How to build a good security testing strategy

Ten years ago, you could kind of get away with not paying much attention to security. This worked if you were not in certain sectors or didn’t have a certain...Read more...

client reading securify report

Blogs

  • Hoe DORA de digitale weerbaarheid gaat verhogen

    De Digital Operations Resilience Act (DORA), die op 17 januari 2025 in werking treedt, heeft als doel de financiële wereld weerbaarder te maken tegen eventuele cyberaanvallen. Dit gebeurt op basis van vijf pijlers, waarvan één, ‘Digital Operational Resilience Testing’, voor veel bedrijven nog veel voeten in aarde zal...Read more...

  • Security assessing gRPC & gRPC-web services

    gRPC is getting increasingly popular and as a result, it is encountered more often during security assessments. In this blog post, I explain the different approaches to security test gRPC services depending on the type of assessment. At the end, I will show how to extend the blackboxprotobuf Burp extension to support...Read more...

  • Session poisoning Zen Cart for a free discount

    Web applications often keep state corresponding to the current user. The user gets a cookie with an opaque token, the session token. The browser includes this cookie in each request. The web application uses this token to retrieve the corresponding data from the database, which can be used by the web application.
    In...
    Read more...

  • BOFRyptor: Encrypting Your Beacon During BOF Execution to Avoid Memory Scanners

    While the sleep mask kit is doing a great job at encrypting the beacon at rest, the beacon resides unencrypted in memory during the execution of BOFs. This leads to detection if a memory scan is performed during the execution of the BOF. To overcome this, we encrypt the beacon memory and configuration block at the...Read more...

  • Pentesting and third-party developers

    What if your external developer won’t let you share the code of an application with us for a pentest, even though the application was made specifically for you? This is problematic because it forces you to accept a less effective test of your application: one in which we cannot look at the code while we carry out the...Read more...

Questions or feedback?