Cracking and Fixing REST APIs
REpresentational State Transfer, or REST, is more of a force on the web than most think. It is essentially a Web Service implementation of the HTTP protocol that runs the entire world wide web. I’m not...
We want YOU at the CodeMash Security Track
Earlier this year I was asked by the incomparable Rob Gillen to manage the Security track at CodeMash 2.0.1.5. That's a pretty big deal, seeing as how developer outreach is such a big deal for the...
Crushing bugs in OWASP ZAProxy
At the latest OWASP meeting in Columbus, we got set up to crush some bugs in ZAProxy, the OWASP attack proxy project. ZAP is written in Java, and the project is run by Simon Bennetts and sponsored by...
Taking it to the people
This has been quite a year of community. I have been honored to present at a load of user groups and OWASP meetups this year, and I still have quite a few to go. Here are some of the talks I have...
Wikistrat predictions for 2016
Some of you know that I am the curator of the Information Security desk at Wikistrat, a virtual strategy consulting company. We have fun over there, and a recent project was collating some predictions...
ABC interviewed me about being on the good guys team
Bryant Maddrik at ABC6 interviewed me and Todd Whittaker at Franklin about the plight of the good guys in the information security wars. Here's the link to the...
On Application Vulnerability Analysis
We live in a world where applications run the technology that we all use. There was, once, a time where hardware was custom developed to solve certain problems, but these days we have general use...
Information Organization in Vulnerability Analysis
All of this fancy organization and lists are just tools for the goal - making a list of everything that is wrong with an application. When I start a test, I get a URL, a description of how the...
Reconnaissance
Reconnaissance means something different for pentesters than it does for vulnerability analysts. It is, truthfully, the first obvious break between the two forms of testing. For vulnerability...
Day 6 of C# Advent - Coding for an encrypted service
Welcome to the 6th day of the C# Advent! Let's encrypt some malware. That sounds horrible, but in security testing, sometimes you have to use the tools of the bad guy to make sure you aren't likely to...
Live Webinar: Come talk Application Vulnerability Analysis with me and...
I'll be doing a live webinar on Application Vulnerability Analysis on February 8 at 2PM EST - 1 month from today - and it will be a lot of fun! You can hang out in the afternoon and hack some stuff, at...
A new blog series: Application Security Weekly
No, I haven't given up on my OTHER blog series about application vulnerability assessment but an opportunity opened up to start publishing my client newsletter on my blog. It's just usually four...
Proxy Fiddler Through Burp
I am testing an application that only works on Internet Explorer in compatibility mode. Before you laugh, it's EXACTLY these legacy applications that get us into trouble, and they should be tested...
Some neat events I'll be participating in this spring
There are some neat developer and security events this spring that I'll be speaking at or otherwise participating in, and I'd love to see all of you there! On the morning of the 18th, I'll be talking...
Application Security Weekly for April 15
The Verizon Data Breach Investigations Report is out. It's a good read. https://www.verizonenterprise.com/verizon-insights-lab/dbir/ DARPA (the government organization that created the Internet) is...