In an increasingly digital world, the importance of quality and security cannot be overstated. Sentrium Security Ltd is excited to share our recent achievement – obtaining ISO 9001 and ISO 27001 certifications. These certifications showcase our unwavering commitment to enhancing quality and security for our valued clients.

This is the second article in our Application Security 101 mini-series. Read our first blog on how to configure HTTP response headers with security best practices. This time we’re going to discuss another misconfiguration that we often find during website penetration testing. This is not necessarily a ‘vulnerability’, however information disclosure via HTTP response headers can provide exact version information of the web server or web technologies in use on the underlying host.

As digital business becomes more widespread, the need to ensure data security increases. One way to test its effectiveness is through penetration testing. Penetration tests are performed by ‘ethical hackers’ who attempt to gain access to systems and data to find vulnerabilities. By doing so, businesses can then take steps to mitigate these risks. Companies should consider penetration testing as an essential part of their overall security strategy.

Phishing attacks have been increasing rapidly year on year, and surged as a result of COVID-19. Research shows that 96% of phishing attacks are sent by email. A common technique used in these attacks is to impersonate well known or trusted brands to entice users to open links and attachments. One way to achieve this is to “spoof” the email address that is shown to users in their email client.

This article provides a breakdown of the most important Terraform security best practices to consider when implementing an Infrastructure as Code (IaC) environment. Terraform is a highly popular IaC tool offering multi-cloud support. IaC means that infrastructure is deployed automatically and configured at scale, which has immediate benefits for efficiency and consistency.

This article provides a synopsis of the Follina exploit and simple steps you can take to mitigate this severe remote code execution vulnerability within Microsoft Support Diagnostic Tool (MSDT). This vulnerability is triggered via common Windows applications such as Microsoft Word and is being actively exploited by known hacking groups.

This article is the first in a series that will discuss some of the most common issues with HTTP security headers, which are often relatively easy to implement and can have a significant impact on the overall security posture of your application. We’ve previously talked about the proactive and reactive styles of application development and security testing. In this article, we discuss HTTP headers which are a common misconfiguration.

Exchange admins now have another exploit to deal with despite still reeling from a number of high profile attacks this year including ProxyLogon and ProxyShell. A new high severity Remote Code Execution (RCE) exploit for on-premise Exchange Servers has been published and is being actively exploited in the wild.

We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle (SDLC). In our blog post exploring the impact of adopting application security, we described a common scenario involving assessing an application that was ready for release. Through the assessment, critical vulnerabilities were identified, such as an SQL injection, close to the go-live deadline.

There is a movement in the IT security world that is gaining traction, and it is based around the implementation of security within applications from the beginning. You may have heard buzzwords like “AppSec”, “DevSecOps” and “Shift Left”, but what do they actually mean? What does it take to “Shift Left” when developing a secure application? You can read about dealing with dependencies in our blog post.