DevSecOps

La nostra pipeline
di sviluppo sicura

Integriamo la sicurezza delle applicazioni e dell'infrastruttura
nell'intero ciclo di sviluppo

SAST
Static Application
Security Testing

Rileviamo la vulnerabilità di un'applicazione analizzando il codice sorgente, il codice bytecode o il codice binario durante tutte le fasi di sviluppo

DAST
Dynamic Application
Security Testing

Analizziamo in modo dinamico il funzionamento delle applicazioni sia durante le fasi di test che durante le fasi operative. L'attività prevede simulazioni di attacchi contro l'applicazione

IAST
Interactive Application
Security Testing

Combiniamo elementi del SAST e del DAST contemporaneamente.
In genere viene implementata come agente nel momento in cui un'applicazione viene eseguita in fase di test

MAST
Mobile Application
Security Testing

Eseguiamo analisi SAST, DAST, IAST e/o comportamentali su codice byte o binario per identificare le vulnerabilità nelle applicazioni mobile

pattern-lines
wave-down
Analisi

Prima di cominciare lo sviluppo della tua applicazione ne analizziamo tutte le componenti per adottare la migliore strategia di sicurezza possibile

Strategia

In caso di attacco è importante mettere in atto procedure di ripristino e messa in sicurezza dei dati, attività che pianifichiamo sin dal principio

Crittografia

Utilizziamo le migliori tecniche di crittografia per proteggere i dati sul database, in transito tra il client e il server e anche nelle variabili del nostro codice

Rilascio

Per ogni rilascio abbiamo una procedura automatica che esegue i test di sicurezza della tua applicazione, che pubblichiamo solo in caso di esito positivo

Applicazioni sempre sicure

Tutte le componenti della tua applicazione vengono sviluppate, rilasciate, monitorate ed aggiornate continuamente, per garantire la copertura alle vulnerabilità più recenti.

La sicurezza non è più una feature, ma fondamento della nostra vita digitale, e per questo motivo ci aggiorniamo continuamente su nuove tecniche, tecnologie e tools che il mercato mette a disposizione.

wave-up

Backup dei dati

continuo ed automatico

Per le applicazioni che sviluppiamo, e che rilasciamo sulla nostra infrastruttura, configuriamo dal principio le procedure di backup automatiche e continue sia per i dati che per i files.

Inoltre, configuriamo l'infrastruttura di rete per limitare l'accesso solo ad alcuni indirizzi IP (es: nel caso di API o Microservizi abilitiamo solo gli IP del servizio specifico), monitoriamo l'applicazione nel primo periodo per "normalizzare" il suo comportamento e sulla base del quale configuriamo degli alert attivi che ci avvisano nel caso di comportamenti anomali.

Backup continui

Sia il database che i files sono soggetti ad un backup continuo ed incrementale, consentendoci così di ripristinare i servizi alla versione più recente

Replica geografica

Per i database configuriamo una replica geografica che ci consente di avere un "Failover" nel caso in cui il database principale risultasse irragiungibile o compromesso

Protezione della rete

Sull'infrastruttura implementiamo restrizioni basate su IP, firewall e monitoraggio attivo con relativi alert in caso di comportamenti anomali nel traffico di rete o nell'utilizzo dell'applicazione

National Vulnerability Database

Le ultime 20 vulnerabilità

L'NVD è il repository del governo USA che gestisce i dati relativi alle vulnerabilità software e hardware

CVE-2022-31070

NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them. The patched version now blocks cookies from being forwarded by default. However developers can configure an allow-list of cookie names by using the `allowedCookies` config setting. This issue has been fixed in version 0.7.0 of `@finastra/nestjs-proxy`. Users of `@ffdc/nestjs-proxy` are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use `@finastra/nestjs-proxy` instead.

Pubblicata Wednesday, June 15, 2022 alle ore 9:15:00 PM


7.5 HIGH

CVSS V3.1

5 MEDIUM

CVSS V2.0

CVE-2022-31069

NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to control when Authorization headers should should be forwarded for specific backend services configured by the application developer. This could have resulted in sensitive information such as OAuth bearer access tokens being inadvertently exposed to such services that should not see them. A new feature has been introduced in the patched version of nestjs-proxy that allows application developers to opt out of forwarding the Authorization headers on a per service basis using the `forwardToken` config setting. Developers are advised to review the README for this library on Github or NPM for further details on how this configuration can be applied. This issue has been fixed in version 0.7.0 of `@finastra/nestjs-proxy`. Users of `@ffdc/nestjs-proxy` are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use `@finastra/nestjs-proxy` instead.

Pubblicata Wednesday, June 15, 2022 alle ore 9:15:00 PM


7.5 HIGH

CVSS V3.1

5 MEDIUM

CVSS V2.0

CVE-2020-21046

A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows authenticated non-administrative user to escalate their privilege and conduct code execution as a SYSTEM privilege.

Pubblicata Friday, June 24, 2022 alle ore 6:15:00 PM


7.8 HIGH

CVSS V3.1

7.2 HIGH

CVSS V2.0

CVE-2022-33915

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.

Pubblicata Friday, June 17, 2022 alle ore 3:15:00 PM


7 HIGH

CVSS V3.1

4.4 MEDIUM

CVSS V2.0

CVE-2022-30120

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting

Pubblicata Friday, June 24, 2022 alle ore 5:15:00 PM


6.1 MEDIUM

CVSS V3.1

4.3 MEDIUM

CVSS V2.0

CVE-2022-30119

XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.

Pubblicata Friday, June 24, 2022 alle ore 5:15:00 PM


6.1 MEDIUM

CVSS V3.1

4.3 MEDIUM

CVSS V2.0

CVE-2022-33003

The watools package in PyPI v0.0.1 to v0.0.8 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-33002

The KGExplore package in PyPI v0.1.1 to v0.1.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-33001

The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-33000

The ML-Scanner package in PyPI v0.1.0 to v0.1.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-32999

The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-33004

The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-34053

The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-34054

The Perdido package in PyPI v0.0.1 to v0.0.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-34055

The drxhello package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-34056

The Watertools package in PyPI v0.0.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

Pubblicata Friday, June 24, 2022 alle ore 11:15:00 PM


9.8 CRITICAL

CVSS V3.1

7.5 HIGH

CVSS V2.0

CVE-2022-2321

Login Bruteforce attacks

Pubblicata Tuesday, July 5, 2022 alle ore 9:15:00 PM


N/A

CVSS V3.1

N/A

CVSS V2.0

CVE-2022-25584

Seyeon Tech Co., Ltd FlexWATCH FW3170-PS-E Network Video System 4.23-3000_GY allows attackers to access sensitive information.

Pubblicata Tuesday, April 5, 2022 alle ore 3:15:00 AM


7.5 HIGH

CVSS V3.1

5 MEDIUM

CVSS V2.0

CVE-2021-44269

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.

Pubblicata Thursday, March 10, 2022 alle ore 6:44:00 PM


5.5 MEDIUM

CVSS V3.1

4.3 MEDIUM

CVSS V2.0

CVE-2016-3471

Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option.

Pubblicata Thursday, July 21, 2016 alle ore 12:12:00 PM


7.5 HIGH

CVSS V3.1

6.2 MEDIUM

CVSS V2.0

Milano

Via Monte Napoleone, 8


Prima di continuare con la navigazione ti chiediamo di prendere visione della nostra Cookie Policy