
A message from the CEO

We hit upon an interesting SaaS offering in the last few months that a client had engaged us to test before they started using it. This is nothing new; it's what we do every day. We report the results to our clients, our clients raise the issues with the developer or service provider, the issues are fixed and we retest to confirm. (All of this happens under NDA, which is why you never see "security advisories" come out of it.) The reason this one stood out is that, as it turned out, a lot of our other clients use this service as well. We know, because during the testing we could see their information.

I suppose the point we're trying to reinforce here is to make sure you test every new third-party service before you adopt it, and keep testing it on an ongoing basis. Unfortunately, you cannot take the service provider's word that they have security under control. We see this situation all the time, and while there may well be providers that "get" security, their good work is tarnished by those that don't.

Even then, you have to be careful about who you trust to do this testing for you. And be warned: here's a plug for our team, but it also highlights the differences between testing organisations. This is part of an email we received from the former CSO of a large US-based services provider with clients all over the world. We didn't ask for this reference. He sent it to us on his departure to another company as a thank you:

“We managed over 80 customer sponsored pen tests against the environment, and from my experience, Securus had the most skilled testers (and that's against approx 30 outsourced pentesting teams)”.

So the message is: test, test, test (before you deploy or commit). Know your security posture before you potentially lose valuable information to unauthorised parties.

Now onto some other things...

UNSW Computer Security Competition Concludes

A big congratulations to the team at the University of New South Wales that ran the first Australia-wide, education-sector Computer Security Competition. The final results are here:
https://ctf.k17.org/home

The team has plans to run future competitions and potentially open them up to others in non-education sectors. A great initiative and a great way to raise awareness of our industry and to encourage more people to enter it!

Security Testing Mobile Applications

One of the biggest growth areas we are seeing in penetration and security testing is mobile applications, in line with industry trends. But keep in mind: don't test in silos. View all of your applications from a "systems view" and consider how each mobile application fits into the broader system it exists in. There are always many entry points to the same information, and while the mobile app itself may be as secure as Fort Knox, a single overlooked entry point elsewhere in the system (a back-end API, an admin interface, a third-party integration) can render all of your good work and investment useless. Securus Global has helped many of Australia's largest banks and organisations across most industry sectors with securing their mobile application systems. Contact us for more information.

On a related note, check out this recent release from the Australian Government, "Mobile privacy - A better practice guide for mobile app developers":
http://www.oaic.gov.au/images/documents/privacy/privacy-resources/privacy-guides/better-practice-guide-for-mobile-developers.pdf

Vulnerability Management and Compliance Course and Certifications:

QualysGuard has two online certification courses coming up later this month. They are free for all of our Qualys customers and demonstrate Qualys' commitment to its clients.

Vulnerability Management - 29th Oct.
Policy Compliance and Web Application Scanning - 30th Oct.

Further details and registration can be found here:
https://community.qualys.com/community/training

If you are not yet a Qualys customer and are planning to implement a vulnerability management program, please contact us to set you up with a trial. Getting started takes only a few minutes, and you can begin seeing how your Internet-facing systems are performing.

But Qualys is more these days than just vulnerability management. Contact us to see how Qualys now provides a whole suite of platform security services for clients all over the world:
http://www.qualys.com/

Securus Global CREST Approved

For those of you whose company requires certification programs, Securus Global is now CREST approved, in addition to being an approved PCI DSS Qualified Security Assessor (QSA) and PA-DSS Qualified Security Assessor (PA-QSA).

CREST approval has two parts: the organisation must meet defined criteria to support the delivery of penetration testing services, and the individuals performing the testing must hold CREST certifications.

Securus Global at Kiwicon

As well as helping to keep our customers' data secure (despite the best efforts of their suppliers sometimes!) we provide all of our team members with the opportunity to actively engage in research.

Sometimes we start down a particular path and nothing comes out of it, sometimes our methodologies and testing processes are improved and sometimes our team comes out of their shell and talks publicly about what they've been up to.

On the latter point, our newest recruit (Andy Yang) will be presenting at Kiwicon, talking about the types of information the popular Firefox web browser can yield as part of a forensic investigation. He'll also be introducing attendees to a tool he has written (f0xchas3r) that makes gathering this information much easier than it otherwise would be.

UNSW/OWASP Information Security Sessions

OWASP Sydney and the UNSW Security Society have been working together to bring interesting technical content to people, starting with a trial run consisting of Kaan Kivilcim (Senior Researcher at BAE Systems Detica) delivering a short talk on code injection in malware.

Given the success of this trial run, OWASP Sydney and the UNSW Security Society will be looking to follow this up with more talks (and other content, which is already in the pipeline!).

This is a great opportunity to meet interesting people, brush up on your presentation skills and to talk about security without any sales pitches attached. If you have a cool topic that you would be interested in presenting at such an event, please contact Norman Yue (norman.yue@securusglobal.com or norman.yue@owasp.org). If you're interested in attending these events, please subscribe to the OWASP Sydney mailing list.

Industry Roundup

Check out other industry news that we publish regularly on our website here:
https://www.securusglobal.com/community/