One year anniversary of Heartbleed’s announcement, a new report shows that most large companies have not fully addressed the issue. According to a scan of Forbes Global 2000 companies, 74% of Forbes Global 2000 companies with public-facing systems vulnerable to Heartbleed (that’s 1,642 companies) have not taken every step to remediate the problem across all servers. “That’s 1,223 of the world’s largest and most valuable businesses still exposed to attacks,” the report says. (Source: Venafi)

System Engineers architects solutions, prepare and monitor production environments to deploy developers' code. This production setup can also introduce vulnerabilities that may leave the server vulnerable to a point that application security falls to earth.

Network devices threats include:

• Unnecessary port exposure: processes that are meant to listen on localhost, e.g., database, may be exposed unauthenticated to the internet-facing interface;
• Outdated and vulnerable packages: certain packages may not be up-to-date at the time of deploy and ignored during monitoring that may lead to remote code execution, deny of service and other vulnerabilities;
• Not hardened packages: packages by default usually are not secure. They need to be configured before being used, e.g., remove the web server banner to prevent the web server and its version from being identified. In case it is identified, cyber criminals can look for known exploits to compromise the entire server using the web server as the entrance point.

Gauntlet to the rescue

That said, we can help you many ways, including:

• Check for vulnerabilities in your servers and applications: You can use our cloud-based platform to check for outdated and vulnerable packages and unnecessary ports exposure in your servers;
• Review Server Recipes: in case you're using recipes on Ansible, Chef or Puppet for example to create your servers we can manually review them for security checks;
• Server Hardened Baseline: if you need to create a new secure baseline from the ground up to achieve your deployment needs, we have a service for that;
• Security training for system engineers: we have a security training tailored for you. An instructor that walks in your shoes and is extremely qualified to teach cybersecurity will pass his knowledge for you;
• Create/Improve Application Security Program Management: we can also develop or improve your application security program to guarantee that each phase of the software development life cycle (SDLC) is not introduzing vulnerabilities unnecessarily.

More things you'd like

Our cloud-based platform is:

• REST API Oriented: everything you can do using the web interface you can do using the API. The API Keys also can have a granular authorization;
• Role-Based Access Control: all the users must be inside a group and the group has the permissions. Those permission are to the level of methods and classes;
• Internal Testing: we can test your internal applications and servers either using SSH Tunnels or by deploying our Virtual Scan Appliance that will perform the scan and is integrated with our platform.