The nVisium Blog

Play 2.6 Security Analysis

Published on October 4, 2017 by Jack Mannino

Play 2.6 final was recently released and it includes a ton of awesome new features. Some of the most exciting features include: replacing Netty with Akka HTTP Server as the default backend as well as shipping with experimental HTTP/2 support (finally!). From a security perspective, Play 2.6 introduces new features and settings you want to take advantage of. Read more...

I presented my first talk at an InfoSec conference and lived to tell the tale

Published on September 27, 2017 by Ryan Reid

In this post, I'll discuss my recent adventure regarding my first InfoSec con presentation. Hopefully, you'll find the tips littered throughout this blog helpful as you prepare to present for your first time. Read more...

Lambda@Edge, CloudFront, and Custom Response Headers

Published on August 10, 2017 by Jonn Callahan

Back in early 2017, AWS released a preview of the new Lambda@Edge functionality. This allowed Lambda triggers to be set on CloudFront and Origin sources requests and responses. Leveraging this functionality, it is now possible to set custom headers on resources cached via CloudFront.

Read more...

Dude, Where’s My Request Validation?

Published on August 8, 2017 by Rich Grimes

While in the process of migrating our ASP.NET on-demand training course to ASP.NET Core, I noticed ASP.NET Core 1.0 did not include a similar feature to ASP.NET’s Request Validation.

Given that ASP.NET Core has some significant changes from ASP.NET, it doesn’t surprise me to find a feature missing. As ASP.NET Core is supposed to be the leaner cross-platform version, namespaces, classes, and features are going to change. However, what concerns me, is on a routine basis we perform security assessments on ASP.NET applications where the only protection against Cross-Site Scripting (XSS) is the Request Validation feature.

So, this got me thinking. Will developers know Request Validation is missing? How many ASP.NET projects will be migrated with the assumption that Request Validation is present? Why hasn’t Microsoft made this change more obvious? How do we get the word out?

Read more...

DEF CON - Is It Really That Scary?

Published on August 3, 2017 by Amy McElroy and Clea Ostendorf

This year marks my third working in Business Development at nVisium, and until now, I'd strategically avoided the infamous Black Hat and DEF CON industry conferences. Like many first-time DEF CON attendees, I really had no idea what to expect.

Read more...

Of Airbags and Modeling, Part 0

Published on July 18, 2017 by Stefan Edwards

I was in a car accident the last year, and was talking with our CEO Jack after the fact. He asked if the air bags had deployed, which I said they didn't (in fact, if they had, I probably wouldn't have been injured). Jack responded with:

That's the thing with air bags, you assume they work and they'll save your life until they don't.

Now, being the jerk that I am, I responded:

Basically like all security controls?

Read more...