Collaborate Disseminate
When arranging a pen test it’s common practice to ask the client a set of questions, and use the answers either as the basis for further discussions, or to directly provide a test plan and quotation.
For a mobile app specifically, what que… Continue reading What questions are useful to scope a mobile app pen test?
The OWASP IoT top 10 and the ASVS appendix C warn to protect against firmware rollbacks:
C.22 – Verify that the device cannot be downgraded to old versions (anti-rollback) of valid firmware.
What is the purpose of this? In what scenario … Continue reading What is the purpose of anti-rollback protection in IoT devices?
I am currently researching threat modeling for container security, I am wondering which methods are the best for container security. Till now I got the conclusion that STRIDE is most used and it is used as well for container security becau… Continue reading What is / are the best threat modeling method(s) for container security?
The number of ways to exfiltrate data from an organization from an insider threat perspective is only limited by the imagination. Can detection teams reliably be alerted of the more unorthodox, alternate vectors ?
Continue reading feasibility of blue teams detecting insider threat data exfiltration
To sum up the methodology of ethical hacking, what you do is :
Information gathering (gets the IP, domains, etc…)
Fingerprint the IP (what OS, what services are running, etc…)
Vulnerability assessment (are any services or vulnerable … Continue reading IT security audit : is threat modelling key to reproducible success of just following a methodology (ex : ethical hacking)
My mother’s neighbor installed a strange-looking device. They don’t get along well, so she can’t just ask what it is.
What is it? Could it be a camera with microphone?
Continue reading Identify the device at the neighbor’s window [closed]
I am trying to understand threat modeling but it seems too elasti from restrictive requirements to general requirements.
Now i am trying to understand it with some realistic examples. The first example which comes to my mind is physical … Continue reading Threat modeling for visitor access control
OWASP Threat Dragon!
Big News in the Threat Modeling racket: OWASP has released version 1.0 of it’s highly awaited threat modeling platform as a free, open source and cross-platform tool. Monikered OWASP Threat Dragon, installers have been built, the … Continue reading Threat Modeling Application Released By OWASP: Threat Dragon 1.0
I asked a question on what I need to do to make my application secure, when somebody told me:
That depends on your threat model.
What is a threat model? How do I make a threat model for my application?
Continue reading What is a threat model, and how do I make one?
I’ve been using a well-known password manager to create several identities for use on each web service I sign up to.
I had the idea of creating 3+ email addresses with strong passwords consisting of 40+ random characters and signing up on… Continue reading Are password managers the best way to achieve identity compartmentalization online?