Handling the results of our work in a responsible way is our highest priority. We‘ve taken a long, hard look at what this means for our behavior. We use a well-structured model of responsible disclosure to report vulnerabilities.
Knowledge from our Research
usd HeroLab Security Advisories
We analyze attack scenarios, which are changing constantly, and publish a series of Security Advisories on current vulnerabilities and security issues – always in line with our Responsible Disclosure Policy.
Commitment to teaching
Our experienced security analysts teach the course “Hacker Contest” at the Technical University Darmstadt and the University of Applied Sciences Darmstadt in the summer semester 2019. During the course students have the opportunity to experience IT security in practice. The usd HeroLab‘s own PentestLab provides the technological basis.
usd HeroLab to teach course at University of Applied Science Darmstadt in summer semester 2019.
usd HeroLab to teach course at Technical University Darmstadt in summer semester 2019.
Events for the Community
Hacker Days, Hero Nights, Cyber Security Forums or IT Security Seminars. We share our knowledge and best practices with others. Visit our CST Academy websites for more information.
References & Articles
More security for patient data: Pentest and cloud audit at medavis
The protection of patient data is a top priority for medavis. That’s the reason why they ordered a check of the IT security level of the entire cloud infrastructure in addition to the pentest.
„Made by usd HeroLab“
Tools “made by usd HeroLab”. We asked what developments the recent years have brought and how they contribute to increasing the quality and efficiency of the usd HeroLab.
Top 5 quality criteria for an approved scanning vendor
The five most important characteristics you should consider when choosing your PCI scanning partner.
Bug Bounty Programs
Bug Bounty Programs – a security building block that leverages the security awareness and expertise of an entire community.
Pentest – What you should know
Pentests: Start planning with these 4 questions
Planning penetration tests, or pentests for short, can become very complex at times. In the following, we provide you with tips that have proven to be effective in our pentest planning – based on simple questions.
usd Orangebox makes remote pentests simple
What if an on-site pentest is not possible, but the systems within the scope are located in the internal network? By using the usd OrangeBox, remote pentests can be performed more efficiently and securely.
Pentest scope: how to determine the testing scope?
Which preparation steps guarantee a pentest optimally tailored to your company? Start your pentesting project well prepared.
Pentest analysis approaches
Learn more about the different pentest analysis approaches, how they vary and how they reflect different motivations and possibilities of an attacker.
Top 7 quality criteria for a pentest partner
Penetration tests are one of the most effective security analysis methods. Read here which criteria you should consider when choosing your pentest partner.
Unknown vulnerabilities – responsibilities of the finder
usd AG accepts responsibility and takes the responsible handling of newly-discovered security vulnerabilities very seriously. Read more about our process of responsible disclosure here.
What If a Gateway for Hackers Was Hidden in Your Source Code? In a Code Review, the supreme discipline of security analyses, the source code of an application is examined.
Open source tool “bring2lite”
Open source tool for forensic data analysis at DFRWS USA, one of the leading conferences on digital forensics.
Cyber security transformation chef (CSTC)
usd Herolab proudly presents the CSTC, which is a Burp Extension for various input transformations. It implements a generic way to replace the need for numerous specialized extensions.
usd HeroLab at DEF CON 27
usd HeroLab presents the self-developed plugin CSTC for Burp Suite at DEF CON 27, one of the largest IT security conferences in the world.
How a vulnerable picture upload can be exploited using manipulated picture files
This article describes an attack which circumvents weak file name restrictions and injects PHP code through a resizing and metadata stripping process.