The nVisium Blog

Lambda@Edge, CloudFront, and Custom Response Headers

Published on August 10, 2017 by Jonn Callahan

Back in early 2017, AWS released a preview of the new Lambda@Edge functionality. This allowed Lambda triggers to be set on CloudFront and origin requests and responses. Leveraging this functionality, it is now possible to set custom headers on resources cached via CloudFront.


Dude, Where’s My Request Validation?

Published on August 8, 2017 by Rich Grimes

While in the process of migrating our ASP.NET on-demand training course to ASP.NET Core, I noticed ASP.NET Core 1.0 did not include a similar feature to ASP.NET’s Request Validation.

Given that ASP.NET Core has some significant changes from ASP.NET, it doesn't surprise me to find a feature missing. As ASP.NET Core is supposed to be the leaner cross-platform version, namespaces, classes, and features are going to change. However, what concerns me is that, on a routine basis, we perform security assessments on ASP.NET applications where the only protection against Cross-Site Scripting (XSS) is the Request Validation feature.

So, this got me thinking. Will developers know Request Validation is missing? How many ASP.NET projects will be migrated with the assumption that Request Validation is present? Why hasn’t Microsoft made this change more obvious? How do we get the word out?


DEF CON - Is It Really That Scary?

Published on August 3, 2017 by Amy McElroy and Clea Ostendorf

This year marks my third year working in Business Development at nVisium, and until now, I'd strategically avoided the infamous Black Hat and DEF CON industry conferences. Like many first-time DEF CON attendees, I really had no idea what to expect.


Of Airbags and Modeling, Part 0

Published on July 18, 2017 by Stefan Edwards

I was in a car accident last year, and was talking with our CEO Jack after the fact. He asked if the air bags had deployed, and I said they hadn't (in fact, if they had, I probably wouldn't have been injured). Jack responded with:

That's the thing with air bags, you assume they work and they'll save your life until they don't.

Now, being the jerk that I am, I responded:

Basically like all security controls?


Advantages and Disadvantages of Android N+ Network Security Configuration

Published on July 12, 2017 by Kevin Cody

As more and more applications and manufacturers upgrade their Android APIs or device software versions, many security testers will face an interesting dilemma. The days of simply trusting a supplied Certificate Authority (CA) and forwarding all device traffic to an HTTPS proxy are gone. This is due to some major trust changes made in the plumbing of Android N and beyond.


Three Reasons Why You Should Consider Attending the OWASP Summit 2018

Published on June 29, 2017 by Brian Glas

After I returned home from the OWASP Summit last week, I started with my typical valuation of my time. I asked myself whether or not this was a good use of a week, did I contribute, what did I learn, and most importantly, would I do it again? The answer to the first and last question was an emphatic "YES!". After further introspection (completing the feedback loop!), I realized there were three primary reasons I was planning to return for the next summit.
