2009 | SECFORCE

Home : Blog

Archive for 2009

	SECFORCE has co-authored the book “SQL Injection Attacks and Defense” Tuesday, March 31st, 2009 SECFORCE has co-authored a book fully dedicated to SQL injection attacks and published by Syngess. This book targets developers, penetration testers and security professionals. It is entirely dedicated to SQL injection attacks and defense, and it is a standalone resource with all the necessary information about the topic. SQL injection is one of the most devastating vulnerabilities affecting web applications. This book provides penetration testing professionals with all the necessary information to discover and exploit this kind of vulnerabilities. Tags: book, penetration test, Penetration Testing, sql injection, SQL injection Attacks and Defense Posted in Penetration Testing, SECFORCE, Security Books \| No Comments »
	Penetration testing - service or commodity Monday, February 23rd, 2009 We face this kind of issue everyday. There are two different approaches to web application penetration tests: An increasingly number of companies are buying automatic web scanners, run them, generate some results and put them in a report-shaped tin, ready to go to the client. No human interaction with the application is needed. Some other companies allocate X numbers of days of a highly skilled consultant to assess the security of your web application. Among many other tests the consultant will also run automatic web scanners, but that is only scratching the surface of a real penetration test. The consultant will use all his/her experience to analyse many other factors of the application. Penetration testing is all about assurance. In the first case the client will get some useful results, no doubt about it, but what level of assurance is it going to get? The report will cover the vulnerabilities discovered by XYZ software. Is that enough? I don’t think so, but that is for the client to decide. There is no question that the report will be incomplete and many issues will be missed. In the second scenario the client can get the assurance that the results obtained were the work of a motivated attacker focused on the application security for X numbers of days. Is that enough? Again, it is up to the client to decide but in my opinion it gets so much closer to an acceptable assurance level. It all depends on what do you want to be protected against. The decision in yours. Tags: information security assurance, penetest, penetration test, Penetration Testing Posted in Penetration Testing, Risk Management \| 1 Comment »
	Hackers in your network are closer than they appear Thursday, January 22nd, 2009 Our marketing department did it again! This is what happens when marketing creatives and techies get together. From this… you get a monitor mirror with this design… and then you get the real thing: If you are one of our lucky clients, you will probably never look back again to check who is looking over your shoulder. If you are not then you don’t have the assurance of having the very best security consultants looking after your infrastructure and what is more important, you will need to keep looking back. SECFORCE is an IT security consultancy specialized in providing penetration testing and IT security consultancy. Have a look to our website if you need to protect business assets. Tags: hackers, marketing, monitor mirror, SECFORCE Posted in Penetration Testing, SECFORCE \| No Comments »
	Advantages of penetration testing Wednesday, January 7th, 2009 Many times we are asked, what are the advantages of penetration testing? why should I conduct a penetration test in my business? If you find yourself wondering whether or not you should conduct a penetration test, then you should try to answer these questions: Is my system secure? How do I know it is secure? What are the consequences if someone breaks into it? We often hear people answering these questions saying “Yes, it is secure because it was designed with security in mind”. However one can argue that penetration testing doesn’t test the design of your solution, but the real implementation of it. We have found many good designs poorly implemented. Too many times the theory is too distant to the real thing. You may also answer “I don’t know if it is secure or not, but I guess no one is going to attempt breaking into it”. There are many different motivations for attacking a system and the only way of ensuring that the security of your system is not going to be compromised is by securing it. The advantage of penetration testing is that it gives you very accurate information about the real security posture of your system. Only if you answered “None” to the third question you should not consider investing your resources in a penetration test. Tags: advantages, penetration test, Penetration Testing, system security Posted in Penetration Testing \| No Comments »