Triaxiom Security
Partner with us to meet your Information Security needs.
21 Jul 2020

What we Know about the Twitter Hack

In this blog, let’s take a look at what is sure to be one of the biggest information security events of 2020: The Twitter Hack. While it is still very early and details are still coming out, let’s take a quick look at what we know so far and some lessons we should learn from […]

16 Jul 2020

Should You Worry About Medium/Low Risk Vulnerabilities?

Let’s say you just received a penetration test report from a company and you are working with your internal IT team or development team to triage and fix the issues raised. Someone on your team is of the mindset that fixing the medium/low priority issues in the report isn’t even worth the amount of resources it […]

14 Jul 2020

Tips to Improve Help Desk Security

An integral part of any company is the IT help desk. While some people have horror stories from working with help desks in the past, they play a very important role in your overall security program. They are often the targets of sophisticated social engineering attacks and, as such, need to have strong processes in […]

9 Jul 2020

Common Web Application Vulnerabilities – Insecure Deserialization

In starting to prepare for the Offensive Security Advanced Web Application Exploitation (AWAE) course, I ran across a vulnerability category that I was certainly familiar with but hadn’t run across in the wild lately. Insecure deserialization is an interesting category of vulnerabilities, as it’s part of the OWASP Top 10 but usually isn’t the first […]

7 Jul 2020

An Introduction to Ransomware

In today’s blog, we will do a quick introduction to Ransomware. Ransomware is a form of malware (short for malicious software) designed to deny access to the data on a user’s computer until a ransom is paid. Typically, ransomware is spread via phishing emails, users unknowingly visiting/interacting with an infected website, or weak passwords allowing an attacker […]

2 Jul 2020

What is the OSSTMM?

The Open Source Security Testing Methodology Manual, or OSSTMM, was created to: …provide a scientific methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent and reliable way. This manual is adaptable to almost any audit type, including penetration tests, ethical hacking, security assessments, vulnerability assessments, […]

30 Jun 2020

File Upload Validation Techniques

File upload filtering is an extremely important part of web application security that is also notoriously hard to get right. And unfortunately the stakes are high, as vulnerabilities associated with your file upload functionality can quickly turn into critical, exploitable issues with impacts that include remote code execution on the underlying web server. So let’s […]

25 Jun 2020

IoT Devices in the Home

Today’s blog is just a quick update on home security. As a security professional, one of the most common questions I get from friends and family revolves around concerns they have from smart devices, or Internet of Things (IoT) devices, in their home. Should they be worried about their smart lock on their front door […]

23 Jun 2020

Security Tips When Working From Home

Currently and going forward, many employees may find themselves working from home temporarily or permanently. Security is still extremely important to you and your employer, and today we will explore tips and tricks that will help you maintain your security posture while working remotely. Working From Home Security Tips & Tricks Leverage a VPN – […]

11 Jun 2020

Most Common Methods of API Authentication

Today, we’re going to dig into the most common methods of API authentication out there and discuss some of the security implications associated with each of them, from the perspective of a penetration tester. As Application Programming Interfaces (APIs) continue to become a more prevalent tool used in website architecture, the security associated with them […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.