- Announcing SecTemplates.com release #6: Security Partner Program Pack v1
  I have built several security partner programs at companies such as Box Inc. and Coinbase, with over 8 years of experience leading them. I have consistently observed the benefits of a partner-focused model versus a classical consultancy model within medium to large enterprises. I’m pleased to announce our 6th program pack, the Security Partners Program…
- Announcing SecTemplates.com release #5: Security Exception Program Pack 1.0
  The goal of this release is to provide all the necessary resources to establish and set up a fully functioning security exceptions program at your company. – Robert Auger (@robertauger) In this pack, we cover: Security Exception Definitions: This document describes common terminology used in an exceptions process, outlines definitions for the various stakeholders participating in…
- Announcing SecTemplates.com release #4: Vulnerability Management Program Release Pack 1.0
  I’m pleased to announce our fourth release, the Vulnerability Management Program Pack. The goal of this release is to provide everything you’d need to establish and set up a fully functioning vulnerability management program at your company. – Robert Auger (@robertauger) In this pack, we cover: Vulnerability Level Definitions: This document outlines vulnerability severity levels to help your…
- Announcing SecTemplates.com release #3: Bug bounty program pack 1.0
  Introduction: There are numerous considerations beyond selecting a provider, many of which are often overlooked in public documentation. The goal of the Bug Bounty Program pack is to help people quickly ramp up on the topic, providing them with the necessary information to begin their journey and ultimately launch a program. – Robert Auger (@robertauger) Announcement: https://www.sectemplates.com/2024/07/announcing-the-bug-bounty-program-pack-10.html…
- Announcing SecTemplates.com release #2: External penetration testing program pack 1.0
  In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction: I have built out several penetration testing programs, both internally and externally, at companies such as eBay, PayPal, and Box to name a few. Before you have the resources for an…
- Announcing SecTemplates.com and the incident response program pack 1.0
  In addition to CGISecurity I work on other side projects from time to time. Below is an announcement about my latest project. Introduction: I’ve worked in the security industry for over 20 years and, during this time, have built and shaped many security programs. At every company I join, I find myself recreating or developing security…
- 20 years of CGISecurity: What appsec looked like in the year 2000
  I just realized that 20 years have passed since I started this site to learn more about web security threats. What 'appsec' looked like in 2000: OWASP didn't exist yet, nor did WASC. Vulnerability disclosure was the wild west. Rain Forest Puppy (RFP) (that guy who discovered SQLi) had just created the first attempt at…
- Red and Blue team postmortems
  If you haven't run a joint exercise with red/blue, you can set up time to perform a postmortem of what happened during a previous red team engagement. Walk step by step through the engagement and review the steps performed (kill chain). For each step, ensure you can answer the following. If you can't answer the…
- My experience co-leading purple team
  I've been fortunate enough to manage a red team program for several years, and since its inception it has gone through many changes. What started out as ad hoc engagements trying to see how far we could get and what problems we could find turned into a mechanism to work more closely, and regularly, with operations/IT teams. More…
- Joint blue team and red team exercises
  Having regular (probably monthly for most) red team engagements where the red teamers and incident response/monitoring teams sit in a room while the engagement occurs is a must. Every time the red teamer executes a command that advances them, blue should be asked: did they detect it? If not, could they have detected it? If unsure,…
- OAuth nightmares talk
  Two of my co-workers have presented at HackMiami on flaws people implement in their OAuth implementations. The talk summary is below: "OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementing OAuth for your…
- Extensive iOS hacking guide released by Security Innovation
  Security Innovation has published a very extensive guide to iOS hacking that's worth checking out. Here's the table of contents: 1. Setting Up iOS Pentest Lab; 1.1 Get an iOS Device; 1.2 Jailbreaking an iOS Device; 1.3 Installing Required Software and Utilities; 2. Acquiring iOS Binaries; 3. Generating iOS Binary (.IPA file) from…
- Presentation: Problems you’ll face when building a software security program
  A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec programs at companies…
- Google’s intentions are good, but the implementation leaves MORE users vulnerable to hacking than before
  In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which from the project…
- My experience with developer security training
  I've been busy this past year, which has resulted in almost no updates to this site. Consider this one of many rants/posts about my experiences in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement developer-focused…
- A reminder that what you say at events may show up in unexpected places (like the news)
  Last week I was fortunate enough to be invited to a Yahoo event discussing bug bounty programs where all the organizers of these bounties were discussing their experiences. I attended this conference because years earlier I was involved in creating PayPal's bug bounty program and wanted to ask a panel of people currently running a…
- Malicious CAs continue to cause headaches
  Google published today that yet another CA has been caught generating certs for Google's domains. This problem is likely occurring on a much larger scale and seems to be detected by chance. Some have suggested crawling the internet and starting a DB, and while this may detect some issues it's limited for the following reasons…
- WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
  The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used during source-code driven…
- Jacking out of the metaverse: Retaliating against cyberwar in the real world
  I've been chatting with some folks in infosec about the escalation of 'cyber attacks' sponsored by governments which target other governments and private corporations. There's uneasiness in the security industry about possible overreactions and restrictions of freedom as a result of this growing concern. This entry will attempt to break down some of these concerns,…
- Poll: How do you rank the importance of a vulnerability?
  I've added a new poll to the WASC LinkedIn group that a few of you may be interested in. Specifically, it asks how people rank the importance of vulnerabilities. Poll link: http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840
- Five pieces of advice for those new to the infosec industry
  I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc.) and thought I'd share a few points with those of you starting out in the security industry. Things are worse than you expect: the reality is that companies, even large ones, are…
- Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
  UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content, ensure you properly quote/reference them, and never represent this content as your own original work. Unfortunately it seems…
- Updating the WASC Threat Classification
  I've been pretty busy the past few months, which has resulted in zero site updates. The good news is I've kicked off the next phase of the WASC Threat Classification, and our first update is the completion of the TC's missing crypto section.
- Quick defcon/blackhat preparation list
  A couple of people had asked me what some things are that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best: "Just because you're paranoid, doesn't mean they're not after you." Here's a short list (albeit not complete as I don't plan to publish all…
- Summary of Google+ browser security protections
  Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+ and comparing them to Facebook's. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: https://www.barracudanetworks.com/blogs/labsblog?bid=1743
- Paper: Web Application Fingerprinting Methods/Techniques and Prevention
  Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wappalyzer. "This paper discusses a relatively nascent field of web application fingerprinting, how automated web application fingerprinting is performed in the current scenarios, what are the visible shortcomings in the…
- Oracle website vulnerable to SQL Injection
  Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all.
- WASC Announcement: ‘Static Analysis Tool Evaluation Criteria’ Call For Participants
  I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project, "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics, vendors, software developers…
- Results of internet SSL usage published by SSL Labs
  Ivan Ristic (of ModSecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse SSL in the wild, as well as to report on the usage of browser protections such as the Secure cookie flag and Strict-Transport-Security. Details can be…
- Another use of Clickjacking, Cookiejacking!
  Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell, it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below. The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx