Blog

May 13th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Scottish Ruby Conference Talk – Your Framework Will Fail You

I was presenting yesterday at the Scottish Ruby Conference, and given that the talk is relatively high-level as it covers a lot of ground, I thought it would be a good idea to do a series of blog posts to provide some more details and resources (link to the presentation here.) The title of my […]

May 6th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

“Performing a DIY Security Review” Workshop at BSides London

We had a great time doing our workshop at BSides London recently.  In fact we had a great time in general – the conference was lots of fun. This was the first long(ish) workshop I had ever prepared for a conference, and I was surprised at how much work was involved in it (compared to […]

Apr 25th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Can’t we do better than “We use SSL”?

I was reading the security page for another new product today and it struck me how amazingly disappointed I am that we’re still at the stage that the best companies can say about their security is “Trust us we hold all your data securely, and we use military grade SSL” or words to that effect. […]

Apr 25th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

B-Sides Pentest Automation Talk

We were at B-Sides London yesterday.  It all went really well and had a great turn out.  The new venue was good as well.  We didn’t get to see too many of the talks unfortunately as we were delivering a Workshop in the morning and I had my talk in the afternoon. As with most […]

Mar 24th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Three Lines

We’ve decided that the results/recommendations coming out of most of the Internal Security Reviews we do can be summarised in three lines.
a) Patch everything. Not just Windows – everything.
b) Change default credentials. Don’t leave your main router with creds of admin/admin
c) Get rid of clear text protocols. Ditch telnet for SSH and […]

Mar 21st, 2013 | By scotsts_admin | Category: Penetration Testing | Comments: 0

Tools of the trade – USB powered Switches

As a bit of a tech geek I have a tendency to pick up a variety of pieces of hardware and software to see if they’ll be useful on tests.  One of my more successful purchases has been a USB powered Ethernet switch that handles PoE pass-through and has a couple of mirrored ports. It’s pretty compact so it goes easily […]

Mar 19th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Workshop at BSides London

As well as Rory’s talk on pentest automation at BSides London – we will both be doing a workshop “Performing a DIY Security Review”.  It is aimed at IT Professionals and shows the basics of how to prepare for a Security Review (“pentest”).  This is something that is dear to our hearts because writing about […]

Mar 12th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Review of Surface Pro

I just got my Surface Pro a few days ago – albeit I had to import it from US with the help of a friend over there.  I’ve not had it for long so these are initial impressions I will add to later, but so far I am very pleased with it and think it […]

Feb 10th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Securi-Tay Videos and Pentest Automation Presentation

Following up on our previous post about the Securi-Tay conference, the videos are now online on YouTube. Marion’s one about the Surface as a pentesting tool is here and my one about Pen Test Automation is here.

Feb 10th, 2013 | By scotsts_admin | Category: Uncategorized | Comments: 0

Request Validation in ASP.NET

We test a lot of ASP.NET web applications.  On about 40% of them, we notice when testing for cross-site scripting that the only thing protecting against it is the framework’s own Request Validation.  In other words, when you enter a basic XSS vector – you get a Yellow Screen warning that your input has been […]