What Are Your Resolutions For Web Application’s Pen Testing?

New Year has come and gone, but the air is still filled with expectations that this year will be the best yet. If you are an online business owner who suffered security breaches, liabilities and losses last year, 2017 is the time to redeem yourself in the eyes of your customers. Keeping with tradition, did you write down a list of New Year’s resolutions that you intend to follow to the letter? Did those resolutions include web application pentesting? More importantly, isn’t it time to resolve to have your business’s IT infrastructure and web applications reviewed through manual and automated penetration testing?

Understanding the Real Value of a Penetration Test

Very few businesses with an online presence realize the importance and value of penetration testing for the security of their web and mobile applications and software. There are a lot of misconceptions about this, such as:

  • My IT infrastructure will be safe after pentesting
  • All vulnerabilities within the application will be found

Penetration tests commissioned for the reasons above don’t use the full capacity of the security testing service. There are other benefits of pentesting that you can enjoy!

Pentesting Reveals a Set of Vulnerabilities

Not all of them, though! In fact, the number of vulnerabilities found depends on several factors, namely:

  • Time length of the test
  • Skills, experience, credentials, certifications of testers
  • Network connectivity
  • Active web application firewalls
  • System changes during testing
  • Application instability

Moreover, high-risk vulnerabilities are targeted first, then medium- and low-risk ones (if no high-risk ones are found). This is why, for maximum results, a combination of automated and manual pentesting should be performed. Some additional benefits of pentesting from a certified and experienced vendor are:

  • Shows ‘real risk’ of vulnerabilities
  • Offers third party’s expert opinion
  • Tests cyber-defence capability of your IT infrastructure
  • Helps comply with industry certifications and regulations

Businesses often ask about the best way to conduct pentesting of software, web applications and the rest of their IT infrastructure. What they forget is that penetration testing should meet stated business goals and objectives, not merely check for random holes in security.

Here Is How to Conduct a Successful Security Evaluation Test

Choosing the right pentesting vendor is only half of the battle. Make sure the security assessment is conducted properly by:

  • Establishing a security baseline through annual tests
  • Spelling out your company’s security objectives and requirements
  • Choosing auditors that have ‘real’ security experience
  • Involving business unit managers early on
  • Making sure reliance is on experience, not just prepared checklists
  • Ensuring the finished report reflects all of the organization’s security risks

Now that you know the importance of penetration testing for evaluating your web application’s or IT infrastructure’s security, are you going to scour the market for pentesting software that doesn’t offer accurate results, or are you choosing Lean Security?

Security Compliance And Audits – What You Should Know

When was the last time your company’s IT department conducted a security and compliance audit of its infrastructure, web applications and software? Why is this necessary? In simple terms, a security audit is usually carried out to ensure that your security systems and IT infrastructure are fully working.

A compliance audit, on the other hand, is a comprehensive review detailing a company’s adherence to regulatory guidelines. Independent security or IT consultants offer compliance audits to clients, who then close the gaps in their security with the help of the finished report. Over the course of the audit, these professionals review user access controls, risk management procedures, and security policies.

There are a few points that you should know about choosing security and compliance audits for your IT infrastructure to get better results. Keep the following in mind:

An Audit Isn’t a Design Session

Does your security program’s design rely heavily on the initial audit gap report? If so, the program might not be sustainable. In the end, your auditor will target a specific requirement first, which means compliance and security audits don’t deal with sustainability, holistic approaches, or integration with existing business requirements.

Don’t Conduct Audit If Not 100% Ready

An audit is an independent review of your existing security program, conducted strictly against its requirements. There is no need to go through one if you feel your organization doesn’t meet all aspects of the security audit. In fact, discrepancies and vulnerabilities within the IT framework should be fixed first! Remember, security and compliance audit results shouldn’t be treated as a score, but the evaluation does help fix issues.

Always Aim Higher Than What Compliance Requirements Prefer

Going above and beyond when it comes to IT security can be a good thing. Requirements set a minimum standard by which businesses with an online presence can operate, and which they should work to exceed. When making the budget for a security and compliance audit, don’t just focus on meeting the standard requirement; try to provide everything your organization needs to effectively mitigate risk.

Identify vulnerabilities and fix your web application’s security through an effective assessment of your IT infrastructure with the help of advanced web security testing. Security and compliance will follow automatically afterwards. Lean on Lean Security for all your web and mobile application security needs.

How To Choose The Right Penetration Testing Vendor

When it comes to IT infrastructure and web application security, there are two ways businesses and companies with an online presence can establish thorough security: the bad way and the good way. You can either wait for your organization’s web application and IT infrastructure to get hacked, or work with a professional penetration testing service before disaster strikes. The latter is the better option.

Penetration Testing Will Safeguard Your IT Infrastructure against Vulnerabilities

Contrary to popular belief, penetration testing is used to scan for and find existing vulnerabilities within the framework of a web application. Each vulnerability found is then addressed and duly removed. Evaluation and penetration scanning is carried out by pentesting companies or individuals. These professionals use the exact same techniques as hackers and cyber criminals to safely exploit vulnerabilities and highlight issues within the infrastructure’s security. With many pentest vendors operating in Australia (Lean Security is one of them), how will you know you have partnered with the right one?

Look For Technical Capabilities

Extensive training and experience are two factors all the best pentesters have in common. Your chosen penetration testing vendor should hold the following certifications, which attest to both training and experience. These are:

  • CISSP – Certified Information Systems Security Professional
  • CEH – Certified Ethical Hacker
  • GWAPT – GIAC Web Application Penetration Tester
  • OSCE – Offensive Security Certified Expert
  • OSCP – Offensive Security Certified Professional

Additional credentials to look out for are a pentester’s background in networking, systems management or application development before moving into this field.

Pricing Of Penetration Testing

Get at least three quotes or recommendations for pentest vendors or companies, with complete information about their services. This will help determine whether the asking price of a package is worth the service. In any case, knowing what you are paying for will help.

Not all pentest companies are equal, either in services or in certification. Don’t forget, you get what you pay for, which means choosing a low-priced service will offer nothing but underqualified or inexperienced pentesting professionals.

Ask a Potential Pentesting Vendor These Questions

Choosing the right pentesting vendor has been made easy with the following summation of important questions to ask:

  • How many pentesters do you employ? What are their qualifications?
  • What assistance can you provide in scoping the tests?
  • Do you offer phishing testing and social engineering?
  • How is the pentest carried out and to what time scale?
  • What steps are taken to minimize possible effects on the business?
  • Will there be any reports and security recommendations provided after the test?
  • Can you provide references or testimonials for other existing customers?

With help from the above, finding the right pentesting vendor for your online business or web application will become easier. Just know what you want done, i.e. a security assessment and evaluation only, or something more concrete. Look at what Lean Security has to offer when it comes to penetration testing services.

Ask Us – Difference Between Penetration Testing, Security Audit And Vulnerability Assessment

Companies and businesses with an online presence are more vulnerable than ever to exploitation and hacking. Today’s rapid explosion of internet-based commerce guarantees it. Besides the various aspects of a corporate network that are vulnerable to attack, web application servers and the transactions they manage are especially open to criminal hackers. Web application security has become more important than ever; however, traditional testing of security controls (firewalls) is no longer sufficient or efficient in protecting organizations and companies doing business on the internet.

Yes, it goes without saying that businesses today need something extra when it comes to managing their web application security. The mantra for effective web application security has changed. The e-commerce sector now believes that simply ‘avoiding being hacked’ isn’t enough, especially when failure to properly manage security is linked to serious liabilities such as:

  • Cross-site request forgery
  • Unvalidated redirects and forwards
  • Sensitive data exposure
  • Security misconfiguration
  • SQL injection
  • Cross-site scripting
  • Session management and broken authentication

What type of security assessment should you look into for your IT infrastructure? There are commonly three types, i.e. penetration test, vulnerability assessment, and security audit.

What Is A Security Audit?

It simply refers to evaluating an application or system’s risk level against certain set standards or baselines. Standards are mandatory compliance rules, whereas baselines define a minimum acceptable level of security. What do they do? Both standards and baselines help achieve a certain level of consistency in how security is implemented. These sets of rules can also be specific to industries, technologies and processes.

Important Note:

Security audits in many cases give businesses a false sense of security, as most rules in both standards and baselines are unable to keep up with rapid changes in cyber security, vulnerabilities and threats.

What Is A Vulnerability Assessment?

Also known as vulnerability analysis, it is a process through which security holes or vulnerabilities in a computer, network, or IT infrastructure are defined, identified and classified. Most people don’t know this, but the assessment stops once a vulnerability is found. This means a full-fledged attack against the vulnerability doesn’t follow to verify whether it is a legitimate threat or a false positive.

What Is Penetration Testing?

Pen tests are conducted to evaluate an IT infrastructure’s security. This is done by safely, or ‘ethically’, exploiting vulnerabilities within a web application or operating system, improper configurations, or even risky end-user behavior.

Important Note:

A popular misconception about pen testing services is that web application security is enhanced simply because these services are more expensive than others. It is important to remember that penetration testing doesn’t by itself make IT networks and applications more secure, since it only evaluates existing security.

Whether you choose pen testing, a security audit, or website evaluation and assessment from Lean Security, know that we will offer the very best in managed security services and advanced web security testing. Try it out today!

Mobile Security Assessment: Three Points Of Focus

How secure is your business’s mobile application? This question is important for peace of mind of your customers—and to an extent—your IT department as well.

We live in the mobile age of technology, i.e. every service that we can ever hope for can be easily accessed with our mobile devices.

In fact, customers (and employees) today have come to expect the very best in mobile services and applications.

With the increasing popularity of BYOD and the use of mobile services to conduct just about anything, companies should be trying to find out how secure their mobile applications and related systems really are.

Increasing Need for Mobile Security Assessments

You have a lot to learn about mobile security and why it’s important (including the use of web application penetration testing). Here are some questions you should be asking:

  • What are the potential vulnerabilities in my mobile application that attackers could exploit?
  • Is there any way to protect mobile applications from malicious activity?
  • What should be done to protect users from hackers and cyber criminals?

A mobile security assessment is the answer. Assessments are often triggered by the developer’s need to meet compliance requirements. However, you should subject your application to a mobile security assessment in order to identify and remove all security risks.

Mobile Security Assessment – What Should You Focus On?

Following are three highly important points for mobile application security that you must look into when running the assessment.

1. The Code

Mobile malware works by exploiting bugs or vulnerabilities that already exist in the code. Since mobile app developers cannot control deployment to specific devices, steps must be taken during app development.

Security testing and assessment should be carried out regularly at all stages of software development. Ensure everyone in your team (involved in web application development) is given basic security and penetration testing training.

2. The Data

There has been increased use of BYOD for work purposes in recent years. This has increased the chances of non-deliberate exposure of company data by employees themselves!

Common sources of data leakage that are exploited by cyber criminals are:

  • Data logging
  • Cookies
  • Caching through HTTP
  • HTML5 local storage
  • Buffering through copy/paste data

Data encryption is the obvious solution to secure important information.

3. The Device

A mobile application is only as secure as the smartphone it is stored on. What this means is that a mobile device poses an increased risk when it comes to malware.

The obvious solution to this security problem is to make the mobile application stored on the device secure and risk-aware. This can be done by implementing risk-based authentication in mobile applications, which would prevent access from certain devices. In addition, transactions conducted by the user can be silently flagged (for review and follow-up on any suspicious activity) before the command is executed.
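To make the two mechanisms above concrete, here is an added example (not code from the original post or from Lean Security) of a risk-based access decision and silent transaction flagging. The device signals, weights, thresholds and the home country `AU` are all constructed assumptions for illustration; a real deployment would tune them from its own fraud and incident data.

```python
from dataclasses import dataclass
from typing import List

# Constructed policy for illustration: weights and thresholds are assumptions, not a standard.
HOME_COUNTRY = "AU"
DENY_AT = 50        # risk score at or above which access is refused outright
STEP_UP_AT = 20     # score at or above which a second factor is demanded
LARGE_AMOUNT = 1000.0


@dataclass
class DeviceContext:
    device_id: str
    known_device: bool          # device previously enrolled by this user
    rooted_or_jailbroken: bool  # platform integrity check failed
    os_patch_age_days: int      # days since the OS security patch level was current
    country: str                # country derived from network or GPS


@dataclass
class Transaction:
    amount: float
    payee_known: bool           # payee has been paid from this account before


def device_risk(ctx: DeviceContext) -> int:
    """Sum weighted risk signals into a single score (higher is riskier)."""
    score = 0
    if ctx.rooted_or_jailbroken:
        score += 50             # integrity failure alone is enough to deny
    if not ctx.known_device:
        score += 20
    if ctx.os_patch_age_days > 90:
        score += 15
    if ctx.country != HOME_COUNTRY:
        score += 15
    return score


def access_decision(ctx: DeviceContext) -> str:
    """Map the device risk score to one of: allow, step-up, deny."""
    score = device_risk(ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def transaction_flags(ctx: DeviceContext, tx: Transaction) -> List[str]:
    """Reasons to silently flag a transaction for review; an empty list means no flags.
    The transaction still proceeds; flagging only queues it for follow-up."""
    flags = []
    if tx.amount >= LARGE_AMOUNT and not tx.payee_known:
        flags.append("large payment to a new payee")
    if tx.amount >= LARGE_AMOUNT and not ctx.known_device:
        flags.append("large payment from an unrecognised device")
    if ctx.country != HOME_COUNTRY:
        flags.append("transaction initiated outside the home country")
    return flags


if __name__ == "__main__":
    # Constructed sample contexts.
    trusted = DeviceContext("dev-1", True, False, 10, "AU")
    unknown = DeviceContext("dev-2", False, False, 10, "AU")
    rooted = DeviceContext("dev-3", True, True, 10, "AU")
    print(access_decision(trusted), access_decision(unknown), access_decision(rooted))
    print(transaction_flags(unknown, Transaction(2500.0, False)))
```

The decision is deliberately additive: a single strong signal (a failed integrity check) is enough to deny, while several weak signals together only raise the bar to a second factor, so legitimate users on a new phone are challenged rather than locked out.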

Mobile Security Assessment – What Is The Bottom Line?

All focus levels, i.e. the code, the data, and the device, must be covered for your mobile applications to be considered secure. Regular and dynamic risk assessment is an important part of the process. What is it? Learn more about dynamic risk assessment and penetration testing from Lean Security. You can even opt for our free website health security check!

Penetration Testing: Should You Go For Automatic Or Manual Penetration Testing?

Australia has seen some of the worst examples of cybercrime hitting web and mobile applications; not just the average user in the country, but big businesses (and even government agencies)! August 9, 2016 was one such event, when a series of malicious attacks targeted the Australian Bureau of Statistics. The deliberate attempt was carried out to sabotage the national survey.

With cyber attacks becoming the norm more than ever, it’s important to review the cyber health of your web and mobile application.

How can this be done? Regular penetration testing will help identify vulnerabilities within the system that can be exploited by cyber criminals and hackers.

Penetration Testing – What Is It?

This kind of testing digs deep into your system, finds vulnerabilities and tries to exploit them. The intent of penetration testing isn’t to hack into a system, but to determine whether it can be done and, more importantly, how. The testing is often stopped once the objective is achieved.

Lean Security offers two types of penetration testing—automated and manual. Which one is better? Let’s find out.

What Is Automated Testing?

Automated penetration testing provides broad coverage during the security assessment of a computer system. This significantly reduces the time and effort otherwise required to find and report issues.

What Happens During Testing?

In addition to highly able and qualified penetration testers, Lean Security also offers a plethora of automated security testing tools. They help find vulnerabilities (in the shortest time possible and across a variety of target systems) in an internal network when performing an onsite security assessment.

How Does Manual Testing Differ?

Sadly, not all software can be assessed for vulnerabilities with the help of a simple scanning tool. Automated penetration tests are great when it comes to testing for common, well-known vulnerabilities. However, they lack one important capability: they cannot scan for domain-specific vulnerabilities! This is where manual penetration testing comes into the picture.

This type of penetration testing is led by the experience and intelligence of the penetration tester. Skilled testers will find the exact same vulnerabilities across disparate systems that automated testing shows.

However, manual penetration testing is also able to pick up vulnerabilities that aren’t identified by automated web application scanning. This uncanny ability to identify false positives is what makes manual pen testing an invaluable service.

Automatic vs. Manual Pen Testing – Which Do You Need?

Realistically speaking, you will need a little bit of both in order to keep your web application security sound and healthy.

In fact, businesses cannot afford to employ just one type of penetration service! The solution that makes the most sense is to use automated web security scanning for major vulnerability testing, then complete the penetration test by running a manual check (for logical vulnerabilities). This will ensure:

  • Increased accuracy of security audits
  • Detection of more vulnerabilities
  • Decreased costs
  • Time saved

Penetration testing for your web application is important. Identify and safeguard your web application against malicious activity by signing up for one of the best advanced web application security penetration testing services by Lean Security.

Steps To Web Application Vulnerability Assessment

More and more businesses are moving their operations online due to the many advantages of doing business online. Just as sharks are attracted to the smell of blood, so too are hackers and cyber criminals, who have significantly increased their attacks.

The digital world has now become a hacker’s paradise.

Businesses usually hire chief information security officers and penetration testing companies to combat this threat. However, there’s a lot more to information and web application security.

Web Application Vulnerability Assessment – A New Type of Security

Offered by Lean Security, web application penetration testing and vulnerability assessment is a testing tool that provides businesses with:

Vulnerabilities Identification

With the help of this tool, you can identify vulnerabilities within your web application and computer system’s framework. Additionally, the tool will help uncover the potential (negative) impact at the application, infrastructure and operational levels.

Security Posture

The tool will also let you know how your website’s security posture is presented to potential attackers. Knowing just how hackers view the security of your web application will give you an idea of what steps should be taken to ensure high security.

Following are some steps that you can take in order to review and fix your web application’s security.

Assess Your Company’s Web Application Security

The majority of cyber attacks take place because of basic security vulnerabilities that often go unnoticed. Take care of this when assessing your web application for vulnerabilities. What should you look out for?

  • Poor patch management procedures
  • Web-based personal email services
  • Weak passwords
  • A lack of end-user education
  • Sound security policies

Remember: unknown vulnerabilities can wreak havoc to even the most secure network!

Pinpoint Applications and Data Important To Business Processes

Identify and rank each business process according to its importance and sensitivity. Once this step is completed, identify the data and web applications on which the above processes depend.

This step is made easier with the collaborative help of your IT department and other business stakeholders. In time, you will find there are far more critical processes than previously identified.

Find Hidden Data Sources

Take mobile devices (smartphones and tablets) and desktop PCs into account as well when searching out data sources and applications. Why? These devices collectively contain the most recent and sensitive data processed by your organisation.

Try to understand how data flows between these devices and the data centre applications (as well as storage). Find out how your employees are sending important business emails that might contain sensitive information.

Determine What Hardware Runs Applications and Data

You will uncover all layers of your system’s infrastructure as you continue to follow the steps above. This identification of servers (both virtual and physical) is important. There will be three or more tiers to look out for when it comes to web/database-based applications: web, application, and database.

Interlink the Network Infrastructure with Connecting Hardware

In this step, web application developers must know all there is to know about the routers and other network devices that enable your applications and hardware to operate quickly and perform securely.

Identify Controls That Are Already In Place

Let’s take a look at the security and continuity measures you already have in place. These measures will include application firewalls, IDP systems, virtual private networks, policies and firewalls, data loss prevention systems and encryption.

You will have to understand the important qualities and capabilities that each protection provides against the vulnerabilities addressed.

You should run vulnerability scans only after every step has been addressed. Small businesses (with a less structured IT department) can have trouble with this procedure.

Having trouble securing your web operations? There are very few web application vulnerability scanners on the market that can help identify all false positives within an application. Save yourself the hassle and contact Lean Security for that job.


Three Main Considerations For Cloud Network Testing

Cloud computing is everywhere these days. Based on the hype around this computing model, it would make sense to assume you should move to the cloud as well, no? Not before you understand the pros and cons of cloud computing first!

There are many benefits of cloud computing for businesses. Moving servers and storage to the cloud provides simplified management and administration, ever-present access, and even enables more efficient business operations while cutting costs!

Yes, it certainly sounds ideal. However, moving to the cloud has one pitfall that should be considered fully when moving servers or storage.

Why Should You Think Before You Leap with Cloud Computing?

Storing data on the internet (which is what cloud computing does) increases the risk of exposure. Cloud computing also requires businesses to trust third-party managed service vendors to provide security and privacy of data in the cloud. Yes, you can hire a dedicated penetration testing service provider to carry out all vulnerability assessment and testing as well.

If you think switching to the cloud is one step forward to the success of your business and increased productivity, take care of these considerations:

1. Performance

You might not have any control over the applications running in the cloud, or over the hardware they in turn run on. Ensuring performance and the required scalability is therefore extremely important!

This can be done by first testing, in a cloud environment, the performance of the applications that you will be using in production. Running load tests on applications that share the same resources (under your control) is another way to see whether applications affect each other.

Doing the above can prove costly, so identify the breakpoint under load and monitor how close you are to it. This will help make up the budget for your infrastructure needs.

2. Security

You will have to address access control issues and data privacy when allocating resources and infrastructure to your cloud network. Ask these questions:

  • Is sensitive data being encrypted at the time of storage?
  • Are access control mechanisms in place for all possible situations (at all levels)?

The same questions need to be considered when moving your applications to a private cloud network.

3. Third-Party Dependencies

Cloud applications provide most of their functionality by consuming external APIs and services. Proper cloud network testing and monitoring should be conducted before any kind of implementation.

Want to know why your cloud network and applications aren’t working as they should? Contact Lean Security for cloud infrastructure and web application penetration testing today.

Eliminate The Blind Spot On Your Web Application

There is no need to develop a web or mobile application if it’s going to be offline most of the time. In addition to inconveniencing your customers, such a web application won’t generate anything of value for your business!

Yes, you can select a web application support vendor who will oversee your business’s security objectives, but what should you look for in such a professional?

Features, brand, and price are some common selection criteria. However, you must also explore several specific capabilities that will bring positive impact on the end-solution.

Following are 5 critical factors that should be kept in mind when choosing a managed service provider for your web application.

False Positive Removal

Most managed services use automated vulnerability scanners to test applications for vulnerabilities. While automated scanners do work, it’s the same as casting a large net into the ocean. These automated scanners help identify relevant, ‘real’ vulnerabilities; however, some false positives will show up as well.

It’s up to your IT and security department to sift through all the reported vulnerabilities and find the real ones! The chosen managed service vendor should therefore be equipped to remove false positives as well.

Continuous Assessment

New zero-day vulnerabilities pop up every week. If not tested for regularly, such vulnerabilities can take root in your web applications and possibly wreak havoc. Continuous assessment and testing is therefore absolutely necessary, especially if you are thinking of integrating security into the software development lifecycle.

Remediation Guidance

What feature separates an excellent application security testing provider from the rest? It’s the remediation guidance.

A good remediation guidance feature will let you know the best ways to clean up your application to ensure a seamless operation. Choose your vendor based on how much remediation guidance they provide and their responsiveness towards your queries.

Risk Management Capabilities

You won’t have all the resources at your disposal to fix every vulnerability that crops up, especially if you operate a small-scale organisation. This is one reason why choosing a professional managed service provider based on their risk monitoring and management capability is a good idea. You’ll also be able to address critical vulnerabilities in a timely fashion, before they can do much damage.

Vulnerability Risk Ratings

Vulnerability risk ratings play an important role, especially in the prioritisation and remediation process. It doesn’t matter how your organisation manages risks, as your chosen vendor will be keeping a close eye on how vulnerabilities evolve in the first place. The ratings will:

  • Accurately reflect potential impact
  • Reflect the associated damage risk
  • Reflect the likelihood of exploitation
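The following is an added example (not code from the original post or from Lean Security) of how those three facets can be turned into a rating that drives remediation order. The 1 to 5 scales, the formula and the band thresholds are constructed assumptions; the sample findings are made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    title: str
    impact: int       # 1..5 potential impact on confidentiality, integrity, availability
    damage: int       # 1..5 associated damage (financial, reputational, regulatory)
    likelihood: int   # 1..5 likelihood of exploitation


def risk_score(f: Finding) -> float:
    """Constructed formula: likelihood times the mean of impact and damage (range 1..25)."""
    for value in (f.impact, f.damage, f.likelihood):
        if not 1 <= value <= 5:
            raise ValueError("ratings must be integers from 1 to 5")
    return f.likelihood * (f.impact + f.damage) / 2


def risk_band(score: float) -> str:
    """Band thresholds are assumptions for the example."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def prioritise(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (title, score, band) tuples, highest score first, i.e. the remediation order."""
    rated = [(f.title, risk_score(f), risk_band(risk_score(f))) for f in findings]
    return sorted(rated, key=lambda r: r[1], reverse=True)


# Constructed sample findings, deliberately given in no particular order.
SAMPLE_FINDINGS = [
    Finding("Verbose server banner", 1, 1, 4),
    Finding("Missing rate limiting on password reset", 3, 3, 3),
    Finding("SQL injection in login form", 5, 5, 5),
    Finding("Stored XSS in admin comments", 4, 4, 3),
]

if __name__ == "__main__":
    for title, score, band in prioritise(SAMPLE_FINDINGS):
        print(f"{band:8} {score:5.1f}  {title}")
```

Keeping impact and damage as separate inputs lets a finding with modest technical impact but high regulatory damage (for example, exposure of payment card numbers) rank above a technically severe issue on a throw-away system.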

Why are you wasting time and money if your current managed security service vendor doesn’t offer all of the above? Take a look at how Lean Security can help!

Avoid A Costly Security Breach With These Essential Tips

Human error is the single reason why 52% of security breaches occur worldwide.

This is why Lean Security is the biggest advocate of employee training when it comes to web applications and implementation of proper security protocols.

We’ve established the importance of educating employees on security breaches.

Here, we discuss how costly security breaches can be avoided altogether!

Emphasize the Importance of Security to Employees

Employees, both new and old, should realize the risks associated with poor security practices, i.e. what will happen if they are applied in the website’s framework. Cyber criminals head straight for identity or financial theft, which holds dire consequences for everyone involved.

Always Protect Sensitive Information

Cyber criminals and hackers are constantly on the lookout for confidential user data, in the form of email addresses, payment card numbers, and social security numbers.

They can easily gain access to this financial information without much effort on their part. Why? The data and information is right there for the taking!

Most of the time it’s the user who shares such information via email. To make sure this doesn’t happen, install a secure file transfer system which encrypts data and information before sending.

Enforce Strong Passwords on All Web Applications

This is the obvious way to keep information from getting into the wrong hands. Web applications and platforms ask users to use strong passwords when signing up for a site or service. Yet we really don’t pay attention, and create passwords that are easy and simple to crack.

Characteristics of a strong password are:

  • At least 8 characters long
  • Contains numbers, symbols, and capital letters
  • Not created with the help of a dictionary word
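As an added example (not code from the original post or from Lean Security), here is a server-side check that enforces the three characteristics above. The dictionary check goes a little beyond the text: it undoes common letter-for-symbol substitutions first, so a password such as `P@ssw0rd1!` is still rejected even though it technically contains a digit, a capital and a symbol. The word list `COMMON_WORDS` and the substitution table are constructed stand-ins for a real wordlist.

```python
import re
from typing import List

# Constructed mini-dictionary standing in for a real wordlist (assumption for the example).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey", "dragon"}

# Substitutions that password-cracking wordlists already account for, so they add no strength.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "0": "o", "$": "s", "5": "s", "7": "t"})


def contains_dictionary_word(pw: str, wordlist=COMMON_WORDS) -> bool:
    """True if, after undoing leet substitutions and dropping non-letters,
    the password contains any dictionary word of four or more letters."""
    normalised = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return any(len(word) >= 4 and word in normalised for word in wordlist)


def password_issues(pw: str) -> List[str]:
    """Return the list of policy rules the password fails; empty means it passes."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if not re.search(r"[0-9]", pw):
        issues.append("no digit")
    if not re.search(r"[A-Z]", pw):
        issues.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no symbol")
    if contains_dictionary_word(pw):
        issues.append("contains a dictionary word")
    return issues


def is_strong(pw: str) -> bool:
    return not password_issues(pw)


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("abc", "P@ssw0rd1!", "Welcome2017!", "Tr4ffic-Lamp#92"):
        print(f"{candidate!r}: {password_issues(candidate) or 'OK'}")
```

Return the list of failed rules rather than a bare boolean so the sign-up form can tell the user exactly what to change; never log the candidate password itself when doing so.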

Help Identify Phishing and Other Scams

Do your employees understand that clicking on phishing emails can cause the system to become infected and exposed to vulnerabilities? Did you know the only way to make sure vulnerabilities and viruses don’t affect web applications and an internet system is by spotting them?

Cyber criminals make use of well-crafted emails to trick users. The emails contain links and attachments which, when clicked, can either collect data or introduce malware to the system.
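Spotting such links can be partly automated on the mail gateway or in a security-awareness tool. The following added example (not code from the original post or from Lean Security) extracts every link from an HTML email body and flags the patterns that most often give a deceptive link away: a raw IP address as the target, visible link text that names a different host than the real target, and targets outside the organisation’s trusted domains. The sample email body and the trusted domain `example.com` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain; empty string if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _in_trusted(host: str, trusted: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html: str, trusted_domains: set) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for each link that shows a phishing indicator."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link target is a raw IP address")
        # Visible text that looks like a URL or domain must point where it claims to.
        looks_like_url = re.search(r"\w\.\w", text) and " " not in text
        if looks_like_url and _host(text) != host:
            reasons.append(f"visible text {text!r} does not match target host {host!r}")
        if host and not _in_trusted(host, trusted_domains):
            reasons.append(f"target host {host!r} is outside the trusted domains")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email body (203.0.113.7 is a documentation-range address).
SAMPLE_HTML = """
<p>Your account will be suspended. <a href="http://203.0.113.7/login">Verify now</a>
or visit <a href="https://secure-update.example.net/acct">https://www.example.com/account</a>.
Contact <a href="https://support.example.com/help">support</a> with questions.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML, {"example.com"}):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Only the link to `support.example.com` passes: it sits under a trusted domain and its visible text makes no claim about where it leads. The other two are flagged with the specific reason, which is the wording a user-facing warning or a SOC alert should carry.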

Update All Systems to the Newest System Software

Hackers scan thousands of websites every hour in search of vulnerabilities. Upon discovery of security holes and bugs, hackers are quick to attack that software. This is why users must make sure their plugins, themes and platform installations are updated and only the latest versions are installed.

Professional help can also be found in the form of Lean Security’s advanced web security testing and assessment services. Get in touch with us today to learn more about the service that’s going to help make your web application more secure.