Interview with Kevin Johnson

InfoSec Career Podcast – Episode 2 In this episode of the show, Jason speaks with Kevin Johnson, CEO of Secure Ideas.  Kevin shares how his career developed, the benefits of networking, and more. Please subscribe and share with others!

Conversation with Michael Santarcangelo

It’s funny how you can sit right there and be part of a conversation and think you learned a lot from it.  Then you go back and listen to that conversation and you realize how much more you missed the first time around.  Such was the result of my conversation with Michael Santarcangelo during the first episode of The InfoSec … Read More

InfoSec Career Podcast – Episode 1

Interview with Michael Santarcangelo In this episode of the show, Jason speaks with Michael Santarcangelo, the owner of Security Catalyst. Michael has a number of great insights to share as we discuss his experiences and observations from working in security. I always enjoy talking to Michael because of his method of asking questions to find answers and his willingness to … Read More

Building Custom Box Images for Vagrant

When I started working on Breaking Web App Security, I knew I was going to need a lab environment for the students to use. I considered using Docker images with instructions on how to set up the target sites. It didn’t take very long to decide to drop this idea due to the variances that would occur between each student’s … Read More

Five Eyes Governments: Weaken Encryption or Else

The other day I was reading through blogs that I follow and found a couple of concerning stories about government efforts to weaken encryption. The FBI and Department of Justice have long complained about encryption being used by criminals and terrorists to aid their activities. The efforts to weaken encryption are not being driven solely by the US government. Security … Read More

Pro Bono Penetration Tests for Open Source Projects

Today I was hanging out in one of my favorite Slack servers and I decided to drop a small pitch for Paladin Security in the vendor related channel.  (Yes, I checked with the admin before I did so.) Someone popped up and asked me if I gave discounts for open source web apps.  Huh… do I?  I hadn’t really thought … Read More

CSRF and Cross Origin Request Sharing

Cross Site Request Forgery (CSRF) is a pretty straightforward flaw to take advantage of.  Explaining it can be more difficult, due to the number of conditions that have to be met.  This post isn’t meant to be a primer on CSRF, but here are the conditions that must occur. The targeted app has a critical transaction that uses predictable inputs … Read More
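The excerpt above lists, as one CSRF precondition, a critical transaction whose inputs are all predictable. The example below is added here and is not code from the original post: it shows a transfer handler in that vulnerable state beside one hardened with a per-session synchronizer token and an Origin check. The request and session objects are plain dictionaries constructed for the demo, and the field name, origin and account values are hypothetical.

```python
"""Added example: CSRF via predictable inputs, and the synchronizer-token fix.

The attacker can make the victim's browser send a POST that carries the
victim's session cookie, but cannot read a random token stored in that
session and rendered into the real page. Requiring the token turns one of
the predictable inputs into an unpredictable one, which breaks the attack.
"""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"               # hypothetical hidden form field
ALLOWED_ORIGIN = "https://bank.example"  # hypothetical origin of the site


def new_session() -> dict:
    """Create a logged-in session carrying a fresh, unguessable CSRF token."""
    return {"user": "alice", TOKEN_FIELD: secrets.token_urlsafe(32)}


def transfer_vulnerable(request: dict, session: dict) -> str:
    """Vulnerable: every input the server checks is predictable, so a forged
    cross-site POST riding on the victim's cookie goes through."""
    if request["method"] != "POST" or "user" not in session:
        return "rejected"
    return f"moved {request['form']['amount']} to {request['form']['to']}"


def transfer_protected(request: dict, session: dict) -> str:
    """Hardened: require the per-session token and, as defence in depth,
    reject requests whose Origin header names another site."""
    if request["method"] != "POST" or "user" not in session:
        return "rejected"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return "rejected"  # the browser says this came from another site
    submitted = request["form"].get(TOKEN_FIELD, "")
    # Constant-time comparison on bytes: attacker input may be non-ASCII,
    # and a naive == would leak timing about the token.
    if not hmac.compare_digest(submitted.encode(), session[TOKEN_FIELD].encode()):
        return "rejected"
    return f"moved {request['form']['amount']} to {request['form']['to']}"


def forged_request() -> dict:
    """Constructed: what an attacker page at evil.example can make the
    victim's browser submit. The cookie (session) is attached by the
    browser; the attacker never learns the token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://evil.example"},
        "form": {"to": "mallory", "amount": "1000"},
    }


def legitimate_request(session: dict) -> dict:
    """Constructed: the same form submitted from the real page, which had
    the session's token rendered into its hidden field."""
    return {
        "method": "POST",
        "headers": {"Origin": ALLOWED_ORIGIN},
        "form": {"to": "bob", "amount": "50", TOKEN_FIELD: session[TOKEN_FIELD]},
    }


if __name__ == "__main__":
    s = new_session()
    print("vulnerable, forged :", transfer_vulnerable(forged_request(), s))
    print("protected,  forged :", transfer_protected(forged_request(), s))
    print("protected,  legit  :", transfer_protected(legitimate_request(s), s))
```

The Origin check alone is not sufficient (the header is absent on some same-site navigations and can be missing on older clients), which is why the token comparison is the primary control and the origin check is only a second layer.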

Perils in Session Management: JWT Edition

Session management is a critical area to get right in developing a web application.  The developer has to get it right or the entire app is at risk of being compromised.  Fortunately, the development frameworks have attempted to make this an implementation issue rather than a development issue.  A developer just has to pick the mechanism for session management and implement … Read More
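The excerpt does not say which JWT perils the post goes on to cover. The example below is added here, not taken from the post, and shows one rule that applies to any JWT-backed session regardless of framework: the server fixes the signing algorithm and checks the signature and expiry before trusting a single claim. It uses only the standard library; the key, claim values and helper names are constructed for the demo.

```python
"""Added example: minimal HS256 JWT issue/verify with the algorithm pinned.

A verifier that takes the algorithm from the token's own header lets the
token decide how it is checked, which is how "alg": "none" forgeries and
key-confusion attacks work. Here the server decides: anything that is not
HS256 with a valid MAC and a future "exp" is treated as no session at all.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key-do-not-reuse"  # hypothetical server key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None.

    Order matters: algorithm check, then MAC, then expiry, and only then is
    the payload handed back. Any malformed input is simply rejected.
    """
    now = int(time.time()) if now is None else now
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":      # server pins the algorithm
            return None
        expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None                       # missing or past expiry
    except (ValueError, TypeError, AttributeError):
        return None                           # bad segment count, base64 or JSON
    return claims


def forge_alg_none(claims: dict) -> str:
    """Constructed attacker token: header claims no algorithm, empty signature.
    A verifier that honours the header would accept this without a key."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for a reproducible run
    good = sign_hs256({"sub": "alice", "role": "user", "exp": t0 + 600}, SECRET)
    print("valid token   :", verify_hs256(good, SECRET, now=t0))
    print("alg none      :", verify_hs256(forge_alg_none({"sub": "alice", "role": "admin", "exp": t0 + 600}), SECRET, now=t0))
    print("expired token :", verify_hs256(good, SECRET, now=t0 + 601))
```

Real deployments should also bind the token to an issuer and audience and keep the payload small, but the pinned algorithm and the refusal to read claims before the MAC is verified are the two habits that stop the well-known JWT failure modes.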

Scoping a Penetration Test

Last week I recorded a module about working with clients ahead of a penetration test for my upcoming online course, Breaking Web App Security.  The module is a fairly straightforward discussion about the things we need to do as penetration testers before beginning any engagement.  The section that I spent the most time on was scoping a penetration test.  … Read More

The First Year of Being a Penetration Tester – The Year of Terror

This month marks my sixth year working as a professional penetration tester and all the experiences that have gone along with it.  It's been an interesting experience and has taken a lot of twists and turns.  I was already familiar with doing vulnerability assessments and light penetration testing as a security engineer.  I'd like to say I had lots of … Read More