You think your web/mobile applications are safe? Think again! 10 misconceptions about web application security. Come and meet us at #CeBIT!
1. Only big companies are threatened by hackers
We cannot even tell you how many times we have heard that. The problem is: hackers do not care about the size of your company. They don’t go around checking how many employees you have or what your turnover is. They seize every opportunity they get. Of course, multinationals are more visible and thus more exposed to attacks; as a result, they are also better prepared, and SMEs become the easier targets. One of our clients, who owns a small digital business, learned this the hard way when he discovered that all the online payments on his website had been hijacked to a foreign bank account.
Moreover, have you ever thought that your competitors could be interested in what you have?
2. I have the best developers on the market
Super developers have to code fast and deliver applications that are both powerful and user-friendly. Unfortunately, they are generally not security experts: building software and breaking it are two distinct skill sets. Hence the crucial importance of testing their work, from a security point of view, with a pentest. They will learn from the experience, and you can also train them more specifically on the topic.
Let’s put it this way: the finest paintwork will always need a protective coating.
3. I use robust frameworks, so I’m safe
Robust frameworks do help to build secure code. However, this is not just a question of choosing a framework: it is all about using the framework properly with regard to your security needs. We often see developers disable protections that are built into the framework because they want to speed up their development process. This is why security testing is always necessary.
4. We don’t collect sensitive data, so why bother?
Sensitive customer data is obviously and rightfully one of the main things to secure in an application. Nevertheless, it is just the tip of the iceberg. Say you run an e-commerce website: how would you react if your platform was down for 2 days? Or think about your reputation: even information that many do not consider « sensitive » is in fact sensitive. I am sure your clients would not appreciate their emails and passwords being leaked on the internet.
Your company’s IT security is not only a matter of firewalls and security staff. You, even as a non-security person, can do a lot to prevent the leakage of data and sensitive information.
Through our security audit experience we have learned that, in most companies, staff unknowingly leave a large amount of material available on the internet to anyone.
These unknown elements can be of many types: contact details, credentials, technical information or business data. All of them are “unknown” because they are not part of any process: they have been left behind unconsciously and without any follow-up. Attackers are fond of this data, which they can use for technical or social engineering attacks.
How can you avoid leaking such precious information? Here are some bad habits that you should definitely get rid of.
1. Using your professional contact details for personal things
The fairly recent data leak at Ashley Madison confirmed what we already knew: many people use their professional (email) address to register on websites, probably because some of them don’t want to receive notifications on their personal email (and risk being exposed to their spouse).
Websites often get hacked, which leads to information disclosure such as the entire list of users’ logins and passwords. And many people tend to use the same password on different websites (including professional ones) because they find it hard to remember many different passwords. So if you use your professional email and the same password on different websites, your company is at risk …
But even when the password is different or does not get disclosed, using your professional email on a website that gets hacked is dangerous. When Ashley Madison was hacked, the attackers had the users’ email addresses. They then used these addresses to send phishing emails offering help from lawyers after people’s accounts had been compromised. This plausible pretext led many people to click on links or open attached files … that could compromise their company’s information system.
The darknet is the hidden face of the web. It contains pages which are not indexed by search engines, many of them providing illegal information or services. On the darknet you can find stolen data or sensitive data that could be used for massive cyberattacks. So, could your company’s data be found on the darknet?
Deep web or Dark web?
First, there is a distinction between the deep web and the dark web (or darknet). The web can be compared to an iceberg:
– one part can be reached by search engines such as Google: the visible web (the tip of the iceberg)
– one part contains a vast number of non-indexed websites: the deep web (the hidden part of the iceberg)
– the most hidden part mainly contains pages concerning illegal activities such as organised crime or terrorism: the darknet (the bottom of the iceberg)
To reach hidden websites, you need to connect to an anonymity network such as Tor, through a specific browser. The Tor network gives you access to websites whose top-level domain is .onion.
Surfing on Tor is completely anonymous, which explains why this underground network is used by criminals but also by activists and people living in countries that censor the Internet.
MALWEAR – (n) a malicious software category causing a failure to dress properly amongst infected individuals.
DEVFLAWPER – (n) an individual who develops software, websites or apps but repeatedly adds security flaws into their code.
HACKOHOLIC – (n) an individual who surfs the World Wide Web and cannot help hacking websites.