Coming to the RSA Conference in San Francisco April 20th through 24th? Come see us at booth #2544!

What's new at GDS?

The first quarter of 2015 has been a busy one for the team at Gotham Digital Science (GDS). Here are a few of the highlights of what has been happening in Q1:

GDS will be at RSA 2015

The GDS management team will be at the RSA conference in San Francisco (between April 20th and 24th) with our colleagues from SendSafely. If you’re planning on attending, let us know and we can grab a coffee. Alternatively drop by and say hello at booth #2544 in the South Pavilion.

Also, if you or anyone on your team is interested in attending but hasn’t registered yet, please feel free to use SendSafely’s exhibitor registration code (X5ESNDSAF) to get a complimentary pass for the Exhibit Hall.


OpenSAMM Benchmarking

At the OWASP SAMM Summit 2015 in Dublin (27th-28th of March 2015), GDS, together with Denim Group, Veracode, AsTech Consulting, Aspect Security and Security Innovation, announced the forthcoming release of a freely available benchmarking dataset for OpenSAMM, the OWASP Software Assurance Maturity Model.

This effort will ensure that there is an open, freely available dataset for anyone to use, helping to answer that age-old question: "what are my peers in the industry doing to develop their software securely?"

Details will be coming out shortly, so keep an eye on the GDS Blog for more!

GDS gains CBEST & CREST STAR Accreditation

In early February 2015, GDS was accredited by the Bank of England as a CBEST Approved Penetration Testing Provider - one of only six organisations to have achieved this status so far globally.

CBEST is a regulatory scheme run by the Bank of England through the information security industry body CREST. It delivers intelligence-led penetration tests against the critical systems of financial institutions in order to evaluate each institution's susceptibility to, and response capability against, Advanced Persistent Threat (APT) attackers. GDS had earlier achieved CREST STAR (Simulated Target Attack & Response) penetration testing provider status, the equivalent commercial offering for organisations worldwide and for UK organisations not regulated by the Bank of England's Prudential Regulation Authority.

By replicating the tactics, techniques and procedures (TTPs) of known threat actors that pose a significant and specific threat to financial institutions, CBEST and CREST STAR testing gives the most realistic measure of an organisation's overall cyber defence capability against the kinds of attack being conducted by cyber criminals today.

We at GDS are delighted to have achieved CBEST and CREST STAR accreditation and can now supply penetration testing services under both schemes. We're also excited about the opportunities this creates for our financial services clients with operations on both sides of the Atlantic, as it positions GDS as the only CBEST/CREST STAR testing provider able to deploy CREST-certified staff on both sides of the Atlantic.

If you're interested in finding out more details on CBEST or CREST STAR testing with GDS, please send us an email, or give us a call.


The Latest from GDS Labs

The research team at GDS has been busy in Q1, both releasing research that helps enterprises better secure their infrastructure and solutions, and working with vendors to responsibly disclose vulnerabilities we found in their products.

As always, full details were released on the GDS Blog; here are some of the highlights:
  • Mobile Application Management (MAM) Security Checklist And Whitepaper - Building on Ron Gutierrez’s talk at BlackHat 2014 in Las Vegas, Ron released a detailed checklist intended to be used as a baseline for assessing, designing, and testing the security of a Mobile Application Management (MAM) or “Application Wrapping” solution. This list was constructed from GDS’s extensive experience and research assessing a wide variety of the MAM solutions in the marketplace today.
  • Docker Secure Deployment Guidelines - Docker is a container technology (operating-system-level virtualisation: containers share the host's kernel rather than each running under a hypervisor) that many of our clients are deploying, or evaluating, so that developers and system administrators can package and deploy the applications and services required for business operations as containers. Because a container is only as isolated as its configuration makes it, a misconfigured container (for example one run with extra privileges, or with sensitive host paths mounted inside it) can expose the host and neighbouring containers to significant risk. GDS released this set of secure deployment guidelines as a single starting point for securing Docker deployments.
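The Docker item above names the risk but not what a misconfiguration looks like. The following is an added example written for this page (it is not code from GDS's guidelines or from the Docker project): a weak `docker run` invocation beside a hardened one, plus a small audit function that rejects the options that most commonly undo container isolation. The image name `example/webapp:1.0`, the host paths and the list of flagged options are assumptions for illustration; the list is a starting point, not a complete policy.

```shell
#!/bin/sh
# Added example for this page, not the GDS guidelines: audit a `docker run`
# argument list for options that hand the container the host, and show a
# hardened invocation beside a weak one. Image name and paths are placeholders.

# audit_docker_run ARGS...
# Returns 0 when none of the risky options below are present, 1 otherwise,
# naming each offending option on stderr.
audit_docker_run() {
  rc=0; prev=""
  for arg in "$@"; do
    case "$arg" in
      --privileged)
        echo "risky: --privileged grants every capability and raw device access" >&2; rc=1 ;;
      --net=host|--network=host)
        echo "risky: $arg shares the host network namespace" >&2; rc=1 ;;
      --pid=host)
        echo "risky: --pid=host exposes host processes to the container" >&2; rc=1 ;;
      --cap-add=ALL|--cap-add=SYS_ADMIN|--cap-add=SYS_PTRACE)
        echo "risky: $arg is close to root on the host kernel" >&2; rc=1 ;;
    esac
    # Bind mounts arrive as "-v SRC:DST[:OPTS]" (two arguments) or "--volume=SRC:DST".
    mount=""
    if [ "$prev" = "-v" ] || [ "$prev" = "--volume" ]; then
      mount="$arg"
    elif [ "${arg#--volume=}" != "$arg" ]; then
      mount="${arg#--volume=}"
    fi
    if [ -n "$mount" ]; then
      src="${mount%%:*}"
      case "$src" in
        /|/etc|/proc|/sys|/dev|/var/run/docker.sock|/run/docker.sock)
          echo "risky: bind-mounting $src gives the container control of the host" >&2; rc=1 ;;
      esac
    fi
    prev="$arg"
  done
  return "$rc"
}

# Weak invocation (constructed for illustration): root inside the container
# with every capability, on the host network, with the Docker socket mounted,
# so a compromise of the web application is a compromise of the host.
WEAK_RUN='--privileged --net=host -v /var/run/docker.sock:/var/run/docker.sock example/webapp:1.0'

# Hardened invocation: unprivileged UID, all capabilities dropped except the
# one needed to bind a low port, read-only root filesystem with one dedicated
# writable host path, a memory limit, and the service port published only on
# loopback (put a reverse proxy in front of it).
HARDENED_RUN='--user 1000:1000 --cap-drop=ALL --cap-add=NET_BIND_SERVICE --read-only -v /srv/webapp/cache:/var/cache/webapp --memory 256m --publish 127.0.0.1:8080:8080 example/webapp:1.0'

# Print the full command line instead of executing it, so this runs without a
# Docker daemon; pipe the output into sh to actually start the container.
render_run() { printf 'docker run %s\n' "$*"; }

# Demonstration (no argument in either list contains whitespace, so the
# unquoted expansion splits them back into individual arguments).
render_run $WEAK_RUN
audit_docker_run $WEAK_RUN || echo "-> weak configuration rejected"
render_run $HARDENED_RUN
audit_docker_run $HARDENED_RUN && echo "-> hardened configuration passes"
```

The audit deliberately checks only the options whose misuse collapses the container boundary outright; what the workload legitimately needs (a capability, a writable path, a published port) still has to be decided per service, which is where a written guideline earns its keep.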

In addition, the research team worked with software and hardware vendors on responsibly disclosing the following vulnerabilities in widely deployed software and hardware solutions:
  • WebLogic SSRF And XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242) - GDS discovered a number of application-layer vulnerabilities (server-side request forgery and cross-site scripting) in services that ship with Oracle WebLogic as part of Oracle Fusion Middleware. Oracle patched these in the July 2014 Critical Patch Update (CPU).
  • SmartThings SSL Certificate Validation Vulnerability - GDS discovered that the SmartThings Hub did not properly validate the SSL certificate of the SmartThings backend servers it communicates with, an Internet of Things (IoT) encryption issue that could allow an attacker positioned on the network path to monitor and intercept the hub's traffic. As SmartThings can be used as part of a wider home security system, this could lead to scenarios in which access to a home could be gained. The vulnerability was patched by Samsung/SmartThings on the 29th of January 2015.
  • JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server [CVE-2015-2080] - GDS discovered a critical information leakage vulnerability in the Jetty web server (versions 9.2.3 to 9.2.8) that allows an unauthenticated remote attacker to read data left in shared buffers from requests previously submitted to the server by other users, including any cookies, credentials or form data those requests carried. Its impact is similar to Heartbleed with regard to exposing other users' data; and because Jetty is commonly embedded in other software packages, the affected population was far wider than Jetty's own deployments. The vendor patched it in version 9.2.9, released on the 24th of February 2015.
Copyright © 2015 Gotham Digital Science LLC, All rights reserved.