Secuna, the Philippines’ first and only cybersecurity testing platform, has reported that it has detected and resolved 494 vulnerabilities across 21 private local firms in 2021. This accounts for 45.57% of the total number of cybersecurity flaws fixed by the company since its inception.
According to Secuna’s report, 58.89% of the vulnerabilities it identified came from the enterprise technology sector, of which 30 were classified as critical, 56 as high, and 152 as medium severity. Financial services companies had the second-highest share of medium-risk vulnerabilities, accounting for 20% of the total weaknesses discovered. Of the vulnerabilities disclosed, 15.78% of the medium-, high-, or critical-risk findings affect the health sector, while 5.33% of the high- and medium-risk findings affect other organizations.
The top three “critical” vulnerability classes identified by Secuna’s certified cybersecurity testers are remote code execution flaws, SQL injection flaws, and exposed .git repositories. A remote code execution (RCE) vulnerability can be exploited to remotely control the target server, retrieve the entire source code, access the database, and even delete the server’s whole filesystem.
Secuna explained that the SQL injection vulnerabilities found by its penetration testers can be exploited by malicious users to obtain full access to the database and, depending on the privileges obtained, cause massive data breaches. Meanwhile, exposed .git repositories allow hackers to retrieve the source code of the target application along with, among other things, sensitive keys, passphrases, and tokens.
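A defender-side check for the exposed .git issue described above, added here as an example and not part of Secuna’s report or tooling. It assumes you are reviewing hosts you own (any `https://example.test` URL is a placeholder) and takes a pluggable `fetch` so the decision logic can be exercised offline with constructed responses.

```python
"""Self-check for an exposed .git directory on a web application you own.

Added example (not Secuna's tooling). Assumes you run it against hosts you
are authorised to review; the fetcher is injectable so the logic can be
exercised offline with constructed responses.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# A served .git/HEAD is either a symbolic ref or a detached 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")
# A served .git/config opens with the [core] section git writes on init.
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)

# A fetcher returns (status, body) for a URL, or None on connection failure.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


def http_fetch(url: str, timeout: float = 5.0) -> Optional[Tuple[int, str]]:
    """Plain urllib fetcher for a real check; HTTP errors keep their status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None


def check_git_exposure(base_url: str, fetch: Fetcher = http_fetch) -> dict:
    """Report which .git artefacts the server serves with genuine git content.

    A 200 alone is not enough: many apps answer 200 with an HTML error page
    for every path, so the body must look like what git itself writes.
    """
    base = base_url.rstrip("/")
    findings = {}
    for path, pattern in (("/.git/HEAD", HEAD_RE), ("/.git/config", CONFIG_RE)):
        result = fetch(base + path)
        findings[path] = (
            result is not None
            and result[0] == 200
            and pattern.search(result[1]) is not None
        )
    findings["exposed"] = findings["/.git/HEAD"] or findings["/.git/config"]
    return findings
```

If the check reports exposure, the fix is to keep the repository out of the document root or deny the `.git` path at the web server, then re-run the check.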
The platform’s vulnerability assessment and penetration testing services have also uncovered security weaknesses including zero-day flaws, cross-site scripting (XSS) issues, insecure direct object reference (IDOR) vulnerabilities, and missing security and privacy best practices, which, if neglected, could lead to severe consequences.
“Secuna encourages companies to review their assets for these security gaps and take measures to eliminate known vulnerabilities,” said CEO and Co-Founder AJ Dumanhug.
Meanwhile, Secuna’s bug bounty payouts increased to $24,045 for valid bug reports from its thousands of ethical hackers. Secuna’s bug bounty program (BBP) service allows its clients, which are compliant with Bangko Sentral ng Pilipinas and National Privacy Commission requirements, to collaborate with vetted security researchers around the world to identify potential security threats in their applications.
According to Dumanhug, for every valid bug submission from Secuna researchers, the program owners reward them depending on the severity of the vulnerability discovered.
“Cybercriminals are already testing your app to find potential loopholes that will allow them to compromise your application or server. Having no BBP will leave you clueless about potential vulnerabilities in your application. BBP solves this problem by allowing good hackers to report those potential vulnerabilities and allowing you to resolve them before cybercriminals exploit those vulnerabilities for their personal gain. BBP also helps clients maintain compliance by regularly testing their applications,” said Dumanhug.
Without a proper policy in place, security researchers might be less inclined to report a vulnerability, or cybercriminals might join the hunt.
Secuna requires a KYC (know your customer) check for hackers before they can hunt for vulnerabilities. The company currently offers a free subscription and only adds a 10% commission on top of every rewarded bug report.