Category Methodology

(Paper) Pentesting Adobe Flex Applications (introducing new tool Blazentoo)

Marcin Wielgoszewski from Gotham Digital Science gave a keynote at the OWASP NY session (http://www.owasp.org/index.php/NYNJMetro) where he demonstrated intrusion techniques against applications based on Adobe AIR. Indeed, with the integration of RIA on the client side, we tend to forget that the beauty of things can hide a real threat.


CWE/SANS Top 25 list updated to v1.0.3

The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.


FireCAT v1.6 updated with 2 new extensions

FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful Firefox extensions oriented toward application security auditing and assessment. FireCAT is not a replacement for other security utilities and software, or for fuzzers, proxies and application vulnerability scanners.


Two methodologies for physical penetration testing using social engineering

During a penetration test on the physical security of an organization, if social engineering is used, the penetration tester directly interacts with the employees.
These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust towards the organization, leading to lawsuits and loss of productivity for the organization.


Cloud Computing Risk Assessment methodology available

ENISA is the European Network and Information Security Agency, working for the EU Institutions and Member States. ENISA is the EU’s response to security issues of the European Union. As such, it is the ’pacemaker’ for Information Security in Europe.
The objective is to make ENISA’s web site the European ‘hub’ for exchange of information, best practices and knowledge in the field of Information Security.


OWASP TOP 10 2010 French version released

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.


Penetration Testing Framework v0.57 released

The PTF (Penetration Testing Framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):

  • Network footprinting
  • Discovery & Probing
  • Enumeration
  • Vulnerability assessment
  • Penetration (or exploitation)
  • Plus other tests, as well as physical and wireless assessment...

Advanced Mac OS X Rootkits released

At BlackHat USA 2009, Dino Zovi presented “Advanced Mac OS X Rootkits” covering a number of Mach-based rootkit techniques and some tools that he has developed to demonstrate them. While the majority of Mac OS X rootkits employ known and traditional Unix-based rootkit techniques, these Mach-based techniques show what else is possible using the powerful Mach abstractions in Mac OS X.


OWASP Security Spending Benchmarks reports available

Ludovic Petit (OWASP France Leader and Vice-Chair) has just sent a note about the OWASP SSB project to the OWASP France mailing list.
The Security Spending Benchmarks Project seeks to produce guidance and an industry-accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated towards the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc.


PTF (Penetration Testing Framework) 0.54 released

The PTF (Penetration Testing Framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):

  • Network footprinting
  • Discovery & Probing
  • Enumeration
  • Vulnerability assessment
  • Penetration (or exploitation)
  • Plus other tests, as well as physical and wireless assessment...

SAMM (Software Assurance Maturity Model) v1.0 released

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

  • Evaluating an organization’s existing software security practices
  • Building a balanced software security assurance program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities throughout an organization

CWE/SANS Top 25 Most Dangerous Programming Errors

The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.


OWASP Testing Guide version 3.0 released

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.


Citrix security testing map released

As a part of the awful PTF (pentesting framework), Kevin Orrey did it (again). The Citrix section has finally seen the light of day. A must-read for Citrix security testers.


PTF (Penetration Testing Framework) 0.51 released

The PTF (Penetration Testing Framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):

  • Network footprinting
  • Discovery & Probing
  • Enumeration
  • Vulnerability assessment
  • Penetration (or exploitation)
  • Plus other tests, as well as physical and wireless assessment...


PTF (Penetration Testing Framework) 0.5 released

The PTF (Penetration Testing Framework) enumerates the stages one should perform during a test (as described in the OSSTMM manual):

  • Network footprinting
  • Discovery & Probing
  • Enumeration
  • Vulnerability assessment
  • Penetration (or exploitation)
  • Plus other tests, as well as physical and wireless assessment...


CVSS V2.0 Web based calculator released

CVSS stands for Common Vulnerability Scoring System. It helps score the severity of vulnerabilities and determine the urgency of response and patch management. For more advanced information about CVSS scoring metrics, please refer to http://www.first.org/cvss/.


CCWAPSS Methodology updated to v1.1

CCWAPSS (Common Criteria Web Application Security Scoring) is a comprehensive security scoring methodology dedicated to web application pentests.

This scale aims to share a common, open and documented evaluation methodology between security auditors and end customers.


Focus on CCWAPSS Web Application Scoring Scale Version 1.0

A friend of mine, Frederic Charpentier (senior security consultant), developed a good new web application scoring scale called CCWAPSS. CCWAPSS stands for Common Criteria Web Application Security and it aims to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.


OWASP CLASP v1.2: Integrating security approach in software development

CLASP (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible.
