This is Joe Basirico's Typepad Profile.
Joe Basirico
Recent Activity
I've written before about how important responsible disclosure is for Security Researchers, and that responsibility for an effective process for notification and remediation falls on both the security researcher and the vendor itself. When researchers find a vulnerability, they should work with the vendor to disclose it properly and to... Continue reading
Posted Jun 17, 2014 at Application & Cyber Security Blog
There are almost always multiple sides to any debate in software security. For that reason I find myself saying "It depends" far more than I may expect. I came across a couple days ago and the question of whether this would help or hurt security popped into my mind.... Continue reading
Posted Dec 10, 2013 at Application & Cyber Security Blog
The recent wave of DDoS attacks on banking web sites, and the Spamhaus DDoS attack (which was three to five times greater than the biggest attacks against U.S. banks), is reinforcing that, while the attacks aren’t particularly sophisticated, they do warrant our attention. If targeted, the attacks can be extremely... Continue reading
Posted Apr 9, 2013 at Application & Cyber Security Blog
In the wake of the latest Yahoo password breach, I scratched my head and thought to myself “are we REALLY still talking about this, especially at big companies like Yahoo”? According to data published from (download the .csv file), SQL injection was the means used to extract 83 percent... Continue reading
Posted Aug 28, 2012 at Application & Cyber Security Blog
Not so Fast and Not the Point. In a recent interview, Eugene Kaspersky (founder, Kaspersky Labs) said that Apple is 10 years behind Microsoft in terms of security. I use Apple products, but I am first and foremost a security professional. While I agree that Apple lags Microsoft, I don’t... Continue reading
Posted Jun 21, 2012 at Application & Cyber Security Blog
By now, you've probably heard that LinkedIn's passwords have been allegedly compromised. I first heard about this from a Norwegian website earlier today. Here is what we know now: LinkedIn has not confirmed the leak and currently doesn't understand how the hack could have happened, but there is a 271... Continue reading
Posted Jun 7, 2012 at Application & Cyber Security Blog
Great Idea - but they’ll need a lot more than TWO! Boeing’s systems need to be capable of staving off hackers, and for more than two years the company has employed two cyber security specialists (“hackers”) to test the security of its computer systems. I like it, but there’s... Continue reading
Posted May 3, 2012 at Application & Cyber Security Blog
We've made it to the last part of my four-part series on what makes a great security tester or hacker. Even though this fourth piece is what I consider to be the most important and exciting quality of a hacker, I do recommend you go back and read the... Continue reading
Posted Apr 17, 2012 at Application & Cyber Security Blog
Thanks! Glad you found it useful!
You are correct that some of this information will be discovered during reconnaissance, and certainly we will be using all of this information to create a mental model that will give us a clearer picture of how the system is built and designed. However, there are always certain things that we aren't able to discover through reconnaissance. For example, we may know that a list of integers is sorted, but we may not know the algorithm used. Depending on the algorithm used, there may be disk, memory or processor denial of service opportunities. A good example of this kind of implementation attack is the HashDoS issue released at CCC a few months ago. This attacked an implementation detail in how the hash table was created; different hashing algorithms would respond differently and would be exploited differently. For more information see their slides, which are a good read (warning: PDF): I don't mean to imply that an imagination will help you discover DoS issues only, but those are two easy examples. We can discover how validators work (bypassing validators may allow for code injection vulnerabilities, improper error handling, and more) and more. I hope this helps; if you have any other questions, feel free to post another followup comment.
In my previous posts I talked about an overview of what makes a great security tester, and in-depth about what it means to have complete knowledge of the system. If you haven’t read those yet, I suggest you do so now, that’ll help set the stage for the following post.... Continue reading
Posted Apr 10, 2012 at Application & Cyber Security Blog
In the previous post I described an overview of the three traits I look for in great security testers: Complete Knowledge of the System, A Good Imagination, and An Evil Streak. In this post I describe, in detail, what I mean by the first trait, "Complete Knowledge of the System."... Continue reading
Posted Mar 27, 2012 at Application & Cyber Security Blog
As a Security Tester, or hacker, I have one of the most exciting and creative jobs in the industry. We are asked to find as many critical security vulnerabilities in complex software systems with limited resources - before the application is released or shipped. We have the challenge of knowing... Continue reading
Posted Mar 15, 2012 at Application & Cyber Security Blog
I wrote earlier about Security Innovation’s policy on Responsible Disclosure over Open or Full Disclosure. It wasn’t my intention in that piece to discuss how responsible disclosure happens or what companies can do to help make responsible disclosure the easy choice for hackers and security researchers. As a vendor it... Continue reading
Posted Oct 10, 2011 at Application & Cyber Security Blog
As a security researcher, I regularly come across software applications that are susceptible to a few basic types of attacks – and I struggle to understand how these can continue to slip through each phase of development and into production. There are a handful of vulnerabilities that fit into this group, cross-site scripting (XSS) being one of them – and we find them in just about every application we test. Continue reading
Posted Sep 16, 2011 at Application & Cyber Security Blog