After the completeness of over 50 Penetration Testing and Application Security projects during the 2020 year and many more since 2014, the BSG team shares its expertise in finding security vulnerabilities across many business verticals and industries. On the webinar, we will talk about: 1. Typical threat model of a modern business organization. 2. How the COVID-19 pandemic has changed that threat model? 3. What is Threat Modeling, and how it works for the BSG clients? 4. What is DARTS and how we secure sensitive customer data? 5. What is the BSG Web Application Pentester Training and why? 6. Top 10 critical cybersecurity vulnerabilities we found in 2020. We help our customers address their future security challenges: prevent data breaches and achieve compliance. *Slides - English language *Webinar - Ukrainian language The link on the webinar: https://youtu.be/fkdafStSgZE BSG 2020 Business Outcomes and Security Vulnerabilities Report: https://bit.ly/bsg2020report Contact details: https://bsg.tech hello@bsg.tech

1. Cybersecurity Vulnerabilities
of Your Business
https://bsg.tech
hello@bsg.tech

2. Over 15 years in cybersecurity
OSCP, CISSP, CISA
Blogger, podcaster, and conference speaker
Provides consulting services in software security,
cybersecurity awareness, strategy, and investment.
sapran@bsg.tech
Vlad
Styran

3. varusha@bsg.tech
10+ years of experience in IT-audit and
consulting, IT project management
Experiences in leading large outsourcing teams
in Ukraine, Poland, and USA
Experiences in building customer relationships
within the US, UK, and Western Europe
geographies.
Leads the BSG advisory practice and consults
large development teams in all aspects of
cybersecurity.
Andriy
Varusha

4. 8+ years in Application Security & Penetration
Testing
OSCP, eWPTX, eMAPT
BSG Training Lead
OWASP Kyiv chapter leader
Consults on getting started in application security, leads
application pentests, helps plan and implement
application security programs.
Serhii
Korolenko
pntstr@bsg.tech

5. Our job is to help companies in all aspects
of cybersecurity. We complete more than 50
Penetration Testing and Application Security
projects yearly. And we are aware of the
business security vulnerabilities across the
verticals.
We help our customers address their future
security challenges: prevent data breaches
and achieve compliance.
About BSG

6. 1. Typical threat model of a modern business organization.
2. How the COVID-19 pandemic has changed that threat model?
3. What is Threat Modeling, and how it works for the BSG clients?
4. What is DARTS and how we secure sensitive customer data?
5. What is the BSG Web Application Pentester Training and why?
6. Top 10 critical cybersecurity vulnerabilities we found in 2020.
7. Discussion and Q&A
Plan for Today

7. 1. Typical Business
Threat Model
Get done or get out
Get done or get hacked
Get done or get broke
Compliance
Security
Business model
Why others want our stuff
How others get our stuff
Who create our stuff
Market
Technology
People

8. 2. How COVID-19 Changed
All That in 2020
Compliance
Security
Business model
Relaxed, but regulators flex their muscle.
Went to hell and back. Ransomware is at all
times high. State cyber ops are booming.
Not much change or we do not see it.

9. 2. How COVID-19 Changed
All That in 2020
Market
Technology
People
A general decline in demand. Massive
supply chain disruptions.
Massive digitalization and migration to the
cloud.
Work from Home (or rather shelter from the
global catastrophe and try to do some work)

10. 3. What is Threat Modeling, and How
it Works for the BSG Clients?
https://youtu.be/u2tmLrwv-nc

11. 4. Dynamic Application
Red Team Simulation (DARTS)
Secure and efficient work with customer data
Appsec and pentest data sharing in a team
and with clients
Automated, template-based routines for
repated tasks
What we needed and could not find:
What would you choose:
security or effectiveness?

12. 5. Web Application
Pentester Training
Training as a new business
direction
The value of training program
Experience of the entire team
Two modules: beginner and
advanced
Real-world practical exam
BWAPT certificate

13. Projects and Clients
Review
BSG Security
Findings
https://bit.ly/bsg2020report

14. Top 10 Critical
Cybersecurity Vulnerabilities
When we find a critical vulnerability, we report it out immediately. It means that our client
does not have to wait for the pentest to end to start fixing the bug.
Criticals are the most dramatic and exciting encounters for us during the year.
Here is the list of the riskiest ones.

15. Insecure configuration means that admins or
DevOps could do something right, but for some
reason, did not.
From the Active Directory domain configuration to
the Amazon Web Services account policy, insecure
settings can lead to devastating incidents.
It does not relate to software updates, though, as
they usually open avenues for attacks that use other
types of critical vulnerabilities.
Insecure
Configuration
A rare, elite bug that allows us to make the
server-side of the app do things we tell it to
do.
As the RCE, although less often, it can lead to
a complete compromise. We can usually at
least map internal network segments and try
to exfiltrate sensitive data from the otherwise
unreachable locations. But when we can do
more, it becomes critical very quickly.
Server-Side
Request Forgery (SSRF)
01 02
Top 10 Critical Bugs

16. This type of bugs makes news only if there
is a way to abuse it to cause a Denial of
Service condition or, as in the critical case,
brute force username, password, or two-
factor authentication code.
This threat is relevant to most apps we test,
and we simulate it quite successfully. When
we can use this issue to gain access to a
high-privilege account, it is critical.
Lack of API
Rate Limits
When one user, say patient, can suddenly
read the data of other users, such as other
patients and even doctors, often en masse.
The prevalence of this bug is surprising for
many, but for us, it is rarely unexpected.
In most cases, developers just turn off the
authorization checks in a test software
version to speed up the testing procedures
and then forget to turn it back on before
moving to production.
Insecure Direct
Object Reference (IDOR)
03 04

17. 05 06
Broken
Business Logic
Broken
Access Control
Unlike most vulnerabilities usually exploited
by malicious hackers, business logic bugs are
discrepancies in application checks and
balances that could be abused by its regular
users. Security against your own customers is
a real thing, and it costs real money.
Last year we could manipulate the price of
goods, transfer negative amounts of money,
and create tens of users in the subscription
plans that allowed just a few.
Access control is key to any security policy,
and it very often goes wrong. Usually, the
developers or admins simply allow excessive
permissions to an unnecessarily wide variety
of subjects.
As a result, anyone logged into the cloud
platform can read, write, or otherwise access
the restricted areas. When these areas store
sensitive data, such as software updates or
legal documents, the issue becomes critical.

18. 08
07
Cross-Site
Scripting (XSS)
Broken
Authentication
Although it is a client-side bug that targets the
web application users and not the app owner,
critical XSS can lead to a user account takeover
and an ability to run arbitrary JavaScript code
with that user’s permissions.
When the target user is an admin or another
high-profile account, the XSS is critical.
Broken authentication always means a way
to circumvent some part of it: guess
usernames, pick passwords, turn off two-
factor authentication, etc.
Critical cases include complete
authentication bypass or anonymous
access to critical data or functions.

19. 09 10
Sensitive Information
Disclosure
Remote Code
Execution (RCE)
It comes in many forms but always means
that we have managed to access some
secrets lying around.
When we discovered logins and passwords
to highly privileged accounts or confidential
databases, some of these cases were
critical. And the majority of critical bugs were
of this type.
RCE is a type of bug that every pentester
and bug hunter dreams of.
Finding it means there is a way to
compromise not only the application we are
testing but the infrastructure below it, which
in most cases bears the highest risk and
pays out pretty well in bug bounties. Last
year we found a few.

20. Top 10 Popular Bugs
Bugs’ popularity may look like irrelevant
data that does not carry much business
sense.
But in fact, knowing what bugs are
more widespread can help you align
expectations of security threats.
Which in turn could help chose and
implement relevant countermeasures.

21. Our company name will change soon from Berezha
Security to an extended form of Berezha Security
Group, abbreviated as BSG. Shortly, you will start
seeing updates to our identity on the website, social
media, and elsewhere.
We believe Berezha Security’s rebranding will enable
our expansion and help us deliver a more fruitful
customer experience.
The New Brand

22. Stay in Touch With
If you have any questions,
please contact us at:
https://bsg.tech
hello@bsg.tech