Here we identify 4 practical steps SMEs can plan for and implement when they become a victim of a website hack. With the massive growth in cyber-crime, it’s a sad fact that it’s highly likely to become a question of ‘when’ rather than ‘if’. Below…
Author Archives: Ian Muscat
Defence in Depth – Final Part – Update software, Isolate services
Update software and components Whether it’s a server’s operating system, a web server, a database server or even a client-side JavaScript library, an application should not be running software with known vulnerabilities. Updating, removing or replacing software or components with known vulnerabilities sounds obvious, but…
Defence in Depth – Part 4 – Validate everything, Parameterize SQL queries
Trust no one, validate everything Unfortunately, most vulnerabilities at the application layer can’t simply be patched by applying an update. In order to fix web application vulnerabilities, software engineers often need to correct mistakes within the application code. It’s therefore ideal for software engineers to…
New Acunetix update includes security checks for Joomla! Core RCE, improved XXE tests and more
New updates have been released that test for a new Joomla! remote code execution vulnerability affecting versions 1.5.0 through 3.4.5 (CVE-2015-8562). Other updates also include improved XML External Entity (XXE) testing, multiple Cross-site Scripting tests in commonly used libraries and other improvements/bug fixes. Below is the…
Defence in Depth – Part 3 – The Least Privilege Principle
An application does not need to use the root (MySQL), sa (Microsoft SQL Server), postgres (PostgreSQL) or SYSDBA (Oracle Database) account to connect to the database. Likewise, it’s a bad idea to run daemons or services as root (Linux) or Administrator (Microsoft Windows), unless there is…
Takeaways from the VTech Hack, and the Vigilante Side of Security Breaches
Anyone following the news this week likely learned of the massive breach exposing the personal data of millions of parents and their children. VTech, a Hong Kong-based toy maker was hacked, exposing everything from children’s names and home addresses, to pictures (reportedly, 190GB worth of…
Defence in depth – Part 2 – Security before obscurity
Fail-safe defaults Software is bound to fail. Try as we might to create perfect, failure-resistant software, bugs will always exist that might cause software to fail. Notwithstanding this, it is important that this potential failure does not expose an application to a security risk. An…
Defence in depth and how it applies to web applications – Part 1
Information security generally refers to defending information from unauthorized access, use, disclosure, disruption, modification or deletion from threats. Organizations are constantly facing threats that exist both externally as well as internally — be they from nation states, political activists, corporate competitors or even disgruntled employees….
SQLi part 6: Out-of-band SQLi
Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather…