Triaxiom Security
21 May 2020

White Box Application Penetration Testing

We’ve recently seen an uptick in vendor security assessment questionnaires (VSAQs) that are requiring organizations to do white box application penetration testing. Obviously this may be anecdotal, but we thought it would be a good opportunity to discuss what is being asked of you when it comes to white box or clear box testing, and […]

19 May 2020

Writing an Effective Penetration Testing RFP

In the past, we have explored how to find penetration testing Requests For Proposals (RFPs). Today, we are going to explore how to effectively write a penetration testing RFP. Oftentimes, government entities or commercial industry companies are forced to leverage an RFP process to ensure a fair and objective assessment of vendors for […]

14 May 2020

How To Identify Sensitive Data Flows In The Enterprise

One of the most helpful things an organization can do when it comes to security is understanding what needs to be protected. An asset inventory is a great starting point, as it should include all of your hardware and the software you’re running. But perhaps more importantly, you really need to know where your sensitive […]

12 May 2020

PCI Compliance: The Role of the Acquiring Bank

This blog is intended to help merchants understand the various roles in PCI compliance. Specifically, we are going to look at perhaps the most important role: the role of your acquiring bank. Simply put, your acquiring bank is the judge and jury when it comes to meeting PCI compliance. Let’s discuss. Who is My Acquiring […]

7 May 2020

Remote Security Assessments and Other Alternatives

In light of COVID-19 and the toll it is taking on the business community, today we will discuss the types of remote security assessments that can be performed and some alternative tweaks to assessments to ensure your security program is still evaluated and working properly. Unfortunately with all of the chaos, attackers know that they […]

5 May 2020

Palo Alto Traps Review

In today’s blog, we’ll be taking a look at Palo Alto Traps, how it compares to traditional signature-based endpoint security, and how Triaxiom fared against it during a recent engagement. Limitations of traditional endpoint security: every piece of malware has what’s known as a ‘digital signature’ (i.e. a digital footprint) and traditional antivirus (AV) products […]

30 Apr 2020

How the Movie ‘300’ Applies to Information Security

This is officially blog number 300! Just to have some fun and learn a few lessons, let’s look at the movie ‘300’ and see if there are any lessons learned we can apply to information security. While this is more of a fun blog than anything else, there are a few nuggets we can take away […]

28 Apr 2020

Quick Tip – Leave Passwords in the Database Where They Belong!

Today’s security quick tip is brought to you by some API penetration tests I’ve completed over the past few weeks. One of the things I’ve noticed more and more as organizations are developing and implementing APIs as part of their overall application infrastructure is the presence of “greedy” or overly verbose JSON objects in HTTP […]

23 Apr 2020

Follow Up Post – Two Accounts for Administrators

Back in September, we wrote a blog on the importance of using two separate accounts for administrators, one user-level and one administrative. If you haven’t read it yet, it does a great job of explaining why it is necessary and why it’s a security best practice. The lower-level user account should have limited permission and […]

21 Apr 2020

Security Incident Lessons Learned Checklist

Today we’re going to put a bow on our series covering different checklists for things you should be thinking about during each of the 5 primary phases of security incident response. We started with the identification phase and how to adequately capture information about a potential security incident to launch an investigation. We then covered […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.