Published on August 10, 2017 by Jonn Callahan
Published on August 8, 2017 by Rich Grimes
While in the process of migrating our ASP.NET on-demand training course to ASP.NET Core, I noticed ASP.NET Core 1.0 did not include a similar feature to ASP.NET’s Request Validation.
Given that ASP.NET Core has some significant changes from ASP.NET, it doesn’t surprise me to find a feature missing. As ASP.NET Core is supposed to be the leaner cross-platform version, namespaces, classes, and features are going to change. However, what concerns me is that on a routine basis we perform security assessments on ASP.NET applications where the only protection against Cross-Site Scripting (XSS) is the Request Validation feature.
So, this got me thinking. Will developers know Request Validation is missing? How many ASP.NET projects will be migrated with the assumption that Request Validation is present? Why hasn’t Microsoft made this change more obvious? How do we get the word out?
Published on August 3, 2017 by Amy McElroy and Clea Ostendorf
This year marks my third working in Business Development at nVisium, and until now, I'd strategically avoided the infamous Black Hat and DEF CON industry conferences. Like many first-time DEF CON attendees, I really had no idea what to expect.
Published on July 18, 2017 by Stefan Edwards
I was in a car accident last year, and was talking with our CEO Jack after the fact. He asked if the air bags had deployed, and I said they hadn't (in fact, if they had, I probably wouldn't have been injured). Jack responded with:
That's the thing with air bags, you assume they work and they'll save your life until they don't.
Now, being the jerk that I am, I responded:
Basically like all security controls?
Published on July 12, 2017 by Kevin Cody
As more and more applications and manufacturers upgrade their Android APIs or device software versions, many security testers will face an interesting dilemma. The days of simply trusting a supplied Certificate Authority (CA) and forwarding all device traffic to an HTTPS proxy are gone. This is due to some major trust changes made in the plumbing of Android N and beyond.
Published on June 29, 2017 by Brian Glas
After I returned home from the OWASP Summit last week, I started with my typical valuation of my time. I asked myself whether or not this was a good use of a week, did I contribute, what did I learn, and most importantly, would I do it again? The answer to the first and last questions was an emphatic "YES!". After further introspection (completing the feedback loop!), I realized there were three primary reasons I was planning to return for the next summit.