Category Archives: Application Security

Web Application Pen testing with OWASP ZAP (liking it)

Penetration testing is one of the methods used to validate a security posture of a network or application. While not all pentests can discover everything they are good at testing what you like and sometimes what you didn’t know existed. OWASP ZAP (Zed Attack Proxy) is just one ofthe Java based tools that you can fire up fast enough and get cracking. This review isn’t going to be technical in steps and methods, at least not too deep, but will reflect on the kind of functionality and purpose you are looking for in a tool.

OWASP ZAP can be used with its proxy settings enabled so you can view, review, edit or modify text as it goes towards the target. Great for testing local encryption, SQL injection, and XSS attempts etc click jacking. When setup in the proxy settings you can test how input is sent/received and accepted and the response the server gives. A great tool for troubleshooting and hardening applications as well and testing the performance of such applications. While using this I discovered that a good youtube video showed many attacks that are possible on most database or application web sites that people just pay no mind to. It is amazing the number of subtle security flaws that if leveraged in a certain attack can lead to more and more information leakage that a cracker can grab and escalate with.

Interesting videos
OWASP ZAP Tutorials

Security Testing for Developers Using OWASP ZAP

Too Silo’d to React, Now Respond.

Ever think what would happen if you ever got hacked? Maybe you are wondering if the IPS guys or the HIPS guys are really doing their jobs? In corporate America it is real easy to overlook a lot of precautions and security because you’re just too leveraged. Today’s threats are evolving as bad actors continue to find ways inside. They utilize social sites and technology, human frailty of being needed, and work their way through with some advanced IPS and IDS and Anit-X evasion techniques. So what are you to do?

Looking at the problem in your cube doing your work on your piece of the asset. Your mind tends to think “OK this is what I have to do and I move on to the next asset and service on that asset.” That is all you can touch. You’re ethical hacking group is looking too busy or not too busy to assist and maybe they can or cannot really find all the holes in your security posture. How about a resident hacker just for that client or span of control of clients that you have. Where one can check the security by reviewing the vulnerability report made with hacking tools. However, the key difference here is not to pay for a once a year penetration test but make it so that you test regularly. Red team vs. blue team and then provide results to management. Also, just testing monthly to make sure patches and firewall rules are in place would be great. I think this would be one of the best security practices a company could get into. RedSeal is a software solution that provides visibility into an organizations security by analysing configurations and building out the network diagram. It can then import vulnerability reports and host information to really give you the what if scenario that you have been thinking about in your cube. It will also give you your list of objectives to test and make sure you that the holes found are true and need to fix.

Security is not something you buy or do once in a while. It’s a practice built by defined policies and procedures that are completed over and over again. If you think you are failing to practice the right procedures every day or that your vigilance is intermittent, then I think you are a good candidate for some building security into everyday operations 101. Yes, a bit wordy there but think about it, its not rocket science the hurdle is time, the silo, and the recognized concept.

In conclusion, the best security is a resident security expert allowed to do their job by proving tools and processes. If you cannot get a resident hacker or spend time doing this allow me to make some suggestions. Get a requirement opened from HR to fill this role or hire a service from a firm that understands vulnerability assessments and penetration testing.  Allow them to practice regularly providing results to you and maybe you can stay out of the news. Security awareness and training also helps prevent attacks because users bring the risk in from their computers. The biggest tools to get in are Adobe Flash & Reader, Java, and spear phishing.

If you have any questions or comments or looking for advice on services and where to go, feel free to contact me

Sentrix – Defending Your Web Presence


What is Sentrix ? – Sentrix is a company that provides defense for your web presence on their hardware and not yours. This includes database backend protection from having a hardened front end. In addition they provide DoS, DDoS, and web application protection. I am sure I am missing a few others but you get the point. What really makes me think this company has a sound cloud based solution is that its context aware. This is akin to being application aware like with Palo Alto firewalls.

Sentrix reviews the site and based off the context it builds a replica of the site. Proof of conepts can be built in 24 hrs for testing with no impact to production servers. It’s really worth it to go for a test drive and watch how this works. That leads us to the next topic of how it works. When Sentrix scans and reviews your site it creates two categories in which the presentation and functionality resides. One bucket is called the presentation bucket and the other bucket is called the business transaction bucket. It also builds whitelist rules that allows some transactions to go back to the original server (your server) like username/passwords and authentication. Everything else stays right there on the replica.

When a site is built you have access to a dashboard where you can start working on your field validation for what characters and actions are allowed in each field. each replica automatically provides rules for you to start with becuse its context aware. Here going forward you can edit them as well as network settings. You can also use human validation settings like captcha to help ensure people are viewing and not scripts or bots.

DoS and DDoS protection is done by creating rules for a queue if connections increase rapidly. It will also spin up more gateways as needed to service the load of connections. Also, you can just deny connection rates over a certain rate to ensure that your site stays up. So yes web application, Application DoS, and other threats can be mitigated with Sentrix. I am very impressed with the technology. Now they just need some Superbowl commercials and I think everyone will get the message.