Most Popular
(Paper) Pentesting Adobe Flex Applications (introducing new tool Blazentoo)
Marcin Wielgoszewski from Gotham Digital Science gave a keynote at the OWASP NY session (http://www.owasp.org/index.php/NYNJMetro) where he demonstrated intrusion techniques against applications based on Adobe AIR. Indeed, with the integration of RIA on the client side, we tend to forget that the beauty of things can hide a real threat.
CWE/SANS Top 25 list updated to v1.0.3
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
FireCAT v1.6 updated with 2 new extensions
FireCAT (Firefox Catalog of Auditing exTensions) is a mindmap collection of the most efficient and useful Firefox extensions oriented towards application security auditing and assessment. FireCAT is not a replacement for other security utilities and software such as fuzzers, proxies and application vulnerability scanners.
Two methodologies for physical penetration testing using social engineering
During a penetration test on the physical security of an organization, if social engineering is used, the penetration tester directly interacts with the employees.
These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust towards the organization, leading to lawsuits and loss of productivity for the organization.
Cloud Computing Risk Assessment methodology available
ENISA, the European Network and Information Security Agency, works for the EU institutions and Member States. ENISA is the EU's response to the security issues of the European Union. As such, it is the 'pacemaker' for information security in Europe.
The objective is to make ENISA's web site the European 'hub' for the exchange of information, best practices and knowledge in the field of information security.
OWASP TOP 10 2010 French version released
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
Penetration Testing Framework v0.57 released
The PTF (penetration testing framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):
- Network footprinting
- Discovery & probing
- Enumeration
- Vulnerability assessment
- Penetration (or exploitation)
- Plus other tests such as physical and wireless assessment
Advanced Mac OS X Rootkits released
At BlackHat USA 2009, Dino Zovi presented "Advanced Mac OS X Rootkits", covering a number of Mach-based rootkit techniques and some tools that he has developed to demonstrate them. While the majority of Mac OS X rootkits employ known and traditional Unix-based rootkit techniques, these Mach-based techniques show what else is possible using the powerful Mach abstractions in Mac OS X.
OWASP Security Spending Benchmarks reports available
Ludovic Petit (OWASP France Leader and Vice-Chair) has just sent to France OWASP mailing list a note about the OWASP SSB project.
The Security Spending Benchmarks Project seeks to produce guidance and an industry-accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc.
PTF (Penetration Testing Framework) 0.54 released
The PTF (penetration testing framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):
- Network footprinting
- Discovery & probing
- Enumeration
- Vulnerability assessment
- Penetration (or exploitation)
- Plus other tests such as physical and wireless assessment
SAMM (Software Assurance Maturity Model ) v1.0 released
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
- Evaluating an organization’s existing software security practices
- Building a balanced software security assurance program in well-defined iterations
- Demonstrating concrete improvements to a security assurance program
- Defining and measuring security-related activities throughout an organization
CWE/SANS Top 25 Most Dangerous Programming Errors
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
OWASP Testing Guide version 3.0 released
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.
Citrix security testing map released
As part of the PTF (pentesting framework), Kevin Orrey has done it again: the Citrix section has finally seen the light of day. A must read for Citrix security testers.
PTF (Penetration Testing Framework) 0.51 released
The PTF (penetration testing framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):
- Network footprinting
- Discovery & probing
- Enumeration
- Vulnerability assessment
- Penetration (or exploitation)
- Plus other tests such as physical and wireless assessment
PTF (Penetration Testing Framework) 0.5 released
The PTF (penetration testing framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):
- Network footprinting
- Discovery & probing
- Enumeration
- Vulnerability assessment
- Penetration (or exploitation)
- Plus other tests such as physical and wireless assessment
CVSS V2.0 Web based calculator released
CVSS stands for Common Vulnerability Scoring System. It helps score the severity of vulnerabilities and determine the urgency of response and patch management. For more advanced information about the CVSS scoring metrics, please refer to http://www.first.org/cvss/.
CCWAPSS Methodology updated to v1.1
CCWAPSS (Common Criteria Web Application Security Scoring) is a comprehensive security scoring methodology dedicated to web application pentests. This scale aims at sharing a common, open and documented evaluation methodology between security auditors and end customers.
Focus on CCWAPSS Web Application Scoring Scale Version 1.0
A friend of mine, Frederic Charpentier (senior security consultant), developed a good new web application scoring scale called CCWAPSS. CCWAPSS stands for Common Criteria Web Application Security Scoring and it aims to share a common evaluation method for web application security assessments/pentests between security auditors and end customers.
OWASP CLASP V 1.2 : Integrating security approach in software development
CLASP (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible.