The Security Maturity Checklist

A year ago I founded a conference, and this weekend was the fourth iteration of it, adaconf3 (the first was adaconf0).

I am really happy about the awesome lineup, and I also did a lightning talk, beta testing a small part of an upcoming talk called Why Penetration Testing Sucks – Finding a more efficient road to Security Maturity.


Penetration Testing without Risk Analysis

A few years back, I am in a room full of practicing penetration testers, listening in as they talk about the problems they perceive in their working environment. I get a bit confused and ask an inconspicuous question:

“How much of your work is risk analysis?”

Ten pairs of eyes looking back at me, with the same look of confusion that I assume I display.

“What do you mean? We don’t do risk analysis.”


Penetration Testing is a Bad Word

As a female penetration tester, I have had a fair deal of jokes thrown at me.

People outside the IT industry get shocked and confused.

People inside the industry try to quench their nervous laughs.

It’s gone to the point where I have formulated a number of scripted comebacks to common reactions. Most people are polite enough not to verbally say what they think, and get very relieved when I myself crack a stupid joke about the word.


I failed my OSCP exam, and I am so proud of myself!

Two days ago I did my first attempt at the OSCP exam. I have not passed – YET.

The exam is a 24-hour exam where I was expected to gain a reverse shell on three or four out of six machines that I had never had contact with before. It was a lot of fun mapping them, finding their weak spots and figuring out which one of the numerous weaknesses could be exploited. However, I wasn’t able to exploit any of them end to end.

How does security testing differ from testing?

You guessed it from the title, but security testing is really just another type of testing. Secure development is not rocket science, but a mindset that belongs within the scope of any development work.

Security is essentially to know your product, both how it’s designed to work (happy path) and how it can be broken (exception paths). If you build a skyscraper, you do not only build it for sunny weather but also for hurricanes. If you’re building software that you sell, the customer expects the software to enable their business, not to block it.

Security is to find bugs and be able to perform good triage on them.

Security is also to have a prestige-free, non-blaming working environment where found bugs actually can be fixed.


Change your password when you change partners (Byt lösenord när du byter partner)

This article, in Swedish, has previously been published on my LinkedIn page.

In September, Internetstiftelsen i Sverige (the Swedish Internet Foundation) published a report on the password habits of Swedes. I don’t know whether I want to recommend reading it or not. Do you, like me, find passwords and information security interesting? Then it is an easy-to-read and useful overview for the interested. Do you find passwords a frustrating scourge? Skip this.


The User Experience of a Watermelon — What secure design is all about

This article was previously published on my Medium blog.

Reading the UX of a Banana — What UX design is all about, I realized that user security has the user experience of a watermelon.

Mmm… watermelons! Tasty, but yet so hard to get.

I have a strong preference for watermelons, but due to their UX, the typical fruit I eat is a banana. (OT: botanically speaking, the watermelon is a berry, but so is the banana.)


Exploiting my own WordPress part 4 – Attack surface

TL;DR:
I rerun ZAP and the wpscan online password attack against a presumably less defended target, and realize that sometimes just talking to people is the best troubleshooting methodology.

Before leaving ZAP and trying out new tools, I do a scan of this blog, emalstm.tech.

My hypothesis is that ZAP will find more flags on this WordPress. The only protective measures I’ve implemented on this site are a secure SSH connection, disallowing root login and putting up a firewall including fail2ban.

Exploiting my own WordPress part 3 – ZAP and Securityheaders.io

TL;DR:
ZAP finds almost 1000 potential vulns in my site. I patch them with a plugin – or so I thought – and get MORE vulnerabilities – or do I?

ZAP is a Flagship Project from OWASP. I adore OWASP for its work on the Top 10 lists for Web and Mobile Vulnerabilities, and their Cheat Sheets for defense. I know it is in every pen tester’s arsenal, so let’s go look at it!


Exploiting my own WordPress part 2 – online password attack

TL;DR:

When attempting an online password attack, I find that wpscan gives me false positive and false negative results. Also, I find that my defenses work, but not as I expect them to.

This is part 2 of my attempt to hack myself. After successfully DoSing my own site using a vulnerability I found with wpscan, I decide to try out wpscan’s password guessing feature. I do not expect this to be successful. An online password guessing attack will be prohibitively expensive, because I’m using a computer-generated, long password that I store in my password vault. Also, I only allow three login attempts, and my login page is not called /wp-admin or /wp-login.php.


Usability versus security, or: Why I decided to become a cyborg

This article was previously published on my LinkedIn page.

Some months ago, I attended an after-work event where one could choose to get implanted with an NFC chip, the kind of chip that you carry on your gym card or your credit card. I went there thinking that I would never, ever do such a foolish thing. I left the place with an urge to get the implant.

What had changed?
