How sensitive data leaks out...
I am surprised by the ways sensitive data can leak out. Belarc Advisor is a system-information collection program for Windows. Even a program as innocuous as that can leak a lot of information. Search for “Windows XP Professional” “Belarc Advisor Current Profile” key: in Google and you will be surprised!
Sunday cartoon - Infosec is hype
Information security is overrated. ;)
How to train large teams in application security
We’re often asked how large software companies can train their developers and testers in application security.
We find a two-step approach yields the best results if your team is too large to train everybody on security:
- A basic Security Awareness Workshop for the entire development team
- An advanced Security Boot Camp for a smaller team
The awareness workshop can be a 2- to 3-hour program that illustrates the threats to applications and the origin of vulnerabilities. It ensures that all team members are familiar with the risks and recognize the importance of safer coding practices.
The objective of the Boot Camp is to quickly inject vital security expertise into the veins of the organization. A team of designers, developers and testers from different groups should be brought together for this more intense training program. After the Boot Camp, the participants become champions for spreading the security knowledge within the team.
We describe this in greater detail in Training your Developers. We also share our strategies for training security testers in the Palisade interview What works in Training Security Testers.
What has been your experience?
Switch proxy editors in 2 clicks
Do your internal security testers lose time when they have to change their browser’s proxy settings frequently? Tell them about SwitchProxy, a nifty add-on for Firefox. We use it daily to switch quickly between web proxy editors.
[Web proxy editors are used in penetration testing to intercept traffic, inspect it and modify requests. We configure the browser’s proxy settings to point to the proxy editor. Then all requests from the browser go via the proxy editor, and that is where we inspect them and tweak some values. Paros and Burp are two popular proxy editors.]
Every time we want to route the traffic via a proxy editor, we have to configure the browser’s proxy settings, and then reconfigure them when we want to bypass the proxy. In the middle of a test, this can be valuable time lost.

Enter SwitchProxy, a Firefox add-on that lets you switch between proxies in 2 clicks. You can set up SwitchProxy for the various proxies you use. When you want to switch, click on the SwitchProxy label in the status bar and choose your proxy. Selecting “None” lets you bypass all the proxies.
To configure proxies the first time, select the “Manage proxies” item from the menu. Here are the screenshots.
There’s a similar add-on for Internet Explorer - Proxy Switcher.
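For testers who would rather script the switch than click, here is the same idea done with Firefox’s own proxy preferences. This is an added example, not code from the original post or from the SwitchProxy add-on; the proxy names, the 127.0.0.1:8080 address and the output path are assumptions, so adjust them to the port your proxy editor actually listens on.

```shell
#!/bin/sh
# Added example: write Firefox's manual-proxy prefs to a user.js file so the
# browser routes traffic via a named proxy editor, or bypasses it ("none").
# Proxy names and addresses below are assumptions, not from the original post.

# Map a proxy editor name to host:port. 127.0.0.1:8080 is an assumed default.
proxy_addr() {
    case "$1" in
        paros) echo "127.0.0.1:8080" ;;
        burp)  echo "127.0.0.1:8080" ;;
        none)  echo "" ;;
        *)     echo "unknown proxy: $1" >&2; return 1 ;;
    esac
}

# Print the user.js lines for the chosen proxy.
# network.proxy.type 1 = manual proxy settings, 0 = direct connection.
proxy_prefs() {
    addr=$(proxy_addr "$1") || return 1
    if [ -z "$addr" ]; then
        echo 'user_pref("network.proxy.type", 0);'
        return 0
    fi
    host=${addr%:*}
    port=${addr#*:}
    echo 'user_pref("network.proxy.type", 1);'
    echo "user_pref(\"network.proxy.http\", \"$host\");"
    echo "user_pref(\"network.proxy.http_port\", $port);"
    echo "user_pref(\"network.proxy.ssl\", \"$host\");"
    echo "user_pref(\"network.proxy.ssl_port\", $port);"
    # Empty bypass list: requests to a test app on localhost are intercepted too.
    echo 'user_pref("network.proxy.no_proxies_on", "");'
}

# Write the prefs to the given user.js path (normally inside the profile dir).
switch_proxy() {
    proxy_prefs "$1" > "$2"
}

# Usage: switch_proxy paros /path/to/profile/user.js
```

Firefox reads user.js when it starts, so unlike the add-on this needs a browser restart to take effect.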