  • 12 Feb 2013

    Mobile app security testing – are you checking for all the flaws?

    I plan to write a related post soon on my mobile app security assessments. In the meantime, I wanted to share a tool with you that plays a key role in mobile app security: Checkmarx CxDeveloper (or perhaps more appropriately called CxSuite). If you're a developer, QA professional, security manager, or IT generalist, this is a good tool to have for all of those gotta-have-now apps that everyone is throwing together ...

    Continue Reading...
  • 21 Jan 2013

    Student information systems rife with security flaws

    Here's an interesting story from Slashdot today about a college student being expelled after pointing out flaws in his college's student information system. What he's seeing is no surprise. Starting with my days working for IBM's EduQuest division, for the past 20 years or so I've seen numerous K-12 and higher education student information systems chock full of security flaws. Stupid, silly security flaws like SQL injection, cross-site request forgery, URL ...

    Continue Reading...
  • 26 Nov 2012

    Fix for painful authenticated web vulnerability scans requiring MFA

    Authenticated web security scans are one of the most frustrating parts of web security assessments. I mean they're downright painful, oftentimes seemingly impossible - especially if multi-factor authentication (MFA) technology is in use. Yet authenticated scans are critically important. It's scary how many times I uncover serious flaws (e.g. SQL injection) while logged in as a typical user of a web site/application. That is, if I can get my web vulnerability ...

    Continue Reading...
  • 09 Jul 2012

    What NTOSpider offers the appsec world

    I feel like I've said it a million times: you cannot rely on just one Web vulnerability scanner. There are simply too many vendors doing too many checks across too many websites and applications. The complexity of what needs to be tested is enormous not to mention the quality of the Web vulnerability scanners on the market (tip: you get what you pay for). Well, NTObjectives' NTOSpider is a perfect ...

    Continue Reading...
  • 11 May 2012

    Web application security assessment war stories

    I spend a lot of time performing Web security assessments and every project is a neat learning experience for me. I'm always eager to share my Web security war stories, what to do and what NOT to do, so here are some new pieces you may be interested in... From exploiting Web vulnerabilities to IT geek speak and a bunch of stuff in between, I hope there's something here for you: The ...

    Continue Reading...
  • 25 Apr 2012

    My webcast on software source code analysis

    Here's a recent webcast I put together with the folks at Checkmarx (makers of a dandy source code analyzer) that you may be interested in: The business value of partial code scanning. Enjoy! ...

    Continue Reading...
  • 16 Apr 2012

    Basic features of WebInspect – the kind of stuff great scanners are made of

    Wondering what helps minimize the pain, stress and time required to run effective Web vulnerability scans? It's the things you can see in the toolbar of HP's WebInspect: Start/Resume, Pause - because you're going to need to pause and resume your scans at some point. Rescan - because you're going to want to re-run the scan again or re-test for the flaws uncovered previously. Compare - because you're going to have a ...

    Continue Reading...
  • 14 Mar 2012

    My upcoming webcast with Checkmarx: How to Use Source Code Analysis to Improve Information Security

    Join me next week, Thursday March 22, for a quick webcast where I'll be co-presenting on the topic of source code analysis and how it can improve your information security over time. I'm convinced that source code analysis is one of the missing links in the overall security process. As I say all the time: you cannot secure what you don't acknowledge. Ignoring security flaws at the source can be ...

    Continue Reading...
  • 12 Feb 2012

    SQL injection cheatsheet & tips for getting management on board

    Here's a neat "cheatsheet" on SQL injection by NTObjectives that outlines some common attack strings, commands and so forth. Their SQL Invader SQL injection tool is worth checking out as well. If you're having trouble selling management on the dangers of SQL injection, check out this piece I wrote about it not long ago: SQL Injection – The Web Flaw That Keeps on Giving; Ten Ways to Sell Security to Management. Happy ...

    Continue Reading...
  • 08 Feb 2012

    What’s it going to take for police departments to secure their websites?

    Here's yet another story about a police department website being compromised by criminal hackers. When a regular citizen's home address is exposed, that's one thing. But when the addresses of police chiefs are published online, that opens up an entirely new set of risks for their personal safety. Sad. Hey, at least the police chiefs I know are armed and well-trained experts. Would be pretty foolish to try and attack ...

    Continue Reading...