DevSecOps

La nostra pipeline
di sviluppo sicura

Integriamo la sicurezza delle applicazioni e dell'infrastruttura
nell'intero ciclo di sviluppo

SAST
Static Application
Security Testing

Rileviamo la vulnerabilità di un'applicazione analizzando il codice sorgente, il codice bytecode o il codice binario durante tutte le fasi di sviluppo

DAST
Dynamic Application
Security Testing

Analizziamo in modo dinamico il funzionamento delle applicazioni sia durante le fasi di test che durante le fasi operative. L'attività prevede simulazioni di attacchi contro l'applicazione

IAST
Interactive Application
Security Testing

Combiniamo elementi del SAST e del DAST contemporaneamente.
In genere viene implementata come agente nel momento in cui un'applicazione viene eseguita in fase di test

MAST
Mobile Application
Security Testing

Eseguiamo analisi SAST, DAST, IAST e/o comportamentali su codice byte o binario per identificare le vulnerabilità nelle applicazioni mobile

pattern-lines
wave-down
Analisi

Prima di cominciare lo sviluppo della tua applicazione ne analizziamo tutte le componenti per adottare la migliore strategia di sicurezza possibile

Strategia

In caso di attacco è importante mettere in atto procedure di ripristino e messa in sicurezza dei dati, attività che pianifichiamo sin dal principio

Crittografia

Utilizziamo le migliori tecniche di crittografia per proteggere i dati sul database, in transito tra il client e il server e anche nelle variabili del nostro codice

Rilascio

Per ogni rilascio abbiamo una procedura automatica che esegue i test di sicurezza della tua applicazione, che pubblichiamo solo in caso di esito positivo

Applicazioni sempre sicure

Tutte le componenti della tua applicazione vengono sviluppate, rilasciate, monitorate ed aggiornate continuamente, per garantire la copertura alle vulnerabilità più recenti.

La sicurezza non è più una feature, ma fondamento della nostra vita digitale, e per questo motivo ci aggiorniamo continuamente su nuove tecniche, tecnologie e tools che il mercato mette a disposizione.

wave-up

Backup dei dati

continuo ed automatico

Per le applicazioni che sviluppiamo, e che rilasciamo sulla nostra infrastruttura, configuriamo dal principio le procedure di backup automatiche e continue sia per i dati che per i files.

Inoltre, configuriamo l'infrastruttura di rete per limitare l'accesso solo ad alcuni indirizzi IP (es: nel caso di API o Microservizi abilitiamo solo gli IP del servizio specifico), monitoriamo l'applicazione nel primo periodo per "normalizzare" il suo comportamento e sulla base del quale configuriamo degli alert attivi che ci avvisano nel caso di comportamenti anomali.

Backup continui

Sia il database che i files sono soggetti ad un backup continuo ed incrementale, consentendoci così di ripristinare i servizi alla versione più recente

Replica geografica

Per i database configuriamo una replica geografica che ci consente di avere un "Failover" nel caso in cui il database principale risultasse irragiungibile o compromesso

Protezione della rete

Sull'infrastruttura implementiamo restrizioni basate su IP, firewall e monitoraggio attivo con relativi alert in caso di comportamenti anomali nel traffico di rete o nell'utilizzo dell'applicazione

National Vulnerability Database

Le ultime 20 vulnerabilità

L'NVD è il repository del governo USA che gestisce i dati relativi alle vulnerabilità software e hardware

CVE-2022-41672

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

Pubblicata Friday, October 7, 2022 alle ore 9:15:00 AM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-3414

A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. Affected is an unknown function of the file /Admin/login.php of the component POST Parameter Handler. The manipulation of the argument txtusername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-210246 is the identifier assigned to this vulnerability.

Pubblicata Friday, October 7, 2022 alle ore 8:15:00 AM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-2929

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.

Pubblicata Friday, October 7, 2022 alle ore 7:15:00 AM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-2928

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

Pubblicata Friday, October 7, 2022 alle ore 7:15:00 AM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-24780

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

Pubblicata Tuesday, April 5, 2022 alle ore 9:15:00 PM


8.8 HIGH

CVSS V3.1

6.5 MEDIUM

CVSS V2.0

CVE-2021-32503

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system.

Pubblicata Saturday, April 2, 2022 alle ore 1:15:00 AM


4.9 MEDIUM

CVSS V3.1

4 MEDIUM

CVSS V2.0

CVE-2021-41657

SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack.

Pubblicata Thursday, March 10, 2022 alle ore 6:44:00 PM


6.1 MEDIUM

CVSS V3.1

4.3 MEDIUM

CVSS V2.0

CVE-2021-20269

A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.

Pubblicata Thursday, March 10, 2022 alle ore 6:41:00 PM


5.5 MEDIUM

CVSS V3.1

2.1 LOW

CVSS V2.0

CVE-2021-3623

A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.

Pubblicata Thursday, March 3, 2022 alle ore 12:15:00 AM


8.2 HIGH

CVSS V3.1

6.4 MEDIUM

CVSS V2.0

CVE-2022-22794

Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner.

Pubblicata Thursday, February 24, 2022 alle ore 6:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-22793

Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server.

Pubblicata Thursday, February 24, 2022 alle ore 6:15:00 PM


7.5 HIGH

CVSS V3.1

5 MEDIUM

CVSS V2.0

CVE-2022-20625

A vulnerability in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of Cisco Discovery Protocol messages that are processed by the Cisco Discovery Protocol service. An attacker could exploit this vulnerability by sending a series of malicious Cisco Discovery Protocol messages to an affected device. A successful exploit could allow the attacker to cause the Cisco Discovery Protocol service to fail and restart. In rare conditions, repeated failures of the process could occur, which could cause the entire device to restart.

Pubblicata Wednesday, February 23, 2022 alle ore 7:15:00 PM


4.3 MEDIUM

CVSS V3.1

6.1 MEDIUM

CVSS V2.0

CVE-2022-23626

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Pubblicata Tuesday, February 8, 2022 alle ore 11:15:00 PM


8.8 HIGH

CVSS V3.1

6.5 MEDIUM

CVSS V2.0

CVE-2021-23146

An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV verification. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions.

Pubblicata Thursday, November 18, 2021 alle ore 7:15:00 PM


7.5 HIGH

CVSS V3.1

5 MEDIUM

CVSS V2.0

CVE-2021-20267

A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected.

Pubblicata Friday, May 28, 2021 alle ore 9:15:00 PM


7.1 HIGH

CVSS V3.1

5.5 MEDIUM

CVSS V2.0

CVE-2020-26555

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.

Pubblicata Monday, May 24, 2021 alle ore 8:15:00 PM


5.4 MEDIUM

CVSS V3.1

4.8 MEDIUM

CVSS V2.0

CVE-2020-13529

An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.

Pubblicata Monday, May 10, 2021 alle ore 6:15:00 PM


6.1 MEDIUM

CVSS V3.1

2.9 LOW

CVSS V2.0

CVE-2021-31583

Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).

Pubblicata Friday, April 23, 2021 alle ore 11:15:00 PM


5.4 MEDIUM

CVSS V3.1

3.5 LOW

CVSS V2.0

CVE-2021-23133

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.

Pubblicata Thursday, April 22, 2021 alle ore 8:15:00 PM


7 HIGH

CVSS V3.1

6.9 MEDIUM

CVSS V2.0

CVE-2020-28872

An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.

Pubblicata Monday, April 12, 2021 alle ore 4:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

Milano

Via Monte Napoleone, 8


Prima di continuare con la navigazione ti chiediamo di prendere visione della nostra Cookie Policy