There are two general claims I would like to make about the state of cybersecurity that I believe to be true and connected. The first is that the field is rife with pseudoscience and lacks an appreciation for empirical methods. The second is that much of the bad information in the field has originated from …
Security testing comes in many forms. For our purposes, we will consider manually-driven, black-box testing that aims to identify the maximal set of vulnerabilities that can be identified within an application. Terminology can be contentious, but this is widely referred to as an application penetration test, which includes an attempt to exploit identified vulnerabilities, demonstrating …
Preparing a Mobile Application for Security Testing Read More »
As an application penetration tester, it is not uncommon when scoping an engagement for a prospective client to ask if we test “according to an OWASP Top 10 Methodology.” To this I answer “yes, of course,” but what I would really like to do is explain why the question does not make sense. Hopefully, this …
The Widespread Misunderstanding of the OWASP Top 10 Read More »
As the complexity and diversity of our connected systems expand, the need for specialized offensive security skills is increasing. In particular, specialization in application security has been forecast to drive the growth in penetration testing services. Combined with the allure that comes with breaking into systems as a career, it’s no surprise there are many …
Getting Started in Web Application Penetration Testing Read More »
Performing some Silverlight penetration testing? I’m sorry for your luck. If you’re like me, you’ve invested some time into investigating just which tools and techniques are currently available and functioning. If not, I hope to save you some time by describing my approach. Of course, it should go without saying that your client/developers should be …