Take These Steps to Further Improve Your Authenticated Vulnerability Scans

A flaw in any system can eat the company from the inside without you even knowing, and by the time signs appear, it’s too late. However, an authenticated vulnerability scan can help in the timely detection of flaws in the system, protecting businesses and organizations from internal and external threats. While the benefits are self-evident, many companies still fail to adopt this methodology, and those that do often don’t utilize its full potential.

Ignoring the former for now, we focus on certain steps security teams and practicing companies can take to get the most from authenticated vulnerability scans.

Knowing your needs

You must know which systems you want to scan with authentication. These may include systems running a particular operating system or a reserved set of computers. Furthermore, make sure you consider network hosts, databases, relevant web applications and anything else that requires or allows authentication via protocols like FTP, SSH, Telnet, etc. Authenticated scanning is widely used by hackers and malicious users; therefore, it is a must for you to use it as well.

Determining what levels are to be scanned

You can determine the different user-level roles for scanning, such as basic, managerial, administrative and more. While you can choose any, it is highly recommended that, at a minimum, you scan at the administrative and root level. Doing so will help you identify most of the flaws. Of course, the more user levels you scan, the more flaws are likely to appear. We suggest that you continue to the point where results no longer vary by permissions. But then again, it depends on your preferences and needs.

Test on a few systems before opting for enterprise wide scanning

Although authenticated scans of network hosts hardly pose any problems, the same cannot be said of production environments, especially in the case of web application scanning. Nonetheless, it is advisable not to take risks no matter what you are scanning, and to test the scanning process on a few systems first. The reason is that you may at times experience side effects: user accounts may get locked out, databases may fill up, CPU and disk consumption may increase, and more. Testing beforehand helps you evaluate the side effects that would otherwise spread to all systems once you start scanning everything.

Setting up user accounts for scanning beforehand

This may not seem very important, but it can save you a lot of time and unwanted hassle. If you set up the scanning accounts beforehand, the scanner can log in without being prompted to change the password. If you don’t, the scanner will not be able to change the password on its own; as a result, authentication will fail and you’ll eventually have to run the scan again.

If you are looking for vulnerability scanning services or have any general question and queries, feel free to contact us anytime.

Know the Common Web Security Vulnerabilities and How to Fix Them

It is only after a system has been breached and losses have been incurred that most companies realize the importance of web security. Soon afterwards, they go around looking for the best web security service providers without realizing that the most effective, and indeed the best approach, is one that is proactive and defensive.

Hackers are always on the lookout for vulnerable systems and if yours is one, sooner or later it will get attacked. While it is recommended to maintain full security at all times, here we list a few web security vulnerabilities and fixes so you can address them instantly.

Vulnerability: Injection flaws

This is one of the most common types of problem and results from the failure to filter untrustworthy input. It happens when unfiltered data is passed to the SQL server, to the browser, to the LDAP server or somewhere else. Hackers can inject commands into these entities, the result of which is hijacked browsers and loss of valuable data.

Solution: Fortunately, the solution in this case is pretty straightforward, but it has a few implications of its own. While you can simply filter input data from untrusted sources, you have to filter all of it. In a system of, let’s say, 10,000 inputs, filtering 9,999 is not enough. Usually, your own framework’s filtering functions do the job just fine.
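To make the "unfiltered data passed to the SQL server" point concrete, here is an added example (not code from the post) that puts a concatenated query beside a parameterised one; the users table and its rows are constructed for the example, and the framework filtering the post mentions corresponds to the driver's parameter binding.

```python
"""Injection flaw demo: unfiltered input reaching SQL versus a bound parameter."""
import sqlite3

# Constructed sample rows; the second name is a legitimate value that
# already contains the SQL string delimiter.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("O'Brien", "obrien@example.test"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # The defect the post warns about: untrusted input is spliced straight
    # into the statement, so any quote in `name` changes what SQL is run.
    # With an ordinary apostrophe the symptom is a broken query (None);
    # with crafted input the statement's meaning changes instead.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the value is bound as a parameter, so the driver treats
    # it as an opaque literal no matter which characters it contains. This is
    # what "filtering every input via the framework" amounts to in practice.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    print(compare("alice"))     # identical results for benign input
    print(compare("O'Brien"))   # concatenation breaks; binding still works
```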

Vulnerability: Sensitive or valuable data exposure

Data, whether in transit or stored, is always vulnerable and therefore must be properly encrypted at all times. Moreover, sensitive information like passwords, bank account or credit card numbers and more must be hashed. In any case, the algorithm must be a strong one.

Solution: In the case of stored data, encryption or hashing is the key. Make sure all payments are made using secure payment processors and any unwanted sensitive data is shredded. For data in transit, using secure connections (HTTPS) along with secure flags on cookies is the way to go.
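What "a strong algorithm" means for stored passwords, as an added example that is not part of the original post: a fast unsalted digest beside a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library. The iteration count and record format are assumptions for the example.

```python
"""Weak versus strong password storage (added example, not the post's code)."""
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor; tune to your own hardware


def weak_hash(password: str) -> str:
    # Unsalted, single-round digest: identical passwords produce identical
    # hashes, and each guess costs an attacker one cheap hash computation.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    # Per-user random salt plus many iterations: equal passwords no longer
    # share a hash, and every guess is deliberately slow.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Assumed record layout: algorithm$iterations$salt$digest, so the
    # parameters travel with the hash and can be upgraded later.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(password: str, strong: bool) -> bool:
    """True if two users who pick the same password get identical records."""
    if strong:
        return hash_password(password) == hash_password(password)
    return weak_hash(password) == weak_hash(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(same_password_collides("hunter2", strong=False))         # True
    print(same_password_collides("hunter2", strong=True))          # False
```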

Vulnerability: Web server and application misconfiguration

This includes very basic yet very common mistakes like using default passwords or running unnecessary services on the machines, running obsolete and outdated software, applications running with debug mode enabled, directories that leak information, and more.

Solution: Using any legitimate build-and-deploy script or process can help you tackle almost all of these issues. If it is automated, that’s even better.
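A sketch of the automated deploy-time check the solution describes, as an added example rather than code from the post: it audits a deployment configuration for the five mistakes listed above. The configuration dictionary, the default-password list, the minimum versions and the required-service set are all constructed for the example.

```python
"""Deploy-time configuration audit for the misconfigurations listed above."""

# Assumed: credentials that must never survive into production.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}
# Assumed: minimum acceptable versions, as (major, minor) tuples.
MIN_VERSIONS = {"webserver": (2, 4), "dbserver": (8, 0)}
# Assumed: the only services this host is supposed to run.
REQUIRED_SERVICES = {"webserver", "dbserver"}


def version_tuple(text: str) -> tuple:
    """'2.4' -> (2, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    if cfg.get("debug"):
        findings.append("debug mode enabled")
    if cfg.get("directory_listing"):
        findings.append("directory listing enabled")
    for account, password in cfg.get("accounts", {}).items():
        if password in DEFAULT_PASSWORDS:
            findings.append(f"default or empty password for account '{account}'")
    for name, version in cfg.get("software", {}).items():
        minimum = MIN_VERSIONS.get(name)
        if minimum and version_tuple(version) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(f"outdated {name} {version} (minimum {wanted})")
    for service in sorted(set(cfg.get("services", [])) - REQUIRED_SERVICES):
        findings.append(f"unnecessary service running: {service}")
    return findings


# Constructed sample: a staging box pushed as-is, with several of the mistakes.
SAMPLE_CONFIG = {
    "debug": True,
    "directory_listing": False,
    "accounts": {"admin": "admin", "deploy": "s3cr3t-unique-value"},
    "software": {"webserver": "2.2", "dbserver": "8.0"},
    "services": ["webserver", "dbserver", "telnet"],
}

if __name__ == "__main__":
    # A deploy script would abort the rollout when any finding is present.
    for finding in audit_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```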

These are just a few of the hundreds and thousands of vulnerabilities that pose a 24/7 threat to your systems and, in turn, the business.

If you are looking to make your systems more secure, you should contact us. We provide comprehensive web and mobile application security testing and IT solutions for all types of businesses at affordable prices.

Here Are the Mobile Security Predictions for the Year 2016

According to research by comScore, the number of mobile internet users outpaced desktop internet users in 2015. As smartphones become more powerful, user-friendly and fast, this trend will likely continue in the future. As a result, businesses big and small have now started optimizing their offerings for a more mobile-friendly experience with the development of dedicated applications and responsive designs.

Consequently, the demand for more secure mobile applications, payment procedures, credential protection and more has also increased. With this, a number of new developments are taking place and new trends are emerging. Here, we shed light on a few mobile security predictions for the year 2016.

Password theft or reuse attacks will decrease

Advances in biometric technology, coupled with the fact that more new mobile phones have fingerprint scanners as a standard feature, are going to play a major role in enhancing data protection and security. Furthermore, the development of advanced password management software and backup solutions has also made it easy to access a password repository quickly and safely. As a result, password theft cases and reuse attacks have decreased and will further decline in the future.

Google will step in

According to research by Alcatel-Lucent in 2014, 0.68% of all mobile devices were infected with malware, of which 99% were running Android, the most widely used mobile operating system in the world. Considering the growing insecurities and the efforts to enhance mobile security, Google has decided to step in. In the future, it is likely to address these issues by clamping down on third-party application stores, restricting permissions for applications that have not undergone the proper Google Play submission process, developing security standards for apps and more.

iOS will become the next target for hackers

As the number of iPhone users in the market increases, malware authors and hackers will, in the very near future, turn their attention towards iOS. According to experts, the previously discovered “XcodeGhost” malware in a number of App Store applications was just the beginning of what will happen. The first wave of targets for these attackers will be the already vulnerable jailbroken iOS devices.

Regulatory and compliance policies will encapsulate mobile devices

Data security compliance practices in the future will include mobile devices as well. While certain countries like Canada and Hong Kong have already taken initiatives, it won’t be long before other countries catch up. Again, this is important because of the ever-increasing number of smartphone users and the rising popularity of hybrid devices (laptop/tablet, phone/tablet).

The need for mobile application security testing services will increase

As security becomes an important concern, companies will outsource and utilize web and mobile application testing and security services in the future more than ever before. There is no doubt that consumers are becoming more conscious about the safety and security of their private data. Who knows, this might just become the decisive factor in whether a potential customer chooses to use your application or your competitor’s.

If you are looking to proactively adapt to the changing trends by making your mobile application more secure, contact us now because it just so happens that we are specialists in doing that.

9 Things Everyone Should Know about Website Security Scans and Why They Are a Must for All Serious Webmasters

Website security is a major concern for many website owners all over the world these days. Knowing and identifying the framework used is not what matters; you still have to maintain the web application, including the server, so as to avoid intrusions. Identity thieves and hackers may attack your site to gain access to your confidential data and files, and to use the server to send abusive mail and host malicious files. In order to prevent such attacks, keep in mind the following things associated with website security scans...

5 Little-Known Facts That Can Affect Web Application Security

Business applications that hold sensitive information related to business processes and customers are prone to attack by malicious hackers and viruses. Incorporating cost-effective security measures is a must in order to protect this important information and prevent data-stealing attacks. If businesses fail to take the necessary web security testing measures, they will lose the trust of customers and experience significant losses.

The Minimalist Guide to Mobile Application Security: Why Less Can Be More

Ensuring mobile application security is a must, and the “less is more” approach could be more beneficial in achieving this goal. You would think that adding more rules, security tools and safeguards is the best approach. When you take streamlined application design into consideration, you will see why “less is more” is the better tactic. Try designing mobile applications in a way that minimizes the amount of data permitted in device downloads or exposed in apps. This will help you reduce the risk of revealing sensitive information.

The Future of Penetration Testing: Declaring War on Modern Hacking Techniques

It has become standard operating procedure (SOP) for organizations to conduct penetration testing and vulnerability scans on a regular basis. Such practice is endorsed by most IT specialists, since an attack could lead to disastrous outcomes. Penetration testing assesses an IT infrastructure’s security by safely exploiting vulnerabilities. These vulnerabilities may exist in incorrect configurations, hazardous end-user behaviour, operating systems and application flaws.

What to Expect When You Hire a Web Application Testing Service Provider

In simple terms, web application testing is when an online business hires a security assurance service provider such as Lean Security to analyse and test its web applications for potential viruses or cyber threats, either before or during their availability on the World Wide Web.

The task of securing a web application from outside attacks is given to a professional application testing service provider for effective results. The importance of running precise security analysis on your web application shouldn’t be taken lightly; it is during this stage that major issues pertaining to web application security and its operation are brought to light.

Web Application Testing Checklist

Security experts recommend hiring a professional for this very important job for a reason. Not only will they be better equipped in terms of automated tools, software and skilled expertise, but a professional web application test will ensure that nothing is left to chance. They will conduct:

Functionality Testing

This is usually done to check whether the specifications you intended for your product are met. The functional requirements of the web application, as per the development documentation, are also checked. The testing analysis is done on:

- All links (outgoing, internal, anchor, MailTo) in the web pages, to check that they work correctly with no broken links in place

- Forms

- Cookies

- HTML & CSS

- Business workflow

Usability Testing

This has become a vital part of any web-based project and application, because conducting usability testing on the web application will tell you how easy it is for users and the target audience to navigate. Usability testing can be carried out by experts, DIY testers or a small focus group similar to the web application’s intended users. With the help of usability testing, online store owners and businesses can test:

- Whether the web application is easy to navigate or not

- Whether the content is easy to read and understand or not

Security Testing

This is by far the most important function carried out by web application testing service providers. Why? Security testing of a web application is vitally important for e-commerce websites, as these online stores hold sensitive customer information. Lean Security analyses, and advises businesses to keep an eye on, whether:

- Unauthorized access is being granted to secure pages by the current system

- Restricted files can be downloaded without the appropriate access and authentication

- Sessions are terminated automatically after long periods of user inactivity

- Websites are redirected to encrypted SSL pages when SSL certificates are in use

By having a safe and secure web application, you will only be doing your online business a favour. Customers will prefer the extensive and seamlessly secure applications that only a professional hand can provide. Sign up for our services today!