Integrating Web Vulnerability Scanners in Continuous Integration: DAST for CI/CD

In this day and age, having a functioning and secure Software Development Life Cycle (SDLC) process in place is becoming a key component of a successful organization. One methodology that is becoming increasingly popular is DevOps, mainly because it is designed to produce software quickly and robustly. In this article, we will focus on how we can incorporate security into CI/CD and turn DevOps into DevSecOps easily, with automation in mind.

It’s quite a long article, so in case you are already familiar with some of the terms, feel free to skip to whatever part pleases your curiosity :)

By | 2024-09-30T09:39:14+00:00 | September 5, 2019 | Article, Artikel, Engels, Nederlands, Technology

Scaling Application Security: The issues that Appsec teams face

This post concerns application security teams, so it’s written assuming you are part of one. However, I believe it could help you understand application security a bit more even if you are not.

If you are part of an application security team, you probably struggle with the amount of work on your shoulders every day. Let’s say you have a small team of 5 people to test all web applications produced by a group of 200 developers, and you still need to provide guidance on how to fix some vulnerabilities. You try to offload some work by handing developers security testing tools, but the learning curve is steep, causing frustration. Basically, you have a scaling issue!

By | 2024-02-17T11:12:31+00:00 | August 22, 2019 | Article, Artikel, Engels, Nederlands

How to manage vulnerabilities in Jira?

Jira is one of the most widely adopted issue and project tracking tools out there; Atlassian’s Jira has been named the #1 software development tool for agile teams. Probely now allows you to synchronize your security issues into your Jira issue tracker. So, how do you manage vulnerabilities in Jira using Probely?

By | 2024-08-26T15:09:16+00:00 | August 5, 2019 | Article, Artikel, Engels, Nederlands

Abusing Exchange: One API call away from Domain Admin

In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange. This attack is possible by default and, while no patches are available at the time of writing, there are mitigations that can be applied to prevent this privilege escalation. This blog details the attack, some of the more technical details and mitigations, and releases a proof-of-concept tool for this attack which I’ve dubbed “PrivExchange”.

By | 2024-08-26T15:01:42+00:00 | February 7, 2019 | Article, Artikel, Engels, Nederlands

Crypto currency or ads.. Do we get to choose the lesser evil?

For a few months now, we have been confronted with a new phenomenon: websites that mine cryptocurrency using JavaScript, and thus the processor of the person visiting the website.

As usual, the vendors of security products quickly jump on this bandwagon to sell their goods.

Since it is my job to keep our organisation informed of emerging security threats, I’ve also been trying to determine how much we should worry about this new trend.

To be honest, I’m not really sure…

By | 2024-02-17T12:29:15+00:00 | September 6, 2018 | Article, Artikel, Engels, Nederlands

Don’t Let Crypto Ruin Your Day

A few years ago, a customer handed us a report from a Big 4 consulting firm describing how, after close to 100 person-hours of review, a team of ‘highly-qualified senior security engineers’ had failed to find any flaw in their encrypted communications product. Half a day later, I had worked out how to break the product’s encryption, and demonstrated a working exploit. The customer was confused—why hadn’t the well-dressed consultants caught the vulnerability?

By | 2024-02-17T06:32:36+00:00 | May 24, 2017 | Article, Artikel, Engels, Nederlands

Plans for Software Liability: legally exploiting vulnerabilities

On July 6, 2016, the Dutch CPB (Bureau for Economic Policy Analysis) published a report. It describes the economic situation of various aspects of cybercrime, and its findings resemble what is written in the 2008 book Geekonomics by David Rice. Rice’s book is not mentioned as a reference, but it is interesting to see that some of the same conclusions end up in government publications after 8 years.

By | 2024-09-30T08:32:37+00:00 | November 22, 2016 | Article, Artikel, Engels, Nederlands

Seeing the forest for the trees in security

Every company does something about security, and more and more companies have penetration tests carried out. But why, really? And what do you have tested, and what do you leave out?

By | 2024-02-17T06:32:34+00:00 | February 11, 2016 | Artikel, Nederlands

Security belongs in the boardroom

Despite the attention that cybercrime receives, it still turns out that the biggest problem lies in users’ awareness of the dangers of cybercrime. To get the subject onto the agenda of the organisation’s leadership, it deserves a permanent place on the board’s agenda. Especially in the context of the new ‘data breach’ legislation, there are quick wins to be had in the short term.

By | 2024-02-17T06:32:32+00:00 | April 13, 2015 | Artikel, Nederlands

Data risks: Hackers understand them better

One of the biggest obstacles for organisations is understanding where their critical data is really stored and how it is currently secured. Besides production environments, backups, data warehouses and test environments contain equally important confidential or sensitive data. These environments may be less well secured than the production environments. Data risks are increasingly a risk for companies and an opportunity for hackers.

By | 2024-02-17T06:32:32+00:00 | November 18, 2014 | Artikel, Nederlands