Password Manager Advice
Apr 17, 2017
A developer at work asked a general question to the group: “I’m thinking about using either LastPass or 1Password, anything I should know?” As the team’s newest “Security Guy”, I answered with this brief response:
LastPass is easier to get started with as someone who’s never used a password manager before. Their product is seamlessly >integrated into browsers and mobile devices, although it’s not the prettiest. LastPass stores your encrypted password vault on their servers.
Developing an Application Security Program
Mar 21, 2017
Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program. This post will serve as my thoughts on setting up an AppSec Program.
Measuring current performance The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives used by 95 companies of varying size across six verticals.
Fix AWS SSL Certificate error in Burpsuite
Jan 11, 2017
This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since this article was published, Portswigger began bundling the JRE with Burpsuite itself.
Birthday - Asteroids
Oct 5, 2016
Recently, I celebrated a birthday. Typically, this is a joyous time, and I have many things to be grateful for. However, this birthday comes during a difficult year. As my wife and I were discussing this the other day, I realized that life can be a lot like the Atari game ‘Asteroids’.
You, as the ship, must be able to re-orient and overcome challenges (blast asteroids) frequently and rapidly.
Static Sites in 2016 - Updated
Oct 3, 2016
In a previous post I discussed the complicated process of configuring S3 to use Letsencrypt to obtain a TLS certificate. That post served as a reference for me to re-implement Letsencrypt every 90 days. Since then, my 90-day Letsencrypt certificate expired, and I was at a loss for how to re-instate it. Using my own post as a reference didn’t help me with the arcane letsencrypt errors I was encountering.
The Management Feedback Cycle
Apr 15, 2016
I planned a post covering the Manager Feedback Cycle, but this blog post at Effective Managers covers most of what I was going to communicate.
One thing I would add to this resource, is that both managers and subordinates should strike a balance in communications frequency:
If communications are infrequent, important details can get overlooked, and it becomes harder to resolve conflicts. If communications are too frequent, the subordinate will feel like they’re being micro-managed while the manager will feel like the subordinate can’t solve problems on their own.
Apple VS FBI
Mar 28, 2016
Apple gets a lot of flak in the InfoSec community, even though it’s an open secret that much of the InfoSec community has begun to use Apple products. I myself have been using a Mac laptop for the past ten years because they produced the first laptop I thought was worth spending money on. A lot of money.
I’m a fan of Apple for more than just their products, however. I admire their stance on social issues that I care about.
Static Sites in 2016
Mar 25, 2016
It’s early 2016, and there are a multitude of content management systems and blog platforms out there:
Wikipedia’s List of Content Management Systems The security blog I contribute to, Penetrate.IO runs on the venerable Wordpress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting.
Configure an Upstream Proxy for Burpsuite
Nov 5, 2015
I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps:
First, configure your upstream proxy that will sit between Burpsuite and the web application to listen on a different port since they both bind TCP 8080 by default.
Make a connection
Sep 18, 2015
This post was inspired by a client who came to me and said “I do not understand all of these findings, can you explain them to me?”, referring to my web application penetration test deliverable. We spoke for an hour, as I described the various findings to him. I corrected him when his understanding was shaky, and I confirmed where his understanding was solid. He had a development background, and was studying for a security certification, but he was managing a large security project for a well-known company and I was surprised to learn he was a security newbie.