Security Penetration Testing Blog

7 Signs That Your Website Has Been Hacked
Mar 03, 2019 / Felix Brombacher

The times when hacking attacks were unusual and only happened to big companies are over. Hacking private and small or medium-sized companies has become a lucrative environment for many people with sufficient IT knowledge. That is why hacking is an issue facing almost everybody in the modern world. Often companies recognize the problem when it’s already too late, and valuable data (or even money) is lost. I want to show you how you can detect that your website has been hacked and what you can do to prevent such vulnerabilities.

SecDevOps - No Agility Without Security
Mar 01, 2019 / Felix Brombacher

The concept of DevOps and agility is nothing new for most companies and developers. The best-known frameworks (e.g. Scrum, XP, etc.) are applied in many development teams and bring many benefits for teams, companies and customers. Evidence shows that agile methods perform better than the outdated waterfall method. For many companies, the outdated waterfall method is the largest contributor to project failure. Another problem with traditional step-by-step programming is that products do not exactly meet customers’ demands and need to be redesigned, which takes time and costs money. Through DevOps, development teams work closely with the customer and have fewer things to adjust at the end of the project.

How You Can Generate a Positive ROI through Web Application Security
Feb 27, 2019 / Felix Brombacher

That cybercrime is a serious threat and is becoming ever more costly and dangerous for companies is widely known by now. Most companies know that cybersecurity is an issue; however, cybercrime’s annual revenue still exceeds the investments in cybersecurity.

Lambda@Edge to Configure HTTP Security Headers for CloudFront
/ Felix Brombacher

During the deployment of our frontend to CloudFront we encountered the problem of not being able to configure the HTTP Security Headers, which is an essential configuration for reducing the attack surface of web applications. We resolved this issue using Amazon’s new Lambda@Edge functions to attach the headers before the response is sent to the clients.

Domain Providers and CAA
/ Felix Brombacher

To increase SSL/TLS encryption security on the internet, website administrators can set Certificate Authority Authorization (CAA) records. These DNS records determine which certificate authority (CA) is allowed to issue certificates for the domain. Since September 8th, it is mandatory for CAs to check for the existence of a CAA record and comply with its content.

Digitalisation in Germany — Is there still hope?
Feb 21, 2019 / Felix Brombacher

Digitalisation in Germany has become a trend. The coalition contract of the newly formed German government has a whole chapter on the topic, and digitalisation was mentioned in every speaker headline at “Digitaler Staat 2018”, a two-day conference, which some call the public sector’s CeBIT, that I attended earlier this month. Now that everyone is talking about the topic, let’s do a quick reality check of what has actually happened in Germany.

How to Choose and Implement a Great Vulnerability Assessment Tool
Feb 20, 2019 / Felix Brombacher

The sheer range of solutions for web application security can be intimidating for CISOs, development managers or basically anyone dealing with vulnerable web applications.

The 5 Data Breach Stages
Feb 15, 2019 / Felix Brombacher

According to the 2018 Global Risk Report, which the World Economic Forum released this year, cyberattacks are amongst the top 5 risks for global stability in terms of likelihood and impact. A data breach caused by a cyberattack can indeed have an enormous impact on any country, corporation or business owner.

What Can We Learn: Hacking Attacks On Politicians & Public Figures
Feb 13, 2019 / Felix Brombacher

Politicians seem to enjoy the new ways of communicating that the internet offers them. Communication is no longer a one-way street from politicians to the public but more of a town hall meeting where everyone is invited to share their opinion. Of course, this is mostly good, but this virtual proximity doesn’t come without downside risk.

Terraform Security: Resource Does Not Have Attribute
Nov 29, 2018 / Felix Brombacher

At Crashtest Security, we provision our infrastructure using Terraform. This lets us recreate whole Kubernetes clusters within minutes. We also use our Terraform setup to integrate external tools such as Vault into our cluster.