The Automation of Web Security Assessments in 2017

Like in most professional sectors, penetration testers ask themselves whether machines are capable of taking over their job. In many sales speeches, customers are told that they no longer need manual web security assessments because automated tools will do the same job cheaper. Customers refer to so-called Web Application Security Scanners: programs that automatically scan web applications for security vulnerabilities. In this post, we will review the effectiveness and accuracy of web application scanners.

Do you know your network?

Can you tell how many devices are connected to your internal network at this moment? If so, how much do you know about these devices? Do you know which operating system is running on a specific IP address, or when a given device first appeared on the network? Which client is missing an important security patch?

This post is about identifying your IT assets (hardware, software, data), detecting unwanted devices, and what Shadow IT means.

Security in Distributed Computing

Distributed computing is an awesome approach to spreading the workload of huge tasks and easily outsourcing them if needed. It makes computing tasks scalable and cheap when cloud computing is involved: computing time can be rented, which is usually cheaper than buying the necessary hardware. However, outsourcing into foreign networks comes with the advantages and drawbacks of public infrastructure. Public networks cannot be trusted; therefore, traffic should be encrypted and connections should be authorized, which sounds easier than it is when using Python frameworks such as Dispy, Celery or Twisted.

Although implemented in the core of the frameworks I used, security is optional, sometimes flawed (e.g. asymmetric cryptography in Dispy, which requires the same private and public key on the client as well as on the server side, otherwise it will not work) and often lacks good documentation.

The main priority of official tutorials is to make it work, period – so developers test the code shown and use it without bothering about further security steps. Tutorials showing working code with all the needed encryption and authorization steps are rare. Often the framework developers show the needed parts separately, but not the complete setup, so developers have to spend a lot of time puzzling all the needed steps together. Security should be implemented by default, which unfortunately is not often the case in official framework tutorials. It was therefore not easy to find documentation on implementing the frameworks in a secure way. Sometimes the frameworks did not even offer complete secure solutions. Let us have a look at a framework called Twisted in combination with a JSON-RPC server and how to secure it. There is still room for improvement, but I hope this blog post will help developers harden and secure their software a little bit more.

The example code can be found here.