• 22 Dec 2014

    Some vulnerability + penetration testing content to send off 2014

    Here are some pieces I've written recently on determining just how "fit" your network and application environment really is. Whether you're an IT auditor, penetration tester, IT admin, or security consultant, there's some stuff for you:How to perform a (next-generation) network security audit Don’t overlook details when scoping your Web application security assessmentsTop gotchas when performing email phishing tests How to take a measured approach to automated penetration testingFive steps ...

    Continue Reading...
  • 27 Aug 2014

    My new webcast on securing your Web environment against denial of service attacks

    I saw a recent study that found that distributed denial of service attacks are getting larger and larger.The thing you need to be thinking about is how you're going to prevent and respond when your Web presence becomes a target.Well, good timing, because I just recorded a new webcast for my friends at SearchSecurity.com on this very topic...In Proven Practices for Securing Your Website Against DDoS Attacks, I have a ...

    Continue Reading...
  • 18 Jul 2014

    How to communicate Web security to management, must-have security testing tools, and compliance in the cloud

    Check out these new pieces I've written and recorded on Web application and cloud security. If you follow the things I recommend on communication (first three links), you can absolutely transform your information security program and the way that people perceive you as an IT professional.Communicating with Management about Web Security, Part 1 - Knowing What You're Up AgainstCommunicating with Management about Web Security, Part 2 - Prioritization and Sending ...

    Continue Reading...
  • 04 Jun 2014

    More Web security vulnerability assessment, audit, and pen testing resources

    I've been busy in the world of Web security testing - both with work and with writing. Check out these new pieces on the subject. I suspect I'll tick off a "researcher" or two given my business angle and 80/20 Rule-approach of focusing on the most problematic areas of Web security...Still, I hope that these are beneficial to you and what you're trying to accomplish in your organization:Key Web application ...

    Continue Reading...
  • 14 May 2014

    Web security vulnerability testing and management resources you need

    Here are some recent pieces I've written that can make or break your success in information security: - See more at: http://securityonwheels.blogspot.com/#sthash.YEhOcnEF.dpufHere are some recent pieces I've written that can make or break your success in information security: - See more at: http://securityonwheels.blogspot.com/#sthash.YEhOcnEF.dpufHere are some recent pieces I've written that can make or break your success in information security: - See more at: http://securityonwheels.blogspot.com/#sthash.YEhOcnEF.dpufHere are some recent pieces I've written ...

    Continue Reading...
  • 11 Nov 2013

    My latest security content (lots of stuff on application security)

    I thought you might be interested in my latest articles/tips on web and mobile application security:Why you need to pay attention to the slow HTTP attackLessons learned from a web security breachApplication security calls for a proactive approachUnderstanding the value of the OWASP Top 10 2013The Role Of An Automated Web Vulnerability Scanner In A Holistic Web Security AuditAre Obamacare’s health insurance exchanges secured? Likely not. Can software quality pros ...

    Continue Reading...
  • 07 Oct 2013

    Experiencing problems with authenticated web vulnerability scans? Try NTOSpider.

    You're performing authenticated web vulnerability scans, right? If you're not, you're missing out...big time.When performing authenticated scans, you'll find a whole different set of security flaws likely consisting of session fixation, SQL injection (that often differs among user role levels), weak passwords, login mechanism flaws, and perhaps...just maybe that beloved cross-site request forgery flaw that may or may not be exploitable or even matter in the context of what you're ...

    Continue Reading...
  • 18 May 2013

    Web security answers are changing – a frustrating, challenging, and humbling journey

    In reading one of Brian Tracy's books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: "Dr. Einstein, wasn't that the same exam that you gave to this physics class last year?" Dr. Einstein replied "Yes, it was the same exam as last year." The student then ...

    Continue Reading...
  • 02 May 2013

    Is your approach to application security based in reality?

    I know I say this a lot here - I've been so busy writing that I've been remiss in posting my actual content. So...I've got some content on web and mobile application security and penetration testing this time around.You see, there are so many researchers, theories, and academic approaches to web and mobile security that it's simply overwhelming. Much of it doesn't apply to what businesses really need to be ...

    Continue Reading...
  • 01 Mar 2013

    Got WordPress? You’d better secure it.

    If you use WordPress, take note. My colleague Robert Abela, one of the foremost experts on WordPress security, has a new course at Udemy.com on Securing a WordPress Blog or Website for Beginners that you should check out. The course costs $15. When you use the coupon code OnWheels, you'll receive a $5 (33%) discount. Don't let your guard down because "it's just a marketing site". WordPress-based sites can have ...

    Continue Reading...