Posts Categorized: Penetration Testing

Penetration Test Versus Vulnerability Scan


When someone poses the question – Penetration Test Versus Vulnerability Scan – we answer by describing what each test is and what each is designed to do. One of the key differences between a penetration test and a vulnerability scan lies in the amount of human time and skill needed to perform it. This influences…

I, Penetration Tester: Ethics in Cyber Security

Indulge me for a minute. Ethics in cyber security is a discussion that continues to develop. There are numerous ethical standards out there, but can all of this be summarised neatly in one place? I think it can, possibly… Way back in 1942, during the first Golden Age of Science Fiction, Isaac Asimov proposed the…

Cryptographic Weakness: No Trust Without Security

Are You Talking To Me? I had a conversation with a client recently. We’d just conducted a penetration test for his organisation and a number of cryptographic weakness findings had come up. “These issues aren’t normally significant,” he said. “Why are we failing now, when we were okay before?” A fair question, and one that deserves an answer. Here’s…

Blocking Your Penetration Tester is a Bad Idea

What’s wrong with blocking your penetration tester? You’ve invested in technologies that prevent the bad guys from scanning your site and finding problems that they might be able to exploit. To be sure things are working, you commission a penetration test, and ask the penetration tester to see if the defences can be defeated. You block…

What is SQL Injection?

What is it? Put simply, SQL injection (SQL is often pronounced “sequel”) is a web application security flaw that enables an attacker to read, and often modify, the private or confidential data held by your web site, by supplying input that is interpreted as part of a database query rather than as plain data. It is surprisingly common, can have a devastating business impact, and is easy to prevent. Now you too can answer the question “What…
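A worked example of the flaw and of the fix, added here and not part of the original post: a lookup built by string concatenation beside the same lookup using a parameterised query. It uses Python's standard-library sqlite3 module against a constructed in-memory users table; the table, the sample rows and the function names are all assumptions for illustration, not anything from the page.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-pw", "alice@example.com"),
            ("bob", "hash-of-bob-pw", "bob@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the user-supplied value is pasted into the query text,
    so a quote character in it ends the string literal and the rest of the
    input is executed as SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the query text is fixed and the value is bound as a
    parameter, so the database never parses the input as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads: one widens the WHERE clause to match every row, the
# other appends a UNION that pulls a column the query was never meant to return.
BYPASS_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


def demo():
    """Runs both payloads against both implementations and returns the rows."""
    conn = make_db()
    return {
        "vuln_bypass": lookup_vulnerable(conn, BYPASS_PAYLOAD),   # every user
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),     # password hashes leak
        "safe_bypass": lookup_safe(conn, BYPASS_PAYLOAD),         # no such user
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),           # no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterised version is not filtering or escaping the input; it simply never lets the input become part of the statement, which is why it is the preferred fix over blacklists of quote characters. The same separation applies to any driver that supports bound parameters.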

PCI Penetration Testing Policies. Just Like Buses

… nothing for a few weeks and then three come at once. Last Friday afternoon at the office turned into a somewhat sedate – and welcome – end to the working week. Until I took three sales calls one after the other. Nothing notable about that. What was significant was that all asked about how…

PCI: Your eCommerce Web Sites Are In Scope

“Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.” We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3. We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents…

Apple Secure Coding Guide

We note that Apple has just released a document entitled “Secure Coding Guide”, covering OS X and iOS development. From the intro: “Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you…

PCI: Web Redirection Servers In Scope?

It is possible that web applications previously considered out-of-scope for PCI DSS could now be in-scope under PCI DSS v3. The impact of this could be significant depending on your existing card data environment (CDE). It has long been accepted practice that any component that stores, processes or transmits cardholder data is in scope for…