5 RESULTS IN TAG "vulnerability":

Implement "security.txt" to advocate responsible vuln. disclosures

After discussing CAA record in DNS to whitelist your certificate authorities in my previous article, do you know it's a matter of time that someone finds an issue with your web-presence, website or any front-facing application? If they do, what do you expect them to do? Keep it under the wrap, or disclose it to you "responsibly"? This article is for you if you advocate the responsible disclosure; else, you have to do catch up with reality (I shall come back to you later!). Now, while we are on responsible disclosure, the "well-behaved" hackers or security...
Read More

WAF and IPS. Does your environment need both?

I have been in fair amount of discussions with management on the need for WAF, and IPS; they often confuse them and their basic purpose. It has been usually discussed after a pentest or vulnerability assessment, that if I can't fix this vulnerability - shall I just put an IPS or WAF to protect the intrusion/ exploitation? Or, sometimes they are considered as the silver bullet to thwart off the attackers instead of fixing the bugs. So, let me tell you - This is not good! The security products are well suited to protect from something "unknown" or...
Read More

I know I haven't patched yet, and there's a zero-day knocking at my door

Patching is important, but let's agree it takes time. It takes time to test & validate the patch in your environment, check the application compatibility with the software and the underlying services. And then, one fine day, an adversary just hacks your server due to this un-patched code while you are testing it. It breaks my heart and I wonder "what can be done in the delta period while the team is testing the patch"? Adversary on the other hand is busy either reversing the patch, or using a zero-day to attack the systems! I mean once a...
Read More

You are safe! ROPEMAKER is nothing but a ruse

In last couple of days my security feed exploded with mention of ROPEMAKER (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) and my first reaction was "wow! someone broke the email, and that too post delivery. #WTF". I immediately opened the source i.e. the blogpost that Mimecast has posted explaining the issue. Frankly on first read, it was a disappointment! I think most of the people that are talking about it like a new, big fancy issue to panic about, do not understand the complete picture. Disclaimer: This post is not to offense Mimecast, or in...
Read More

OWASP is a cheat sheet, not Bible

First of all am sorry to all my readers/ subscribers that I haven’t been active on my blog. I know its been an year now, and the reason was silly enough – I couldn’t get hold of a good blogging client for Mac OS. But now, thanks to Blogo – I am back in business. On my windows box, Live Writer was to my rescue, but since I shifted to Mac, I couldn’t find any. Too lazy to use online web editor. blah blah … whatever. Okay, so what do I mean by "OWASP is cheat sheet and not...
Read More