http://twitter.com/miscsecurity
Security Researcher
Areas of Expertise:
- security
- hacker
- infosec
- blogging
- blogger
- consulting
- speaking
- training
Blog
Brett's blog posts are hosted at:
http://misc-security.com
Failure to Restrict URL Access
November 19 2009
This is the last part in a ten-part series describing the OWASP Top 10. (See the entire OWASP Top 10) What is the problem with Failing to Restrict URL Access? A common problem in web applications, failing to restrict URL access typically happens when a page doesn’t have the correct access control policy in…
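An added illustration of the failure this post describes (not code from the original page or from the author): a minimal Python dispatcher with hypothetical routes, handlers and roles. The vulnerable version relies on /admin/users simply not being linked from the UI; the hardened one enforces a per-route policy centrally before any handler runs, fails closed for a route that has no policy entry, and normalises the path first so a trailing slash or a `..` segment cannot dodge the lookup.

```python
"""Failure to Restrict URL Access: a page with no access control policy,
beside a dispatcher that enforces one. Added example; the route table,
handlers, roles and request object are hypothetical."""
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

Response = Tuple[int, str]


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[str] = None             # None means unauthenticated
    roles: FrozenSet[str] = frozenset()


# Hypothetical page handlers. None of them checks who is calling: that is
# exactly the situation in the post, and it is only safe if the dispatcher
# enforces access before they run.
def home(req: Request) -> Response:
    return 200, "welcome"


def account(req: Request) -> Response:
    return 200, "account page for %s" % req.user


def admin_users(req: Request) -> Response:
    return 200, "user list with password-reset links"


def reports(req: Request) -> Response:
    return 200, "quarterly reports"


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/": home,
    "/account": account,
    "/admin/users": admin_users,
    "/reports": reports,
}

# Roles required per route; an empty set means public. /reports is
# deliberately missing to show how the hardened dispatcher treats it.
POLICY: Dict[str, Set[str]] = {
    "/": set(),
    "/account": {"user"},
    "/admin/users": {"admin"},
}


def normalize(path: str) -> str:
    """Collapse '//', '/./', '/../' and a trailing slash so that
    '/admin//users/' and '/admin/../admin/users' hit the same policy key.
    Assumes percent-decoding already happened in the server layer."""
    return posixpath.normpath("/" + path.lstrip("/"))


def dispatch_vulnerable(req: Request) -> Response:
    """Access control by obscurity: the admin URL is just not linked, so
    anyone who guesses or is told it gets the page."""
    handler = ROUTES.get(normalize(req.path))
    if handler is None:
        return 404, "not found"
    return handler(req)


def dispatch_hardened(req: Request) -> Response:
    """Enforce the policy in one place, before any handler runs."""
    path = normalize(req.path)
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    required = POLICY.get(path)
    if required is None:
        # A route with no policy entry is a configuration bug: fail closed.
        return 403, "forbidden: no access policy for this route"
    if required and req.user is None:
        return 401, "authentication required"
    if not required <= req.roles:
        return 403, "forbidden"
    return handler(req)


if __name__ == "__main__":
    bob = Request("/admin/users", "bob", frozenset({"user"}))
    print("vulnerable:", dispatch_vulnerable(bob))   # page served to a plain user
    print("hardened:  ", dispatch_hardened(bob))     # 403
```

The deny-by-default branch is the part worth copying: a new page added to `ROUTES` without a `POLICY` entry is refused for everyone until someone states who may see it, instead of silently becoming public.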
November 13 2009
While attending OWASP AppSec DC this week, I was able to see the preliminary release of the OWASP Top 10 for 2010. This is the first release candidate, and the 2010 Top 10 is now available for public comment. We will soon see what the security community thinks of it,…

Confidentiality, Integrity, and Availability
November 04 2009
Being security aware and security conscious often boils down to understanding three key concepts that are common to risk management. These security concepts have been around since the inception of information security. Although these are high-level generalizations, they are important for everyone to know about. This article is focused on understanding how…

October 28 2009
In the book Hacking: The Next Generation, I cover a topic referred to as DNS cache snooping. Cache snooping is not a new attack and has been around for quite a while [PDF]. However, I couldn’t find a good piece of code that would interrogate DNS servers, so I created…
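The post refers to the author's own snooping code, which is not on this page. What follows is an added example (not the author's code) of the technique itself: build an A query with the Recursion Desired bit clear, send it to a resolver, and read the answer section. A resolver that honours RD=0 answers only from what it already holds, so a populated answer for a name it is not authoritative for means someone behind that resolver looked the name up recently. The sample responses are constructed inline so the encoding and parsing run offline; the resolver address passed to `snoop` is whatever server you are testing, and the query/response layout follows RFC 1035.

```python
"""DNS cache snooping with a hand-built RD=0 query. Added example; the
sample responses are constructed here for offline use."""
import socket
import struct
from typing import Dict, List, Tuple

A_RECORD = 1
IN_CLASS = 1


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Encode a single-question A query. RD stays clear unless asked for."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", A_RECORD, IN_CLASS)


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end = -1
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end < 0:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end >= 0 else offset)


def parse_response(msg: bytes) -> Dict:
    """Pull the header flags and the answer section out of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                              # skip echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {
        "id": txid,
        "rcode": flags & 0xF,
        "aa": bool(flags & 0x0400),                  # authoritative answer
        "ra": bool(flags & 0x0080),                  # recursion available
        "answers": answers,
    }


def cache_status(resp: Dict) -> str:
    """Interpret an RD=0 reply. An authoritative answer says nothing about
    the cache; an answer from a non-authoritative resolver does."""
    if resp["rcode"] != 0:
        return "error rcode %d" % resp["rcode"]
    if not resp["answers"]:
        return "not cached"
    return "authoritative" if resp["aa"] else "cached"


def snoop(server: str, name: str, timeout: float = 2.0) -> Dict:
    """Send the RD=0 query over UDP and parse the reply. Needs network
    access, so the offline checks never call it."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp


def build_sample_response(query: bytes, answers=(), aa: bool = False, rcode: int = 0) -> bytes:
    """Constructed reply for offline testing: echoes the question and adds one
    A record per (ttl, ip) pair, naming it with a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8080 | (0x0400 if aa else 0) | (rcode & 0xF)   # QR=1, RA=1, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = query[12:]
    for ttl, ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + socket.inet_aton(ip)
    return header + body
```

Two practical caveats. The TTL in a cached answer counts down from the authoritative value, so comparing it against the zone's TTL tells you roughly when the name was last fetched. And many resolvers today refuse or ignore non-recursive queries from outside their client networks, so treat "not cached" as inconclusive rather than as proof.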
October 21 2009
I recently did a presentation on the OWASP Top 10 for SecurityStreams. Nitesh Dhanjani of SecurityStreams was nice enough to allow me to embed the videos of the presentations on this site. If you are new to the OWASP Top 10, I highly suggest watching this presentation; it is about…

October 12 2009
This is the ninth part in a ten-part series describing the OWASP Top 10. (See all the OWASP Top 10) What are Insecure Communications? Insecure communications is when a client and server communicate over a non-secure (non-encrypted) channel. By doing this, the developer is ensuring that their communication channel can be viewed by…

September 24 2009
If you are a developer, I guarantee that you have written insecure code. Universities train people to write code, but very little time is taken to help them focus on writing secure code. As with anything, being able to identify security vulnerabilities and write code securely takes practice. But how does…

Insecure Cryptographic Storage
September 16 2009
This is the eighth part in a ten-part series describing the OWASP Top 10. (See all the OWASP Top 10) What is Insecure Cryptographic Storage? Insecure cryptographic storage occurs when an application doesn’t securely encrypt its sensitive data when it is stored in a database. This definition is similar to the picture above,…

September 10 2009
My first book, Hacking: The Next Generation, is now available in electronic format. The physical version should be available on Amazon and in book stores in the next few days. I want to thank Mike Loukides of O’Reilly, and my co-authors Billy Rios and Nitesh Dhanjani. A special thanks to Nitesh…

September 02 2009
When testing web applications, penetration testers should look at how the session is handled. Session management is commonly overlooked by developers and system administrators. It is so often overlooked that it is one of the OWASP Top 10, referred to as “Broken Authentication and Session Management.” This article will cover certain…

Broken Authentication and Session Management
August 26 2009
This is the seventh part in a ten-part series describing the OWASP Top 10. (See all the OWASP Top 10) What is Broken Authentication and Session Management? When developers are programming web-application-based solutions, they rarely focus on how the user’s session is managed. Failing to keep this in mind can lead…
