Posts Categorized: Penetration Testing

Cheat Sheet: Virtual Web Application Patching

Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept… Read more »

Security News Roundup: Chinese Take-away

The biggest story this week. Chinese military unit behind ‘prolific and sustained hacking’ says security report.  A highly-skilled team of intelligence gatherers working systematically to steal confidential information from organisations around the globe?  Shocking stuff – we can’t imagine for a moment that our government is doing the same thing. But things move fast in the murky… Read more »

ATM & E-Commerce Security Guidelines

A couple of new information supplements have been released by the PCI SSC, covering E-commerce and ATM PIN security. “PCI DSS E-commerce Guidelines”  contains a nice summary of common E-commerce models, vulnerabilities and some recommendations too. From the intro: “This Information Supplement is intended for merchants who use or are considering the use of e-commerce technologies in… Read more »

Video: Penetration Testing & The Cloud

Here’s our short video (less than 10 minutes), ideal for project managers who need to know more about how penetration testing can be used to effectively gauge the security of outsourced cloud environments. Find out more about our penetration testing services.   Related reading: Tips for better mobile app penetration testing.

Taming The BEAST

This is a follow-up post to our previous article on the subject. Here we offer technical assistance to those of you trying to fix the BEAST vulnerability, and offer some mitigation practices. The problem revolves around a vulnerability identified years ago in TLSv1 and SSLv3 protocol CBC mode ciphers (the stronger ciphers). This issue was fixed in… Read more »

Apple iOS Security Guide

Apple has (somewhat quietly) published a guide to iOS security. If you’re building apps on the iOS platform then this document will certainly be of interest to you. For example there are details of the platform’s data protection and encryption mechanisms. Download the PDF from here. Useful links: https://www.ambersail.com/what-is-sequel-injection/  

PCI DSS Vulnerability & Penetration Testing

As a standard that pays a lot of attention to practical activities, the PCI Security Testing includes a range of activities. We frequently see confusion about what needs to be tested, how and when. At the end of this post is a link to our short guide to all PCI DSS testing requirements. Some key… Read more »

RSA SecurID Token Attack

You may recall reading in the press a while ago about an attack against RSA’s servers where confidential data concerning two-factor authentication keys was compromised. Originally, RSA seemed confident that this theft would not result in a realistic attack on the SecurID two-factor authentication system, but now it appears that at least one major client… Read more »