Some 494 vulnerabilities across 21 private local firms — mostly enterprise technology and financial services companies — were detected last year, according to a 2022 study by Philippine cybersecurity testing platform provider Secuna.
Of the cyber weaknesses detected, 58.89% came from the enterprise technology sector in which 30 were classified as critical-risk, 56 as high-risk, and 152 as medium-risk. Meanwhile, about 20% of the vulnerabilities came from the financial services sector.
The top three critical weaknesses found by Secuna were “remote code execution (RCE) flaws, SQL (structured query language) injection flaws, and exposed .git repositories,” it said in its report.
RCE can be used to remotely control a target server, retrieve the source code, access the database, and even delete the server’s filesystem. SQL injection vulnerabilities can allow full access to a database and massive data breaches. Exposed .git repositories can be exploited to retrieve the source code of a target app, Secuna explained.
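To make the second and third of those weaknesses concrete, the following added example (not code from Secuna or its report) shows a SQL lookup written two ways against a constructed in-memory SQLite table, and a small check a team can run against its own site to see whether a .git directory is being served. The table, its rows and the sample HTTP responses are all constructed for illustration.

```python
import sqlite3

GIT_HEAD_MARKER = "ref: refs/heads/"  # first line of a normal .git/HEAD file


def make_db():
    """Constructed sample database: three users, nothing real."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The weak form: user input is concatenated into the SQL text, so it can
    change the query's structure instead of merely supplying a value."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The hardened form: the driver binds the input as data, so the same
    string is only ever compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def git_head_exposed(status_code, body):
    """Classify the response to GET /.git/HEAD on a site you operate.

    A 200 whose body starts with 'ref: refs/heads/' means the repository
    metadata is reachable from the web root and should be removed or denied
    at the web server. Any other status, or an HTML error page, is fine.
    """
    return status_code == 200 and body.strip().startswith(GIT_HEAD_MARKER)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a textbook injection string, used here only to show the difference
    print("vulnerable lookup rows :", len(lookup_vulnerable(db, probe)))   # 3 (every user)
    print("parameterized lookup   :", len(lookup_parameterized(db, probe)))  # 0 (no such user)
    # Constructed responses, as a scanner of your own host might see them
    print("exposed .git :", git_head_exposed(200, "ref: refs/heads/main\n"))
    print("404 page     :", git_head_exposed(404, "<html>Not Found</html>"))
```

The parameterized version is the fix for the second weakness; for the third, the fix is to keep repository metadata out of the deployed document root (or deny `/.git` at the web server) and to re-run the check after each deployment.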
In 2021, the Bankers Association of the Philippines (BAP) revealed that unauthorized withdrawals and transfers reached more than P1 billion for that year, amid a rise in cybercrime along with the rise in digital transactions due to the pandemic.
“We encourage companies to review their assets for these security gaps and take measures to eliminate known vulnerabilities,” said AJ Dumanhug, Secuna’s chief executive officer and co-founder, in a statement.
He added that every valid bug submitted by their ethical hackers and researchers merits a reward depending on the severity of the cyber weakness discovered. Along with the report, Secuna announced that its bug bounty payouts have increased to $24,045.
The cybersecurity platform also has a bug bounty program (BBP) service that allows its clients compliant with the Bangko Sentral ng Pilipinas and National Privacy Commission to work with security researchers around the world to identify security threats.
“Cybercriminals are already testing your app to find potential loopholes that will allow them to compromise your application or server. Having no BBP will leave you clueless about potential vulnerabilities in your application. BBP solves this problem by allowing good hackers to report those potential vulnerabilities,” said Mr. Dumanhug.
In March, he said that Secuna is looking into a partnership with the Philippine government for a free cyberattack simulation, in order to improve the country’s capacity to defend against cybercrime. — Bronte H. Lacsamana