Security Blog – Ryan Armstrong

Challenges in Scoring Application Security Test Findings

March 25, 2024 / Ryan Armstrong

A simplified description of application security testing (or penetration testing) is a task that involves identifying application vulnerabilities and reporting how they were identified such that they can be replicated and ultimately remediated. I would like to complicate (refine) this definition to discuss two very important missing components: The distinction between vulnerabilities and weaknesses is […]

Challenges in Scoring Application Security Test Findings Read More »

Why Test an Administrative Application Account?

September 25, 2023 / Ryan Armstrong

A question that often arises when considering what authenticated roles to include for application security/penetration testing is whether administrative roles should be included. After all, should it not be assumed that an attacker with an administrative role could do major damage to the application and its stakeholders regardless of vulnerabilities that might be present? Of

Why Test an Administrative Application Account? Read More »

IBM Uses Bad Science While Pushing “AI”

July 31, 2023 / Ryan Armstrong

There are two general claims I would like to make about the state of cybersecurity that I believe to be true and connected. The first is that the field is rife with pseudoscience and lacks an appreciation for empirical methods. The second is that much of the bad information in the field has originated from

IBM Uses Bad Science While Pushing “AI” Read More »

Preparing a Mobile Application for Security Testing

June 29, 2023 / Ryan Armstrong

Security testing comes in many forms. For our purposes, we will consider manually-driven, black-box testing that aims to identify the maximal set of vulnerabilities that can be identified within an application. Terminology can be contentious, but this is widely referred to as an application penetration test, which includes an attempt to exploit identified vulnerabilities, demonstrating

Preparing a Mobile Application for Security Testing Read More »

The Widespread Misunderstanding of the OWASP Top 10

June 22, 2023 / Ryan Armstrong

As an application penetration tester, it is not uncommon when scoping an engagement for a prospective client to ask if we test “according to an OWASP Top 10 Methodology.” To this I answer “yes, of course,” but what I would really like to do is explain why the question does not make sense. Hopefully, this

The Widespread Misunderstanding of the OWASP Top 10 Read More »

Getting Started in Web Application Penetration Testing

December 22, 2022 / Ryan Armstrong

As the complexity and diversity of our connected systems expand, the need for specialized offensive security skills is increasing. In particular, specialization in application security has been forecast to drive the growth in penetration testing services. Combined with the allure that comes with breaking into systems as a career, it’s no surprise there are many

Getting Started in Web Application Penetration Testing Read More »

Pentesting Silverlight in 2021

January 8, 2021 / Ryan Armstrong

Performing some Silverlight penetration testing? I’m sorry for your luck. If you’re like me, you’ve invested some time into investigating just which tools and techniques are currently available and functioning. If not, I hope to save you some time by describing my approach. Of course, it should go without saying that your client/developers should be

Pentesting Silverlight in 2021 Read More »