Archive for 2016

Strategies to Stay Safe from Cyber Attacks

Cyber security is vital for businesses, especially small and medium-sized ones, because they often lack the cyber security infrastructure and staff that large companies have to ensure that files and bank accounts are not left susceptible to compromise.
At first, for anyone, cyber security can feel very complex – and it is! But to make it easier, here are three proven strategies that companies of all sizes can implement to keep themselves safe from cyber-attacks.
Use these tips to educate yourself and others on what is necessary to stay safe with sensitive information and, for some businesses, compliant with regulation.
  1. Use a layered defensive security approach.
    • Use software or other solutions at different points in and around a given network.
    • Layered defenses are important because they can often (depending on the number of layers) prevent a breach from happening at all.
  2. Train employees (not just lower-level employees, but employers and management as well).
    • Employees are most often the weakest link in any business’ security.
    • This is the easiest way for attackers to bypass many or all of the technical measures put in place.
  3. Monitor and maintain network security all the time (24/7).
    • Trouble never sleeps, and there is always someone in the world who will want to attack your company or personal information.
Thursday, 15 September 2016
Posted by Siva Priya

New Malware Allows Full Access to Mac Systems

Recently the internet security software company Bitdefender found that Apple's Mac OS X systems face a new threat that allows attackers to take full control of the system imperceptibly and collect all the sensitive information from infected computers.

Recently Bitdefender found a new malware that installs a backdoor into the Mac operating system, granting attackers full access to Mac systems. The malware has been named “Backdoor.MAC.Eleanor” and was discovered by researchers at Bitdefender.

As already mentioned, the malware is dedicated to installing backdoors in the operating system so that attackers have full access: they can read user data, take control of the webcam, execute arbitrary code and much more.

As a means of distribution it uses a fake file conversion application known as EasyDoc Converter.app, which can be found in places widely used by Mac users when looking for applications to install, according to Bitdefender.

Initially, the researchers found it difficult to determine exactly how infection occurs. Most likely, the backdoor is distributed via spam messages, but it can also get onto the system through applications downloaded from untrusted sources. As the experts explained, one of the loader components is distributed as a ZIP file.

The ZIP file contains an executable in the Mach-O format disguised as a text or JPEG file. However, the file name ends with a space after the extension, so when you double-click the file it opens in the Terminal rather than in TextEdit or Preview as regular files would. Since the Finder file manager shows the executable with a JPEG or TXT icon, the user is unlikely to suspect that something is wrong and is likely to open it.

The backdoor, packed with a modified version of UPX, seeks persistence on the system by setting up a PLIST file in “/Library/LaunchAgents/” (if it has superuser privileges) or “$USER/Library/LaunchAgents/” (without root access). The Icloudsyncd executable is stored in the “Library/Application Support/com.apple.iCloud.sync.daemon” directory.

However, Macs have an additional security measure known as “Gatekeeper”, which is located in System Preferences under Security & Privacy. By default, it prevents running any unsigned applications from unidentified sources or developers. So, if you download an unsigned application from an unidentified source (rather than from the Mac App Store) and try to run it, you will ultimately get a message stating that the application cannot be opened. Hence, Gatekeeper would have blocked the malware, if it is enabled.

Tuesday, 19 July 2016
Posted by Siva Priya

Hackers Show How To Hack Anyone’s Facebook Account Just By Knowing Phone Number

By exploiting the SS7 flaw, a hacker can hack someone’s Facebook account just by knowing the associated phone number. This flaw allows a hacker to divert the OTP code to his/her own phone and use it to access the victim’s Facebook account. The security researchers, who have explained the hack in a video, advise users to avoid adding their phone numbers to public services.

Facebook hacking is also one of the most commonly searched terms on the internet. However, very often people become a victim of malware while searching for Facebook hacking tools.
As we continue to deploy new safety measures to secure our online accounts, hackers and security researchers continue to find new ways to control Facebook accounts.

Recently, we told you how an Indian security researcher spotted a bug in the Facebook website and got $15,000 bug bounty.

Today, we are going to tell you how hackers can hack any Facebook account just by knowing the associated phone number and exploiting an issue with the SS7 network.

For those who don’t know, SS7 (Signalling System No. 7) is a communication protocol that is used worldwide by cellphone carriers.

Using a flaw in SS7, hackers can divert the text messages and calls to their own devices. This hacking technique has been shared as a proof-of-concept video by the security researchers from Positive Technologies.

How To  Facebook Account By Knowing Phone Number (Video):
This flaw affects all Facebook users who have associated a phone number with their Facebook accounts.

https://www.youtube.com/watch?v=wc72mmsR6bM
In the demonstration video, the security researchers show that as the first step of the hack, the attacker needs to click on the “Forgot account?” button on Facebook.com website’s homepage.

When Facebook prompts the hacker to enter an email address or phone number, he/she should enter the correct number associated with the account.

By exploiting the SS7 flaw, the hacker is able to divert the OTP message from Facebook to his/her own computer and use it to login to the victim’s Facebook.

The researchers list some measures that a user can take to secure his/her Facebook account. They advise people to avoid adding their phone numbers to public services and rely on email for recovery purposes.

The users are also advised to use 2-factor authentication methods that don’t use SMS texts for sending OTP.
Thursday, 16 June 2016
Posted by Siva Priya

Ethical Hacking Course in Vellore

Ethical Hacking Course in Vellore | Kanchipuram | Gudiyatham

Ethical Hacking! Hacking is an action performed by a hacker to make a system or an entire network malfunction, with the intention of interrupting or crashing it by bypassing security controls such as a strong password set by the owner of the network. A company, however, looks at this technique in a different way: companies use the same strategies in order to increase their security by seeing it from a hacker's point of view. This is what you will be learning at our ethical hacking course in Vellore. The training offered here will make you face the obstacles that are posed in the real-time hacking industry.
According to an old saying, “Be a Roman when you are in Rome”: to become an ethical hacker you should turn into one. The demand for ethical hackers is increasing worldwide, and it is the highest paid job in India as well as abroad. Unhappily, there are too few ethical hackers available to fill the open positions in leading companies around the world. Our ethical hacking course would act as a gateway for you to enter a reputed concern. For this, all you have to do is join Redback Academy and pursue your ethical hacking training.
Our approach lies in training our students in every perspective from which a professional hacker would think. Since our trainers are current employees of leading hacking companies, they give you real-time training on how to hack a small network, through which you gain the knowledge of how to face an actual work environment. This includes understanding the tools required for hacking and the pace of the environment where all the action takes place. These are the talents we have been applying in teaching our hacking course in Vellore for a long time.
Our teaching is completely practical, with a minimal number of theory classes. Students are allowed to take advantage of our lab facility during our opening hours. We provide an international certification to our students on successful completion of the training, and that would be from the EC-Council. You can contact us at any time for a free demo class to get in-depth knowledge about the course you are about to learn. We are ready to help you with all our effort to make you an ethical hacker as soon as possible. Don’t wait any longer, call us now to enroll for the course.
Ethical Hacking Course Syllabus:
  • Introduction to Ethical Hacking
  • Footprinting and Reconnaissance
  • Scanning Networks
  • Enumeration
  • System Hacking
  • Trojans and Backdoors
  • Viruses and Worms
  • Sniffers
  • Social Engineering
  • Denial of Service
  • Session Hijacking
  • Hacking Webservers
  • Hacking Web Applications
  • SQL Injection
  • Hacking Wireless Networks
  • Hacking Mobile Platforms
  • Evading IDS, Firewalls, and Honeypots
  • Buffer Overflow
  • Cryptography
  • Penetration Testing
Why Ethical Hacking Course in Vellore at Redback Academy?
  • We provide innovative and practical teaching methods in an attempt to make learning more interactive.
  • We are open 7 days a week. You can enjoy the flexibility of weekday and weekend schedules based on your convenience.
  • At the end of the course, each student will be assigned a mini project. In addition, we also give the opportunity of working on real-time projects based on their ability.
  • Our training institute is equipped with high-end infrastructure and a lab facility.
  • Intensive training by certified ethical hackers working in leading MNCs
  • In-depth subject coverage and excellent training
  • We also offer 100% placement assistance to our students to make an impressive presence in reputed web design industries.
Looking for the best Ethical Hacking Training Course in Chennai? Enroll in FITA. Get trained by a Certified Ethical Hacker and become one!
Sunday, 22 May 2016
Posted by RISC

Learn Hacking


www.redbackacademy.com | www.redbackcouncil.org


Wednesday, 11 May 2016
Posted by RISC

IRCTC website hacked, information of lakhs feared stolen.

The website of the Indian Railways Catering and Tourism Corporation (IRCTC) was hacked and the personal information of around 1 crore users is feared to have been leaked, according to reports on Thursday. The official website of the Indian Railways, IRCTC is the biggest travel e-commerce website in India, and lakhs of transactions are conducted on the site every day. With the reported leak, questions about the safety and security of customers’ personal information, such as PAN card numbers and other details, have arisen.

The hacking occurred late on Tuesday night and the site has now been brought under control, but fears of the personal information of thousands of customers being misused remain. A high-level meeting took place in Delhi regarding the hacking. Senior IRCTC officials discussed what measures could be taken to ascertain how far the hackers had gone. Speaking to Mumbai Mirror, AK Manocha, Managing Director of IRCTC, revealed that so far there has been no complaint from any customer, but Delhi police’s cyber cell has been informed.

Customers have to fill in important information for online reservations and, when stolen, the same can be used by miscreants to create forged documents. “The data is a valuable asset and can be sold to corporations who may use it for targeting potential consumers,” an IRCTC source was quoted as saying by TOI. Personal data of the users like email ids and mobile numbers, which are also filled in while making online bookings, can be used by telemarketers for promoting their respective products or services and spamming the customers with unwanted messages.

However, sources said that it was unlikely that bank details or credit card details were leaked, since the payment gateway takes the customer out of the website during online payment. Once the user is directed to the bank's site, there is less chance of information leaking, as these sites have better security. The hacking occurred even after the Railways reportedly spent Rs. 100 crore last year on upgrading the website.



Thursday, 5 May 2016
Posted by Siva Priya

How to Become an Ethical Hacker

Cyber-security is one of the major concerns of online users these days, and hackers are an inevitable part of this discussion. Every part of our cyber world is influenced by hackers, who exploit the vulnerabilities of systems to gain unauthorized access. While numerous people confuse the terms hackers and cyber-criminals, many of you want to know more about hackers and how to become one.

Have you ever considered hacking as a career? There are a few things that should be considered to figure out if hacking is the right job for you.

As I’ve discussed in my earlier article, there is great confusion among people when it comes to things like cyber criminals, hackers, ethical hacking, black hat hacking, white hat hacking and more.

Who is an ethical hacker?
An ethical hacker performs hacking to help an individual or company and identifies the potential risks. An ethical hacker is a good guy, and sometimes the term is used synonymously with White Hats. They work to improve overall internet security and search for weak points that could be exploited by the black hats – the bad guys.
Take a look at these points and you will understand what constitutes ethical hacking! These are “guidelines” that an ethical hacker must follow!
1. Respect an individual’s or company’s privacy.
2. Have permission (expressed – often written) to break into a network and look for the loopholes.
3. After finding the vulnerabilities, tell your employer about the unknown flaws.
4. After finishing the work, you must not leave anything open for later exploitation by you or someone else.
5. Do not take any kind of advantage of the permission and access granted to you.
Now, take a look: it’s a very well represented career path. To pursue a career as an ethical hacker, you can start by becoming an Information Security analyst or a computer programmer.

Learn more about this career path in the info-graphic given below:
To Build a best Career as Security Professional :
Contact :
Redback IT Academy 
#AL 24, TNHB , PHASE III,
Sathuvacheri,
Near Vallalar Water Tank ,
Vellore. 

Call us @ : 8189985551

Tuesday, 26 April 2016
Posted by Siva Priya

The 7 Most Wanted Iranian Hackers By the FBI

The Federal Bureau of Investigation (FBI) has lengthened its Most Wanted List by adding seven Iranian hackers who are accused of attacking a range of US banks and a New York dam.

The United States Department of Justice (DoJ) charged seven Iranian hackers with a slew of computer hacking offences for breaking into the computer systems of dozens of US banks, causing millions of dollars in damages, and trying to shut down a New York dam.

The individual hackers, who allegedly worked for computer security companies linked to the Iranian government, were indicted for an "extensive campaign" of cyber-attacks against the US financial sector.

All the seven hackers have been added to the FBI's Most Wanted list, and their names are:
1. Ahmad Fathi, 37
2. Hamid Firoozi, 34
3. Amin Shokohi, 25
4. Sadegh Ahmadzadegan (aka Nitr0jen26), 23
5. Omid Ghaffarinia (aka PLuS), 25
6. Sina Keissar, 25
7. Nader Saedi (aka Turk Server), 26
All the hackers have been charged with conducting numerous Distributed Denial-of-Service (DDoS) attacks on major U.S. banks, with Firoozi separately gaining unauthorized access to a New York dam's industrial automation control (SCADA) system in August and September of 2013.
"This unauthorized access allowed [Firoozi] to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates," a DoJ statement reads.
Luckily, the sluice gate had already been manually disconnected for the purpose of maintenance at the time Firoozi attacked.

The hackers' work allegedly involved botnets – networks of compromised machines – that hit major American banks, including Bank of America and J.P. Morgan Chase, as well as the Nasdaq stock exchange, with floods of traffic measuring up to 140 Gbps and knocked them offline.

The Iranian hackers targeted more than 46 financial institutions and financial sector companies, costing them "tens of Millions of dollars in remediation costs" in preventing the attacks in various incidents spanning 2011 to 2013.

All seven hackers face up to 10 years in prison on computer hacking charges, while Firoozi faces an additional 5-year prison sentence for breaking into the Bowman Avenue Dam in Rye Brook, New York.

Friday, 22 April 2016
Posted by Siva Priya

WhatsApp’s end-to-end encryption: How to enable and what it means.

WhatsApp is now end-to-end encrypted at all times. This will ensure that a user’s messages, videos, photos sent over WhatsApp, can’t be read by anyone else; not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats will be encrypted.


WhatsApp co-founder Jan Koum announced the update on his Facebook page, stating that the company has been working on the feature for the last two years.

Koum wrote, “We’ve been working for the past two years to give people better security over their conversations on WhatsApp… People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”

So what is end-to-end encryption and how exactly does it work in WhatsApp?

WhatsApp is using “The Signal Protocol”, designed by Open Whisper Systems, for its encryption.
In its White Paper, explaining the technical details of the end-to-end encryption, WhatsApp says that “once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.”

The post explains how messages are encrypted as well. It reads, “clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session.” It also says that calls, large file attachments are end-to-end encrypted as well. 

Note that the ever-changing message key can mean a delay in some messages getting delivered, according to the paper. It should be noted that the feature is enabled by default in WhatsApp, which means that if you and your friends are on the latest version of the app, all chats will be end-to-end encrypted. Unlike, say, Telegram, where users have to start a secret chat to enable the feature, WhatsApp has the feature on at all times. Users don’t have the option of switching off end-to-end encryption.


Users need to be on the same version of WhatsApp to ensure that their chats get end-to-end encrypted. If you’ve recently updated the app and you start a chat with someone else (also on the new version), you are likely to see a message saying, “Messages you send to this chat and calls are now secured with end-to-end encryption.”

Once you tap on the message, WhatsApp shows a pop-up explaining what end-to-end encryption means. Users can verify whether the encryption is working as well. If a user taps on verify, they will be taken to a page with a QR code, followed by a string of 60 numbers. If your friend is nearby, take their phone and scan the code from your phone (the option is at the bottom of the same page); if the QR code matches, then the chat is encrypted. When the codes match, a green tick appears; when they don’t, a red exclamation mark alerts the user that the chat is not secure.

So does the end-to-end encryption work all the time? We tried verifying some chats that had the message saying encryption was enabled. In some cases, the verification failed for us. In the first case, we tried to verify a chat between an Android and an iPhone 6s device (running iOS 9.3.1), and the QR codes didn’t match. We also tried matching QR codes on two Android phones, and once again we got the red alert indicating no end-to-end encryption. The Android phones are on the latest version of the app from the Google Play Store. However, a verification between a chat on two iOS devices (iPhone 6s, iPhone 5s) worked for us and showed the green tick. We’re not sure why the verification failed, even though the chat says it is end-to-end encrypted. We might have to wait for another app update that could fix this issue.
Wednesday, 6 April 2016
Posted by Siva Priya

Penetration testing for your organization has never been easier.


Redback Council offers a simple, easy-to-understand suite of penetration testing services to commercial organizations throughout India. Redback Council is a commercial product offering of Chameleon Integrated Services, and can demonstrate a strong track record of past performance in IT security systems that includes work for the Indian government and a diverse group of commercial customers (small and large).

We make the process of executing the most critical elements of penetration testing available in an easy to implement and easy to afford manner. We offer four separate services individually and as a bundle, that we believe are critical to establishing IT system security for your organization.

Our service offerings include:

Internal Penetration Testing
External Penetration Testing
Wireless Penetration Testing
Spear Phishing Campaigns

These services can be performed quickly and easily by our team anywhere in India. Redback Council uses top pen testing experts from across India to implement our security procedures. You can rest assured that all work performed will be completed by a verifiable and accredited IT security expert. Additionally, all of our service offerings include deliverables and reports following all of our security protocols.



Sunday, 13 March 2016
Posted by RISC

HORNET is New Tor-like Anonymity Network With Superfast Speeds

The Deep Web is a place that is hidden from the ordinary world because the browsers used to access the Deep Web, continuously encrypt user data. Due to this constant data encryption, the browsing speeds are slow. Our beloved Tor network has more than 2 million daily users that slow down its performance. To counter this speed issue, five researchers have developed a new Tor-style anonymity network called HORNET: High-Speed Onion Routing at Network Layer.  


Compared to anonymity networks like Tor, the HORNET system is more resistant to attacks and it delivers faster node speeds. The researcher team writes, “unlike other onion routing implementations, HORNET routers do not keep per-flow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added.”

This paper “Hornet: High-Speed Onion Routing at Network Layer” was written by researchers Chen Chen of Carnegie Mellon University, along with David Barrera, Enrico Asoni, and Adrian Perrig of Zurich’s Federal Institute of Technology, and George Danezis from University College of London. Here’s the research paper.

To achieve speeds higher than Tor, HORNET doesn’t encrypt data as often; instead it encrypts just the personal parts. In Tor, anonymity comes at the price of speed. To provide anonymity, Tor takes data and passes it through a series of computers before the final destination. Each time it passes from one computer to the next, another encryption layer is involved and the IP address changes. Thus, it forms a time-consuming multilayer network (hence “The Onion Router”).

HORNET nodes process anonymous traffic at more than 93 Gb/s.

The basic architecture of Tor and HORNET is the same (onion routing). HORNET creates an encryption key set along with the routing info (connection state) on your system. Thus, the intermediate nodes don’t need to build this information each time, as these keys and the connection state info are carried within the packet headers (the anonymous header, or AHDR).

According to the research paper, this makes the whole system more secure as the intermediate computers don’t waste time working with the sender’s and receiver’s packets. Thus, the whole process becomes faster and more secure.

It is worth mentioning that HORNET has not yet been tested at a large scale; so far it is just these 5 researchers. Thus, extensive peer review is needed before systems like HORNET can be adopted.
Saturday, 12 March 2016
Posted by Siva Priya

Top 10 safe computing TIPS


1. Patch, Patch, PATCH!
Set up your computer for automatic software and operating system updates. An unpatched machine is more likely to have software vulnerabilities that can be exploited.

2. Install protective software.
Sophos is available as a free download for Windows, Macintosh, and Linux from IS&T's software page. When installed, the software should be set to scan your files and update your virus definitions on a regular basis.

3. Choose strong passwords.
Choose strong passwords with letters, numbers, and special characters that form a mental image or an acronym that is easy for you to remember. Create a different password for each important account, and change passwords regularly.

4. Backup, Backup, BACKUP!
Backing up your machine regularly can protect you from the unexpected. Keep a few months' worth of backups and make sure the files can be retrieved if needed. Learn more about TSM and how to back up your system.

5. Control access to your machine.
Don't leave your computer in an unsecured area, or unattended and logged on, especially in public places - including Athena clusters and Quickstations. The physical security of your machine is just as important as its technical security.

6. Use email and the Internet safely.
Ignore unsolicited emails, and be wary of attachments, links and forms in emails that come from people you don't know, or which seem "phishy." Avoid untrustworthy (often free) downloads from freeware or shareware sites. Learn more about spam filtering.

7. Use secure connections.
When connected to the Internet, your data can be vulnerable while in transit. Use remote connectivity and secure file transfer options when off campus.

8. Protect sensitive data.
Reduce the risk of identity theft. Securely remove sensitive data files from your hard drive, which is also recommended when recycling or repurposing your computer. Use the encryption tools built into your operating system to protect sensitive files you need to retain.

9. Use desktop firewalls.
Macintosh and Windows computers have basic desktop firewalls as part of their operating systems. When set up properly, these firewalls protect your computer files from being scanned.

10. Most importantly, stay informed.
Stay current with the latest developments for Windows, Macintosh, Linux, and Unix systems.
Tuesday, 8 March 2016
Posted by Siva Priya

6 Statistics that Prove You Need Application Security Training

As well as protecting your applications and the sensitive data they contain, improving your application security can save your organisation a great deal of time and expense.


Good application security training is a crucial first step to improving your organisation’s application security. Today, I’m looking at 6 statistics that demonstrate why application security training is essential for protecting your organisation and its data.
1) At Least 70% of Vulnerabilities Exist in the Application Layer
Gartner has estimated that 70% of all vulnerabilities are caused by poor application security – and other researchers have estimated the figure to be as high as 90%.
While many organisations assume that the network layer of their infrastructure is the primary source of security vulnerabilities, it’s actually the application layer that poses the biggest threat.
2) Only 1 in 40 Web Applications has a Web Application Firewall
Web application firewalls (WAFs) inspect all traffic flowing to web applications for common attacks, such as cross-site scripting, SQL injection, and command injection.
Despite WAFs being able to detect many of the most common web application vulnerabilities, on average only 1 in 40 applications in a recent study was found to use a web application firewall to protect against common attacks.
3) 71% of Developers Believe Security is Not Addressed During the SDLC
The sooner you catch a vulnerability during the SDLC, the easier (and cheaper) it is to fix.
Despite the exponentially growing cost and complexity of fixing application vulnerabilities after deployment, more than two thirds of developers believe that their organisations make no efforts to address security during the development life-cycle.
4) Only 22% of Developers Have Any Role in Testing Application Security
Less than a quarter of software developers have any active role in testing application security during the SDLC.
This is because in most organisations, security is a separate department and the development team has very little security knowledge, making it harder to identify and remediate vulnerabilities, and prevent them from making it into the finished product.
5) 47% of Developers Have No Mandate to Fix Vulnerable Code
Even worse: once a vulnerability is detected, almost half of developers lack the authority to fix it. Instead it is normally passed over to the security team, making the remediation process longer and allowing more time for the vulnerability to be exploited.
If security isn’t prioritised during the SDLC and developers aren’t involved in security testing for their applications, they will make the same mistakes over and over; and without a mandate to remediate these vulnerabilities, this can cause significant friction between your development and security teams.
6) 89% of Application Vulnerabilities Are in the Software Code
This is compared with only 11% that are caused by application misconfiguration. This highlights the importance of educating your development team in secure coding best practices, to guard against the most common application vulnerabilities such as those listed in the OWASP Top 10.
By teaching your developers defensive coding, your organisation can reduce vulnerabilities at the source, reducing the number of mistakes and loopholes that make it into the finished code.
Friday, 26 February 2016
Posted by Siva Priya


- Copyright © REDBACK COUNCIL - RISC -- Powered by Redback - Designed by Redback Council -