WAFalyzer
WAFalyzer is a small Python script I wrote due to the need of analysing requests captured by an F5 BIG-IP Web Application Firewall. This analysis was more related to traffic than to security, but I thought it would be...
Amazon Alexa is a really cool device. I use it for the following tasks: First of all for listening to music. Remembering the days of last.fm, Alexa is perfect for listening to music by artist or genre while cooking, cleaning...
Kali Linux has been my go-to Linux distribution for penetration testing. Normally I use it as a virtual machine on my laptop. However, there are a few situations where you need such a distro on something smaller. Here’s where...
Recently I stumbled upon a paper by John Scott-Railton from Citizen Lab in which he discusses a study conducted by him with the help of the University of Toronto focussing on the security of high-risk users. To be honest...
Too much SOAP will not clean but kill you - no, seriously, within the last months I did way too many pentests of SOAP web services. It is nothing new and SOAP services have been around for quite some years...
Docker containers are an easy and in many cases more secure approach to establishing a flexible and even agile production environment. The community around these products now starts to solve an old problem of every production installation of any software....
The last post described some overall aspects of Docker security. Today I would like to dive a little bit deeper and discuss a few additional technical aspects. As mentioned in the previous post, Docker is based on shared resources, especially...
Containerizing your applications has many advantages. Not only can you achieve a higher degree of separation, you also simplify updates and upgrades and gain a lot of stability for your environment. On the other hand, using containers comes with its...
Feeding The Phish - Part III - it’s all about communication. Yeah, really? I chose to close the series on phishing with this topic because it is the most complicated and a non-technical one. A few things came to mind...
Hey! Welcome to part II of “Feeding The Phish”. Now your emails are arriving in the victims’ inbox? Great! People will be coming back to you and giving you feedback - even if you have not asked for it. Honestly,...
Feeding The Phish? Have you ever conducted a phishing campaign at your company or workplace? It is an interesting exercise. After a few campaigns I decided to reflect on them and share what went well and what went wrong. First...
As we packed our things for a beach holiday, I was looking for something to shield my laptop and smartphone from the wireless access we booked together with our cottage at the sea. It should be small, fast and...
How not to pay for your data? Seriously? What is that about? Crypto ransomware has been on the rise for quite a while and it is getting better and more aggressive every day. Not only individuals, but police stations and smaller...
The Flintstones always remind me that you can find some very old framework in nearly every application. A couple of times I stumbled on Velocity during penetration tests and so I thought about blowing off the dust from this “stone...
Have you ever done code review and regretted that you have no tool like HP’s Fortify? Well, there are alternatives, but at the end of the day - Fortify is the way to go. Luckily IntelliJ produces its IDE called...
Code review is often called boring and for losers. However, depending on how you do it - you may save time and energy, which means more money for less work. Here is how to do it without kicking off a...
Have you been using ZAP - OWASP’s ZAProxy? It is an intercepting proxy combined with a fuzzer, a vuln-scanner and many other features that come in very handy when you are into analysing and testing web, mobile or any other...
Automating web application scans - why? Simply to improve the quality of your product and catch vulnerabilities as early as possible. There are several tools to do it. You may either use ZAP, Burp, Nikto or similar suspects. Within this...
The Battle of Machines, or how to bring automated pentesting into your development life cycle - this is what I will talk about today. But what drives someone to such an idea? There are a few factors. On the one...
Have you seen Bruce Schneier’s post in January this year about deanonymizing programmers by their style of writing code? Within this post he talks about two papers which show approaches to tell apart 20 programmers with an accuracy of...
Web sites are everywhere and get pwned within seconds. HTTP headers will not protect you against rudimentary flaws within the code of your site. However, they serve two purposes. They add an extra level of security to your site on...
The OAuth protocol has been around now for some time. It gets heavily deployed within mobile apps and web applications that “mash up” other services. REST-based web services also rely on it. To summarize it at a high level....
A secure development life cycle has been a well-known term for quite a while. Despite the fact that not every software company has deployed such an approach, there is no single ‘secure development life cycle’. Many variations exist, ranging...
One-time passwords are mainly based on two triggers - either time or a counter of events. Combined with a pre-shared secret you can build an OTP generator like Google Authenticator. Both ways (time or counter) you do not have any context...
The financial industry has long learned a lesson I miss when we talk about IT and information security. In IT security we spend a lot of time and effort to detect a possible breach as well as to harden our systems. However...
CVSS as a vulnerability rating score has been around for some time now. Currently it is in version 2 and version 3 is reaching the final reviews. Therefore I will focus on version 3. CVSS provides you with three different...
Based on the research paper by Sooel Son and Vitaly Shmatikov from the University of Texas at Austin, or this slightly older one from Stanford, I started playing with iframes and the HTML5 postMessage function. What is postMessage actually...
Phishing is a social engineering attack targeting everyone. Clearly the border between spam and phishing is vanishing. So what are we left with? Emails with malicious links and/or attachments, both trying to make you hand over credentials and install...
What is privacy and where does our need for it come from? To answer that question we need to go way back in history. In medieval times there was no privacy for you unless...
Multi-Factor Authentication (MFA) has become popular during the last months even in the non-tech-savvy user base. On the one hand this is due to an increase in media attention: reports on bad passwords leading to breaches as well...
How do you measure security? What are the indicators which tell you how secure you really are? These two questions bother nearly every security professional, especially when he needs to talk to higher management to explain the situation and his...
How do you handle security-related issues as a release manager? What if you’re in an agile world as a product owner? What options for releasing software do we have? You release minor increments on a frequent...
In the previous post I argued why a Secure Development Life Cycle (SDL) is important. Besides, a few ideas were pointed out on how to start with the team - the most important asset you have in your company.
What is a Secure Development Life Cycle? What are we talking about here? Basically it’s changing the way you develop your product in a way that avoids security holes in every step: from the conceptual to the design phase and...
Many projects suffer from the lack of tooling to keep track of findings from penetration tests. Also, pentesters like to deliver their reports in a fashion incompatible with tracking tools. Where do we end up with this?...
Frequently I get asked about the security considerations regarding iframes - so I decided to write up my opinion on them. When you search for “iframe” and “security” you’ll find quite a lot of links dealing with possible usage of...
Secure data storage on mobile devices is the most common threat today. This problem is not limited to iOS. It affects Android as well. Considering jail-broken devices it becomes even more evident that the developer should take good care in...