Insights & Research

Security intelligence

Analysis, trends, and research from our security team. What we're seeing in the field, what's changing in the threat landscape, and what it means for your organization.

Featured Analysis

The Real Cost of "Good Enough" Security: Why Automated Scanners Miss What Matters

Our analysis of 15+ assessments shows that automated scanners consistently miss the vulnerabilities that cause the most damage. Business logic flaws, authentication bypasses, and authorization failures account for 73% of critical findings — and 0% of scanner detections.

April 2026 Research
Latest

Recent insights

Compliance

Swiss nDSG: What Changed and What It Means for Your Business

The new Swiss Federal Act on Data Protection (nDSG) brought personal criminal liability of up to CHF 250,000 for responsible individuals.

The revised nDSG, effective September 2023, fundamentally changed the accountability model. Key changes include: personal criminal fines up to CHF 250,000 (not the company — the individual), mandatory breach notification within 72 hours, data protection impact assessments for high-risk processing, and strengthened requirements for cross-border data transfers. Board members and CTOs who fail to implement adequate technical and organizational measures face personal liability. We recommend: a data mapping exercise, a gap analysis against nDSG requirements, and a security assessment of all systems processing personal data.

March 2026
Vulnerabilities

Race Conditions in Live Betting: The Six-Figure Bug Class Nobody Tests

Race conditions in financial transaction processing have caused six-figure losses in single weekends.

When a user places a bet, the system must: check balance, validate odds, create the bet, and deduct the balance — atomically. If these steps aren't properly serialized, an attacker can send 50 concurrent requests in a 100ms window, each passing the balance check before any deduction occurs. Result: 50 bets placed with funds for 1. We've seen this pattern across live betting, payment gateways, and bonus redemption flows. Automated scanners cannot detect race conditions — they require manual testing with precision timing tools. Our approach: we identify all state-changing endpoints, map the transaction flow, and test with concurrent requests at varying timing windows.
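The check-then-act sequence above, written out as an added example (not code from the post): the unserialized version beside one that runs the check, bet creation and deduction under a single per-account lock, with a harness that fires 50 concurrent requests. The in-memory account stands in for the database row; in a real system the lock corresponds to a transaction with a row lock or a conditional `UPDATE ... WHERE balance >= stake`.

```python
import threading
import time
from dataclasses import dataclass, field

# Constructed in-memory account; stands in for the betting database row.
@dataclass
class Account:
    balance: int
    bets: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)

def place_bet_racy(acct: Account, stake: int) -> bool:
    """Vulnerable: check-then-act with nothing serializing the four steps."""
    if acct.balance >= stake:      # 1. check balance
        time.sleep(0.001)          # 2. validate odds (window where other requests pass the same check)
        acct.bets.append(stake)    # 3. create the bet
        acct.balance -= stake      # 4. deduct
        return True
    return False

def place_bet_atomic(acct: Account, stake: int) -> bool:
    """Hardened: check, create and deduct run under one per-account lock."""
    with acct.lock:
        if acct.balance < stake:
            return False
        acct.bets.append(stake)
        acct.balance -= stake
        return True

def hammer(place_bet, balance: int, stake: int, requests: int = 50) -> tuple:
    """Fire `requests` concurrent bets at a fresh account; return (bets_placed, final_balance)."""
    acct = Account(balance=balance)
    threads = [threading.Thread(target=place_bet, args=(acct, stake)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(acct.bets), acct.balance

def overspent(result: tuple) -> bool:
    """Detection invariant worth alerting on: a negative balance means the race was won."""
    return result[1] < 0

if __name__ == "__main__":
    print("racy  :", hammer(place_bet_racy, balance=100, stake=100))
    print("atomic:", hammer(place_bet_atomic, balance=100, stake=100))  # (1, 0)
```

The racy run usually accepts far more than one bet and drives the balance negative; the atomic run accepts exactly one bet and leaves the balance at 0 regardless of timing.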

March 2026
Trends

AI-Powered Attacks Are Here: What Defenders Need to Know in 2026

From automated phishing to LLM-assisted vulnerability discovery, AI is changing the attacker toolkit.

What's real: AI-generated phishing emails that pass human detection, automated reconnaissance at scale, and LLM-assisted code analysis for vulnerability discovery. What's hype: fully autonomous hacking agents (still unreliable), AI-generated zero-days (requires human expertise to weaponize). What to prepare for: improved social engineering attacks, faster exploitation of known vulnerabilities, and AI-powered credential stuffing with context-aware password guessing. Our recommendation: focus on fundamentals — patch management, strong authentication, input validation, and security awareness training that accounts for AI-generated content.

February 2026
Compliance

Gambling Regulation Security: MGA, UKGC, and BGS Requirements Compared

A comparison of security testing requirements across Europe's three major gambling regulators.

MGA (Malta): requires annual penetration testing, RNG certification, and data protection audits. The most prescriptive framework. UKGC (UK): requires operators to demonstrate "appropriate security measures" but provides less specific technical guidance. Focuses on customer fund protection and fair gaming. BGS (Switzerland): newer framework with strong data protection requirements aligned with nDSG. Requires operators to demonstrate security testing but allows flexibility in methodology. Common gaps across all three: race condition testing in live betting, payment webhook validation, and KYC/AML bypass testing. Most operators meet minimum compliance but miss the business-logic vulnerabilities that cause actual financial losses.

February 2026
Vulnerabilities

IDOR Is Still the #1 API Vulnerability — Here's Why

Insecure Direct Object References remain the most common critical finding in our assessments.

IDOR occurs when an API uses user-supplied identifiers (IDs, filenames, keys) to access objects without verifying that the requesting user is authorized to access that specific object. Example: GET /api/users/1234/invoices — change 1234 to 1235 and see another user's invoices. Why it persists: frameworks don't enforce object-level authorization by default, developers focus on authentication (who are you?) but forget authorization (can you access THIS?), and automated scanners can't detect it without understanding business context. Prevention: implement object-level authorization checks on every endpoint, use UUIDs instead of sequential IDs, and include IDOR testing in every security assessment.
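An added example (not the post's code) of the invoices endpoint described above: the handler that trusts the path id, the same handler with an object-level authorization check scoped to the authenticated user, and a detector that flags sessions denied on several distinct foreign ids, which is what the 1234-to-1235 probing looks like in an access log once the check is in place. The invoice data and log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed data standing in for the invoices table.
INVOICES = {
    "inv-1": {"owner_id": 1234, "amount": 120},
    "inv-2": {"owner_id": 1235, "amount": 980},
}

def get_invoices_idor(session_user: int, path_user: int):
    """Vulnerable: the caller is authenticated, but the id in the path is trusted as-is."""
    return 200, [k for k, v in INVOICES.items() if v["owner_id"] == path_user]

def get_invoices_fixed(session_user: int, path_user: int):
    """Hardened: object-level authorization; data is always scoped to the authenticated principal."""
    if path_user != session_user:
        return 403, []
    return 200, [k for k, v in INVOICES.items() if v["owner_id"] == session_user]

# Constructed access-log lines: status, authenticated user, requested path.
LOG = """\
403 user=1234 GET /api/users/1235/invoices
403 user=1234 GET /api/users/1236/invoices
403 user=1234 GET /api/users/1237/invoices
200 user=1235 GET /api/users/1235/invoices
"""
LINE = re.compile(r"^(\d{3}) user=(\d+) GET /api/users/(\d+)/invoices$")

def enumeration_suspects(log: str, threshold: int = 3) -> dict:
    """Detection: sessions denied on at least `threshold` distinct foreign user ids."""
    denied = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == "403":
            denied[int(m.group(2))].add(int(m.group(3)))
    return {user: len(ids) for user, ids in denied.items() if len(ids) >= threshold}

if __name__ == "__main__":
    print("vulnerable:", get_invoices_idor(1234, 1235))   # another user's invoice is returned
    print("fixed     :", get_invoices_fixed(1234, 1235))  # (403, [])
    print("suspects  :", enumeration_suspects(LOG))       # {1234: 3}
```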

January 2026
Research

Supply Chain Security: When Your Dependencies Become Your Vulnerabilities

Third-party libraries, APIs, and SaaS integrations create an attack surface most organizations don't monitor.

The average web application depends on 200+ third-party packages. Each is a potential entry point. Our supply chain assessment methodology: inventory all dependencies (direct and transitive), check for known CVEs, verify package integrity (signatures, checksums), test third-party API integrations for data leakage, assess SaaS provider security posture, and map the blast radius of a compromised dependency. Recent incidents: the XZ Utils backdoor demonstrated that even critical infrastructure libraries can be compromised through social engineering of maintainers. We recommend: dependency pinning, automated vulnerability scanning in CI/CD, and regular third-party security reviews.

January 2026
✉ Newsletter

Security intelligence, delivered

Vulnerability trends, regulatory updates, and research from our team — when it matters. No spam, no fluff. Select "Newsletter / Security Insights" on our contact form.


Reading about vulnerabilities is one thing. Finding yours is another.

Start with a free assessment. We'll show you what's actually at risk.
