The value of a pentest

Pentesting is a typical cybersecurity process. It is an activity in which an analyst, starting with as little information as possible about a target, tries to find security vulnerabilities in it. The target is defined by a scope, which can be one or more web applications, mobile apps, IP ranges, or any other list of assets.

An analyst or a team of analysts executes a pentest following steps similar to those a real attacker would take: gather information, map the attack surface, identify vulnerabilities, and exploit them.


Off the top of my head: About having everything green in Qualys

[Photo: traffic light at green, by Carlos Alberto Gómez Iñiguez]

Vulnerability management is difficult. Many organizations aim to fix every security vulnerability they can identify. They want to run a scanner like Qualys and have everything come up green. In my opinion, it is a good and ambitious objective, but that strategy can be counter-productive.


Information security requirements in the US “Executive Order on Improving the Nation’s Cybersecurity”

On the 12th of May, 2022, the United States of America (US) published the “Executive Order on Improving the Nation’s Cybersecurity”. This executive order was a direct consequence of the infamous SolarWinds incident that allegedly affected the US government. The regulation tries to unify, establish, and improve the cybersecurity policies and processes of the whole US Federal Government.


How to find OpenSSL in our infrastructure

Today, 1st of November, many teams will be upgrading OpenSSL to fix the critical vulnerability that will be announced between 13:00 and 17:00 UTC. That is only possible if they know where OpenSSL is installed in their infrastructure. Organizations know that an inventory of assets is essential for security; however, few keep one up to date. Even when a company has an up-to-date asset inventory, it might not include information about the packages installed on operating systems, containers, and container images.


The bodyguards of the Pope

Sometimes we think that the cybersecurity team should act like controllers, or powerful people who can tell the rest of the company what they may and may not do. That is not how cybersecurity works, and it is not the best thing for the business. The cybersecurity team should not act as the police. They are more like the bodyguards who protect the Pope: they cannot tell the Pope where he may or may not go; they can recommend that the Pope not do something, but they cannot force him to do what they want; if the Pope wants to talk with that many people at this moment, the bodyguards can tell him what they think (if they react really fast), but they cannot forbid the Pope from getting closer to the people if he wants to.


The importance of segregation in cybersecurity

Segregation is one of those strategies that, when used well, can improve your security posture far more than any shiny, expensive security solution. It is a key security concept and one of the main strategies we can embrace to obtain real security, yet very often we overlook it. We apply segregation when we separate the asset from the threat. We implement segregation, for example, when we put a firewall between two networks. This is the clearest example, but we also apply segregation in many other situations: when we use containers; when we use virtual machines; when we close open ports; when we use different roles with different authorization levels; etc.


Any SaaS solution is an n-tier system where all layers have to be protected, not only the application and its code

Any SaaS solution is an n-tier system, and as such, all the tiers should be protected, not only the application layer. If we put all our effort into the application and its code, we might miss important vulnerabilities in other parts of the attack surface.
