Archive for Defense

Day 12: ITSM Vulnerability Assessment techniques

Lesson 12: Yesterday, I shamelessly recommended ditching all commercial networking gear. In the same breath, I also made several Cisco configuration recommendations. This is just the way that I work. The idea is that network appliances increase risk, but at the same time — they also allow you to connect to […]

Day 11: ITSM Vulnerability Assessment techniques

Lesson 11: Welcome back! I know that the last few weeks have been a lull, and even before ShmooCon there wasn’t a lot going on our security blog. However, you’re in for a real treat since I’m back with the daily ITSM Vulnerability Assessment techniques!
It’s no longer Spring break (well it is Spring […]

Short-term defenses for web applications

Before Mike Rothman posted something about the WhiteHatSec and F5 announcement, I really wasn’t going to say anything negative or positive. Integrating web application security scanners with web application firewalls at first seems like a good idea. However, it appears that most people forgot about the issues with WAFs: they only prevent very few kinds […]

Day 10: ITSM Vulnerability Assessment techniques

Lesson 10: You could say I’m a little late on posting something. However, we’ve been up to a lot of great research, hopefully much of which we’ll publish here over the next few weeks.
We had a few posts lately, some of them with a change of heart. The latest must-read from the blog world […]

Day 9: ITSM Vulnerability Assessment techniques

Lesson 9: Yesterday was a bit of a whirlwind, discussing BGP, Whois/RWhois, and the DOM all in one big post. I’ll try to keep it short and sweet today.
Arshan Dabirsiaghi (leader of the OWASP Anti-Samy Project) commented on yesterday’s post regarding how web application security scanners are immature. He thinks they are immature because of […]