Triaxiom Security
Partner with us to meet your Information Security needs.
6 Aug 2020

How Long Does a Web Application Penetration Test Take?

For all of our assessments, one of the first questions that we tend to get asked is “How long does it take?” And while, yes, “it depends” is part of the answer, we wanted to at least give you a rough idea of how long a web application penetration test takes for planning purposes. We’ll […]

4 Aug 2020

Q&A With a Penetration Tester

Picking the brain of a seasoned penetration tester is always fun. Getting insights into what makes them tick, what keeps them up at night, their craziest find on a penetration test, and much more. Below is a Q&A with a senior engineer at Triaxiom Security. Q: How did you get into penetration testing? A: I started […]

30 Jul 2020

Physical Penetration Test War Stories

Just for the fun of it, I am going to do a series of blogs talking about some of the physical penetration tests I have done. War stories, if you will. Of course we will keep the clients anonymous throughout and hopefully they have fixed these items by now anyway, as it has been some […]

28 Jul 2020

When is the Best Time for a Penetration Test?

Unfortunately, there is no cut and dry answer to the question of “when is the best time for a penetration test”. As with many nuanced areas of life, the answer is “it depends”. There are many scenarios that could warrant the need for a penetration test and organization-specific situations that could change your needs. Let’s […]

23 Jul 2020

An Overview of PHP Type Juggling

Creating secure web applications is hard. There are a number of reasons for this, but one contributing factor is language-specific oddities. Specifically, different programming languages handle data differently and, in some cases, these differences can have a significant impact on security. Let’s take a look at one somewhat-exotic example of a language-specific idiosyncrasy within PHP, […]

21 Jul 2020

What we Know about the Twitter Hack

In this blog, let’s take a look at what is sure to be one of the biggest information security events of 2020: The Twitter Hack. While it is still very early and details are still coming out, let’s take a quick look at what we know so far and some lessons we should learn from […]

16 Jul 2020

Should You Worry About Medium/Low Risk Vulnerabilities?

Let’s say you just received a penetration test report from a company and you are working with your internal IT team or development team to triage and fix the issues raised. Someone on your team is of the mindset that fixing the medium/low priority issues in the report isn’t even worth the amount of resources it […]

14 Jul 2020

Tips to Improve Help Desk Security

An integral part of any company is the IT help desk. While some people have horror stories from working with help desks in the past, they play a very important role in your overall security program. They are often the targets of sophisticated social engineering attacks and, as such, need to have strong processes in […]

9 Jul 2020

Common Web Application Vulnerabilities – Insecure Deserialization

In starting to prepare for the Offensive Security Advanced Web Application Exploitation (AWAE) course, I ran across a vulnerability category that I was certainly familiar with but hadn’t run across in the wild lately. Insecure deserialization is an interesting category of vulnerabilities, as it’s part of the OWASP Top 10 but usually isn’t the first […]

7 Jul 2020

An Introduction to Ransomware

In today’s blog, we will do a quick introduction to Ransomware. Ransomware is a form of malware (short for malicious software) designed to deny access to the data on a user’s computer until a ransom is paid. Typically, ransomware is spread via phishing emails, users unknowingly visiting/interacting with an infected website, or weak passwords allowing an attacker […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.