MASSIVE LIST – $78 IN SAVINGS! 8 awesome paid iPhone apps that are free for a limited time
We’re starting off February with a bang on Monday, bringing you a terrific list of paid iPhone and iPad apps that are currently on sale for free. It would normally cost you $78 in total to download all of the nifty apps on today’s list, but each and every one of them is on sale for free right now for a limited time. As always, these sales could end at any minute so be sure to hurry up and grab anything that looks appealing as soon as you can.
Read more here: Boy Genius Report
HERE WE GO!! Samsung teases all-new Galaxy S6 design in invite to MWC press conference
Samsung has apparently started sending out press invites for its next Unpacked event, which will take place at this year’s Mobile World Congress in Barcelona, Spain. Scheduled for March 1st, the press conference is supposed to star Samsung’s top 2015 handset, the Galaxy S6 that has been detailed so far in a variety of rumors and reports.
Read more here: Boy Genius Report
The Best Form of Web Application Security Scans
Automatic versus manual. A heavily debated subject whatever you speak of, and it is no different in the web application security industry. Should you do a manual penetration test or automatically scan all your websites with an automated web application security scanner? With which process would you find the most vulnerabilities, and which one has the best return on investment?
In reality you need a bit of both. Actually, with today’s complex web applications you cannot do without automation. By automating the majority of a penetration test, i.e. scanning your website with a web vulnerability scanner, you ensure that the security audits are more accurate, detect more vulnerabilities and save time. And when you save time you keep costs low and have enough time to finalize the penetration test with a manual check for logical vulnerabilities.
In this article I will walk you through the different stages of a web application penetration test, which helps highlight the fact that automation is a must in web application security.
Web Application Coverage – Identifying the Attack Surface
The first thing you do before auditing the security of a website is find all the possible attack surfaces, or as they are also called, possible points of entry. Attack surfaces can be input fields such as those found in contact forms, shopping carts and login forms, parameters in the URL and also hidden parameters in the code. Now let’s keep in mind that a typical medium sized modern web application can have hundreds or even thousands of such inputs, many of which are very difficult to identify.
An automated web application security scanner such as Netsparker has a crawler component which is specifically built for this purpose: to crawl the web application and identify all possible attack surfaces so they can be checked for cross-site scripting, SQL injection and other types of web application vulnerabilities and security issues. Typically the scanner crawls such a website in less than an hour and automatically identifies all attack surfaces. Would you do this manually? In theory yes, you can. In practice? Definitely not! It would take days, even weeks for a seasoned penetration tester to accomplish such a task, not to mention the high chance of missing input fields.
It is very important to identify all possible attack surfaces, otherwise some of them will go untested. And a malicious attacker only needs to find one vulnerable input field to hack a web application.
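As an added illustration of what the crawling step has to produce (this is example code written for this page, not Netsparker’s crawler or the article’s own), a small Python parser that enumerates the entry points a page exposes: form fields, including hidden ones, and URL query parameters. The sample HTML and the shop.example host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class AttackSurfaceParser(HTMLParser):
    """Collects every form field and URL query parameter a page exposes."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.surfaces = []   # (url, method, parameter, kind) tuples
        self._form = None    # (action, method) while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.base_url, a.get("action") or "")
            self._form = (action, (a.get("method") or "get").upper())
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            # hidden fields are inputs too: the client controls their value
            kind = "hidden" if a.get("type") == "hidden" else "visible"
            self.surfaces.append((*self._form, a["name"], kind))
        elif tag == "a" and a.get("href"):
            url = urlparse(urljoin(self.base_url, a["href"]))
            base = url._replace(query="", fragment="").geturl()
            for name in parse_qs(url.query, keep_blank_values=True):
                self.surfaces.append((base, "GET", name, "url-param"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def find_attack_surfaces(html, base_url):
    """Return the sorted, de-duplicated list of entry points found in html."""
    parser = AttackSurfaceParser(base_url)
    parser.feed(html)
    parser.close()
    return sorted(set(parser.surfaces))


# Constructed sample page; shop.example is a placeholder host, not a real site.
SAMPLE_HTML = """<html><body>
<a href="/search?q=&page=1">Search</a> <a href="item?id=42#top">Item 42</a>
<form action="/contact" method="post">
  <input type="text" name="name"><input type="email" name="email">
  <textarea name="message"></textarea><input type="hidden" name="ref" value="promo">
  <input type="submit" value="Send">
</form>
<form action="/login" method="POST"><input name="username"><input type="password" name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for surface in find_attack_surfaces(SAMPLE_HTML, "http://shop.example/"):
        print(surface)
```

Each tuple is one input a scanner has to exercise; on a real application the list runs to hundreds or thousands of entries, which is the volume the article argues cannot be enumerated by hand.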
Identifying Vulnerabilities and Security Flaws in a Timely Manner
During an automated web application security scan each possible attack surface is checked for hundreds of different vulnerabilities within a few hours. As with crawling, it is impossible to do such a task manually.
A typical modern and small web application can contain at least 100 possible attack surfaces. If it takes a security professional at least a minute to complete each test (and he needs to be really good and quick to do it that fast) it will still take him around 83 working hours to test each input parameter for at least 50 different vulnerability variants. That is roughly 10 man days of checking for routine things. This is an unsustainable amount of time and effort.
We humans are prone to make mistakes, especially when we do repetitive yet complex work, while automated tools are built to do exactly that. Take advantage of such tools and always automate the repetitive tasks in web application security.
Identifying More Web Application Vulnerabilities
If a web application is audited manually, the security audit is limited to the knowledge of the penetration tester. On the other hand, a heuristic web application security scanner has a vast list of web application vulnerabilities and security checks that is backed by a whole team of security engineers and researchers that regularly update it to include new attack vectors, bypasses and security checks.
Identifying Low Hanging Fruit Vulnerabilities
Many security professionals claim that automated tools will only identify low hanging fruit and technical vulnerabilities. True, but history has shown us that the majority of successful web application attacks exploited a technical vulnerability such as an SQL Injection or Cross-site Scripting. Attackers have very rarely exploited logical vulnerabilities.
This does not mean you should ignore logical vulnerabilities, but you should automate the repetitive and use the time saved to identify logical vulnerabilities. If you try to do both manually you will not manage to keep up with the development of the web application and the myriad of new attack variants.
Identifying Logical Vulnerabilities
There are two types of web application vulnerabilities, logical and technical vulnerabilities. Technical vulnerabilities are vulnerabilities in the code which can be identified by automated tools, such as the popular SQL Injection and Cross-site Scripting vulnerabilities. Logical vulnerabilities are vulnerabilities in the logic of the web application and not the code, hence only a person who is familiar with the scope of the web application can identify such vulnerabilities.
What is a Logical Vulnerability?
An advertising agency launches a promotion that gives away $100 to anyone who buys $100 worth of adverts. However, even when users buy less than $100 worth of advertising, the web application still gives away the free $100. Even though this is not a vulnerability in the code of the web application, this is still a vulnerability which attackers can abuse.
Scanning Many Web Applications and Keeping Them Secure
The problem of identifying vulnerabilities and security flaws in web applications gets much worse when you have tens or even hundreds of web applications. In such cases it is neither viable nor practical to do manual penetration tests. How can you quickly identify all the vulnerable web applications in case of a vulnerability outbreak, such as Heartbleed? A desktop based web application security scanner will not scale up and do the job. Instead you should look into an online web application security scanner, which is purposely built to scale up and has the necessary tools to allow teams to collaborate and ensure all vulnerabilities are remediated before they are exploited by malicious hackers.
Web Application Security Convenience
Nowadays businesses heavily depend on web applications. New functionality is frequently being added to web applications to keep up with the business requirements. Every change that is applied should be tested prior to being implemented on the live servers. If you have an easy to use web application security scanner your own employees can scan the new web application changes and remediate any vulnerabilities the scanner reports prior to it being used in a live environment, without slowing down the deployment process.
You Need Automated Web Security Tools to Complete the Job
The benefits of automated tools can be many when it comes to web application security. Apart from saving time and ensuring accurate penetration tests, you can also save on budget. If you use an easy to use and false-positive-free web application security scanner, your own QA and testing teams can do the vulnerability scans, even if they are not web security experts. Since the scanner’s results are accurate they do not have to verify its findings, so no training is required.
Emulate Malicious Hackers – Hack Your Website
Malicious hackers do not have access to the web applications’ code, therefore they use automated black box scanners to scan websites in the hope of identifying vulnerabilities. Unfortunately, most of the time they do identify vulnerabilities. As a matter of fact, many internet security and monitoring organizations claim that at least one website is hacked every five seconds.
Therefore, emulating malicious hackers by using a web application security scanner to identify vulnerabilities in your websites and web applications is the best way to go about it. There is definitely no better way to secure your web applications.
Web Application Security Done Right
To recap, it is humanly impossible and unsustainable to manually audit a modern web application and check whether it is vulnerable to every type of known and unknown vulnerability without making a mistake or within a respectable time frame. At the same time it is impossible for an automated tool to find all vulnerabilities. A perfect example is the OWASP Top 10 list. As explained in An Automated Scanner That Finds All OWASP Top 10 Security Flaws, you have to do both automated scans and manual audits to identify all the vulnerabilities listed in the OWASP Top 10. Therefore even if you are thinking of hiring a penetration tester rather than doing the job yourself, if they do not use automated web security tools I recommend you look elsewhere.
In web application security automated tools should not and will not replace the human factor, but the human alone cannot do a good job without using automated web security tools.
The post The Best Form of Web Application Security Scans appeared first on SecurityProNews.
Read more here: Security Pro News
Spy shots of people wearing the Apple Watch are already hitting the web
In 2015, nothing is safe. Everyone carries a smartphone, every smartphone packs a camera, and everything that happens in public is fair game. If you do something that might be considered even the least bit interesting by anyone, you can expect photos or even a video to appear on the web within minutes. And since the upcoming new Apple Watch is Apple’s most exciting new product in years, wearing it in public will inevitably draw attention and turn every gadget fan in the immediate vicinity into amateur paparazzi.
With the Apple Watch’s release just a few short months away, spy shots of Apple workers testing the sleek new smartwatch in public are now starting to hit the Internet.
Read more here: Boy Genius Report
Super Bowl XLIX’s biggest hits came during a Twitter fight between T-Mobile and Sprint CEOs
T-Mobile CEO John Legere is widely known for two things: talking a ridiculous amount of trash about rival wireless carriers, and delivering on all of his talk with monster subscriber additions each quarter. On Sunday night, Legere was shooting par for the course on his Twitter account during Super Bowl XLIX, supplying his standard running commentary about the competition.
This time, however, Sprint CEO Marcelo Claure hit back, and the two exchanged a few entertaining blows before attention finally turned back to the big game.
Read more here: Boy Genius Report
HUGE LEAK: If this is Samsung’s new Galaxy S6 design, we need it IMMEDIATELY!
Many leaked pictures of the Galaxy S6 have been published online, including case designs for the unannounced handset, though Samsung’s final design for the upcoming flagship is yet to be confirmed. Meanwhile, an Italian journalist published on Twitter a schematic that could be showing the Galaxy S6, with SamMobile saying the image might give us the first real look at the handset.
Read more here: Boy Genius Report
Madden 2015 amazingly got its Super Bowl prediction exactly right
If you had money on the Super Bowl, you would have cleaned up if you based your bet on the simulation conducted before the game by Madden NFL 2015. As USA Today’s Brett Molina notes, Madden’s official simulation got the score of the game exactly right since it correctly predicted the Patriots would beat the Seahawks 28 to 24. And that’s not the only thing Madden got right.
Read more here: Boy Genius Report
A new Raspberry Pi computer is in town, faster than ever but just as cheap
The Raspberry Pi Foundation and element14 on Monday announced a brand new version of their extremely popular and very affordable computer. The Raspberry Pi 2 Model B is even more powerful than the previous models, but it’s just as cheap, costing just $35. More interestingly, the Raspberry Pi 2 Model B is fully backward compatible with the first-gen Model A and Model B designs, meaning that users can just replace the old versions with the faster computer.
Read more here: Boy Genius Report
The Pirate Bay is officially back up
After a month of teasing its return, The Pirate Bay team on Saturday finally brought back online the immensely popular torrent download service, almost a day before the planned February 1st relaunch, and users can now enjoy a fully functional website.
Read more here: Boy Genius Report
These are all the crazy things you can hire a hacker to do for you
Ever wanted to get access to your spouse’s Facebook account without them knowing? Are you looking to order some shady products from the “deep web?” Interested in clearing your record, or improving your grades? There’s a hacker for that, or at least a site where you can list such requests and appropriate rewards, hoping that hackers will be interested in helping out.
Read more here: Boy Genius Report