Opinion: Do you leave your car keys in the ignition just because it’s easier than securing your vehicle? If not, why do you come up with similar excuses when making decisions about the security of your sensitive data and your business reputation? In the cybersecurity…
The effect of President Biden’s security order on web application vendors
Do you want to sell your web applications to US government agencies? We have bad news and good news. The bad news is: President Biden just made it more difficult for you. The good news is: Acunetix® can make it much easier. The SolarWinds breach…
Why most application security measures fail and what must be done about it
In business, you’re only as good as the things that you have control over. And the only things that you can have control over are the things that you proactively measure and manage. If application security is an important part of your overall security program…
How to avoid web supply chain attacks
In early 2021, attackers infiltrated SolarWinds software used by thousands of major businesses and organizations worldwide. This allowed malicious parties to access data owned by not just SolarWinds but everyone who used the SolarWinds solution. Such attacks are called supply chain attacks and yes, they…
Sensitive data exposure – how breaches happen
The term sensitive data exposure means letting unauthorized parties access stored or transmitted sensitive information such as credit card numbers or passwords. Most major security breaches worldwide result in some kind of sensitive data exposure. Exploiting an attack vector such as a web vulnerability is…
Ad-hoc scanning is not enough
A web vulnerability scanner is usually perceived as an ad-hoc tool. Initially, all vulnerability scanners were such tools and current open-source web application security solutions still follow that model. However, with a major increase in the complexity and availability of web technologies, the ad-hoc model…
Are you afraid of security testing in the SDLC?
Opinion: DevOps are simply afraid of trying something new. They are used to Selenium tests that hog the pipelines and provide hard-to-interpret results but at the same time they often shun DAST testing, which is nowhere near as troublesome. Recently, I had an interesting discussion…
Miscommunication is at the heart of AppSec challenges
Miscommunication breaks things in business. Whether it’s unintentional – based on assumptions or intentional – driven by political motivations, miscommunication is at the heart of most challenges in business today. In our line of work, there’s hardly any more obvious form of miscommunication than what…
Remote debuggers as an attack vector
Over the course of the past year, our team added many new checks to the Acunetix scanner. Several of these checks were related to the debug modes of web applications as well as components/panels used for debugging. These debug modes and components/panels often have misconfigurations,…