President Biden Delivers Remarks on the Colonial Pipeline Incident

Run as Admin: Executive Order on Cybersecurity

On May 12, 2021, President Biden issued an executive order on cybersecurity. This new order combines many trends we’re already seeing in the Fortune 500 and brings them into the public sector as well. President Trump issued similar executive orders in 2017, 2018, two in 2019 and three in 2020, ...
Ochaun Marshall -- Securing Web applications in AWS

AppSec Cheat Code: Shift Left, Shift Right, Up, Down & Start

Seamless and unobtrusive security is the future. We are huge advocates of shifting left and moving security testing earlier in the development process. Leif Dreizler wrote a great article suggesting that not only do we need to shift security left, but shift engineering right. I agree, but why stop there ...
Application Security

3 Reasons to Pentest with Brave

Penetration testing is a race against the clock. Often, we only have a few days to examine all the functionality of a web application or an API. That is why we spend a lot of time refining and modifying our pentesting workflow to shave off any inefficiencies. This process often ...

The OPSEC of Protesting

For the past three months thousands of people have been protesting in the United States due to the deaths of George Floyd, Breonna Taylor, Tony McDade, and others. Many of the protesters are posting, recording, and streaming live while demonstrating. This raises the question: how do I protect myself online ...
Professionally Evil Fundamentals: What is OWASP

Using Components with Known Vulnerabilities

When an organization has a breach, you would like to imagine that the attacker crafted a new exploit, leveraging a zero-day vulnerability that no one has any protection against. However, it is far more likely that the attacker exploited well-known vulnerabilities that may have been residing within their systems for ...
Fiddling with Windows: Proxy tools for Win10

If you have been following along with us, you know how to set up a Windows 10 Virtual Machine (VM) for web app pentesting. But now we have run into another problem. Let’s say that same client throws a Windows 10 desktop app into scope. (You know, ’cause last ...
In Case of Fire: Break Windows

When a client calls us to pentest a web application that is only available in Internet Explorer, I cringe. I don’t know if it’s flashbacks from the countless hours spent getting a website compatible with IE, or the trauma from bad UX growing up. Just mentioning the browser leaves a ...
IAM Access Analyzer Review

TL;DR – This is a free tool that helps solve one of the biggest security problems when working in AWS. Turn it on. Turn it on now! Instructions are here. AWS misconfigurations are costly and difficult problems to solve. A lot of what goes wrong with S3 and IAM ...
What's Falling Out of Your Wallet: S3 Bucket Vulnerabilities & the CapitalOne Breach

IAM Root: AWS IAM Simulator Tutorial

If you needed yet another reason to be paranoid about your personal information being exposed, the recent Capital One breach should be sufficient nightmare fuel for you. This is even more supporting evidence that your SSN isn’t secret anymore. Sensitive information of over 100 million people was exposed during this ...

Secure Guardrails