DevSecOps

La nostra pipeline
di sviluppo sicura

Integriamo la sicurezza delle applicazioni e dell'infrastruttura
nell'intero ciclo di sviluppo

SAST
Static Application
Security Testing

Rileviamo la vulnerabilità di un'applicazione analizzando il codice sorgente, il codice bytecode o il codice binario durante tutte le fasi di sviluppo

DAST
Dynamic Application
Security Testing

Analizziamo in modo dinamico il funzionamento delle applicazioni sia durante le fasi di test che durante le fasi operative. L'attività prevede simulazioni di attacchi contro l'applicazione

IAST
Interactive Application
Security Testing

Combiniamo elementi del SAST e del DAST contemporaneamente.
In genere viene implementata come agente nel momento in cui un'applicazione viene eseguita in fase di test

MAST
Mobile Application
Security Testing

Eseguiamo analisi SAST, DAST, IAST e/o comportamentali su codice byte o binario per identificare le vulnerabilità nelle applicazioni mobile

pattern-lines
wave-down
Analisi

Prima di cominciare lo sviluppo della tua applicazione ne analizziamo tutte le componenti per adottare la migliore strategia di sicurezza possibile

Strategia

In caso di attacco è importante mettere in atto procedure di ripristino e messa in sicurezza dei dati, attività che pianifichiamo sin dal principio

Crittografia

Utilizziamo le migliori tecniche di crittografia per proteggere i dati sul database, in transito tra il client e il server e anche nelle variabili del nostro codice

Rilascio

Per ogni rilascio abbiamo una procedura automatica che esegue i test di sicurezza della tua applicazione, che pubblichiamo solo in caso di esito positivo

Applicazioni sempre sicure

Tutte le componenti della tua applicazione vengono sviluppate, rilasciate, monitorate ed aggiornate continuamente, per garantire la copertura alle vulnerabilità più recenti.

La sicurezza non è più una feature, ma fondamento della nostra vita digitale, e per questo motivo ci aggiorniamo continuamente su nuove tecniche, tecnologie e tools che il mercato mette a disposizione.

wave-up

Backup dei dati

continuo ed automatico

Per le applicazioni che sviluppiamo, e che rilasciamo sulla nostra infrastruttura, configuriamo dal principio le procedure di backup automatiche e continue sia per i dati che per i files.

Inoltre, configuriamo l'infrastruttura di rete per limitare l'accesso solo ad alcuni indirizzi IP (es: nel caso di API o Microservizi abilitiamo solo gli IP del servizio specifico), monitoriamo l'applicazione nel primo periodo per "normalizzare" il suo comportamento e sulla base del quale configuriamo degli alert attivi che ci avvisano nel caso di comportamenti anomali.

Backup continui

Sia il database che i files sono soggetti ad un backup continuo ed incrementale, consentendoci così di ripristinare i servizi alla versione più recente

Replica geografica

Per i database configuriamo una replica geografica che ci consente di avere un "Failover" nel caso in cui il database principale risultasse irragiungibile o compromesso

Protezione della rete

Sull'infrastruttura implementiamo restrizioni basate su IP, firewall e monitoraggio attivo con relativi alert in caso di comportamenti anomali nel traffico di rete o nell'utilizzo dell'applicazione

National Vulnerability Database

Le ultime 20 vulnerabilità

L'NVD è il repository del governo USA che gestisce i dati relativi alle vulnerabilità software e hardware

CVE-2023-31826

Skyscreamer Open Source Nevado JMS v1.3.2 does not perform security checks when receiving messages. This allows attackers to execute arbitrary commands via supplying crafted data.

Pubblicata Tuesday, May 23, 2023 alle ore 3:15:00 AM


7.8 HIGH

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-4240

Missing Authentication for Critical Function vulnerability in Honeywell OneWireless allows Authentication Bypass. This issue affects OneWireless version 322.1

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-43485

Use of Insufficiently Random Values in Honeywell OneWireless. This vulnerability may allow attacker to manipulate claims in client's JWT token. This issue affects OneWireless version 322.1

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-46361

An attacker having physical access to WDM can plug USB device to gain access and execute unwanted commands. A malicious user could enter a system command along with a backup configuration, which could result in the execution of unwanted commands. This issue affects OneWireless all versions up to 322.1 and fixed in version 322.2.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-23754

An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new mfa selection screen.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-23755

An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-24826

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send crafted frames to the device to trigger the usage of an uninitialized object leading to denial of service. This issue is fixed in version 2023.04. As a workaround, disable fragment forwarding or SFR.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-2968

A remote attacker can trigger a denial of service in the socket.remoteAddress variable, by sending a crafted HTTP request. Usage of the undefined variable raises a TypeError exception.

Pubblicata Tuesday, May 30, 2023 alle ore 8:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-29737

An issue found in Wave Animated Keyboard Emoji v.1.70.7 for Android allows a local attacker to cause a denial of service via the database files.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-32684

Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to version 0.16.0, a virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host. The official templates of Lima and the well-known third party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue. To exploit this issue, the attacker has to embed the target file path (an absolute or a relative path from the instance directory) in a malicious disk image, as the qcow2 (or vmdk) backing file path string. As Lima refuses to run as the root, it is practically impossible for the attacker to read the entire host disk via `/dev/rdiskN`. Also, practically, the attacker cannot read at least the first 512 bytes (MBR) of the target file. The issue has been patched in Lima in version 0.16.0 by prohibiting using a backing file path in the VM base image.

Pubblicata Tuesday, May 30, 2023 alle ore 8:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-32689

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain. An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker. The fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default.

Pubblicata Tuesday, May 30, 2023 alle ore 8:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-33656

A memory leak vulnerability exists in NanoMQ 0.17.2. The vulnerability is located in the file message.c. An attacker could exploit this vulnerability to cause a denial of service attack by causing the program to consume all available memory resources.

Pubblicata Tuesday, May 30, 2023 alle ore 8:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-33973

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service. A patch is available at pull request 19678. There are no known workarounds.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-33974

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions about the program state and leads to an invalid memory access resulting in denial of service. This issue is patched in pull request 19679. There are no known workarounds.

Pubblicata Tuesday, May 30, 2023 alle ore 7:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-33975

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code. This issue is fixed in pull request 19680. As a workaround, disable support for fragmented IP datagrams.

Pubblicata Tuesday, May 30, 2023 alle ore 8:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-31664

A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.

Pubblicata Tuesday, May 23, 2023 alle ore 3:15:00 AM


6.1 MEDIUM

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-31995

Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Cross Site Scripting (XSS).

Pubblicata Tuesday, May 23, 2023 alle ore 3:15:00 AM


5.4 MEDIUM

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-29919

SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. Any file on the server can be read or modified because texteditor.php is not restricted.

Pubblicata Tuesday, May 23, 2023 alle ore 3:15:00 AM


9.1 CRITICAL

CVSS V3.1

N/A

CVSS V2.0

CVE-2023-27068

Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx.

Pubblicata Tuesday, May 23, 2023 alle ore 3:15:00 AM


9.8 CRITICAL

CVSS V3.1

N/A

CVSS V2.0

CVE-2020-20012

WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.

Pubblicata Tuesday, May 23, 2023 alle ore 3:15:00 AM


9.8 CRITICAL

CVSS V3.1

N/A

CVSS V2.0

Milano

Via Monte Napoleone, 8


Prima di continuare con la navigazione ti chiediamo di prendere visione della nostra Cookie Policy