Why You Should Be Looking for Zero Day Vulnerabilities During Pen Tests

Penetration testing is a creative endeavor: The goal is to find vulnerabilities an attacker would exploit, using the same tools and methods the attacker would use. Experienced attackers don't shy a...

Soft Token Cloning Attacks and Mitigations

Two-factor authentication (2FA) is a technology that authenticates users by means of two different factors. Soft token apps for Android and iOS are modern implementations of the second factor. Many...

Does Security by Obscurity Work?

No, it doesn't. This is what common security wisdom says and I belonged to that school of thought for most of my life as a security expert. That said, in the 2000s I did my fair share of malware analysi...

OWASP TOP 10 Data Call Submission

The OWASP community is in the process of finalising its effort to update the TOP 10 since its last publication in 2013. It's a perfect opportunity for us to contribute back to the community. We had...

3 Key Security Concepts From The State of DevOps Report 2016

Recently, the long-awaited fifth edition of the State of DevOps Report, the 2016 edition, was released by Puppet. More than 4,600 technical professionals completed the survey this year and the report offers a ...

Security and ATMs - Part 1: Software, Hardware and Attack Surface.

For the last eight years I have worked on various consumer banking ATM deployments for international banks in the Asia / Pacific region, including New Zealand, Singapore, Indonesia and Taiwan. This...

Security Features & Design (BSIMM6 Part 6)

"If I have seen further than others, it is by standing upon the shoulders of giants." - Isaac Newton TL;DR: The Security Features & Design practice is the second of three practices in the...

4 Common Mistakes Developers Make When Implementing Authentication and Session Management

Authentication, authorization and session management are obviously key elements in securing a web application. With proper planning, these areas are actually comparatively easy to get right - ideally,...

The OWASP MSTG: Towards a Standard Methodology for Mobile App Security Testing

The software security testing landscape has changed. A few years ago, we were testing web apps, web apps and... more web apps. Some of us already got a little bored with testing all those web apps....

Secure Coding 101: Remediating CSRF Vulnerabilities

Cross-Site Request Forgery (CSRF) attacks have been around for a long time, but even today some frameworks and web applications do not implement measures to mitigate this attack vector. From an att...
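The attack works because the browser attaches the victim's session cookie to a request no matter which page initiated it, so a state-changing handler that authenticates on the cookie alone can be driven from an attacker's site. The Python block below is an added example, not code from the original post or its framework: it shows such a handler next to a hardened version that applies the synchronizer-token pattern (a per-session random token echoed back in the form and compared in constant time) together with an Origin/Referer check. The in-memory session store, the `https://bank.example` origin and the sample requests are all constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected application
SESSIONS = {}                           # constructed in-memory session store: id -> data


def new_session(user: str) -> str:
    """Create a cookie-backed session with a per-session synchronizer token.
    The token is rendered into the HTML form as a hidden field; a page on another
    origin cannot read it because of the same-origin policy."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def _session_for(request: dict):
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def _request_origin(request: dict):
    """Origin header when the browser sent one, otherwise the origin part of Referer."""
    headers = request.get("headers", {})
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        u = urlparse(referer)
        return f"{u.scheme}://{u.netloc}"
    return None


def transfer_vulnerable(request: dict):
    """'Before': trusts the session cookie alone. The browser adds that cookie to a
    cross-site form POST, so a page under attacker control can trigger the transfer."""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


def transfer_hardened(request: dict):
    """'After': same handler with an Origin/Referer check and a constant-time
    synchronizer-token check; either failure rejects the request before any state change."""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    if _request_origin(request) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


# Constructed sample traffic. The forged request carries alice's cookie (the browser
# attaches it automatically) but neither her token nor a same-site Origin.
ALICE = new_session("alice")
LEGIT_REQUEST = {
    "cookies": {"session": ALICE},
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"to": "bob", "amount": "10", "csrf_token": SESSIONS[ALICE]["csrf_token"]},
}
FORGED_REQUEST = {
    "cookies": {"session": ALICE},
    "headers": {"Origin": "https://attacker.example"},
    "form": {"to": "mallory", "amount": "9999"},
}

if __name__ == "__main__":
    for name, handler in (("vulnerable", transfer_vulnerable), ("hardened", transfer_hardened)):
        print(name, "legit:", handler(LEGIT_REQUEST), "forged:", handler(FORGED_REQUEST))
```

The token check is the primary control; the Origin/Referer comparison is defence in depth for cases where a token is accidentally omitted from a form. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but it does not replace the token because older clients ignore the attribute.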