Application Security This Week for August 30

by Bill Sempf 30. August 2020 12:43

Monsoon is a fast HTTP request enumerator that allows you to run a large number of tests to try out potential findings.


Python devs: Don't run the executable in your downloads folder! Python isn't designed for that and there are vulnerabilities.


A really fantastic list of Android security resources.


That's the latest, folks! Have a great week.


Application Security This Week for August 23

by Bill Sempf 23. August 2020 12:41

Update Jenkins - there is a flaw in the HTTP renderer.


Pretty cool article about attacking the MS Exchange web interface.


Don't usually talk locksport here but it's a slow news week and this is pretty cool - creating a key based on the sound of the original entering the lock.


That's the news!


Application Security This Week for August 16

by Bill Sempf 16. August 2020 09:37

Microsoft pushed a change to ASP.NET for a DoS vulnerability. Not only should you patch, but looking at the change control is worth your time.


Speaking of .NET, Adam Chester has an awesome article about the debugger that is worth a look.


Sonatype has their annual report on the Software Supply Chain ready, which is a topic near and dear to my heart. You have to give them your email, but it is worth it.

I spoke to the .NET Dev Group in Columbus about this topic in March and it got a little spicy.


Finally, here is another good analysis paper on the application security development lifecycle.


Stay safe and well.



Application Security This Week for August 9

by Bill Sempf 9. August 2020 08:27

The new Open Source Security Foundation is trying to broaden the reach of information security best practice.


Four new variants of HTTP Request Smuggling were published, and they are pretty cool.


A really cool XML External Entity flaw was used to get RCE in the latest Pwn2Own competition.


That's the news, folks.



Application Security This Week for August 2nd

by Bill Sempf 2. August 2020 07:23

Check your Docker API permissions. A new piece of malware has been turning cloud hosted containers into mining rigs.


Remember when I told you that Microsoft is dropping support for TLS 1.0 and 1.1? Well, SHA-1 is next.


1d8 posted a good primer on setting up an Android security analysis lab. It's pretty solid.

I did a talk on a similar topic at GrrCon a few years back.


Finally, I'll be at the OWASP Booth at Virtual BlackHat Wednesday afternoon (3-7 EDT). I have no idea how it will work yet, but it should be fun! Come have a virtual beer with me.


That's the news. Stay safe out there.


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
