4 reasons why developers don’t read secure programming guides

posted on Jan 26, 2015 by Rohit Sethi

At Security Compass, we had the experience of building secure programming guideline documents for a number of clients. Unfortunately, we found that in many cases the documents became shelfware and were rarely read by developers. If you’re a security Subject Matter Expert (SME) who has built a secure programming guide, there’s a good chance you’ve experienced…

Getting Things Done for Geeks

posted on Jan 15, 2015 by Rohit Sethi

I wrote this post for our internal team and some of my colleagues suggested that it might be useful to others. It’s a bit of a departure from our normal appsec posts. Let us know if you find it useful! Background New employees at Security Compass often feel overwhelmed by the sheer number of things…

The Escape

posted on Dec 15, 2014 by Geoffrey Vaughan

The hacker mindset is one of curiosity and intrigue into how systems and various things work. We try to understand how a particular system works and then look for ways that it could be manipulated, repurposed, improved, or exploited. This curiosity is not limited to computer systems but encompasses all things we may have the…

Women in Tech: Sintia Maria Sanches

posted on Dec 8, 2014 by Niyosha Freydooni

These blogs are about remarkable employees that contribute to Security Compass’s culture in more ways than one. I will be writing about another fabulous, hard-working woman in tech. This second edition will focus on a member who helps keep the work environment enjoyable and routinely safe; she is technically a computer genius. Meet Sintia Maria Sanches…

The more the merrier, right?

posted on Dec 4, 2014 by Michael Bennett

Our society has been raised to believe that more is always better. That holds especially true when it comes to tech devices. Everyone wants more devices capable of doing more things and offering more control and of course everything needs to be more connected. But what if there aren’t appropriate security protocols to handle the…

Implications of Internet of Things

posted on Nov 19, 2014 by Michael Bennett

The Internet of Things (IoT) is a rapidly growing phenomenon where device makers are building Internet connectivity into every device they produce. The ability to connect to the Internet brings with it the potential of connecting and using your device in new and exciting ways. Devices can gain access to a wealth of information available…

Pwning Networks Through Vulnerable Applications

posted on Nov 11, 2014 by saurabh

If you are a pentester, you would agree that one of the most common ways of compromising a network is through vulnerable 3rd-party applications. I am talking about Apache Tomcat, JBoss jmx-console, Hudson-Jenkins and such. I do a lot of internal network pentests and it seldom (more like, never) happens that I do not find…

Whiteboard Wednesday: Using Mimikatz From a JSP shell

posted on Oct 22, 2014 by stephen

A while back I was messing around with Tomcat, and it got me thinking: when I come across Tomcat during assessments, it is normally running as SYSTEM or some kind of admin account. Sometimes I don’t want to/can’t use Metasploit and I just have the web shell. I could create a user and log in…

Firewall, Router and Switch Configuration Review

posted on Sep 23, 2014 by ted

The presentation provides a topical overview of the areas to be looked at when conducting a Firewall, Router, or Switch configuration review. This presentation is based on a slide deck I prepared for an internal Learning & Growth session in March of 2014. More detailed material is available from the “References” slide.

Digging and Clicking: How I Learned Lock Picking

posted on Aug 25, 2014 by Niyosha Freydooni

I arrived at work on Monday August 11, 2014 tired from the weekend, a morning I was anything but excited for. Little did I know that within minutes I would be awakened with power. The Hack We had started setting up the Battle School hacking booth at the office the week before. As I approached…