First new Kali Linux release of 2022 includes visual improvements and more


The Debian-derived Kali Linux is a distro used primarily for digital forensics and penetration testing, and comes with a wide range of tools to help in investigations and incident response.
Users of the distribution will be pleased to know that its developer, Offensive Security, has just pushed out the first new release of 2022, and this brings with it various visual updates and tweaks to existing features.
Firms step up testing to find and fix software security flaws


Most applications are now security scanned around three times a week, compared to just two or three times a year a decade ago.
A new report from Veracode also shows developers now testing more than 17 new applications per quarter -- more than triple the number of apps scanned over the same period a decade ago.
How to get your business ransomware ready [Q&A]


Taking proactive measures like updating and patching systems promptly and undertaking penetration testing improves the ability to withstand a targeted attack.
But when security teams are flooded with non-critical alerts 'vulnerability fatigue' can set in. We spoke to Amitai Ratzon, CEO of penetration testing specialist Pentera, to find out how enterprises can avoid this and improve their ransomware readiness.
Why testing is vital to keep organizations secure [Q&A]

New developer tool automates security testing


As the speed and complexity of software development increases, security and development teams have seen the need to integrate and automate security testing within their development workflows.
But doing this can slow development pipelines and overwhelm teams with large volumes of testing results, many of which don't require immediate attention. To address this Synopsys is unveiling its new Intelligent Orchestration solution at the RSA Conference later this month.
The advancement of penetration testing throughout the pandemic


COVID-19 threw the spotlight on cybersecurity like never before. The unprecedented global shift to remote working and subsequent surge in cyber crime drove a priority focus amongst business leaders to ensure a robust cybersecurity posture across every part of their newly extended network. Many organizations had to make this transition rapidly, which increased the likelihood of misconfigurations and other errors, while the drastically increased attack surface presented fresh cybersecurity challenges around remote network connections, VPN connections, phishing, and many other types of network attacks.
Ensuring adequate protection against this wave of new security threats facing every size and shape of business became paramount and challenged CISOs to balance reduced budgets and staff against the requirement for increased technology investment.
Why testing is vital to securing modern enterprises [Q&A]

Size matters when it comes to cybersecurity


Research from Coalfire Labs based on over 800 penetration tests finds that company size has a direct bearing on how effectively a business is able to fend off would-be attackers.
The study shows large and small companies see more than three times the year-on-year improvement of medium-sized companies. Although mid-size companies hit the cybersecurity sweet spot in 2018, they scrambled to keep up last year, and in 2020, improving only four percent year-on-year in fending off attackers compared to their bigger and smaller counterparts.
Why more organizations are choosing crowdsourced security testing [Q&A]


During the pandemic, video conferencing app Zoom found itself at the center of several security and privacy issues. In response it has boosted its security program, including aggregating reports from Bugcrowd.
But what's driving organizations like Zoom to choose crowdsourced security approaches? We spoke to Ashish Gupta, CEO of Bugcrowd, to find out.
Get 'Hands-On AWS Penetration Testing with Kali Linux' ($35.99 value) FREE for a limited time


The cloud is taking over the IT industry. Any organization housing a large amount of data or a large infrastructure has started moving cloud-ward -- and AWS rules the roost when it comes to cloud service providers, with its closest competitor having less than half of its market share. This highlights the importance of security on the cloud, especially on AWS. While a lot has been said (and written) about how cloud environments can be secured, performing external security assessments in the form of pentests on AWS is still seen as a dark art.
Hands-On AWS Penetration Testing with Kali Linux aims to help pentesters as well as seasoned system administrators with a hands-on approach to pentesting the various cloud services provided by Amazon through AWS using Kali Linux. To make things easier for novice pentesters, the book focuses on building a practice lab and refining penetration testing with Kali Linux on the cloud.
61 percent of networks vulnerable to low-skilled hackers


Almost half of all actions by attackers are identical to the normal activities of the users and admins, and in most companies even a low-skilled hacker can obtain control of the infrastructure.
These are among the findings of a new study from penetration testing specialist Positive Technologies. Testers, acting as internal attackers, managed to obtain full control of infrastructure at 23 tested companies usually within three days.
Bugcrowd seeks to disrupt the pen test market with new service


Traditional penetration testing solutions often fail to provide the rapid, reliable and fully integrated security testing that fits with businesses' go-to-market timelines.
Crowdsourced security company Bugcrowd is looking to change this with the launch of its Classic Pen Test, powered by the Bugcrowd platform and focused on providing customers with on-demand access to methodology-driven pen testing at a fixed price.
Get 'Becoming the Hacker' ($31.99 value) FREE for a limited time


Protect the web by learning the tools and the tricks of the web application attacker.
Becoming the Hacker will teach you how to approach web penetration testing with an attacker's mindset. While testing web applications for performance is common, the ever-changing threat landscape makes security testing much more difficult for the defender. There are many web application tools that claim to provide a complete survey and defense against potential threats, but they must be analyzed in line with the security needs of each web application or service. We must understand how an attacker approaches a web application and the implications of breaching its defenses.
Demystifying penetration testing


Most people who keep relatively up to date on security lingo easily understand the concepts of the basics, such as "compliance," "edge security," and "incident response." But when you bring penetration testing into the conversation, you lose half your audience. A much smaller percentage of the population knows what it is, and even fewer understand how it is done or the significant value it adds to the security tool chest.
While some enterprises may contract a third party to conduct penetration testing because it is required for a variety of reasons (part of an industry framework such as PCI-DSS or FedRAMP, or a prospective customer demands it), many don’t understand the techniques involved or are surprised by the depth of the activity. The client may not actively engage in the "scoping" calls to review and set parameters around what will be done, and then is surprised by the more rigorous techniques involved, especially if those techniques unexpectedly bring down client systems temporarily. The testers themselves, shrouded in misperceptions, may evoke images of donning hoodies and barely skimming the line between criminality and service. Recent news of penetration testers being whisked off to jail during a client assignment in Iowa hasn’t helped. It’s time to set the record straight.
BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.