Secuna, the Philippines’ first and only cybersecurity testing platform, reported the detection of 494 vulnerabilities across 21 private local firms last year, accounting for 45.57% of the total number of flaws fixed through the platform since it started operations.
The company noted that 58.89% of the vulnerabilities it identified came from the enterprise technology sector, of which 30 were classified as critical severity, 56 as high, and 152 as medium. Financial services companies had the second-highest share of medium-risk vulnerabilities, accounting for 20% of the total cyber weaknesses discovered. Of the vulnerabilities disclosed, 15.78% of the medium-, high-, or critical-risk findings affect the health sector, while 5.33% of the high- and medium-risk findings affect other organizations.
Among the top three critical vulnerability classes uncovered by Secuna’s certified cybersecurity testers are remote code execution (RCE) flaws, SQL injection flaws, and exposed Git repositories. An RCE vulnerability can be exploited to remotely control the target server, retrieve the entire source code, access the database, and even delete the server’s whole filesystem.
The Filipino cybersecurity firm explained that the SQL injection vulnerabilities found by its penetration testers can be exploited by malicious users to obtain full access to the database and cause massive data breaches, depending on the privileges of the database account the application uses. Meanwhile, exposed Git repositories allow hackers to retrieve the source code of the target application along with sensitive keys, passphrases, and tokens, among others.
The platform’s vulnerability assessment and penetration testing services have also uncovered security weaknesses including zero-day flaws, cross-site scripting (XSS) gaps, insecure direct object reference (IDOR) vulnerabilities, and missing security and privacy best practices. These are among the many cybersecurity issues facing Philippine companies and organizations, and if neglected they could lead to serious consequences.
“Secuna encourages companies to review their assets for these security gaps and take measures to eliminate known vulnerabilities. Cybercriminals are already testing your app to find potential loopholes that will allow them to compromise your application or server. Having no BBP will leave you clueless about potential vulnerabilities in your application. A BBP solves this problem by allowing good hackers to report those potential vulnerabilities and allowing you to resolve them before cybercriminals exploit those vulnerabilities for their personal gain. A BBP also helps clients maintain compliance by regularly testing their applications,” according to AJ Dumanhug, CEO and Co-founder of Secuna.
As for the company’s bug bounty payouts, an increase to US$24,045 in rewards for valid bug reports from its thousands of ethical hackers was recorded. Secuna’s bug bounty program (BBP) service allows its clients, which are compliant with the Bangko Sentral ng Pilipinas (BSP) and the National Privacy Commission (NPC), to collaborate with vetted security researchers around the world to identify potential security threats in their applications.
According to Dumanhug, for every valid bug submission from Secuna researchers, the program owners reward them according to the severity of the vulnerability discovered. Without a proper policy in place, security researchers might be less inclined to report a vulnerability, or cybercriminals might join the hunt.
Secuna requires a KYC (Know Your Customer) check for hackers who want to join its BBP before they can hunt for vulnerabilities. The company currently offers a free subscription and only adds a 10% commission on top of every rewarded bug report.