Nexpose
Changes to OVAL in Nexpose 6.0.6
Rapid7 has made it a priority to support security industry standards, including
the Open Vulnerability and Assessment Language (OVAL). Those of you who use
Nexpose to measure policy compliance, either by using the built-in CIS, DISA,
and USGCB policies, or by writing your own custom policies, are using OVAL for
these policies.
A decision by the National Institute of Standards and Technology (NIST) has made
it necessary for us to make changes in our OVAL implementation. These changes
affect po
Nexpose
Update Tuesday, November 2015
November sees a mix of remote code execution and elevation of privilege
vulnerabilities enabling an attacker to gain the same rights as the user when
the victim opens specially crafted content, such as a webpage, journal file or
document containing embedded fonts. These vulnerabilities affect Internet
Explorer (7 and onwards), Edge, and Windows (Vista and onwards). It is
advisable for users and administrators to patch the affected platforms.
Microsoft includes 12 security bulletins, a third of
Verizon DBIR
Getting Started with VERIS
We did a webcast with @hrbrmstr and @gdbassett from the Verizon team last week,
discussing how to get started with VERIS, the Vocabulary for Event Recording and
Incident Sharing.
If you joined us, thanks for coming out. We've attached an Excel spreadsheet
with a couple of examples to help you get started at VERIS level 2, a couple of
layouts to consider using... and we will be providing some updates. Special
thanks to Judy Nowak for her hard work on the spreadsheet -- be looking for a
blog post from her
Replacing Pedantry with Positive Interaction
The recent vBulletin hack is the most recent case of a compromise being labeled
as a "sophisticated attack." Predictably, the internet exploded with people
complaining about this label, stating that it was just SQL injection. The same
thing occurred with the news of the TalkTalk breach. Before that, the
Playstation Network breach comes to mind, although there have surely been many
in between. I will issue my mea culpa right now. I have publicly blasted
people for this in the past. But today I
CISOs
Security Budget Tips, from CISOs, for CISOs
CISO Series: Budgeting
I have provided a brief overview of the genesis of the CISO series, and now it is time to tackle our
first topic: security budgets. Whether you're the CISO of a large public company
or leading security at an early-stage startup, rich in headcount or forced to be
tight with the purse strings, reporting into the CIO, COO, or elsewhere in the
organization, the fact remains that budget conversations are among the most
critical and
IT Ops
Unleash the power of node.js for Shell Scripting (Part 2)
Ready for our first proper node.js Script!
In a previous post, we
learned about some tools that helped us create a script in node.js. It is now
time to put this into practice by implementing a script that connects to a few
online newspapers, searches in the news for specific keywords and returns those
articles.
Our new script will need to accept the following parameters:
* A file with the list of newspapers (one URL per li
Verizon DBIR
What is VERIS?
Data-driven security is all the rage, yet laughably few of us encode and analyze
our own programs, and for good reason: it isn't easy. This post will talk about
VERIS, a framework for describing security incidents in a precise way.
We all have a plan, a security program, compliance regulations, and super busy
calendars—but what is working? The answer is hidden in plain sight, it just
needs to be analyzed. And this is why we all love the DBIR.
If you aren't familiar with Verizon's DBIR (Data Breach
IT Ops
Java 8: A quick introduction to Parallelism and the Spliterator
Introduction
With the release of Java 8 a number of new language features were introduced.
These included lambda functions, streams and completable futures. Colleagues
of mine have already reviewed these features in previous articles on this blog,
which I recommend reading as part of this topic. In this article I will
touch on an aspect of the Java 8 release that relates to the push towards
exploiting parallelism, in the context of the existing Collections Framework –
specifically
Public Policy
New DMCA Exemption is a Positive Step for Security Researchers
Today the Library of Congress officially publishes its rule-making for the
latest round of exemption requests for the Digital Millennium Copyright Act
(DMCA). The advance notice of its findings revealed some good news for security
researchers, as the rule-making includes a new exemption to the DMCA for
security research:
“(i) Computer programs, where the circumvention is undertaken on a lawfully
acquired device or
Exploits
8 Reasons Why SQL Injection Vulnerabilities Still Exist
Knowing how to prevent a SQL injection vulnerability is only half the
web application security battle. A multitude of factors come into play when it
comes to writing secure code, many of which are out of the developers' direct
control. That's why common vulnerabilities like SQL injection continue to plague
today's applications, and why application security testing software is so
important. These problems can be overcome – with a little
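The prevention half of that battle is small enough to show in full. The following is an added example, not code from the original post or from Rapid7: a login check written twice against a constructed in-memory SQLite table, once by splicing user input into the SQL text (the classic injectable pattern) and once with bound parameters. The table name, column names, sample rows and the `alice' --` payload are all assumptions made for the demonstration; the plaintext password column exists only to keep the demo short and is not a recommendation.

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
# Passwords are stored in plaintext purely to keep the example short;
# real code stores a salted hash and compares against that.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # executemany with placeholders is already the safe pattern for seeding.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Deliberately vulnerable: user-controlled strings become SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened: the SQL text is fixed; values travel as bound parameters."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run the same injection payload through both versions and report."""
    conn = make_db()
    # A SQL line comment after the closing quote discards the password check
    # in the vulnerable query: ... WHERE name = 'alice' --' AND password = ...
    payload_name = "alice' --"
    return {
        # vulnerable version: authenticated with the wrong password
        "vulnerable_bypass": login_vulnerable(conn, payload_name, "wrong"),
        # safe version: the payload is just an unknown username
        "safe_bypass": login_safe(conn, payload_name, "wrong"),
        # safe version still works for a legitimate login
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_wrong_password": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point a code reviewer or a DAST/SAST tool is looking for is the string concatenation in `login_vulnerable`: any place a query is assembled from user input by `+`, f-strings or `%` formatting is the injection surface, regardless of what validation happened upstream. Parameter binding fixes it at the boundary where it matters, and the fix does not depend on every developer remembering to escape every input.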
AppSpider
Mobile application security: Lock the back door!
Mobile application security
A few years ago, Sean Gallagher wrote an article that we believe outlines one
of the most important areas of application security risk today: mobile
application security. In his article for Ars Technica, "Mobile Application
Security: Always Keep the Back Door Locked," Gallagher explains that it's
important to address mobile application security because many of the mobile
applications we use today access backend middleware and corporate data sources.
We have email app
5 Tips for Dealing with Unusual Traffic Detected Notifications
If you get an "unusual traffic detected" notification from Google, here are five ways to troubleshoot the issue.
IT Ops
Unleash the power of node.js for Shell Scripting (Part 1)
Setting Up
Running a Node Script
We are going to talk about creating shell scripts with node.js. The first thing
that you need to do is install node.js. You can get the installers from
https://nodejs.org/en/download/, or use your favorite package manager.
Let’s go straight in and write our first script.
The first thing to do is to create a file called script.js with the following
code:
console.log('hello world')
We can now execute this script by running the following command in our shell:
IT Ops
Logging from Tableau for Successful DataOps
Lately, we've been seeing a growing number of customers using Logentries in
support of DataOps, the practice of collecting, normalizing and redistributing
data throughout an organization so teams can make smarter business decisions.
With teams ranging from engineering to support to marketing and sales relying on
data for everyday decision making, a critical requirement of those in a
DataOps role is to actively monitor their organization's data platforms.
I recently had the pleasure of chatt
Metasploit Weekly Wrapup
Metasploit Weekly Wrapup for 2015-10-15
Welcome to this week's Metasploit Wrapup. I'm your host Brent Cook, tagging in
for egypt, who just finished speaking about Metasploit at the Texas DIR
Telecommunications Forum. This week was largely focused on bug fixes and
refinements.
In the fixes bucket, PowerShell sessions now properly upgrade with the 'sessions
-u' command. Fixing this also revealed some general proble