Protecting your business's data and your users' data
is a prime objective in our development work,
one on which we make no compromises
We integrate application and infrastructure security
throughout the entire development cycle
We detect an application's vulnerabilities by analysing its source code, bytecode or binary code during every phase of development
We dynamically analyse how applications behave both during testing and in production. This activity includes simulated attacks against the application
We combine elements of SAST and DAST at the same time.
This is typically deployed as an agent while the application is running under test
We run SAST, DAST, IAST and/or behavioural analysis on bytecode or binaries to identify vulnerabilities in mobile applications
Before development of your application begins, we analyse all of its components so as to adopt the best possible security strategy
In the event of an attack it is important to have recovery and data-protection procedures in place, an activity we plan from the very start
We use the best cryptographic techniques to protect data in the database, in transit between client and server, and even in the variables of our code
For every release we have an automated procedure that runs your application's security tests; we publish the release only if they pass
Every component of your application is developed, released, monitored and continuously updated to guarantee coverage of the most recent vulnerabilities.
Security is no longer a feature but the foundation of our digital life, which is why we continuously keep up to date with the new techniques, technologies and tools the market makes available.
For the applications we develop and release on our infrastructure, we configure automatic, continuous backup procedures for both data and files from the outset.
We also configure the network infrastructure to restrict access to specific IP addresses only (e.g. for APIs or microservices we allow only the IPs of the specific service), monitor the application during its initial period to establish a baseline of its normal behaviour, and on that basis configure active alerts that notify us of anomalous behaviour.
Both the database and the files are subject to continuous, incremental backup, allowing us to restore services to the most recent version
For databases we configure geographic replication, which gives us a failover in case the primary database becomes unreachable or compromised
On the infrastructure we implement IP-based restrictions, firewalls and active monitoring with alerts for anomalous behaviour in network traffic or in application usage
The NVD is the U.S. government repository that manages data on software and hardware vulnerabilities
NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them. The patched version now blocks cookies from being forwarded by default. However developers can configure an allow-list of cookie names by using the `allowedCookies` config setting. This issue has been fixed in version 0.7.0 of `@finastra/nestjs-proxy`. Users of `@ffdc/nestjs-proxy` are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use `@finastra/nestjs-proxy` instead.
Published Wednesday, June 15, 2022 at 9:15:00 PM
NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to control when Authorization headers should be forwarded for specific backend services configured by the application developer. This could have resulted in sensitive information such as OAuth bearer access tokens being inadvertently exposed to such services that should not see them. A new feature has been introduced in the patched version of nestjs-proxy that allows application developers to opt out of forwarding the Authorization headers on a per service basis using the `forwardToken` config setting. Developers are advised to review the README for this library on Github or NPM for further details on how this configuration can be applied. This issue has been fixed in version 0.7.0 of `@finastra/nestjs-proxy`. Users of `@ffdc/nestjs-proxy` are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use `@finastra/nestjs-proxy` instead.
Published Wednesday, June 15, 2022 at 9:15:00 PM
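The two nestjs-proxy entries above describe the same defensive pattern: a proxy must not forward a client's credentials (cookies, bearer tokens) to every backend it fronts. The following JavaScript is an added illustration of that pattern, not code from nestjs-proxy or Finastra; the function names `sanitizeOutboundHeaders` and `parseCookieHeader` and the `serviceConfig` shape are assumptions that only mirror the two settings the advisories name (`allowedCookies`, `forwardToken`), and the sample headers are constructed.

```javascript
// Added illustration (not nestjs-proxy's own code): strip credentials from
// request headers before a proxy forwards them to a backend service.
// `serviceConfig` mirrors the two settings named in the advisories:
//   allowedCookies - cookie names allowed through (default: none, i.e. blocked)
//   forwardToken   - whether the Authorization header is forwarded (default: true,
//                    so a service must opt out explicitly)

// Parse a Cookie request header ("a=1; b=2") into [name, value] pairs.
function parseCookieHeader(header) {
  if (!header) return [];
  return header
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      // A bare token without '=' is kept with an empty value; a value may itself contain '='.
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Return a new header object that is safe to forward to the given backend service.
// Header names are compared case-insensitively; the original casing is preserved.
function sanitizeOutboundHeaders(headers, serviceConfig = {}) {
  const { allowedCookies = [], forwardToken = true } = serviceConfig;
  const allowed = new Set(allowedCookies);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'authorization' && !forwardToken) continue; // per-service opt-out
    if (lower === 'cookie') {
      // Cookies are blocked by default; only allow-listed names pass through.
      const kept = parseCookieHeader(value).filter(([n]) => allowed.has(n));
      if (kept.length > 0) out[name] = kept.map(([n, v]) => `${n}=${v}`).join('; ');
      continue;
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample request headers carrying a session cookie and a bearer token.
const SAMPLE_HEADERS = {
  Host: 'app.example.internal',
  Authorization: 'Bearer sample-token-not-real',
  Cookie: 'sessionid=abc123; theme=dark; csrftoken=xyz',
  'Content-Type': 'application/json',
};

// Default: cookies dropped, Authorization still forwarded.
const defaults = sanitizeOutboundHeaders(SAMPLE_HEADERS);
// Hardened per-service config: one harmless cookie allowed, token withheld.
const hardened = sanitizeOutboundHeaders(SAMPLE_HEADERS, {
  allowedCookies: ['theme'],
  forwardToken: false,
});
console.log(defaults);
console.log(hardened);
```

The default branch shows why the advisories matter: before 0.7.0 every cookie went through, so a session cookie meant for the front-end reached any backend the proxy was configured for. The hardened config is what a developer would set for a backend that needs neither the user's session nor their bearer token.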
A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows an authenticated non-administrative user to escalate their privileges and execute code with SYSTEM privileges.
Published Friday, June 24, 2022 at 6:15:00 PM
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
Published Friday, June 17, 2022 at 3:15:00 PM
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitization where built URLs are output can be exploited in Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. The Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitization has been added where built URLs are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/) for reporting.
Published Friday, June 24, 2022 at 5:15:00 PM
XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with XSS protection disabled, insufficient sanitization where built URLs are output can be exploited in Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. The Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks to zeroinside for reporting.
Published Friday, June 24, 2022 at 5:15:00 PM
The watools package in PyPI v0.0.1 to v0.0.8 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The KGExplore package in PyPI v0.1.1 to v0.1.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The ML-Scanner package in PyPI v0.1.0 to v0.1.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The Perdido package in PyPI v0.0.1 to v0.0.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The drxhello package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
The Watertools package in PyPI v0.0.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
Published Friday, June 24, 2022 at 11:15:00 PM
Login brute-force attacks
Published Tuesday, July 5, 2022 at 9:15:00 PM
Seyeon Tech Co., Ltd FlexWATCH FW3170-PS-E Network Video System 4.23-3000_GY allows attackers to access sensitive information.
Published Tuesday, April 5, 2022 at 3:15:00 AM
An out-of-bounds read was found in WavPack 5.4.0 when processing *.WAV files. The issue is triggered in the function WavpackPackSamples of file src/pack_utils.c: the tainted variable cnt is too large, which makes the pointer sptr read beyond the heap bound.
Published Thursday, March 10, 2022 at 6:44:00 PM
Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.
Published Thursday, July 21, 2016 at 12:12:00 PM
Talking in person helps us understand your needs better
and gives you a clear idea of what we can do for you
Via Monte Napoleone, 8