Pentest – What analysis approaches are there?

usd AG News, usd HeroLab

Attackers gaining unauthorized access to IT systems and applications has severe consequences for companies. Pentests identify possible gateways hackers could exploit and show ways to sustainably raise a company's IT security level. This makes pentesting one of the most effective security analysis methods a company can employ to proactively protect itself against hacking attacks. The security analyst (pentester) …

Security Advisory 01/2020

usd AG News, Security Research, usd HeroLab

usd HeroLab penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products Dolibarr ERP/CRM and Codiad Web IDE. The following vulnerability classes were identified: Reflected XSS, Stored XSS, SQL Injection, PHP Code Injection. In accordance with usd HeroLab's Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities. For more detailed …

Top 7 Quality Criteria for a Pentest Partner

usd AG News, usd HeroLab

In the era of digitalization, the question of whether systems and applications are effectively protected from attackers is business critical for many companies. The right choice of analysis methods is just as relevant as choosing a competent partner. In this series, we present the seven most important criteria you should consider when choosing a suitable partner for pentests, …

What If a Gateway for Hackers Was Hidden in Your Source Code?

usd AG News, usd HeroLab

Code Review – the Supreme Discipline of Security Analyses

Businesses today invest a lot in a wide range of security measures to protect their infrastructures from attacks. These include working with certified vendors, ensuring secure business operations, training employees to increase their security awareness, implementing an incident response process and much more. But what if the affected application already has …

Security Advisory 10/2019

usd AG News, Security Research, usd HeroLab

usd HeroLab penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect Bitbucket, PhpSpreadsheet and XClarity. The following vulnerability classes were identified: Broken Access Control, XML External Entity (XXE) Processing. In accordance with usd HeroLab's Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities. For more detailed information on the identified …

usd HeroLab "Summerschool 2019" completed

usd AG Life@usd, News, usd HeroLab

In addition to university courses, the usd HeroLab training program "Become a HeroLab Professional", or "Become a HeroLabber" for short, is another investment in qualified young talent by usd AG. Experienced usd HeroLab security analysts systematically prepare the students of this year's "Summerschool" for their involvement in pentesting projects. Julian Brecht, student at Technische Universität Darmstadt, about this year's Summerschool: …

Top 5 Quality Criteria for an Approved Scanning Vendor (ASV)

usd AG News, PCI Security Services, usd HeroLab

Corinna Reinheimer, who is in charge of ASV scans at usd AG, tells us the five most important characteristics you should consider when choosing your PCI scanning partner.

Top 1: Comprehensive experience

Employees in the fields of security analyses and vulnerability management require comprehensive professional experience in order to ensure they can propose proper solutions to security findings.

Top 2: …

Security Advisory 07/2019

usd AG News, Security Research, usd HeroLab

by Stefan Schmer, Managing Consultant at usd HeroLab.

Vulnerability Disclosure

usd HeroLab penetration testers have identified several security vulnerabilities during security analyses. These vulnerabilities affect the products Adobe Experience Manager (AEM), Bitbucket, feeling4design Super Forms and Oracle Transportation Management (OTM). The following vulnerability classes were identified: Cross Site Scripting (XSS), Username/Filename Enumeration, Sensitive Data Disclosure, Code Injection, Broken Access Control …