Prepara tu startup para cumplir con regulaciones de ciberseguridad

Cómo afrontar el cumplimiento normativo y crear tu programa de seguridad de la información de forma sencilla

Tiempo de lectura: 5 minutos.

El gran desafío con el que se encuentran las startups en crecimiento cumplir con normativas y regulaciones de seguridad. Y suele serlo por tres sencillas razones: falta de tiempo, poco conocimiento y escasez de recursos para hacerlo.

Read more

Protección de datos: ¿Cómo proteger los de mi startup?

La protección de los datos es un habilitador de negocios. Descubre cómo proteger el activo más grande de tu startup, cumplir las regulaciones y crecer sin límites.

Tiempo de lectura: 5 minutos

Si trabajas en la industria fintech o con instituciones financieras (lo que es muy probable), seguro que tu preocupación principal es el incremento de las ventas y la satisfacción de tus clientes. 

Read more

What is RCE (Remote Code Execution)?

Like its name very well says, Remote Code Execution (also known as Remote Code Evaluation) is a vulnerability that allows attackers to access a third party’s systems and read or delete their contents, make changes, or otherwise take advantage of their computers by running code on them – regardless of where they are physically located.

Read more

Using Cyber Security to Maximize Your Company Profits

(and create very happy customers)

There are certain universal truths about how to build a successful business and create happy customers: Have a clear and impactful mission statement. Offer products and solutions that add value. Listen to the customer and address their needs. Be one step ahead of the ever-changing tide that is innovation.

Read more

How to Hire a Cybersecurity Expert (Before It’s Too Late)

In the game of supply and demand, quality cybersecurity experts can be tricky to find. Market data has shown that the need for cybersecurity experts in the workforce has grown 53% through 2018, and there is a predicted shortfall of 1.5 million cybersecurity professionals in the near future.

Read more

Dependencies: It’s not just your code you need to secure.

The EQUIFAX USA event of 2017 put into the spotlight an underconsidered aspect of software security: It’s not just our code that we need to secure. The facts of the case are widely known, but, its cause? Not so much. Little is said about the fact that this leak would not have taken place if the developers of the EQUIFAX application had upgraded their Apache Struts web framework to a more secure version.

We developers are not creating applications based only on our code. We rely on servers, programming languages, frameworks, libraries (wheels, gems, JARs…) and we need to secure all that, even that code we copy-paste from Stack Overflow.

When we create applications, we are not just writing code, we are building a house with Lego blocks, and our code is just a part of that house. In fact, our code is on the top of that house. All that other stuff we depend on, is underneath, it’s our software’s foundations, and if it is not secured, our house will fall apart, just like EQUIFAX’s did.

One notable thing to mention in this issue is the fact that this kind of vulnerability is listed in OWASP Top 10 2017.

OWASP Top 10 2017 entry.

Project support

The good news is that some developers have begun to take notice on the issue. There are projects available that aim to help developers to take care of dependency security even before their code reaches the CI/CD (Continuous Integration/Continuous Delivery) server.

These tools are continuously updated, based on security data obtained from CVE (Common Vulnerabilities and Exposures) data and developer reports, and can be used in CI/CD servers as well.

Here are some of them:

OWASP Dependency Check (Java, multilanguage)

The main reference when it comes to dependency security checking is

OWASP’s dependency checking tool

Read more

GDPR Compliance: How Continuous Vulnerability Scanning is Key

Even months after interest in GDPR compliance peaked, some companies are struggling to make sure they comply with this new set of regulations aimed at protecting the privacy and security of European citizens. The regulation applies to businesses anywhere as long as their users are in the EU, and with the highest penalties potentially reaching the millions of euros, they’re right to worry.

Take the case of British Airways for example. On September 6th, 2018 the airline announced that it had suffered a breach that affected around 380,000 users, and that part of the stolen data included personal and payment information.

Now, although we don’t know the fine that will be levied on British Airways, under GDPR a violation such as this one may lead to a fine of 20 million or up to 4% of a company’s annual turnover in the previous year (whichever is higher), which for BA could reach about £489 million (US$633 million) based on 2017 figures.

A similar case is that of Marriott. In November 2018 they announced that they had been a victim of an attack that compromised the data of 500 million users. Marriott’s annual turnover in 2017 was US$22.9 billion.

More recently, Google has been the target of a 50 million fine in France for failing to provide enough information to users about its data consent policies and not giving them enough control over how their information is used.

Often when we read about GDPR, it may sound like it’s all about notifications (letting users know what kind of data the company is using and how it will be used and notifying them of security breaches in a timely fashion), but if these cases show us anything it’s that companies will be under scrutiny not only for how they use their customer’s data but also how they protect it. This is where early detection and prevention of security vulnerabilities is key.

Article 32 of the GDPR provides that businesses must

“implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including […] as appropriate: […] a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Read more

These are the 10 web vulnerabilities most frequently found by Hackmetrix

After having run thousands of scans on Hackmetrix we can finally say we officially know the 10 most common vulnerabilities we’ve found across every site we scanned.

The purpose of the article is to be a source of information for users who have found any of these on their sites, to encourage site owners to check their online properties for any of these, and to provide a line or two on how to fix them wherever possible.

If you’re not sure how to check your site for any of the vulnerabilities mentioned here, then a free Hackmetrix account could be a good start. It only takes a minute to sign up and you’ll have your first report in just a couple hours.

As time goes by we’ll also be expanding on each of these with more in-depth guides explaining each of these issues and how to solve them.

Let’s get to it!

  1. Absence of Anti-CSRF Tokens – Risk: Low

Our most frequently found vulnerability is (luckily?) not a high risk one. Cross Site Request Forgery (CSRF), is a type of attack that tricks a user’s browser into performing an unwanted action on a trusted site where the user is authenticated, and it works even if the user doesn’t have that site open at the time.

This works because of the trusting nature of web browsers. A browser doesn’t check to see if an outgoing request is going out from a specific domain, and so in a similar way you might be able to tweet or check an Instagram post from an external website, a more ill-meaning site could use an open session in one of those sites to post, or take some other action, on your account without you ever noticing.

For example, let’s say you regularly check Twitter and so your session on that site remains open (an open session is what makes it possible for you to open a new tab and go to and see your feed without having to log in every time). While you’re checking your friends’ tweets you click on a very enticing link to a questionnaire to find out what kind of fast food you are. Irresistible.

That questionnaire though, holds hidden and nefarious intentions, and as soon as you click a button on it to see the results it takes advantage of your open session on Twitter to tweet on your behalf a link to itself and follow a bunch of unknown accounts. This without you ever consenting, or finding out until you look at your own feed.

Now take that and imagine it being used on, instead of Twitter, a bank account. CSRF is a common problem, and one of the ways it can be prevented is by using =&2=&.

Using an anti-CSRF token would mean that each time a website loads it includes a unique string of characters, then when a request is made (in our example that would be each time you try perform some action on Twitter), the server expects to receive that same token back, and if it doesn’t then it will refuse to perform the action requested. You can see then why it’s highly recommended to implement an Anti-CSRF Token, and why not doing so is considered a vulnerability.

=&3=&=&4=& Read more

Backed by

Hackmetrix startup chile