Optiv Blog

Quick Tips for Building an Effective AppSec Program – Part 2

· By Shawn Asmus ·

In my last blog post, I talked about what an application security (AppSec) program is and how an organization would go about building a formal program to secure their internally-developed applications, as well as third-party applications they have or will be deploying. I touched on the importance of creating an application catalog, aligning with one of several industry AppSec frameworks, and having a solid understanding of your application architecture, that, together, can form the necessary foundation for a formal program.


Thoughts on Breach of Trust vs. a Breach of Security

· By Peter Gregory, James Robinson ·

General thought: A breach of trust is different from a breach of security. Trust and security, while related, are very different from each other. In recent years, we have seen information security continue to be defined by strong frameworks, guidelines, and support from regulators to security offices, while the concept of "trust" has only just begun to emerge, with Offices of Trust being established in companies under the role of Chief Trust Officer.


Five Application Security Best Practices for Serverless Applications

· By Kat Cummings ·

Serverless architecture enables applications to be developed and deployed without managing the underlying host or operating system. Instead of a traditional host, serverless applications run on abstract serverless platforms that are managed by cloud providers. This architecture offers advantages over other architectures, such as scalability, but it also carries its own unique security risks. The following best practices will help ensure these applications are properly secured.


Customization of IAM Solutions: Risks of Having it Your Way

· By Dusty Anderson ·

Forty years ago Burger King launched a revolution in customization, declaring that it could give you the power to create your perfect burger combo: made to order, fresh, fast and at no extra cost. The slogan "Have it Your Way" (since replaced by "Be Your Way") has done more than shape our drive-thru satisfaction; it has become a way of applying customization to anything and everything.


Testing Password Reset Token Predictability with the Reset-A-Tron Burp Extension

· By Optiv AppSec Team ·

Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the associated account email address. Usually these emails contain a link with a random-looking token that, once clicked, results in the user being able to proceed with the recovery process. It is important to test the randomness of these reset tokens to ensure that attackers cannot forge their own and take over accounts they do not own.


Observations on Smoke Tests – Part 2

· By Raina Chen ·

There are a variety of scanning tools in the market today, from commercial to open source. Some are intended only for identifying a particular vulnerability or class of vulnerabilities, such as weak encryption settings for SSL/TLS. Other scanners are designed for comprehensive, deep-dive web application assessments or for ongoing application vulnerability management. Most commercial application scanners can be divided into two categories according to the environment from which they execute: cloud-based and desktop-based. Both have pros and cons.


Quick Tips for Building an Effective AppSec Program – Part 1

· By Shawn Asmus ·

An application security (AppSec) program can be defined as the set of risk mitigating controls and business functions that support the discovery, remediation and prevention of application vulnerabilities. Controls take the form of written policies, procedures, guidelines and standards for ensuring secure development practices, along with technology and operational processes that implement them. Focus is typically on internal software development capabilities, but may also encompass applications developed by external third parties and those from commercial vendors.


The Business Trusts the Third Party – Should You?

· By James Robinson, Jeff Wichman ·

In this day and age we are faced with some hard facts within information security. One of those facts is that breaches are imminent and we must be prepared. Watching events unfold around them, organizations have taken to heart that breaches and incidents are a top priority, not only to prevent but also to have a plan ready to respond to if they are impacted. As a result, an increased number of organizations have invested in incident response (IR) tools, processes and skilled resources, as well as retainer and managed services. However, we still find there is progress to be made.


Escape and Evasion Egressing Restricted Networks – Part 2

· By Mike Hodges, Jason Doelger, Curtis Fechner, Brian Payne ·

Attackers and security assessors alike are utilizing a technique called domain fronting, which masks malicious command and control (C2) traffic. This blog post revisits this type of evasive offensive cyber operation, which we first covered in a previous post. In this follow-up, we will discuss and demonstrate a nuance of domain fronting that establishes C2 channels directly to inbox.google.com as well as other *.google.com applications, with the C2 channel encrypted under the legitimate Google SSL certificate for that application. We'll further share some detection techniques that can be employed in an effort to identify this type of malicious traffic.


Mobile App Testing With Automation Trickery in Frida

· By John Labelle ·

When you spend a lot of time doing security testing on mobile apps like I do, you begin to worry that a large part of your life will be spent rebooting mobile apps that have stopped responding. Frida is a powerful testing tool and I love using it, but something I have had to come to terms with is: Stomping your way through an application's runtime is occasionally going to provoke its ire. And programming defensively is one thing, but I can't exactly blame a developer for not thinking, "How do I handle it if every parameter in this function is passed a null reference, instead of the data I painstakingly parsed from the server?"
