Path traversal in Java web applications – announcing the Invicti technical paper
Path traversal attacks against Java web applications can expose sensitive information and allow escalation to more dangerous attacks. This post provides an overview of Java path traversal and announces an Invicti technical paper and open-source tool.
Can you afford to cut back on web application security?
Every data breach is costly, but it doesn’t take a sophisticated attacker to get your company into big trouble. Web application security is your first line of defense – and here’s why you cannot afford to drop your guard.
Why the Log4Shell vulnerability will never become yesterday’s news
On July 11, 2022, the Cyber Safety Review Board (CSRB) published a report on Log4Shell stating that organizations should be prepared to address Log4j vulnerabilities for years to come. We're taking a look at the reasons why Log4Shell is not going to go away.
7 steps to avoid uncoordinated vulnerability disclosure
Imagine the following situation. You work as a cybersecurity manager for a company that owns the website www.example.com. One day, your sales department receives an email from an unknown individual. The sales department forwards it to you. The email has the following content: You example.com/login.php...
Red teaming – 5 tips on how to do it safely
Red team vs blue team exercises are a very effective method to evaluate the security posture of your business. However, red teaming, due to its adversarial approach, carries certain risks that must be taken into consideration, both for the red team and the target business...
Four ways to combat the cybersecurity skills gap
The lack of cybersecurity talent is nothing new. It’s a problem that all businesses have been facing for several years and it’s getting worse. There have been many proposals on how to narrow the gap, but so far all efforts have been futile. Let’s have...
Critical alert – Spring4Shell RCE (CVE-2022-22965 in Spring)
On March 31, 2022, a serious zero-day vulnerability was discovered in the Spring framework core, which is an open-source framework for building enterprise Java applications. The vulnerability, dubbed Spring4Shell (similar to Log4Shell) or Springshell, was identified as CVE-2022-22965 (at the time of writing, not yet...
DevSecOps vs. SecDevOps
DevSecOps is a relatively new approach to continuous software development processes in agile environments. It is an extension of DevOps (Development + Operations) that includes the automation of security. The order of component terms in the DevSecOps name, however, may lead to incorrect application security approaches. That...
7 reasons why development teams skip security steps
The Fall 2021 Invicti AppSec Indicator has made us aware of an incredibly high percentage of development teams that have admitted to skipping security steps. There is a 70% chance that this happens in your business, leaving your web applications exposed to malicious hacker attacks...
2021 – the year in review
As 2021 comes to an end, it is time to sum up the year to see what it meant for Acunetix, Invicti, and the web application security industry. The rise of Invicti: 2021 was the year when Acunetix became a brand of Invicti Security. The...