Why I didn't budget for a penetration test in 2024

BLUF: Competing priorities, cost-consciousness, and lower-hanging security fruit were the reasons penetration testing didn’t make it into my AOP this year. I’m not in a highly regulated environment, though, so if regular penetration testing is a requirement, then your options are limited, but here are some things to consider. Analysis: Each offensive security consultancy and penetration tester has their own methodology. Penetration testing isn’t guaranteed to find your most prevalent vulnerability, nor your most difficult, movie-plot security threat....

May 21, 2024 · 3 min · 570 words · Chris

The XZ Utils Vulnerability

CVE-2024-3094 highlights the strengths and weaknesses of Open Source.

April 2, 2024 · 2 min · 365 words · Chris

Add MFA to Fedora with YubiKey

Add MFA to sudo and GNOME in Fedora using a YubiKey and authselect

May 3, 2021 · 3 min · Chris

Grabbag

RMS, Dan Kaminsky, FLoCS, Fedora

May 1, 2021 · 3 min · Chris

Use AWS Config To Hunt Public S3 Buckets

This post covers using AWS Config as a starting point to find public S3 buckets in your organization.

November 2, 2020 · 2 min · Chris

Set Security Headers using Cloudflare Workers

This article covers previous work and introduces a warning

October 9, 2020 · 2 min · Chris

AWS S3, CloudFront, Cloudflare, HTTPS

This post covers increasing security for a static site hosted on S3 using CloudFront and Cloudflare

October 2, 2020 · 2 min · Chris

Find Resources With AWS Config

Use AWS Config to locate AWS resources

August 12, 2020 · 3 min · Chris

How to Securely Configure CloudFlare with S3

This post covers how to secure an S3 bucket serving content through Cloudflare

April 17, 2020 · 4 min · Chris

Site Update: Cloudflare

This site now uses Cloudflare

April 16, 2020 · 2 min · Chris

AWS Cloudwatch

AWS CloudWatch enables monitoring and alerting on cloud events.

April 3, 2020 · 4 min · Chris

AWS Security Hub

AWS Security Hub eases the pain of cloud monitoring

February 21, 2020 · 4 min · Chris

Protect AWS API Gateway with AWS WAF

Help protect APIGW from attackers with AWS WAF

January 31, 2020 · 5 min · Chris

AWS CloudTrail

AWS CloudTrail is the cornerstone of cloud SecOps

January 30, 2020 · 3 min · Chris

Public Bug Bounty Rules of Engagement

I share my experience and lessons learned from operating a public bug bounty.

April 9, 2019 · 2 min · Chris

Extract files from network capture

Extract files from tcpdump or wireshark captures

January 24, 2019 · 2 min · Chris

Decrypting Java TLS to View in Wireshark

Use this to recover TLS session keys for a java program.

October 26, 2018 · 1 min · Chris

Mallory in the Mobile

Use the Mallory proxy to view non-HTTPS encrypted mobile traffic

October 15, 2018 · 8 min · Chris

The new face of the security team DoS

Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article. There’s an emerging trend I’m noticing - I’ve been receiving more messages like the following: “Hey , I found Security Vulnerability in your web application ,which can damage site as well as users too.For security purpose can we report vulnerability here,then will i get bounty bounty reward in PayPal or Bitcoin for Security bug ?”...

September 14, 2018 · 2 min · Chris

My Security 101 - 2018 update

In a post from 2015, I wrote about some of the “Security 101” issues I considered to be fundamental. Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links) I would like to add the following new items to my “Security 101”:...

August 2, 2018 · 2 min · Chris