-
03 Jun 2009Neat (and free) tool for finding Flash flaws
HP's Application Security Center recently released SWFScan - a standalone tool that decompiles Flash applications and searches for security holes inside the code. Very cool.It's pretty surprising how many vulnerabilities Flash files can contain including XSS, embedded SQL statements, encryption keys, login credentials and more. Definitely worth downloading and taking it for a spin. Here's a screenshot of the interface and some findings:Also, check out Billy Hoffman's video walkthrough of ...
Continue Reading... -
26 May 2009
Perfect example of an unknown app becoming a known target
A while back I wrote about a great email server called Icewarp. It wasn't bloatware - it had just what SMBs needed in an email server...Oh, and it wasn't a target for security exploits - an obvious added benefit. But as with anything else, you grow bigger, your app becomes more complex, and you'll no doubt become a bigger target for attacks. As of late Icewarp has grown a lot ...
Continue Reading... -
12 May 2009
New version of Acunetix WVS is coming
I just downloaded and am eager to try out the latest from the guys at Acunetix: Acunetix Web Vulnerability Scanner version 6.5 beta. It seems like they just came out with version 6.0! My last post on it was only a couple of months ago.Acunetix WVS 6.5 beta has a new feature called "file upload forms vulnerability checks" which they claim is an industry first. This is interesting because I ...
Continue Reading... -
20 Apr 2009
Neat open source SIM tool
I attended a local networking event here in town last week where a representative from AlienVault presented their open source security incident/event management tool called OSSIM. I had to endure a painful sales pitch (that wasn't supposed to be a sales pitch, mind you) and a simple-minded "use this product for all your needs" approach to information security...but the tool actually looks promising. It's a "free" way to pull together ...
Continue Reading... -
16 Apr 2009
What to look for in a security scanner
Since I'm on the subject of talking about security scanners, here's a link to an article I wrote a couple of years ago that's still very relevant. Check it out:What to look for in a Web application security testing toolSome of what I say in this piece supports my stance in the previous blog that you cannot automate this stuff and assume you've done your due diligence....
Continue Reading... -
16 Apr 2009
Someting you need to know about all-in-one scanners
I've been approached a couple of times in the past few weeks regarding the "scanner" and "vulnerability management" vendors that are touting their all-in-one approach to security vulnerability assessments and compliance scans. The interest has been around PCI DSS and specifically Rapid7's solutions (apparently their marketing folks are doing a good job). There are other vendors coming into the space as well including a big one being announced at RSA ...
Continue Reading... -
01 Apr 2009
WebInspect – the Mac Daddy Web app scanner?
I've recently covered two of my favorite, yet lesser-known, Web vulnerability scanners: Acunetix Web Vulnerability Scanner and N-Stalker Web Application Security Scanner. Two worthy products indeed. Now I'd like to shed some light on HP's WebInspect. I've been using WebInspect since before testing Web sites/apps was cool. In fact, WebInspect was one the original commercial Web scanners. It may have even been the first. Anyway, I started a relationship with ...
Continue Reading... -
10 Mar 2009
My latest security content
I have some new information security content that you may be interested in. First, here's an article I wrote for SearchSQLServer.com:The fine line between not encrypting your databases and breach notification...and two articles I wrote for SearchSoftwareQuality.com:Using the Firefox Web Developer extension to find security flawsCloud computing and application security: Issues and risksEnjoy!Also, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts and ...
Continue Reading... -
10 Mar 2009
Using AirMagnet WiFi Analyzer for security assessments
While I'm on a roll testing out the latest security tools (can you tell I'm finally getting caught up on things?!) I wanted to write the follow-up to this previous post I promised regarding AirMagnet's wireless network analyzer (now dubbed WiFi Analyzer).I've been using WiFi Analyzer for years...it now supports 802.11n for those of you on the "bleeding edge" and it even has some automated security checks for "n". As ...
Continue Reading... -
05 Mar 2009
Acunetix – a very good Web scanner that keeps getting better
OK, it didn't *just* get better...it's been out for several months - but I've just now gotten a chance to really sit down with it and take it for a spin and write a post about it. I'm talking about Acunetix Web Vulnerability Scanner version 6.NOTE_BEFORE_I_BEGIN: I don't do formal "reviews" but you know how excited I get over cool tools. I found something in this one that I thought ...
Continue Reading...
Resources
Client Testimonials
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”
(IT managed services firm)
Kevin has written/co-written 12 books on information security including one of the best-sellers of all time:
