-
07 Oct 2013Experiencing problems with authenticated web vulnerability scans? Try NTOSpider.
You're performing authenticated web vulnerability scans, right? If you're not, you're missing out...big time. When performing authenticated scans, you'll find a whole different set of security flaws likely consisting of session fixation, SQL injection (that often differs among user role levels), weak passwords, login mechanism flaws, and perhaps...just maybe that beloved cross-site request forgery flaw that may or may not be exploitable or even matter in the context of what ...
Continue Reading... -
18 May 2013
Web security answers are changing – a frustrating, challenging, and humbling journey
In reading one of Brian Tracy's books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: "Dr. Einstein, wasn't that the same exam that you gave to this physics class last year?" Dr. Einstein replied "Yes, it was the same exam as last year." The student then ...
Continue Reading... -
02 May 2013
Is your approach to application security based in reality?
I know I say this a lot here - I've been so busy writing that I've been remiss in posting my actual content. So...I've got some content on web and mobile application security and penetration testing this time around.You see, there are so many researchers, theories, and academic approaches to web and mobile security that it's simply overwhelming. Much of it doesn't apply to what businesses really need to be ...
Continue Reading... -
28 Feb 2013
Mobile app security assessments
I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised) related to session manipulation, hard-coded cryptographic keys and the like which underscores the importance of the exercise.But there's another side to mobile app security assessments - it's simply manual analysis. That is poking around with the apps and the mobile ...
Continue Reading... -
29 Jan 2013
Introducing the brand new Hacking For Dummies, 4th edition
Well, it's here...the fourth edition of my book Hacking For Dummies is officially available today!Starting summer of 2012 and ending just before Christmas, I put in over 200 hours of blood, sweat, tears, and occasional cussing into this edition...more than any previous updates to the book. That said, my savvy technical editor, Peter Davis, and the wonderful editors at Wiley, Becky Huehls, Virginia Sanders, and Amy Fandrei were the real ...
Continue Reading... -
26 Nov 2012
Fix for painful authenticated web vulnerability scans requiring MFA
Authenticated web security scans are one of the most frustrating parts of web security assessments. I mean they're downright painful, oftentimes seemingly impossible - especially if multi-factor authentication (MFA) technology is in use. Yet authenticated scans are critically important. It's scary how many times I uncover serious flaws (i.e. SQL injection) while logged-in as a typical user of a web site/application. That is if I can get my web vulnerability ...
Continue Reading... -
09 Jul 2012
What NTOSpider offers the appsec world
I feel like I've said it a million times: you cannot rely on just one Web vulnerability scanner. There are simply too many vendors doing too many checks across too many websites and applications. The complexity of what needs to be tested is enormous not to mention the quality of the Web vulnerability scanners on the market (tip: you get what you pay for). Well, NTObjectives' NTOSpider is a perfect ...
Continue Reading... -
11 May 2012
Web application security assessment war stories
I spend a lot of time performing Web security assessments and every project is a neat learning experience for me. I'm always eager to share my Web security war stories, what to do and what NOT to do so here are some new pieces you may be interested in...From exploiting Web vulnerabilities to IT geek speak and a bunch of stuff in between, I hope there's something here for you:The ...
Continue Reading... -
19 Mar 2012
Neat tools to seek out sensitive files on laptops & websites
"Oh yeah, I forgot about all of those files." I've never had a security tool lead to these predictable words regarding sensitive files being stored on unencrypted laptops as much as Identity Finder has. You may have seen Identity Finder in my previous post and related articles and presentations where I've mentioned or demonstrated it. Identity Finder is a commercial product that IT and information security professionals can use to ...
Continue Reading... -
08 Feb 2012
What’s it going to take for police departments to secure their websites?
Here's yet another story about a police department website being compromised by criminal hackers. When a regular citizen's home address is exposed, that's one thing. But when the addresses of police chiefs are published online, that opens up an entirely new set of risks for their personal safety. Sad. Hey, at least the police chiefs I know are armed and well-trained experts. Would be pretty foolish to try and attack ...
Continue Reading...
Resources
Client Testimonials
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”
(IT managed services firm)
Kevin has written/co-written 12 books on information security including one of the best-sellers of all time:
