7 min
DevOps
Honing Your Application Security Chops on DevSecOps
Integrating Application Security with Rapid Delivery
Any development shop worth its salt has been honing their chops on DevOps tools
and technologies lately, either sharpening an already practiced skill set or
brushing up on new tips, tricks, and best practices. In this blog, we'll examine
how the rise of DevOps and DevSecOps
have helped to speed
application development while simultaneously enabling teams to embed application
security earlier into
1 min
Metasploit
Announcement: End-of-Life Metasploit 32-Bit Versions
UPDATE: With the release of version 4.15 on July 19, 2017, commercial Metasploit
32-bit platforms (Metasploit Pro, Metasploit Express, and Metasploit Community)
no longer receive future product or content updates. These platforms are now
obsolete and are no longer supported.
Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both
Windows and Linux operating systems on July 5th, 2017. This announcement
applies to all editions: Metasploit Pro, Metasploit Express and Metasploi
9 min
IT Ops
Self-describing Logging Using Log4J
UPDATE POSTED 12.12.21: If you are using Log4j, please be aware that on December
10, 2021, Apache released
version 2.15.0 of their Log4j framework, which included a fix for CVE-2021-44228
, a critical (CVSSv3
10) remote code execution (RCE) vulnerability affecting Apache Log4j 2.14.1 and
earlier versions. This is a critical vulnerability, and we strongly urge you t
9 min
Automation and Orchestration
The Best Strategies for a Successful Security Operations Center Explained by 4 Security Experts
The threats we all hear about today aren’t new. They also aren’t going away, but
they are evolving. Hackers have existed for many years, and so too have our
defenders. What has and is changing is the tactics used to defend against
increasingly complex threats. And it’s on our security operations centers (SOCs)
to batten down
the hatches and sound the alarms, but are they enabled and prepared to do so?
While we have many ideas on
4 min
IT Ops
How Audit Logs Help Confirm and Correct Security Policy
There are many possible definitions for the term “security policy,” but all of
them share certain elements in common. A security policy should lay out what
assets, both physical and digital, an organization wishes to protect. It should
explain what it means to be secure and to behave securely. In short, a security
policy identifies what assets are to be protected, what kinds of risks such
protection is meant to defeat or mitigate, and how security can be established,
measured, and monitored. A
6 min
IT Ops
Signal AND Noise The Best of All Worlds for Logging
One of the absolute, classic pieces of advice that you’ll hear when it comes to
logging is what I think of as the iconic Goldilocks logging advice. It goes
something like this.
When it comes to logging, you don’t want to miss anything important because
logging helps you understand your application’s behavior. But youalsodon’t want
to log too much. If you log too much, the log becomes useless. You want to log
just the right amount.
Sage advice, to be sure. Right?
Or, maybe, when you sto
6 min
Project Sonar
Digging for Clam[AV]s with Project Sonar
A little over a week ago some keen-eyed folks discovered a
feature/configuration
weakness in the popular ClamAV
malware scanner that makes it possible to issue administrative commands such as
SCAN or SHUTDOWN remotely—and without authentication—if the daemon happens to be
running on an accessible TCP port. Shortly thereafter, Robert Graham unholstered
his masscan tool and did a s
ummary blog post
5 min
Automation and Orchestration
AWS Series: Creating a Privoxy, Tor Instance
Synopsis:
If you want to increase your privacy or perform security research with Tor
, Privoxy , etc. a virtual
server is an excellent choice. I’m using Amazon EC2 which provides a years worth
of a VM with limited resources for free. A few benefits are listed below
1. Low cost
2. Access from just about anywhere
3. Low resource allocation
4. Easy to spin up
Creating the Cloud Instance:
After logging into your Amazon cloud account select
6 min
Automation and Orchestration
AWS Series: OpenSWAN L2TP over IPSEC VPN Configuration
Synopsis:
We will look at how to configure an L2TP over IPSEC VPN using OpenSWAN
and how to connect to it using Mac OSX. This guide
is written for running the VPN software on a CentOS 7 x86_64 EC2 instance
(ami-6d1c2007) provided by Amazon Web Services. The VPN will be configured to
use local authentication and a pre-shared key. This is a great way to allow
access into your AWS VPC.
Procedure:
The procedure is broken into 3 parts:
* AWS – Create an EC2 instance
*
5 min
Automation and Orchestration
Bro Series: Creating a Bro Cluster
Synopsis:
This short article will demonstrate how to setup a minimal Bro cluster
for testing. Because of its
minimal nature, this article will exclude discussion of load balancing traffic
across multiple bro workers (processes), security conscious permissions, and
other bro related tuning and features such as sending e-mail. Its purpose is to
get a Bro cluster up and running as quickly as possible so you can begin
familiarizing yourself with cluste
4 min
Penetration Testing
Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues
In a fight between pirates and ninjas, who would win? I know what you are
thinking. “What in the world does this have to do with security?” Read on to
find out but first, make a choice: Pirates or Ninjas?
Before making that choice, we must know what the strengths and weaknesses are
for each:
Pirates
Strengths
Weaknesses
StrongLoudBrute-Force AttackDrunk (Some say this could be a strength too)Great
at PlunderingCan be CarelessLong-Range CombatNinjas
Strengths
Weaknesses
FastNo ArmorStealthySmal
5 min
Vulnerability Disclosure
R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
This disclosure will address a class of vulnerabilities in a Swagger Code
Generator in which injectable
parameters in a Swagger JSON or YAML file facilitate remote code execution. This
vulnerability applies to NodeJS , PHP, Ruby
, and Java and
probably other languages as well. Other code generation tools
may also be vulnerable to paramete
2 min
Nexpose
Vulnerability Regression Monitoring With Nexpose
Recently I've been diving into some advanced
and targeted
analysis features. Today I'd
like to keep things simple while still addressing a significant use case -
Vulnerability Regression. Often times the immediate response to high visibility
vulnerabilities does not involve setting up future monitoring, leaving the door
open for the same vulnerabilities to show back up time and again.
4 min
IT Ops
Migrating a web app to Angular
At some point many applications get to a state in which a large refactoring or
in some cases a complete rewrite needs to happen. The decision to do so can be
driven by many factors. For example, the code base is growing rapidly and the
current architecture cannot support the growth, components are becoming too
tightly coupled and need to be split, new and better technology becomes
available which offers significant improvements or due to other factors the
current code base is just not maintain
4 min
InsightIDR
Seven Ways InsightIDR Helps Maintain PCI Compliance
If your company processes credit card transactions, you must be compliant with
the Payment Card Industry Data Security Standard, or PCI DSS
.
Any entity that stores, processes, or transmits cardholder data must abide by
these requirements, which provide best practices for securing your cardholder
data environment (CDE) .
Rapid7 InsightVM, InsightAppSec, and Metasploi