-
04 Oct 2010Beware of the oversights w/default policies in Web vuln scanners
I just ran some Web vulnerability scans against an app I'm testing using a couple of default/benign scan policies. Nothing big turned up. I re-ran the scan using a full scan policy that checks for everything and the new MS10-070 ASP.NET padding oracle vulnerability reared its ugly head...BIG difference in the outcome.Keep this in mind when checking for Web security flaws with your automated scanners and never ever completely rely ...
Continue Reading... -
14 Sep 2010
Preventing email denial of service when scanning Web apps
Here's a new piece I've written that outlines one of those pesky Web scanning problems most of us have been affected by in some way or another:Ways to avoid email floods when running Web vulnerability scansHope this helps!...
Continue Reading... -
07 Sep 2010
The key to accurate and insightful Web security scans
You've likely found that Web vulnerability scanners aren't just point-and-click. Maybe so for relatively simplistic marketing websites but not for complex applications. In fact, one of the greatest ways to get a grand false sense of security is to turn a Web vulnerability scanner loose on your site/application and assume everything of consequence has been discovered and audited.The thing is we're now seeing an entirely new set of Web applications ...
Continue Reading... -
30 Aug 2010
“New” Web security content to check out
Here are several new links to some recent (and, due to my crazy year, not so recent) articles I've written for various TechTarget sites on the subjects of Web application and server security:Web server weaknesses you don't want to overlook (the "rest of the story" of Web flaws)SQL injection tools for automated testing (a must-have for your toolkit)Beefing up SSL to ensure your applications are locked down (good for some ...
Continue Reading... -
26 Aug 2010
Acunetix WVS v7 – grand improvements in the making
When I find a good security tool I not only love using it but I love telling everyone about it. Having gone down this road many times myself, I understand the time, money, and hassle associated with investing in security tools that aren't all that. Well, here's one for you: Acunetix Web Vulnerability Scanner (AWVS) version 7 (it's currently in beta and free for you to try).The folks at at ...
Continue Reading... -
12 Aug 2010
Metasploit enters the Web arena
OK, Metasploit has had several Web-related exploits for years but HD and company are now getting serious about taking Web application scanning and exploitation to the next level.As with Metasploit and Metasploit Express, there's only so much you can do with scanner and exploit tools so the verdict is still out. I love this innovation nonetheless....
Continue Reading... -
09 Aug 2010
How you can get developers on board with security starting today
Some people - including a brilliant colleague of mine - think security is not the job of software developers. In the grand scheme of things I think such an approach is shortsighted and bad for business. It's kind of like an auto assembly line worker not being responsible for the quality of his work or citizens not being responsible for their own healthcare (oh wait!) or why the bottom 50% ...
Continue Reading... -
29 Jul 2010
Neat demo of XSS on Facebook
Here's an informative video and accompanying article by the folks at Acunetix showing the exploitation of XSS on Facebook. It demonstrates how XSS can not only be made into a serious flaw but also how it's carried out in the background without the user ever knowing about it....
Continue Reading... -
21 Jul 2010
Good Web application security resource
In typical monster corporation style, Hewlett-Packard's Web site is painfully difficult to browse around, much less find what you're looking for when it comes to, well, pretty much anything. There is an exception however that benefits all of us in information security. It's HP's Application Security Center Resource Library. It's chock full of goodies from HP (and former SPI Dynamics) engineers, developers, and Web security evangelists.In addition to more recent ...
Continue Reading... -
20 Jul 2010
Sometimes it’s the little things that’ll get you
If you're like me you've likely experienced in your daily life how something seemingly innocuous or too simple can create a big problem. Here's a new piece I wrote where I talk about this issue with regards to Web security:Web security oversights: Don’t overlook the “small” stuffWith information security there's usually no need to sweat the small stuff....just don't overlook it altogether!...
Continue Reading...
Resources
Client Testimonials
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”
(IT managed services firm)
Kevin has written/co-written 12 books on information security including one of the best-sellers of all time:
