usd HeroLab Annual Report 2020: Risks. Consequences. More Security

11. February 2021

2020 was a year of special threats – even in the world of IT security. The HeroLab Annual Report reviews the year from the perspective of our security analysts. Matthias Göhring, Co-Head of usd HeroLab, and Tobias Neitzel, usd Managing Consultant IT Security, talk about the backgrounds.

What contents can we expect in the annual report?

TN: In our pentests, we increasingly identify the same vulnerabilities in different IT systems. In the annual report, we have prepared the most notable vulnerabilities to show how hackers proceed and how companies can better protect themselves. It is alarming to us that we keep finding vulnerabilities that have been known for years, such as cross-site scripting, in many systems and applications.

MG: Not only do we find these vulnerabilities in software our clients have developed in-house, we often find them in purchased software products as well. Vulnerabilities that are not publicly known by the time we discover them, are called zero-day vulnerabilities. We take a very responsible approach in such cases, in accordance with our Responsible Disclosure Policy, and work with the software vendors who close this vulnerability with the help of updates. We then publish the details in the form of “Security Advisories” on our website – 43 in the past year alone. This high number shows how important it is to work with vendors to find solutions to better protect businesses and users. The top 3 are listed in our annual report.

What prompted you to publish your first annual report now?

MG: 2020 was a special year for our clients and for us, in which we mastered many challenges. More than ever, we were there for our clients and also contributed to continuous development in different areas: we made great progress in the further development of our tool landscape, the usd HeroLab Toolchain, which helps us to support our clients with even more transparency, efficiency and highest quality. We invested more in the optimization of our internal training program, which new team members graduate from as “usd HeroLab Certified Professional”, UCP for short. At the same time, we intensified our university cooperation with the TU Darmstadt with the digital Hacker Contest and held the online event “usd Hacking Night” with over 100 participants.

TN: Our mission drives us forward – the toolchain helps us assess the individual threat situation of our clients and create a meaningful overview of all identified vulnerabilities. We are really very proud of what we have already achieved with our toolchain. It is important to us that with the help of the usd HeroLab annual report we provide insights into the general threat situation and show what consequences we draw from it.


icon symbol orange 007 1

You can download the usd HeroLab Annual Report 2020 here.

Learn more about our toolchain here.

Also interesting:

usd PCI Best Practice Workshop 2021

usd PCI Best Practice Workshop 2021

For many years, the usd PCI Best Practice Workshop has brought together responsible PCI personnel from companies of all sizes and from all industries to discuss current topics from the world of payment card industry together with PCI experts from usd. The interactive...

Security Advisory 09/2021

Security Advisory 09/2021

The usd HeroLabs pentesters have identified vulnerabilites in the products of the manufacturers Matrix42 and Themeco while conducting their security analyses. Specifically, this is a Stored Cross-Site Scripting and a Symlink vulnerability. The disclosure of...

3 Reasons for a Cloud Security Audit

3 Reasons for a Cloud Security Audit

Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers....

Categories

Categories