Yearly Archives: 2013

Post: How much time does application security remediation take?

This is almost entirely dependent on an organization’s staff availability and the severity and scope of the vulnerabilities identified. Depending on the organization, remediation efforts can take anywhere from one to two months to over a year. Denim Group typically recommends a phased, risk-based approach to remediation where serious vulnerabilities that are comparatively easy to […]

Post: Let’s Talk About Application Attack Surface

Have you ever wondered about your application’s attack surface? What URLs will respond to requests? And what HTTP methods will they respond to? And what parameters can be passed in? You probably think you know what is exposed but do you really? Why is this something you should even care about? I’d suggest a couple of reasons: […]

Post: Asymmetric-Key Algorithms vs Symmetric-Key Algorithms

Asymmetric-key algorithms and symmetric-key algorithms are basic forms of cryptography.

Symmetric-Key Algorithms

The symmetry of the algorithm comes from the fact that both parties involved share the same key for both encryption and decryption. It works like a physical door where everyone uses a copy of the same key to both lock and unlock […]
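The distinction the excerpt draws, shown in working Go as an added example (this is not code from the original post or from Denim Group). The excerpt names no concrete algorithms, so AES-256-GCM stands in for the symmetric case and RSA-OAEP for the asymmetric case; the message and keys are constructed for the demonstration. With the symmetric scheme one shared key both seals and opens the message, and a party without that key is rejected; with the asymmetric scheme the public half of a key pair encrypts and only the private half decrypts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymEncrypt seals plaintext with AES-256-GCM. Whoever holds key can both
// encrypt and decrypt; that shared secret is what makes the scheme symmetric.
// The random nonce is prepended so the receiver can recover it.
func SymEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymDecrypt opens a message produced by SymEncrypt. A different key, or a
// tampered ciphertext, fails GCM authentication and returns an error.
func SymDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// AsymEncrypt uses RSA-OAEP: anyone holding the public key can encrypt,
// but only the matching private key (AsymDecrypt) can read the result.
func AsymEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func AsymDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Demo runs both schemes on a constructed message and reports
// (symmetricRoundTrip, wrongKeyRejected, asymmetricRoundTrip, err).
func Demo() (bool, bool, bool, error) {
	msg := []byte("constructed sample message") // constructed input, not real data

	// Symmetric: one shared 256-bit key serves both directions.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return false, false, false, err
	}
	sealed, err := SymEncrypt(key, msg)
	if err != nil {
		return false, false, false, err
	}
	opened, err := SymDecrypt(key, sealed)
	symmetricOK := err == nil && bytes.Equal(opened, msg)

	// A party that was never handed the key cannot open the message.
	otherKey := make([]byte, 32)
	if _, err := rand.Read(otherKey); err != nil {
		return false, false, false, err
	}
	_, err = SymDecrypt(otherKey, sealed)
	wrongKeyRejected := err != nil

	// Asymmetric: a key pair; public half encrypts, private half decrypts.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	ct, err := AsymEncrypt(&priv.PublicKey, msg)
	if err != nil {
		return false, false, false, err
	}
	pt, err := AsymDecrypt(priv, ct)
	asymmetricOK := err == nil && bytes.Equal(pt, msg)

	return symmetricOK, wrongKeyRejected, asymmetricOK, nil
}

func main() {
	s, w, a, err := Demo()
	fmt.Println("symmetric:", s, "wrong key rejected:", w, "asymmetric:", a, "err:", err)
}
```

Note that the wrong-key case is rejected outright because GCM authenticates the ciphertext; with an unauthenticated mode such as CBC the wrong key would instead yield garbage plaintext, which is one reason to prefer an AEAD for the symmetric half.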

Post: What’s the difference between static and dynamic analysis?

Black Box Testing (or Dynamic Reviews)

Black box testing (or dynamic testing) begins with automated scans, which can be valuable for getting a quick read of the security state of an application against a catalog of technical vulnerabilities. These scans, however, are not complete, and they do not identify where in the code the problem […]

Post: What is a Penetration Test (or a “pen test”)?

Penetration testing simulates a malicious attack in order to perform in-depth business logic testing and determine the feasibility and impact of an attack. The testing is performed both internally and externally to the system. The term “pen test” is often used incorrectly when a customer wants any form of application security scan.

Post: The PHP Protocol, Filters and Local File Inclusion

Andrew wrote up some notes for our internal blog about an experience he had on a recent Capture the Flag (CTF) event. I thought they were interesting so we talked and decided to republish them here. <Andrew> I came across an interesting twist on exploiting a PHP local file inclusion vulnerability while participating in a CTF. […]