Collaborate Disseminate
In my server logs, I invariably come across entries such as these
198.235.24.43 – – [`timestamp` +0000] "GET / HTTP/1.1" 200 10940 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space m… Continue reading Should I allow security firms to perform unauthorized vulnerability scans? [closed]
Scenario:
There is a network infrastructure with IT and OT subnets and DMZ. I can only place 2 scanners in the whole infrastructure. Are there any recommendations or best practices for how to plan the scanner placement? (maybe guides/books… Continue reading Network vulnerability scanner optimal positioning in network
In an environment where some computers can’t be updated due to legacy software (think air traffic control) an automated vulnerability scanner finds an old machine with an obsolete OS.
The sheer presence of the old OS is listed by the vulne… Continue reading How do I secure a host with an old OS without upgrading?
I have a website that is not using Wordpress, and which is on a shared hosting running Apache.
The .htaccess file already has already has around 300 rules, denying IP and unwanted user agents, but there is still place for optimization.
I h… Continue reading Blocking vulnerability sniffers on shared hosting through .htaccess file
I am reasoning about how to form a policy on CVEs found in software components that do not come from the software itself, but comes in a built-in dependency of that software.
Take the example of a software component built on Java maintaine… Continue reading How to reason about CVEs packaged in other open source software
We use latest ose-cli from RedHat official repository, which claims there are no security issues and rating is "A: This image does not contain known unapplied security advisories.":
https://catalog.redhat.com/software/containers/… Continue reading Which vulnerability scanner is correct?
I’m doing a CASA Tier 2 security self-assessment for an app as required by Google, since the app requests permission from users to access sensitive data from their Google account via OAuth. I’m using the Fluid Attacks standalone scanning t… Continue reading Fluid Attacks SATS Scan Taking a Very Long Time
Is there an nmap vulnerability scanning script (vuln, vulscan, nmap-vulners etc) for scanning target Android devices on the network?
If not, is there any specific scanning tool that scans for CVE on target Android devices?
Continue reading Vulnerability scanning on target Android device
Scanning all of spidered URLs with a tool such as OWASP Zap can be computationally expensive on large apps. Have there been any studies on the adequate number of URLs (just the unique resources) to scan to have, let’s say, 95% confidence l… Continue reading Web app vulnerability scanning: how many URLs to check?
OWASP ZAP is used to scan vulnerability on web application but its site says " Because this is a simulation that acts like a real attack, actual damage can be done to a site’s functionality, data, etc."
So why would someone use i… Continue reading Why use OWASP ZAP when it could damage the web application?