Cyberis Blog
Reassuringly clear thinking.
- Penetration testing
Application testing and the OWASP Top 10
Quite often, a customer will ask us to "test our application against the OWASP Top 10". I'm going to start by saying that the OWASP Top 10 is a wonderful tool which has helped improve web application security globally since it first launched. But although it’s a common request to test applications against it, I think it's helpful to explain why it might not give you the security outcomes you want from a web application penetration test.
- News
We're rebranding!
We're excited to announce that we're rebranding Cyberis as of 1 March 2022. We've created a whole new brand identity, including a new logo, a refreshed colour palette and new brand pillars which represent who we are, and what we do for our customers. This was a big decision, and it's been a complex journey for us as a team. So where did we start, and how did we get where we are now?
- Detect and respond
- Red teaming
Using Red Teaming to upskill detection and response teams
When we talk about red teaming, it's quite easy for people to understand the benefits of using attacker techniques in our approach when it comes to exploring a particular attack pathway and to see the benefits of identifying the chains of vulnerabilities that allow a compromise to happen. Quite frequently, though, people underestimate how effective red teaming can be when it comes to upskilling detection and response teams. I'd like to give an example of how - run well - red teaming can be used to improve detection and response outcomes. This is, of course, an anecdote, but it certainly gives an idea of how performance changes when teams are challenged in the right way.
- Red teaming
How Red Teaming can help you identify systemic weaknesses and control gaps
Working with mature organisations, we use full chain attack simulations to identify high level weaknesses and control gaps that simply aren’t highlighted by standard approaches such as traditional penetration testing.
- Research
CVE-2021-20047: DLL Search Order Hijacking Vulnerability
When looking for methods of execution in controlled environments, software components are an essential area of review. With the implementation of controls such as AppLocker, running arbitrary executables becomes more difficult. In most environments we test, AppLocker is now a common configuration implementation which serves to reduce the attack surface by defining the permitted locations an executable is allowed to run from.
- Penetration testing
Accounting for key business security concerns in penetration testing
When it comes to penetration testing, if you have a good idea what you are really worried about as a business, you can get better results. The more we know about you, your business and your security concerns when we conduct your pentest, the more focussed and accurate our risk ratings can be, and the more tailored to your environment our advice can be.
- Penetration testing
- Red teaming
Using penetration testing to achieve different assurance outcomes
Penetration testing can be used in many different ways to meet different goals, and there are several different types of penetration test. We’re always trying to understand our customer’s goals so that we can make sure we’re applying the right methodology to your penetration test to achieve the outcomes you want.
- Detect and respond
- Red teaming
Using Red Teaming to validate the performance of an outsourced managed service provider
Red teaming can provide assurance within a wide range of business scenarios. One interesting scenario we explored recently with a customer, a firm within the education sector, involved a situation where they had outsourced detection of security incidents to an external MSSP. As a result of a governance audit, our customer needed to determine whether the detective and corrective capabilities of the managed security services and associated internal technical controls functioned as expected across several lesser-seen compromise scenarios.
Improve your security
Our experienced team will identify and address your most critical information security concerns.