Applied ThreadFix: Seeding Your Application Portfolio with OWASP Amass
OWASP Amass is a great tool for asset discovery and enterprise attack surface mapping. It pulls data from a number of different data sources and identifies potential hosts and applications associated with organizations, domains, IP CIDRs and other identifiers. As we have noted, having a solid...
Applied ThreadFix: Application Portfolio Tracking
Asset management is a serious issue across the information security space. A very common challenge we see for organizations running an application security program is just getting an idea of what applications they have available and what infrastructure has been deployed to support them. You can't...
The Basics of Exploit Development 5: x86-64 Buffer Overflows
In this article we will be covering a technique similar to the one in the first installment of this series, however, with the twist in that this exploit will be of a 64-bit process running on Windows 10. Due to the nature of modern operating systems and the exploit mitigation techniques they...
Offensive Security Testing Using Cloud Tools
When performing offensive security testing, assessors sometimes run into issues where their source IP address gets blacklisted. For example, we might be performing a web application test and, due to the many suspicious queries being performed, our IP address is suddenly blocked. While on the...
Reflections on Women in Cybersecurity
I joined Coalfire in 2014. At the time, there were very few women in cyber, much less in leadership roles. As it sometimes happens, I found myself in an elevator with Tom McAndrew, who is now our CEO. We started talking about the direction of my career and plans for my role as Director of Coalfir...
The impact of Covid-19 on SOC reporting
The audit cycle for organizations that receive SOC reports includes new challenges related to Covid-19. Remote workforces are now the norm throughout the world, which introduces new risks. For example, connecting to corporate networks using personal computers that may be infected with malware is...
FedRAMP 101: How to get listed as “In Process”
Are you a cloud service provider working on a federal contract and need a FedRAMP authorization - but don't have a sponsor yet? Acquiring a committed government agency sponsor early in the FedRAMP process is crucial to your success and will ensure a smoother process. A major role for an agency...
Chasing doorbells: Finding IoT vulnerabilities in embedded devices
The goal of this research project was to see if we could find any vulnerabilities and obtain full persistence on an IoT device, while learning about embedded devices in general. This post will take you through our journey to find vulnerabilities in a common, reasonably priced IoT device. For our...
New OCR-ready risk analysis: Why the confusion?
Are you ready for an Office for Civil Rights (OCR) investigation? Will your risk analysis and risk management methodologies and documents be sufficient to meet the HIPAA Security Rule?...
Key scoping factors when pursuing ISO 27001 certification
Service providers that seek the most recognized implementation of an information security baseline and governance structure should consider the ISO/IEC 27001:2013 ("ISO 27001") standard. The information security management system (ISMS) prescribed by this widely adopted publication engages personnel...
P2PE v3.0 – Why organizations should prepare now
The Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the Point-To-Point Encryption (P2PE) standard back in December 2019. The new version simplifies and adds flexibility to the process for component and solution providers to validate their P2PE products for cardhold...
So Long, Privacy Shield
In what's rapidly becoming the splashiest news to hit the privacy space in years, the Court of Justice of the EU (CJEU), the highest court in the European Union, invalidated the U.S. Privacy Shield, a legal instrument that made it possible for organizations operating in the United States to transfer...
So much compliance to do…so little time (and people!)
In my seven years at Coalfire I've had the pleasure of working with dedicated compliance professionals at organizations of all shapes and sizes. Over time I've seen the pressure on these fine folks increase tenfold as the stream of new compliance obligations jumps its banks and becomes a flood. T...
Please Stop Managing Vulnerabilities in Excel Spreadsheets
Do your best Excel users work in application security? Are you trying to manage thousands of vulnerabilities across hundreds of applications in an increasingly elaborate series of Excel spreadsheets? Most companies are using multiple scanning technologies as well as a variety of manual testing...
State privacy laws: 2020 highs and lows
2020 is shaping up to be another interesting year for data privacy, especially given that public health agencies, private companies, and states are now working feverishly to create contact tracing apps and programs while still preserving privacy. Being thoughtful and accountable about data privac...
The Basics of Exploit Development 4: Unicode Overflows
If you have read the previous articles in this series, welcome back and keep reading. If not, I would encourage you to read those first before proceeding, as this article builds on concepts laid down in the previous installments. In this article, we will be covering a technique similar to the one...
Successful DevSecOps begins with a cultural shift
A successful DevSecOps approach fosters cohesive collaboration between Development, Security, and Operations teams for the cultivation of outcomes that improve security while also maintaining the goals of DevOps. Within DevSecOps, security is an additional foundational component in the process...
What’s in a Name? – Why Gartner Picking “Application Vulnerability Correlation” is an Important Step for the Application Security Market
If you haven't seen it yet, Gartner just published its "Hype Cycle for Application Security, 2016" written by Gartner Analyst Ayal Tirosh with support from colleague Lawrence Pingree (Gartner clients can view it at https://www.gartner.com/doc/3376617/hype-cycle-application-security-). This is...
Baselining PassGAN: Adventures in the rhubarb
Cracking is a complex topic full of misunderstandings, confusing terminology and weird people. This blog post is front-loaded with some terminology, some explanations, and maybe some apologies. Password cracking: This is fundamentally one thing: guessing. We're not reversing, or talking to spirits...
IoT Part 3: Fire!
When we left off in Part 2 of our blog series, we had just identified the max temperature variable and set it to a much higher number. Our celebrations quickly ended, however. Upon flashing the firmware with the new edited max temperature variable, we realized that the printer would get up to...
Coalfire statement on racial injustice
In honor of Juneteenth, I wanted to reflect and share my thoughts. At Coalfire, we are committed to living our values: Respect, Excellence, Leadership, Integrity, Teamwork, and Enthusiasm. As a result, Coalfire stands against racism, violence, and hate. We stand with fairness, equity, and justice...
A strategy for cybersecurity strategy
Let's start with an assumption: Having a cybersecurity strategy is best practice. So, what makes a good cybersecurity strategy? You'd be surprised how this answer varies across the security industry, especially from seasoned CISOs of Fortune 500 companies...
New HC3 report defines security assessments needed for healthcare organizations during and after COVID-19
The Health Sector Cybersecurity Coordination Center (HC3) recently delivered a report that defines and articulates the security assessments and information technology audits that should be considered during and after the COVID-19 pandemic...
Using DAST to Expand DevOps Security Coverage
The state of application security is constantly evolving with changing web architectures and approaches. These changes are making security teams employ a wider range of techniques and toolsets to find vulnerabilities within their applications. Web and mobile applications each present their own...
Headless, Unattended Scanning in Burp Suite Professional 2.0 with Seltzer
Burp Suite Professional (Burp) is one of the best tools available for penetration testers. It is feature-rich, intuitive, well-supported, and customizable. However, it can be difficult to use Burp for headless, unattended scanning. Alternatives such as Burp Suite Enterprise exist, but those of us...
A new way to manage supply chain risk – Introducing the AICPA SOC for Supply Chain report
With the continuation of its System and Organization Controls (SOC) suite of services (SOC 2®, SOC for Cybersecurity, etc.), the American Institute of Certified Public Accountants (AICPA) has released a new report format that focuses on manufacturing and distribution supply chains. The AICPA's SOC for...
Planning Ahead to Prevent Vulnerabilities
The cost to remediate vulnerabilities increases as those vulnerabilities make it further into the development process. If they make it into a final release, those vulnerabilities can leave organizations vulnerable to attacks, costing time and resources to address, as well as causing damage to the...
Establishing risk appetite is key to effective risk management
The mission of an enterprise risk management program is to respond to and monitor risks to the enterprise's operations and objectives. In order to properly respond to and monitor risks, the enterprise must establish risk appetite thresholds. Well-established and well-communicated risk appetite...
Managing Vulnerabilities Introduced from Open Source Code Libraries
Modern development architectures are commonly based around open source components. Using open source components helps organizations lower their overall development cost while improving the time to market for new applications. Introducing these components, however, can lead to serious consequences...
Remote Workforce is NOT the New Norm, but “Secure Work Anywhere” Should Be
Secure Work Anywhere (SWA) is a new term for an old idea that is quickly becoming an industry standard. The overall principles of SWA are not new, but the risks associated with increased rates of workers connecting from potentially unsecure networks highlight the importance of those principles now...
Am I doing it right? An introspective look at "why it's like this"
Cybersecurity, as a practice within organizations, has existed for decades. Larger or government organizations have had dedicated cybersecurity functions in place since at least the 90s. By the early 2000s, organizations were appointing CISOs, and by the end of that decade over 85% of large...
What to Expect in the initial FedRAMP briefing with your Agency Sponsor and the PMO
Most people who have spent any time researching the FedRAMP authorization process know there are two routes for a Cloud Service Provider (CSP) to become FedRAMP authorized: Agency and Joint Authorization Board (JAB). Because of the limited number of CSPs selected each quarter for the JAB authorizatio...
FedRAMP – 8 years in and 100 assessments achieved
Back in 2011, if you had asked me what cloud computing was, I would have looked at you with a blank look on my face. At the time, I was supporting a Federal client when my boss asked me to assist in applying to become a 3PAO. I had no clue what 3PAO even stood for (it stands for Third-Party...
Cybersecurity Risk Management – From HIPAA to HITRUST
Cybersecurity risk management for healthcare organizations continues to be a perplexing issue. While it is explicit in the security management standard of the HIPAA Security Rule that a Covered Entity and their Business Associates must conduct an "accurate and thorough" risk analysis teamed with ...
Cloud Transformation and the Shared Security Model
For many organizations, the lure of the cloud is very strong. Large enterprises usually have several justifications for adopting cloud-based services including preserving capital, adding scalability to applications, and minimizing IT staffing needs. Small- to medium-sized organizations often look...
The Basics of Exploit Development 3: Egg Hunters
Hello dear reader. If you have read the other articles in this series, welcome back! If not, I encourage you to read the previous installments before proceeding with this post. This post covers a surprisingly useful technique in exploit development called Egg Hunters. In order to demonstrate how E...
What to Expect When You are Expecting… Your CISO to Leave
"The CISO is leaving the company. What are the next steps?" No executive likes to hear that a key member of the business is leaving the organization. Turnover among key business leaders isn't unusual, but as a factual matter, CISO average tenure is relatively short - approximately 24 to 48 months...
Part two: Reverse engineering and patching with Ghidra
In the first installment of our three-part blog series we learned how to root the Flashforge Finder 3D printer and acquire its firmware. In this post, we will delve into reverse engineering and patching the software using the new open source NSA tool Ghidra, which rivals its expensive competitors...
Applied ThreadFix: Security teams collaborating with development teams
Modern enterprises are distributed. Most ThreadFix deployments have stakeholders spanning development and security teams and those team members are spread around the globe. To support these distributed organizations, ThreadFix has a number of collaboration features that make teams more efficient...
So your company has decided to do FedRAMP - What does that mean?
The exponential increase in cloud adoption in recent years has led to a dramatic increase in technology companies evolving from software and application companies to Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) providers. The 2011 release of the Cloud...
How to strengthen your cybersecurity program
The first step toward becoming physically fit is looking in the mirror, acknowledging your weaknesses, and making a commitment that you'll do whatever it takes to improve yourself. This is true for personal fitness, but can this approach also apply to the cybersecurity program at your growing...
Applied ThreadFix: Effective security team collaboration
Modern enterprises are distributed. Most ThreadFix deployments have stakeholders spanning development and security teams and those team members are spread around the globe. To support these distributed organizations, ThreadFix has a number of collaboration features that make teams more efficient...
Updated: COVID-19 incites crimes of opportunity
On April 21, 2020, Mike Weber, vice president of innovation, updated his blog covering some of the top scams cybercriminals are unleashing on businesses as well as identifying the newest targets for those crimes. In the current panicked state of the economy, understanding the attack vectors is th...