At Syn Cubes, we recognize the importance of innovation and adaptation. That's why we're thrilled to introduce our latest suite of technical assessments and penetration testing services. But what makes these offerings stand out in a saturated market?
Executive Level
Managing Risk
Top 5 Agile Pentesting Challenges in DevOps
As the Agile software development adoption continues to grow, businesses are increasingly looking to incorporate manual human-driven penetration testing, dynamic vulnerability code analysis, and SAST tools into their CI/CD pipelines. However, it is equally important for businesses to be aware of the challenges that this approach presents in their efforts to create and deploy secure software.
Executive Level
Managing Risk
Agile Pentesting — Benefits
An Agile pen test is a new approach to pentesting that allows security professionals to adapt to changing needs and environments quickly. The takeaway from this is that organizations should benefit from staying ahead of the curve regarding security threats and effectively protecting their systems against a wide range of newly discovered attack vectors reported in the current threat landscape.
Executive Level
Managing Risk
CISA CPG Checklist v1.0
We share the following as a simplified visual version and a Word document that addresses the security controls in the CISA Account Security v1.0 Official Guideline.
Tutorials
Nmap
Nmap - The Security Scanner: Tips About How to Use It Efficiently
Security engineers and professional penetration testers use numerous tools to assess the security posture of their targets. But despite all of these tools, many network administrators still use Nmap to assess their network. This is not another "How to scan with Nmap" tutorial, but how it can be used efficiently.
Executive Level
Managing Risk
7 Steps to Improve Your Security Posture
Cybersecurity compliance and security posture can be difficult concepts for companies to grasp. After all, there are numerous potential threats out there, and it can be tough to know where to start in terms of protecting your business. There are some basic steps that every company can take to improve their overall security program, and we'll get into those a little later in this article.
General
Announcement
We've Changed Our Name To SYN CUBES
When we initially started almost four years ago, our vision was to use our extensive knowledge and create the most incredible Pentest as a Service (PTaaS) solution out there. At the same time, we also wanted to approach things differently...
If you're looking to get into the world of Jenkins and CI/CD pipelines, this blog post is for you. I'll cover what Jenkins is, the benefits of using it, what are the most important CVEs affecting it, and a couple of resources worth looking into. Then you can use all this knowledge to your advantage and secure your pipeline.
Pentesting
Opinion
Pentesting in a Changing World - Where Do We Go From Here?
It's a no-brainer that any company worth its weight should have sound cybersecurity measures in place. But what's equally important, and often overlooked, is that those measures should be regularly tested to inform businesses of any potential threats before they happen.
API / Misconfiguration
Google Maps
A Pentester Story - How to Increase the Impact of an Underrated Issue
Too many organizations are risking their financial stability by not implementing proper security boundaries when using the Google Maps API key. If you're in charge of an application that needs access to this service, be sure you have configured it properly and placed appropriate security controls to prevent external abuse.
Compliance
SOC 2 Type 2
Demystifying SOC 2 Type II Compliance Audit - What a Pentester Needs to Know
Drawing an early line in the sand: an audit and security are NOT the same thing. Even if a company meets a defined maturity of controls, that does not necessarily mean it is secure. A compliance framework relies on a solid set of standards and regulations that work on a set of assumptions.
AppSec / Java
CVE-2021-44228
Java Log4j Vulnerability (CVE-2021-44228) - Keep Your Head Cool
The Java Log4j vulnerability proved to be one of the most severe security flaws in years. Six hours after the initial Proof-of-Concept was published, the situation escalated quickly: the exploit was already reported to be weaponized and used at scale.
GANs emerged as a cutting-edge technology around six years ago. Using them showed that there are endless possibilities for generating realistic fake photos. In this blog I am describing my experience dealing with an unexpected situation while using a social media platform.
Security Engineering
OSINT
PDF Documents Metadata and Practical Examples of How to Handle It
In this blog post we explore and detail a couple of straightforward technical solutions that any business can consider during the process of limiting information exposure through its public documents metadata fields.
Security Engineering
C-Level
Pentesting is Just the Beginning
The Security Engineering skill set gap has created a substantial market for contract-based pentesting - a gig-style, one-and-done arrangement driven by global freelancing and bug bounty platforms.
Offensive Security Testing
C-Level
Standard Pentest vs. Adversarial Simulation
If you are a C-level executive, a CISO, or hold a similar position, this article details a few hints about what a mature security vendor should provide to you as part of an engagement journey.
CRM
Information Disclosure
Probing Oracle Eloqua CRM for Sensitive Information Exposure
Jon Lu discloses his steps to trigger a Sensitive Information Exposure issue, starting by analyzing a couple of analytics tracking IDs and then investigating further a low-impact security misconfiguration.
Browser
Extensions
Microsoft Edge and the new attack surface
We take an introspective look at Microsoft's stunning move of launching its new Edge browser to millions of Microsoft Windows 10 users via Windows Update. Microsoft's new Edge browser is based on the Chromium engine, the same engine behind the leading competitor browser, Chrome.
Introduction to Fuzzing JavaScriptCore on MacOS with AFL++
In this whitepaper, we'll focus on setting up a fuzzing environment on macOS 10.15.7.
Server Message Block (SMB)
Tutorials and Articles
Fuzzing Server Message Block (SMB) on macOS with Mutiny Fuzzing Framework
In this blog post, we will focus on setting up a fuzzing environment on Ubuntu 20.04.1 LTS with macOS 10.15.7 as the target, and we will set up everything manually without using the Decept Proxy.
Mobile Security Testing
iOS
Bypassing common Jailbreak detection mechanisms - Part I
For the task ahead, we are going to use a jailbroken iPhone running iOS 14.3 (the latest version as of writing), Hopper Disassembler for reverse-engineering the application and Frida (dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers).
Mobile Security Testing
iOS
Bypassing common Jailbreak detection mechanisms - Part II
Writing a jailbreak detection bypass script using Frida. As in Part I, we will describe the complete process of inspecting the application and writing scripts from the ground up to evade a jailbreak detection.