Security Blog

Asset Inventories: Stay Up to Date!

Asset InventoriesHaving an asset inventory is a common security practice. Yet, keeping that inventory up to date seems to be less common. GoSecure penetration testers report encountering unmaintained asset inventories quite often, allowing them to exploit forgotten servers hosting known vulnerabilities. This blog post highlights findings related to asset inventory maintenance uncovered through our research on Cybersecurity Perceptions Versus Reality.

read more

The Easy Way In: Products’ Features Vulnerable by Default!

Product FeaturesAs part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to products’ features enabled by default that could represent a security risk.

read more

Patch Management: A Cybersecurity Priority Yet to be Fully Implemented

Patch ManagementAs part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to patch management.

read more

Unicode for Security Professionals

Unicode for Security ProfessionalsUnicode is the de-facto standard for multilingual character encoding. UTF-8 is the most popular encoding used that supports its hundreds of thousands of characters. Aside from the encoding (byte representation of characters), Unicode defines multiple transformations that can be applied to characters. For instance, it describes the behavior of transformations such as Uppercase. The character known as Long S “ſ” (U+017F) will become a regular uppercase S “S” (U+0053). Unexpected behavior for developers can often lead to security issues. Today, we will dive into the case mapping and normalization transformations. You will see how they can contribute to logic flaws in code.

read more

The Easy Way in for Attackers: Passwords

PasswordsAs part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to password policies.

read more

Categories

Pin It on Pinterest