Coming into effect in May 2018, the General Data Protection Regulation will give EU data protection legislation a much-needed update and simplify data protection routines for businesses operating in the EU. For some companies, preparing for GDPR compliance entails a review of security practices, while others need to completely realign their focus and begin by putting security first. In this blog post, we explain what the GDPR means for your business and how Detectify can help you start working with security.
The eighth vulnerability on the list is Cross-site Request Forgery, a vulnerability that allows an attacker to make requests on behalf of a user. CSRF can lead to a wide range of state-changing requests such as changing credentials, transferring funds, and modifying settings being executed on the user’s behalf.
Security is not only a competitive edge, it’s a must. Companies will soon be compelled to implement a holistic security approach to keep up with user demand for more secure services. But staying on top of web security in an ever-changing environment can be a great challenge for anyone. We believe that the most successful way to stay safe as a company is to integrate security into the development process. Follow our step-by-step guide to more security-focused work routines with the help of Detectify!
Our next update is here! Two weeks ago we released the new target overview to make it easier for you to work with security over time; we’re now proud to present our new dashboard and navigation. The release also simplifies working with findings and flagging as the findings count is now affected by tags like “accepted risk” and “false positive”.
Missing SPF records are a common and long-standing security issue that puts sensitive information at risk. To get a better idea of just how widespread the problem is, the Detectify team decided to scan the 500 top-ranked Alexa sites for it. We found that less than half of those domains have configured email authentication correctly to prevent spoofed emails being sent from their domains, which means that users are at risk of receiving forged emails appearing to come from domains that they trust. To prevent spoofed emails, all systems must be manually configured correctly to the highest standard of authentication. Unfortunately, the process is complicated, and servers are often misconfigured. The Detectify team has put together an extensive guide to help you check if your domain is at risk of forged, spoofed emails, and also give you the tools to configure the authentication correctly.
The fifth vulnerability category on the list is called Security Misconfiguration. If a component is susceptible to attack due to an insecure configuration, it is classified as a security misconfiguration. This is considered the same vulnerability regardless of whether the misconfiguration happens in the web server, the database or, for that matter, custom code.