Uncovering Security Vulnerabilities Before You Become A Headline

Some believe that “what you don’t know won’t hurt you.” Others emphatically proclaim that “what you don’t know can (and will) hurt you.” While we would all like to believe the former, the reality is that the latter has proven time and time again to be the case, especially when it comes to security vulnerabilities inadvertently coded into applications, networks, IoT, mobile and cloud infrastructure.

BLOG Jun 01

DevSec Mentoring From Home

The failure to recognize and remediate any critical security vulnerabilities, design flaws or privacy and compliance issues across any platform can be detrimental to an organization’s productivity, profitability and reputation. This means that something is needed to ensure developers and engineers are security-savvy, utilizing leading-edge assessment and training tools with proven agility and knowledge of next generation security programs. But how do you ensure your team has the latest information relative to each programming language or development environment?

BLOG May 25

What Is DevSecOps and Why Should You Care?

Increasingly sophisticated and ever-changing cyber threats require new levels of security assessment, software code development and integration design, oversight, and penetration testing across applications, operating systems, networks, mobile, cloud and the Internet of Things (IoT). This has given rise to a new variation of DevOps that accommodates security. While some call it SecDevOps and some call it DevOpsSec, the majority have settled on calling it DevSecOps.

BLOG May 18

Advanced SQL Injection

Ah, SQL injection. Probably one of the most iconic vulnerabilities in the web appsec sphere. Even given how easy it is to fix (parameterize your queries please, none of this blacklisting garbage), it’s still found in the wild on a regular basis. While there are a million posts out there detailing vanilla exploitation, this post is going to delve into more advanced attacks. Specifically, I’m going to discuss enumerating the schema of a database in a single payload, greatly reducing the number of queries required to exfiltrate data via bit shifting, and viable attacks in a blind and asynchronous situation. The focus will revolve around a SQL Server context, but most if not all of these techniques should transfer to exploitation of other databases.

BLOG May 04

Understanding Rails' protect_from_forgery

This blog post will attempt to explain how Rails applications can protect themselves from Cross-Site Request Forgery (CSRF) by looking at the details of the built-in protection mechanisms.

BLOG Apr 27

Migrating to Microservices: Securely & Safely

Microservices allow you to build your applications as services that are deployed and maintained independently. While many software organizations have been using microservices and containers for years, a considerable number are still in the early phases of adopting and migrating their legacy architectures heading into 2018. Microservices have a lot in common with Service-Oriented Architectures (SOA), but have their own unique properties too. Compared to traditional monolithic software development, microservices speed up our deployments, let us iterate faster, and take full advantage of modern computing platforms. There are great benefits to using microservices, but there are also many architectural complexities to consider as well as cultural and procedural issues to solve. Keeping your architecture secure with decentralized governance can be challenging and requires us to think carefully upfront about how to scaffold security within our core design and habits.

BLOG Apr 20

5 Tips for Secure, Online Shopping

With the holiday season in full swing, more folks are shopping online than any other time of the year. With the recent breaches of Target and Home Depot, many consumers are beginning to understand the need for exercising caution when shopping online.

BLOG Apr 13

A More Secure Development Lifecycle III: Requirements Gathering Techniques

In my last post, I identified security requirements that need to be addressed in any software development project. These requirements are important to building a more secure application. This post will discuss several techniques that are useful in eliciting the security requirements information. My last post in this series will discuss techniques that can be used in the design phase to design a more secure application.

BLOG Apr 06

Dev Secrets and the ASP.NET Core Secret Manager

When performing an application security assessment, one of the things we look for is sensitive secrets committed to source control. Most web applications rely on secrets to perform security operations. Those secrets could include API keys, database credentials, third-party service credentials, encryption keys, and more. The disclosure of these secrets could lead to unauthorized third-party service access or even complete system compromise.

BLOG Mar 30

Introducing Django.nV: An Intentionally Vulnerable Django Application

nVisium is proud to announce the release of Django.nV, an intentionally vulnerable project management application. As with all of the ‘nV’ suite of applications, Django.nV demonstrates a series of common vulnerabilities in the context of a modern application. The flaws within the application include vulnerabilities ranging from the OWASP Top 10 (Injection, Insecure Direct Object Reference) to some Django-specific issues (Mass Assignment and Insecure Settings).

BLOG Mar 23