Successful mitigation of today’s security threats requires an approach that is both on the offensive and on the defensive. Here, we give our take on how to approach and handle specific security challenges, as well as our reaction to some of the latest industry topics.
10.10.16
Can you believe it’s already October? We have to wait until the 31st to celebrate Halloween, but October 1st kicked off “National Cyber Security Awareness Month (NCSAM)”. National Cyber Security Alliance, in partnership with the Department of Homeland Security, runs this annual campaign in an effort to “engage and educate public and private sector partners… Read more »
05.27.16
PCI Scope reduction is a great way to make PCI compliance simpler and to reduce risk. Scope reduction reduces the attack surface area and the number of systems that must be maintained to the PCI standards…. “Less is more.” This blog post discusses web page redirects, which are an excellent method to get many systems… Read more »
04.25.16
As penetration testers, through the years, we have learned one indisputable fact: There is no such thing as a 100% secure network. Sure, we have encountered wide variances in the maturity level and effectiveness of information security programs of various organizations, but we have yet to encounter an organization that is impenetrable – not even… Read more »
03.28.16
Tokenization techniques are rapidly evolving to address PCI scope reduction efforts and securing cardholder data from breaches. PCI scope reduction is integral in simplifying PCI compliance and reducing risk overall in the environment. Scope reduction effectively minimizes attack surface area and limits the number of systems that must be assessed to the PCI standards. Regardless… Read more »
Almost two years ago, Royce Davis (@r3dy__) published an article about leveraging a Jenkins application, which contained no password, to successfully compromise a system on an organization’s internal network environment. This was accomplished by using a functionality within the application to execute operating system commands. You can find more information about this post here: https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/. To… Read more »
12.26.15
It is that time of the year again, when we force ourselves to stop for a moment and reflect on the events and technologies that we have encountered over the past year then adjust our service offerings to better meet the needs of our clients and the information security industry as a whole. In our… Read more »
12.05.15
Definitively Identifying Java Deserialization Vulnerabilities [Part 1 of this blog series can be found here: Deserialization Passive Detection] To help our customers and readers definitively identify Java Deserialization vulnerabilities, we have created an additional Burp Suite Extender called “SuperSerial-Active” to complement our previous release of “SuperSerial-Passive” (https://github.com/DirectDefense/SuperSerial). Unlike the previous extender, which only passively identifies potential instances… Read more »
11.09.15
Locating your Java Deserializaiton Issues [UPDATE: Part 2 of this blog series can be found here: Deserialization Active Identification] The weekend started off with a bang for some when Foxglove Security posted a blog pertaining to Java Deserialization issues. For application security folks, we just have to shake our heads once more. It comes as no surprise that… Read more »
12.22.14
As we wind down yet another year here at DirectDefense, we’d like to take a moment to reflect on the big stories and security themes of this year and provide some recommendations for the coming new year. If we can say one thing about the state of security this past year, it is that many organizations… Read more »
10.15.14
Boy what a year 2014 is turning out to be. First we had Heartbleed turn the Internet upside-down. Last month, we had Shellshock shock the industry. And now we have POODLE. POODLE, unlike Heartbleed and Shellshock, is going after clients and not servers this time. More specifically, POODLE is taking advantage of the fifteen year… Read more »
