
After experts noticed a rapid increase in cyberattacks on local authorities and government agencies in 2023, the horror stories don’t stop in 2024. The pressure to act is enormous, as the EU’s NIS2 Directive will come into force in October and makes risk and vulnerability management mandatory.

“The threat level is higher than ever,” said Claudia Plattner, President of the German Federal Office for Information Security (BSI), at Bitkom in early March. The question is not whether an attack will be successful, but only when. The BSI’s annual reports, for example the most recent report from 2023, also speak volumes in this regard. However, according to Plattner, it is striking how often local authorities, hospitals and other public institutions are at the centre of attacks. There is “not a problem with measures but with implementation in companies and authorities”, said Plattner. One thing is clear: vulnerability management such as Greenbone’s can provide protection and help to avoid the worst.

US authorities infiltrated by Chinese hackers

In view of the numerous serious security incidents, vulnerability management is becoming more important every year. Almost 70 new security vulnerabilities have been added every day in recent months. Some of them opened the door to attackers deep inside US authorities, as reported in the Greenbone Enterprise Blog:

According to the media, US authorities have been infiltrated for years by Chinese hacker groups such as the presumably state-sponsored “Volt Typhoon” via serious security gaps. The fact that Volt Typhoon and similar groups are a major problem was even confirmed by Microsoft itself in a blog post back in May 2023. But that’s not all: German media reported that Volt Typhoon is taking advantage of the abundant vulnerabilities in VPN gateways and routers from Fortinet, Ivanti, Netgear, Citrix and Cisco. These are currently considered to be particularly vulnerable.

The fact that the quasi-monopolist in office software, groupware, operating systems and various cloud services also had to admit in 2023 that it had let the master key for large parts of its Microsoft cloud be stolen destroyed trust in the Redmond software manufacturer in many places. Anyone who has this key no longer needs a backdoor into Microsoft systems. Chinese hackers are also suspected in this case.

Software manufacturers and suppliers

The supply chain for software manufacturers has been under particular scrutiny by manufacturers and users not only since log4j or the European Cyber Resilience Act. The recent example of the attack on the XZ compression tool (xz-utils) used in Linux distributions also shows the vulnerability of manufacturers. In the case of the “#xzbackdoor”, a combination of pure coincidence and the activities of Andres Freund, a German developer of open source software at Microsoft with a strong focus on performance, prevented the worst from happening.

An abyss opened up here: It was only thanks to open source development and a joint effort by the community that it came to light that actors had been using changing fake names with various accounts for years with a high level of criminal energy and with methods that would otherwise be more likely to be used by secret services. With little or no user history, they used sophisticated social scams, exploited the notorious overload of operators and gained the trust of freelance developers. This enabled them to introduce malicious code into software almost unnoticed. In the end, it was only thanks to Freund’s interest in performance that the attack was discovered and the attempt to insert a backdoor into a tool failed.

US officials also see authorities and institutions as being particularly threatened in this case, even if the attack appears to be rather untargeted and designed for mass use. The issue is complex and far from over, let alone fully understood. One thing is certain: the usernames of the accounts used by the attackers were deliberately falsified. We will continue to report on this in the Greenbone blog.

European legislators react

Vulnerability management cannot prevent such attacks, but it provides indispensable services by proactively warning and alerting administrators as soon as such an attack becomes known – usually before an attacker has been able to compromise systems. In view of all the difficulties and dramatic incidents, it is not surprising that legislators have also recognised the magnitude of the problem and are declaring vulnerability management to be standard and best practice in more and more scenarios.

Laws and regulations such as the EU’s new NIS2 directive make the use of vulnerability management mandatory, including in the software supply chain. Even if NIS2 only actually applies to around 180,000 organisations and companies in the critical infrastructure (KRITIS) or “particularly important” or “significant” companies in Europe, the regulations are fundamentally sensible – and will be mandatory from October. The EU Commission emphasises that “operators of essential services” must “take appropriate security measures and inform the competent national authorities of serious incidents”. Important providers of digital services such as search engines, cloud computing services and online marketplaces must fulfil the security and notification requirements of the directive.

Mandatory from October: A “minimum set of cyber security measures”

The “Directive on measures for a high common level of cybersecurity across the Union (NIS2)” forces companies in the European Union to “implement a benchmark of minimum cybersecurity measures”, including risk management, training, policies and procedures, also and especially in cooperation with software suppliers. In Germany, the federal states are to define the exact implementation of the NIS2 regulations.

Do you have any questions about NIS2, the Cyber Resilience Act (CRA), vulnerability management in general or the security incidents described? Write to us! We look forward to working with you to find the right compliance solution and give your IT infrastructure the protection it needs in the face of today’s serious attacks.


It doesn’t get any greener? Not at all! We have just completed certification of our environmental management system in accordance with ISO 14001. And we have realised: There is always room for getting “greener” – you just have to be committed and willing to drive this commitment forward in measurable progress.

Greenbone passes ISO 14001 Certification.

The international standard ISO 14001 defines requirements that companies can use to achieve environmental goals and fulfil legal obligations. Because the environmental niche is different for every organisation, the standard does not specify absolute values and targets, but it does emphasise integration into quality management, C-level responsibility for environmental management and the elimination of ambiguity regarding environmental targets.

Targets, objectives, key figures: A dry framework for green growth

The current German version of the standard, DIN EN ISO 14001:2015, places particular emphasis on “environmental performance improvement” and its measurement using appropriate indicators. The ecological objectives thus relate to the upstream and downstream environmental impact of products and services as well as the consideration of opportunities and risks in day-to-day business. The whole process is to be set up as part of a continuous improvement process (CIP) so that the effects of each new measure can be monitored and adapted accordingly. With this certification, we are proud to be able to announce another important step towards a company that is not only “green” on the outside, in the company logo, but also on the inside.

Back in autumn 2023, when the “Environmental Management System” was introduced, it was clear to us: we may not be able to save the world, but every step in this direction is important to us! So, step by step, we started by collecting all aspects that could have an impact on the environment. After ranking the factors and prioritising them, eleven areas emerged in which Greenbone can become ecologically effective and active: Starting with electricity consumption, cooling servers, heating offices and dispatching goods, through to waste separation and the energy efficiency of our appliances.

And again and again: measure…

As a company that emphasises the realisation and clear presentation of objectives, Greenbone is already certified according to ISO 9001:2015 (quality management) and ISO 27001:2017 (information security) as well as within the framework of TISAX for the Information Security Management System (ISMS). For ISO 14001, we have concretised our objectives in clearly defined key performance indicators (KPIs) in order to make them available for subsequent measurements. This allows us to readjust existing measures and introduce further improvements. What initially sounds dry is already bearing its first “green” fruits:

  • Our electricity has been supplied entirely from renewable energy sources since the company was founded. Total consumption – including clients and servers – is set to be reduced by a further 3% in the near future.
  • Whenever we purchase new equipment, we pay particular attention to sustainability and energy efficiency.
  • Since 2020, we have only used electric cars as company vehicles.
  • We have switched to digital payroll accounting.
  • The server room is regularly checked for potential savings.
  • We also prioritise environmental protection on a small scale: Waste is only collected centrally and packaging material is reused as a matter of principle.

To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.

Two security vulnerabilities in SharePoint – both from last year – are currently causing trouble for SharePoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vulnerability in MS SharePoint

Remote Privilege Execution

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights on a company’s SharePoint server. Details of the attack were published back in September 2023 at the Pwn2Own conference in Vancouver and can be found on the Singapore Starlabs blog, for example.

Massive attacks have now led to CISA recently issuing a warning about these vulnerabilities and including CVE-2023-29357 in its catalog of known exploited vulnerabilities. However, Greenbone has already had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months – in authenticated and unauthenticated scan mode.

Microsoft advises its customers on its website to update to the SharePoint Server 2019 version of June 13, 2023 (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should enable the Antimalware Scan Interface (AMSI) integration and activate Microsoft Defender on the SharePoint server. Otherwise, attackers could bypass authentication with forged authentication tokens and gain administrator rights.

Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of work here and ensure security – as a hardware or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.

5 Known Juniper Junos Vulnerabilities Being Actively Exploited

CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.

Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. The Greenbone Enterprise Feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Ethernet Switches and SRX Series Services Gateways) on August 18, 2023, immediately after they were disclosed.

Here is a brief description of each CVE:

  • CVE-2023-36844 (CVSS 5.3 Medium): A PHP External Variable Modification [CWE-473] vulnerability exists in J-Web, a tool used for remote configuration and management of Junos OS. The vulnerability allows an unauthenticated, network-based attacker to modify sensitive PHP environment variables. CVE-2023-36844 allows chaining to other vulnerabilities that lead to unauthenticated RCE.
  • CVE-2023-36845 (CVSS 9.8 Critical): A PHP External Variable Modification vulnerability [CWE-473] in J-Web allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request that sets the variable PHPRC an attacker is able to modify the PHP execution environment to inject and execute code.
  • CVE-2023-36846 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity with a specific request to user.php via J-Web. Without authentication, an attacker is able to upload arbitrary files [CWE-434] which allows chaining to other vulnerabilities including unauthenticated RCE.
  • CVE-2023-36847 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a malicious request to installAppPackage.php via J-Web an attacker is able to upload arbitrary files [CWE-434] without authentication, which may allow chaining to other vulnerabilities that lead to RCE.
  • CVE-2023-36851 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a specific request to webauth_operation.php that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web [CWE-434], leading to a loss of integrity for a certain part of the file system and chaining to other vulnerabilities.

Understanding The Attack Trajectory

Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities meaning that various functions of the J-Web device management web application do not implement proper authentication checks.

Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:

The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-Web’s `webauth_operation.php` file implemented a different method of authentication than the rest of the application: it invokes the `sajax_handle_client_request()` function with the value `false` as the `doauth` parameter, so no authentication is performed. That `sajax_handle_client_request()` function is designed to execute J-Web’s built-in functions when they are named in a `$_POST` variable, including the `do_upload()` function used to upload files.

CVE-2023-36845 is a vulnerability in the Junos web server that allows system environment variables to be set via the `name` field of an HTTP POST request when a `Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server is likely built on the proprietary GoAhead web server.

Executing the uploaded file is possible by setting the PHPRC environment variable, using it to load an unauthorized PHP configuration `php.ini` file also uploaded via CVE-2023-36846 that contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain
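As an added example (not Greenbone’s vulnerability tests and not code from the watchTowr write-up), the following Python reads a raw HTTP request, as a reverse proxy or IDS hook placed in front of the J-Web interface might see it, and flags the indicators of the chain just described: a POST to one of the J-Web scripts named above, a form field dispatching to `do_upload`, a multipart field whose name is an environment variable such as `PHPRC`, and an uploaded `php.ini` that sets `auto_prepend_file`. The endpoint list, the environment-variable set and both sample requests are constructed for the illustration; the field name `func` is a placeholder, not the real sajax parameter name.

```python
"""Request-level detection of the J-Web exploit chain indicators.
Added illustration, not Greenbone's or Juniper's code. Assumes a proxy or IDS
hook hands it the raw HTTP request bytes in front of the management interface."""
import re
from urllib.parse import parse_qsl

# J-Web scripts that the CVE descriptions above say are reachable without authentication
UNAUTH_ENDPOINTS = ("webauth_operation.php", "user.php", "installAppPackage.php")
# Variables that change how the PHP interpreter or the dynamic loader starts (assumed set)
SENSITIVE_ENV_VARS = {"PHPRC", "LD_PRELOAD", "LD_LIBRARY_PATH"}
# Field names shaped like environment variables: lower-confidence heuristic
ENV_SHAPED = re.compile(r"[A-Z][A-Z0-9_]{2,}")
# php.ini directives that make PHP execute a file on every request
DANGEROUS_INI = re.compile(r"^\s*auto_(prepend|append)_file\s*=", re.M)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def form_fields(headers: dict, body: bytes):
    """Yield (name, filename, content) per form field for urlencoded and multipart bodies."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body.decode("latin-1")):
            yield name, None, value.encode("latin-1")
        return
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return
    boundary = b"--" + m.group(1).encode("latin-1")
    for chunk in body.split(boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        part_head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'\bname="([^"]*)"', part_head)       # \b excludes "filename="
        fname = re.search(rb'filename="([^"]*)"', part_head)
        yield (name.group(1).decode("latin-1") if name else "",
               fname.group(1).decode("latin-1") if fname else None,
               content.rstrip(b"\r\n"))


def inspect_request(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if method == "POST" and path.rsplit("/", 1)[-1] in UNAUTH_ENDPOINTS:
        findings.append(f"POST to J-Web endpoint that skips authentication: {path}")
    for name, fname, content in form_fields(headers, body):
        if name in SENSITIVE_ENV_VARS:
            findings.append(f"form field named after a sensitive environment variable: {name}")
        elif ENV_SHAPED.fullmatch(name):
            findings.append(f"form field named like an environment variable: {name}")
        if content.strip() == b"do_upload":
            findings.append(f"sajax dispatch to do_upload via field {name!r}")
        if fname is not None and DANGEROUS_INI.search(content.decode("latin-1", "replace")):
            findings.append(f"uploaded file {fname!r} sets auto_prepend_file/auto_append_file")
    return findings


# Constructed sample: an ordinary form login, expected to produce no findings
BENIGN = (b"POST /login.php HTTP/1.1\r\nHost: jweb.example.invalid\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"username=admin&password=secret")

# Constructed sample with only the *shape* of the chain: placeholder paths, no payload
SUSPICIOUS = (
    b"POST /webauth_operation.php HTTP/1.1\r\nHost: jweb.example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
    b'--xyz\r\nContent-Disposition: form-data; name="func"\r\n\r\ndo_upload\r\n'
    b'--xyz\r\nContent-Disposition: form-data; name="PHPRC"\r\n\r\n/tmp/placeholder\r\n'
    b'--xyz\r\nContent-Disposition: form-data; name="file"; filename="php.ini"\r\n\r\n'
    b"auto_prepend_file=/tmp/placeholder.php\r\n--xyz--\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_request(req) or "clean")
```

Any single finding is worth logging; the combination of an unauthenticated endpoint, an environment-variable field name and an `auto_prepend_file` upload in one request is the chain itself and should block the request and page an operator. The `ENV_SHAPED` heuristic will occasionally match legitimate upper-case field names, so treat it as a lower-severity signal than the explicit `SENSITIVE_ENV_VARS` match.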

Mitigation Of Recent Juniper Junos Vulnerabilities

The 5 new CVEs affect Juniper Networks Junos OS on EX Series Ethernet Switches and SRX Series Services Gateways, specifically Junos OS version 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on the EX and SRX Series appliances.

The best mitigation option is to install the Junos OS security patches. If you cannot install the officially provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list that restricts access to trusted hosts only, can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only the client IP addresses that require it can prevent exploitation of similar, yet undiscovered, remotely exploitable zero-day vulnerabilities.
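The affected-version list and the interim mitigations above translate directly into a patch triage routine. The following Python is an added example, not Greenbone’s version check or Juniper code. It assumes the common Junos OS version layout (`21.4R3-S4`, `15.1X49-D170`), takes the affected branches from the list on this page, and, because the fixed release within each branch is not given here, reports every host on an affected branch for follow-up against the vendor advisory; hostnames and versions in the sample fleet are constructed.

```python
"""Patch triage for the Junos OS J-Web CVEs: affected branch x interim mitigation.
Added example; not Greenbone's version check. Branch list follows the post above."""
import re
from dataclasses import dataclass

# Branches the post lists as affected on EX and SRX Series: 20.4 and prior, 21.1 .. 22.4, 23.2
LAST_LEGACY_BRANCH = (20, 4)
LISTED_BRANCHES = {(21, 1), (21, 2), (21, 3), (21, 4),
                   (22, 1), (22, 2), (22, 3), (22, 4), (23, 2)}

# Assumed layout: MAJOR.MINOR[R|X release][-S|-D service][.build], e.g. 21.4R3-S4, 15.1X49-D170
JUNOS_VERSION = re.compile(r"^(\d+)\.(\d+)(?:[RX]\d+)?(?:-[SD]\d+)?(?:\.\d+)?$")


def junos_branch(version: str) -> tuple:
    """Extract the (major, minor) release branch from a Junos OS version string."""
    m = JUNOS_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos OS version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def branch_affected(version: str) -> bool:
    """True when the branch is on the affected list; the exact fixed release inside
    an affected branch must be confirmed against the Juniper advisory."""
    branch = junos_branch(version)
    return branch <= LAST_LEGACY_BRANCH or branch in LISTED_BRANCHES


@dataclass
class Device:
    name: str
    version: str
    jweb_enabled: bool        # J-Web management interface switched on
    mgmt_accept_list: bool    # firewall accept list limits management access to trusted hosts


def triage(device: Device) -> str:
    """Map one device to an action, following the mitigation order given above."""
    if not branch_affected(device.version):
        return "no-action"
    if not device.jweb_enabled:
        return "patch-scheduled"      # vulnerable component is off; patch on the normal cycle
    if device.mgmt_accept_list:
        return "patch-soon"           # reachable only from trusted hosts
    return "patch-now"                # affected branch with J-Web open to untrusted clients


def triage_fleet(devices):
    """Whole fleet as (action, name) pairs, most urgent first."""
    order = {"patch-now": 0, "patch-soon": 1, "patch-scheduled": 2, "no-action": 3}
    return sorted(((triage(d), d.name) for d in devices), key=lambda r: (order[r[0]], r[1]))


# Constructed sample fleet: names and versions are made up
SAMPLE_FLEET = [
    Device("edge-sw-1", "21.4R3-S4", jweb_enabled=True, mgmt_accept_list=False),
    Device("dc-fw-1", "22.4R2", jweb_enabled=True, mgmt_accept_list=True),
    Device("lab-sw-1", "19.4R3-S5", jweb_enabled=False, mgmt_accept_list=False),
    Device("core-sw-1", "23.4R1", jweb_enabled=True, mgmt_accept_list=False),
]

if __name__ == "__main__":
    for action, name in triage_fleet(SAMPLE_FLEET):
        print(f"{action:16} {name}")
```

The `jweb_enabled` and `mgmt_accept_list` facts are exactly the kind of detail a version-only check cannot see; they come from configuration review or an authenticated scan, which is why the page distinguishes authenticated from unauthenticated checks.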

Every year, IT and cyber security experts from public authorities, federal, state and local governments as well as the armed forces, police and intelligence services meet for the cyber security congress “Public IT Security” (PITS), initiated by Behörden Spiegel. In 2023, the topic of vulnerabilities was once again at the top of the agenda.

This year, our CEO Dr. Jan-Oliver Wagner was invited as an expert to take part in the panel discussion “Putting a finger on a wound – managing or closing vulnerabilities?” Moderated by Katharina Sook Hee Koch from the Federal Office for Information Security (BSI), the panel included representatives from the German Informatics Society (Nikolas Becker, Head of Policy & Science), the Bundestag Committee on Digital Affairs (MdB Catarina dos Santos-Wintz, CDU/CSU), the BSI itself (Dr. Dirk Häger, Head of Department Operative Cyber Security) for an exchange of views. Dirk Kunze from the North Rhine-Westphalia State Criminal Police Office (Head of the Cybercrime/Cyber Investigations Department in the Research and Investigation Centre) was present on behalf of the executive.

From left: Catarina dos Santos-Wintz, Dirk Kunze, Katharina Sook Hee Koch, Dr. Dirk Häger, Dr. Jan-Oliver Wagner, Nikolas Becker (Photo: Greenbone AG)

Should vulnerabilities be closed? By all means!

The debate quickly centered on the question of whether and how (quickly) vulnerabilities in software should be closed and/or whether this would impair the work of investigative authorities. There was great unanimity among those present that the security of citizens had the highest priority. Keeping vulnerabilities open, even for political reasons, is hardly an option, both for cost reasons (exploits are expensive) and in risk assessment.

On the contrary, open-source software should be strengthened and more rewards (bug bounties) should be offered to experts who actively search for vulnerabilities. The BSI is also firmly convinced: “Basically, vulnerabilities must be closed.” (Häger). In criminal practice, the topic apparently plays a subordinate role anyway: the police, according to the LKA in North Rhine-Westphalia, know of only a few cases where it could have helped to keep vulnerabilities open. However, open vulnerabilities are still seen as a possible element for investigations. But of course, the decision of the politicians will be followed.

Dr. Jan-Oliver Wagner: “Vulnerability management is becoming increasingly important!”

Greenbone CEO Wagner warns that the number of open vulnerabilities will increase rather than decrease in the coming years. This is despite the fact that good progress is being made with regard to security in software development. However, the regulations and thus the pressure on companies by the legislator are also becoming stricter – not necessarily a bad thing, but it does create a need for action: “The upcoming Common Security Advisory Framework (CSAF 2.0) and the EU’s Cyber Resilience Act (CRA), will significantly increase the number of known vulnerabilities.”

The CSAF makes it easier for manufacturers to report vulnerabilities, while the Cyber Resilience Act also brings responsibility to the hoover manufacturer, i.e. to all parts of the economy. If you don’t want to lose track of this, you need vulnerability management like Greenbone’s, explains Wagner. “Upcoming regulations bring the issue of vulnerabilities into all parts of the economy, as now every manufacturer is responsible for the security of the devices and their software, including, for example, manufacturers for hoover robots or other smart household appliances – For the entire life of the product!”

Vulnerability management is risk management

Vulnerability management today is pure risk management for the professional user, as it is already practiced in insurance companies – decisions are made about which vulnerabilities need to be closed and which can or must wait (triage).

This is exactly where our vulnerability management products come in – as a hardware or virtual appliance or in the Greenbone Cloud Service. Greenbone develops an open source vulnerability management solution that allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete instructions for action that you can implement immediately.

We work strictly in accordance with the GDPR and offer an open source solution. This means the best possible data protection compliance, and the product is thus guaranteed to be free of backdoors.


Protecting against cyberattacks by minimizing your attack surface rests on three essential pillars:

  • Vulnerability Intelligence: know everything about vulnerabilities and risks immediately.
  • Asset Intelligence: scan all the TCP/IP protocols, dive deep into assets and use other sources of asset details.
  • Vulnerability Scanning: create, deploy and execute vulnerability tests fast and by priority.

Vulnerability Intelligence

Vulnerability Intelligence helps with two jobs. First, you must decide which attack vectors to address and which ones you accept. This decision is not easy and may have a far-reaching impact; worse, it has to be made under time pressure and with limited resources. In other words, this decision is (sometimes) a triage. The better the information about the vulnerability, the better the decision, and the more evidence you get, the less personal educated guessing you have to add. Once you have decided which attack vectors to address, the technical details in the vulnerability intelligence guide an efficient remediation. Knowing how easy or complicated a remediation is already supports you during the priority decision.

Asset Intelligence

Asset Intelligence is about knowing as much as possible about the assets that you have to protect from cyber-attacks. It may sound strange, but the first part of this is knowing which assets you have. Networks can be pretty dynamic because your people are very dynamic about extending and connecting services and devices. Scanning for the existence of assets and scanning into them are equally important. Both build the inventory that you will later compare with the incoming vulnerability intelligence on new attack vectors. There are expected details like product versions, and there are unexpected details that only become relevant when a security advisory is published. For the first case you build a database allowing quick offline scans upon new advisories. For the latter case you need the ability to use arbitrary TCP/IP protocols to collect the information required to determine the presence of a vulnerability. A special case is notional assets represented by inventories or a Software Bill of Materials (SBOM), for example devices that are subject to the EU Cyber Resilience Act.

Vulnerability Scanning

The art of Vulnerability Scanning begins with the creation of tests, usually derived from Vulnerability Intelligence and verified thoroughly. The growing number of security advisories makes this also a business of priority decisions about which advisories to address first. Learning about the asset inventories of our customers helps us to do this job even better for them. After rapid deployment of the tests, the art of vulnerability scanning finishes with a fast, powerful and easy-to-deploy set of scanners. In simple words, those scanners compare the vulnerability intelligence with the asset intelligence to list the current attack surface. Scanning can be as simple as comparing a version number or as complex as a multi-stage exploit via TCP/IP. At the end of the day the result is a vulnerability status with high relevance and high quality of detection, and so will be your vulnerability remediation and vulnerability reporting.
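The comparison of asset intelligence with vulnerability intelligence that the three pillars describe, as an added example that is not Greenbone’s scanner or feed code: an inventory indexed by product so that a new advisory can be matched offline against stored version data, half-open affected-version ranges, and the distinction between an asset that is confirmed affected and one where the advisory depends on a detail the inventory never collected and that therefore needs an active check. Products, versions, advisory identifiers and hostnames are constructed sample data.

```python
"""Offline matching of an asset inventory against security advisories.
Added example, not Greenbone's scanner or feed code. All products, versions,
advisory ids and hostnames below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


def version_key(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple: '2.4.57' -> (2, 4, 57)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Asset:
    host: str
    product: str                      # normalised product name, e.g. derived from a CPE
    version: str                      # the "expected detail" every inventory holds
    details: dict = field(default_factory=dict)   # facts only a deeper scan collects


@dataclass
class Advisory:
    id: str
    product: str
    affected: tuple                   # ((first affected, first fixed), ...) half-open ranges
    cvss: float
    exploited: bool = False           # known exploited in the wild, e.g. listed in CISA KEV
    requires: dict = field(default_factory=dict)  # preconditions beyond the version


def in_affected_range(version: str, ranges) -> bool:
    v = version_key(version)
    return any(version_key(lo) <= v < version_key(hi) for lo, hi in ranges)


class Inventory:
    """Asset database indexed by product, so a new advisory is checked offline
    against stored data instead of triggering a network rescan."""

    def __init__(self, assets):
        self.by_product = defaultdict(list)
        for asset in assets:
            self.by_product[asset.product].append(asset)

    def match(self, adv: Advisory):
        """(asset, status) pairs: 'affected' when version and preconditions match,
        'needs-active-check' when a precondition was never collected."""
        hits = []
        for asset in self.by_product.get(adv.product, []):
            if not in_affected_range(asset.version, adv.affected):
                continue
            status = "affected"
            for key, needed in adv.requires.items():
                if key not in asset.details:
                    status = "needs-active-check"   # unexpected detail: go and scan for it
                    break
                if asset.details[key] != needed:
                    status = "not-affected"
                    break
            if status != "not-affected":
                hits.append((asset, status))
        return hits


def attack_surface(inventory: Inventory, advisories):
    """Current attack surface as (advisory id, host, status), ordered for triage:
    advisories exploited in the wild first, then by CVSS, then by id and host."""
    rows = []
    for adv in advisories:
        for asset, status in inventory.match(adv):
            rows.append((not adv.exploited, -adv.cvss, adv.id, asset.host, status))
    return [(adv_id, host, status) for _, _, adv_id, host, status in sorted(rows)]


# Constructed sample inventory and advisories
SAMPLE_ASSETS = [
    Asset("web-01", "acme:httpd", "2.4.50"),
    Asset("web-02", "acme:httpd", "2.4.58"),
    Asset("vpn-01", "acme:vpngw", "9.1.3", {"webui_enabled": True}),
    Asset("vpn-02", "acme:vpngw", "9.1.3"),                        # never deep-scanned
    Asset("vpn-03", "acme:vpngw", "9.1.3", {"webui_enabled": False}),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "acme:httpd", (("2.4.0", "2.4.52"),), cvss=7.5),
    Advisory("ADV-0002", "acme:vpngw", (("9.0.0", "9.1.5"),), cvss=9.8,
             exploited=True, requires={"webui_enabled": True}),
]

if __name__ == "__main__":
    for row in attack_surface(Inventory(SAMPLE_ASSETS), SAMPLE_ADVISORIES):
        print(*row)
```

The `needs-active-check` status is the hand-off point between the offline database and the scanner: the version alone says the host may be affected, and only a test that speaks the service’s own protocol can settle whether the precondition (here a web UI being enabled) actually holds.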


 

The long-standing cooperation between Greenbone AG and the University of Osnabrück has once again resulted in a successful master’s thesis.

Under the title “Development of an Automated Network Perimeter Threat Prevention System (DETERRERS)”, Nikolas Wintering wrote his master’s thesis in the Mathematics, Physics, and Computer Science working group of the Department of Mathematics/Computer Science at the University of Osnabrück, developing a system for automated threat prevention at the network perimeter of a university campus network.

Particularly at risk: universities

Universities are vibrant centers of information exchange and collaboration; with their numerous hosts and a multitude of services, they offer a large attack surface for cyber threats. It is therefore enormously important for educational institutions to identify vulnerable points and automatically isolate them from the internet.

Automated vulnerability management

By automating the interactions between administrators, vulnerability scanners, and perimeter firewalls, administrators are thus supported in their work, and the university IT network is protected. Part of the system developed in the master’s thesis is also the automation of the risk assessment of the vulnerability scan results and the generation of host-based firewall configurations.

“Through the use of DETERRERS and the associated adaptation of the release processes, the security in the university network could be massively improved with very little additional effort for administrators. With the automated mitigation, it is also possible to react to new threats at short notice and thus quickly close a potential new attack surface without long manual runtimes.”
Eric Lanfer, M. Sc. (Osnabrück Computing Center, Networks Group)

Practical application and a free demonstrator

Based on a practical application in a campus network, Wintering evaluates how the risk assessment works, how the attack surface is reduced, and what effects the system has on the work of administrators. In the process, a demonstrator was also created, whose source code and functionality can be viewed and tested by interested parties on GitHub. In the long term, a continuation as an open-source project is planned.

“This is a very successful work with clear added value for practice. Making efficient security mechanisms usable in everyday life is often a big challenge, and this master’s thesis makes very convincing contributions to this.”
Prof. Dr. rer. nat. Nils Aschenbruck (University of Osnabrück, Institute of Computer Science, Distributed Systems Group)

Greenbone: experts for universities and more

Greenbone has been supplying numerous customers in the university environment with vulnerability management products for many years. Thanks to this extensive experience, we have always been able to identify and collect industry-specific requirements and incorporate them into the further development of our products.

The University of Osnabrück uses the Greenbone Enterprise Appliance 450, and we very much welcome the fact that this solution has now become part of a master’s thesis. We congratulate Nikolas Wintering on this successful scientific evaluation.


20 – 21 September 2023 | Berlin.

This year we are participating in Germany’s specialist congress for IT and cyber security for the state and administration.

Dr. Jan-Oliver Wagner, Greenbone, will speak together with

  • Dr. Dirk Häger, Head of Operational Cybersecurity Department, Federal Office for Information Security
  • Carsten Meywirth, Head of Cybercrime Department, Federal Criminal Police Office
  • Nikolas Becker, Head of Policy & Science, German Informatics Society and
  • Catarina dos Santos-Wintz, Member of the German Bundestag (CDU/CSU) and member of the Committee for Digital Affairs

on: 21.09.2023
at: 9:20 am

in the main program about the topic: Putting a finger in the wound – managing or closing vulnerabilities?

Visit us in our lounge at stand 43 and exchange views with our experts on vulnerability management and cyber security.

More: https://www.public-it-security.de/anmeldung/


We live and work in the digital world. The issue of cybersecurity therefore affects us all – companies and government administrations as well as each and every one of us. This applies not only to our own direct use of digital systems, but also – sometimes even in particular – where others provide us with digitalized services that are sometimes merely desirable, but sometimes irreplaceable. It becomes existential at the latest where we depend on critical infrastructure: water, electricity, health, security and more.

As technical networking increases, nearly every digital device becomes a potential gateway for cyberattacks. Cybersecurity is therefore a technical, social and consumer issue.

The German government sensibly relies on (quote from the coalition agreement of the SPD, Bündnis 90 / Die Grünen and the FDP) “effective vulnerability management, with the aim of closing security gaps”. To establish a general resilience against cyber-attacks in Europe, the EU has launched the Cyber Resilience Act (CRA).

Cyber Resilience Act makes vulnerability management mandatory

In the Cyber Resilience Act (CRA), the EU member states have agreed on a common position – this was announced by the Council of the EU in a press release at the end of July and reports optimistically:
“An agreement that advances EU’s commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”
(https://www.consilium.europa.eu/en/press/press-releases/2023/07/19/cyber-resilience-act-member-states-agree-common-position-on-security-requirements-for-digital-products/)

The CRA is intended to anchor digital security in Europe for the long term through common cybersecurity standards for networked devices and services. The CRA therefore not only has a high impact on the manufacturers of digital devices; with it, the EU is also creating a new, norm-setting standard. As an IT security company, we have been supporting our customers in achieving the best possible security standard for 15 years. We see the new standardisation through the CRA as an opportunity and are happy to help our customers use it for even more security.

Continuously demonstrate security

The new CRA rules on vulnerability handling and detection, which are intended to “ensure the cybersecurity of digital products … and regulate obligations of economic operators such as importers or distributors with regard to these procedures”, pose challenges for many companies. Tools such as Greenbone’s vulnerability management make it much easier to comply with the new requirements. This extends to checking whether suppliers, for example, actually meet the security standards they are required to meet and have assured.

More responsibility

The CRA calls on companies to carry out regular, continuous and sustained vulnerability analyses and to have external audits performed for products classified as “critical”. This can be especially difficult for older products. Greenbone helps here too, because we can examine such products, which are often poorly documented, even while they are in operation.

Where our customers already do this regularly, they are able to act quickly and gain valuable time to mitigate potential risks.

Become active now

The CRA introduces rules to protect digital products that were not previously covered by law, so companies face new and major challenges that affect the entire supply chain.

We can help you meet the requirements. The Greenbone Vulnerability Management product series and the Greenbone Enterprise Appliances enable compliance with the CRA, on premises or from the cloud. Our experts will be happy to advise you.


Reduce the risk of an attack on your servers from the internet and take advantage of Greenbone’s latest offer: with our Pentesting Web Applications service, we help you achieve the best possible security for your web applications.

The numbers speak for themselves: attacks on web applications have been on the rise for years, and there is no end in sight. The complexity of modern web presences and services demands a high level of security measures and cannot be managed without testing by experts.

What helps here is “pentesting” of web applications, or more precisely “web application penetration testing”. In this attempt to penetrate protected systems from the outside, Greenbone’s experts perform an active analysis of vulnerabilities and can thus evaluate the security of a web application. Although there are guidelines such as the highly recommended one from the German Federal Office for Information Security (BSI), which describes the testing procedure, nothing can replace an expert who puts your system under the microscope in person. The video on this page gives a first impression of the work of our security experts.

Greenbone complies strictly with the GDPR (DSGVO) and is certified according to ISO 27001 and ISO 9001. As with its vulnerability management products, the web application pentests provide you with detailed reports on your security situation and clear instructions for action, which the Greenbone experts are happy to help you implement. The offer covers both the client and the server side of your web applications and is based on the most modern and up-to-date guidelines, for example the OWASP Top 10 or the OWASP Risk Assessment Framework (RAF). Whether it is cross-site scripting (XSS), SQL injection, information disclosure or command injection, whether there are gaps in the authentication mechanisms of your servers or WebSockets are the source of danger: Greenbone’s experts will find the vulnerabilities.
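To make the vulnerability classes named above concrete, here is an added example (my own illustration, not Greenbone code and not part of the original page) that places an insecure pattern next to its hardened form for SQL injection, reflected XSS and command injection, and includes a small black-box style probe of the kind a tester runs against a lookup endpoint. The user table, the `echo` command standing in for a real tool such as `ping`, and all payloads are constructed for the example.

```python
"""Added example (not Greenbone's code): insecure vs. hardened handling of
untrusted input for three of the vulnerability classes named in the text."""
import html
import sqlite3
import subprocess


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; stands in for an application DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(name: str) -> list:
    """SQL injection: user input is concatenated into the statement text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return _demo_db().execute(sql).fetchall()


def lookup_hardened(name: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL."""
    return _demo_db().execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def probe_sqli(lookup) -> bool:
    """Black-box style check: does a classic tautology payload return more
    rows than a benign name?  True means the lookup is injectable."""
    baseline = len(lookup("alice"))
    tampered = len(lookup("alice' OR '1'='1"))
    return tampered > baseline


def render_vulnerable(comment: str) -> str:
    """Reflected XSS: untrusted text is interpolated into HTML unescaped."""
    return f'<p class="comment">{comment}</p>'


def render_hardened(comment: str) -> str:
    """Escape for the HTML text context before interpolation."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def echo_vulnerable(value: str) -> str:
    """Command injection: input is pasted into a shell command line.
    'echo' stands in for a real tool such as ping; with shell=True the
    shell parses ';' and runs whatever follows it."""
    return subprocess.run(f"echo {value}", shell=True,
                          capture_output=True, text=True).stdout


def echo_hardened(value: str) -> str:
    """argv list without a shell: the whole string is one argument."""
    return subprocess.run(["echo", value],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "alice' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(payload))   # both rows leak
    print("hardened lookup:  ", lookup_hardened(payload))     # []
    print("injectable?", probe_sqli(lookup_vulnerable), probe_sqli(lookup_hardened))
    print(render_hardened("<script>alert(1)</script>"))
    print(echo_vulnerable("x; echo INJECTED"))
    print(echo_hardened("x; echo INJECTED"))
```

The probe only compares row counts, which is exactly the kind of behavioural difference a black-box tester looks for when the source is not available; a real engagement would go on to confirm the finding with time-based or error-based payloads and to check every parameter, not just one.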

As the world’s leading provider of open source vulnerability management products, Greenbone always has the latest expertise in dealing with vulnerabilities and security risks. This also applies to “black box testing”, in which our experts examine your systems from the outside, just as an attacker would. From the perspective of a potential attacker, you will ideally find every existing vulnerability in your IT infrastructure and can take care of fixing it. Only those who know their vulnerabilities can implement security measures in a targeted manner. Find out more about Greenbone AG’s products and services here.