LATEST POST

20 Results tagged on "security":

Don't be a security snob. Support your business team!

Access controls have come up many times in meetings about web development. In an interconnected world of APIs, it is very important to understand how these endpoints are authenticated. One of the best approaches, and the one I always vouch for, is mutual authentication with SSL/TLS certificates (two-way SSL). Most of the time it is viable, but it fails when either party cannot support it (hence not...
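Two-way SSL, as the excerpt above calls it, means the server demands and verifies a client certificate during the TLS handshake, not just the other way round. The following Go program is an added example, not code from this blog: it generates throwaway self-signed certificates for a server and a client (test material constructed here; a real deployment would issue both from a proper CA), starts a loopback TLS server with `ClientAuth: RequireAndVerifyClientCert`, and then connects twice, once with the client certificate and once without, to show the second failure mode the post mentions: a peer that cannot present a certificate is refused. The names `api.example.internal` and `api-client` are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one party.
// Test material constructed for this example; use a real CA in production.
func selfSigned(cn string, ip net.IP) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip} // hostname verification uses SANs, not the CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// poolOf returns a trust store containing exactly one certificate.
func poolOf(c tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c.Leaf)
	return p
}

// startServer listens on loopback and requires a client certificate chaining to clientCAs.
func startServer(serverCert tls.Certificate, clientCAs *x509.CertPool) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "two-way SSL" switch
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				tc := c.(*tls.Conn)
				c.SetDeadline(time.Now().Add(5 * time.Second))
				if err := tc.Handshake(); err != nil {
					return // client did not authenticate; the TLS alert is already sent
				}
				cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				fmt.Fprintf(tc, "hello %s", cn) // identity comes from the verified certificate
			}(conn)
		}
	}()
	return ln, nil
}

// connect dials the server, optionally presenting a client certificate, and returns the greeting.
func connect(addr string, rootCAs *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: rootCAs, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client cert surfaces here, not in Dial
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

// Demo runs both cases: a client with a trusted certificate is greeted, one without is refused.
func Demo() (greeting string, errWithCert error, errWithoutCert error) {
	serverCert := selfSigned("api.example.internal", net.ParseIP("127.0.0.1"))
	clientCert := selfSigned("api-client", nil)
	ln, err := startServer(serverCert, poolOf(clientCert))
	if err != nil {
		return "", err, err
	}
	defer ln.Close()
	greeting, errWithCert = connect(ln.Addr().String(), poolOf(serverCert), &clientCert)
	_, errWithoutCert = connect(ln.Addr().String(), poolOf(serverCert), nil)
	return
}

func main() {
	g, e1, e2 := Demo()
	fmt.Printf("with client cert:    %q err=%v\n", g, e1)
	fmt.Printf("without client cert: err=%v\n", e2)
}
```

The point worth noticing is where the failure shows up: with TLS 1.3 the client's `Dial` can return successfully before the server has checked its certificate, and the rejection only arrives on the first read. Code that treats a successful handshake as proof of authentication, without reading the server's response, will misreport the second case.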

WAF and IPS. Does your environment need both?

I have been in a fair number of discussions with management about the need for a WAF and an IPS; they often confuse the two and their basic purpose. The question usually comes up after a pentest or vulnerability assessment: if I can't fix this vulnerability, shall I just put an IPS or WAF in front of it to block the intrusion or exploitation? Or, sometimes, they are considered a silver bullet to thwart attackers instead of fixing...

I know I haven't patched yet, and there's a zero-day knocking at my door

Patching is important, but let's agree it takes time: time to test and validate the patch in your environment, and to check application compatibility with the software and the underlying services. And then, one fine day, an adversary hacks your server through that unpatched code while you are still testing. It breaks my heart, and I wonder: "what can be done in the delta period while the team is testing...

Tools tools everywhere, not a single one they look

The Rime of the Ancient Mariner, a poem by Samuel Taylor Coleridge, is about an old sailor compelled to tell strangers of the supernatural adventures that befell him at sea after he killed an albatross, a friendly sea bird: "Water, water, every where, nor any drop to drink." The metaphor was apt in the middle of the sea; so it is in the middle of thousands of logging events. Most of the security...

Satellite beams 'unbreakable' cipher from space

If you have been closely following quantum advancements, you will have come across the news of the launch of the Chinese satellite "Mozi" in August 2016. With this successful launch, China showed it is well ahead (at least per the public information) and is taking quantum communication seriously. Mozi is dedicated to understanding and testing the phenomenon of quantum entanglement. Mozi, a 500 kg satellite, derives its name from the 5th-century BC Chinese philosopher and scientist, and is motivated...

Need for WAF in the world of Secure SDLC

You have a secure development lifecycle, and you perform a pen-test before going live or rolling an application out to production; so why do you need a Web Application Firewall? In the end, it is one more security product whose ROI is difficult to prove. This is one of the most common questions I am asked when talking about application security. People are still conservative when it comes to buying a good...

Jump Air-gap, Low Level C&C

The threat landscape is very dynamic, and new threat vectors exploit vulnerabilities for fun and profit. The whitehat security community is in a race against time with its counterparts, and companies are increasingly the target of spear phishing, APTs and bots. Some sectors, such as finance, insurance and defense, have strong regulations to protect the perimeter. But often these sectors have people working on modern laptops with different adaptors...

Revamp of OWASP Top 10 for 2017

Yes, the OWASP Top 10 2017 is coming, but that doesn't mean it's your bible. OWASP is finally revamping the Top 10 web vulnerabilities based on the inputs received from the community. For the first time, the OWASP community has also shared the data received from different security consulting and services firms. Reading through the list gives a good idea of which kinds of vulnerabilities are more common in the industry, and the ones...