tssci security

Archive for Work

What makes a solid security program?

In my most recent post, I identified the direction and state-of-the-art in application security. We all know of the importance of application security in today's environments. However, finding out where to fit application security policies and programs [...]

Writing a web services fuzzer in 5 minutes to SQL injection

This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn't have much time to do the test, so I had a couple of advantages, like having network access [...]

Decreasing Security for Perceived Security -- all in the name of compliance

Today I ran into a little setback for an issue I did not foresee. For the past several months, I've been on a PCI remediation project, of which one of my tasks was to implement a web application firewall to address PCI requirement 6.6. Now, for everyone [...]

Happy Two-Year Anniversary

Yesterday we celebrated tssci-security.com's two-year anniversary. I started this site on August 23rd, 2006 during my first internship, and oh my, how the time flew by. A lot of good things have come my way -- most as a direct result of this blog. The [...]

Web application firewalls: A slight change of heart

We've been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, are against us, or are just tired from it all by now. This post is about to change all that, and show [...]


We all know about the CISSP. You've heard the whispered hallway conversations. You've seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached [...]

Lucky for NSM -- Extracting files from TFTP packets in Wireshark

So the other day I get a call from the forensics team at work asking for help with some packet analysis. A client's users had reported phishing activity, so they decided to run a full-content capture using Wireshark on the external and internal network [...]

Qualities of good pen-testers

Taking care of business: Before I get into this post, I wanted to give you some updates on progress of other projects here at TS/SCI Security. First off, I've been working on the OWASP Evaluation and Certification Criteria Project and hope to announce [...]

Collaborative systems and Ajax/RIA security

Office collaboration services look like 1985: Microsoft Outlook and Exchange server have been the staple for office collaboration for over 10 years, with a model that has been around since Novell and Lotus in the mid-80's. Collaboration services are [...]

Building a security plan

An audit framework for evaluating structured security program frameworks: How many readers implemented a new security plan for 2006 or 2007? How many had clients that implemented a new security program? Which frameworks were involved? Possible frameworks [...]

Wikis at work

I love wikis. I've been working on a security portal at work and it just got so much better with the addition of embedded RSS feeds. With this extension, I've embedded the Security Whitelist and Aggregated Vendor and Security News Sites pipes on the [...]

Scan hostnames efficiently with Nmap

So your DNS team sends you the company's entire domain name inventory in a CSV (comma-separated values) file. You're tasked with port scanning those hosts, to perform a network inventory, discover rogue services and other policy violations. It's simple [...]

Got pwned today

Several people in the corporate IT security group where I'm interning this summer have been working hard on creating a program to educate users on the company's acceptable use policies and some basic security awareness. They've done a great job and the [...]

What makes a security project fail?

I started working on a project that has, no doubt, been done before. It's something no one has publicly posted information on and it's not new -- something everybody wants yet every vendor says is impossible. The problem with this project is it can't be [...]

Vulnerabilities of low probability bring about devastating impact

(Continued from Consumerization of IT and state of the security industry and a reply to Low probability but a devastating impact.) After lunch, we broke up into several groups and I headed to the discussion on "next generation threat analysis," which [...]

Consumerization of IT and state of the security industry

Yesterday was a bit of a surprise for me; I met someone I never would have expected to meet and be an actual co-worker too. There were several talks today, focusing on the "consumerization" of IT, the state of the security industry from a Wall Street [...]

Low probability but a devastating impact

I've been too busy to blog this week and haven't had any ideas for any new topics. Tomorrow (Wednesday and Thursday) I'll be attending my company's internal security "conference" to discuss the issues and projects IT Security faces. I'm interning at this [...]

20 years old and [in] security (part 1)

A thread that has gotten some attention and even sparked some bloggers to tag each other with their own stories, I thought I'd post my own "how I got started." I'm twenty years old and my area of study since I graduated high school has been network [...]

Security Internships

In a month, I begin a new internship for a Fortune 100 company. Having already spoken with a member of the security team, I can expect to be placed in one of four areas in IT security, including web application security and forensics/incident response. I [...]