The Threat Landscape

80 per cent of web applications contain at least one security bug, with an average of 45 vulnerabilities per application. 

OWASP, an international non-profit organisation dedicated to web application security, publishes a Top 10 list of the most critical web application security risks.

SQL injection, in which attacker-supplied input is executed as part of a database query in order to copy, corrupt, repurpose or destroy data, is still the number one risk for an enterprise.

Criminals Follow the Money 

For the last seven and a half years, the Uleska team has seen a common theme – criminals follow the money. Since consumers are buying and selling online, then the criminals have naturally moved online too.

In 2017, at Digital DNA, there was a panel giving cyber security tips for local businesses – a pro bono consultancy workshop on how to best protect their digital assets from threat actors. 

What concerned the Uleska team was how many other local businesses had already been through a damaging experience, and how many more would.

After the panel, several business owners said that they too had been the victims of hacks or breaches, and asked what they should do. The correct response is to contact the ICO.

Formjacking 

Also remember that this panel took place one year before GDPR, the legislation that now penalises companies for data breaches and hacks, came into force.

We live in different times now, post-GDPR, and we are already seeing the size of fines imposed on companies by the Information Commissioner’s Office (ICO) skyrocket: it is more like a hockey-stick increase.

Let’s take one example: British Airways. Their data breach took place last summer and was a formjacking compromise: malicious code was injected into a form on their website to scrape users’ details, including credit card numbers.

BA R U GDPR OK?

The ICO has just levied a fine on BA of £183m. Yes, you read that correctly: one hundred and eighty-three million pounds. The previous maximum fine in the UK under the Data Protection Act (1998) was a more modest £500k.

One interesting point is that the BA hack was a supply-chain hack: one of their suppliers was compromised, not BA directly, yet the ICO ruled that BA, and not the third party, was responsible for end-user data.

“Death and taxes” are the only certainties in life? In this post-GDPR world, add “data breaches and ICO fines” to that list.

Information Commissioner Elizabeth Denham said: 

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. 

Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

BA fined record amount for data breach.

A Strong Message to all Data Controllers

Therefore, the industry has seen a change: the fine was imposed for a lack of preparation rather than a lack of response to an attack. The ICO did not impose the maximum fine at its disposal; BA was charged one and a half per cent of its global annual turnover for the year ending 31 December 2018.

Diane Yarrow, partner and commercial solicitor at award-winning law firm Gardner Leader solicitors commented: 

“The penalty is substantial. There are various factors considered when setting the level of the fine, which include: the number of people affected and the level of damage suffered, the negligent character of the infringement, the degree of responsibility of the controller and the categories of personal data affected by the infringement, amongst other things.

Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty sending a strong message to all data controllers.”

Your Supply Chain – “their risk is your risk”

In recent years we have seen multiple talks from academics about the threat to businesses from their own supply chains, a topic to be discussed in greater detail in a future blog post.

How can you be sure of the uniqueness of your code? Most code is not custom code (built by your own team); it comes from code libraries.

This is where the vulnerabilities are introduced, and this is how the BA hack happened in 2018. The attacker’s strategy was to target the smaller supplier (a code library, i.e. a software component) in order to reach the actual target (BA).

The website was compromised and its content replaced with code that collected the personal and financial information of users.

Uleska, your comfort blanket

Wrapping up, Uleska is here to help your business with your application security scalability challenge.

Uleska removes the repetitive manual configuration of each scan by automating it.

By scanning code on the same schedule as your software deployments, testing more frequently and removing more vulnerabilities than if you waited until the end of your SDLC, you can broaden your organisation’s security coverage. Uleska can recommend fixes for your development teams, whether on-site, offshore or suppliers.

Uleska will also give you your value at risk – how much each vulnerability will cost you, in the event of a data breach, based on information from the FAIR Institute, in conjunction with one of the big four. 

Uleska News 

Before getting into some of the latest industry news, Uleska is delighted to announce the newest member of the team, Ed Montgomery. Ed has a wealth of experience in the cyber security industry and is the new Account Director for Uleska, as well as an editorial contributor. 

Ed has expressed his excitement about Uleska’s unique value-at-risk reporting, which translates vulnerabilities into financial value to help companies prioritise the triage of web apps, and he can’t wait to immerse himself in the ever-expanding Uleska community.

So, if you have a question about any of the Uleska products or any of the topics discussed then please contact edward.montgomery@uleska.com.

Uleska can help you continuously secure your software whilst also

With the recent news of BA facing a record fine of £183m for last year’s data breach, 1.5 per cent of its revenue, organisations need to consider how to avoid a similar fate.

It is believed that the hackers accessed the information of an estimated half a million people, according to the Information Commissioner’s Office (ICO), through a vulnerability in third-party JavaScript used on the website.

Third-party failure is also widely accepted as the reason for the Ticketmaster data breach that occurred in 2018. So, as we can see, this kind of attack can have major financial consequences when huge organisations are infiltrated, not to mention the damage to brand and reputation.

BA may be surprised and disappointed by the recent decision; however, the real question is how we can prevent such an attack, and the resulting fine, from happening again when organisations rely on third-party vendors.

A recent Freedom of Information request to the Financial Conduct Authority (FCA) revealed that between January 2018 and December 2018 there were 174 third party failures for businesses in the UK.

The figure has already soared to 79 between January 2019 and May 2019, with some also suggesting that under-reporting of issues still makes these figures inaccurate.

BA may have acted quickly when the breach came to light, but unfortunately the ICO doesn’t care how quickly you react. The regulation is in place so that customers can safely enter credit card details and personal information on a site or app without malicious JavaScript code harvesting their sensitive data.

One of the aims of introducing GDPR was to make businesses act proactively on cyber security, creating a way to suppress third-party attacks, but unfortunately the frequency of these attacks has not stalled.

There are tremendous benefits to be gained from embracing supply chain methods for your organisation and customers. Today’s competitive business environment demands it. But strong governance is a must when it comes to sourcing and using third parties.

Some of the areas in which practitioners have advised defending against third-party attacks are credit card processing, cloud storage, document management software and single sign-on solutions.

Evaluating the security and privacy policies of all third-party suppliers means the likelihood of a breach falls dramatically. Once you understand all your vendors and which of them have access to sensitive data, a variety of tools are available to help assess the level of their security.

Uleska has been able to defend against third-party failures by orchestrating security tools to check all third-party code, including when changes have been made to it. This means that all third-party vendors can sell with confidence to major clients, knowing that their code is continuously being checked and that the relevant people are being notified about any new, or existing, vulnerabilities.

This method has allowed us to protect continuously against third-party attacks in an efficient manner, helping to reduce the number of serious data breaches that can affect some of the world’s top organisations.

Understanding where risks lie within your digital ecosystem, tailoring controls according to those risks, and collaborating with your third parties to remediate and mitigate those risks could be just one of the many ways that your organisation combats third-party failures.

For further information on third party attacks and failures you can join us at the next Uleska webinar, which will be covering the topic in more depth. Contact info@uleska.com for full details of the registration process.

A recent report by the Center for Cyber Safety and Education showed unfilled cyber security jobs are expected to reach 1.8 million by 2022.

It is no secret that the cyber security skills gap has hindered organisations’ security protocols and scope tremendously over the last few years.

Local, national and global businesses need security teams and they, in turn, need resources. Increasingly complex cyber attacks have been driving up the demand for qualified professionals to help defend businesses. And a shift towards DevOps – organisations releasing software at a daily rate – is only compounding this further.

Educating people to the standard of cyber security proficiency we need right now would be a long, arduous and expensive task. And we need 1.8 million of them in less than 3 years!

Adding to this, less than 6% of cyber security practitioners have learned hacking skills in a classroom. This shows that educational processes, whilst they have merit, may not be the solution when it comes to securing sensitive data.

It’s clear the industry has to look at this problem from a new perspective. There isn’t enough resource (people, time, money) to address the growing problem.

The answer to the skills gap?

A practical way to solve the cyber security skills gap involves automating software security tools in a centralised platform. By combining multiple tools, you can cover a wider security scope and continually monitor your software security during the software development lifecycle (SDLC).

This solution not only delivers more secure software at greater pace, but also puts security at the start of the SDLC and forces security strategy to be proactive.

Automation means better communication between teams when prioritising issues, and allows metrics and trends to be captured over time, making teams more effective and efficient. It also means no more personnel need to be added to a software security team.

This solution is, simply, a way to automate and orchestrate an area of software and application security that is obviously struggling to cope with the frequency of breaches and the demand for software.

As an industry, we still should rally together to embrace emerging cyber security talent, creativity, and curiosity and push for more understanding of the importance of cyber security in stopping sensitive data breaches. But cyber security needs to find an innovative technique that can safeguard customers on a global scale. Automation and orchestration of security testing tools point towards that all-encompassing security.