May 28, 2019 | Compliance
When the technology industry is not inventing new gadgets, it is inventing new words, such as a next-generation firewall. This contrived word ultimately reshaped an entire market segment. The newest word on the market is Compliance Automation. Which is near and dear...
Dec 12, 2018 | Business of Security, Compliance, Opinion, Security Leadership
“Four years!” As soon as the words left my mouth, I regretted saying them. Not because they were wrong, rather the incredulousness in my voice was instantly met with furrowed brows and folded arms. Across the table was a potential customer, and thanks to my lack of...
Oct 13, 2018 | Application Security, Vulnerabilities, Vulnerability Management, Vulnerability Research
Exploiting a SAML Implementation During a recent web application test, I discovered a bug in a Security Assertion Markup Language (SAML) implementation. This bug involved an insecure implementation of a SAML feature combined with a custom authentication mechanism our...
Sep 14, 2018 | Breaches, Compliance, Human Factors, Opinion, RSA Conference, RSAC 2018, Security Leadership, Security Management
In her keynote at the RSA Conference this year, futurist and game designer Jane McGonigal said: any useful statement about the future should at first seem ridiculous. In the post-RSAC recovery period, I pondered the future trends in information security and built my...
Aug 10, 2018 | Business of Security, Opinion, UTM / NGFW
Let’s get this out of the way: the next-generation firewall (NGFW) is dead. The cause of death: cloud. However, this is not an execution, rather a slow, decline into irrelevance in the face of a more agile competitor. The shroud of death and decay are all around the...
Apr 25, 2018 | RSA Conference, RSAC 2018
RSA Conference is fertile ground for buzzwords. Remember “Big Data” or “threat intelligence” from years past? Well, this year things are getting a little weirder. Here are some buzzwords that were tossed around at RSA, with my thoughts on their real meanings....
Apr 19, 2018 | RSA Conference, RSAC 2018
If there is one thing RSA does well, its chaos. However, this is partially because San Francisco is a giant, elegant, stinky, haphazardly-engineered, cacophony of chaos. From the pungent weed clouds to the automated compute clouds, San Francisco has mastered chaos....
Apr 17, 2018 | RSA Conference, RSAC 2018
While I wandered through RSA today, a song came to mind. You might recognize it, especially if you wore a lot of black clothes in the 1980s. It’s Panic. RSA 2018 is all about panic. Enjoy my new lyrics to this Smiths song. Panic on the streets of Frisco...
Apr 2, 2018 | Application Security, Penetration Testing, Vulnerabilities
Welcome to Part 2 of this 2-part blog series looking at the details of exploring and validating an exploit! If you liked this series, I bet you’d be interested in our webinar on How to Think Like A Hacker, check it out! Now on to Part 2: Taking it to the Next...
Mar 27, 2018 | Application Security, Penetration Testing, Vulnerabilities
A Study in Exploit Development: Easychat SEH exploit A typical penetration test involves automated scanning to identify vulnerabilities, followed by a more manual testing process where the tester attempts to validate and exploit those vulnerabilities. Many times, we...
