Burp and Postman

Better API Penetration Testing with Postman – Part 2

In Part 1 of this series, I walked through an introduction to Postman, a popular tool for API developers that makes it easier to test API calls. We created a collection, and added a request to it. We also talked about how Postman handles cookies – which is essentially the same way a browser does. …

Security Misconfigurations

The configuration of web and application servers is a critical aspect of web application security. Oftentimes, failure to manage configurations properly leads to a wide variety of security vulnerabilities within servers and environments. When these configurations are not properly addressed, or are simply ignored, the overall security posture suffers. Sometimes the biggest problem that …

Better API Penetration Testing with Postman – Part 1

This is the first of a multi-part series on testing with Postman. I originally planned for it to be one post, but it ended up being so much content that it would likely be overwhelming if not divided into multiple parts. So here’s the plan: In this post, I’ll give you an introduction to setting …

Android App Testing on Chromebooks

Part of testing Android mobile applications is proxying traffic, just like other web applications. However, since Android Nougat (back in 2016), user or admin-added CAs are no longer trusted for secure connections. Unless the application was written to trust these CAs, we have no way of viewing the HTTPS traffic being passed between the client …

OWASP’s Most Wanted

So you ask who is this OWASP and why do I care? Well, let’s hear it directly from them: “Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to …

How to Test Your Security Controls for Small/Medium Businesses

We often get contacted by small businesses requesting their first penetration test because of compliance reasons, or because of “industry best practices,” or just to get an idea of how bad things really are. In many of those cases, their environment isn’t nearly mature enough to make a pentest worthwhile. Sometimes they’re insistent and we …

HIMSS 2019 – Champions of Security Unite

Organizations of all sizes and industries face increasing challenges in safeguarding vast amounts of sensitive data, and health care is no different. The loss of Protected Health Information (PHI) incurs not only heavy fines and brand damage but also potentially lasting harm to affected patients. According to the Ponemon Institute: The average total cost of a …

Three C-Words of Web App Security: Part 3 – Clickjacking

This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. The first part, which was on CORS (Cross-Origin Resource …
