Cyberis Blog
Reassuringly clear thinking.
- Penetration testing
Application testing and the OWASP Top 10
Quite often, a customer will ask us to "test our application against the OWASP Top 10". I'm going to start by saying that the OWASP Top 10 is a wonderful tool which has helped improve web application security globally since it first launched. But although it’s a common request to test applications against it, I think it's helpful to explain why it might not give you the security outcomes you want from a web application penetration test.
- Penetration testing
Accounting for key business security concerns in penetration testing
When it comes to penetration testing, if you have a good idea what you are really worried about as a business, you can get better results. The more we know about you, your business and your security concerns when we conduct your pentest, the more focussed and accurate our risk ratings can be, and the more tailored to your environment our advice can be.
- Penetration testing
- Red teaming
Using penetration testing to achieve different assurance outcomes
Penetration testing can be used in many different ways to meet different goals, and there are several different types of penetration test. We're always trying to understand our customers' goals so that we can make sure we're applying the right methodology to your penetration test to achieve the outcomes you want.
- Penetration testing
Common TLS/SSL Issues And What They Mean
Whilst it may be tempting to support older protocol versions, such as TLS 1.0 or even SSLv3, to maximise compatibility with legacy systems, this does not come without serious security compromises. Older protocol implementations can have inherent weaknesses that undermine the security they offer. They can lack support for the modern encryption algorithms used in more secure cipher suites, and they may be missing features that were introduced in later versions specifically to mitigate the shortcomings of the older protocol.
- Penetration testing
Building long term partnerships with our customers to deliver the best outcomes from penetration testing programmes
We are a security partner of choice for many of our customers, and we love building long term relationships with our clients. We appreciate that every business has its unique operational challenges, its own priorities and its own threat environment. When we work closely with a client over the long term, we get to know what makes them tick and understand the nuances of their environment. This is a story of how, working with a customer over the long term, we're able to bring extra benefits to the table.
- Penetration testing
- Tools and techniques
Online Password Auditing Of A Domain Controller
Password auditing of a domain traditionally involves obtaining a copy of the ntds.dit and performing some offline analysis, which can be time-consuming. The DSInternals PowerShell Module has an Active Directory password auditing cmdlet which performs checks for default, duplicate, empty and weak passwords. The audit can be performed against a domain online via DCSync, saving the need to obtain a copy of the ntds.dit. This can be of benefit if regular password audits are being performed.
- Penetration testing
The Dangers Of Vulnerability Scoring Dependency
Vulnerability scanning has an important role in most enterprise threat & vulnerability management programmes – it provides multiple benefits to internal security teams as they identify vulnerabilities and it can also help verify control performance. Associated vulnerability scoring systems, such as the Common Vulnerability Scoring System (CVSS), have also gained widespread industry adoption, as they are simple to understand and usually produce repeatable results.
- Penetration testing
Changing Approaches To Penetration Testing
As a security consultancy, Cyberis undertakes penetration testing for organisations of all sizes, and in many verticals. This testing is often a function of regulatory or compliance requirements, and for some customers' operational teams it is viewed as a necessary evil. Given time and resource pressures, and the prioritisation of business functions for internal ops teams, devops teams and other support staff, it can prove difficult for security teams to encourage engagement, and traction, for fixing identified vulnerabilities in existing systems and to drive progress in internal security programmes. This leads inevitably to stagnation and increased risk over time due to system obsolescence and poor standards.