This is going to be painful, so hold on.
Instead of mumbling short tweets about things I think suck, I decided to
keep everything in and just formulate a post on it.
This post is a rant. It’s a complicated rant by an “old” guy (my excuse
for cynicism) in the industry who’s had a chance to see a lot going on.
Disclaimer: I’m going to give some examples here, real life examples from
my own experience in the security industry. Some are from my consulting days,
some from the vendor days, some from freelance and other gig days. If you
think you are someone who I’m describing here – you probably aren’t. On
the other hand, if you can recall some snotty smart-ass dude coming into your
company wearing orange bermuda pants (swear to god), sandals and (hold it)
silver toenail polish (I was going through something back then), telling you
how badly your security sucks and leaving...

Here’s a common question I get asked a lot: “What technology should I use
to secure my server/network/[some technology]?”
The question is usually presented by someone who’s in charge of
“Security” in an organization. Now, I wouldn’t have had a problem with
this if this was a technician, or a pen-tester of sorts, but I get really
nervous when the CISO/CIO/Security manager is the one asking.
I think that this question is highly inappropriate for two reasons:
You should not be looking for “technology”. Buying a product is not going
to make you more secure or less secure. You should n...

Long time no post. Sorry about that.
Anyway, as you can probably imagine, here’s another rant brewing. We have
been dealing with a barrage of mobile application security issues lately, and
although I had the feeling that there was a lot wrong with the industry back
then, I hadn’t realized it was that bad.
I mean – it’s supposedly almost the same developers, right? Some Java,
Objective-C, a little JS/JSON/GUI, the concepts are still the same. Oh, was
I wrong. When testing some of these applications, and looking at how they are
(much easier BTW than with ...

So you thought you had everything nailed down. You might have even gone past
the “best practice” (which would have driven you to compliance, and your
security to the gutter), and focused on protecting your assets by applying
the right …

This paper has been published in several security conferences during 2011,
and is now being made fully available (as well as a PDF version for

Penetration testing and red-team exercises have been running for years using
the same methodology and techniques. Nevertheless, modern attacks do not
conform to what the industry has been preparing for, and do not utilize the
same tools and techniques employed by such tests. This paper discusses the
different ways that attacks should be emulated, and focuses mainly on data
The ability to “break into” a...