usd HeroLab Annual Report 2020: Risks. Consequences. More Security

11. February 2021

2020 was a year of special threats – even in the world of IT security. The HeroLab Annual Report reviews the year from the perspective of our security analysts. Matthias Göhring, Co-Head of usd HeroLab, and Tobias Neitzel, usd Managing Consultant IT Security, talk about the backgrounds.

What contents can we expect in the annual report?

TN: In our pentests, we increasingly identify the same vulnerabilities in different IT systems. In the annual report, we have prepared the most notable vulnerabilities to show how hackers proceed and how companies can better protect themselves. It is alarming to us that we keep finding vulnerabilities that have been known for years, such as cross-site scripting, in many systems and applications.

MG: Not only do we find these vulnerabilities in software our clients have developed in-house, we often find them in purchased software products as well. Vulnerabilities that are not publicly known by the time we discover them, are called zero-day vulnerabilities. We take a very responsible approach in such cases, in accordance with our Responsible Disclosure Policy, and work with the software vendors who close this vulnerability with the help of updates. We then publish the details in the form of “Security Advisories” on our website – 43 in the past year alone. This high number shows how important it is to work with vendors to find solutions to better protect businesses and users. The top 3 are listed in our annual report.

What prompted you to publish your first annual report now?

MG: 2020 was a special year for our clients and for us, in which we mastered many challenges. More than ever, we were there for our clients and also contributed to continuous development in different areas: we made great progress in the further development of our tool landscape, the usd HeroLab Toolchain, which helps us to support our clients with even more transparency, efficiency and highest quality. We invested more in the optimization of our internal training program, which new team members graduate from as “usd HeroLab Certified Professional”, UCP for short. At the same time, we intensified our university cooperation with the TU Darmstadt with the digital Hacker Contest and held the online event “usd Hacking Night” with over 100 participants.

TN: Our mission drives us forward – the toolchain helps us assess the individual threat situation of our clients and create a meaningful overview of all identified vulnerabilities. We are really very proud of what we have already achieved with our toolchain. It is important to us that with the help of the usd HeroLab annual report we provide insights into the general threat situation and show what consequences we draw from it.

You can download the usd HeroLab Annual Report 2020 here.

Learn more about our toolchain here.

Also interesting:

Security Advisories for Apache Tomcat

Security Advisories for Apache Tomcat

The analysts at usd HeroLab examined the popular Open Source Web Server Apache Tomcat as part of their security analyses. Two vulnerabilities were identified, which made it possible to obtain restricted write permissions and to perform XML External Entity Injection...