  1. Swift.nV Tutorial Part I: Setup, Insecure Data Storage, and Unintended Data Leakage

    The vulnerabilities associated with mobile applications have been well documented over the last couple of years; and while developers are aware of the issues, new languages often introduce new ways of performing actions that expose old vulnerabilities.

    This video explores Insecure Data Storage and Unintended Data Leakage, two common security mistakes in mobile applications. I use Swift.nV, nVisium’s open source training tool, to examine these issues in Swift, Apple’s new programming language.

    For more security-related videos, visit SecCasts.

    Seth Law is the Director of Research & Development of nVisium and wrangles the internal and external research efforts to improve understanding of application security. He spends the majority of his time thinking up new ways to secure web and mobile applications, but has been known to code when the need arises.

    For the past 12 years, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and as an individual contributor. During the last few years, Seth has honed his application security skills using offensive and defensive techniques, including tool development.
  2. Understanding Rails' protect_from_forgery

    This blog post will attempt to explain how Rails applications can protect themselves from Cross-Site Request Forgery (CSRF) by looking at the details of the built-in protection mechanisms.

    Cross-Site Request Forgery is a serious vulnerability that stems from the trust that web applications place on the session identification cookies that are being passed between browser and server. For a more detailed explanation of CSRF, I suggest looking at the OWASP guide on Cross-Site Request Forgery.

    Rails includes a built-in mechanism for preventing CSRF, protect_from_forgery, which is included by default in the application_controller.rb controller when generating new applications. This protect_from_forgery method leverages magic to ensure that your application is protected from hackers!

    Seriously though, many developers hardly recognize the threat imposed by CSRF, let alone the implementation details of the protect_from_forgery method.

    So, first things first, just to be clear, protect_from_forgery is not magic! There are implementation details which are important to understand. This is one of the cases where “the devil is in the details.”

  3. 10 Indicators You Know You Work for nVisium

    When I first stepped into nVisium’s office earlier this summer, I had a feeling something was a little off. There was an open room lined with Macs, a video game machine where a corner office should be, and tons of candy bars and chips in the kitchen. Where were the cubicles? And the hovering supervisor? Clearly my internship at this tech company was going to be an experience unlike any other.

    In the two months that followed I quickly realized I hadn’t just stepped into some fleeting dream world. The age-old image of corporate offices paints a picture of sterile, concentrated productivity. But efficient workspaces and genuine social interaction don’t have to be mutually exclusive. In fact, it’s probably better if they’re not. At nVisium, my coworkers constantly exhibited humor and gave words of encouragement. Over time, I began to realize the importance of a company's culture and how much it can affect one's job satisfaction. A job doesn't have to feel like work. In fact, a job can and should be a place that lets you grow amongst a group of friends that share similar interests. I could tell you about nVisium's culture to no end, but the only real way to understand it is to see it for yourself. That's why I've created a list of 10 Indicators You Know You Work for nVisium. Happy reading!

  4. xssValidator v1.2.0 Released

    It has been quite a while since you’ve heard anything new about xssValidator, but today we bring good news! Version 1.2.0 has been released with some significant modifications.

  5. The AppSec Newb’s Journey Part I: Welcome to AppSec

    Welcome to the incredible and exciting world of Application Security (AppSec).

    In The AppSec Newb’s Journey series I want to provide a starting point for those interested in AppSec but may not know where to start. I am new to the industry myself, so I wanted to share some of the resources and tactics that have helped me along my journey. It should be noted that I decided to go down the self-learning path, so many of these resources are dependent on taking the time and effort to learn on your own. This doesn’t mean that you shouldn’t ask for help from anybody; there are plenty of people out there eager to help you!

  6. nVisium Announces Swift.nV

    Herndon, VA (August 20, 2014) - nVisium, the leading provider of application security tools, services and research for software development, today released Swift.nV, a new training tool for identifying and testing vulnerabilities in the Swift programming language.

  7. Intro to BurpSuite V: Extracting Intrusions

    Hi, folks,

    Since the last post on Intruder, I've been seeing questions come up on how to pull data out of a large number of results. I wanted to take some time to throw together a quick post on how you can leverage some of the more advanced options in Intruder to automatically extract that information. One of the suggestions that comes straight from PortSwigger is to use the Grep Extract option to pull data from responses.

    Today, I'm going to demonstrate this functionality using WebGOAT.NET, a project that's freely available from OWASP and on GitHub, so you can follow along.