Interview with Ed Skoudis

InfoSec Career Podcast – Episode 4 This episode was really exciting for me to record! Ed Skoudis joined me during this episode of the show and we covered a whole range of fun topics. Some things that Ed shared were the need to pick an area of focus in security, the necessity of continuously learning, and how to learn more …

Interview with Robin Wood

InfoSec Career Podcast – Episode 3 In this episode, Jason speaks with Robin Wood, aka @DigiNinja. Robin shares his path from developer to penetration tester, including being told no several times when he got started and how he kept going. He also explains how he learns new things by developing tools and writing some excellent blog posts. …

Interview with Kevin Johnson

InfoSec Career Podcast – Episode 2 In this episode of the show, Jason speaks with Kevin Johnson, CEO of Secure Ideas. Kevin shares how his career developed, the benefits of networking, and more. Please subscribe and share with others!

Conversation with Michael Santarcangelo

It’s funny how you can sit right there and be part of a conversation and think you learned a lot from it. Then you go back and listen to that conversation and you realize how much more you missed the first time around. Such was the result of my conversation with Michael Santarcangelo during the first episode of The InfoSec …

InfoSec Career Podcast – Episode 1

Interview with Michael Santarcangelo In this episode of the show, Jason speaks with Michael Santarcangelo, the owner of Security Catalyst. Michael has a number of great insights to share as we discuss his experiences and observations from working in security. I always enjoy talking to Michael because of his method of asking questions to find answers and his willingness to …

Building Custom Box Images for Vagrant

When I started working on Breaking Web App Security, I knew I was going to need a lab environment for the students to use. I considered using Docker images with instructions on how to set up the target sites. It didn’t take very long to decide to drop this idea due to the variances that would occur between each student’s …

Five Eyes Governments: Weaken Encryption or Else

The other day I was reading through blogs that I follow and found a couple of concerning stories about government efforts to weaken encryption. The FBI and Department of Justice have long complained about encryption being used by criminals and terrorists to aid their activities. The efforts to weaken encryption are not being driven solely by the US government. Security …

Pro Bono Penetration Tests for Open Source Projects

Today I was hanging out in one of my favorite Slack servers and I decided to drop a small pitch for Paladin Security in the vendor related channel. (Yes, I checked with the admin before I did so.) Someone popped up and asked me if I gave discounts for open source web apps. Huh… do I? I hadn’t really thought …

CSRF and Cross Origin Request Sharing

Cross Site Request Forgery (CSRF) is a pretty straightforward flaw to take advantage of. Explaining it can be more difficult, due to the number of conditions that have to be met. This post isn’t meant to be a primer on CSRF, but here are the conditions that must occur. The targeted app has a critical transaction that uses predictable inputs …

Perils in Session Management: JWT Edition

Session management is a critical area to get right in developing a web application. The developer has to get it right or the entire app is at risk of being compromised. Fortunately, the development frameworks have attempted to make this an implementation issue rather than a development issue. A developer just has to pick the mechanism for session management and implement …