Posts Categorized: Application Penetration Testing

Application Penetration Testing

"Years of experience have taught me that it’s not easy to find a Pen Testing service which provides insightful advice in an engaging way, whilst providing value for money. Discovering Ambersail has certainly proven to be the exception that proves the rule! I won’t be looking elsewhere in a hurry." Head of ICT - Hillarys... Read more »

What is SQL Injection?

What is it? Put simply, SQL or sometimes “sequel” injection is a web site security fault that enables a hacker to steal the private or confidential data that you have available on your web site. It is surprisingly common, can have a devastating business impact, and is easy to prevent. Now you too can answer the question “What… Read more »

Apple Secure Coding Guide

We note that Apple has just released a document entitled “Secure Coding Guide” and it covers OSX and iOS development. From the intro: “Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you… Read more »

Security & The Short Road To Legacy Systems

“Information security means working with how things are, rather than how you want them to be.” We’ve all heard the apocryphal tale about the lost traveler asking for directions in a remote country village. You know the one: our traveler is hopelessly lost, the streets are empty. Just as his frustration seems complete, an elderly… Read more »

5 Constraints To Security Innovation

“We now have a massive security industry, and hacking and data loss is a bigger issue than ever before” The great thing about the information security field is that it constantly re-invents itself, or at least it tries to. In truth, real innovation is rare, and recycling is common. Developments in information security are… Read more »

Cheat Sheet: Virtual Web Application Patching

Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept… Read more »

Security News Roundup: Chinese Take-away

The biggest story this week. Chinese military unit behind ‘prolific and sustained hacking’ says security report. A highly-skilled team of intelligence gatherers working systematically to steal confidential information from organisations around the globe? Shocking stuff – we can’t imagine for a moment that our government is doing the same thing. But things move fast in the murky… Read more »

Logging & Top 20 Default Username Attempts

It’s true to say that default or weak passwords remain a significant cause of compromise and data loss for many organisations. For years, lists of default usernames and passwords have been widely available (and indeed are a useful resource for penetration testers as well as the less ethically motivated). Whilst it’s great to focus on… Read more »

Apple iOS Security Guide

Apple has (somewhat quietly) published a guide to iOS security. If you’re building apps on the iOS platform (iPhone, iPad, iPod touch) then this document will certainly be of interest to you. For example there are details of the platform’s data protection and encryption mechanisms. Download the PDF from http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf  

What Isn’t 2-Factor Authentication?

We’re often presented with environments where the PCI DSS mandates that two-factor authentication (2FA) is required. Sometimes, we see implementations that sound like 2FA, but aren’t. What is 2FA? Two-factor authentication is a generic term describing a system that strongly confirms the identity of the person trying to gain access. It does this by… Read more »