In one of my previous roles, I had the great opportunity to travel around the world meeting customers to understand their challenges in vulnerability management. The two biggest challenges they wanted solved were: Help me prioritize which of these vulnerabilities are most critical, and Help me close the loop with my patching solutions to remediate […]
We’re all familiar with the Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks. Not only have organizations used this list to adopt new development practices to produce more secure code, but security vendors have built products to detect and prevent these top attacks. But what happens when an attacker uses your […]
We’ve been scanning for vulnerabilities for a very long time (over 20 years for me), but the shift away from device vulnerabilities to application vulnerabilities creates some new challenges. Applications in the modern, digitally transformed world are much more complex. They include open source components and custom code, are deployed in containers, and run in […]
The integration of development, security, and operations, known as DevSecOps, has been a hot topic over the past few years. The benefits of implementing DevSecOps, such as better code quality, increased velocity, and reduced risk, has its advantages, but how do you effectively integrate security into the existing DevOps process? Shifting security left is easier […]
We hear a lot about security orchestration, automation, and response. It will help us with our security skills gap. It will improve our operational efficiency, thus reducing mean time to detect and respond to incidents. It will give us more time for threat hunting. But how much is really being automated? In sponsorship with ServiceNow, […]
In PowerShell there are 2 main ways to extend the shell this are: * Modules – A package that contains Windows PowerShell commands int he form of functions, cmdlerts and worksflows, in addition it may contain variables, aliases and providers. Modules can be written in PowerShell and/or compiled as DLLs. * Snap-Ins – Are compiled […]
I encountered something on a penetration test today that I thought was kinda neat. I’m sure that others have encountered this before, but it was the first time I stumbled upon it and thought that this might be a good place to share the experience and keep notes for future use. The scenario goes like […]
This post comes to you from Lamar Spells of http://foxtrot7security.blogspot.com/. ==================== As more companies fall victim to hacks based on SQL Injection and as the regulatory environment becomes more stringent, more and more companies are implementing network-based Web Application Firewalls (WAFs). Shares of one Web Application Firewall maker Imperva (NYSE: IMPV) are up about 40% […]
Reading this article was an exercise in frustration. Mass SQL Injection Attack Hits 1 Million Sites. The sum of it is that over a million ASP.Net websites were written and put online after someone had deliberately disabled input validation. This isn’t an insecure default. Folks turned off the security feature on purpose! I’ve worked on […]
By Mark Baggett The Ethical Hacker Challenges are always a lot of fun. They are usually wrapped in a creative and entertaining movie theme (as if hacking something wasn’t entertaining enough) and always present an interesting technical challenge. I always learn something new with each new challenge. Over the Christmas break I took some time […]
