Five Eyes Governments: Weaken Encryption or Else

The other day I was reading through blogs that I follow and found a couple of concerning stories about government efforts to weaken encryption. The FBI and Department of Justice have long complained about encryption being used by criminals and terrorists to aid their activities. The efforts to weaken encryption are not being driven solely by the US government. Security … Read More

Pro Bono Penetration Tests for Open Source Projects

Today I was hanging out in one of my favorite Slack servers and I decided to drop a small pitch for Paladin Security in the vendor related channel.  (Yes, I checked with the admin before I did so.) Someone popped up and asked me if I gave discounts for open source web apps.  Huh… do I?  I hadn’t really thought … Read More

CSRF and Cross Origin Request Sharing

Cross Site Request Forgery (CSRF) is a pretty straightforward flaw to take advantage of.  Explaining it can be more difficult, due to the number of conditions that have to be met.  This post isn’t meant to be a primer on CSRF, but here are the conditions that must occur. The targeted app has a critical transaction that uses predictable inputs … Read More

Perils in Session Management: JWT Edition

Session management is a critical area to get right in developing a web application.  The developer has to get it right or the entire app is risk of being compromised.  Fortunately, the development frameworks have attempted to make this an implementation issue rather than a development issue.  A developer just has to pick the mechanism for session management and implement … Read More

Scoping a Penetration Test

Last week I recorded a module about working with clients ahead of a penetration test for my upcoming online course, Breaking Web App Security.  The module is a fairly straight forward discussion about the things we need to do as penetration testers before beginning any engagement.  The section that I spent the most time on was scoping a penetration test.  … Read More

The First Year of Being a Penetration Tester – The Year of Terror

This month marks my sixth year working as a professional penetration tester and all the experiences that have gone along with it.  Its been an interesting experience and has taken a lot of twists and turns.  I was already familiar with doing vulnerability assessments and light penetration testing as a security engineer.  I’d like to say I had lots of … Read More

Webcast: High Noon in the Juice Shop

Attacking Single Page Web Apps You get asked if you can test the security of a JavaScript single page web application and you confidently say that you can. After all, testing web apps is something you’ve done a number of times. Burp Suite gets fired up and you start checking out the latest victim… and you think, “What the heck … Read More

Make Security Awareness Training Real

Think about the last security awareness training that you were forced to sit through by your employer.  Do you remember anything specific from it?  Neither can I.  Why is that?  Personally I believe it is because most of our awareness training is boring and isn’t written in a way that’s interesting at all.  They dump tons of information at us, … Read More

Win a free RetroPie gaming system!

Paladin Security is running a drawing for a free RetroPie gaming system running on a Raspberry Pi 3. The drawing is being done on July 31, 2017, so get your entry in now!  Good luck to everyone that enters.  It should be a fun little box to play on. Retro Pi Drawing

Vulnerability Assessment Versus a Penetration Test

The question of whether to do a vulnerability assessment versus a penetration test will probably come up as you look at your security testing plans.  Some folks have a strong preference of one over the other, but both are valid if used appropriately and in the right situation.  Deciding which to use is pretty straight forward.  Let’s just jump into it. Vulnerability Assessment … Read More