Home / Companies / Detectify / Blog / May 2019

May 2019 Summaries

4 posts from Detectify

Filter
Month: Year:
Post Summaries Back to Blog
As companies strive to release new digital features and products swiftly, the integration of security within the DevOps framework is often neglected, particularly during the build and testing phases of the Continuous Integration and Continuous Delivery (CI/CD) pipeline. While automated security testing is commonly applied in production, this text argues for its necessity throughout the entire development process. Tools like Detectify's web app scanner can help identify and address vulnerabilities early, preventing sensitive information from being exposed. The convergence of development and operations roles has led to a DevSecOps approach that automates security testing, thus alleviating the burden on developers who are pressured to deliver quickly. Ethical hacking and bug bounty programs are highlighted as valuable resources in identifying vulnerabilities, and automated security solutions that leverage this expertise are recommended to ensure continuous monitoring and security. The text promotes the idea of shifting security "left" in the development process, advocating for security to be seen as a proactive business enabler rather than a hindrance, ultimately allowing developers to push code live with greater confidence.
May 28, 2019 1,013 words in the original blog post.
Detectify, a company specializing in web app security, leverages automation and crowd-sourced knowledge from ethical hackers to address vulnerabilities like open redirects, which occur when a web page improperly allows redirection to another URL. These vulnerabilities can be exploited in various ways beyond phishing, such as enabling attackers to bypass security measures like OAuth, SSRF, and XSS-auditor protections, or facilitating CSRF attacks by manipulating referrer headers. Open redirects are often dismissed as minor threats because their primary association is with phishing, but they can significantly amplify the impact of other vulnerabilities when combined. Detectify offers services to identify and mitigate these risks, including a free trial to test web applications against numerous known vulnerabilities, such as those listed in the OWASP Top 10.
May 16, 2019 1,150 words in the original blog post.
Inti De Ceukelaire, a prominent figure in the bug bounty community, shares his unconventional journey into hacking and bug bounty hunting, which began with a fascination for video game cheats and evolved into discovering significant vulnerabilities. Starting in 2011, Inti's approach focuses on finding unique, logical flaws rather than common technical vulnerabilities, allowing him to carve a niche in the field. He emphasizes the importance of understanding application context and business logic, which often eludes automated scanners, and highlights the significant opportunities present in the European market for bug bounty hunters. Inti's work extends beyond bug hunting as he now manages the Intigriti platform, aiming to balance fairness and transparency between researchers and companies. He discusses the challenges of aligning bug bounty programs with corporate expectations and the nuances of operating within the European context. Inti's philosophy encourages new talent to pursue creative and original approaches to bug hunting, advocating for a mindset that seeks out logical flaws overlooked by others, rather than following conventional methodologies that lead to duplicated efforts.
May 03, 2019 3,554 words in the original blog post.
Detectify regularly updates its security tool every two weeks with new findings, features, and improvements from its security researchers and the Crowdsource ethical hacker community, although specific updates cannot always be publicized due to confidentiality agreements. Recently, the tool has been enhanced with tests for vulnerabilities reported by ethical hackers, including CVE-2019-3799, which involves a directory traversal vulnerability in Spring Cloud Config that allows attackers to read local files, and CVE-2018-19439, an XSS vulnerability in Oracle Secure Global Desktop due to improper escaping of GET-parameters. Additionally, CVE-2011-4367, another directory traversal issue in Apache MyFaces, has been addressed, along with an open redirect vulnerability in the Oracle Discoverer Viewer BI, where a GET-parameter value is used to create redirects. These updates have been integrated into the Detectify scanner to enhance its security coverage.
May 02, 2019 214 words in the original blog post.