Blog

Jan 20th

2011

By scotsts_admin
Category: Penetration Testing
Comments 0

Just the Facts Ma’am

Sometimes when you’re testing it’s good to be able to quickly get a feel for where to focus your attention or to get an overview of all the ports you’ve got open, so you can be sure you investigate all of them. Once you’ve done several scans as part of a job, you end up […]

Oct 25th

2010

By scotsts_admin
Category: Penetration Testing
Comments 0

Creating a Simple Vulnerability Database – Part 2

We left off last time having created a simple vulnerability database using Ruby on Rails. So the next piece of the puzzle is getting that data into Dradis. Luckily Dradis has a nice plugin system which is designed to ease the process of importing and exporting data from Dradis, so this isn’t too tricky. Creating […]

Oct 20th

2010

By scotsts_admin
Category: Penetration Testing
Comments 0

Creating a Simple Vulnerability Database – Part 1

One of the main tools that I’ve found useful in pen. testing is the Dradis Framework, it’s a good way of keeping track of findings and notes during a test and I’ve also found it’s template feature is good for keeping a list of things to remember during a test. One of the features available […]

Jul 17th

2010

By scotsts_admin
Category: Uncategorized
Comments 2

Wireless Scanning and a new tool

I had some cause to do some wireless work recently, which got me interested in doing some more war-walking (and hey, the weathers actually been nice enough to make it pleasant recently). It was interesting to see the density of wireless networks in the suburban area near where I live, a quick 30 minute walk […]

Jun 1st

2010

By scotsts_admin
Category: Uncategorized
Comments 0

Using WMI for Security Build Reviews

I’ve been spending some time looking at whether it’s possible to use WMI to automate build security reviews on windows systems. Build reviews should be a relatively mechanistic area of security (check settings on a system against a company or industry list of “good” values), and a ripe area for automation. So it would seem […]

May 19th

2010

By scotsts_admin
Category: Uncategorized
Comments 0

Interesting Example of Cloud Computing Risks

One of the aspects of the move to cloud computing I find most interesting is the new and emergent risks that come with the move of services from a traditional networked IT environment, to being hosted “out in the open” of the cloud. Whilst attention gets paid to some of the technical risks, I don’t […]

Apr 1st

2010

By scotsts_admin
Category: Ruby On Rails
Comments 0

Scottish Ruby Conference follow-up – 2 – Securing your app.

Most of the questions I got after my talk were around how people can look to secure their application. I mentioned a couple of sites and it’s probably worth expanding on the points made. Web Application Security For people looking to understand how to secure their web applications, in my opinion the best source of […]

Mar 26th

2010

By scotsts_admin
Category: Metasploit
Comments 1

Scottish Ruby Conference & Breaking things with Ruby

Just had the first day of the Scottish Ruby Conference. The venue was awesome, there’ll doubtless be lots of good pictures up on places like flickr in due course, but here’s a couple I snapped with my Nokia n900. The three track rooms were the Conference Hall, the Great Hall and my personal favourite the […]

Feb 15th

2010

By scotsts_admin
Category: Uncategorized
Comments 0

Scottish Ruby Conference

If you’ve not already heard about it, the Scottish Ruby Conference is coming up in March in Edinburgh. There’s a really interesting set of presentations lined up for this years conference, and the hardest thing, I reckon, will be picking between the three tracks! I’ve been very lucky to get my talk accepted for this […]

Jan 4th

2010

By scotsts_admin
Category: Uncategorized
Comments 0

Ruby SSL Checker

After reading a post by Gursev Kalra here, I decided to have a shot at putting together a slightly expanded version of his ssl Cipher suite checking code in ruby. I’ve got it working reasonably well in my tests and it can chuck out reports in text and XML . The code for the main […]