Home / Companies / Detectify / Blog / April 2019

April 2019 Summaries

4 posts from Detectify

Filter
Month: Year:
Post Summaries Back to Blog
The Payment Card Industry Data Security Standard (PCI DSS) outlines comprehensive guidelines for companies that handle cardholder data, emphasizing the importance of maintaining secure systems and applications. Requirement 6, a crucial part of PCI DSS, focuses on software development and vulnerability management, encouraging organizations to establish processes for identifying and addressing security vulnerabilities through automated tools like Detectify. Detectify offers automated web application scanning services that help identify vulnerabilities, assign risk rankings, and provide remediation strategies, while also integrating security measures into the software development life cycle (SDLC) through DevSecOps practices. These automated security solutions are updated bi-weekly and supported by crowdsourced research from white-hat hackers, ensuring organizations stay ahead of evolving cybersecurity threats. While Detectify is not a PCI Approved Scanning Vendor, its tools complement PCI compliance efforts by providing valuable security insights, educational resources, and fostering a culture of continuous security within organizations.
Apr 18, 2019 1,586 words in the original blog post.
Detectify releases major security updates every two weeks, incorporating new findings and enhancements from its security researchers and the Crowdsource ethical hacker community, although confidentiality agreements prevent disclosure of all updates. Recently added to the Detectify scanner are tests for several vulnerabilities reported by Crowdsource researchers, including an Apache Tomcat remote code execution (RCE) vulnerability when "enableCmdLineArguments" is enabled on Windows, and a server-side template injection vulnerability in the Confluence Widget Connector allowing path traversal and RCE. Additionally, a backdoor was identified in the bootstrap-sass gem version 3.2.0.3, which allows crafted cookies to be executed as code. Detectify has also improved its tool's ability to handle embedded metadata in Office files, which can reveal unintended information about the document's authors or creation systems.
Apr 18, 2019 297 words in the original blog post.
Detectify regularly updates its security tool every two weeks with contributions from its security researchers and the Crowdsource ethical hacker community, although confidentiality agreements limit the disclosure of all updates. Recent improvements include added tests for vulnerabilities such as the Magento unauthenticated SQL injection, which now allows for more accurate testing and reporting by minimizing false positives. Also addressed is the WordPress wp-google-maps SQL injection, which saw a rapid response from the plugin vendor to patch the issue. Another highlighted vulnerability is the Google Maps unrestricted API key exposure, which can result in unauthorized usage and financial costs if not correctly configured. Additionally, Git Daemon exposure remains a concern, as it can lead to unauthorized access and downloading of source code from exposed configuration files.
Apr 04, 2019 334 words in the original blog post.
Automation in software development, particularly in quality assurance (QA) and security testing, offers significant benefits such as faster production, consistent quality, and the ability for developers to focus on creative tasks, which are essential as product complexity and market competition increase. The integration of automated security checks into continuous integration and continuous development (CI/CD) processes is crucial for keeping up with the speed of automated hacker attacks, with tools like SAST and DAST providing instant feedback on code vulnerabilities throughout the development cycle. The adoption of DevOps and Agile methodologies has expedited market delivery but sometimes prioritizes speed over security; however, automation ensures that security and QA are consistently embedded into workflows, reducing bugs and vulnerabilities in live products. Despite 87% of developers lacking confidence in their code, automation tools like debricked and Detectify facilitate on-the-job learning and rapid remediation of vulnerabilities, thus enhancing developers' confidence and performance. As companies scale, security automation becomes an integral part of the development pipeline, enabling secure, efficient, and high-quality product releases.
Apr 03, 2019 879 words in the original blog post.