Vaadata’s Blog - Website and mobile app security

Solutions May 12, 2020

Penetration Testing: Approach, Methodology, Types of Tests and Rates

Cybersecurity Issues for Businesses in 2020

The current trend is to strengthen the security requirements for customers, partners and investors. Security audits have been democratised to small and medium-sized companies, for whom they represent a prerequisite to be able to collaborate on IT issues with large companies. In fact, large accounts almost systematically integrate requests for security audit reports into their purchasing processes. The introduction of the GDPR 2 years ago also enabled companies to become aware of data security issues in business sectors where risk awareness was previously low. Security certifications (ISO 27001, HDS, PCI-DSS, SOC2, etc.) are increasingly popular among small and medium-sized companies, as a way of differentiating themselves and making security a quality issue.

Solutions April 28, 2020

Doing a Pentest for Less Than €1,500

Conducting a security audit has a cost. When companies are asked about the budget they devoted it, we often hear “between €10k and €20k”, sometimes a little more, sometimes a little less. However, there isn’t really a standard price for this type of service: it all depends on what is done, how, and by whom. If the main objective is to be able to show that a pentest has been done less than 6 months ago, it is possible to make concessions to respect an extremely limited budget.

Solutions March 12, 2020

How to Know Your Attack Surface (And to Reduce it)

Abraham Lincoln (repeating a woodsman) would have answered the question: what would you do if you had just six hours to chop down a tree? I would spend the first four hours sharpening my axe.

What does it tell us? That preparation is key.
You cannot protect what you don’t know, therefore knowing your attack surface is the first essential step to protect it efficiently.

Solutions February 25, 2020

Should You Perform a Pentest On a Production Environment?

Once you have decided to go for a penetration test, you may wonder if it should target your production environment.

Depending on the risks, it can be appropriate to perform the security audit either on a production environment or a test environment. Below is a summary of the pros and cons for each alternative.

Solutions February 5, 2020

White paper: Security of IoT Wireless Technologies

25 pages to know the existing and exploitable vulnerabilities on these technologies, as well as the means to counter or reduce the risks.

Download

Solutions January 21, 2020

Logging & Monitoring: definitions and best practices

The OWASP Top 10 2017 introduces the risk of insufficient logging and monitoring. Indeed, inherent problems in this practice are often underestimated and misunderstood. But why is a seemingly simple task ending up being a crucial point of information system security?

Technical December 10, 2019

Certificate and Public Key Pinning

Introduction to Public Key Certificate

A digital certificate is a data file that allow, on the one hand, the non-repudiation and the integrity of data, and on the other hand, to identify and to authenticate a person or an organization and also to encode communications.

A digital certificate includes several information, as:

A public key
Authentication information
A validity time
An issuer that signs the certificate

This last point is crucial to verify the trustworthiness of a certificate. For this, when a certificate is received, a chain of trust is built to a certificate authority.

To explain the working of the chain of trust, let’s present some notions:

Technical November 20, 2019

How to optimise your use of Metasploit

The Metasploit framework is an open source tool, allowing searching, analysing and exploiting vulnerabilities. It has many modules and tools that can be very useful during intrusion tests, whether on Web applications or on a company’s information system.
Although often used relatively basically, for example to launch a simple exploitation module on a target, this framework has options and tools that make it a key ally for a pentest. We will therefore see here how to use the Metasploit framework in an optimized way.

Solutions November 5, 2019

Should you do a demonstration of your solution to pentesters before a penetration test?

Before starting a penetration test (pentest), should you present your product or solution to pentesters? It all depends on your situation and on your objectives!

Technical October 14, 2019

Exploiting the SSRF vulnerability (2/2)

In this previous article, we have seen what a SSRF vulnerability is, and how, in general, it can be exploited. We had placed ourselves in a quite simple theoretical framework, but various elements (either due to the vulnerability itself or due to security implementations) can make the task more complicated.

In this article, we will have a look at various methods to go further. On
the agenda:

Various methods for manually bypassing filters;
SSRFMap: a semi-automatic operating tool.

Technical September 3, 2019

Burp’s Functionalities and Extensions to Gain Efficiency

Now that we have introduced four main functionalities of Burp Suite in the previous article, we will go a bit further with some functionalities and extensions that can increase the quality of an audit and your efficacy.

Functionalities and extensions of Burp Suite

Functionalities and screenshots presented in this article are from the version Professional 2.1.01.

Technical August 8, 2019

Bluetooth Low Energy & Security of Connected Devices

Alternative to classic Bluetooth, Bluetooth Low Energy is chosen increasingly for the IoT. This technology, also known as the abbreviation BLE, is establishing itself for connected devices, as it is ideal to send small amounts of data between devices and to preserve the battery; which matches the IoT’s needs perfectly. Classic Bluetooth, on its side, is used to send large amounts of data between a device and a user (wireless headphones and speakers are using Bluetooth for example).

Solutions May 28, 2019

Internal Pentest: What You Need to Know About this Type of Security Audit

When we talk about cyberattacks, we often think of malicious activities coming from external attackers, while internal attacks are on the rise. In the Insider Threat Report 2019, it is reported that 59% of the companies surveyed had suffered such an attack in the past year.

Protecting yourself from the inside against these attacks is therefore just as important as defending yourself from the outside.