<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>BSG Blog — Cybersecurity Insights</title><link>https://bsg.tech/blog/</link><description>Recent content on BSG Blog — Cybersecurity Insights</description><generator>Hugo</generator><language>en</language><lastBuildDate>Mon, 30 Mar 2026 09:00:00 +0000</lastBuildDate><atom:link href="https://bsg.tech/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>What Makes a Boutique Cybersecurity Firm Different?</title><link>https://bsg.tech/blog/what-makes-a-boutique-cybersecurity-firm-different/</link><pubDate>Mon, 30 Mar 2026 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/what-makes-a-boutique-cybersecurity-firm-different/</guid><description>&lt;p&gt;Here&amp;rsquo;s something most security buyers learn the hard way: the firm you hire and the people who do the work are often not the same.&lt;/p&gt;
&lt;p&gt;At large consultancies, a senior partner sells the engagement. A project manager scopes it. Then the actual testing gets handed to whoever is available — often a junior analyst running automated scans and filling in report templates. You pay for brand recognition, not expertise.&lt;/p&gt;</description></item><item><title>Mobile App Security Testing: iOS and Android Pentest Guide</title><link>https://bsg.tech/blog/mobile-app-security-testing-ios-android/</link><pubDate>Mon, 23 Mar 2026 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/mobile-app-security-testing-ios-android/</guid><description>&lt;p&gt;Your mobile app runs on devices you don&amp;rsquo;t control, in environments you can&amp;rsquo;t predict. That binary sitting on a user&amp;rsquo;s phone — with its local storage, hardcoded configuration, and network calls — is an entirely different attack surface from your web application. It demands a different testing approach.&lt;/p&gt;</description></item><item><title>Penetration Testing Cost in 2026: What You'll Actually Pay</title><link>https://bsg.tech/blog/what-can-you-expect-to-pay-for-penetration-testing/</link><pubDate>Tue, 17 Mar 2026 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/what-can-you-expect-to-pay-for-penetration-testing/</guid><description>&lt;p&gt;If you&amp;rsquo;re searching for &amp;ldquo;how much does a penetration test cost,&amp;rdquo; you want numbers — not vague marketing. Here&amp;rsquo;s the direct answer: &lt;strong&gt;most penetration tests cost between $4,000 and $25,000&lt;/strong&gt;, with complex enterprise engagements reaching $100,000 or more. 
But that range is meaningless without understanding what drives the price.&lt;/p&gt;</description></item><item><title>AI Is Changing AppSec: Agentic Security Tools in 2026</title><link>https://bsg.tech/blog/ai-appsec-agentic-security-tools-2026/</link><pubDate>Wed, 04 Mar 2026 11:56:21 +0000</pubDate><guid>https://bsg.tech/blog/ai-appsec-agentic-security-tools-2026/</guid><description>&lt;p&gt;February 2026 was a month that made the application security world pay attention. Anthropic launched &lt;a href="https://www.anthropic.com/news/claude-code-security"&gt;Claude Code Security&lt;/a&gt; — a system that had already found over 500 zero-day vulnerabilities in production open-source codebases before it shipped. Days earlier, the open-source Raptor framework showed that a properly orchestrated LLM could autonomously run Semgrep scans, execute CodeQL queries, validate whether findings are exploitable, generate proof-of-concept exploits, and produce patches. All in a single workflow.&lt;/p&gt;</description></item><item><title>Cloud Penetration Testing: AWS, Azure &amp; GCP Security Assessment</title><link>https://bsg.tech/blog/cloud-penetration-testing-aws-azure-gcp/</link><pubDate>Thu, 19 Feb 2026 16:40:30 +0000</pubDate><guid>https://bsg.tech/blog/cloud-penetration-testing-aws-azure-gcp/</guid><description>&lt;p&gt;Migrating to the cloud does not eliminate security risk — it transforms it. AWS, Azure, and GCP handle infrastructure-level protections, but the responsibility for securing configurations, identities, data, and workloads still falls on your organisation.&lt;/p&gt;
&lt;p&gt;Cloud penetration testing is a controlled security assessment that simulates real-world attacks against your cloud environment. Unlike automated scanning, a cloud pentest uses manual techniques to chain together misconfigurations, overly permissive IAM policies, and exposed services into attack paths that actually compromise data.&lt;/p&gt;</description></item><item><title>From Developer to AppSec Engineer: Career Path Guide</title><link>https://bsg.tech/blog/developer-to-appsec-engineer-career-path/</link><pubDate>Thu, 05 Feb 2026 23:02:15 +0000</pubDate><guid>https://bsg.tech/blog/developer-to-appsec-engineer-career-path/</guid><description>&lt;p&gt;You spend your days building software. You understand how systems are architected, how data flows between components, and how features go from a pull request to production. Now consider this: that same knowledge makes you one of the strongest candidates for a career in application security.&lt;/p&gt;</description></item><item><title>MITRE D3FEND Framework: Complete Guide for Defensive Security</title><link>https://bsg.tech/blog/mitre-d3fend/</link><pubDate>Thu, 29 Jan 2026 17:00:00 +0000</pubDate><guid>https://bsg.tech/blog/mitre-d3fend/</guid><description>&lt;p&gt;MITRE D3FEND is a knowledge graph of &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt; countermeasures that gives defenders a structured way to select, organize, and communicate defensive techniques. 
While &lt;a href="https://attack.mitre.org/"&gt;MITRE ATT&amp;amp;CK&lt;/a&gt; catalogs how adversaries attack, D3FEND answers the follow-up question every blue team asks: what exactly should we do about it?&lt;/p&gt;</description></item><item><title>AI Agent Security: Malicious Skills Threatening Dev Environments</title><link>https://bsg.tech/blog/ai-agent-security-malicious-skills-threat/</link><pubDate>Sat, 24 Jan 2026 14:57:24 +0000</pubDate><guid>https://bsg.tech/blog/ai-agent-security-malicious-skills-threat/</guid><description>&lt;p&gt;AI coding assistants like Claude, GitHub Copilot, and Cursor have transformed how developers work. But with great power comes a new attack surface: &lt;strong&gt;executable skills&lt;/strong&gt; that can turn your trusted AI assistant into a threat actor.&lt;/p&gt;
&lt;p&gt;Recent security research has uncovered a concerning pattern. Skills—the plugins and extensions that give AI agents their capabilities—can harbor malicious code that executes with your permissions, accesses your credentials, and spreads across your infrastructure. This isn’t theoretical: researchers have demonstrated &lt;a href="https://blog.lukaszolejnik.com/supply-chain-risk-of-agentic-ai-infecting-infrastructures-via-skill-worms/"&gt;skill worms&lt;/a&gt; that propagate through SSH configurations, exfiltrate secrets via base64-encoded curl commands, and persist across sessions.&lt;/p&gt;</description></item><item><title>Black Box vs White Box vs Grey Box Pentest</title><link>https://bsg.tech/blog/black-box-vs-white-box-vs-grey-box-penetration-testing/</link><pubDate>Fri, 23 Jan 2026 15:36:12 +0000</pubDate><guid>https://bsg.tech/blog/black-box-vs-white-box-vs-grey-box-penetration-testing/</guid><description>&lt;p&gt;What’s the difference between black box, white box, and grey box &lt;a href="https://bsg.tech/blog/penetration-testing/"&gt;penetration testing&lt;/a&gt;? If you think it’s about &lt;em&gt;access levels&lt;/em&gt;, you’re wrong—and you’re not alone.&lt;/p&gt;
&lt;p&gt;Most cybersecurity professionals, vendors, and even some pentest firms get this fundamentally wrong. The confusion costs companies money, weakens &lt;a href="https://bsg.tech/blog/application-security/"&gt;security assessments&lt;/a&gt;, and leads to compliance issues.&lt;/p&gt;</description></item><item><title>Small Business Cybersecurity: Essential Checklist</title><link>https://bsg.tech/blog/small-business-cyber-security-checklist/</link><pubDate>Fri, 16 Jan 2026 16:07:54 +0000</pubDate><guid>https://bsg.tech/blog/small-business-cyber-security-checklist/</guid><description>&lt;p&gt;These cyber security recommendations for small businesses focus on conventional small and medium enterprises (SMEs). This text does not cover startup specifics or the &lt;a href="https://bsg.tech/blog/application-security/"&gt;application security&lt;/a&gt; needs of software development companies. It is a checklist of the most crucial cyber security measures every small business owner can and must implement.&lt;/p&gt;</description></item><item><title>API Security Testing Methodology: OWASP Top 10 Walkthrough (2026)</title><link>https://bsg.tech/blog/api-security-testing/</link><pubDate>Wed, 14 Jan 2026 21:56:37 +0000</pubDate><guid>https://bsg.tech/blog/api-security-testing/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;APIs (Application Programming Interfaces) have become the backbone of modern software architecture. From mobile apps to microservices, organisations rely on APIs to connect systems, share data, and deliver functionality. But this connectivity comes with risk.&lt;/p&gt;
&lt;p&gt;In 2026, APIs represent one of the most common attack vectors in web applications. According to industry data, 57% of organisations experienced an API-related data breach in the past year, with 73% of those facing three or more separate incidents. Major breaches continue to be traced back to insecure API endpoints.&lt;/p&gt;</description></item><item><title>OWASP LLM Top 10 (2025): Security Risks for AI Applications</title><link>https://bsg.tech/blog/owasp-llm-top-10/</link><pubDate>Mon, 12 Jan 2026 18:20:19 +0000</pubDate><guid>https://bsg.tech/blog/owasp-llm-top-10/</guid><description>&lt;p&gt;Every organisation seems to be integrating large language models into their products and workflows. Chatbots, code assistants, document analysers, customer service agents—generative AI is everywhere. But security hasn’t kept pace with adoption.&lt;/p&gt;
&lt;p&gt;OWASP recognised this gap and released a dedicated Top 10 for LLM Applications. Unlike traditional web vulnerabilities that developers have been battling for decades, LLM risks are fundamentally different. These systems process natural language, generate unpredictable outputs, and often have access to sensitive data and powerful actions. The attack surface is unlike anything we’ve seen before.&lt;/p&gt;</description></item><item><title>OWASP Top 10 2025: What Changed and Why It Matters</title><link>https://bsg.tech/blog/owasp-top-10/</link><pubDate>Mon, 12 Jan 2026 01:23:41 +0000</pubDate><guid>https://bsg.tech/blog/owasp-top-10/</guid><description>&lt;p&gt;The OWASP Top 10 is the definitive benchmark for web application security. The 2025 release brings the most significant changes in years: two entirely new vulnerability categories and major ranking shifts that reflect how modern attacks have evolved.&lt;/p&gt;
&lt;p&gt;These changes aren’t academic—they shape security policies, &lt;a href="https://bsg.tech/blog/penetration-testing/"&gt;penetration testing requirements&lt;/a&gt;, and development practices across the industry. Understanding what changed helps security teams prioritise resources and protect what matters most.&lt;/p&gt;</description></item><item><title>DevSecOps Pipeline Security: Essential Guide | BSG</title><link>https://bsg.tech/blog/devsecops-pipeline-security/</link><pubDate>Fri, 09 Jan 2026 16:28:38 +0000</pubDate><guid>https://bsg.tech/blog/devsecops-pipeline-security/</guid><description>&lt;p&gt;Your CI/CD pipeline has become one of the most valuable targets in your organization. It has access to source code, production credentials, deployment keys, and the ability to push code directly to your customers. If attackers compromise your pipeline, they compromise everything downstream.&lt;/p&gt;</description></item><item><title>Why Every Developer Should Learn Secure Coding in 2026</title><link>https://bsg.tech/blog/why-every-developer-should-learn-secure-coding-in-2026/</link><pubDate>Thu, 08 Jan 2026 13:57:23 +0000</pubDate><guid>https://bsg.tech/blog/why-every-developer-should-learn-secure-coding-in-2026/</guid><description>&lt;p&gt;Security vulnerabilities cost businesses billions annually. From the &lt;a href="https://bsg.tech/blog/preventing-crypto-exchange-hacks-lessons-from-bybit-heist/"&gt;Bybit crypto heist&lt;/a&gt; to countless data breaches affecting millions of users, the pattern is clear: most security incidents trace back to preventable coding mistakes. 
Yet despite this, secure coding remains an afterthought in most development workflows.&lt;/p&gt;</description></item><item><title>EU Radio Equipment Directive 2025: RED &amp; EN 18031 Guide</title><link>https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/</link><pubDate>Sun, 23 Nov 2025 14:36:33 +0000</pubDate><guid>https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/</guid><description>&lt;p&gt;From 2025, the European Union is raising the bar for cybersecurity in every connected device that uses radio technologies. If your product communicates via Wi-Fi, Bluetooth, cellular, Zigbee, LoRa, or any other radio interface, its path to the EU market now runs through a new compliance regime: &lt;strong&gt;RED cybersecurity requirements&lt;/strong&gt;, the &lt;strong&gt;EN 18031 harmonised standards&lt;/strong&gt;, and the &lt;strong&gt;Delegated Regulation (EU) 2022/30&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>Cybersecurity Professional Standards</title><link>https://bsg.tech/blog/cybersecurity-professional-standards/</link><pubDate>Tue, 29 Jul 2025 13:41:52 +0000</pubDate><guid>https://bsg.tech/blog/cybersecurity-professional-standards/</guid><description>&lt;p&gt;The latest &lt;strong&gt;&lt;a href="https://open.spotify.com/episode/6AAdwUbHx3EZBBuqoSEe0M"&gt;NCSC Cyber Series&lt;/a&gt;&lt;/strong&gt; podcast gathers three voices who know the battlefield from different angles:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Tracey Jones, Senior Analyst at the Bank of England; Gian Andrea Padovani, Senior Manager in the PRA’s Cyber-Resilience team; and Chris Ensor, Deputy Director for Cyber Growth at the NCSC&lt;/em&gt;. Their discussion turns a spotlight on an issue that rarely makes headlines yet shapes every breach report we read: professional standards.&lt;/p&gt;</description></item><item><title>TLPT: Threat Led Penetration Testing Explained</title><link>https://bsg.tech/blog/tlpt-threat-led-penetration-testing-explained/</link><pubDate>Fri, 20 Jun 2025 10:00:00 +0000</pubDate><guid>https://bsg.tech/blog/tlpt-threat-led-penetration-testing-explained/</guid><description>&lt;p&gt;&lt;strong&gt;Threat Led Penetration Testing (TLPT)&lt;/strong&gt;, also known as &lt;strong&gt;threat-led pentesting&lt;/strong&gt;, is the gold standard for realistic &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt; validation. TLPT combines the latest &lt;strong&gt;threat intelligence&lt;/strong&gt;, &lt;strong&gt;red teaming tactics&lt;/strong&gt;, and &lt;strong&gt;business risk analysis&lt;/strong&gt; to simulate attacks that your organization is most likely to face. Unlike generic pentesting, TLPT tests not just your systems for vulnerabilities, but also your ability to &lt;strong&gt;detect, respond to, and contain&lt;/strong&gt; those attacks in real time.&lt;/p&gt;</description></item><item><title>EUVD Database: Europe’s CVE Alternative Explained | BSG</title><link>https://bsg.tech/blog/euvd-europes-answer-to-cve-instability/</link><pubDate>Wed, 14 May 2025 11:11:06 +0000</pubDate><guid>https://bsg.tech/blog/euvd-europes-answer-to-cve-instability/</guid><description>&lt;p&gt;As the MITRE-run CVE program faces operational challenges, Europe has quietly launched a significant alternative. The &lt;strong&gt;European Vulnerability Database (EUVD)&lt;/strong&gt;, developed by ENISA, officially went live in April 2025.&lt;/p&gt;
&lt;p&gt;Though some viewed it as a reaction to MITRE’s instability, the EUVD was long in the making. Its creation was mandated under the &lt;a href="https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555"&gt;&lt;strong&gt;NIS2 Directive&lt;/strong&gt;&lt;/a&gt; (Articles 62–63), adopted in 2022, which required ENISA to develop a vulnerability database serving the EU digital ecosystem.&lt;/p&gt;</description></item><item><title>Cyber Incident Response Plan for Small Business [2025]</title><link>https://bsg.tech/blog/cyber-incident-response-tips-for-small-businesses/</link><pubDate>Sat, 03 May 2025 16:06:58 +0000</pubDate><guid>https://bsg.tech/blog/cyber-incident-response-tips-for-small-businesses/</guid><description>&lt;p&gt;In today’s volatile cyber landscape, even small businesses are not immune to disruptive cyberattacks. Ransomware, phishing, and data breaches increasingly target companies of all sizes, and the ability to respond effectively can mean the difference between recovery and ruin. Interestingly, a valuable resource developed for UK local governments offers practical lessons for the private sector: the Local Government Association’s “Cyber Incident Grab Bag.”&lt;/p&gt;</description></item><item><title>CVE Under Threat: What You Need to Know</title><link>https://bsg.tech/blog/cve-under-threat-what-you-need-to-know/</link><pubDate>Wed, 16 Apr 2025 17:01:36 +0000</pubDate><guid>https://bsg.tech/blog/cve-under-threat-what-you-need-to-know/</guid><description>&lt;p&gt;The &lt;strong&gt;Common Vulnerabilities and Exposures (CVE)&lt;/strong&gt; program is one of the most critical pillars of modern cybersecurity. Without it, organizations around the world would struggle to identify, track, and prioritize vulnerabilities in software and hardware. But as of &lt;strong&gt;April 16, 2025&lt;/strong&gt;, this essential system is facing a major disruption: the expiration of MITRE’s federal contract to operate the CVE program. 
Here’s what’s happening—and why you should care.&lt;/p&gt;</description></item><item><title>Unforgivable Software Vulnerabilities</title><link>https://bsg.tech/blog/unforgivable-software-vulnerabilities/</link><pubDate>Fri, 04 Apr 2025 16:27:14 +0000</pubDate><guid>https://bsg.tech/blog/unforgivable-software-vulnerabilities/</guid><description>&lt;p&gt;Every piece of software has bugs. Many have vulnerabilities. But not all software vulnerabilities are created equal.&lt;/p&gt;
&lt;p&gt;Some are complicated, buried deep in obscure logic, or made possible by bleeding-edge exploit techniques. Others—well, others are glaringly obvious. These are the ones that make security professionals shake their heads and ask: &lt;em&gt;How did this ever make it to production?&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Preventing Crypto Exchange Hacks: Lessons from Bybit Heist</title><link>https://bsg.tech/blog/preventing-crypto-exchange-hacks-lessons-from-bybit-heist/</link><pubDate>Wed, 26 Feb 2025 11:27:46 +0000</pubDate><guid>https://bsg.tech/blog/preventing-crypto-exchange-hacks-lessons-from-bybit-heist/</guid><description>&lt;p&gt;Bybit, a cryptocurrency exchange, &lt;a href="https://announcements.bybit.com/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140/"&gt;recently suffered one of the largest crypto thefts in history&lt;/a&gt;, with attackers making off with $1.4 billion. The attack, attributed to North Korean cybercriminals, exploited vulnerabilities in Bybit’s security processes, leveraging malware and social engineering to bypass multi-signature protections. This blog post breaks down how the attack occurred, the techniques used by the attackers, and lessons for the crypto industry.&lt;/p&gt;</description></item><item><title>Cyber Kill Chain &amp; MITRE ATT&amp;CK Defense Guide | BSG</title><link>https://bsg.tech/blog/cyber-defense-using-cyber-kill-chain-and-mitre-attck-explained/</link><pubDate>Thu, 06 Feb 2025 15:41:48 +0000</pubDate><guid>https://bsg.tech/blog/cyber-defense-using-cyber-kill-chain-and-mitre-attck-explained/</guid><description>&lt;p&gt;In today’s threat landscape, cyberattacks are more sophisticated and persistent than ever. Organizations need structured approaches to detect, analyze, and respond to threats effectively. 
Two critical frameworks that have shaped modern &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt; defense are the &lt;strong&gt;&lt;a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html"&gt;Cyber Kill Chain&lt;/a&gt;&lt;/strong&gt; and the &lt;strong&gt;&lt;a href="https://attack.mitre.org/"&gt;MITRE ATT&amp;amp;CK Framework&lt;/a&gt;&lt;/strong&gt;. Understanding these models can significantly improve threat detection, incident response, and overall cybersecurity resilience.&lt;/p&gt;</description></item><item><title>The Future of Authentication: Passkeys vs Passwords and 2FA</title><link>https://bsg.tech/blog/the-future-of-authentication-when-passkeys-beat-passwords-and-2fa/</link><pubDate>Wed, 22 Jan 2025 11:22:47 +0000</pubDate><guid>https://bsg.tech/blog/the-future-of-authentication-when-passkeys-beat-passwords-and-2fa/</guid><description>&lt;p&gt;Passwords have been around for decades, but they come with plenty of headaches. Many people use weak passwords or reuse the same ones across different sites. This makes them easy targets for hackers. Phishing attacks, where scammers trick you into giving up your password, are still very common. And even if you have a strong password, it’s no good if it gets stolen in a data breach.&lt;/p&gt;</description></item><item><title>2024’s Worst Cyberattacks: Security Lessons &amp; Tips | BSG</title><link>https://bsg.tech/blog/lessons-from-2024s-worst-cyberattacks-and-how-to-stay-secure/</link><pubDate>Mon, 13 Jan 2025 23:47:29 +0000</pubDate><guid>https://bsg.tech/blog/lessons-from-2024s-worst-cyberattacks-and-how-to-stay-secure/</guid><description>&lt;p&gt;2024 was a challenging year for &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt;, with some of the most significant data breaches and cyberattacks making headlines. 
In this article, we analyze the key breaches outlined in &lt;em&gt;Wired’s&lt;/em&gt; article, &lt;a href="https://www.wired.com/story/worst-hacks-2024/"&gt;“The Worst Hacks of 2024,”&lt;/a&gt; along with high-value reference sources to dive deeper into the methods attackers used and the lessons we can learn. For each breach, we summarize the incident, highlight the vulnerabilities exploited, and recommend actionable countermeasures to strengthen defenses.&lt;/p&gt;</description></item><item><title>Salt Typhoon: A Wake-Up Call for Telecom User Privacy</title><link>https://bsg.tech/blog/salt-typhoon-a-wake-up-call-for-telecom-security-and-user-privacy/</link><pubDate>Mon, 30 Dec 2024 11:29:47 +0000</pubDate><guid>https://bsg.tech/blog/salt-typhoon-a-wake-up-call-for-telecom-security-and-user-privacy/</guid><description>&lt;p&gt;In late 2024, cybersecurity headlines were dominated by &lt;a href="https://www.politico.com/news/2024/12/27/chinese-hackers-telco-access-00196082"&gt;Salt Typhoon&lt;/a&gt;—a sophisticated cyber-espionage campaign attributed to Chinese state-sponsored actors. The attack targeted global telecommunications providers, exposing critical vulnerabilities in telecom infrastructure and endangering the privacy of millions. 
This campaign, while technically impressive, serves as a dire warning of how weaknesses in critical industries can have far-reaching implications for user privacy, corporate security, and even national resilience.&lt;/p&gt;</description></item><item><title>2024 EU Cybersecurity Insights</title><link>https://bsg.tech/blog/2024-eu-cybersecurity-insights-key-findings-trends-and-recommendations/</link><pubDate>Mon, 09 Dec 2024 11:55:52 +0000</pubDate><guid>https://bsg.tech/blog/2024-eu-cybersecurity-insights-key-findings-trends-and-recommendations/</guid><description>&lt;p&gt;The &lt;a href="https://www.enisa.europa.eu/publications/2024-report-on-the-state-of-the-cybersecurity-in-the-union"&gt;2024 EU Cybersecurity Report&lt;/a&gt; provides a detailed overview of the Union’s digital security challenges, key areas for improvement, and actionable strategies for stakeholders. As threats grow in complexity, this report highlights critical findings, emerging trends, and strategic recommendations to bolster the EU’s cybersecurity posture.&lt;/p&gt;</description></item><item><title>End-to-End Encrypted Messaging for Business Security</title><link>https://bsg.tech/blog/end-to-end-encrypted-messaging/</link><pubDate>Fri, 06 Dec 2024 21:10:51 +0000</pubDate><guid>https://bsg.tech/blog/end-to-end-encrypted-messaging/</guid><description>&lt;p&gt;As cyber threats evolve, secure communication is becoming a cornerstone of both personal privacy and organizational &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;security&lt;/a&gt;. In late 2024, the &lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a"&gt;FBI and CISA explicitly urged Americans to use encrypted messaging apps&lt;/a&gt; after the Salt Typhoon campaign compromised major U.S. telecommunications providers, exposing real-time calls and text messages to Chinese intelligence. 
Their message was clear: &lt;strong&gt;if your communications aren’t encrypted, they’re vulnerable.&lt;/strong&gt;&lt;/p&gt;</description></item><item><title>Enhancing Cybersecurity to Align with NIS2 Directive</title><link>https://bsg.tech/blog/strengthening-cybersecurity-practices-in-compliance-with-the-nis2-directive/</link><pubDate>Mon, 02 Dec 2024 16:11:58 +0000</pubDate><guid>https://bsg.tech/blog/strengthening-cybersecurity-practices-in-compliance-with-the-nis2-directive/</guid><description>&lt;p&gt;The European Union’s NIS2 Directive, reinforced by ENISA’s 2024 Implementation Guidance, sets a comprehensive standard for &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt; across critical and digital service providers. For business leaders, adopting these practices ensures regulatory compliance and builds organizational resilience.&lt;/p&gt;
&lt;h2 id="understanding-the-nis2-directive-and-enisas-guidance"&gt;Understanding the NIS2 Directive and ENISA’s Guidance&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://www.enisa.europa.eu/topics/awareness-and-cyber-hygiene/raising-awareness-campaigns/network-and-information-systems-directive-2-nis2"&gt;NIS2 Directive&lt;/a&gt; mandates robust cybersecurity measures for entities across sectors such as cloud computing and online platforms. &lt;a href="https://www.enisa.europa.eu/publications/implementation-guidance-on-nis-2-security-measures"&gt;ENISA’s guidance&lt;/a&gt; provides actionable steps to implement these measures effectively, emphasizing risk management, incident handling, and supply chain security.&lt;/p&gt;</description></item><item><title>Empowering Cybersecurity Governance: NCSC’s Board Toolkit</title><link>https://bsg.tech/blog/empowering-cybersecurity-governance-ncscs-board-toolkit/</link><pubDate>Sun, 01 Dec 2024 12:07:28 +0000</pubDate><guid>https://bsg.tech/blog/empowering-cybersecurity-governance-ncscs-board-toolkit/</guid><description>&lt;p&gt;Cybersecurity is no longer just a technical issue; it’s a critical business risk that directly impacts organizational stability, reputation, and financial health. As digital dependency increases, so does exposure to cyber threats, from data breaches to ransomware attacks and supply chain vulnerabilities. For board members, addressing cybersecurity is not optional—it’s essential.&lt;/p&gt;</description></item><item><title>Security Awareness Training: Does It Actually Work?</title><link>https://bsg.tech/blog/the-truth-about-phishing-training-why-its-not-as-effective-as-you-think/</link><pubDate>Mon, 25 Nov 2024 16:48:56 +0000</pubDate><guid>https://bsg.tech/blog/the-truth-about-phishing-training-why-its-not-as-effective-as-you-think/</guid><description>&lt;p&gt;Phishing attacks remain the top cybersecurity threat globally, accounting for 33% of data breaches in small and medium businesses according to Verizon’s 2025 Data Breach Investigation Report. 
Despite investing heavily in employee training programs, organizations often find themselves repeatedly compromised. This raises a critical question: How effective are these phishing training programs in preventing real-world attacks?&lt;/p&gt;</description></item><item><title>Zero-Day Vulnerabilities: A Growing Threat in Cyberattacks</title><link>https://bsg.tech/blog/zero-day-vulnerabilities-a-growing-threat-in-cyberattacks/</link><pubDate>Sat, 16 Nov 2024 14:07:05 +0000</pubDate><guid>https://bsg.tech/blog/zero-day-vulnerabilities-a-growing-threat-in-cyberattacks/</guid><description>&lt;h2 id="a-shift-in-cyberattack-tactics"&gt;A Shift in Cyberattack Tactics&lt;/h2&gt;
&lt;p&gt;The UK &lt;strong&gt;&lt;a href="https://www.ncsc.gov.uk/"&gt;National Cyber Security Centre (NCSC)&lt;/a&gt;&lt;/strong&gt;, together with its counterparts from the US, Australia, Canada, and New Zealand, recently released a joint advisory warning about a growing trend among cyber attackers: the exploitation of &lt;strong&gt;zero-day vulnerabilities&lt;/strong&gt;. These vulnerabilities, which are unknown to software vendors and developers at the time of the attack, present a unique and significant risk because they are exploited before a patch or fix is available. The advisory lists the top 15 vulnerabilities most frequently targeted in 2023, many of which were zero-days, highlighting a shift in the methods used by threat actors.&lt;/p&gt;</description></item><item><title>Celebrating 10 Years of Cybersecurity Excellence at BSG</title><link>https://bsg.tech/blog/celebrating-10-years-of-cybersecurity-excellence-at-bsg/</link><pubDate>Tue, 12 Nov 2024 12:00:06 +0000</pubDate><guid>https://bsg.tech/blog/celebrating-10-years-of-cybersecurity-excellence-at-bsg/</guid><description>&lt;p&gt;In November 2024, Berezha Security Group (BSG) celebrates a decade of commitment to cybersecurity, safeguarding organizations, and assisting businesses in adapting to the changing threat environment. 
Starting as a modest consultancy, we have grown into one of Ukraine’s premier cybersecurity companies through significant growth, resilience, and an unwavering dedication to quality throughout our journey.&lt;/p&gt;</description></item><item><title>SAMMY: Free Tool to Implement OWASP SAMM Security</title><link>https://bsg.tech/blog/enhance-software-security-with-sammy-and-owasp-samm/</link><pubDate>Mon, 04 Nov 2024 16:48:46 +0000</pubDate><guid>https://bsg.tech/blog/enhance-software-security-with-sammy-and-owasp-samm/</guid><description>&lt;p&gt;In today’s rapidly evolving digital landscape, ensuring the &lt;a href="https://bsg.tech/blog/software-product-security-where-to-start/"&gt;security of software applications&lt;/a&gt; is paramount. The OWASP Software Assurance Maturity Model (SAMM) provides organizations with a structured framework to assess and enhance their software &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;security practices&lt;/a&gt;. To effectively implement SAMM, organizations can leverage SAMMY, a comprehensive management tool developed by Codific.&lt;/p&gt;</description></item><item><title>How to Show Return on Cyber Security Investment</title><link>https://bsg.tech/blog/security-return-on-investment/</link><pubDate>Thu, 28 Dec 2023 12:00:00 +0000</pubDate><guid>https://bsg.tech/blog/security-return-on-investment/</guid><description>&lt;p&gt;Demonstrating your return on &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity investment&lt;/a&gt; to investors, boards, and top managers is one of the hardest challenges a CISO faces. 
Yet ROSI (Return on Security Investment) has become a non-negotiable KPI — especially since the &lt;a href="https://www.sec.gov/rules-regulations/2023/07/s7-09-22"&gt;SEC’s 2023 cybersecurity disclosure rules&lt;/a&gt; now require public companies to report board oversight of cyber risk.&lt;/p&gt;</description></item><item><title>CVE-2022-0271: Leaflet Maps Marker SQL Injection Exploit</title><link>https://bsg.tech/blog/bsg-discovers-sql-injection-vulnerability-in-leaflet-maps-marker/</link><pubDate>Mon, 08 Aug 2022 13:42:00 +0000</pubDate><guid>https://bsg.tech/blog/bsg-discovers-sql-injection-vulnerability-in-leaflet-maps-marker/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;In the ever-evolving landscape of cybersecurity, vulnerabilities can emerge in the most unexpected places. Recently, our team at BSG made a significant discovery: a SQL Injection vulnerability in the popular Leaflet Maps Marker plugin for WordPress (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1123"&gt;CVE-2022-1123&lt;/a&gt;). As with the previous discovery of &lt;a href="https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/"&gt;CVE-2022-25854&lt;/a&gt;, Ihor Bliumental was directly involved. This discovery underscores the importance of proactive security measures and the need to address vulnerabilities promptly to safeguard WordPress websites.&lt;/p&gt;</description></item><item><title>CVE-2022-25854: Tagify npm Stored XSS Vulnerability</title><link>https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/</link><pubDate>Tue, 10 May 2022 16:01:51 +0000</pubDate><guid>https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/</guid><description>&lt;h2 id="preface"&gt;Preface&lt;/h2&gt;
&lt;p&gt;Due to the russian war on Ukraine, we are much less active on this blog and social media. However, some events make us dust off the keyboard and share some information. A vulnerability worth a CVE is one of them. We found this one in February 2022, and a few others are under review. Meanwhile, all BSG team members are safe, and we stay operational.&lt;/p&gt;</description></item><item><title>BSG Wins SANS NetWars: Ukraine’s First CTF Champions</title><link>https://bsg.tech/blog/bsg-won-sans-netwars-tournament/</link><pubDate>Thu, 02 Dec 2021 22:23:39 +0000</pubDate><guid>https://bsg.tech/blog/bsg-won-sans-netwars-tournament/</guid><description>&lt;p&gt;Today BSG participated in the first-ever SANS NetWars tournament brought to Ukraine by USAID Cybersecurity Activity, the Ukrainian National Security Council, and the Service of Information Protection. To our immense surprise, we won this cyber range competition!&lt;/p&gt;</description></item><item><title>Why Is Software Supply Chain Security Important?</title><link>https://bsg.tech/blog/why-is-it-supply-chain-security-so-important/</link><pubDate>Tue, 02 Nov 2021 20:47:26 +0000</pubDate><guid>https://bsg.tech/blog/why-is-it-supply-chain-security-so-important/</guid><description>&lt;p&gt;Supply chain cyber security is so hot right now. According to the &lt;a href="https://www.enisa.europa.eu/news/enisa-news/hackers-for-hire-drive-the-evolution-of-the-new-enisa-threat-landscape"&gt;ENISA Threat Landscape&lt;/a&gt; 2021 report, software supply chain attacks rank #9 among the most common cyberattack vectors. 
CISA and NIST have issued guidance on &lt;a href="https://www.cisa.gov/publication/software-supply-chain-attacks"&gt;Defending Against Software Supply Chain Attacks&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>BSG provides UBMDR a Pro Bono Application Pentest</title><link>https://bsg.tech/blog/bsg-did-an-application-pentest-for-ubmdr/</link><pubDate>Fri, 08 Oct 2021 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/bsg-did-an-application-pentest-for-ubmdr/</guid><description>&lt;h2 id="supporting-humanitarian-efforts-through-cybersecurity"&gt;Supporting Humanitarian Efforts Through Cybersecurity&lt;/h2&gt;
&lt;p&gt;At Berezha Security Group (BSG), we conduct over fifty &lt;a href="https://bsg.tech/application-security/"&gt;application security assessments&lt;/a&gt; and &lt;a href="https://bsg.tech/penetration-testing/"&gt;penetration tests&lt;/a&gt; each year. While most projects remain confidential, we’re taking a moment to share one particularly meaningful engagement. Recently, BSG provided an application security assessment and code review for the &lt;strong&gt;&lt;a href="https://ubmdr.org"&gt;Ukrainian Bone Marrow Donor Registry (UBMDR)&lt;/a&gt;&lt;/strong&gt;, a non-profit organization making strides to connect bone marrow donors with patients in need.&lt;/p&gt;</description></item><item><title>Software Product Security: Where To Start?</title><link>https://bsg.tech/blog/software-product-security-where-to-start/</link><pubDate>Wed, 29 Sep 2021 17:37:12 +0000</pubDate><guid>https://bsg.tech/blog/software-product-security-where-to-start/</guid><description>&lt;p&gt;There is plenty of publicly available information about how software development teams can make their products more secure. However, this knowledge is often obscure to software engineers. Developers get stuck in their routine jobs following the usual development cycle with no incentive to learn about security. From initial design specifications to basic functionality and prototype, to an MVP, to regular customer feature requests, to fixing bugs… On and on goes the feature-centric development cycle, with little or no effort spent on securing the product. 
Until there is a breach, the regulator unleashes its wrath on the management, a big client demands actual proof of product security, or an M&amp;amp;A requires a demonstration of due diligence.&lt;/p&gt;</description></item><item><title>How to Choose a Penetration Testing Company?</title><link>https://bsg.tech/blog/how-to-choose-a-penetration-testing-company/</link><pubDate>Wed, 29 Sep 2021 07:57:12 +0000</pubDate><guid>https://bsg.tech/blog/how-to-choose-a-penetration-testing-company/</guid><description>&lt;p&gt;Today is a time of frequent data breaches, automated hacking tools, and all types of data protection regulations and standards like PCI DSS and GDPR. Because of this, &lt;strong&gt;&lt;a href="https://bsg.tech/penetration-testing/"&gt;penetration testing&lt;/a&gt;&lt;/strong&gt; is now considered an &lt;strong&gt;essential security requirement for all types and sizes of businesses&lt;/strong&gt;, not just governments and banks.&lt;/p&gt;</description></item><item><title>Social Engineering: What It Is and How to Prevent It?</title><link>https://bsg.tech/blog/social-engineering-what-actually-is-it-and-how-to-prevent-an-attack/</link><pubDate>Fri, 24 Sep 2021 07:29:48 +0000</pubDate><guid>https://bsg.tech/blog/social-engineering-what-actually-is-it-and-how-to-prevent-an-attack/</guid><description>&lt;p&gt;Social engineering, in its basic meaning, is the psychological manipulation of people with the primary goal of getting them to disclose &lt;a href="https://en.wikipedia.org/wiki/Confidentiality"&gt;confidential business and personal information&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;It’s unnerving to think &lt;strong&gt;social engineering can happen anywhere&lt;/strong&gt; and to anyone, but you can take steps to protect yourself and your business’s sensitive data.&lt;/p&gt;</description></item><item><title>Announcing the Web Application Pentester Training</title><link>https://bsg.tech/blog/announcing-the-web-application-pentester-training/</link><pubDate>Thu, 05 Aug 2021 09:08:14 +0000</pubDate><guid>https://bsg.tech/blog/announcing-the-web-application-pentester-training/</guid><description>&lt;p&gt;We are happy to announce that registration for the &lt;a href="https://bsg.tech/pentester-training/"&gt;BSG web application pentester training&lt;/a&gt; is now open, and the new group starts in autumn 2021. If you plan to reach new career horizons in cybersecurity, we will help you make an informed decision by answering the most frequently asked questions.&lt;/p&gt;</description></item><item><title>10 Steps to Protect Your Small Business from Cyber Attacks</title><link>https://bsg.tech/blog/10-steps-to-protect-business-from-cyberattacks/</link><pubDate>Wed, 26 May 2021 18:37:12 +0000</pubDate><guid>https://bsg.tech/blog/10-steps-to-protect-business-from-cyberattacks/</guid><description>&lt;p&gt;Small businesses often assume they are too insignificant to be targeted by cyberattacks, but the truth is starkly different. In fact, &lt;strong&gt;81% of cybersecurity breaches affect small and medium-sized businesses (SMBs)&lt;/strong&gt;. Cybercriminals see these companies as easier targets because they usually lack the robust defenses that larger organizations have in place. Many SMBs hold sensitive customer data, payment information, and proprietary details, making them attractive to attackers. Without strong cybersecurity measures, these businesses face a higher risk of data breaches, ransomware attacks, and financial loss. 
Recognizing these threats and taking proactive steps is essential for protection.&lt;/p&gt;</description></item><item><title>Berezha Security Becomes BSG: New Identity Unveiled | BSG</title><link>https://bsg.tech/blog/berezha-security-has-rebranded-to-bsg-new-identity-new-achievements/</link><pubDate>Thu, 20 May 2021 18:11:15 +0000</pubDate><guid>https://bsg.tech/blog/berezha-security-has-rebranded-to-bsg-new-identity-new-achievements/</guid><description>&lt;p&gt;Berezha Security has rebranded to BSG – Berezha Security Group – and we are happy to present our new identity, which better reflects our company’s philosophy and values we carry in the world.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;“Defeating tomorrow’s security challenges – today” became the BSG mission&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>Penetration Testing Grows Due to Remote Work</title><link>https://bsg.tech/blog/penetration-testing-grows-due-to-remote-work/</link><pubDate>Tue, 13 Apr 2021 18:16:48 +0000</pubDate><guid>https://bsg.tech/blog/penetration-testing-grows-due-to-remote-work/</guid><description>&lt;p&gt;&lt;em&gt;Cybersecurity professionals are requested to conduct more penetration testing and security assessments&lt;/em&gt; &lt;em&gt;focusing on remote work during the COVID-19 pandemic than ever before.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;With the rapid transition to work from home during the COVID-19 pandemic, organizations’ &lt;strong&gt;attack surface has evolved&lt;/strong&gt;, and security measures could not remain unchanged. Businesses that care about their cybersecurity have shifted priorities to protect their network infrastructure, focusing on the &lt;strong&gt;growing risks of remote work&lt;/strong&gt;, with pentesting as the means of immediate improvement.&lt;/p&gt;</description></item><item><title>BSG becomes an OWASP corporate member!</title><link>https://bsg.tech/blog/berezha-becomes-owasp-corporate-member/</link><pubDate>Tue, 08 Dec 2020 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/berezha-becomes-owasp-corporate-member/</guid><description>&lt;p&gt;&lt;a href="https://owasp.org"&gt;OWASP&lt;/a&gt; is the best-known global non-profit organization dealing with software security. It was established in 2001 and has been publishing its famous application security risk rating – the OWASP Top 10 – since 2003. The number of OWASP initiatives and chapters is continuously growing, making it the leading contributor to application security methodologies and a prominent industry think tank. Do you feel like Berezha Security has a strong connection with OWASP? That’s correct, and here’s why.&lt;/p&gt;</description></item><item><title>Remote Work Security Audit – a Need or a Habit?</title><link>https://bsg.tech/blog/remote-cybersecurity-audit/</link><pubDate>Tue, 10 Nov 2020 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/remote-cybersecurity-audit/</guid><description>&lt;p&gt;A year ago, before the COVID-19 pandemic, probably very few people could imagine how the world would change. Working from home, remote business meetings, online events, and digital concerts are only some examples of the new normal. The things we could not imagine going virtual very much did, to everyone’s surprise. 
One of the areas that used to be very much onsite and face-to-face was the security audit, and it too has gone remote.&lt;/p&gt;</description></item><item><title>Bringing Your Appsec Report To The Next Level</title><link>https://bsg.tech/blog/bringing-your-appsec-report-to-the-next-level-from-basecamp-to-the-summit/</link><pubDate>Thu, 30 Jul 2020 10:00:10 +0000</pubDate><guid>https://bsg.tech/blog/bringing-your-appsec-report-to-the-next-level-from-basecamp-to-the-summit/</guid><description>&lt;p&gt;It’s pretty understandable that a tech person likes hands-on work and doesn’t like any related overhead, including documentation. Similarly, &lt;a href="https://bsg.tech/penetration-testing/"&gt;penetration testers&lt;/a&gt; love finding vulnerabilities and like reporting them much less. However, the business value comes not from the finding itself, but from its proper communication to the client and actionable remediation measures that may help fix it. So, the report is as important as the finding, not to mention that it is, in fact, the only tangible deliverable of an &lt;a href="https://bsg.tech/application-security/"&gt;appsec assessment&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>How to check your website security online</title><link>https://bsg.tech/blog/how-to-check-your-website-security-online/</link><pubDate>Sat, 27 Jun 2020 14:00:33 +0000</pubDate><guid>https://bsg.tech/blog/how-to-check-your-website-security-online/</guid><description>&lt;p&gt;At Berezha Security, we provide high-quality &lt;a href="https://bsg.tech/application-security/"&gt;Application Security services&lt;/a&gt;, and web application security assessments are a large portion of what we do. However, a full-scale &lt;a href="https://bsg.tech/application-security/"&gt;web app pentest&lt;/a&gt; is not what all our website visitors seek; some are looking for a quick and straightforward way to check their website security without the need to hire security experts. 
It may seem that we are in a position to ignore those requests; however, we think it would be irresponsible. Here is a handful of simple tips and tricks you can use to quickly check your website security.&lt;/p&gt;</description></item><item><title>How to write a CV in cybersecurity</title><link>https://bsg.tech/blog/how-to-write-a-cv-in-cybersecurity/</link><pubDate>Thu, 28 May 2020 10:11:25 +0000</pubDate><guid>https://bsg.tech/blog/how-to-write-a-cv-in-cybersecurity/</guid><description>&lt;p&gt;Each time after hosting a &lt;a href="https://nonamecon.org"&gt;Nonamecon&lt;/a&gt; or &lt;a href="https://owasp.org/www-chapter-kyiv/"&gt;OWASP Kyiv&lt;/a&gt; event, my mailbox is flooded with messages from people asking if we have job openings. How can one join our company? Here is my CV! And after getting a response, they ask how they can improve it.&lt;/p&gt;</description></item><item><title>The Difference Between Organization and Product Security</title><link>https://bsg.tech/blog/the-difference-between-organization-and-product-security/</link><pubDate>Sat, 13 Jul 2019 18:41:39 +0000</pubDate><guid>https://bsg.tech/blog/the-difference-between-organization-and-product-security/</guid><description>&lt;p&gt;Among Ukrainian organizations, we get the most requests from IT companies, and in this post, I want to talk about the experience we have accumulated. Quite possibly, it will be useful to other organizations in this business, and maybe to organizations from different sectors. So if you know a CIO/CTO from an IT firm, show them this text. It was written for them.&lt;/p&gt;</description></item></channel></rss>