GDS gains CBEST & CREST STAR Accreditation
In early February 2015, GDS was accredited by the Bank of England as a CBEST Approved Penetration Testing Provider, one of only six organisations to have achieved this status so far globally. The CBEST scheme, a regulatory scheme run by the Bank of England through the information security industry body CREST, delivers intelligence-led penetration tests against the critical systems of financial institutions in order to evaluate each institution's susceptibility to, and cyber response capability against, Advanced Persistent Threat (APT) attackers. GDS had earlier achieved the status of a CREST STAR (Simulated Target Attack & Response) penetration testing provider; STAR is the equivalent commercial offering for organisations worldwide, and for UK organisations not regulated by the Bank of England's Prudential Regulation Authority.
By replicating the tactics, techniques and procedures of known threat actors that are posing a significant and specific threat to financial institutions, CBEST and CREST STAR testing is the most realistic type of test of an organisation’s overall cyber defence capability against the types of attacks being conducted by cyber criminals today.
We at GDS are delighted to have achieved CBEST and CREST STAR accreditation and can now supply penetration testing services to organisations under both schemes. We're also excited about what this offers our financial services clients with operations on both sides of the Atlantic, as it positions GDS as the only CBEST/CREST STAR testing provider able to deploy CREST-certified staff on both sides of the Atlantic.
If you're interested in finding out more about CBEST or CREST STAR testing with GDS, please send us an email or give us a call.
The Latest from GDS Labs
The research team at GDS has been busy in Q1, releasing research to help enterprises better secure their infrastructure and solutions, and working with vendors to responsibly disclose vulnerabilities we had found in their products.
As always, full details were published on the GDS Blog; here are some of the highlights:
- Mobile Application Management (MAM) Security Checklist And Whitepaper - Building on Ron Gutierrez’s talk at BlackHat 2014 in Las Vegas, Ron released a detailed checklist intended to be used as a baseline for assessing, designing, and testing the security of a Mobile Application Management (MAM) or “Application Wrapping” solution. This list was constructed from GDS’s extensive experience and research assessing a wide variety of the MAM solutions in the marketplace today.
- Docker Secure Deployment Guidelines - Docker is an operating-system-level virtualisation (container) technology that many of our clients are deploying, or are looking at deploying, so that developers and system administrators can roll out the applications and services required for business operations as containers. Containers share the host's kernel, so a container that is inadequately configured (for example one run privileged, with host namespaces, or with the Docker socket mounted inside it) can expose the host and everything else running on it. GDS released this set of secure deployment guidelines to provide a single starting point for securing them.
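As an added illustration of the kind of misconfiguration such guidelines address (this is the editor's example, not code from the GDS guidelines or from Docker), the script below audits the JSON that `docker inspect` returns for settings that weaken container isolation. The list of dangerous capabilities is the author's own choice, the script name is hypothetical, and the two sample records at the bottom are constructed, trimmed to the fields the checks read.

```python
"""Audit `docker inspect` output for settings that weaken container isolation.
Editor's example, not part of the GDS guidelines; the checks below are the
author's own list and the two sample records at the bottom are constructed."""

import json
import sys

# Capabilities that give a process inside the container a route to the host
# (assumed list for this example; tune it to your own threat model).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "NET_ADMIN", "DAC_READ_SEARCH"}
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def audit(record: dict) -> list:
    """Return human-readable findings for one `docker inspect` record."""
    host = record.get("HostConfig") or {}
    config = record.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices are available")
    if host.get("NetworkMode") == "host":
        findings.append("host network namespace shared with the container")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace shared: host processes are visible")
    bad_caps = DANGEROUS_CAPS & set(host.get("CapAdd") or [])
    if bad_caps:
        findings.append("dangerous capabilities added: " + ", ".join(sorted(bad_caps)))
    for bind in host.get("Binds") or []:          # "src:dst[:options]"
        src = bind.split(":")[0]
        if src in DOCKER_SOCKETS:
            findings.append("docker socket mounted: equivalent to root on the host")
        elif src == "/":
            findings.append("host root filesystem mounted into the container")
    if not config.get("User"):
        findings.append("process runs as root inside the container (Config.User empty)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no --read-only)")
    if "no-new-privileges:true" not in (host.get("SecurityOpt") or []):
        findings.append("setuid escalation allowed (no --security-opt no-new-privileges:true)")
    return findings


# Constructed records, trimmed to the fields the checks read.
WEAK = {
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "",
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "ReadonlyRootfs": False, "SecurityOpt": None,
    },
}
HARDENED = {
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge", "PidMode": "",
        "CapAdd": None, "CapDrop": ["ALL"],
        "Binds": ["/srv/app/data:/data:ro"],
        "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"],
    },
}

if __name__ == "__main__":
    # Usage: docker inspect <container...> | python audit_container.py
    records = json.load(sys.stdin) if not sys.stdin.isatty() else [WEAK, HARDENED]
    for rec in records:
        name = rec.get("Name", "<sample>")
        for finding in audit(rec) or ["no findings"]:
            print("%s: %s" % (name, finding))
```

The hardened record corresponds to starting the container with `--user 10001:10001 --read-only --cap-drop ALL --security-opt no-new-privileges:true` and without binding the Docker socket; the weak record is what you get from `--privileged --net host -v /var/run/docker.sock:/var/run/docker.sock` run as root, and trips every check but the PID-namespace one.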
In addition, the research team worked with software and hardware vendors on responsibly disclosing the following vulnerabilities in widely deployed software and hardware solutions:
- WebLogic SSRF And XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242) - GDS discovered a number of application layer vulnerabilities (server-side request forgery and cross-site scripting) in services that ship with Oracle WebLogic Server, specifically as part of Oracle Fusion Middleware. Oracle patched these in its July 2014 Critical Patch Update (CPU).
- SmartThings SSL Certificate Validation Vulnerability - GDS found that the SmartThings Hub did not properly validate the SSL/TLS certificate presented by the SmartThings backend servers. An attacker on the network path between a hub and the backend could therefore present a certificate of their own and monitor, intercept and potentially modify the hub's traffic. As SmartThings can form part of a wider home security system, this could in turn lead to scenarios where access to a home is gained. Samsung/SmartThings patched the vulnerability on 29 January 2015.
- JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server [CVE-2015-2080] - GDS discovered a critical information leakage vulnerability in the Jetty web server (versions 9.2.3 to 9.2.8) that allows an unauthenticated remote attacker to read data from requests previously submitted to the server by other users: a request containing an illegal character in an HTTP header produced a 400 error response that echoed the bytes surrounding the offending character from the server's shared read buffer, including stale data left there by earlier requests. The impact is comparable to Heartbleed in exposing other users' data (credentials, session cookies, request bodies), and because Jetty is commonly embedded in other software packages, the number of affected systems was far larger than the visible Jetty deployments. The vendor fixed the issue in version 9.2.9, released 24 February 2015.
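For the SmartThings item above, the security-relevant detail is what a client has to switch off for an attacker's certificate to be accepted. The following is an added example written for this page, not SmartThings firmware: it builds the broken client context next to a hardened one and audits each. The host name and CA bundle path are assumptions.

```python
"""Client-side TLS: a context that skips certificate validation (the flaw class
reported against the SmartThings hub) next to one that enforces it. Editor's
example, not SmartThings firmware; host names and the CA bundle path are assumed."""

import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The broken pattern: traffic is encrypted, but any certificate is accepted,
    so an on-path attacker can terminate TLS with a certificate of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Require a chain to a trusted CA, check that the certificate names the host,
    and refuse pre-1.2 protocols. Passing ca_bundle restricts trust to the vendor's
    own CA (pinning) instead of every CA in the system store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the settings that would let a man-in-the-middle succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another host is accepted")
    return findings


def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Connect and return the validated peer certificate. With the insecure context
    the handshake still 'succeeds' against an attacker's certificate and the
    returned dict is empty, because nothing was verified."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "ok")
    # Live check against an assumed backend host; needs network access:
    # print(fetch_peer_cert("api.example.test", 443, hardened_client_context()))
```

With the hardened context, `wrap_socket` raises `ssl.SSLCertVerificationError` when an on-path attacker substitutes their own certificate; with the insecure one the connection is established and the device happily talks to the attacker. For an embedded device that talks to one vendor backend, pinning to the vendor CA via `ca_bundle` also removes the dependence on whatever CA store happens to ship in the firmware.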
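To make the JetLeak failure mode concrete, here is a small model of the bug class. It is an editor's illustration in Python, not Jetty's Java code, and the buffer and window sizes are assumed: a parser reuses one read buffer across requests and, on an illegal header byte, echoes the bytes around it back to the client. Because the debug window is cut from the shared buffer rather than from the current request, it crosses the end of the current request into stale bytes from a previous one. `walk_buffer` slides the illegal byte through the buffer the way a JetLeak probe did, and the fixed variant reports only the byte value and the parser state. The victim request is constructed.

```python
"""Toy model of the JetLeak bug class (CVE-2015-2080): a header parser that
reuses one buffer across requests and, on a parse error, echoes the bytes
around the offending character back to the client, including stale bytes that
a previous request left past the current request's limit. Illustrative only;
not Jetty's code."""

BUFFER_SIZE = 512   # assumed shared-buffer size for the model
WINDOW = 16         # assumed size of the debug window echoed on error


class SharedBufferServer:
    def __init__(self, leak_debug_window: bool):
        self.leak_debug_window = leak_debug_window
        self.buffer = bytearray(BUFFER_SIZE)  # reused for every request, never zeroed
        self.limit = 0                        # end of the current request's data

    def handle(self, raw: bytes) -> bytes:
        if len(raw) > BUFFER_SIZE:
            return b"HTTP/1.1 413 Payload Too Large\r\n\r\n"
        self.buffer[:len(raw)] = raw          # bytes beyond len(raw) keep old content
        self.limit = len(raw)
        try:
            self._validate_headers()
        except ValueError as exc:
            return b"HTTP/1.1 400 Bad Request\r\n\r\n" + str(exc).encode("latin-1")
        return b"HTTP/1.1 200 OK\r\n\r\n"

    def _validate_headers(self) -> None:
        data = self.buffer[:self.limit]
        start = data.find(b"\r\n") + 2        # skip the request line
        for pos in range(start, self.limit):
            ch = data[pos]
            if ch in (0x09, 0x0D, 0x0A) or 0x20 <= ch < 0x7F:
                continue
            if self.leak_debug_window:
                # Vulnerable: the window is cut from the shared buffer, not from
                # the current request, so it runs past self.limit into stale bytes.
                pre = bytes(self.buffer[max(0, pos - WINDOW):pos])
                post = bytes(self.buffer[pos + 1:pos + 1 + WINDOW])
                raise ValueError("Illegal character 0x%02X in state=HEADER in '%s<<<.>>>%s'"
                                 % (ch, pre.decode("latin-1"), post.decode("latin-1")))
            # Fixed: report only the offending byte and the parser state.
            raise ValueError("Illegal character 0x%02X in state=HEADER" % ch)


def probe(server: SharedBufferServer, pad: int) -> bytes:
    """Attacker request placing an illegal NUL byte at a chosen buffer offset."""
    req = b"GET / HTTP/1.1\r\nX: " + b"a" * pad + b"\x00\r\n\r\n"
    return server.handle(req)


def walk_buffer(server: SharedBufferServer, max_pad: int) -> bytes:
    """Collect everything echoed after the illegal byte while sliding it
    through the buffer, the way a JetLeak probe walked the stale region."""
    leaked = b""
    for pad in range(max_pad):
        resp = probe(server, pad)
        marker = resp.find(b">>>")
        if marker != -1:
            leaked += resp[marker + 3:].rstrip(b"'")
    return leaked


def demo(leak: bool) -> bytes:
    """A victim's request is handled first; the attacker then walks the buffer."""
    server = SharedBufferServer(leak_debug_window=leak)
    # Constructed victim request carrying a session cookie.
    server.handle(b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
                  b"Cookie: session=s3cr3t\r\n\r\n")
    return walk_buffer(server, 80)


if __name__ == "__main__":
    print("vulnerable leaked:", demo(leak=True))
    print("fixed leaked:     ", demo(leak=False))
```

Against the vulnerable variant the walk recovers the victim's cookie value even though the attacker never authenticated; against the fixed variant the 400 responses carry nothing beyond the byte value, so the same walk returns nothing. The defensive lesson generalises beyond Jetty: error messages built from a reused I/O buffer must be bounded by the current request's limit, and ideally should not echo request bytes at all.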