penetration testing

Application security beyond the scanner monkey November 13

Matt Fisher of Piscis Security gave a discussion about security beyond the "scanner monkey" phase. Scanner monkeys being people who run a scanner tool, get the output, and think they are done with a vulnerability assessment. There are more and more scanners - commercial, proprietary, and open source - and yet they are no longer good enough.

The scanners only start the process, they don't end it.
The person running the scanner is likely not talented enough to configure it properly.

Using Watcher to make pen testing more efficient November 12

The Watcher session was basically a sales pitch and demo for the Watcher tool, though it's a free tool so "sales pitch" is not exactly right. Watcher is an open source tool that sites inside of Fiddler which is a web proxy useful for debugging web applications.

The application is a windows only tool.

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Get your copy now.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Service

If you are concerned about whether your site is secure, consider using the Security Review Module to get an initial sense. If you're looking for something much more in depth than a module or a book, Growing Venture Solutions offers a Security Review Service for Drupal Sites.

Recent Blog Posts

Anything you can do XSS can do better

Posted by Ben Jeavons

6 comments
Mitigation against CVE-2010-1584 Drupal Context Module XSS

Posted by greggles

4 comments
Zerodayscan and Drupal: finding bugs for fame

Posted by greggles

0 comments