliance with KKR). Since its founding in Silicon Valley in 2015, Ten Eleven Ventures has raised nearly $US 500 million and invested in 30 leading cybersecurity companies including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

About Sunstone Partners

Sunstone Partners is a growth-oriented private equity firm that makes majority and minority investments in technology-enabled services and software businesses. Recently recognized as one of Inc.’s 2020 PE 50 founder-friendly private equity firms for entrepreneurs, the firm seeks to partner with exceptional management teams, often as their first institutional capital partner, to help accelerate organic growth and fund acquisitions. Founded in 2015, the firm has $800 million of committed capital to its first two funds. For more information, visit www.sunstonepartners.com.

Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

KKR
Cara Major or Miles Radcliffe-Trenner
Media@KKR.com
(212) 750-8300

Ten Eleven Ventures
Megan Dubofsky
mdubofsky@1011vc.com
(917) 576-5590

[post_title] => Cyber Security Penetration Testing Leader NetSPI Secures $90 Million in Growth Funding Led by KKR [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cybersecurity-funding-investment-kkr [to_ping] => [pinged] => [post_modified] => 2021-05-12 14:13:05 [post_modified_gmt] => 2021-05-12 14:13:05 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25333 [menu_order] => 27 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [7] => WP_Post Object ( [ID] => 25347 [post_author] => 91 [post_date] => 2021-05-12 05:00:16 [post_date_gmt] => 2021-05-12 05:00:16 [post_content] =>

On May 12, 2021, NetSPI announced new funding from KKR and Ten Eleven. Learn why Ten Eleven chose to invest in NetSPI:

Today we’re pleased to announce our investment in NetSPI. In cybersecurity, understanding where weaknesses lie is a critical first step in defense. One crucial way to assess this is through penetration testing, where “ethical hackers” attempt to break into your systems before attackers can. Penetration testing is often required of technology vendors by their customers and a mandated part of certain required compliance programs and certifications, including SOC 2. Because of its importance, pen testing represents a $1.7Bn market growing at 22% a year – but companies are always looking for a way to do it in a faster and easier manner.

Read more here: https://www.1011vc.com/news/why-we-invested-in-netspi/

[post_title] => Ten Eleven: Why We Invested in NetSPI [post_excerpt] => On May 12, 2021, NetSPI announced new funding from KKR and Ten Eleven. Learn why Ten Eleven chose to invest in NetSPI. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => ten-eleven-why-we-invested-in-netspi [to_ping] => [pinged] => [post_modified] => 2021-05-12 15:52:28 [post_modified_gmt] => 2021-05-12 15:52:28 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25347 [menu_order] => 29 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [8] => WP_Post Object ( [ID] => 23017 [post_author] => 91 [post_date] => 2021-02-09 07:00:16 [post_date_gmt] => 2021-02-09 07:00:16 [post_content] =>
NetSPI’s toolkit for covert adversary simulations is now available to enterprise red teams with new features and functionality.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today relaunched Red Team Toolkit, a sophisticated suite of penetration testing and adversary simulation tools. NetSPI integrated and advanced the Toolkit after the acquisition of Silent Break Security in late 2020.  It features a re-designed web-based user experience and improved functionality that supports more advanced and collaborative red team operations.

“We designed the all-new Red Team Toolkit Platform to better emulate sophisticated, real-world attackers after observing critical gaps left by other well-signatured tools on the market,” said Brady Bloxham, Chief Technology Officer at NetSPI. “We continue to use the platform on our own red team operations and are constantly updating it with the latest offensive techniques and defensive countermeasures. It is the most capable offensive toolkit available to red teams today.”

Red Team Toolkit’s tooling and features include:

  • Slingshot: Slingshot is a Windows post-exploitation agent used by red teams to conduct advanced network cyber-operations. Designed with stealth in mind, it enables operators to accurately emulate sophisticated adversaries. It increases the speed and efficiency of advanced operations through malleable network profiles, direct syscall execution, memory obfuscation, blended HTML traffic, scripting automation interface, and more.
  • Improved user experience: Its new web-based user interface was built with the operator experience and productivity top of mind. It is a command and control (C2) server, providing a unified interface for all current and future tools.
  • Multi-user support: The all-new Red Team Toolkit Platform supports multi-user interaction with tiered access permissions. This provides mirrored output, improved team collaboration, seamless operations, and training opportunities.
  • Keyboard-centric controls: Inspired by a traditional terminal, red teamers will feel at home with keyboard-centric controls and an integrated command palette.
  • Functional storage: Connect Red Team Toolkit to your existing database infrastructure or a simple SQLite file. Everything is well-formed, easily parsed, and recorded in one central location.

“Our teams think like adversaries and perform red teaming for some of the most advanced organizations in the world,” said Aaron Shilts, President and CEO of NetSPI. “We take pride in building technology that changes how our clients think about their penetration testing programs and the industry as a whole – and we are thrilled to make it available to others with the reintroduction of Red Team Toolkit.”

Learn more about how Red Team Toolkit can optimize your Red Team engagements and increase productivity. Contact sales@netspi.com.

[wonderplugin_video iframe="https://youtu.be/zAFdEiGFQC4" lightbox=0 lightboxsize=1 lightboxwidth=960 lightboxheight=540 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=960 videoheight=540 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

About NetSPI

NetSPI is the leader in enterprise penetration testing and attack surface management. We are proud to partner with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

[post_title] => NetSPI Relaunches Red Team Toolkit [post_excerpt] => NetSPI’s toolkit for covert adversary simulations is now available to enterprise red teams with new features and functionality. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-relaunches-red-team-toolkit [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:25 [post_modified_gmt] => 2021-04-14 06:52:25 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=21247 [menu_order] => 50 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [9] => WP_Post Object ( [ID] => 23016 [post_author] => 91 [post_date] => 2021-01-26 07:00:06 [post_date_gmt] => 2021-01-26 07:00:06 [post_content] =>
Following a successful year, NetSPI promotes Aaron Shilts to CEO while co-founder Deke George assumes a new role on the Board of Directors.
Minneapolis, Minnesota  –  NetSPI, the leader in enterprise security testing and vulnerability management, achieved 35% organic revenue growth in fiscal year 2020, added over 150 new clients, and expanded its team to more than 200 employees. NetSPI’s Penetration Testing as a Service (PTaaS) delivery model, core service expansion, and Silent Break Security acquisition all contributed to its strong growth. Since 2017, NetSPI has tripled its topline revenue while remaining profitable. As NetSPI looks forward to 2021, the company has promoted Aaron Shilts to President and CEO and Charles Horton to COO. NetSPI co-founder Deke George will assume a new role as Chairman on the Board of Directors and remain actively involved in the company. “2020 was full of challenges, not only for our team, but also for our clients. I’m proud of the rapid growth this team has achieved and how we’ve adapted and scaled to support our clients at a time when people and organizations are more vulnerable,” said Shilts. “More businesses recognize the foundational importance of secure software. As such, I anticipate that NetSPI’s core business in application security, vulnerability management, and cloud testing will experience even higher demand in 2021.” Achievements that contributed to NetSPI’s 2020 success include,
  • Penetration Testing as a Service (PTaaS) Powered by Resolve™: PTaaS enables customers to simplify the scoping of new engagements, view their testing results in real-time, orchestrate faster remediation, perform always-on continuous testing, and more – all through the Resolve vulnerability management and orchestration platform.
  • Cloud Security Testing Expansion: NetSPI expanded its industry-leading cloud penetration testing services to include the AWS, Azure, Google, and Oracle cloud environments, for both point-in-time and continuous testing.
  • Strategic Advisory Services: This new consulting service builds and improves application security programs. The core functions of Strategic Advisory Services include program benchmarking, roadmap development, and security metrics.
  • Static Application Security Testing (SAST) and Secure Code Review (SCR): NetSPI enhanced its SAST and SCR services to help development teams establish a more strategic approach to building secure applications and identifying vulnerabilities earlier in the software development lifecycle (SDLC).
  • Silent Break Security Acquisition: NetSPI acquired Silent Break Security to complete its offensive cybersecurity and attack surface management offerings. Silent Break Security’s manual testing team, proprietary Adversary Simulation and Red Team Toolkit software, and enterprise clients improve NetSPI’s ability to scale up vulnerability management programs to meet client needs.
  • NetSPI Thought Leadership: In 2020, NetSPI spotlighted its roster of technology and management experts, creating a breadth of thought leadership content across several platforms including the executive and technical blogs, webinars, downloadable resources, and the Agent of Influence podcast.
  • Philanthropic Activities: NetSPI became a sponsor for Change Starts With Me, a grassroots movement working to rebuild communities impacted by social, health, and economic crises. The company also continues to work closely with the University of Minnesota Masonic Children’s Hospital and raised funds to support World Central Kitchen, MasksOn.org, and Northside Funders Group.
"Technology innovation is what we do best. It’s the foundation on which we built NetSPI,” said Deke George. “This was evident over the past 12 months, and I believe NetSPI is leading a revolutionary shift in the way penetration testing and vulnerability management is performed.” “We come into the new year with incredible momentum and continued focus on delivering an exceptional client experience,” Shilts said. “In 2021 we will extend the intelligence and automation features of our Resolve platform. With data from over 80 million vulnerabilities, we give our customers access to the most robust risk scoring system on the market, the power to predict the likelihood of vulnerabilities in their environment, and the ability to automatically run adversary simulations across their entire attack surface.” Join NetSPI’s mailing list to be the first to receive company, product, and services updates. Sign up here.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on FacebookTwitter, and LinkedIn. Media Contacts: Jean Hill, Maccabee PR for NetSPI jean@maccabee.com (612) 294-3154 Tori Norris, NetSPI victoria.norris@netspi.com (630) 258-0277 [post_title] => NetSPI Celebrates 35% Organic Revenue Growth in 2020 [post_excerpt] => Following a successful year, NetSPI promotes Aaron Shilts to CEO while co-founder Deke George assumes a new role on the Board of Directors. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => celebrates-35-percent-organic-revenue-growth-in-2020 [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:31 [post_modified_gmt] => 2021-04-14 06:52:31 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=21134 [menu_order] => 55 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [10] => WP_Post Object ( [ID] => 20716 [post_author] => 91 [post_date] => 2020-12-15 09:41:57 [post_date_gmt] => 2020-12-15 09:41:57 [post_content] =>

As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.

While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.

For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.

Overview: SolarWinds Orion Manual Supply Chain Attack

On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.

FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.

  • Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574 /SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
  • How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
  • Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.

Known breaches include:

FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.

U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.

Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:

  1. First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the CIDR prefix length. Note that this is a port-based check, so hosts on which those ports are filtered will not be flagged; treat a clean result as a starting point rather than proof of absence. If the Orion agent is found, follow SolarWinds’ recommendations.
  2. SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
  3. Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.

Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.

[post_title] => FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? [post_excerpt] => As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => fireeye-solarwinds-us-treasury-whats-happening-in-the-cyber-security-world-right-now [to_ping] => [pinged] => [post_modified] => 2021-05-04 17:03:39 [post_modified_gmt] => 2021-05-04 17:03:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=20716 [menu_order] => 65 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [11] => WP_Post Object ( [ID] => 20550 [post_author] => 91 [post_date] => 2020-12-02 07:00:59 [post_date_gmt] => 2020-12-02 07:00:59 [post_content] =>
With the acquisition of Silent Break Security, NetSPI will expand and enhance adversary simulation software and services.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise security testing and vulnerability management, today announced its acquisition of Silent Break Security, a Utah-based security testing firm which specializes in network and application testing, red teaming, and adversary simulation. Through this acquisition, NetSPI will broaden its footprint to create a complete package for offensive cyber security and attack surface management. With the integration of Silent Break Security’s manual testing team, along with their proprietary software platforms and toolsets, NetSPI will improve its ability to scale up vulnerability management programs to meet client needs.

“It’s our vision to secure the world’s attack surfaces with brilliant people and disruptive technology. The Silent Break Security team is the perfect complement to our strong culture and its software stack a natural fit for helping us drive innovation and leverage technology as a force multiplier,” said Aaron Shilts, President and COO of NetSPI. “I am very excited about the opportunity this presents our team. By leveraging the skills that Brady built in his Silent Break Security team, I believe NetSPI has an opportunity to disrupt the penetration testing industry.”

“It is rare to find two organizations that align so closely from a mission, vision, values, and culture perspective,” added Brady Bloxham, Founder and CEO of Silent Break Security. “Both organizations have cultures of high performance, innovation, and agility. Individually, NetSPI and Silent Break have been working toward many of the same goals and, now together, we will become a much greater force to be reckoned with.”

The combined NetSPI and Silent Break team will provide a complete package for offensive security through the following core strategies:

  • Industry Leading Talent: NetSPI’s expert penetration testers conduct over 150,000 hours of testing each year and deliver technical and thought leadership content to the industry. The addition of Silent Break Security’s team, many with U.S. Department of Defense (DoD) experience, will position the combined company as the industry’s strongest penetration testing provider.
  • Technology Innovation: At the foundation of the acquisition is innovation through proprietary technology. Acquiring Silent Break Security and its technology – adversary simulation software (Silent Break Central), Red Team Toolkit, among other tools – with the goal of integrating these into NetSPI’s Resolve™ vulnerability management and orchestration software, will enable the company to consistently find vulnerabilities that others miss, accelerate remediation, provide always-on continuous testing, and simplify the entire testing process.
  • Focus on Training: The commitment to quality is evident in each organization’s emphasis on continuous professional development and training programs for employees and client security teams. Silent Break Security will bring its in-depth training programs on malware development, adversary simulations, and offensive machine learning to NetSPI employees and clients to complement NetSPI’s acclaimed NetSPI University employee training program.
  • Penetration Testing as a Service (PTaaS): The acquired technologies and expertise will allow NetSPI to optimize its core penetration testing service: PTaaS. Automated scanning, real-time reporting, and streamlined remediation processes offered through PTaaS will give the manual testing team more time to focus on the difficult, hard-to-find vulnerabilities that only humans can find. Silent Break’s software fits perfectly into our strategy to deliver always-on attack surface management giving Resolve customers the ability to run internal automated red team “plays” throughout the year.

Brady Bloxham, Founder and CEO of Silent Break Security will become NetSPI’s Chief Technology Officer (CTO). Silent Break Security operations and team members will remain in Lehi, Utah and throughout the U.S.

To learn more about the acquisition of Silent Break Security, connect with the NetSPI team by contacting Heather Rubash (heather.rubash@netspi.com; (612) 385-3006). Keep up to date with NetSPI’s latest news: visit netspi.com.

Watch NetSPI's special announcement from President and COO, Aaron Shilts

[wonderplugin_video iframe="https://youtu.be/ffJlDBdNcJo" lightbox=0 lightboxsize=1 lightboxwidth=960 lightboxheight=540 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=960 videoheight=540 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

Watch this special announcement from Silent Break Security’s Founder and CEO, Brady Bloxham — now NetSPI’s CTO

[wonderplugin_video iframe="https://youtu.be/VBfJJAqTL78" lightbox=0 lightboxsize=1 lightboxwidth=960 lightboxheight=540 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=960 videoheight=540 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with eight of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of growth equity firm Sunstone Partners. Follow us on Facebook, Twitter, and LinkedIn.

Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

Heather Rubash, NetSPI
heather.rubash@netspi.com
(612) 385-3006

[post_title] => NetSPI Acquires Silent Break Security [post_excerpt] => With the acquisition of Silent Break Security, NetSPI will expand and enhance adversary simulation software and services. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-acquires-silent-break-security [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:36 [post_modified_gmt] => 2021-04-14 06:52:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=20550 [menu_order] => 74 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [12] => WP_Post Object ( [ID] => 19939 [post_author] => 91 [post_date] => 2020-10-21 07:00:00 [post_date_gmt] => 2020-10-21 07:00:00 [post_content] =>
Florindo Gallicchio and Robert Richardson bring a combined 50 years of cyber security experience to NetSPI.
Minneapolis, Minnesota  –  NetSPI, the leader in enterprise security testing and vulnerability management, today announced Florindo Gallicchio has joined as Managing Director and Robert Richardson has been promoted to Vice President of Customer Success. Expanding the leadership team is a principal component of NetSPI’s strategy to drive customer growth, program success, and return on investment (ROI) of penetration testing. “Finding vulnerabilities that other pentesters miss, making reporting easier to digest and act upon, and streamlining our customer engagements through the Resolve™ vulnerability management platform are key areas of focus for our team,” said Aaron Shilts, President at NetSPI. “The growth of our leadership team gives us the opportunity to evolve and expand our services, providing customers peace-of-mind that they’re working with the best security testing and vulnerability management team on the market today.” Cumulatively, Gallicchio and Richardson bring half a century of cyber security excellence to NetSPI, where they will help customers align security strategies to business goals.
  • Gallicchio is a senior risk management and information security practitioner with over 30 years of experience in building and running cyber security programs to securely manage the business while also achieving and maintaining compliance with regulatory and industry requirements. As Managing Director at NetSPI, he will be a strategic advisor to executives, boards of directors, and technology staff, helping them understand the role of security as a business strategy. Prior to joining NetSPI, Gallicchio was the CISO at a global advisory investment firm in New York City. He began his career with the National Security Agency (NSA) while serving in the U.S. Navy, where in 10 years of service he worked in signals and communications intelligence collection and systems exploitation.
  • Richardson has more than 20 years of experience as a builder of people, processes, and sales enablement that support and drive sales growth. Richardson is being promoted to Vice President of Customer Success at NetSPI, and will focus on people leadership, personnel development, and operational efficiency. Prior to NetSPI, Richardson built a professional services process and delivery capability that resulted in 150% growth over two years as Director of Strategic Staffing and the Program Management Office (PMO) at Optiv Security. Prior to the merger that formed Optiv, Richardson managed projects at FishNet Security.
“Gallicchio and Richardson bring new perspectives to the table,” added Deke George, Founder and CEO of NetSPI. “Notably, Gallicchio’s experience on the client side as a financial services CISO and his time serving in the U.S. Navy coupled with Richardson’s personnel development track record and ability to scale operations will allow NetSPI to further improve our customers’ vulnerability management programs. Having two of the industry’s best minds on our roster is a crucial part of our mission to provide invaluable pentesting services and counsel to our clients – and continue to stay one step ahead of adversaries.” To learn more about NetSPI’s efforts to drive customer success, visit the company website to hear first-hand customer success stories or connect with the NetSPI team at info@netspi.com or call: (612) 465-8880.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on FacebookTwitter, and LinkedIn. Media Contact: Tori Norris, Maccabee PR for NetSPI tori@maccabee.com 612-294-3100 [post_title] => NetSPI Adds to Leadership Team to Support Continued Focus on Customer Success [post_excerpt] => Florindo Gallicchio and Robert Richardson bring a combined 50 years of cyber security experience to NetSPI. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-adds-to-leadership-team-to-support-continued-focus-on-customer-success [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:43 [post_modified_gmt] => 2021-04-14 06:52:43 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=19939 [menu_order] => 84 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [13] => WP_Post Object ( [ID] => 19512 [post_author] => 91 [post_date] => 2020-08-03 07:00:59 [post_date_gmt] => 2020-08-03 07:00:59 [post_content] =>

During the Black Hat 2020 Virtual Conference, NetSPI, a leader in enterprise security testing and vulnerability management, will provide a fresh perspective on optimizing pentesting and application security (AppSec) programs. Today, there are more software-based solutions than ever before. From rising dependency on smartphone applications to the growing remote workforce increasing the usage of cloud-based software, reliance on software continues to grow. This means more AppSec tools and automation have become available – and, in turn, an overwhelming number of AppSec methodologies and approaches to follow. To navigate the complex security considerations, NetSPI is working to change the way organizations think about AppSec by embracing security throughout the development lifecycle.

Who: Deke George, CEO, NetSPI; Aaron Shilts, President and COO, NetSPI; Nabil Hannan, Managing Director, NetSPI; Jake Reynolds, Product Manager, NetSPI. What: On Wednesday, August 5, at 11:20–11:40am PT, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds will host a session titled, Extreme Makeover: AppSec Edition. During the session, attendees will learn how leading organizations use different discovery techniques as part of their AppSec program, understand strengths and weaknesses of common AppSec vulnerability discovery technologies and adopt techniques that make security frictionless for your developers as they embrace a DevSecOps culture. Additionally, they will discover how functional your application security program can be with a “makeover” to:
  • Enhance reporting to empower leadership to optimize AppSec programs
  • Improve vulnerability ingestion, correlation, and enrichment
  • Increase speed to remediation
The NetSPI team will have a virtual exhibitor booth in the Black Hat Business Hall. Schedule a briefing to hear the latest company updates and explore NetSPI’s new products and services, including:
  • Static Application Security Testing [SAST] and Secure Code Review [SCR]: Debuted at Black Hat, the new services are designed to identify application security vulnerabilities earlier in the software development life cycle.
  • Strategic Advisory Services: In June 2020, NetSPI revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, business-objective driven, and mature application security program.
  • Pentesting as a Service (PTaaS): Launched in 2020, NetSPI’s PTaaS delivery model puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and add the ability to perform always-on continuous testing.
When: Virtual Session: Wednesday, August 5, 11:20–11:40am PST Black Hat 2020 Virtual Conference: August 1-6, 2020 Where: Attend the virtual session, Extreme Makeover: AppSec Edition, online here. Stop by NetSPI’s virtual booth by searching for NetSPI in the Black Hat event portal. Media: Virtual briefings with the NetSPI team available upon request. To attend the virtual session on August 5, register for a free Black Hat Business Pass. Contact: Tori Norris Maccabee Public Relations on behalf of NetSPI tori@maccabee.com, (612) 294-3100 [post_title] => NetSPI to Help Black Hat USA 2020 Attendees View Penetration Testing and Application Security Through a New Lens [post_excerpt] => During the Black Hat 2020 Virtual Conference, NetSPI will provide a fresh perspective on optimizing pentesting and application security (AppSec) programs. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-help-black-hat-usa-2020-attendees-view-penetration-testing-application-security-through-new-lens [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:48 [post_modified_gmt] => 2021-04-14 06:52:48 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=19512 [menu_order] => 104 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [14] => WP_Post Object ( [ID] => 19437 [post_author] => 91 [post_date] => 2020-07-28 07:00:25 [post_date_gmt] => 2020-07-28 07:00:25 [post_content] =>
The new services are designed to identify application security vulnerabilities earlier in the software development life cycle.
Minneapolis, Minnesota  – To mitigate possible security vulnerabilities early in the fast-paced software development life cycle process, today NetSPI, the leader in enterprise security testing and vulnerability management, launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services to aid application and software development teams in establishing a more strategic approach to building secure applications. Key to NetSPI’s multi-level secure code review services involving SAST and SCR is a thorough inspection of source and compiled code to ensure security risks are eliminated before software is deployed to production, at which time the cost of remediation could increase exponentially. “With Continuous Integration/Continuous Deployment more and more becoming the backbone of the modern DevOps environment, it’s more important than ever to detect and address vulnerabilities through Static Application Security Testing and Source Code Review processes, a service that is complementary to an organization’s penetration testing efforts,” said Nabil Hannan, managing director at NetSPI. “Both testing functions enable more comprehensive vulnerability detection and, in many cases, identify vulnerabilities that are not possible to discover during dynamic testing and analysis.” NetSPI’s SAST and SCR services are offered in various engagement structures giving application and software development teams options to leverage the appropriate level of testing depth to detect, validate, and resolve security issues based on the business criticality and risk profile of their applications. The services are also a solution to adhere to application development compliance standards, including PCI DSS and HIPAA. NetSPI’s SAST and SCR offerings include:
  • Static Application Security Testing (SAST)—A static analysis performed with a combination of commercial, open source, and proprietary SAST tools, resulting in an assessment report from NetSPI that describes found vulnerabilities and actionable remediation guidance. Additionally, NetSPI offers a streamlined, more economical SAST service which focuses only on testing around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.
  • Static Application Security Testing (SAST): Triaging—As an augmentation to an organization’s internal use of SAST tools in Application Security Programs, NetSPI offers triage services. By analyzing the data and assigning degrees of urgency on behalf of the security teams, NetSPI can validate the exploitability of vulnerabilities to remove any false positive findings, allowing development teams the time to focus exclusively on remediation.
  • Secure Code Review (SCR)—Building off the SAST offerings, NetSPI’s SCR offering employs cyber security experts to review underlying frameworks and libraries that are being leveraged to build the application. From there, manual testers identify vulnerabilities that automated scanners cannot detect, such as complex injection attacks, insecure error handling as well as authentication and authorization issues. Additionally, NetSPI offers a streamlined, more economical SCR service which focuses only on reporting around the Open Web Application Security Project® (OWASP) Top 10 vulnerabilities.
Unique to NetSPI is its instructor-led training program around secure coding and remediation for development teams, made available to clients after completion of Static Application Security Testing (SAST) or Secure Code Review (SCR) engagements. Available for class sizes of up to 20, NetSPI’s one-day training details the top five categories of vulnerabilities identified in the SAST or SCR engagement and provides insights specific to that organization as well as remediation or mitigation techniques. “We’ve seen a movement to the left, in terms of prioritizing SCR earlier in the SDLC process as Application Security Programs have evolved,” said Hannan. “We support this strategic approach to security as it is critical to identify and remediate vulnerabilities, and in some cases even prevent them, during the software development phase.” Learn more about Secure Code Review (SCR) and Static Application Security Testing (SAST) from NetSPI online at netspi.com/security-testing/secure-code-review/ or email heather.rubash@netspi.com to schedule an introductory call with Nabil Hannan, Managing Director at NetSPI.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on FacebookTwitter, and LinkedIn. Contact: Tori Norris tori@maccabee.com 612-294-3100 [post_title] => NetSPI Brings Scale, Agility, and Speed to Static Application Security Testing and Secure Code Review [post_excerpt] => On July 28, 2020, we launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services to aid application and software development teams in establishing a more strategic approach to building secure applications. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-brings-scale-agility-speed-static-application-security-testing-secure-code-review [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:53 [post_modified_gmt] => 2021-04-14 06:52:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=19437 [menu_order] => 107 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [15] => WP_Post Object ( [ID] => 19238 [post_author] => 91 [post_date] => 2020-06-30 07:00:16 [post_date_gmt] => 2020-06-30 07:00:16 [post_content] =>
The new offering will help CISOs and software developers/engineers navigate application security to promote cyber security program maturity.
Minneapolis, Minnesota  – Today, NetSPI, the leader in enterprise security testing and vulnerability management, revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, well-balanced, business-objective driven, and mature application security program. While advisory services are not new to NetSPI, the company saw an opportunity to use its breadth of knowledge in security testing to help define and guide organizations to implement application security into broader threat and vulnerability management programs. Through NetSPI’s Strategic Advisory Services, the company will share tangible and data-driven guidance on building or improving application security strategies and other software security initiatives. The three core functions and benefits of the new offering include:
  1. Program Benchmarking: Using real-world data, NetSPI’s program benchmarking services enable IT and security teams to evaluate program maturity against empirical data from the industry, measure and track the progress of security efforts objectively over time, compare security efforts with peers in the same business vertical, and ultimately help organizations adapt to current security best practices. Each benchmarking report will yield an evaluation of the current state of a company’s Application Security Program with details around focus areas for improvement along with areas that are currently addressing the organization’s Application Security needs effectively.
  2. Roadmap Development: Commonly performed alongside benchmarking, NetSPI’s roadmapping services define the future state of application security programs and the strategic path forward. The program roadmap will guide security stakeholders to determine the best approach to optimize application security investments by identifying unique organizational needs, leveraging established frameworks, and performing penetration tests to allow for early discovery of the types of vulnerabilities that exist while determining realistic goals and defining an appropriate timeline around key milestones.
  3. Security Metrics Development: Metrics, unlike raw data or measurements, can help answer specific business questions and help teams track progress. They are a critical component for measuring ROI of security programs, but organizations often lack the proper metrics to evaluate how application security efforts are influencing and helping achieve their business objectives. With NetSPI’s security metrics services, organizations will work with a consultant to define metrics that can be automated by leveraging existing business processes and raw data to provide necessary context to make effective business decisions.
“Given how fast application development techniques and methodologies are transforming, companies need to ensure that their security practices are staying current with the ever-evolving pressures around compliance and governance, software deployment, DevOps, Software Development Lifecycle (SDLC), and training,” said Nabil Hannan, managing director at NetSPI. “Understanding the current level of maturity and developing a data-driven plan to evolve your application security program is key to the success of your organization’s security efforts.” Learn more about Strategic Advisory Services from NetSPI online at Strategic Advisory or email heather.rubash@netspi.com to schedule an introductory call with Nabil Hannan, Managing Director at NetSPI.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track, and fix their vulnerabilities faster. Follow us on FacebookTwitter, and LinkedIn. [post_title] => NetSPI Reimagines Strategic Advisory Services, With a Focus on Application Security [post_excerpt] => On June 30, 2020, we revealed a new application-centric approach to its Strategic Advisory Services to help organizations gain a competitive edge through a formalized, well-balanced, business-objective driven, and mature application security program. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-reimagines-strategic-advisory-services-focus-application-security [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:52:58 [post_modified_gmt] => 2021-04-14 06:52:58 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=19238 [menu_order] => 113 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [16] => WP_Post Object ( [ID] => 17790 [post_author] => 91 [post_date] => 2020-03-17 07:00:33 [post_date_gmt] => 2020-03-17 07:00:33 [post_content] =>
On March 17, 2020, we shared the below communication with our customers in regards to COVID-19, and wanted to make it available to the broader community.
Minneapolis, Minnesota  –  During these unprecedented times, our team wanted to reach out, first and foremost, to wish you continued health and safety. In addition, we wanted to share how we are responding to the evolving COVID-19 situation through ongoing business continuity planning and our flexible approach to move forward with your penetration testing while also protecting your critical infrastructure.

NetSPI's Business Continuity Planning

We run business continuity planning exercises regularly, and recently performed a special exercise to simulate additional work-from-home load. All systems performed well in this test and validated our resiliency in a situation where all physical NetSPI offices are closed. In addition, our Resolve™ platform is crucial to our resiliency in that it allows our team of testers and project managers to communicate seamlessly with your team ensuring you can prioritize and fix your vulnerabilities faster.

Flexibility to Protect Your Critical Infrastructure

NetSPI is extremely flexible and our testing is built to ensure we do not impact your critical infrastructure. As such, we can:

  • Perform off-hours testing.
  • Modify the configuration of our tools (tweak our systems to go lower and slower than normal).
  • Conduct testing in QA and dev environments for pre-production application testing.

Employee Health and Travel

The health and safety of our employees is our primary concern. We are following CDC, state, and local guidelines for our staff and office closures. As a global organization, we have always supported a strong virtual infrastructure for team collaboration. At this time, most of our client interaction is taking place over email, phone, and video conference. We continue to focus on exceeding expectations, maintaining connectivity, and ensuring continued contact with all clients to answer questions and manage your testing needs. NetSPI is a strong, healthy business and team. Our clients can be confident leveraging our testing expertise which will continue without interruption. You are the backbone of our business and we thank you for your continued partnership and confidence. If you have specific questions about a project, please reach out to your sales or PMO contact. If you would like to speak directly to someone on our Executive Team, please feel free to contact me directly. We appreciate your business and look forward to continuing to serve you. Aaron Shilts President & COO Aaron.Shilts@NetSPI.com C: 612-326-4018 [post_title] => NetSPI Response to COVID-19 [post_excerpt] => On March 17, 2020, we shared the below communication with our customers in regards to COVID-19, and wanted to make it available to the broader community. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-response-to-covid-19 [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:53:04 [post_modified_gmt] => 2021-04-14 06:53:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=17790 [menu_order] => 154 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [17] => WP_Post Object ( [ID] => 16655 [post_author] => 91 [post_date] => 2020-02-17 07:00:15 [post_date_gmt] => 2020-02-17 07:00:15 [post_content] =>
PTaaS will be demoed at RSAC 2020, showcasing how the delivery model enables organizations to keep pace with today’s cybersecurity landscape.
Minneapolis, Minnesota  –  NetSPI, the leader in enterprise security testing and vulnerability management, today debuted its new delivery model, Penetration Testing as a Service (PTaaS) powered by the Resolve™ platform. PTaaS puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and add the ability to perform always-on continuous testing. Taking note of customer needs and emerging attack surfaces, NetSPI has leveraged its knowledge in traditional, point-in-time pentests to develop a scalable, always-on model for enterprise security testing. NetSPI PTaaS delivers program-level security testing composed of an expert manual pentesting team enhanced by automation. “During our 20 years of penetration testing, our clients have consistently asked for guidance to understand, report on, and remediate their security vulnerabilities. While we’ve been excited to provide this assistance, we also knew there was more we could do to meet all our clients’ needs, which led to the creation of PTaaS,” said NetSPI President and Chief Operating Officer, Aaron Shilts. “As a leader in the cybersecurity industry, our experts have always found vulnerabilities that others miss, but PTaaS allows us to go a step further – delivering clear, actionable recommendations to our customers, enabling them to find and fix their vulnerabilities faster.” According to Gartner, “although separate from VA, penetration testing plays an important role in the prioritization and assessment of vulnerabilities from Gartner’s RBVM (risk-based vulnerability management) methodology. These services are testing your environment, with real-world skills and knowledge of the prevailing threat landscape. 
Security leaders need to take these recommendations and apply it directly in your security programs to address their prioritized findings.”* NetSPI believes PTaaS powered by Resolve™ solves critical cybersecurity challenges, by enabling:
  • Real-time accessible reporting: Gone are the days of managing multiple static PDF reports with out-of-date vulnerability information. With PTaaS powered by Resolve™, organizations can access their data in real-time as vulnerabilities are found by the NetSPI team of experts, and easily generate custom reports as desired.
  • Increased speed to remediation: PTaaS powered by Resolve™ helps organizations fix their vulnerabilities faster than traditional pentesting. Resolve™, a SaaS platform, will house all vulnerability data and provide remediation guidance for real-time access and assessment. In addition, customers can communicate with NetSPI security experts via the platform for additional clarity, to request remediation testing, or to scope a new engagement.
  • Continued manual testing: NetSPI’s team of highly skilled employees will continue its award-winning service of deep-dive manual penetration testing as automated pentesting and scanners will only ever find a portion of an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.
  • More testing: Organizations with a mature security program understand that point-in-time testing is not a viable model to continuously secure their applications and networks. New code and configurations are released every day, and PTaaS powered by the Resolve™ platform’s continuous security program delivers results to customers around the clock, enabling them to manage their vulnerabilities easier and more efficiently.
Learn more about NetSPI PTaaS powered by Resolve™ here, or set up a 1:1 meeting at RSAC on February 24-28 online here. *Gartner “Market Guide for Vulnerability Assessment,” Craig Lawson, et al., 20 November 2019

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn. Media Contact Tori Norris Maccabee Public Relations Email: tori@maccabee.com Phone: (612) 294-3100 [post_title] => NetSPI Introduces Penetration Testing as a Service (PTaaS) Powered by Resolve™ [post_excerpt] => PTaaS will be demoed at RSAC 2020, showcasing how the delivery model enables organizations to keep pace with today’s cybersecurity landscape. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-introduces-penetration-testing-as-a-service-ptaas-powered-by-resolve [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:00 [post_modified_gmt] => 2021-04-14 06:54:00 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=16655 [menu_order] => 162 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [18] => WP_Post Object ( [ID] => 16308 [post_author] => 91 [post_date] => 2020-02-04 07:00:34 [post_date_gmt] => 2020-02-04 07:00:34 [post_content] =>
NetSPI Heads to RSAC 2020 to Showcase and Demo Penetration Testing as a Service (PTaaS) Powered by Resolve™
Minneapolis, Minnesota  –  NetSPI, a leader in vulnerability testing and management, is exhibiting at RSAC 2020 at the Moscone Center in San Francisco. On February 24-28, the halls will be filled with cybersecurity industry conversations, including expert-led sessions and keynotes, innovation programs, in-depth tutorials and trainings, expanded networking opportunities, product demos, and more. This year, the conference theme is “Human Element,” exploring our critical role in ensuring a safer, more secure future. During the conference, the NetSPI leadership team will be showcasing its new Penetration Testing as a Service (PTaaS) delivery service model powered by Resolve™.

Who:

Deke George, Founder and CEO at NetSPI Aaron Shilts, President and COO at NetSPI Charles Horton, SVP Client Services at NetSPI Jake Reynolds, Product Manager at NetSPI

What:

RSAC Exhibitor Booth – Meet the NetSPI team at booth #4201 to learn more about their expertise in penetration testing and vulnerability management. Get a first look and demo of PTaaS Powered by Resolve™. “Scaling Your Security Program with Penetration Testing as a Service” – Whether managing an annual penetration test, or delivering and prioritizing millions of vulnerabilities, traditional service delivery methods fall short. Visit booth S-1500 in the RSAC Briefing Center on Thursday, February 28 at 4:40pm PST to hear NetSPI Product Manager Jake Reynolds speak about how Penetration Testing as a Service scales and operationalizes continuous penetration testing in an ongoing, consumable fashion. View the full conference agenda here.

When:

February 24-29, 2020

Where:

Booth #4201 Moscone Center San Francisco, California

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top ten U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn. Media Contact Tori Norris Maccabee on behalf of NetSPI Email: tori@maccabee.com Phone: (612) 294-3100 [post_title] => NetSPI Heads to RSAC 2020 to Showcase and Demo Penetration Testing as a Service (PTaaS) Powered by Resolve™ [post_excerpt] => NetSPI, a leader in vulnerability testing and management, is exhibiting at RSAC 2020 at the Moscone Center in San Francisco. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-heads-to-rsac-2020-to-showcase-and-demo-pen-testing-as-a-service-ptaas-powered-by-resolve [to_ping] => [pinged] => [post_modified] => 2021-04-14 07:13:25 [post_modified_gmt] => 2021-04-14 07:13:25 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=16308 [menu_order] => 165 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [19] => WP_Post Object ( [ID] => 16211 [post_author] => 91 [post_date] => 2020-01-21 07:00:32 [post_date_gmt] => 2020-01-21 07:00:32 [post_content] =>
Hannan brings 13 years’ cyber security experience to help NetSPI clients overcome vulnerability management challenges.
Minneapolis, Minnesota  –  NetSPI, a leader in enterprise security testing and vulnerability management, has added Nabil Hannan as Managing Director, where he will work with NetSPI clients on strategic security solutions incorporating both technology and services. “NetSPI’s innovative technology and services are essential for any high performing security program,” said Aaron Shilts, NetSPI President and COO. “Strategically, we continue to strive to be at the leading edge of this industry, providing valuable, actionable guidance to our clients, and Nabil adds to our ability to do this. He will consult directly with our clients and advise them on how to solve their most critical cyber security challenges in 2020 and beyond.” Hannan comes to NetSPI with a deep background in building and improving effective software security initiatives, with expertise in the financial services sector. Most notably, in his 13 years of experience in cyber security consulting, he held a position at Cigital/Synopsys Software Integrity Group, where he identified, scoped, and delivered on software security projects, including architectural risk analysis, penetration testing, secure code review, malicious code detection, vulnerability remediation, and mobile security assessments. Hannan has also worked as a Product Manager at Research In Motion/BlackBerry and has managed several flagship initiatives and projects through the full software development life cycle. “Cyber security is more critical today than ever before. We’ve all seen news of breaches in the headlines and may have even been affected by these breaches personally,” said Nabil Hannan, NetSPI Managing Director. “I look forward to advising NetSPI’s prestigious client base and helping companies protect their organizations, strategic assets, and valuable intellectual property. 
My role will also support NetSPI’s vision to help organizations build and maintain strong threat and vulnerability management programs – leveraging both technology and human capital.” Learn more about NetSPI’s Advisory Services at http://netspi.com/services/strategic-advisory/ or connect with Nabil on Twitter or LinkedIn.

About NetSPI

NetSPI is the leader in enterprise security testing and vulnerability management. We are proud to partner with seven of the top 10 U.S. banks, the largest global cloud providers, and many of the Fortune® 500. Our experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces. We uniquely deliver Penetration Testing as a Service (PTaaS) through our Resolve™ platform. Clients love PTaaS for the simplicity of scoping new engagements, viewing their testing results in real-time, orchestrating remediation, and the ability to perform always-on continuous testing. We find vulnerabilities that others miss and deliver clear, actionable recommendations allowing our customers to find, track and fix their vulnerabilities faster. Follow us on Facebook, Twitter, and LinkedIn. Media Contact Tori Norris Maccabee Public Relations Email: tori@maccabee.com Phone: (612) 294-3100 [post_title] => NetSPI Adds Seasoned Security Expert Nabil Hannan to Its Team [post_excerpt] => Hannan brings 13 years’ cyber security experience to help NetSPI clients overcome vulnerability management challenges. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-adds-seasoned-security-expert-nabil-hannan-to-its-team [to_ping] => [pinged] => [post_modified] => 2021-04-14 07:11:03 [post_modified_gmt] => 2021-04-14 07:11:03 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=news&p=16211 [menu_order] => 167 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [20] => WP_Post Object ( [ID] => 15848 [post_author] => 91 [post_date] => 2020-01-14 07:00:02 [post_date_gmt] => 2020-01-14 07:00:02 [post_content] =>

Over the past 20 years of working with companies of all sizes and ages, NetSPI has seen some of the best and worst infosec programs. No matter what stage you’re in with developing your program, keep these three best practices in mind today to set your team and company up for success tomorrow.

Scalability First

Build scalability into every strategy and program. Ask yourself “Will this scale?” at every step. It’s very easy to paint yourself into a corner focusing on a tactical solution when a security alert or emergency occurs, so take a minute to stop and think about whether your solution is going to scale if it is implemented company-wide. If your “solution” is not scalable, you may end up with two or three times the work and expense later, so try to quantify the lifetime impact of your decision upfront.

Another scalability-related tip is to plan to be successful from the outset. Choose scalable tools and processes, supported by flexible staffing, to help manage growth efficiently.

Be Flexible

Find a balance between repeatability and consistency vs. flexibility and agile ingenuity. Some processes need to be rigid and consistent, while some can be more freeform. In the past, we’ve tried to engineer a process to enforce a set of constraints only to learn that it did not really matter or mitigate risk. In the security community we tend to look for ways to make processes repeatable and remove their dynamics, but by doing so, we sometimes lose the intended purpose of the activity. It’s more art than science, but finding a balance between flexibility and rigidity is important.

Plan for Communication and Collaboration

Many problems can be traced back to miscommunication and misunderstanding of what is usually a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your program is critical.

Keep in mind that people interpret words differently. Scan, assessment, risk, and vulnerability have different meanings to different people, and this has resulted in miscommunication and differing expectations. Take a step back to clearly define those terms and ensure everyone is on the same page.

[post_title] => Three Things To Remember When Building Your InfoSec Program [post_excerpt] => Over the past 20 years of working with companies of all sizes and ages, NetSPI has seen some of the best and worst infosec programs. [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => three-things-to-remember-when-building-your-infosec-program [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:56:19 [post_modified_gmt] => 2021-04-14 00:56:19 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=15848 [menu_order] => 168 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [21] => WP_Post Object ( [ID] => 13214 [post_author] => 91 [post_date] => 2019-07-31 07:00:03 [post_date_gmt] => 2019-07-31 07:00:03 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2019, Aug. 7-8 (booth #105) in Las Vegas, NV. NetSPI will present and exhibit at the conference to showcase vulnerability management and penetration testing solutions that improve an organization’s information security posture. NetSPI’s security experts will provide best practices and insights during their presentations and will also be available to meet 1:1. Schedule a session now.

Presentations at NetSPI Booth #105

Attacking Modern Environments through SQL Server with PowerUpSQL

When: Wednesday, August 7 at 10:30 a.m., 1:00 p.m., and 4:30 p.m.; Thursday, August 8 at 11:00 a.m. Where: NetSPI Booth #105 Presenter: Scott Sutherland Session Summary: PowerUpSQL provides insight into the risks that misconfigured SQL Servers pose to enterprise environments. See how PowerUpSQL can be used to perform SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as Active Directory Recon and OS command execution. We’ll share an msbuild script that can be used to launch an offensive SQL Server shell with data exfiltration capabilities. Get PowerUpSQL at https://github.com/NetSPI/PowerUpSQL/wiki

Attacking Azure Environments with MicroBurst

When: Wednesday, August 7 at 11:00 a.m., 1:30 p.m., and 5:00 p.m.; Thursday, August 8 at 10:30 a.m. Where: NetSPI Booth #105 Presenter: Karl Fosaaen Session Summary: Azure tenant misconfigurations are extremely common.  See how MicroBurst can be used to perform service discovery, weak configuration auditing, privilege escalation, and other post exploitation actions such as password recovery and OS command execution. Get a preview of an update to MicroBurst. Get MicroBurst at https://github.com/NetSPI/MicroBurst

Inveigh New Release Review

When: Wednesday, August 7 at 11:30 a.m., 2:00 p.m., and 5:30 p.m.; Thursday, August 8 at 11:30 a.m. Where: NetSPI Booth #105 Presenter: Kevin Robertson Session Summary: Learn about the new 1.5 release of Inveigh, a Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer, and man-in-the-middle tool. Plus, we’ll delve into the first non-development release of InveighZero, the C# version of Inveigh. See new features, differences, and Windows post-exploitation use cases for both tools. Get Inveigh at https://github.com/Kevin-Robertson/Inveigh

Learn more at NetSPI Booth #105

In addition to the presentations, attendees will have the opportunity to learn more about the following:

Application and Infrastructure Security Testing Services

See how NetSPI’s security testing services are designed to address bandwidth, expertise gaps, and compliance needs. NetSPI provides:
  • Application Penetration Testing Services
  • Network Penetration Testing Services
  • Cloud Infrastructure Penetration Testing Services
  • NetSPI Resolve™ Threat and Vulnerability Management Software
  • Security Program Transformation Services
NetSPI’s penetration testing services cover everything from mobile and web apps to cloud, network, mainframe, IoT, and more. Additional strategic services include threat and vulnerability management assessments, and attack simulation services that encompass red team, social engineering, detective controls testing, and more.

NetSPI Resolve™ Vulnerability Management and Orchestration Software

Many companies run multiple vulnerability scanners, but making sense of the data, plus manual penetration testing reports and remediation status from across a global enterprise, is a massive manual effort. Resolve™ correlates all vulnerability data across your organization into a single view, so you can find, prioritize, and fix vulnerabilities faster. With data integration, Resolve™ can also show the remediation status of identified vulnerabilities. This results in vulnerability management processes that scale for global organizations. Learn how NetSPI Resolve™ removes the risk of managing vulnerabilities in spreadsheets, and the arduous administrative tasks that cause inefficiencies. NetSPI Resolve™ reduces your risk while increasing your security testing coverage by more than fifty percent without adding additional staff.

Schedule a Security Advisory Session with NetSPI

Sign up for a one-on-one security advisory session or a software demo at Black Hat USA 2019.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes penetration testing services, vulnerability management software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn. [post_title] => NetSPI to Present and Exhibit at Black Hat USA 2019 Information Security Conference [post_excerpt] => NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2019, Aug. 7-8 (booth #105) in Las Vegas, NV. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-to-present-and-exhibit-at-black-hat-usa-2019-information-security-conference [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:15 [post_modified_gmt] => 2021-04-14 06:54:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13214 [menu_order] => 179 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [22] => WP_Post Object ( [ID] => 13210 [post_author] => 91 [post_date] => 2019-03-26 07:00:52 [post_date_gmt] => 2019-03-26 07:00:52 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC, the leading provider of application and network security testing solutions, announced today it achieved a 50% year-over-year revenue increase in 2018 as it continued to expand its product line up, staff, clients, and office locations. 
“In 2018, NetSPI evolved into a high performance, high growth security company,” said President and Chief Operating Officer, Aaron Shilts. “We achieved significant growth driven from our top accounts, adding new clients, and taking market share from competitors in the penetration testing space.” In a mature market that is growing less than 10% per year, NetSPI is growing at more than five times that rate due to the increased efficiency and accuracy of its Resolve™ platform. To manage this rapid growth, NetSPI strengthened its senior management team with the addition of two industry veterans, Chief Financial Officer, Jeni Bahr, and Chief Information Security Officer, Bill Carver.  The company also added more staff, bringing the total to over 100 employees in Q418. To accommodate a larger workforce the company completed significant renovations to its Minneapolis corporate headquarters and opened its first office in the Pacific Northwest, a region that delivered significant revenue in 2018. Last year also marked the first full year of operation for the company’s Dallas office, ground zero for new product development.  Due to the efforts of the development team, NetSPI rolled out a number of new offerings in 2018. These included a complete rebuild of the company’s flagship Resolve™ software platform as well as new offerings spanning test and vulnerability management, cloud security, and mainframe testing. “With the launch of these new capabilities we were able to move beyond tactical penetration testing and vulnerability assessments to offer more strategic services,” said Shilts. “Looking forward, I expect us to increasingly help leading companies define and then build their security programs.” Last year NetSPI also increased its thought leadership activities and ramped up customer communication with the launch of the Our Thinking blog and hosted its first customer advisory board at The Biltmore in Asheville, NC. 
This new annual event brings together some of NetSPI’s largest customers to help set current and future product direction, prioritize new product capabilities, and gain insights into current challenges and markets. The company also hosted its largest class size ever at NetSPI University, more than doubling the number of students compared to 2017. “Attracting and retaining qualified talent is the number one challenge for cybersecurity leaders today, so NetSPI doubled-down on our rigorous training program, helping develop the next generation of penetration testing experts," said Shilts. Looking forward, NetSPI expects another strong year of growth in 2019 with increasing revenue as a result of bringing the new Resolve™ 7 platform to market as well as continued account and geographic expansion.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes security testing services, vulnerability orchestration software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn. [post_title] => NetSPI Announces 50% Year-Over-Year Revenue Growth And Rapid Expansion [post_excerpt] => The leading provider of application and network security testing solutions, announced today it achieved a 50% year-over-year revenue increase in 2018 as it continued to expand its product line up, staff, clients, and office locations. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-announces-50-year-over-year-revenue-growth-and-rapid-expansion [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:18 [post_modified_gmt] => 2021-04-14 06:54:18 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13210 [menu_order] => 183 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [23] => WP_Post Object ( [ID] => 13208 [post_author] => 91 [post_date] => 2019-02-19 07:00:24 [post_date_gmt] => 2019-02-19 07:00:24 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at RSA Conference 2019 (Booth 4400, North Expo) in San Francisco, March 4-8, 2019. 
NetSPI will showcase its cybersecurity testing services and NetSPI Resolve™ vulnerability management and orchestration platform, which help organizations to scale and operationalize threat and vulnerability management programs. At RSA, NetSPI’s security experts will provide complimentary one-on-one sessions with attendees upon request to discuss the attendees’ security needs and to share best practices and insights for security and compliance. Attendees are encouraged to connect with NetSPI at RSA: NetSPI will also participate in the Expo Pub Crawl at RSA on Wednesday, March 6, 4:30 – 6:00 p.m. More about NetSPI’s services and solutions to be exhibited at RSA: Application & Infrastructure Security Testing Services:  See how NetSPI’s security testing services are designed to address bandwidth, expertise gaps, and compliance needs. NetSPI provides penetration testing services of mobile and web apps to cloud, network, mainframe, IoT, and more. Additional strategic services include threat and vulnerability management assessments, and attack simulation services for red team, social engineering, detective controls testing, and more. NetSPI Resolve™ Vulnerability Orchestration Software: See how NetSPI Resolve™ enables the orchestration of cyber security efforts across an entire organization to shorten the vulnerability management life cycle and improve the organization’s security posture. Businesses are flooded by vulnerability data that is often managed with manual and time-consuming processes. Resolve™ brings order to this chaos by helping customers fix vulnerabilities faster – and provide the insight they need to triage and prioritize remediation efforts to focus cybersecurity resources and reduce risk.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes security testing services, vulnerability orchestration software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn. [post_title] => NetSPI to Exhibit at RSA Conference 2019 [post_excerpt] => NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at RSA Conference 2019 (Booth 4400, North Expo) in San Francisco, March 4-8, 2019. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-to-exhibit-at-rsa-conference-2019 [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:24 [post_modified_gmt] => 2021-04-14 06:54:24 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13208 [menu_order] => 187 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [24] => WP_Post Object ( [ID] => 13206 [post_author] => 91 [post_date] => 2019-01-30 07:00:47 [post_date_gmt] => 2019-01-30 07:00:47 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC, the leader in orchestrated vulnerability management and security testing, has announced the launch of NetSPI Resolve™, an end-to-end solution for vulnerability management and orchestration. Companies face a growing number of vulnerabilities, leaving them at risk for data breaches that are expensive and damaging to their reputation. 
Resolve™ enables the orchestration of cyber security efforts across an entire organization, so businesses can shorten the vulnerability management life cycle and improve their security posture. “Businesses are flooded by vulnerability data from scanners and pentesters, but all that information doesn't add up to a coherent picture. Data piles up from multiple security testing sources, and there is no consistent way to track or prioritize vulnerabilities. It’s a manual and time-consuming process to try to make sense of your risk exposure, let alone track and report on it,” said Deke George, NetSPI CEO. “Resolve™ essentially brings order to this chaos. Not only does it help customers fix vulnerabilities faster – but it also gives them the insight they need to triage and prioritize remediation efforts, so they can focus their resources on the most critical issues and continuously reduce their risk.” The number of disclosed vulnerabilities has increased each year. In an attempt to find them all, many organizations use multiple scanners along with in-house or third-party manual penetration testing, generating a large amount of overlapping data. Resolve™ automatically correlates this disparate data into a single system of record, allowing organizations to coordinate security teams’ efforts, track remediation progress, and report on vulnerabilities across teams and departments. The result is improved visibility of vulnerabilities, faster time to remediation, and reduced exposure to risk. “There aren’t enough cyber security professionals – the unemployment rate for cyber security professionals is about zero,” George said. “The only way organizations can close critical security gaps is by automating and orchestrating security tasks to reduce manual overhead, so they can get more done without more employees or longer hours. 
We’re excited to offer customers a solution to some of their biggest cyber security challenges.” NetSPI, which also offers pentesting and vulnerability management services, initially developed the platform to support execution and delivery of services to its customers. The platform was designed to ingest and correlate vulnerabilities from disparate sources, standardize the vulnerability knowledge base and remediation recommendations, ensure consistency in pentest execution and resulting outcomes, and track and report progress with actionable information to prioritize resources. NetSPI Resolve™ offers the same capabilities to customers’ internal security teams, as a cloud-based solution that can scale to handle tens of millions of vulnerabilities. NetSPI Resolve™ will be showcased at a series of happy hour events during the last two weeks of March in Minneapolis, New York City, Atlanta, Seattle, Dallas, and Toronto. To register or learn more, visit Resolve™.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes security testing services, vulnerability orchestration software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn. [post_title] => NetSPI Launches New Vulnerability Management and Orchestration Platform [post_excerpt] => NetSPI Resolve™ automatically correlates vulnerability data from any source into a single view for the whole organization so you can prioritize and fix vulnerabilities faster, and continuously reduce your risk exposure. 
[post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-launches-new-vulnerability-management-and-orchestration-platform [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:28 [post_modified_gmt] => 2021-04-14 06:54:28 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13206 [menu_order] => 188 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [25] => WP_Post Object ( [ID] => 13202 [post_author] => 91 [post_date] => 2019-01-24 07:00:08 [post_date_gmt] => 2019-01-24 07:00:08 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC, the leading provider of threat and vulnerability orchestration and security testing, announced today it will partner with University of Minnesota Masonic Children’s Hospital as part of a new philanthropic program called “NetSPI Gives.” “While NetSPI continues to see business growth both nationally and globally, we haven’t forgotten about giving back to our local community,” said Vice President of People Operations, Meghan Hermann. As a leading high-tech, research-focused cybersecurity company, NetSPI could immediately relate to the groundbreaking research going on at University of Minnesota Masonic Children’s Hospital. In particular, the hospital’s pediatric cancer advancements struck a chord. “We were so excited to connect with the team at the hospital and knew immediately that we needed to make a big contribution,” said Hermann. “All 110 of our employees from across the country will be together in Minneapolis this week where we will kick-off the partnership with the hospital.” To manage all of the company’s philanthropic activities so they can make the biggest impact possible, it decided to create a program called NetSPI Gives. As part of the new program, the company plans to donate time and money as part of a charitable initiative each quarter. 
“Our physician-scientists are pursuing new avenues of research to develop powerful alternatives that are even safer and more effective treatments for childhood cancers,” said Nick Engbloom, Director of Community Partnerships for University of Minnesota Masonic Children’s Hospital. “We are excited to partner with NetSPI’s volunteer and philanthropic efforts, which will play an essential role in elevating the impact on pediatric cancer research here.” “Our employees are always motivated by opportunities to give back to our community and are thrilled to be making a significant and lasting impact on children at the hospital," said Hermann. "We're excited about this important step in NetSPI’s growth and look forward to continuing to make a difference in the local community.” Currently, plans are underway for a number of fundraising and charitable events at the hospital involving NetSPI staff. For more information and announcements, follow NetSPI on Facebook, Twitter, and LinkedIn.

About University of Minnesota Masonic Children's Hospital

University of Minnesota Masonic Children's Hospital brings hope and healing to children and families by caring for one child at a time, while advancing education, research, and innovation on behalf of all children. By working as one health care team centered on its youngest patients, University of Minnesota Masonic Children’s Hospital and pediatric clinics create exceptional care experiences for children and their families in Minnesota and around the world.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes security testing services, vulnerability orchestration software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn. Media Contacts Krystle Barbour Media and Public Relations Specialist M Health +1.612.626.2767 [post_title] => NetSPI Partners with University of Minnesota Masonic Children’s Hospital as Part of New Philanthropic Program [post_excerpt] => NetSPI announces it will partner with University of Minnesota Masonic Children’s Hospital as part of a new philanthropic program called “NetSPI Gives.” [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-partners-with-university-of-minnesota-masonic-childrens-hospital-as-part-of-new-philanthropic-program [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:33 [post_modified_gmt] => 2021-04-14 06:54:33 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13202 [menu_order] => 189 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [26] => WP_Post Object ( [ID] => 13212 [post_author] => 91 [post_date] => 2019-01-12 07:00:59 [post_date_gmt] => 2019-01-12 07:00:59 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC, the leader in vulnerability management tools and penetration testing services, has released the NetSPI Resolve™ vulnerability management integration framework. 
The data integration tool allows financial, healthcare, retail, technology, and other businesses to automate time-consuming manual processes and improve vulnerability management. More than 20,000 new software vulnerabilities are identified annually. Cyber-attackers use these vulnerabilities to breach networks, websites, and applications – and steal sensitive data. Many companies run multiple vulnerability scanners in an effort to find and fix vulnerabilities before attackers exploit them. Unfortunately, each vulnerability scanner uses its own data format and definitions. Making sense of the scanner data, manual penetration testing reports and remediation status from across a global enterprise is a massive manual effort. The NetSPI Resolve™ vulnerability management and orchestration platform makes sense of the data from all these sources and makes a risk-based assessment to identify the most critical vulnerabilities to prioritize for remediation. With data integration, Resolve™ can also show the remediation status of identified vulnerabilities – whether their status is open, in remediation, or risk-accepted. The result is a vulnerability management process that scales for global organizations. The NetSPI Resolve™ vulnerability management integration framework enables companies to: Save time with automated data flows. The visual integration framework lets users automate the bidirectional flow and mapping of disparate data – quickly and easily – while maintaining the performance of existing vulnerability management workflows. Connect popular tools with out-of-the-box integrations. The integration framework supports the most popular application scanners, network scanners, ticketing, remediation, and governance tools, including AppScan, Qualys, Jira, Archer, and more. Build custom data integrations. Users can build their own integrations for other tools using Java, JavaScript, Ruby, Python, or Jython. Get data from structured and unstructured sources.
The integration framework can connect Resolve™ to enterprise data sources, such as corporate databases and Active Directory. In addition, Resolve™ can ingest data from semi-structured and unstructured data sources, such as penetration testing reports. Push data out to other systems. Users can send notifications when vulnerabilities reach a threshold and push vulnerability data to remediation ticketing systems and governance, risk, and compliance (GRC) systems. Join NetSPI at the Gartner Security & Risk Management Summit. The Resolve™ integration framework will be demonstrated publicly for the first time in Booth 1017 at the Gartner Security & Risk Management Summit, June 17-20 in National Harbor, MD. Attendees can request a private demo, or attend the vulnerability management panel, Best practices for updating your vulnerability management program, on Tuesday, June 18 at 1:15 p.m. Learn more about Resolve™ here.

About the Gartner Security & Risk Management Summit 2019

The Gartner Security & Risk Management Summit 2019 features programs focusing on key topics such as business continuity management, cloud security, privacy, securing the Internet of Things (IoT), and the chief information security officer (CISO) role. Gartner analysts will explain the latest information on new threats to enable digital business in a world of escalating risk.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes penetration testing services, vulnerability management software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn. [post_title] => NetSPI Releases Vulnerability Management Integration Framework [post_excerpt] => Out-of-the-box and build-your-own integrations support bidirectional data flow between testing, ticketing, remediation, and governance tools. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-releases-vulnerability-management-integration-framework [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:36 [post_modified_gmt] => 2021-04-14 06:54:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13212 [menu_order] => 190 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [27] => WP_Post Object ( [ID] => 1809 [post_author] => 91 [post_date] => 2019-01-04 07:00:08 [post_date_gmt] => 2019-01-04 07:00:08 [post_content] =>

Software development teams are often at odds with application security teams, specifically pentesting teams. In this post we explore why this happens and the five steps you can take to improve participation in security testing by the development team in your organization.

Conflicting Objectives

At a macro view, the objectives of software development and application security align. Organizations need software and security to operate. But at the micro level, each team has very different objectives that don’t align.

Development teams are measured on delivering functional code on time and on budget, yet development teams regularly struggle to meet release deadlines. There are various reasons as to why, some avoidable and some not. Common reasons include scope creep, scope underestimation, unforeseen roadblocks, and bad planning.

The application security team is at least partially measured on how many vulnerabilities they find. If they don’t find vulnerabilities, that means the development team did a good job, but the security team has a hard time justifying the value they provide. Security teams scrutinize applications deeply because their reputation depends on what they can find. More often than not, they succeed in doing their jobs. The vulnerabilities they find have to be fixed.

The application security testing (AST) process further increases the deadline pressure experienced by development teams. Fixing vulnerabilities takes time and delays code pushes. The outcome is a double whammy. First, the development team’s ability to deliver on time is put in jeopardy. Second, the developers feel as though their own reputations have been tarnished if their code is found to have flaws.

It’s no wonder development teams often chafe, drag their feet, or otherwise hinder the application security testing process. They submit to testing because it’s required, but they are generally not willing participants.

Evaluating Possible Solutions

Rational arguments for application security are already well understood by developers. Training and explanations do nothing to align the conflicting objectives and outcome of application security testing. Reasoning and rationale can only increase willingness so much.

Some organizations try to bake security into the software development lifecycle (SDLC). Time is allocated for application security testing between the release date and the production target. As development projects slip, security is often the first thing to be pushed out so the deadline can be met. Development teams would rather get all the features in and risk an unknown number of security flaws, hoping none exist. This reasoning leads back to the conflicting objectives.

Automation built in during the SDLC to help catch problems early can reduce the findings during a pentest. There is a diminishing return, though. More scanners will not eliminate all of the vulnerabilities found during a pentest. And this does not solve the conflicting objectives.

Five Steps to Buy-in

The best security solutions are also the most convenient. Security is often viewed as a necessary evil by those burdened by the requirements. Reducing the effort needed is the best way to improve buy-in and willingness.

Application security testing orchestration (ASTO) delivers on convenience in many ways:

Step 1

Test scheduling should be as simple as possible. Ideally it should be possible to allow self-service for development teams to view, filter, and schedule security testing slots based on the availability of application security testing resources. This approach reduces the human effort needed to coordinate and schedule tests.

Software delivery dates often slip. Rescheduling pentesting at the last minute can cause a great deal of disruption to the security team. In this case, a backlog of scheduled tests can provide a buffer. For the backlog to work, scoping information for scheduled tests must be ready well ahead of time.

Step 2

Make the process of scoping security testing as seamless and convenient as possible. Your application security testing orchestration tool should track the application scope information on an ongoing basis. Annual application security tests should allow for development stakeholders to carry over prior information. Stakeholders should review and revise it prior to testing, but it’s much easier to revise than to write the entire form again.

Passing a Word document back and forth with comments and track changes gets messy and is hard to manage. Scoping questionnaires should be collaborative web interfaces where security and development can both participate. After the development team has submitted revised scoping information, the security team should review it quickly and verify it from a queue.

If any errors or discrepancies are found, communication should be easy to follow and track. Comments and markup on the scoping form are an ideal way to enable the communication flow. The web form can be mapped into a database in a standardized way and used in automated processes, which is something a Word document cannot do.

Step 3

Vulnerabilities will be found during testing. Providing full context of how to fix the vulnerabilities with high-quality remediation instructions can save the developers much time. Avoid making the developers work to figure out how to fix the problem by providing a remediation instructions library with vetted content. Sure, pentesters can write instructions, but consistency and quality will come from a standard library.

Step 4

Developers work in their own tools. Giving them a laundry list .CSV file of vulnerabilities or a static report is not going to make it easy for them. Don’t make them load the list into their tool or force them to track on a spreadsheet. Manual processes risk losing track of vulnerabilities and increasing developers’ workloads.

Integrate directly with the development team’s Scrum tool. Push vulnerabilities into developers’ existing workflow with the included remediation instructions to save them time and effort. Having a bidirectional sync with the Scrum tool also makes it much easier to track remediation.

Step 5

Retesting and verifying that vulnerabilities have been fixed should be expedient and as automated as possible. Waiting to retest for weeks or months after a developer has fixed the problem will only increase the frustration the developers feel. Some scanners can automatically verify a vulnerability has been fixed, which can be triggered based on an application security testing orchestration process. Automated verification only covers what a scanner can detect, though; findings from manual testing still need a tester’s retest. Adding retest tasks to a queue for the application security team and having a service level agreement (SLA) on the task will also ensure that the security team is following up on the fix in a timely fashion.

Conclusion

While it may not be possible to entirely remove the conflict between application security and software development, it’s certainly possible to ease the inconvenience. Development teams understand the need for security. The experience is generally the problem. Improve the user experience for your developers, just like you would for any customer, and you will have a much easier time getting buy-in for the application security testing process.

[post_title] => Make it Easy on the Development Team [post_excerpt] => Software development teams are often at odds with application security teams, specifically penetesting teams. In this post we explore why this happens and what five steps you can take to improve participation in security testing by the development team in your organization. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => make-it-easy-on-the-devs [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:57:20 [post_modified_gmt] => 2021-04-14 00:57:20 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1809 [menu_order] => 191 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [28] => WP_Post Object ( [ID] => 13200 [post_author] => 91 [post_date] => 2018-12-03 07:00:56 [post_date_gmt] => 2018-12-03 07:00:56 [post_content] => Minneapolis, Minnesota  –  NetSPI LLC,  the leader in orchestrated vulnerability management and security testing, has named Bill Carver as the company’s first Chief Information Security Officer (CISO). As NetSPI’s top security officer, Carver will do for NetSPI what we already do for our clients: ensure our data, communications, systems, assets, and vulnerability orchestration solutions are secure.    Additionally, Carver will leverage his experience managing diverse and complex cybersecurity strategies to safeguard both NetSPI and its global customers from new types of attacks and vulnerabilities. “As an organization, we are committed to being a leader in information security and protection. By creating this role, we are demonstrating that security is embedded in every aspect of our business, from IT architecture and software development to operations, policies, and procedures,” said Aaron Shilts, President and COO. “And Bill is perfect for the role. 
His passion for helping organizations improve their security posture will benefit not only NetSPI, but our clients as well.” Carver, previously NetSPI’s practice director for advisory services, has more than two decades of information security experience. Prior to joining NetSPI, he helped establish consulting services capabilities at Optiv and FishNet Security, focusing on the evaluation and improvement of information security programs. He has also held information security roles at Merck and CitiFinancial. “In today’s globally connected society, cybersecurity is more critical than ever. I am thrilled to contribute to NetSPI’s vision both in leading our internal cybersecurity efforts as well as providing strategic direction to help support our clients’ threat and vulnerability management programs,” Carver said.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes program development, security testing, and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, Minnesota with additional offices in Dallas, Denver, Portland, and New York. For more information about NetSPI, please visit netspi.com. [post_title] => NetSPI Names Bill Carver as New Chief Information Security Officer [post_excerpt] => NetSPI LLC, the leader in orchestrated vulnerability management and security testing, has named Bill Carver as the company’s first Chief Information Security Officer (CISO). [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-names-bill-carver-as-new-chief-information-security-officer [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:40 [post_modified_gmt] => 2021-04-14 06:54:40 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13200 [menu_order] => 193 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [29] => WP_Post Object ( [ID] => 1773 [post_author] => 91 [post_date] => 2018-11-16 07:00:05 [post_date_gmt] => 2018-11-16 07:00:05 [post_content] =>

Many organizations use manually intensive processes when onboarding their application security assessments. Compare the following process with your own experience:

  • Schedule the application security assessment.
  • Assign internal/external penetration testers to conduct the test.
  • Conduct the application security assessment and/or vulnerability scan.
  • Report application vulnerabilities to the remediation team by copying and pasting from various systems.
  • Report multiple duplicates and false positives that had been verified previously.

With a process like the one above, your organization will struggle with delayed timelines and duplicate efforts. And because the process is manual, each step in your lifecycle is prone to human-error. In highly regulated industries, this wasteful approach consumes valuable resources, when resources are already lacking.

Ask the following five questions to assess the strength of your organization’s vulnerability management program:

  • Does your organization have multiple ways for application owners to request application assessments?
  • Do you struggle to scope the assessment properly? For example, can you acquire details such as how dynamic the pages are within your web app, the number of user roles, the application’s code language, etc.?
  • Do you have to follow-up with the application owners for more information or direction after the scoping questionnaires are emailed to the pentesting team?
  • After receiving completed questionnaires, do you send login credentials via email to conduct authenticated application security tests? (Credentials sent by email linger in mailboxes and are easily forwarded, so they should be exchanged through a channel built for secrets rather than email.)
  • Do you email the pentesting team a copy of the concluded assessment results, regardless of the type of test: static application security testing (SAST), dynamic application security testing (DAST) or a manual penetration test?

If you rely on email and manual processes like these for your vulnerability management program, it is probably time for a vulnerability management program overhaul!

Reduce Your Administrative Overhead by 40% to 60%

Even without the headache of sifting through duplicate findings and incurring delays, we have found that organizations can spend from 6 to 10 hours onboarding applications into the vulnerability assessment process. Organizations we’ve interviewed say this massive administrative overhead is reduced by 40%-60% with NetSPI Resolve™, the first commercially available security testing automation and vulnerability correlation software platform.

NetSPI Resolve reduces the time required to identify and remediate vulnerabilities, providing pentesters and their teams with comprehensive automated reporting, ticketing, and SLA management. By utilizing these Resolve features, along with the automation of questionnaire publication, organizations achieve streamlined communication and can complete vulnerability assessments faster, without sacrificing the quality of assessment results.

By reducing – and in some cases, even eliminating – the time needed for administrative tasks, pentesters are able to focus more on what they do best: test.

[post_title] => Five Signs Your Application Security Assessment Process Needs a Reboot [post_excerpt] => With a process like the one above, your organization will struggle with delayed timelines and duplicate efforts. And because the process is manual, each step in your lifecycle is prone to human-error. In highly regulated industries, this wasteful approach consumes valuable resources, when resources are already lacking. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => five-signs-your-application-security-assessment-process-needs-reboot [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:41:56 [post_modified_gmt] => 2021-04-14 06:41:56 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1773 [menu_order] => 195 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [30] => WP_Post Object ( [ID] => 1745 [post_author] => 91 [post_date] => 2018-10-31 07:00:03 [post_date_gmt] => 2018-10-31 07:00:03 [post_content] =>

Data silos happen naturally for many reasons. As an organization grows and their security maturity evolves, they’ll likely end up with one or more of these scenarios.

Using multiple security testing scanners: As the security landscape evolves, so does the need for security testing tools, including SAST and DAST/IAST tools, network perimeter tools, internal or third-party penetration testing, and adversarial attack simulation. Companies that were once functioning with one SAST, DAST and network tool each will begin to add others to the toolkit, possibly along with additional pentesting companies and ticketing and/or GRC platforms.

Tracking remediation across multiple tools: One business unit’s development team could be on a single instance of JIRA, for example, while another business unit is using a separate instance, or even using a completely different ticketing system.

What Problems Do Data Silos Create in a Security Testing Environment?

Data silos can create several problems in a security testing environment. Two common challenges we see are duplicate vulnerabilities and false positives.

Let’s take a look at each one:

Duplicate vulnerabilities: This happens so easily. You’re using a SAST and a DAST tool for scanners. Your SAST and DAST tools both report an XSS vulnerability on the same asset, so your team receives multiple tickets for the same issue. Or, let’s say you run a perimeter scan and PCI penetration test on the same IP range as your vulnerability management team. Both report the same missing patch, and your organization receives duplicate tickets for remediation. If this only happened once, no big deal. But when scaled to multiple sites and thousands of vulnerabilities identified, duplicate vulnerabilities create significant excess labor for already busy remediation teams. The result: contention across departments and slower remediation.

False positives: False positives create extra work, can cause teams to feel they’re chasing ghosts, and reduce confidence in security testing reports. Couple them with duplicate vulnerabilities, and the problems multiply. For example, say your security team reports a vulnerability from their SAST tool. The development team researches it and provides verification information as to why this vulnerability is a false positive. The security team marks it as a false positive, and everyone moves on. Then your security team runs their DAST tool. The same vulnerability is found and reported to the development team who then does the same research and provides the same information as to why this same vulnerability is still a false positive. Now you have extra work as well as the possibility of animosity between security and development teams.

Why Do These Problems Happen—And How Can You Stop Them?

The answer that many security scanner vendors offer is a walled-garden solution, or closed platform. In other words, these security tools cannot ingest vulnerabilities from outside their own solution suite. This approach may benefit the security solution vendor, but it hamstrings your security teams. Organizations reliant on these platforms either cannot select among best-in-breed security tools for specific purposes, or they risk losing a single, coherent view of their vulnerabilities enterprise-wide.

NetSPI recommends finding a vulnerability orchestration platform provider that can ensure choice while still delivering a single source of record for all vulnerabilities. Using a platform that can automatically aggregate, normalize, correlate and prioritize vulnerabilities allows organizations to retain the agility to test emerging technologies using commercially owned, open source, or even home-grown security tools. Not only will this minimize the challenges caused by data silos, but it can allow security teams to get more testing done, more quickly.

When we built NetSPI Resolve™, our own vulnerability orchestration platform, we built it to eliminate walled gardens. Development of the platform began almost twenty years ago, and it is the first commercially available security testing automation and vulnerability correlation software platform that empowers you to reduce the time required to identify and remediate vulnerabilities. As a technology-enabled service provider, we didn’t want to limit our testers to specific tools. NetSPI Resolve empowers our testers to choose the best tools and technology. More than that, because NetSPI Resolve can ingest and integrate data from multiple tools, it also provides our testers with comprehensive, automated reporting, ticketing, and SLA management. By reducing or eliminating the time for these kinds of tasks, NetSPI Resolve allowed testers to do what they do best – test.

Data silos aren’t inevitable, but they are common. Knocking them down will go a long way towards reducing your organization’s cybersecurity risk by decreasing your overall time to remediate.

Learn more about vulnerability orchestration and NetSPI Resolve:

[post_title] => Data Silos: Are They Really a Problem? [post_excerpt] => Data silos happen naturally for many reasons. As an organization grows and their security maturity evolves, they’ll likely end up with one or more of these scenarios. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => data-silos-are-they-really-a-problem [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:57:36 [post_modified_gmt] => 2021-04-14 00:57:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1745 [menu_order] => 198 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [31] => WP_Post Object ( [ID] => 1718 [post_author] => 91 [post_date] => 2018-10-15 07:00:43 [post_date_gmt] => 2018-10-15 07:00:43 [post_content] =>

Stories of new data breaches grab headlines again and again. Many of these breaches are the result of known vulnerabilities left un-remediated, and in some cases, organizations have been aware of these vulnerabilities for years. Why weren’t these problems fixed sooner? Wouldn't organizations try to fix them as soon as possible to avoid a breach?

Every organization strives to fix vulnerabilities rapidly. Unfortunately, fixing vulnerabilities is a complex task.

First, organizations are flooded with vulnerabilities. New vulnerabilities are reported daily and the volume is only increasing. Keeping pace is tough.

Second, there's no single pane of glass for tracking all vulnerabilities. Organizations use multiple scanners to detect vulnerabilities, each living in its own walled garden. Application and network vulnerabilities are treated separately, typically in disconnected systems. Vulnerabilities discovered via pentesting may only reside in reports. Detective control tests find weaknesses in security tools, and auditing tools find vulnerabilities in configurations – and these results may not align with scan results. Unifying multiple sources in a central location, and normalizing the results for accurate tracking, is a big challenge.

Third, even if you have all vulnerabilities in a single pane, remediation processes vary and take time. Application vulnerabilities must go through the software development life cycle (SDLC), while network vulnerabilities have their own workflow. Identifying the right asset owner can be a challenge because CMDB information is often inaccurate. Configuration changes usually need to go through a change control board process, and patches need to be widely deployed across a large number of devices. There is little margin for error: fixing 99% of your vulnerabilities is great, but all it takes is that last 1% to cause a major breach.

On average, for every vulnerability patched, organizations lose 12 days coordinating across multiple teams. Contributing factors include:

  • Use of emails and spreadsheets to manage patching processes (57%)
  • No common view of systems and applications to be patched (73%)
  • No easy way to track if patching occurs in a timely manner (62%)

Fourth, many security organizations spend an inordinate amount of time focused on regulatory compliance. It’s critically important for your organization to build a strong, business-aligned security program that meets regulatory compliance standards. When a program is built to simply “check the box” of compliance, the results are inefficient, insecure, and not aligned with the business.

Finally, and most importantly, sheer human effort is not enough to overcome the vulnerability challenge because organizations don't have enough talent or resources. A solid vulnerability management program requires talent focused on security, development, and operations – three skill-sets that are in high demand. Cybersecurity is experiencing negative unemployment; IT operations is fully occupied maintaining up-time; and developers are immersed in the agile SDLC.

We see common challenges in organizations of all sizes and across many industries. In the coming articles in this series, we'll share our experiences and provide suggestions on how you can solve these challenges!

[post_title] => Recurring Vulnerability Management Challenges That Can't Be Ignored [post_excerpt] => Stories of new data breaches grab headlines again and again. Many of these breaches are the result of known vulnerabilities left un-remediated, and in some cases, organizations have been aware of these vulnerabilities for years. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => recurring-vulnerability-management-challenges [to_ping] => [pinged] => [post_modified] => 2021-04-14 10:37:41 [post_modified_gmt] => 2021-04-14 10:37:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1718 [menu_order] => 200 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [32] => WP_Post Object ( [ID] => 1697 [post_author] => 91 [post_date] => 2018-09-28 07:00:14 [post_date_gmt] => 2018-09-28 07:00:14 [post_content] =>

Here at NetSPI, we see firsthand the struggles enterprises face to fix vulnerabilities. It’s concerning when our pentesters and customers continue to find the same vulnerabilities that have yet to be remediated – at the same client, year after year.

The struggle faced by enterprises in managing vulnerabilities is not limited to manual penetration testing results. Scanners find millions of vulnerabilities in our customer environments, and we see the sheer volume overwhelming their remediation efforts. Even if 99% of assets can be fixed within a reasonable time-frame, a dangerous window of opportunity is allowed to persist if the last 1% lingers.

We're taking action to help our customers solve this challenge. Fortunately, we have a solid foundation from which to tackle the problem.

Our own penetration testing platform, NetSPI Resolve 6, was built for the purpose of managing our own penetration testing process. The Resolve software platform has given NetSPI the competitive edge in pentesting by allowing our pentesters to spend more time on testing and less time on overhead tasks.

Resolve works by:

  1. Ingesting vulnerabilities from any source: scanners and manual pentesting reports
  2. Normalizing the definition of the vulnerabilities to a standard rubric
  3. Correlating the vulnerabilities to de-duplicate and compress the findings
  4. Automatically generating reports

Customers have approached us about whether they could use Resolve in their own environments to help them conquer their challenges. We agreed. Since that time, we've licensed the use of the Resolve platform to the benefit of many organizations, especially those with pentesters.

Now we're taking the next step. You see, Resolve wasn't built for vulnerability management and orchestration, which is the key need facing the majority of our customers.

So we're leveraging the great features of Resolve 6 we at NetSPI use to manage pentesting and expanding the platform to serve the larger vulnerability management and orchestration market. For the past year, we've been rebuilding the Resolve platform for the next generation, Resolve 7.

Resolve 7 will be a service-oriented architecture that scales to the massive data needs of our customers. It will be web-based, using a virtual appliance for easy deployment. We are adding more administration features, such as field-level role-based access control (RBAC) permissions, granular security groups, and single sign-on (SSO) support, to make the platform enterprise-ready out of the box. We've added a vulnerability orchestration component with an integration engine to complement the powerful vulnerability correlation engine. And we're building a new user interface with expanded capabilities for reporting and business intelligence visualizations.

We're building Resolve 7 for you - so you can help stem the tide of your vulnerability flood. We'll showcase new features of Resolve in coming posts, so stay tuned.

Contact us for more information about the availability of NetSPI Resolve 7.0.

[post_title] => What's Next and New with NetSPI Resolve [post_excerpt] => Here at NetSPI, we see firsthand the struggles enterprises face to fix vulnerabilities. It’s concerning when our pentesters and customers continue to find the same vulnerabilities that have yet to be remediated – at the same client, year after year. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => whats-next-and-new-with-netspi-resolve [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:57:49 [post_modified_gmt] => 2021-04-14 00:57:49 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1697 [menu_order] => 202 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [33] => WP_Post Object ( [ID] => 1670 [post_author] => 91 [post_date] => 2018-09-14 07:00:42 [post_date_gmt] => 2018-09-14 07:00:42 [post_content] =>

Previously, we discussed best practices for tracking vulnerability data through to remediation. In this post, we explore the challenge of streamlining human penetration testing (pentesting) data into the vulnerability orchestration process. We provide three best practices you can use when engaging a third-party pentesting company to ensure the pentesting data is delivered in a way that is compatible with your security orchestration process.

Pentesting is an essential threat and vulnerability management process used to discover some of the most important vulnerabilities in your environment. Human pentesters find vulnerabilities that scanners can't catch, but an attacker will find. The challenge often becomes how to track and remediate those vulnerabilities after the test is complete.

Two Challenges of Pentesting Data for Security Orchestration

Vulnerability scanners use known data formats that don't change often, which are easy to incorporate into security orchestration tools. Once you've integrated your scan results into a vulnerability orchestration process and normalized them, you have some confidence that the process will continue to work as designed. In comparison, pentesters often do not follow a known data format and may add information to the report beyond the specific findings.

Findings from third-party penetration testing companies often arrive as a static report in PDF format. This format makes it difficult to streamline those results in an automated way when you expect a standard input. Some reports may come with a CSV file of the findings, which provides a more structured data format, but correlating those findings with existing vulnerabilities may require manual review.

The pentesting company’s report may include custom information. While this documents the vendor's work and shows they did more than a scan, it presents problems for streamlining that data into an orchestrated process - especially if the information must be enriched before sending it to the remediation resources. For instance, the remediation recommendations or the described business impact may not align with your corporate policy. You may disagree with their severity assessment, for example, because you have more knowledge of the asset's importance or mitigating factors in your environment.

Three Best Practices for Pentest Data Compatibility

Receiving formatted, structured pentest results from a penetration testing company allows you to streamline your vulnerability orchestration process and track the findings through to remediation. The following three best practices can help align the pentest data with your organization’s process.

Provide a template for your expected data format. The data format for the pentest findings must be predefined for your vulnerability orchestration and automation to work properly. You know your format, but the pentesting company doesn't. Share your format prior to engaging the vendor to ensure they will accommodate your requirements. The best pentesting company will be able to deliver the results in a structured format that's customized for you.

Provide a reference rubric with IDs for your common vulnerability types. Consider your normalization requirements for vulnerability definitions. If you've standardized the common ones, provide a reference rubric that can be added to the results. This rubric will allow you to correlate each test result directly to an existing definition through its associated reference ID. Once you've put the formatted, structured pentest results into your orchestration process, you can track them to remediation.

Provide a retest template. When submitting a retest request, ensure that the vendor's output matches an expected format so you can automate the data marking for closing the vulnerabilities that have been verified. This might be the same format you started with, or it might be a simpler retest template for the vendor to fill out.

These three best practices can help you ensure the pentesting data is compatible with your vulnerability orchestration process.

Next Steps

Read the earlier posts in this series:

[post_title] => How to Streamline Pentest Data to Security Orchestration [post_excerpt] => Previously, we discussed best practices for tracking vulnerability data through to remediation. In this post, we're explore the challenge of streamlining human penetration testing (pentesting) data into the vulnerability orchestration process. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-to-streamline-penetest-data-to-security-orchestration [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:57:44 [post_modified_gmt] => 2021-04-14 00:57:44 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1670 [menu_order] => 206 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [34] => WP_Post Object ( [ID] => 1654 [post_author] => 91 [post_date] => 2018-08-31 07:00:53 [post_date_gmt] => 2018-08-31 07:00:53 [post_content] =>

Vulnerability data must be tracked in order to ensure remediation - or vulnerabilities can fall through the cracks leaving your organization exposed. Most vulnerability data comes from scanners, though the most important vulnerability data often comes from humans. In this third post of a four-part series on threat and vulnerability management tools, we provide guidance on how to effectively track vulnerability data in the context of orchestration.

Several non-optimized tools commonly used for tracking vulnerability remediation include the following, each of which has significant limitations:

Excel and SharePoint: Companies often use Excel or SharePoint to track remediation from a central list of findings - a single spreadsheet file where dozens of users comb through thousands of vulnerabilities. Tracking remediation this way certainly presents challenges, because spreadsheet tools are not designed to help manage such complicated data sets and team collaboration. The information often gets overwritten or marked improperly. The accuracy of the data is questionable, making reporting difficult.

JIRA: Alternately, some companies use JIRA for tracking software vulnerabilities, which helps ensure that processes are followed. Unfortunately, most organizations have many JIRA instances across their development environments. Distributing the results across many JIRA instances leads to an inability to effectively report on the data. Storing the results in a central JIRA system has advantages, but getting stakeholders to take the time to log in and review the findings in a different system than they use daily can be difficult.

ServiceNow: Some companies attempt to use ServiceNow, which has the advantage of more robust ticketing, to track vulnerabilities on the networking side. Unfortunately, some of the same ingestion challenges exist, and you lose the fidelity of having all of the vulnerabilities in a single place.

Home-built: Other companies have built systems that connect to other internal systems. While they work, home-built tools are difficult to maintain and often are maintained less formally than normal development efforts, as they are unrelated to the core business purpose. These systems are often just databases with a minimal user interface, not fully optimized for the purpose.

Best Practices Checklist: Security Orchestration for Vulnerability Remediation

Best practices for threat and vulnerability management require a system for remediation workflows that can handle the following seven tasks:

  1. Ingestion of various data formats with flexible normalization
  2. Reviewing of normalized data for changes and modifications as needed
  3. Distribution of normalized data to various external systems
  4. Tracking the data distributed externally to keep a central listing up to date
  5. Ensuring policy is adhered to across the various systems where the data is tracked
  6. Sending notifications for users and keeping humans involved in the process, especially when vulnerabilities become overdue
  7. Reporting on the outcome of vulnerabilities by group, business unit, or globally across the organization

As a result, a checklist for a security orchestration tool for vulnerability remediation includes these six capabilities:

  1. Serve as a central clearinghouse of vulnerability data
  2. Automate many steps of the remediation process
  3. Coordinate varying processes based on the organization's internal structure and environment
  4. Integrate with a large number of systems via API
  5. Define a workflow with decision points based on data criteria
  6. Notify key users when something is not right

Make sure any threat and vulnerability management tool you consider can check these six boxes before you try it out.

Next Steps

Read the earlier posts in this series:

[post_title] => How to Track Vulnerability Data and Remediation Workflow [post_excerpt] => Vulnerability data must be tracked in order to ensure remediation - or vulnerabilities can fall through the cracks leaving your organization exposed. Most vulnerability data comes from scanners, though the most important vulnerability data often comes from humans. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-to-track-vulnerability-data-and-remediation-workflow [to_ping] => [pinged] => [post_modified] => 2021-04-14 07:02:15 [post_modified_gmt] => 2021-04-14 07:02:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1654 [menu_order] => 208 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [35] => WP_Post Object ( [ID] => 1644 [post_author] => 91 [post_date] => 2018-08-17 07:00:57 [post_date_gmt] => 2018-08-17 07:00:57 [post_content] =>

In the post Are You Flooded with Vulnerabilities?, we explored the ever-growing mountain of data that organizations face in managing their vulnerabilities. While software is at the root of the vulnerability problem, it's also the solution. As individuals approach large volumes of data, software can support better decision making, collaboration, tracking, and visualization.

The key to a mature threat and vulnerability management program is to set up and consistently follow an established process that tracks each vulnerability throughout its life cycle. Given a best-practices process, the challenge becomes its real-world implementation. Two important capabilities work together to help you implement your process in the real world: automation and security orchestration.

Watch Our Webinar

How Does Automation Work?

Automation eliminates the normal human effort to accomplish a task. Simple, commonplace tasks, such as retrieving data or opening a ticket can be automated. A script encodes a task for software to complete.

However, automation is not a complete solution. When humans operate automation routines, the process tends to break down quickly - and the cost of overhead adds up. Clunky, manual steps may remain, and humans running the automation routines make mistakes. Tribal knowledge tends to get lost over time and consistency is difficult to achieve. This is where security orchestration comes to the rescue.

What is Security Orchestration?

Let's first explore the term. Security orchestration connects multiple systems and automation in a way that provides a consistent process for data to follow. Orchestration is, for example, an automated car assembly line where multiple robots each help build the vehicle as it advances through the manufacturing process. But robots alone are not enough. Like an automation script, each robot only does a specific task. Building a reliable car also requires the overall coordination of individual tasks, which is called orchestration.

At inflection points, decisions can be made on individual records automatically, based on data. Automation scripts can be triggered to perform complex data-parsing tasks. Tool integrations allow for automated data retrieval and synchronization among systems. When human analysis is needed, the process can wait for human input.

Beyond consistent implementation, an even greater benefit of a security orchestration platform is that it allows you to minimize the human overhead and maximize the human capacity for analysis.

Differences Between Security Orchestration and Automation

In review of the differences, here are the points you need to understand when determining if a tool does orchestration, automation, or both:

Automation | Security Orchestration
  • The tool can be configured to calculate values based on input variables
  • The tool can make decisions and perform different actions based on those decisions
  • The tool can connect to various external system APIs
  • The tool can pause and wait
  • The tool can create or update large data sets from various sources
  • The tool can execute sequential automation routines over a time period
  • The tool can run scripts or routines in some format
  • The tool allows configuration of automation steps, decisions, and pauses within a custom workflow
[post_title] => Security Orchestration vs. Automation: What's the Difference? [post_excerpt] => In the post Are You Flooded with Vulnerabilities?, we explored the ever-growing mountain of data that organizations face in managing their vulnerabilities. While software is at the root of the vulnerability problem, it's also the solution. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => orchestration-vs-automation-whats-the-difference [to_ping] => [pinged] => [post_modified] => 2021-04-14 07:02:23 [post_modified_gmt] => 2021-04-14 07:02:23 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1644 [menu_order] => 210 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [36] => WP_Post Object ( [ID] => 13198 [post_author] => 91 [post_date] => 2018-08-03 07:00:25 [post_date_gmt] => 2018-08-03 07:00:25 [post_content] => NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2018, Aug. 8-9 (booth 1643) in Las Vegas, NV. NetSPI will both present and exhibit at the conference to showcase their solutions that improve an organization’s security posture. Event attendees will have the opportunity to see first-hand how NetSPI’s portfolio is designed to address the most critical vulnerability challenges that security organizations face. NetSPI’s security experts will be providing best practices and insights during their presentations and will also be available to meet 1:1. To schedule your sessions, click here. NetSPI’s presentations at Black Hat USA include: PowerUpSQL: A PowerShell Tooklit for Attacking SQL Servers in Enterprise Environments: When:  Thursday, Aug. 9, 2018 at 10:00 a.m. 
Where:  Business Hall (Oceanside), Arsenal Station 4 Who: Scott Sutherland and Antti Rantasaari of NetSPI Session Summary: This session includes training on functions supporting SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post exploitation actions such as OS command execution. The tool includes additional functions used by administrators to quickly inventory the SQL Servers in their Active Directory Server (ADS) domains, and perform common threat hunting tasks related to SQL Server. PowerUpSQL enables red, blue, and purple teams in automating day-to-day tasks involving SQL Server. Mainframe [z/OS] Reverse Engineering and Exploit Development: When:  Thursday, Aug. 9, 2018 at 3:50 p.m. Where:  Jasmine Ballroom Who:  Chad Rikansrud, NetSPI’s Mainframe Partner of RSM Partners Session Summary: Talk to a Fortune 500® company that runs a mainframe and they'll tell you two things: (1) without their mainframes they'd be out of business, and (2) they do not conduct any security research on them, let alone vulnerability scans. This session is focused on providing various tools that exist on the platform to help you in doing your own reverse engineering, followed by detailed steps on how to start your own exploit development. In addition to these presentations, attendees will have the opportunity to learn more about the following: Application & Infrastructure Security Testing Services:  See how NetSPI’s security testing services are designed to address bandwidth, expertise gaps, and compliance needs. NetSPI provides penetration testing services encompassing everything from mobile and web apps to cloud, network, mainframe, IoT, and more. Additional strategic services include Threat & Vulnerability Management Assessments, and attack simulation services, which encompass red team, social engineering, detective controls testing, and more. 
NetSPI Resolve™ Vulnerability Orchestration Software: Learn how NetSPI Resolve removes the risk of managing vulnerabilities in spreadsheets, and arduous administrative tasks that cause large-scale inefficiencies. The software provides a system of record for all application and infrastructure vulnerabilities through its scanner-agnostic integration engine that also brokers cross-departmental workflow and communications. NetSPI Resolve reduces your risk by providing the visibility needed to actively manage your remediation efforts while increasing your security testing coverage by over fifty percent without adding additional staff. Click here to sign up for a 1:1 security advisory session or a software demo.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes program development, security testing, and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, Minnesota with additional offices in Dallas, Denver, Portland, and New York. For more information about NetSPI, please visit netspi.com. [post_title] => NetSPI to Present and Exhibit at Black Hat USA 2018 [post_excerpt] => NetSPI LLC, the leader in orchestrated vulnerability management and security testing, announced today its participation at Black Hat USA 2018, Aug. 8-9 (booth 1643) in Las Vegas, NV. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-to-present-and-exhibit-at-black-hat-usa-2018 [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:54:05 [post_modified_gmt] => 2021-04-14 06:54:05 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13198 [menu_order] => 212 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [37] => WP_Post Object ( [ID] => 1609 [post_author] => 91 [post_date] => 2018-07-27 07:00:02 [post_date_gmt] => 2018-07-27 07:00:02 [post_content] =>

Most organizations have more vulnerabilities than can be fixed at current resource levels. Halfway through 2018, the NVD is on pace to match the historic 20,000 published CVEs in 2017.

A perfect storm of circumstances can make it difficult for your threat and vulnerability management program to maintain a good security posture. Multiple scanners are required to get full coverage, which in turn piles on the work. The sheer quantity of patches, configuration changes, and code changes is daunting. Automated patch management solutions are limited by the risk of downtime, so human intervention is required for many configuration and code changes.

The growth of the cybercrime industry requires companies to accelerate the vulnerability fix cycle. Exploits come out ever faster, as malicious actors take advantage of known vulnerabilities that organizations have not yet fixed.

Organizations that prioritize vulnerabilities based on risk will maximize security resources. There's no perfect intelligence on new exploits, and lessening the risk doesn't mean the risk is gone. However, risk-based approaches to threat and vulnerability management offer the best path forward when vulnerabilities pile up and resources are limited.

Keeping up with a blizzard of vulnerabilities and exploits requires closing the remediation gap, or the time to remediation. The fundamental challenge lies in expedient remediation for every fix. Your organization will want to get through a litany of remediation workflows quickly to minimize effort. Nonetheless, every vulnerability requires a decision and possibly subsequent effort.

Five Phases of the Vulnerability Management Process

We recommend your organization implement the following five-phase vulnerability management process in managing the vulnerability life cycle:

  1. Discovery
  2. Correlation & enrichment
  3. Verification
  4. Prioritization
  5. Remediation

In addition, these five goals help document each phase of the vulnerability management lifecycle:

  • Identify the key stakeholders and systems involved
  • Determine what policies have bearing in each phase
  • Define the inflection points where a decision must be made
  • Define the junctures where communication must occur
  • Establish output destinations for the data flow

Move a Mountain of Vulnerabilities

Processes that look good on paper may break down in the face of real world challenges. In your organization, different departments may own responsibility for remediation, and they each may use separate systems. Uptime may be prioritized quietly over patch management without notification of exception requests. Code changes need to be vetted in the software development life cycle (SDLC) before being released into production. Configuration changes need to be evaluated for potential impact to running systems.

Implementation of a complete vulnerability management process is a challenge that is made easier by security orchestration tools – a topic for a future post. Defining a complete security orchestration process will help you move mountains.

[post_title] => Are You Flooded With Vulnerabilities? [post_excerpt] => Do you have more vulnerabilities piling up than you can fix with current resources? Time to remediation lengthens as volume grows. Organizations that prioritize vulnerabilities based on risk will maximize security resources and results, so we recommend this five-phase process to manage the vulnerability life cycle. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => flooded-with-vulnerabilities [to_ping] => [pinged] => [post_modified] => 2021-04-14 07:02:30 [post_modified_gmt] => 2021-04-14 07:02:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspi.staging.wpengine.com/?p=1609 [menu_order] => 213 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [38] => WP_Post Object ( [ID] => 13190 [post_author] => 91 [post_date] => 2018-03-07 07:00:59 [post_date_gmt] => 2018-03-07 07:00:59 [post_content] =>

NetSPI LLC, the leading security testing and vulnerability orchestration company, today announced a new professional services line delivering Threat and Vulnerability Management Program Development. This new offering expands NetSPI’s professional services and leverages the power of the NetSPI Resolve™ software platform.

As the threat landscape grows in complexity, NetSPI remains committed to helping clients solve the vulnerability management challenge. Enterprises are overwhelmed with application and infrastructure vulnerabilities and have identified the need for a solution that expands beyond technical testing. NetSPI’s solution helps customers evolve from tactical and reactive penetration testing to a proactive program that reduces risk to their business.

“Our clients are faced with a constantly changing attack surface and new emerging threats every day. We created this offering to help them build a program to quickly identify and fix the vulnerabilities most impactful to their business,” said Charles Horton, senior vice president of professional services.

While many service providers offer solutions focusing broadly on overall security strategy or narrowly focused segments of the challenge, we address vulnerability management holistically.

Deke George
CEO

NetSPI’s service is designed to help clients evaluate and understand how well they are managing technical vulnerabilities and reducing risk. Their Threat and Vulnerability Management Program Framework evaluates programs in a consistent manner, providing maturity evaluation and a roadmap for continuous improvement. NetSPI focuses on seven foundational elements that must work in concert to address the vulnerability management challenge and reduce risk:

  • Asset Management
  • Configuration Management
  • Secure Software Development
  • Vulnerability and Patch Management
  • Technical Testing
  • Threat Intelligence and Monitoring
  • Incident Response

“While many service providers offer solutions focusing broadly on overall security strategy or narrowly focused segments of the challenge, we address vulnerability management holistically,” said Deke George, NetSPI chief executive officer. “NetSPI is an industry leader in the technical testing space, and this service builds upon that expertise to better strategically serve our clients.”

More information about this service can be found here. On March 8, 2018 at 1:00 p.m. CST, NetSPI is hosting an educational webinar on this topic and will provide attendees with tools, techniques and best practices for assessing their organization’s security maturity. Register today at https://www.netsp.com/research/cybersecurity-webinars.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes program development, security testing, and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, Minnesota with additional offices in Dallas, Denver, Portland, and New York. For more information about NetSPI, please visit netspi.com.

[post_title] => NetSPI Announces New Advisory Services Focused on Threat and Vulnerability Management [post_excerpt] => Empowering organizations with a pragmatic approach to address their vulnerability management challenges across their entire environment. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-announces-new-advisory-services-focused-on-threat-and-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:56:43 [post_modified_gmt] => 2021-04-14 06:56:43 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13190 [menu_order] => 230 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [39] => WP_Post Object ( [ID] => 13188 [post_author] => 91 [post_date] => 2017-11-20 07:00:28 [post_date_gmt] => 2017-11-20 07:00:28 [post_content] =>

Minneapolis, Minnesota  –  NetSPI LLC, the leading provider of enterprise security testing and vulnerability correlation software, announced leadership appointments and restructuring initiatives today to accelerate product innovation and strategic growth. NetSPI is intensifying its focus in high-growth security and vulnerability management areas while positioning itself to accelerate long-term market growth, driving customer value, and ultimately making the company more efficient and profitable.

“The announcements today are critical in NetSPI’s transformational journey,” said Deke George, CEO, NetSPI. “Our transformation began with our new logo and website design acting as visual cues letting our employees, clients, and partners know that it is a new day at NetSPI. These key leadership appointments create the foundation needed for the next iteration of growth.”

In addition to the new brand, NetSPI appointed leadership talent to strengthen the structure for exponential growth and long-term market adoption. Ensuring an innovative, customer-centric approach, NetSPI announced president and chief operating officer, Aaron Shilts. With 20 years of experience in cybersecurity and operations, Shilts brings valuable leadership during a period of rapid transformation. Prior to joining NetSPI, Shilts led worldwide services for Optiv and FishNet Security. Over his 14-year tenure, he steered the organization to deliver customer success, sustained growth and profitability. Shilts’ leadership team includes Pavan Gorakavi as senior vice president of software engineering, Steve Antone as vice president of sales, Mary Braunwarth as vice president of marketing, and Joshua Scott as vice president of product management. These structural changes highlight NetSPI’s commitment to drive the evolution of their world-class threat and vulnerability portfolio, while demonstrating foundational measurements of client success.

Our transformation began with our new logo and website design acting as visual cues letting our employees, clients, and partners know that it is a new day at NetSPI. These key leadership appointments create the foundation needed for the next iteration of growth.

Deke George
CEO, NetSPI

Among those praising these changes is NetSPI’s executive chairman of the board, Scott Hammack. “Myself and Sunstone commend Deke and the team on what they’ve built,” Hammack stated. “We are looking forward to building on the established blueprint and enhancing the vision and strategy of the organization to maximize the organization’s growth.”

Read more about NetSPI’s leadership team.

About NetSPI

NetSPI is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes both security testing services and a software platform for application and infrastructure vulnerability orchestration. Trusted by seven of the top 10 United States banks, two global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. NetSPI is headquartered in Minneapolis, MN with additional offices in Dallas, Denver, Portland, and New York.  For more information about NetSPI, please visit netspi.com.

About Sunstone Partners

Sunstone Partners is a private equity firm focused on growth equity and growth buyout investments in technology-enabled services businesses. The firm was formed by the spin-out of the growth equity team of Trident Capital, an investment firm with $1.9 billion of capital under management, since 1993. The firm is currently investing out of Sunstone Partners I, LP, a $310 million fund. For more information visit http://www.sunstonepartners.com.

[post_title] => NetSPI Announces Senior Leadership Appointments to Catapult Growth [post_excerpt] => NetSPI is intensifying its focus in high-growth security and vulnerability management areas while positioning to accelerate long-term market growth. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-announces-senior-leadership-appointments-to-catapult-growth [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:56:50 [post_modified_gmt] => 2021-04-14 06:56:50 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13188 [menu_order] => 241 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [40] => WP_Post Object ( [ID] => 13181 [post_author] => 91 [post_date] => 2017-04-18 07:00:42 [post_date_gmt] => 2017-04-18 07:00:42 [post_content] =>

Minneapolis, Minnesota  –  NetSPI LLC, the leading security testing and vulnerability correlation company, today announced the completion of a strategic growth equity financing led by Sunstone Partners. The investment will allow NetSPI to accelerate development of new products and service offerings, penetrate new verticals, and expand geographically.

NetSPI has grown profitably every year since its founding in 2001, and this financing marks the first institutional capital ever raised by the company. NetSPI currently supports many of the top 10 financial institutions, healthcare providers, and technology companies.

"Our clients are under intense pressure from business, regulatory, and governance perspectives to partner with cybersecurity experts to increase their security posture to safeguard their organization against the volatile and ever-evolving threat landscape.  Our solution portfolio comprises of a world-class proprietary software platform, CorrelatedVM®, encapsulated with deep professional services expertise which is empowering global organizations to scale and operationalize their security programs," said Deke George, NetSPI's Co-Founder and CEO. "We are looking forward to our partnership with Sunstone Partners given their team's successful track record and experience in cybersecurity."

According to the report, "Penetration Testing Market by Testing Service (Network, Web, Mobile, Social Engineering, Wireless, Embedded Devices and Industrial Control System), Deployment Mode (Cloud and On-Premises), Organization Size, Vertical, and Region - Global Forecast to 2021," published by MarketsandMarkets, penetration testing market size is estimated to grow from USD 594.7 Million in 2016 to USD 1,724.3 Million by 2021, at a Compound Annual Growth Rate (CAGR) of 23.7% during the forecast period. 2015 is considered to be the base year while the forecast period is 2016–2021.

"We have known NetSPI for several years and have been consistently impressed by the team's culture, product offering, and loyal customer base," said Gustavo Alberelli, Managing Director at Sunstone Partners. "NetSPI's enterprise customers repeatedly stress their satisfaction and growing need for NetSPI's differentiated solutions, especially given the increasing number of connected applications susceptible to vulnerabilities and advanced persistent threats. Security testing continues to be the fastest-growing subsegment within cybersecurity, and we are excited to partner with the NetSPI team to maximize the company's full potential."

As part of the investment, the new board of directors will include Gustavo Alberelli and Michael Biggee, Managing Directors at Sunstone Partners, Scott Hammack, and Stuart Scholly joined by Deke George. Hammack will serve as NetSPI's Executive Chairman. Hammack and Scholly most recently worked with the Sunstone Partners team while serving as CEO and President respectively of Prolexic Technologies, the leading Distributed Denial of Service (DDoS) mitigation provider, which Akamai acquired in February 2014 for $415 million. Mooreland Partners LLC acted as exclusive financial advisor to NetSPI LLC in connection with this transaction.

About NetSPI

NetSPI is the leading provider of application and network security testing solutions that support organizations in scaling and operationalizing their threat and vulnerability management programs.  The solution portfolio includes both security testing services and a software platform, CorrelatedVM®, trusted by many of the Fortune 250. NetSPI's clients consist of financial institutions, healthcare providers, retailers, and technology companies.  NetSPI is based in Minneapolis and has additional offices in New York and Portland.

About Sunstone Partners

Sunstone Partners is an investment firm focused on growth equity investments and majority buyouts in technology businesses. The firm is a spin-out of the growth equity team of Trident Capital, a multi-stage investment firm with seven funds and $1.9 billion of capital under management since 1993. The firm is currently investing out of Sunstone Partners I, LP, a fund with $310 million of committed capital. Sunstone Partners is headquartered in the San Francisco Bay Area.

[post_title] => NetSPI Raises Growth Capital From Sunstone Partners [post_excerpt] => NetSPI LLC, the leading security testing and vulnerability correlation company, today announced the completion of a strategic growth equity financing led by Sunstone Partners. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => netspi-raises-growth-capital-from-sunstone-partners [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:56:55 [post_modified_gmt] => 2021-04-14 06:56:55 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=netspi_news&p=13181 [menu_order] => 258 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [41] => WP_Post Object ( [ID] => 2968 [post_author] => 91 [post_date] => 2015-03-09 07:00:56 [post_date_gmt] => 2015-03-09 07:00:56 [post_content] =>

In my previous blog, iOS Tutorial – Dumping the Application Heap from Memory, I covered how to dump sensitive information from the heap of an iOS application using GDB. This time we will be covering how to use Cycript to accomplish the same goal but using the class-dump-z output to specifically pull out properties or instance variables. This round will be in a more automated fashion by automatically parsing a class dump of the binary and generating the necessary Cycript scripts to pull the specific properties from memory. I will also be releasing another tool to do all of this for you in the near future. Keep an eye on our NetSPI GitHub repo for the latest tools and scripts for when we release it.

If we do not have access to the source code then we must first decrypt the binary. We do this first to dump the class information about the binary. There are several guides out there for decryption but Clutch is my go-to tool for ease of use as it also regenerates an IPA file with the decrypted binary in it so you can install it again on a different device if you have to. After we extract/install the new decrypted binary, we can now run class-dump-z to get the header information with all the classes, properties, class methods, instance methods, etc.

MAPen-iPad-000314:~ root# ./class-dump-z -z TestApp

[TRUNCATED]

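@interface CryptoManager : XXUnknownSuperclass {
@private
	NSData* key;  // key material held by the instance; backs the retained `key` property below
}
// Retained property exposing the private ivar above; readable from any reference to the instance.
@property(retain, nonatomic) NSData* key;
+(id)CryptoManager;
-(id)init;
// cipher:key:context: overloads; each later variant adds an IV or padding parameter.
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv usingIV:(id)iv5;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv usingIV:(id)iv5 withPadding:(BOOL)padding;
// An explicit key-clearing method is declared; the dump alone does not show when (or whether) it is called.
-(void)clearKey;
-(void)dealloc;
// Decryption variants, differing in IV / header / padding / key parameters.
-(id)decryptData:(id)data;
-(id)decryptData:(id)data usingIV:(id)iv;
-(id)decryptData:(id)data usingIV:(id)iv withPadding:(BOOL)padding;
-(id)decryptData:(id)data withIV:(BOOL)iv;
-(id)decryptData:(id)data withIV:(BOOL)iv withHeader:(BOOL)header;
-(id)decryptData:(id)data withKey:(id)key;
-(id)decryptString:(id)string;
-(id)decryptString:(id)string withIV:(BOOL)iv;
-(id)decryptString:(id)string withIV:(BOOL)iv withHeader:(BOOL)header;
-(id)decryptString:(id)string withIV:(BOOL)iv withHeader:(BOOL)header withKey:(id)key;
-(id)decryptString:(id)string withKey:(id)key;
// Encryption variants, including one that appends ciphertext to a file at a path.
-(id)encryptData:(id)data;
-(int)encryptData:(id)data AndAppendToFileAtPath:(id)path initiatedByUnlockOperation:(BOOL)operation error:(id*)error;
-(id)encryptData:(id)data usingIV:(id)iv;
-(id)encryptData:(id)data withKey:(id)key;
-(id)encryptString:(id)string;
-(id)encryptString:(id)string withKey:(id)key;
// Hashing, hash comparison, and header helpers.
-(id)hashString:(id)string;
-(id)hashString:(id)string salt:(id)salt;
-(BOOL)isHashOfString:(id)string equalToHash:(id)hash;
-(BOOL)isHeaderValid:(id)valid;
-(id)newHeader;
-(unsigned long)readEncryptedData:(void**)data atPath:(id)path offset:(long)offset length:(unsigned long)length initiatedByUnlockOperation:(BOOL)operation error:(id*)error;
@end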

[TRUNCATED]

So you can see above that TestApp has a class called "CryptoManager" which has a property called "key". This looks interesting as there could be an encryption key sitting there in memory. We will now use Cycript to grab that specific property from memory. Note that during runtime, the "CryptoManager" class is instantiated before login, but only after a valid user has successfully logged in once before on the device. Also, the class is never cleared out even when it is no longer needed, such as after the user has logged out, which is where the vulnerability lies. In this instance, we have already logged in successfully during a previous session and therefore the class is already in memory before the user logs in.

First we will hook into the running TestApp process from an SSH session so we can leave the application running on the iOS device.

MAPen-iPad-000314:~ root# cycript -p TestApp
cy#

Now that we are hooked in, let's go ahead and talk about the "choose" method in cycript. The "choose" method scans the heap for the matching class name and returns an array of objects that match that class' structure. So, if we type "choose(MyClass)", it is going to return an indexed array of all instantiated objects of MyClass that are currently in memory (or that match that structure). The output below is just calling out the first indexed object, which is index "0", and storing it into a variable called "a". If you like GDB more, we can also take the memory location returned and go back to GDB to dump out everything from that sub-region in memory or to set breakpoints and watch the registers. See my previous blog on how to scan the heap here (https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/). Note, however, that there can be more than one instance of the class in this array and you will need to go through each index to get the properties of each instantiated object.

cy# a=choose(CryptoManager)
[#"< CryptoManager: 0x17dcc340>",#"< CryptoManager: 0x17f42ba0>"]

Now let's dump the "key" property from memory so we can grab the key and decrypt any data in the app later on.

cy# a[0].key.hexString
@"6D2268CFFDDC16E890B365910543833190C9C02C4DCA2342A9AEED68428EF9B6"

Bingo! We now have the hexadecimal of the key we need to decrypt anything this application wants to keep encrypted.

Now let's talk about how to automate this and go over what we know and what we have to figure out programmatically as we go. We know that the class-dump-z output contains the output of all the classes and their properties. What we don't know is whether or not those classes are currently instantiated or not. We also don't know how many times the classes are instantiated in memory. What we can do is parse the class-dump-z output and create a map of classes and their properties. Now that we have a map we can now create Cycript scripts to pull the information out for us. Note however, that this technique is for classes that are already instantiated and we won't be covering how to make a new instance of an object in Cycript as there are many tutorials and books on how to do this.

So we have to read Cycript's output from the choose method to figure out how many times the object is instantiated in memory. To do that we can use JavaScript to get the array length:

cy# choose(CryptoManager).length
2
cy#

Cool, now we know how many times to loop through the array to pull out all instantiated "CryptoManager" objects. Now let's move on to cycript scripting.

Cycript can take a script as a parameter and a basic script just has to contain the commands we want to run like so:

MAPen-iPad-000314:~ root# cat dump.cy
a=choose(CryptoManager)[0]
a.key.hexString

MAPen-iPad-000314:~ root# cycript -p TestApp dump.cy
@"6D2268CFFDDC16E890B365910543833190C9C02C4DCA2342A9AEED68428EF9B6"

One issue that I can't seem to figure out is that Cycript only returns the last line of output to the terminal when you run a script, rather than all of the output. So to pull out multiple classes and their properties from the terminal, you have to create a new script for each class and property combination. If anyone knows how to get around this limitation, please feel free to reach out to me. Or you can write everything in Cycript JavaScript if that is your preferred language.

Thanks for reading and hack responsibly

[post_title] => iOS Tutorial - Dumping the Application Memory Part 2 [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => ios-tutorial-dumping-the-application-memory-part-2 [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:30 [post_modified_gmt] => 2021-04-13 00:05:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=2968 [menu_order] => 311 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [42] => WP_Post Object ( [ID] => 2156 [post_author] => 91 [post_date] => 2015-01-05 07:00:47 [post_date_gmt] => 2015-01-05 07:00:47 [post_content] => An essential part of pentesting iOS applications is analyzing the runtime of the application. In this blog, I will be covering how to dump the heap from an iOS application. I will also be releasing a little script to run on the iOS device to dump the heap of a specified application for you. You can download the script from the NetSPI Git Hub. The script basically wraps around GDB, but only dumps the ranges in memory that have "sub-regions". These sub-regions are usually where I find active credentials, anything that is currently being used in the UI, or instantiated class properties. This technique currently only works for iOS 7 and lower or until there is a working GDB version for iOS 8. You also cannot use the version GDB from the default Cydia repositories. You have to use the fixed version in this repository here: "http://cydia.radare.org" or here is a direct link to the deb package: "http://cydia.radare.org/debs/gdb_1708_iphoneos-arm.deb". Below are a few screenshots of the process, and how the script works. First, we launch the application that we want to capture the heap for and log in. MB_iOS_Dump_1 After we log into the app, we will keep it at the first main screen which in this case is the user's timeline. 
Now we will SSH into the device, so that we can leave the application running without the app being put in the background by iOS. MB_iOS_Dump_2.png Above is the output that the script provides during runtime. Here we are giving the binary name that we want the script to dump. MB_iOS_Dump_3 Above are all the .dmp files that we can now start searching through for the credentials or any other sensitive data. You can usually find encryption keys or passwords from any instantiated classes that use encryption or contain the login process. I personally use a combination of the "strings" command and "xxd" as a hex dumper but you can use any hex editor that works for you. This technique can be used to determine whether the application is failing to remove sensitive information from memory once the instantiated classes are done with the data. All applications should overwrite and then deallocate the memory used by classes and methods that handled sensitive information; deallocation alone does not guarantee the contents are cleared, so otherwise you run the risk of the information sitting available in memory for an attacker to see. I've included the GDB commands that are used in the script:
  • gdb --pid="<PID>"
  • info mach-regions (look for sub-regions)
  • dump binary memory heap1.dmp <sub-region range from above>
[post_title] => iOS Tutorial – Dumping the Application Heap from Memory [post_excerpt] => Using GDB to dump the runtime heap from memory to gain access to sensitive information that should’ve been removed. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => ios-tutorial-dumping-the-application-heap-from-memory [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:30 [post_modified_gmt] => 2021-04-13 00:05:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=2156 [menu_order] => 319 [post_type] => post [post_mime_type] => [comment_count] => 10 [filter] => raw ) [43] => WP_Post Object ( [ID] => 1113 [post_author] => 91 [post_date] => 2014-06-30 07:00:00 [post_date_gmt] => 2014-06-30 07:00:00 [post_content] => How many of your projects include open source software? Maybe it is better to call it free software. As a person who has spent time in the corporate world, I get the idea of using open source software. Much of it is free or at very low cost. However, is it secure and how do you go about proving that it is secure? For example, OpenSSL had the Heartbleed vulnerability in it for some time before it was discovered and disclosed. If you are using a piece of software that was not written by your own company, how do you not realize that this software may have vulnerabilities in it that have not been discovered or disclosed? Make sure you find out, either by doing the work yourself or through a third party. We have had many companies tell us not to worry about the results from the open source software because it was not their software and they cannot or will not fix it. If you find vulnerabilities in this open source software, make sure you address them or at least mitigate them. Right now, I am in the middle of a code review for a company that is using an open source framework. I looked it up and the framework has not been modified since July 2012. 
The framework they are using is full of vulnerabilities, including SQL injection and cross-site scripting (both reflected and stored). If the person who wrote this code could do it wrong, they did. Out of the 10,000+ vulnerabilities found by the automated code review tool, almost 80% were in the framework. For this company I am doing the code review for, I am going to recommend working with the framework's author to address these vulnerabilities or trying to find a different framework, preferably one that has been updated recently. I am also going to recommend they look at implementing a web application firewall. If not, they are going to have problems. This framework is a good example of what not to do. Security vulnerabilities, attacks, programming languages, and tools have evolved to make your application much more secure, but your developers need to understand the concepts of secure coding techniques. You also need to evaluate the frameworks you are using and not assume they are safe. [post_title] => Open Source Frameworks - How secure are they? [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => open-source-frameworks-how-secure-are-they [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:09 [post_modified_gmt] => 2021-04-13 00:06:09 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1113 [menu_order] => 334 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [44] => WP_Post Object ( [ID] => 1154 [post_author] => 91 [post_date] => 2013-07-08 07:00:25 [post_date_gmt] => 2013-07-08 07:00:25 [post_content] =>

When assessing an application, one may run into files that have strange or unknown extensions or files not readily consumed by applications associated with those extensions. In these cases it can be helpful to look for tell-tale file format signatures, inferring how the application is using them based on these signatures, as well as how these formats may be abused to provoke undefined behavior within the application. To identify these common file format signatures one typically need only look as far as the first few bytes of the file in question. This is what's often called "magic bytes", a term referring to a block of arcane byte values used to designate a filetype in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format. Note that a signature is only a convention: the bytes are under the control of whoever produces the file, so a matching signature on its own says nothing about whether the rest of the file is well-formed or safe to parse. The easiest way to inspect the file in question will be to examine it with a hex editor. Personally for this task I prefer HxD for Windows or hexdump under Linux, but really any hex editor should do just fine. With a few exceptions, file format signatures are located at offset zero and generally occupy the first two to four bytes starting from the offset. Another notable detail is that these initial sequences of bytes are generally not chosen at random; that is, most developers of a given format will choose a file signature whose ASCII representation will be fairly recognizable at a glance as well as unique to the format. This allows us to use the known ASCII representations of these signatures as a sort of mnemonic device to quickly identify a given file's format. Here are a few examples of common file signatures and their accompanying mnemonics:

Executable Binaries Mnemonic Signature
DOS Executable
"MZ"
0x4D 0x5A
PE32 Executable
"MZ"...."PE.."
0x4D 0x5A ... 0x50 0x45 0x00 0x00
Mach-O Executable (32 bit)
"FEEDFACE"
0xFE 0xED 0xFA 0xCE
Mach-O Executable (64 bit)
"FEEDFACF"
0xFE 0xED 0xFA 0xCF
ELF Executable
".ELF"
0x7F 0x45 0x4C 0x46
Compressed Archives Mnemonic Signature
Zip Archive
"PK.."
0x50 0x4B 0x03 0x04
Rar Archive
"Rar!...."
0x52 0x61 0x72 0x21 0x1A 0x07 0x01 0x00
Ogg Container
"OggS"
0x4F 0x67 0x67 0x53
Matroska/EBML Container
N/A
0x45 0x1A 0xA3 0xDF
Image File Formats Mnemonic Signature
PNG Image
".PNG...."
0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A
BMP Image
"BM"
0x42 0x4D
GIF Image
"GIF87a"
0x47 0x49 0x46 0x38 0x37 0x61
 
"GIF89a"
0x47 0x49 0x46 0x38 0x39 0x61

Let's take what we’ve learned so far and apply it toward an "unknown" file, calc.exe.

Justin Bytes Blog

To avoid confusion it's worth noting that the PE32 executable format actually contains at minimum two sets of magic bytes: one set for the DOS executable header for DOS system compatibility and the other set to mark the beginning of the PE32 executable header. In this screenshot I've highlighted the DOS header, where we can see that the beginning of said header is marked with "MZ". Another characteristic of the DOS header that's an immediate give-away is the text "This program cannot be run in DOS mode.", which some may recognize as the error text displayed when one attempts to run a windows application in DOS mode.

Justin Bytes Blog

Following the DOS header and preceding the PE header is what's known as the rich header and is represented in our mnemonic list as the "..." between the DOS and PE magic bytes. This header remains largely undocumented, however, so examining it at length is unlikely to yield any insightful information.

Justin Bytes Blog

Finally, following the DOS and rich headers comes the PE header, marked by "PE.." or the byte sequence \x50\x45\x00\x00, which indicates that this file is a PE32 executable. Identifying other formats follows the same principle, except that one will generally need only the first step of the above process to identify the file format.

[post_title] => Magic Bytes - Identifying Common File Formats at a Glance [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => magic-bytes-identifying-common-file-formats-at-a-glance [to_ping] => [pinged] => [post_modified] => 2021-06-08 21:49:46 [post_modified_gmt] => 2021-06-08 21:49:46 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1154 [menu_order] => 373 [post_type] => post [post_mime_type] => [comment_count] => 1 [filter] => raw ) [45] => WP_Post Object ( [ID] => 1155 [post_author] => 91 [post_date] => 2013-07-08 07:00:05 [post_date_gmt] => 2013-07-08 07:00:05 [post_content] => When assessing an application for weaknesses in a linux environment, we won't always have the luxury of freely available source code or documentation. As a result, these situations require more of a black box approach where much of the information about the application will be revealed by attempting to monitor things such as network communications, calls to cryptographic functions, and file I/O. One method of monitoring applications to extract information is to attach a debugger, such as GDB, to the process and to dump register or stack values as breakpoints are hit for the desired function calls. While this has the advantage of giving fine grained control over things such as code flow and register contents, it is also a cumbersome process compared to hooking the function calls of interest to modify their behavior. Function call hooking refers to a range of techniques used to intercept calls to pre-existing functions and wrap around them to modify the function's behavior at runtime. 
In this article we'll be focusing on function hooking in Linux using the dynamic loader API, which allows us to dynamically load and execute calls from shared libraries on the system at runtime, and allows us to wrap around existing functions by making use of the LD_PRELOAD environment variable. The LD_PRELOAD environment variable is used to specify a shared library that is to be loaded first by the loader. Loading our shared library first enables us to intercept function calls, and using the dynamic loader API we can bind the originally intended function to a function pointer and pass the original arguments through it, effectively wrapping the function call. Let's use the ubiquitous “hello world” demonstration as an example. In this example we'll intercept the puts function and change the output. Here's our helloworld.c file:
#include <stdio.h>
#include <unistd.h>
/*
 * Minimal program whose only observable behaviour is one puts() call, so that
 * a library loaded through LD_PRELOAD can intercept it.
 *
 * NOTE(review): the literal reads "Hello world!n"; the rendered listing most
 * likely lost the backslash of a "\n" escape. It is kept byte-for-byte here.
 */
int main(void)
{
    const char *greeting = "Hello world!n";

    puts(greeting);
    return 0;
}
Here's our libexample.c file:
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
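/*
 * LD_PRELOAD replacement for libc's puts().
 *
 * Resolves the next puts() in load order with dlsym(RTLD_NEXT, ...), swaps the
 * greeting "Hello world!n" for "Goodbye, cruel world!n", and forwards every
 * other message unchanged.
 *
 * message: NUL-terminated string, as for puts(). A NULL message is rejected
 *          with EOF instead of being dereferenced by strcmp().
 * Returns the value of the original puts(), or EOF (puts()'s own error
 * convention) if the original cannot be resolved.
 *
 * Requires _GNU_SOURCE (for RTLD_NEXT) and <string.h> for strcmp(), which the
 * original listing called without a declaration.
 */
int puts(const char *message)
{
    /* Resolve the original once; calling dlsym() on every puts() is needless work. */
    static int (*real_puts)(const char *) = NULL;

    if (real_puts == NULL) {
        real_puts = (int (*)(const char *))dlsym(RTLD_NEXT, "puts");
        if (real_puts == NULL) {
            /* Nothing to forward to: fail like puts() does rather than call NULL. */
            return EOF;
        }
    }

    if (message == NULL) {
        return EOF;
    }

    if (strcmp(message, "Hello world!n") == 0) {
        return real_puts("Goodbye, cruel world!n");
    }
    return real_puts(message);
}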
Let's take a moment to examine what's going on here in our libexample.c file:
  • Line 5 contains our puts function declaration. To intercept the original puts we define a function with the exact same name and function signature as the original libc puts function.
  • Line 7 declares the function pointer new_puts that will point to the originally intended puts function. As before with the intercepting function declaration this pointer's function signature must match the function signature of puts.
  • Line 10 initializes our function pointer using the dlsym() function. The RTLD_NEXT enum tells the dynamic loader API that we want to return the next instance of the function associated with the second argument (in this case puts) in the load order.
  • We compare the argument passed to our puts hook against "Hello world!n" on line 12 and if it matches, we replace it with "Goodbye, cruel world!n". If the two strings do not match we simply pass the original message on to puts on line 14.
Now let's build everything and test it out:
sigma@ubuntu:~/code$ gcc helloworld.c -o helloworld
sigma@ubuntu:~/code$ gcc libexample.c -o libexample.so -fPIC -shared -ldl -D_GNU_SOURCE
sigma@ubuntu:~/code$
First we compile helloworld.c as one normally would. Next we compile libexample.c into a shared library by specifying the -shared and -fPIC compile flags and link against libdl using the -ldl flag. The -D_GNU_SOURCE flag is specified to satisfy #ifdef conditions that allow us to use the RTLD_NEXT enum. Optionally this flag can be replaced by adding "#define _GNU_SOURCE" somewhere near the top of our libexample.c file. After compiling our source files, we set the LD_PRELOAD environment variable to point to the location of our newly created shared library.
sigma@ubuntu:~/code$ export LD_PRELOAD="/home/sigma/code/libexample.so"
After setting LD_PRELOAD we're ready to run our helloworld binary. Executing the binary produces the following output:
sigma@ubuntu:~/code$ ./helloworld
Goodbye, cruel world!
sigma@ubuntu:~/code$
As expected, when our helloworld binary is executed the puts function is intercepted and "Goodbye, cruel world!" rather than the original "Hello world!" string is displayed. Now that we're familiar with the process of hooking function calls, let's apply it to a somewhat more practical example. Let's pretend for a moment that we have an application that we are assessing and that this application uses OpenSSL to encrypt communications of sensitive data. Let’s also assume that attempts to man-in-the-middle these communications at the network level have been fruitless. To get at this sensitive data we will intercept calls to SSL_write, the function responsible for encrypting then sending data over a socket. Intercepting SSL_write will allow us to log the string sent to the function and pass the original parameters along, effectively bypassing the encryption protections while allowing the application to run normally. To get started let's take a look at the SSL_write function definition:
int SSL_write(SSL *ssl, const void *buf, int num);
Here's the code I’ve written to intercept SSL_write in hook.c:
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
#include <openssl/ssl.h>
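/*
 * LD_PRELOAD replacement for OpenSSL's SSL_write().
 *
 * Appends the calling PID and the plaintext about to be encrypted to the file
 * "logfile" in the current directory, then forwards the call unchanged to the
 * next SSL_write() in load order.
 *
 * context: the SSL connection, passed through untouched.
 * buffer:  `bytes` bytes of application data. It is NOT a C string: the
 *          original "%s" read past the buffer whenever the data carried no
 *          NUL terminator, so the payload is now written with fwrite()
 *          bounded by `bytes`.
 * bytes:   number of bytes to send, as declared by SSL_write().
 * Returns what the original SSL_write() returns, or -1 (SSL_write's own
 * failure convention) if the original cannot be resolved.
 *
 * Logging is best effort: if "logfile" cannot be opened the call is still
 * forwarded so the hooked process keeps running. The log holds plaintext
 * traffic and is created with the process's default umask; fopen() offers no
 * mode control, so restrict it through the umask or the directory.
 * Requires _GNU_SOURCE for RTLD_NEXT.
 */
int SSL_write(SSL *context, const void *buffer, int bytes)
{
    /* Resolve the original once instead of on every call. */
    static int (*real_ssl_write)(SSL *, const void *, int) = NULL;
    FILE *logfile;

    if (real_ssl_write == NULL) {
        real_ssl_write = (int (*)(SSL *, const void *, int))dlsym(RTLD_NEXT, "SSL_write");
        if (real_ssl_write == NULL) {
            return -1;
        }
    }

    logfile = fopen("logfile", "a+");
    if (logfile != NULL) {
        /* Newline escapes written explicitly: the rendered listing shows "nn"
           where "\n\n" was meant, as the logged output in the article shows. */
        fprintf(logfile, "Process %d:\n\n", getpid());
        if (buffer != NULL && bytes > 0) {
            fwrite(buffer, 1, (size_t)bytes, logfile);
        }
        fputs("\n\n\n", logfile);
        fclose(logfile);
    }

    return real_ssl_write(context, buffer, bytes);
}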
As we can see our function definition needs to return an integer and take three arguments: a pointer to an SSL context, a pointer to a buffer containing the string to encrypt, and the number of bytes to write. In addition to our intercepting function definition we define a matching function pointer that will point to the originally intended SSL_write function and initialize it with the dlsym function. After pointing it at the original function, we log the process ID of the process calling SSL_write and the string sent to it. Next we compile our source to a shared library:
sigma@ubuntu:~/code$ gcc hook.c -o libhook.so -fPIC -shared -lssl -D_GNU_SOURCE
sigma@ubuntu:~/code$
The only difference between this compilation and last is the -lssl flag, which we specify in order to link our code against the OpenSSL library. Now let's go ahead and set LD_PRELOAD to point to our newly created libhook library:
sigma@ubuntu:~/code$ export LD_PRELOAD="/home/sigma/code/libhook.so"
sigma@ubuntu:~/code$
Now that LD_PRELOAD is set we're ready to start intercepting calls to SSL_write on processes executed from here onward. To test this let's go ahead and use the curl utility over HTTPS and intercept the HTTPS request.
sigma@ubuntu:~/code$ curl https://www.netspi.com > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
100 19086 0 19086 0 0 37437 0 --:--:-- --:--:-- --:--:-- 60590
sigma@ubuntu:~/code$
After successful completion of the command there should be a log file that we can examine:
sigma@ubuntu:~/code$ cat logfile
Process 11423:
GET / HTTP/1.1
User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: www.netspi.com
Accept: */*
sigma@ubuntu:~/code$
As we can see the request has been logged in plaintext, while the application was allowed to function normally. Had this been a scenario where data integrity relied heavily upon SSL encryption and the assumption that man-in-the-middle attacks would be occurring only at the network level, any such integrity would have been compromised. These are really just a few examples of what's possible using the dynamic loader API and LD_PRELOAD. Since the shared library we create will be loaded into the running process' memory space we could do things like dump the memory of the process to examine the memory at runtime or tamper with runtime variables. Other uses for this method of function call hooking and loading generally fall under the use case of user-land rootkits and malware, which will be the focus on the next article in this series. [post_title] => Function Hooking Part I: Hooking Shared Library Function Calls in Linux [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => function-hooking-part-i-hooking-shared-library-function-calls-in-linux [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:44 [post_modified_gmt] => 2021-04-13 00:05:44 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1155 [menu_order] => 372 [post_type] => post [post_mime_type] => [comment_count] => 5 [filter] => raw ) [46] => WP_Post Object ( [ID] => 1156 [post_author] => 91 [post_date] => 2013-06-24 07:00:43 [post_date_gmt] => 2013-06-24 07:00:43 [post_content] => Let’s go back in time to June, 2012. LinkedIn was compromised and 6.5 million password hashes were released to the internet. Everyone changed their password (right?) and it wasn't *that* big a deal. Now, let’s jump forward in time, to sometime when biometric authentication becomes more common. 
In this new era, LinkedIn gets compromised, and 6.5 million hashed fingerprints are released to the internet…so everyone does what? Do users switch the fingers they use for authentication? Biometric authentication is a great idea that, unfortunately, suffers from some serious drawbacks, especially when deployed in the cloud.  Biometric authentication’s greatest weakness is immutability. Your fingerprints aren’t going to change, and failing some pretty major plastic surgery, your face won’t either. This basically means one big problem: You can’t change a compromised biometric. Do you have any publicly accessible pictures on Facebook? What about videos? Could those be used to hack facial recognition, even with liveness detection? The way your biometric features are set in stone mean there is a much greater responsibility to protect them, and unfortunately you aren’t the only one who bears that responsibility. Cloud services that leverage biometrics aren’t super common yet, but assuming biometrics catch on, it’s only a matter of time before the marketing types make it happen. How is that data stored? Can you really trust your service provider to take better care of your fingerprint than your password? Millions of passwords get exposed by hacks like the LinkedIn hack every year. Most services require users to register at least two fingerprints to use fingerprint-based auth; that gives users at MAX 10 password resets for an entire lifetime. After that, the data used for authentication starts repeating: which fingers you use for authentication may change, but if an attacker has compromised a fingerprint, they can use that fingerprint to bruteforce any authentication schema that relies on the compromised finger’s data – a kind of known-plaintext attack. That isn’t the only issue with immutability, either. There is a reason best practices recommend using separate passwords for separate services. 
If you use biometric authentication for multiple services, the security of your access to those services is linked (just like with a normal password). Basically, you’re trusting every service provider with the password to your other accounts. Maybe that’s okay with you; you’re fine if some social network knows your bank account password. Unfortunately for you, it isn’t that simple. If that social network ever gets compromised, within hours your bank account password will be on Pastebin, and I’ll eat my hat if some enterprising script kiddie doesn’t have a bot testing out username/fingerprint combinations to every bank service they can find. This only gets worse once you run out of fingers to authenticate with. If anyone ever associates all ten fingerprints with your identity, no account you ever create will be safe with biometric authentication again. Maybe I’m being a little histrionic. That would be totally fair. There are a bunch of practices that could (maybe not totally) mitigate these issues. And, after all, biometrics are supposed to be part of a dual-factor authentication scheme, right? So we’ll at least have a password in addition to our fingerprints. And any serious company who deploys biometric authentication will surely encrypt the data, and keep it somewhere safe, away from the key. Then again, take a look at biometric authentication right now. My coworker Karl wrote a blog about consumer grade fingerprint readers in Lenovo laptops. His conclusion was that the software was pretty lax about storing sensitive data. What happens when practices like that move into realms like banking and health care? Truth be told, I don’t think this problem is unsolvable. It’s always possible to simply not use biometrics! 
For anyone who still wants to use biometric authentication, just take this warning and exercise real caution in the storage of your users’ data, and keep in mind that the technology needs some serious refinement before consumer-grade biometric scanners provide any real protection. [post_title] => Biometrics in the age of Pastebin [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => biometrics-in-the-age-of-pastebin [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:35 [post_modified_gmt] => 2021-04-13 00:05:35 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1156 [menu_order] => 374 [post_type] => post [post_mime_type] => [comment_count] => 1 [filter] => raw ) [47] => WP_Post Object ( [ID] => 1157 [post_author] => 91 [post_date] => 2013-06-17 07:00:17 [post_date_gmt] => 2013-06-17 07:00:17 [post_content] => CA SiteMinder is a secure Single Sign-On (SSO) and Web access management product that is used to authenticate users and control access to web applications and portals. Your company may be considering purchasing SiteMinder or a similar product, or may have already deployed a solution like SiteMinder in your environment. Out of the box, CA SiteMinder can prevent some of the typical OWASP Top 10 vulnerabilities. These include SQL Injection and Cross-site scripting (XSS). I worked with it a few years ago in my previous job and it worked well,.  That is until the developers got involved. Their business requirements had them pass full SQL statements from the browser to their application. Additionally, many of them think they needed to also pass in the “” to the Web application. We had to tweak CA SiteMinder to allow these types of requests. As you may have guessed, their application was now potentially vulnerable to SQL Injection and XSS. These dangerous configurations also make some of CA SiteMinder’s standard web pages vulnerable to XSS. 
CA SiteMinder comes with some standard web pages and executables that you can use in your Web application. These include loginandregister-dms.fcc, loginandregisterwithforgottenpassword-dms.fcc, login.fcc and smpwservicescgi.exe. By not allowing CA SiteMinder to stop the XSS attacks, these Web pages also become vulnerable. NetSPI has performed application penetration tests in the last few months where the applications were using CA SiteMinder. The applications we were testing were vulnerable to XSS; both the application itself and the CA SiteMinder files. SiteMinder is intended to reduce risk, not expand it. These vulnerabilities could have been prevented by not configuring CA SiteMinder to stop blocking XSS. Do not allow the developers to dictate that the security be weakened; work with them and reduce their requests to the most basic requirements and figure out how to securely deliver what they need. Remember, security and development should be partners, not bitter rivals. You want multiple layers of prevention, so if your application is vulnerable, CA SiteMinder will prevent the vulnerability from being exploited. [post_title] => Great, you use CA SiteMinder, but you broke it! [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => great-you-use-ca-siteminder-but-you-broke-it [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:25 [post_modified_gmt] => 2021-04-13 00:06:25 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1157 [menu_order] => 375 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [48] => WP_Post Object ( [ID] => 1167 [post_author] => 91 [post_date] => 2013-04-11 07:00:33 [post_date_gmt] => 2013-04-11 07:00:33 [post_content] => Many times during our mobile application penetration testing, we find that the applications are vulnerable to man-in-the-middle attacks (MITM). 
Certificate pinning is one part of the answer to MITM attacks in a mobile application. For those who do not know about certificate pinning, this is not pinning your CISSP certificate to the wall.

What is it?

Certificate pinning is hardcoding or storing the information for digital certificates/public keys in a mobile application. Since the predefined certificates are used for secure communication, all others will fail, even if the user trusted other certificates. In a mobile application, the application knows what servers they will connect to, so that the application can check for those specific certificates. A browser cannot implement certificate pinning, since it is designed for general-purpose communication.

What happens during an SSL Connection?

When an application sees an SSL certificate from a server, it should verify two things:
  1. The certificate is signed by a root certificate authority (CA)
  2. The server’s name (via DNS) matches the Common Name (CN) presented in the SSL certificate
In the case where these do not match, the application (or browser) throws up a warning and lets the user decide what to do. In many cases, the general user population will not understand the warning and just decide to accept the invalid certificate.

What are we trying to do by certificate pinning?

The idea is to prevent a man-in-the-middle attack, which allows an attacker to get in the middle of the conversation between a client and server. They could be just eavesdropping on the conversation or could be changing the data as it moves to the client or server. An attacker who gains control of a user’s operating system can install trusted root Certificate Authorities. These root CAs will be able to sign new certificates, which will satisfy SSL validation procedures. Certificate pinning prevents this by ensuring a specific server public key is used to initiate secured traffic.

How do we implement certificate pinning?

Distribute the server’s public key with the application. Any time the application begins an SSL exchange with the server, validate that the key the server presents matches the public key included with the app. This takes the CA system out of the equation, and assuming it is the correct certificate, the names will match.

Is there a way to break certificate pinning?

An attacker would have to decompile the application, change the code, rebuild it and redeploy the application. Another option would be to run the application in a debugger. For Android, you can obfuscate your code. You can also check to see if the application is running in a debugger. Code signing will also make it more difficult for an attacker to create an unauthorized patch for your application. For iOS, see Detecting the Debugger. For Android, see Securing Android LVL Applications. Neither of the above options is perfect, but they do help. Both of these methods make the attacker’s job harder, but not impossible.

Where else can I find information on this?

OWASP provides some information and sample code: User Privacy Protection Cheat Sheet and Pinning Cheat Sheet Moxie Marlinspike provides good information for an Android on his blog: Your app shouldn’t suffer SSL’s problems iSecPartners provides other information for iOS: SSL Pinning on iOS —— Be sure to check out author Steve Kern’s webinar on Assessing the Security of Your Mobile Applications [post_title] => Certificate Pinning in a Mobile Application [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => certificate-pinning-in-a-mobile-application [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:23 [post_modified_gmt] => 2021-04-13 00:05:23 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1167 [menu_order] => 384 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [49] => WP_Post Object ( [ID] => 1169 [post_author] => 91 [post_date] => 2013-03-25 07:00:50 [post_date_gmt] => 2013-03-25 07:00:50 [post_content] => Lately, I've been working with some older technologies, and I've gotten to play with some of the restricted access shells that used to be popular. Many older appliances used to include an sshd that allowed users into a chroot jail with restricted access to binaries. This was done in an attempt to allow the user to access the appliance’s functionality without exposing the internal workings of the application. Fortunately, many chroot jails fail to properly set some essential security bits, assuming that restricting binaries is enough to keep users out of the real filesystem, while also giving users root access to their chroot jail. With just these three things, you can break out of any chroot jail:
  1. Root access – you’ll need root access *inside* your chroot jail to execute a breakout. This is the weakest link here, but many chroot jails have been improperly configured, as root privileges are used to access the application functionality that the shell is supposed to expose.
  2. The echo utility – this is built in to several shells, so you can rely on this in many situations.
  3. A file that you have both write and execute privileges on – if the chroot jail has been properly secured you won’t have access to chmod, but check the filesystem for these privileges. This will allow you to get your breakout on the filesystem and to execute it.
Now for the juicy bit. To break out of your jail, the basic steps are pretty simple. Determine if you have chmod available inside your chroot jail. If you don’t, search for a file with both write and execute privileges . You can use find –executable –writable or ls –lR / | grep wx to search entire partitions for these files. This might be difficult if you don’t have find or grep, but you can check common locations for executables like /bin/. Remember the path of this file, as you’ll have to overwrite it later. Spin up a VM with the same kernel as the machine hosting the chroot jail you’re targeting. Grab code for a chroot jail (there are examples all over the internet). For the purposes of this demonstration, I’ve put my code into breakout.c. All this code does is create a file descriptor for the current directory and then makes a new chroot jail in a subdirectory. Since the program has saved a file descriptor to a directory outside this new sub-chroot jail, the program will use fchdir to hop back out of the new chroot jail and onto the main directory structure. Then it cd’s all the way back up to the real root where it execs a new shell. Use gcc to compile the code into a binary on your VM. Use hexdump with the command below to dump the binary into the format you’ll need. This command works just like a C printf statement:

hexdump -ve '"\x" 1/1 "%02x"' bin.o > echo_this

Copy the contents of the file echo_this, and paste them into an echo command inside the chroot jail:

Echo –ne x7fx45x4cx46… > name_of_file_from_first_step (ie: /bin/writeableBinary)

Finally, you can just execute the file you've just overwritten to escape the jail. This will provide you with a root shell on the complete file system of the machine you were jailed in earlier. Preventing this is actually pretty simple, and just relies on some linux security basics that sometimes get neglected in these chroot jails. Don’t let the user run as root, if you can avoid it. If a user has to run as root, restrict access to binaries, and make sure there aren't any files that they have both write and execute permissions on. [post_title] => Attacking Restricted Linux Shells [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => attacking-restricted-linux-shells [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:34 [post_modified_gmt] => 2021-04-13 00:05:34 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1169 [menu_order] => 387 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [50] => WP_Post Object ( [ID] => 1188 [post_author] => 91 [post_date] => 2012-10-16 07:00:50 [post_date_gmt] => 2012-10-16 07:00:50 [post_content] => I’ve been playing around with some Android exploitation lately, and I wanted to clarify the risks associated with storing domain credentials anywhere on a mobile device. Obviously, gaining access to your email or calendar could expose some sensitive information, or could allow for password resets via email or some social engineering, but I feel like the real risk lay elsewhere. Most mobile devices when associated with an Exchange server will store credentials in cleartext. This means that any malicious attacker who can get root access to your phone can gain access to your domain credentials. 
The risk this presents is dependent on your organization, but if your organization has any external resources accessible via RDP or uses AD authentication on the VPN, an attacker can just hop right into your environment. This is true on Android and iOS for sure; to prove it to you, my technical paper has practical guidelines on how to extract credentials from a mobile phone. Check it out! Download "Dark Harvest - Active Directory Credentials on Mobile Devices" [post_title] => Android Exploitation Technical Paper Release [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => android-exploitation-technical-paper-release [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:22 [post_modified_gmt] => 2021-04-13 00:05:22 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1188 [menu_order] => 409 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [51] => WP_Post Object ( [ID] => 1205 [post_author] => 91 [post_date] => 2012-06-07 07:00:50 [post_date_gmt] => 2012-06-07 07:00:50 [post_content] =>

Pattern unlock sucks. Everyone knows it. Pattern unlock provides security benefits that are dubious at best. Anyone can shoulder surf your pattern, or even your PIN, since most PINs are displayed at least momentarily in cleartext. Phone manufacturers have noticed the problem, and tried to create new lock technologies that don’t suck: Motorola had a fingerprint reader on the Atrix, and Google’s ICS includes face-unlock. While either of these options is better than PIN or pattern unlock, I think we can do better. Every day there are new gadgets released to work with smartphones. Mostly, these devices are curiosities or toys; smart balls that can be controlled by phone, or remote control airplanes. All of these toys include the raw components to fix the problem with PIN/pattern unlocks forever. Combine a wireless interface (Bluetooth, NFC, or WIFI) with certificate based authentication, and we’ve just created a second factor for authenticating to your phone. Multi-factor authentication relies on two different pieces to prove your identity: something you have (a physical device, which will authenticate your phone) and something you know (your pin or gesture).  Actually, this technology is pretty similar to modern cars that don’t have a key, but rather radio keys that allow the car to be started whenever the key is inside the cab. Imagine that instead of, or in addition to, unlocking your phone with a PIN or pattern, you had a keychain dongle to activate. Press a button, or pass the phone within NFC distance, and the phone and your new authentication device exchange cryptographic signatures to validate each other’s presence. Your phone now knows with some degree of certainty that it’s in the presence of a physical token separate from your phone. Using modern cryptographic signatures, this process wouldn’t be vulnerable to mere replay attacks; using encryption with signatures can prevent Man-in-the-middle attacks. That isn’t to say this system wouldn’t have any issues at all. 
Obviously, if someone steals your phone, there is potential for them to steal your keys. Especially if you’re robbed, mugged or your house is broken into. I’m not super sure that the security of your phone should be your top priority in those instances, however. Luckily, since your phone has a constant internet connection, it’s even possible to create a method for deactivating an authentication token remotely. Much like how SSL certificates can be revoked, if the authentication device is designed correctly a central authority may be able to prevent a stolen token from authenticating to your phone.

[post_title] => Smartphone Pattern Unlock Sucks [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => smartphone-pattern-unlock-sucks [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:59 [post_modified_gmt] => 2021-04-13 00:05:59 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1205 [menu_order] => 426 [post_type] => post [post_mime_type] => [comment_count] => 1 [filter] => raw ) [52] => WP_Post Object ( [ID] => 1211 [post_author] => 91 [post_date] => 2012-04-02 07:00:50 [post_date_gmt] => 2012-04-02 07:00:50 [post_content] => Mobile security is the new hotness.  The conventional wisdom hasn’t yet been established, but many security proponents are gunning for users who jailbreak or root their devices.  Symantec and Good both offer enterprise solutions that include features to manage root privileges on employee devices.  Unfortunately, malware engineers just changed their approach. As background, many approaches to mobile security rely on preventing users from gaining root access.  Root access allows a user ultimate control over the phone, regardless of the inherent protections built into the device’s operating system.  Many users who go about acquiring root access do so in order to harmlessly customize their device.  Some users leverage root privileges to subvert controls on functionality like mobile tethering.  In any case, this process is seen as a risk since a user who roots their phone is capable of granting these enhanced privileges to any application that requests escalation.  If a user inadvertently grants root privileges to a piece of malware, that malware could access any data on the phone, including potentially protected, corporate information. In August, a piece of malware called GingerMaster was found to escalate to root privileges on any device compromised.  
From a management perspective, it no longer matters whether or not users in a given environment have rooted handsets.  At this point, a user with a rooted device who installs a malicious app is just as likely to expose sensitive or controlled information as a user without a rooted device. This means there isn’t a technical control that can prevent a given user from installing a malicious app and accidentally compromising anything from their email to their entire corporate environment. Just like with SSL certificates, users will have to learn to differentiate between helpful apps and malicious ones.  Thankfully, attackers are still disguising most of their malware pretty poorly.  The cutting edge malware GingerMaster, for example, was disguised as “Beauty of the Day.” [post_title] => Mobile security is the new hotness [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => mobile-security-is-the-new-hotness [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:31 [post_modified_gmt] => 2021-04-13 00:05:31 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1211 [menu_order] => 432 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [53] => WP_Post Object ( [ID] => 1230 [post_author] => 91 [post_date] => 2011-09-29 07:00:18 [post_date_gmt] => 2011-09-29 07:00:18 [post_content] => We all want to believe that our co-workers will do the right thing.  That we need to focus our security efforts on the bad guys "out there."  However the insider threat is one of the worst incidents that an organization can withstand.  Carnegie Mellon's CERT® Coordination Center  has launched the CERT Insider Threat Database.  They have collected approximately 700 cases of insider activity that "resulted in the disruption of an organization's critical information technology (IT) services."   
I realize that 700 cases since they started collecting data in 2001 seems like a drop in the bucket, but it's important to remember that these are cases involving critical IT services, and that were reported to CERT.  Many incidents are not reported because the organization doesn't want the negative publicity, or, in even worse cases, the perpetrator hasn't been caught (yet).  In many discussions about Insider Threats I've referred to the San Francisco IT Administrator charged with holding the city's network hostage.  In this particular case he didn't give the administrative credentials back to his employer but kept the systems operational.  It was a good example, but it is now a bit dated (2008); it was only a matter of time before another one emerged. With a roar, it did.  An IT Administrator has recently pleaded guilty to crippling his former employer's network.  Now some have dubbed this a "hacking spree" but I would like to draw a distinction: this was not a hack, but an individual with elevated privileges who became so disgruntled that he lashed out.  When he did so, he didn't use specialized hacking tools or techniques; instead he used a common administrative tool to delete critical IT systems, causing in excess of $800,000 in damages according to court documents.  What makes this example worse is that this individual resigned before the attack, but the organization kept him on as a consultant "due to his extensive knowledge of the company's network."  He performed his attacks with valid user credentials and common support tools.  Why am I trying to draw such a distinction over whether this is hacking or not?  When discussing risks as part of your normal risk assessments, Risk Management Program, etc., I think it is important to draw the distinction as it relates to policies and implementable controls.  
There is usually a lot of effort put into place to protect against malicious and unauthorized attacks (i.e., hacking) compared to disgruntled individuals with elevated privileges.  Malicious?  Yes.  Unauthorized?  No.  That's the scary part and the one that needs to be addressed by each and every organization. The takeaway here is to ensure that segregation of duties is followed so that no one person has the keys to the kingdom, and that disgruntled employees are not retained where they can cause extensive damage to the organization. [post_title] => Insider Threats [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => insider-threats [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:07 [post_modified_gmt] => 2021-04-13 00:06:07 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1230 [menu_order] => 452 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [54] => WP_Post Object ( [ID] => 1253 [post_author] => 91 [post_date] => 2010-12-30 07:00:50 [post_date_gmt] => 2010-12-30 07:00:50 [post_content] => Does your phone have a firewall?  Does it have antivirus?  Should it?  I'll wager your laptop does.  That's because your laptop faces the looming threat of attackers from the internet every time you connect to a network.  Additionally, any time you use a network, you expose yourself to the potential for a network level attack.  Everyone knows that an unprotected computer is pwnage waiting to happen.   So what about your phone? Your phone is connected to the internet 24/7.  What's more, it lacks a lot of the controls that would normally be applied to a network computing device.  It has no firewall, no antivirus, and most users can't even kill processes or modify the file system without voiding their warranty.  The user has to rely on the closed nature of the device, and hope there are no exploits roaming the wild.  
This is paper-thin security at best, especially when you consider the trends in modern phone usage are pushing for more devices containing more sensitive data. So how does an attacker target a mobile device?  They don't have to: given some recent developments in the Metasploit framework, they can initiate wide ranging automated attacks against anyone they can connect to.  Consider the open Wi-Fi network, such as at a coffee shop.  As customers sit down, and link up laptops and phones, an attacker keeps track of hosts joining the network.  Then, leveraging the power of the autopwn feature of Metasploit, an attacker can attempt any number of exploits against any number of hosts, smartphone or not.   Your laptop might withstand automated attacks because it has a firewall and antivirus.  Your phone doesn't.  There is no "Do you want to allow this app to run?" There is no "Would you like Windows Firewall to allow access to this program?" That's it.  An attacker now has access to your phone's audio, camera, data access, and any stored credentials or other sensitive data.  Metasploit has payloads in development for both the iPhone and Android platforms that will give root access to the phone, pending a successful exploit.  Finding more exploits is only a matter of time.  So this brings me to my point: Should your phone have a firewall? 
[post_title] => In Which a Smartphone is Pwnt, Thoroughly and Without Reason [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => in-which-a-smartphone-is-pwnt-thoroughly-and-without-reason [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:30 [post_modified_gmt] => 2021-04-13 00:05:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1253 [menu_order] => 478 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [55] => WP_Post Object ( [ID] => 1288 [post_author] => 91 [post_date] => 2010-01-07 07:00:41 [post_date_gmt] => 2010-01-07 07:00:41 [post_content] =>

Application security attacks are increasing

According to Gartner, 75% of attacks are coming through web applications and not through the network. This means greater emphasis needs to be placed on application security. However, this does not appear to be happening.

Application security vulnerabilities are increasing

For the first half of 2009, Cenzic identified about 3,100 total vulnerabilities, which is an increase of over 10 percent from the second half of 2008 (http://www.cenzic.com).  Another revealing piece of data: WhiteHat Security has stated that 83% of the 1,300 websites they scan have had at least one serious vulnerability (http://www.whitehatsec.com). Of the projects NetSPI has done in the application security area, 83% also had serious findings (serious vulnerabilities are those of HIGH, CRITICAL, or URGENT severity as defined by PCI DSS naming conventions).

What can happen if you do not fix the problems?

The first real risk is the theft of your data or your customers’ data. If applications are not done right, SQL Injection can allow a person (or persons) access to your database. Think TJX and all of the problems they had. Another risk is to your company’s reputation. Given the right situation, a user could be redirected to a site that is not under your control. It could be a porn site or even a site that looks like yours; it just exists to steal your users’ credentials. Your reputation will take years to repair, and the cost to your company may be insurmountable.

What can you do?

Many of the problems can be fixed by training. These do not have to be external training courses; they could just be brown bag lunches that cover specific secure coding techniques. A good place to start is the OWASP web site (http://www.owasp.org). This site gives good information on detecting and preventing these vulnerabilities.

Perform code reviews and application vulnerability assessments on a regular basis. Code reviews need to be performed every time the code changes. Application vulnerability assessments need to be done at least annually.

By doing code reviews, and vulnerability assessments, you are helping both your company and your customers.

[post_title] => What's Happening in the Application Security Arena? [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => whats-happening-in-the-application-security-arena [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:17 [post_modified_gmt] => 2021-04-13 00:06:17 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1288 [menu_order] => 506 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [56] => WP_Post Object ( [ID] => 1294 [post_author] => 91 [post_date] => 2009-11-16 07:00:41 [post_date_gmt] => 2009-11-16 07:00:41 [post_content] =>

Let's talk about application vulnerability assessments, penetration testing, and code reviews. How effective they are depends on a number of factors: the education and experience of the testers, the tools used, the restrictions put on the testers, or even the environment in which the testing is done. This post focuses on the education and experience of the testers.

Consider the well-known recent case of the Heartland breach. Robert O. Carr, Chairman and CEO of Heartland Payment Systems, was quoted as saying the following: "In early 2008 we hired a QSA to perform a penetration test which found nothing. On April 30, 2008, we were deemed PCI-compliant" (http://www.infosecurity-us.com/view/4562/qsa-system-is-broken-says-heartland-ceo/).

I wonder if Heartland Payment Systems queried the QSA company on the background of the pen tester. Yes, the company was QSA-certified, but did the person or persons actually doing the penetration test have the education and experience needed to perform a pen test well? Not everyone does. This also goes for application vulnerability assessments and code review. Just because you hire a company that sells itself as having experts on staff does not always mean you get the top dog or even the middle dog. You might be getting a puppy. If the company performing the testing uses a team approach, the team's collective knowledge might be as good as or better than that of the top dog.

Find out who will be performing your tests and get their resumes, or at least ask them about their background. What kind of training and experience do they have in this area? Are they right out of school or do they have at least a couple of years of experience? Does the firm employ a team of specialists? Is their work process mature and well defined?

These are not hard questions to ask or answer. Making this small effort could make a big difference in the effectiveness of your application security assessments, and your organization's overall information security.

[post_title] => How Good Are Your Application Security Assessments? [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-good-are-your-application-security-assessments [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:06:06 [post_modified_gmt] => 2021-04-13 00:06:06 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1294 [menu_order] => 512 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [57] => WP_Post Object ( [ID] => 1308 [post_author] => 91 [post_date] => 2009-10-20 07:00:50 [post_date_gmt] => 2009-10-20 07:00:50 [post_content] =>

The Internet is a vast and unforgiving wilderness; every day, some new monstrous beast rears its ugly head and threatens the hapless denizens of networks everywhere. The only thing standing between those Internet citizens and complete ownage is the security industry. This means that we have to adapt to the newest and biggest threats on the Internet. Recently, the industry has shown its vulnerability to a particularly nasty threat: botnets. This malware is dangerous because it is difficult to detect before some workstations start broadcasting administrator passwords, online credentials, or even credit card and social security numbers. What's more, botnets can adapt to hide from common detection techniques and antivirus configurations. Prevention is, of course, the best answer, but it can't be the only line of defense. Pfizer lost some serious credibility when its networks started uncontrollably spamming people with offers for Viagra (a product they make), and as recently as September it was revealed that over half of Fortune 100 companies had networks infected with a botnet called Mariposa. The problem isn't a simple one.

More recent approaches to botnet detection have come in the form of network-based detection. Many botnets rely on dynamic DNS solutions to obfuscate data collection centers, and David Dagon wrote an interesting presentation on DNS-based detection of forming botnets. These dynamic DNS solutions tend to be abused by botnet owners, allowing them to hijack hundreds of third-level domains from dynamic DNS servers for use in controlling botnets or aggregating data. Fortunately, this means that the botnet will require a lot of DNS traffic during formation, and this footprint allows for easy isolation of the infected hosts before they transform into a rampaging swarm of zerglings and spew your data all across the Internet. It won't save anyone from an already formed botnet, and it won't prevent a distributed denial of service attack that originates externally, but it's another layer of protection for internal data.

[post_title] => Botnet Detection and Dynamic DNS [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => botnet-detection-and-dynamic-dns [to_ping] => [pinged] => [post_modified] => 2021-04-13 00:05:15 [post_modified_gmt] => 2021-04-13 00:05:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://netspiblogdev.wpengine.com/?p=1308 [menu_order] => 524 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 58 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 25909 [post_author] => 91 [post_date] => 2021-07-14 13:06:23 [post_date_gmt] => 2021-07-14 18:06:23 [post_content] =>
Celebrating the 35th class of unstoppable entrepreneurs who transform the Heartland Region and beyond.

Minneapolis, Minnesota  –  Ernst & Young LLP (EY US) announced that NetSPI CEO and President Aaron Shilts was named an Entrepreneur Of The Year® 2021 Heartland Award finalist. Now in its 35th year, the Entrepreneur Of The Year program honors unstoppable business leaders whose ambition, ingenuity and courage in the face of adversity help catapult us from the now to next and beyond. 

Shilts was selected by a panel of independent judges. Award winners will be announced during a special virtual celebration on Tuesday, July 27, 2021, becoming lifetime members of an esteemed community of Entrepreneur Of The Year alumni from around the world.

Entrepreneur Of The Year is one of the preeminent competitive award programs for entrepreneurs and leaders of high-growth companies. The nominees are evaluated based on six criteria: entrepreneurial leadership; talent management; degree of difficulty; financial performance; societal impact and building a values-based company; and originality, innovation, and future plans. Since its launch, the program has expanded to recognize business leaders in more than 145 cities in over 60 countries around the world.

“This recognition validates the incredible work our team is doing,” said Shilts. “NetSPI team members operate as entrepreneurs every day and it’s an honor to help lead and support some of the most brilliant people in cybersecurity.”

Regional award winners are eligible for consideration for the Entrepreneur Of The Year National Awards, to be announced in November 2021 at the Strategic Growth Forum®, one of the nation’s most prestigious gatherings of high-growth, market-leading companies. The Entrepreneur Of The Year National Overall Award winner will then move on to compete for the EY World Entrepreneur Of The Year™ Award in June 2022.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Sponsors

Founded and produced by Ernst & Young LLP, the Entrepreneur Of The Year Awards are nationally sponsored by SAP America and The Kauffman Foundation. In the Heartland Region sponsors also include Colliers International, Padilla, PNC Bank, SALO, LLC, and Twin Cities Business.

About Entrepreneur Of The Year®

Entrepreneur Of The Year® is the world’s most prestigious business awards program for unstoppable entrepreneurs. These visionary leaders deliver innovation, growth and prosperity that transform our world. The program engages entrepreneurs with insights and experiences that foster growth. It connects them with their peers to strengthen entrepreneurship around the world. Entrepreneur Of The Year is the first and only truly global awards program of its kind. It celebrates entrepreneurs through regional and national awards programs in more than 145 cities in over 60 countries. National Overall winners go on to compete for the EY World Entrepreneur Of The Year™ title. Visit ey.com/us/eoy

About EY Private

As Advisors to the ambitious™, EY Private professionals possess the experience and passion to support private businesses and their owners in unlocking the full potential of their ambitions. EY Private teams offer distinct insights born from the long EY history of working with business owners and entrepreneurs. These teams support the full spectrum of private enterprises including private capital managers and investors and the portfolio businesses they fund, business owners, family businesses, family offices and entrepreneurs. Visit ey.com/us/private

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets. 

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform, and operate.

Working across assurance, consulting, law, strategy, tax, and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Contact:
Tori Norris, NetSPI
victoria.norris@netspi.com
(630) 258-0277

[post_title] => EY US Announces NetSPI CEO Aaron Shilts as an Entrepreneur Of The Year 2021® Heartland Award Finalist [post_excerpt] => The award celebrates unstoppable entrepreneurs who transform the Heartland Region and beyond. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => entrepreneur-of-the-year-2021-heartland-award-finalist [to_ping] => [pinged] => [post_modified] => 2021-07-15 12:00:01 [post_modified_gmt] => 2021-07-15 17:00:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25909 [menu_order] => 5 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 58 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 963f2e5eb8e0eac4d7dd161115b2c195 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )