A New Tool for Finding Malicious JavaScript and Securely Using External Libraries

September 2019 Update: This JavaScript Security extension has been published by Burp Suite! You can install it directly within Burp, via the BApp Store feature in the Burp Extender tool. Why compromise just one website when you can compromise a whole bunch of them all at once? I'm sure that's what attackers were thinking in 2018 as they compromised content delivery networks (CDNs) and used them to host malicious JavaScript. And it’s a genius strategy! Compromised companies will unwittingly feed them sensitive customer data (e.g., credit card numbers), will never have any evidence of the attack, and will never know anything has changed. Meanwhile, their customers will receive malicious JavaScript libraries that the "victim" companies require them to load for a smooth customer experience. Then the sensitive information will be fed directly from the user to the attacker. Why is this so easy? Today, more sites are relying on JavaScript to enhance the user experience, and they are doing it in a way that makes it harder to evaluate referenced JavaScript libraries: they are using JavaScript libraries to load other JavaScript libraries into the Document Object Model (DOM). It can be challenging to track these issues down during a penetration test, especially when you have limited time and you want to deliver the highest quality results possible. To assist our partners, clients, and the security community in identifying these issues, we developed a Burp Suite extension. Burp Suite is a Java-based tool used by many security teams for web-application testing. This extension helps Burp Suite users evaluate JavaScript in use in web applications for subresource integrity and content security policy protections while comparing observed resources against threat intelligence feeds. You can download the extension for free via the BApp Store.

Boosting Organizational Success by Advancing Data Quality

This guide dissects the root causes of poor data quality and provides a step-by-step approach to achieving high data quality.
News Article

Focal Point Adds New Sales Leader to Accelerate Growth

Focal Point today announced the addition of Dan DeSantis as its Senior Vice President of Sales and Business Development. Dan joins Focal Point from Cisco Systems,

8 Areas to Include in SAP Access Control Testing

Information Technology General Controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes the systems support. Your SAP ERP applications cross all four systems: IT Infrastructure Applications, Databases, Operating Systems, and the Application Layer. Access control tests, our central focus for this post, are targeted at the Application Layer of your SAP applications. In a recent post, we discussed the importance of security health checks in monitoring SAP access, and today we want to continue the access security conversation by examining the importance of ITGC Access Controls testing in an SAP environment.

Implementing SailPoint IdentityNow at a Global Pharmaceutical Company

Focal Point’s IAM services client is a leading global pharmaceutical company, with more than 20 years of experience and operating…

Let’s Get Cracking: A Beginner’s Guide to Password Analysis

The Focal Point Attack & Penetration team performs many internal penetration tests that culminate in a compromise of Windows Active Directory domains and access to the password hashes of all domain users. Like many teams that provide pen testing services, we have a high-powered GPU-based password-cracking rig that we use to recover high-value or time-sensitive passwords. But sometimes we’re on-site without access to our VPN or we’re in the the reporting window following a test, and someone is using the rig for an active test. Whatever the reason, we still get a lot of mileage from the classic password cracker, john, even in this age of GPU-based cracking with hashcat (which we also love but is not the focus of this post).

Data Quality Assessment and Data Warehouse Design Assessment at a Growing Tech Company

A leading technology company engaged the Focal Point Data Analytics team to perform a data quality assessment for their 11…

Leading Global Call Center Achieves Compliance with PCI Risk Assessment and Roadmap

One of the world’s leading global call centers, with contact centers in over 15 countries, support in roughly 30 languages,…

5 Things to Consider before Upgrading from SAP GRC 10.x to GRC 12.0

SAP released a new version of Access Control in March 2018. It became generally available in September 2018, and in January 2019, support pack 3 was issued. In this release, SAP added some new functionality and improved some of the existing functionality. These updates include integration with cloud platforms, enhanced emergency access management, a more robust UI, and more support for Identity Access Governance (IAG). Some of these changes are significant and will require some technical steps before you can upgrade. In this post, we’ll take a look at the increased functionality you’ll gain by moving to v12 and how you can prepare for this upgrade.
New Search