How many of your projects include open source software? Maybe it is better to call it free software. As a person who has spent time in the corporate world, I get the idea of using open source software. Much of it is free or at very low cost. However, is it secure and how do you go about proving that it is secure? For example, OpenSSL had the Heartbleed vulnerability in it for some time before it was discovered and disclosed.
If you are using a piece of software that was not written by your own company, how do you not realize that this software may have vulnerabilities in it that have not been discovered or disclosed? Make sure you find out, either by doing the work yourself or through a third party. We have had many companies tell us not to worry about the results from the open source software because it was not their software and they cannot or will not fix it. If you find vulnerabilities in this open source software, make sure you address them or at least mitigate them.
Right now, I am in the middle of a code review for a company that is using an open source framework. I looked it up and the framework has not been modified since July 2012. The framework they are using is full of vulnerabilities, including SQL Injection and cross-site scripting (both persistent and stored). If the person who wrote this code could do it wrong, they did. Out of the 10,000+ vulnerabilities found by the automated code review tool, almost 80% were for the framework.
For this company I am doing the code review for, I am going to recommend working with the framework’s author to address these vulnerabilities or to try to find a different framework. Maybe one that has been updated recently. I am also going to recommend they look at implementing a web application firewall. If not, they are going to have problems.
This framework is a good example of what not to do. Security vulnerabilities, attacks, programming languages, and tools have evolved to make your application much more secure, but your developers need to understand the concepts of secure coding techniques. You also need to evaluate the frameworks you are using and not assume they are safe.
PTaaS is NetSPI’s delivery model for penetration testing. It enables customers to simplify the scoping of new engagements, view their testing results in real time, orchestrate faster remediation, perform always-on continuous testing, and more - all through the Resolve™ vulnerability management and orchestration platform.
We help organizations defend against adversaries by being the best at simulating real-world, sophisticated adversaries with the products, services, and training we provide. We know how attackers think and operate, allowing us to help our customers better defend against the threats they face daily.
At NetSPI, we believe that there is simply no replacement for human-led manual deep dive testing. Our Resolve platform delivers automation to ensure our people spend time looking for the critical vulnerabilities that tools miss. We provide automated and manual testing of all aspects of an organization’s entire attack surface, including external and internal network, application, cloud, and physical security.
Our proven methodology ensures that the client experience and our findings aren’t only as good as the latest tester assigned to your project. That consistency gives our customers assurance that if vulnerabilities exist, we will find them.
Is your organization prepared for a ransomware attack? Explore our Ransomware Attack Simulation service.