Last year, we heard a lot of new buzzwords that global security leaders and practitioners used to describe the current cybersecurity landscape. Despite growing security concerns and the strict measures adopted by countries and corporations to minimise cyber threats and the level of their impact on people and systems, cyber-attacks keep increasing and becoming more and more sophisticated.
New types of attacks can do greater damage in a much shorter time. Formjacking attacks, in which cybercriminals inject malicious code into the websites of eCommerce providers and retailers to steal users’ credit card details, compromise more than 5,000 unique websites each month.
Supply chain attacks ballooned by 78% in 2019, while LotL (living off the land) attacks have become a cybercrime mainstay by allowing crooks to hide inside legitimate processes. For instance, the use of malicious PowerShell scripts increased by 1,000% last year. Their goal is to gather intelligence while disrupting and destroying business operations. Attackers have also increased their use of more traditional methods like spear-phishing to infiltrate companies and steal sensitive information. Such attacks increased by 25% in 2019.
The cloud is at risk too: 70 million records were stolen from poorly configured S3 buckets last year. Misconfigured cloud workloads can cost organisations millions in lost money and cause a compliance nightmare. Off-the-shelf web products are now more vulnerable than ever before, and criminals use them to identify misconfigured cloud resources.
Hardware chip vulnerabilities such as Spectre, Foreshadow or Meltdown let intruders access firms’ protected memory spaces on cloud services hosted on the same physical server. Routers and connected cameras account for 90% of all infected devices, and almost every IoT device is vulnerable to savvy targeted attacks.
How Evolve Teamed Up With Arcturus To Integrate Pentesting Into Our SDLC
For Evolve, as a software development company, the cybersecurity of the bespoke applications we deliver to our clients is our top priority. Therefore, we ensure that the software developers working on client-tailored extended teams in our Ukraine-based R&D Centre are trained on cybersecurity essentials. In January 2019, we sent a team of our Ukrainian software developers to attend a comprehensive penetration testing workshop held by our security partner Arcturus. Here’s their feedback on the key takeaways from the workshop.
“I’m now well aware of the OWASP top 10 principles and will make sure to apply them in my daily development activities,”
Konstantin, senior PHP developer, Pro-Evaluate/Incident Reporting project.
“I never thought about vulnerabilities in very popular and most used libraries and frameworks. So after this workshop, I will pay more attention to new vulnerabilities that can impact our projects.”
Alex, senior .Net developer, e-bate project.
“Having attended the workshop, I became more aware of risks related to exposure of technical server-side information to common users,”
Andrii, .Net developer, e-bate project.
“The workshop was very helpful to me as a senior .NET developer. The guys showed me some vulnerabilities in pretty unpredictable places and really good practices of secure software development and maintenance. I’m sure it will help a lot to avoid problems in long-term product development.”
Andrey, senior .Net developer, Zeux Extended Team.
We have also commissioned Arcturus to perform a pentest on our proprietary web applications and on one of our clients’ software products. Their penetration testing services simulate the techniques of criminal hackers and malicious insiders to identify vulnerabilities in your internet-facing or internal applications.
After completing the pentests, Arcturus sent us a detailed report with the following conclusion:
“As a software development organisation, Evolve understands that it is important for the applications developed by them to be developed to a high standard. This includes being bulletproof in terms of security, to ensure the business maintains a great image & reputation. Because of this, they have incorporated a penetration test into their software development lifecycle and have commissioned Arcturus to perform a penetration test on their web application and associated infrastructure.
It is evident from the small number of findings that Evolve has implemented many good security practices. The recommendations in this report will further improve the overall security posture of the network infrastructure. There were no findings of a severe nature; this is partly due to the simple-by-design functionality of the application, but we would also like to believe your developers have benefited greatly from the Secure Coding Workshop held earlier this year.”
Now that our Ukraine-based software developers have completed cybersecurity and penetration testing training, and since we’ve incorporated this type of security testing into our software development life cycle (SDLC), we recommend that all of our clients have their applications pen tested to ensure they’re well protected against the most dangerous cyber threats and viruses.
Are you looking to hire a professional team of cybersecurity experts to pentest your web or mobile application? Request a callback from us to discuss how Evolve can assist with your security needs!