Protecting your business's data and your users' data
is a primary goal of our development work,
one on which we make no compromises
We integrate application and infrastructure security
throughout the entire development lifecycle
We detect application vulnerabilities by analysing the source code, bytecode or binary code during every phase of development
We dynamically analyse how applications behave, both during testing and in operation. This activity includes simulated attacks against the application
We combine elements of SAST and DAST at the same time.
This is typically implemented as an agent that runs while the application is executing in the test phase
We run SAST, DAST, IAST and/or behavioural analysis on bytecode or binary code to identify vulnerabilities in mobile applications
Before development of your application begins, we analyse all of its components in order to adopt the best possible security strategy
In the event of an attack it is important to have data recovery and hardening procedures in place, activities that we plan from the very start
We use the best available encryption techniques to protect data in the database, in transit between client and server, and even in the variables of our code
For every release we have an automated procedure that runs your application's security tests; we publish only when the outcome is positive
All components of your application are developed, released, monitored and continuously updated to ensure coverage against the most recent vulnerabilities.
Security is no longer a feature but the foundation of our digital life, and for this reason we continuously keep up to date with the new techniques, technologies and tools that the market makes available.
For the applications we develop and release on our infrastructure, we configure automatic and continuous backup procedures from the start, for both data and files.
We also configure the network infrastructure to restrict access to specific IP addresses only (e.g. for APIs or microservices we allow only the IPs of the specific calling service), monitor the application during its initial period in order to establish a baseline of its normal behaviour, and on that basis configure active alerts that notify us of anomalous behaviour.
Both the database and the files are subject to continuous, incremental backup, allowing us to restore services to the most recent version
For databases we configure a geographic replica that gives us a failover in case the primary database becomes unreachable or compromised
On the infrastructure we implement IP-based restrictions, firewalls and active monitoring, with alerts for anomalous behaviour in network traffic or in application usage
The NVD is the US government repository that manages data on software and hardware vulnerabilities
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
Published Friday, September 23, 2022 at 4:15:00 PM
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Published Monday, December 5, 2022 at 11:15:00 PM
An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0 that could allow an attacker to extract credentials: when following HTTP(S) redirects is used with authentication, credentials could leak to other services that exist on different protocols or port numbers.
Published Thursday, June 2, 2022 at 4:15:00 PM
A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-219717 was assigned to this vulnerability.
Published Sunday, January 29, 2023 at 12:15:00 AM
A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-219716.
Published Sunday, January 29, 2023 at 12:15:00 AM
A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.1 is able to address this issue. The name of the patch is 47787e15cecd66f2aa87687bf852ae0194a4335f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-219676.
Published Sunday, January 29, 2023 at 12:15:00 AM
In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.
Published Monday, July 18, 2022 at 2:15:00 AM
A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file /user/s.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-219702 is the identifier assigned to this vulnerability.
Published Saturday, January 28, 2023 at 6:15:00 PM
A vulnerability, which was classified as critical, has been found in SourceCodester Online Tours & Travels Management System 1.0. This issue affects some unknown processing of the file admin/practice_pdf.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-219701 was assigned to this vulnerability.
Published Saturday, January 28, 2023 at 6:15:00 PM
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.
Published Saturday, January 14, 2023 at 2:15:00 AM
In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
Published Friday, January 27, 2023 at 6:15:00 AM
In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
Published Friday, January 27, 2023 at 6:15:00 AM
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF files. Crafted data in a TIF file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18703.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF files. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18677.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF files. Crafted data in a TIF file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18700.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF files. Crafted data in a TIF file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18686.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF files. Crafted data in a TIF file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18716.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EMF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18543.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18326.
Published Thursday, January 26, 2023 at 7:59:00 PM
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. Crafted data in a JP2 file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18366.
Published Thursday, January 26, 2023 at 7:59:00 PM
Talking in person helps us understand your needs better
and gives you a clear idea of what we can do for you
Via Monte Napoleone, 8