Interview with Carrie Roberts

InfoSec Career Podcast – Episode 11. Carrie Roberts shares some incredible experiences that she has had moving into security. She has gone from being a mechanical engineer for HP to now working for Walmart on their blue team. The changes that she has made have had a huge impact on her and her family. You will definitely want to listen …

Interview with Tom Eston

InfoSec Career Podcast – Episode 6. I got really excited when Tom Eston and I started talking about him coming on the show. Tom has a wealth of experience in penetration testing and security. Now he applies his technical experience to managing a team of penetration testers. The best managers that I’ve worked for have always spent their time in …

Building Custom Box Images for Vagrant

When I started working on Breaking Web App Security, I knew I was going to need a lab environment for the students to use. I considered using Docker images with instructions on how to set up the target sites. It didn’t take very long to decide to drop this idea due to the variances that would occur between each student’s …

CSRF and Cross Origin Request Sharing

Cross Site Request Forgery (CSRF) is a pretty straightforward flaw to take advantage of. Explaining it can be more difficult, due to the number of conditions that have to be met. This post isn’t meant to be a primer on CSRF, but here are the conditions that must occur. The targeted app has a critical transaction that uses predictable inputs …

Perils in Session Management: JWT Edition

Session management is a critical area to get right in developing a web application. The developer has to get it right or the entire app is at risk of being compromised. Fortunately, the development frameworks have attempted to make this an implementation issue rather than a development issue. A developer just has to pick the mechanism for session management and implement …

The First Year of Being a Penetration Tester – The Year of Terror

This month marks my sixth year working as a professional penetration tester and all the experiences that have gone along with it. It’s been an interesting experience and has taken a lot of twists and turns. I was already familiar with doing vulnerability assessments and light penetration testing as a security engineer. I’d like to say I had lots of …

Webcast: High Noon in the Juice Shop

Attacking Single Page Web Apps. You get asked if you can test the security of a JavaScript single page web application and you confidently say that you can. After all, testing web apps is something you’ve done a number of times. Burp Suite gets fired up and you start checking out the latest victim… and you think, “What the heck …

Make Security Awareness Training Real

Think about the last security awareness training that you were forced to sit through by your employer. Do you remember anything specific from it? Neither can I. Why is that? Personally I believe it is because most of our awareness training is boring and isn’t written in a way that’s interesting at all. They dump tons of information at us, …

Prepare Your Security Testing Program

Most of us would agree that planning ahead beats reacting to developing and unexpected situations. The nice thing about security testing is that it isn’t hard to plan for. Even if you aren’t able to schedule a test right now, you can start preparing for when one is needed. Let’s take a look at a few things you can do right …

Security Testing Blog Post and Video Series

Planning for Security Testing. Security testing is a critical component of a security program and needs to be done on a regular basis. However, I’ve noticed that how companies use security testing varies wildly. Some companies have their testing integrated into their plans for the year. Their tests are scheduled in advance and they know what needs to be focused on. …