Before starting a pentest, should you present your product or solution to pentesters? It all depends on your situation and on your objectives!
If there is one myth about cybersecurity that we hear regularly and that absolutely needs to be busted, it is this one: “Why would anyone attack us? We’re too small, too young, no one knows us, we have nothing online… We’re not interesting to hack.”
Actually, yes, you are interesting.
Let’s take each point in turn.
– Why would anyone attack us? No one knows us.
Christmas is right around the corner and winter sales are arriving too. Online shopping is planned. Your banners, packaging and special offers are ready, but did you think of your website’s security?
We won’t remind you to update and install patches or to watch for suspicious operations (which you are already doing); instead, we concentrate on three elements that protect your clients’ data and reassure them about your security level.
1/ HTTPS certificate
Using HTTPS is indispensable for an e-commerce website. Users expect to see the well-known padlock on pages where they enter their information. Many people rely only on a URL starting with HTTPS and the padlock to judge the reliability of a website.
However, malicious hackers know this too, and they now create websites with an HTTPS certificate to deceive users. A study from PhishLabs estimates that in the 3rd quarter of 2018, 49% of phishing websites were using an HTTPS certificate.
(We detail here how to identify suspicious emails to avoid phishing attacks, which can be tricky even for experienced users.)
It is a question that we often hear. Sorry, we don’t have a formula ROI=… to reveal. The return on investment of penetration testing is complex to measure, but we are giving you 4 keys to demonstrate the financial benefits of pentesting. Security is not only useful to avoid potential problems; above all, it creates value by encouraging sales.
1/ Investing to avoid a loss or a higher future expense
Penetration tests are a preventive action. By simulating realistic attacks by malicious hackers, pentests make it possible to detect security flaws, technical as well as logical (this article explains more precisely what logic flaws are).
Digital technologies offer great possibilities for everyday life and for businesses: websites, emails, applications, connected devices…
But if business people are enjoying digital tools as an opportunity for their activities, can you imagine how much happier malicious hackers are?
Direct attacks, phishing, intercepting information, stealing data… So many possibilities from their point of view, as the growing use of digital technologies makes the attack surface grow too.
What can you do to protect your activity from malicious hackers’ attacks? Do you know about ethical hacking?
Digitalisation, Ecommerce & Security
Companies’ digitalisation: a buzzword or a real opportunity? According to the European Commission, 62% of the French population buys on the internet, whereas only 16% of French companies have an online sales activity (1). This figure clearly underlines the “digital” opportunity that French companies have. Whether it is a showcase website, an online sales platform, or local marketing, each option is an opportunity and represents a competitive advantage over companies that do not dare to digitalise their businesses.
Digital marketing agencies, freelancers specialised in e-commerce, CMSs: there are many different offers to facilitate the creation of a website. Competition on this market is fierce, and price often comes as the decisive factor for SMBs wishing to have their own sales platform. However, even if the delivered website meets the customer’s expectations in terms of functionality or design, it shouldn’t stop there, as the hacking risks for a website are high (even for “small” websites).
What about cybersecurity?
For companies that decide to work with external web professionals (either freelancers or agencies), it is necessary to understand what the preparation and construction of a website worthy of the name implies. This means setting up a budget to invest in the website’s construction. Its “size”, functionalities, design, maintenance fees (meaning the necessary updates to the website) and also cybersecurity will have an impact on the overall budget. Cybersecurity is too often ignored in order to offer cheaper prices, and yet it is a major issue.
It is crucial to understand that being a web developer, as good as one can be, does not necessarily mean being an expert in cybersecurity. These two distinct jobs require very different skills. It is fundamental to understand this distinction so that you are ready to question your developers on the topic. What security guarantees can they provide? Have they planned to run security audits? Who will be liable if the website gets hacked? This is where the issue lies: if there is no mention of security in the technical specifications or in the maintenance contract, then it is your responsibility if you get hacked.
Security is now part of procurement checklists within companies (especially large ones) when buying a software solution.
What security commitment can be given to them? How can a software security process be promoted?
Achieving a certification is a must to show the level of cybersecurity of a software company. There are plenty of standards: ISO 27001 (for information security management), PCI DSS (for payment data security)… Each one is more or less appropriate to a specific industry or a specific geographical area.
Starting a certification process is a heavy, long-term project. It is also worth noting that the impact on your products can be significant. If there is no compulsory security certification for running a business in your industry (unlike the payment industry), starting such a process depends on your company’s maturity: it is recommended for mature companies rather than startups.
Furthermore, partial compliance with a standard can be a viable alternative to full compliance. It is a compromise that still gives value to your security efforts, even if it does not result in certification. Security professionals (like Vaadata) can assist you in that kind of process.
Big Data has a huge impact on marketing, with powerful technologies for collecting, organising and processing huge amounts of data. It allows online advertising to become friendlier and more personal for digital consumers. But it also increases the responsibility of companies for the security of the data they collect on such a massive scale.
Marketing teams are usually in charge of processing this data, while IT departments are responsible for security-related topics. However, can marketers working on sensitive data unintentionally put their own companies at risk?
If you have a website, you have probably heard of HTTPS. It is a data exchange protocol on the Internet. Is this necessary for your website? Please read the following lines and make your own judgement.
How does HTTPS work?
HTTPS provides authentication of the website and associated web server that one is communicating with, which protects against man-in-the-middle attacks (a common type of cyber attack).
HTTPS also provides bidirectional encryption of communications between a client and server, which ensures that the contents of communications between the user and site cannot be read by any third party.
Here is a simple example for a traveller who is using an online hotel booking website with a login and password:
- If the website does not use HTTPS, the login and password are not encrypted. If the traveller uses a public internet connection (such as a Wi-Fi hotspot), the data can be intercepted and re-used by malicious persons.
- But if the website uses HTTPS, the login and password are encrypted, which means that they cannot be read by people who would intercept the data.
Just as food or car buyers do, digital consumers need reassurance about the security of products they use.
Displaying the “country of origin”, especially for meat, has become a quality standard in many restaurants. Not labelling food can make clients run away, frightened by the lack of transparency.
There is a similar trend on the Internet, focusing this time on personal and banking data. With all the scandals that recently came to light about hacking, data stolen and resold on black markets, security on the Internet has become a criterion of trust and success.
Communicating on security
As soon as a web application (website or mobile app) processes data, users are looking for signs of security, showing that the application is trustworthy.
This quest for signs of security is more or less conscious but, in any case, a lack of confidence results in abandoned purchases or subscriptions.