Labs Articles
-
An introduction to password security: How to crack a password
Online Password Cracking An online attack is performed in real-time, against live services or applications to compromise active user accounts. Such attacks typically occur when a malicious actor lacks direct access to the target system or application and aims to gain an initial foothold. The first step in conducting online password attacks involves establishing as…
-
Application Security 101 – HTTP Headers Information Disclosure
Server Header Information Disclosure The most common HTTP header that is enabled by default in most web servers is the ‘Server’ header, which can lead to information disclosure about the web server hosting an application and in some cases, the Operating System (OS). A quick example of the Server response header can be seen below,…
-
SPF, DKIM, DMARC and BIMI for Email Security
Sender Policy Framework Sender Policy Framework (SPF) is a DNS TXT record that is added to a domain that tells email recipients which IP addresses or mail servers are authorised to send emails for the domain. Defined in RFC7208, it is designed to prevent mail spoofing as mail servers check that incoming mail really did…
-
Terraform security best practices (2022)
The following sections discuss our most important Terraform security best practices: The importance of Terraform State Terraform must keep track of the resources created. When Terraform environments are created and deployed, Terraform tracks the resources that it created, and stores this mapping in a Terraform State File. When deploying changes to the configuration, Terraform consults…
-
Preventing exploitation of the Follina vulnerability in MSDT
The Follina Exploit A zero-click Remote Code Execution (RCE) vulnerability has started making the rounds that leverages functionality within applications such as Microsoft Word. This vulnerability exists when the application calls MSDT using the URL protocol, and it allows remote attackers to execute PowerShell code on the victim’s device under the context of the application…
-
Application Security 101 – HTTP headers
Strict-Transport-Security The HTTP Strict Transport Security (HSTS) header forces browsers and other agents to interact with web servers over the encrypted HTTPS protocol, which protects users from Man-in-the-Middle (MitM) attacks by preventing protocol downgrade attacks. This header is specified in RFC 6797. You should ensure that your site is accessible over HTTPS before this header…
-
New Exchange RCE vulnerability actively exploited
Exchange admins now have another exploit to deal with, despite still reeling from a number of high-profile attacks this year, including ProxyLogon and ProxyShell. A new high-severity Remote Code Execution (RCE) exploit for on-premises Exchange Servers has been published and is being actively exploited in the wild.
-
How effective is secure code review for discovering vulnerabilities?
We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early in the Software Development Life Cycle (SDLC). In our blog post exploring the impact of adopting application security, we described a common scenario involving the assessment of an application that was ready for release. Through the assessment, critical vulnerabilities such as SQL injection were identified close to the go-live deadline. This time, we’re covering how a secure code review early in the SDLC can identify this vulnerability. This would give developers time to make changes without delaying the project, and help them understand the importance of security best practices when writing secure applications. In this similar scenario, the company contacted us during the early stages of development - the adoption of “Shift-Left”.
-
Application Security (AppSec)
There is a movement in the IT security world that is gaining traction, and it is based around implementing security within applications from the beginning. You may have heard buzzwords like “AppSec”, “DevSecOps” and “Shift Left”, but what do they actually mean? What does it take to “Shift Left” when developing a secure application? You can read about dealing with dependencies in our blog post.