As application security professionals, we want to get as much as possible out of our security assessments. We’re not only expected to but we’re proud of our work and want to provide the best results and most value possible. As I’ve written in a previous…
6.5 Million LinkedIn Hacked Passwords
LinkedIn, one of the biggest professional social networks, has suffered a major breach of its user password database. The attack was confirmed on Wednesday afternoon by Vicente Silveira, Director at LinkedIn, and was followed by an apology to the affected LinkedIn users who now have…
Web Security is Still a Problem…but It’s Not What You Think
Since I first got involved with information security I’ve been a strong proponent of focusing on the common sense basics. We all know what needs to be done yet I see fundamental web security problems in practically every assessment I perform. From passwords to patches…
Using Acunetix Web Vulnerability Scanner as a Proxy Server
Among many advanced penetration testing tools provided, Acunetix Web Vulnerability Scanner (WVS) offers you the HTTP Sniffer tool. With the HTTP Sniffer you can capture, trap, analyze and even modify any HTTP traffic that the sniffer is listening to, e.g. port 8080. The Acunetix HTTP…
Mac Malware Underscores Why You Can’t Ignore Web Security Threats
Looks like the Mac is finally getting what’s been coming: Mac Malware. And lots of it just recently with the Flashback infection that apparently impacted up to 700,000 Macs. We’ve all heard it from the Mac bigots: One of the main reasons I use a…
Web Application Firewall (WAF) and the false sense of security
A Web Application Firewall (WAF) is an excellent last line of defense. Based on what I see in my testing they’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to clients all the time. But…there’s…
Not All Web Vulnerabilities Are What They Appear to Be
When performing web security assessments, it’s easy for us to feel confident in what we see. Take Cross-Site Scripting (XSS) for instance. Your scanner finds this web vulnerability. You validate that it does indeed exist. What more is there to do? Well, it depends on…
The Value of Web Exploitation
Is the exploitation of web vulnerabilities worth the trouble? Does it create unnecessary risks that should be avoided? Why exploit flaws anyway? This is not a black and white circumstance. Every situation is unique. But here’s what I know. The exploitation of web security flaws…
IT Geek Speak and What Management Really Needs to Hear
Gerald Ford once said “Nothing in life is more important than the ability to communicate effectively.” What a profound statement that not only applies to our personal lives but also how far we go in our IT careers. There’s hardly anything that can cause IT…