Handling Missed Vulnerabilities

Robin “digininja” Wood wrote this interesting article about the impact of missing vulnerabilities during security assessments. He makes a lot of good points, and the reality is, it’s something we all deal with. Robin talks about how missing a vulnerability can be the end of one’s career, or at least a large step backward. While this is true, his article only addresses the impact at a micro level. I’d like to expand on that.

BLOG Feb 24

xssValidator v1.3.0 Released

I’m proud to announce the release of xssValidator 1.3.0 with some exciting new improvements!

BLOG Feb 17

Why Mobile Application Security?

In an era of constant, persistent connectivity, our relationships are becoming increasingly managed by instant communication channels, powered by mobile technologies. There are now more cellular subscriptions than there are people in the world and an estimated 10 billion mobile connected devices in use. The demarcation between business and personal time is no longer clear. We can use FaceTime, Slack, or have a GoToMeeting with clients on our smartphones, all while taking notes, sending emails, and even perhaps playing a little Trivia Crack on the side. We still love to go on vacations, yet, we still want to remain reachable during our downtime. Since carrying a laptop to the beach is a bit of a pain, we can just throw an iPad or Pixel C device into our beach bag. Our circles, both personal and professional, can now see the stunning backdrop with aquamarine water, sun-drenched sand, or a colorful, tall drink embellished by exotic fruits and a paper umbrella – all thanks to Instagram. Mobile technology enables us to respond from wherever we are, no matter what other things we may be doing. By having this latitude, we are forced into being connected, available, and productive in both our personal and business lives.

BLOG Feb 10

Crossed by Cross-Site-Scripting: Exploring the Impact of XSS

When I started my summer internship at nVisium, I was very new to the world of application security. One of my first tasks was to become familiar with the OWASP Top Ten. It took some time for me to understand the impact of these vulnerabilities, but XSS seemed rather harmless given that all the proof-of-concept exploits were simply alert boxes saying “xss.” It turns out, however, that XSS is far more dangerous than it appeared at first glance.

BLOG Feb 03

Adapting Agile for Internal Security Operations

How we do software development has been evolving. This is not just because we no longer have to worry about maintaining clunky on-prem servers and can instead write serverless applications and push code to a cloud service like AWS or Azure. How we collaborate with other developers, plan, and schedule work has been changing as well. As more companies adopt new technologies, they are also making agile the default methodology for getting work done, even if agile means something slightly different to everybody. However, despite all the talk about DevOps and agile, most security teams of any size are still operating in the same waterfall fashion.

BLOG Jan 27

Secure Mobile Development Training - On-Demand, Gamified, and Engaging

Since nVisium first launched its On-Demand Training Platform to educate software developers on secure coding in 2016, we have received some incredible and valuable feedback from our users. We’ve taken a great deal of that feedback and have incorporated it directly into the product to improve it. Software developers love learning with nVisium because they are immersed in an environment that is relevant to them, which is writing code, rather than watching boring computer-based training (CBT) videos. Our initial courses focused on web applications and frameworks including Spring, ASP.NET, and Django. The number one question over the past year has been “When will you release secure mobile development courses that we can use to educate our developers?”. The answer to that, my friends, is now.

BLOG Jan 20

Deobfuscate Client Side Cookies

This post provides code snippets that allow you to deobfuscate client-side cookies in Rails and Django.

BLOG Jan 13

Time-Based Username Enumeration: Practical or Not?

Username enumeration is one of those vulnerabilities that appear to be everywhere. Facebook has it, Twitter has it, and basically every default WordPress installation has it. Companies don’t appear to see the risk associated with the vulnerability.

BLOG Jan 06

CAPTCHA: What? Why? Build. Break.

Love them, hate them, or otherwise, in this day and age CAPTCHAs are a part of everyday life on the web. In this blog we will dig a little deeper into the technology behind CAPTCHAs to find out what they are, why they are used, and how they are created, implemented, bypassed, and broken.
What are these things, and why are they everywhere?

BLOG Dec 30

The Evil Side of JavaScript: Server-Side JavaScript Injection

Ever since its humble inception, JavaScript has gained a lot of traction in the world of software development. What originally started as an experimental language meant to increase responsiveness in the browser has evolved into a full-fledged language with the capability to produce full stack web applications.

BLOG Dec 16