How is Insufficient Attack Protection a Definite Threat/Risk to an Organization?

Recently, as of April 2017, OWASP introduced two new categories to its OWASP Top 10:

  1. Insufficient Attack Protection
  2. Unprotected APIs

I understand that Unprotected APIs does pose an immediate risk, since it provides a huge attack surface along with possibilities of data leakage; however, I fail to understand how Insufficient Attack Protection is any threat or risk as a category.

To sharpen my focus, I would summarize, quoting from scamdemy:

Insufficient Attack Protection refers to the inability to detect, prevent and respond to various kinds of attacks against the application as a whole. This – due to the large number of unaudited third-party components that may contain critical vulnerabilities – necessitates the use of generic security tools such as intrusion detection systems (IDS), and web application firewalls (WAF) that can identify an ongoing attack such as SQL injection. It focuses on the consequences instead of the root causes of the weaknesses.

Does this imply that having a WAF set up is directly connected to having a large attack surface area without the presence of firewalls? If the absence of a component is an immediate reason for a category on the OWASP Top 10, I am not sure how others aren't affected by the same.

e.g. by not having a WAF, certain levels of injection(s) will be evident, given that there is a flaw in the application code.

Do I presume that this is a move for the security audit team to market their firewall products, using the OWASP Top 10 as a reference? Or was it really necessary technically?

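The quoted definition ("detect, prevent and respond to various kinds of attacks against the application as a whole") is easiest to judge with a concrete detect/respond loop in front of you. The following is an added example, not code from the question, from scamdemy or from OWASP: a minimal application-side attack-protection layer that replays constructed access-log lines (the IPs, paths and payloads are made up for this illustration) through a set of SQL injection signatures, counts attempts per source, and cuts a source off once it crosses a threshold. The signature list and the threshold of 3 are illustrative assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (source IP, method, request target).
# Not taken from any real system; the attacker lines are typical SQLi probes.
SAMPLE_LOG = """\
10.0.0.5 GET /search?q=laptops
10.0.0.5 GET /search?q=laptops+under+500
198.51.100.7 GET /search?q=%27+OR+1%3D1--
198.51.100.7 GET /item?id=1+UNION+SELECT+username%2Cpassword+FROM+users--
198.51.100.7 GET /item?id=1%27+AND+SLEEP%285%29--
198.51.100.7 GET /search?q=%27%3B+DROP+TABLE+users--
203.0.113.9 GET /item?id=42
"""

# Illustrative signatures for an in-progress SQL injection probe, matched
# against *decoded* parameter values. They detect attack attempts; they do
# not remove the injection flaw in the application code (the root cause).
SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),  # ' OR 1=1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),    # UNION SELECT
    re.compile(r"\bsleep\s*\(", re.I),                    # time-based blind
    re.compile(r";\s*drop\s+table\b", re.I),              # stacked query
]


def decoded_params(request_target):
    """Return the percent-decoded query-string values of a request target."""
    query = urlsplit(request_target).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]


def looks_like_sqli(request_target):
    """True if any decoded parameter value matches a SQLi signature."""
    return any(sig.search(value)
               for value in decoded_params(request_target)
               for sig in SQLI_SIGNATURES)


def protect(log_text, block_after=3):
    """Replay log lines through a detect / respond policy.

    Returns one (source_ip, verdict) per line, where verdict is:
      'allow'    - nothing suspicious, request served
      'detected' - attempt logged, request still served
      'blocked'  - source reached block_after attempts, request refused
    """
    detections = Counter()
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, target = line.split()
        if detections[ip] >= block_after:
            verdicts.append((ip, "blocked"))  # respond: source already cut off
            continue
        if looks_like_sqli(target):
            detections[ip] += 1               # detect: count the attempt
            verdict = "blocked" if detections[ip] >= block_after else "detected"
        else:
            verdict = "allow"
        verdicts.append((ip, verdict))
    return verdicts


def blocked_sources(verdicts):
    """Sorted list of source IPs that were refused at least once."""
    return sorted({ip for ip, verdict in verdicts if verdict == "blocked"})


if __name__ == "__main__":
    results = protect(SAMPLE_LOG)
    for ip, verdict in results:
        print(f"{ip:14} {verdict}")
    print("blocked:", blocked_sources(results))
```

Run against the constructed log, the two legitimate sources are allowed throughout, while 198.51.100.7 is logged on its first two probes and refused from the third onward. That is the whole of what the category asks for: the application notices it is under attack and changes its behaviour. It says nothing about whether the `id` parameter is actually injectable, which is the separate Injection finding; the first layer buys time and visibility, the second removes the flaw.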

Need Secure Architectural Advice related to New Set-up over an Existing Question/Answer Forum

One of our infrastructure leads had decided to re-frame the whole question/answer forum to be open to the public so that they could interact with public opinions as well. This is a finance stock market answering/questioning system m…

What does the NSA’s Recently Leaked "The Equation Group" Files do?

First Hand Details
TEG (The Equation Group) is NSA’s team of hackers who’d write code to exploit systems worldwide. Some of the private files were recently dropped by a group called Shadow Brokers and they’ve auctioned it in exchange for B…