Pick awesome over boredom: why training quality matters

posted on Mar 31, 2013 by Oliver Ng

Whether you are looking to train staff on OWASP topics or on general security awareness, at some point you will need to decide what kind of computer-based training product to purchase. When developing vendor criteria, it may seem sensible to buy the training with the most content, but let me tell you…

Your Guide to the HP Cyber Risk Report

posted on Mar 28, 2013 by Geoffrey Vaughan

This year at the RSA Conference, HP officially released its annual Cyber Risk Report. It is one of many industry reports that individuals and companies concerned about security should pay attention to. By following these trends, your company will be better able to secure its IT assets and allocate IT…

Avoiding a checklist approach to PCI compliance training

posted on Mar 25, 2013 by Oliver Ng

It is easy to be skeptical about PCI compliance and its requirement to deploy training simply to satisfy a checklist item. The idea that a checklist approach cannot help with security is not new. But I would like to propose that if we have an opportunity to educate teams about security through an audit,…

Be a part of our social community

posted on Mar 22, 2013 by Oliver Ng

We love meeting up with security people in the local Toronto community, but there is a big world out there! So we are going a bit more social this year. Follow us, link to us, share your interesting security stories with us, and stay tuned for more tools and resources for the community. Twitter Google+

SC with major contributions to HP Cyber Risk Report 2012

posted on Mar 18, 2013 by Oliver Ng

We work on security assessments daily and see common trends on every engagement. Recognizing these trends helps us stay at the leading edge of security assessment and gives us the insight to give back to the community, including our research on mobile tools (ExploitMe Mobile) and NFC. I am extremely pleased to say that this year,…

Exploiting and Defending Mobile Training @CanSecWest

posted on Feb 4, 2013 by saurabh

Hello everyone, we are pleased to announce that we will be presenting our “Exploiting and Defending Mobile” training course @CanSecWest. The two-day course offers insight into the world of mobile hacking and is designed to balance theoretical knowledge with practical experience.…

Assessment Controls in HITRUST CSF

posted on Jan 25, 2013 by Nima Dezhkam

By Nish Bhalla and Nima Dezhkam. Industry and regulators have put together many frameworks to help organizations secure their environments. The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the…

What We Learned from 2012 Password Hacks

posted on Sep 20, 2012 by Nima Dezhkam

By Ehsan Foroughi and Nima Dezhkam. In the past few months we have seen frequent news headlines about password breaches at major websites such as LinkedIn, Yahoo! Voices, Dropbox, Gamigo, and Phandroid, an Android forum. The list does not stop there. These incidents motivated us to perform some high-level analysis of the leaked data, review…

The Operational Reality of Opt-In Security Controls

posted on Jul 11, 2012 by Paul O'Grady

TL;DR: We thought we had found arbitrary command execution due to an absence of class whitelisting. What we actually found was several un-hardened Hudson deployments. Hudson/Jenkins CI instances are deployed insecure by default, with hardening left as an opt-in step. The operational reality of opt-in hardening is that it does not happen nearly as often as it should. In broad and liberally scoped…