My (IN)SECURE Magazine Article

Hi everybody,

The September edition of (IN)SECURE Magazine has been published and contains my article on Secure Web Application Development.

You can download the magazine here.

As always feedback is more than welcome!

My Burp Suite tutorial is still work in progress, I have had a few requests to include more content than I originally planned so hold tight everyone!

Dave

Burp Suite Tutorial

Just a quick note to say the tutorial for Burp Suite is in progress.

I have been in contact with Portswigger who is the developer behind the Burp Suite so the tutorial will have his input as well as mine.

Dave

SCADA system vulnerability and exploit code

For those of you who don't know what a SCADA system is think core backbone systems for a country or countries. Power grids, water systems and defense systems to name just a few. A brief overview can be found here.

Often these systems have operated on very old (Win 3.x and OS2) systems which people are to scared to update. The defense has always been "oh we don't connect this core systems to the internet so we are fine". That isn't always the case anymore, more and more SCADA systems are getting internet access whether it is authorised or not. A penetration tester friend of mine recently told me how he was auditing a SCADA infrastructure that had 5 connections to the internet that had never been authorised. Normally I wouldn't have paid much attention but these are systems which control almost everything we use and rely upon delay, cyber warfare anyone?

So why should I write this post now? Well a recent vulnerability discovered by Core Technologies has had exploit code written for it. This exploit code has been made available as a module for Metasploit for anyone to download. I do not encourage any kind of unlawful hacking but surely someone will take advantage of this and take something very important down?

I won't reproduce someone else's work so here is the paper written by the exploit writer Kevin Finisterre.

As always if you have any questions or comments then fire away.

Dave

A few updates....

A bit apology for the amount time that has elapsed since my last post. Moving house took up more of my time than I had planned!!

I'm moved and settled so back to business as usual from today on.

Whilst I have been away I have agreed to become a columnist with bloginfosec and my first article should be posted in the next couple of weeks. I recommend anyone who reads this blog to also take a look at the content over at bloginfosec.

Secondly my article I have written for (in)secure magazine which discusses secure web application development and integrating security into a dvelopment lifecycle will be published this month. You can subscribe to the magazine for free at net-security.

Last but not least on the updates. OWASP have announced that an EU Summit will be held in Portugal this November and will be discussing many important issues! More information can be found here. I will be going along to the summit so if any readers on going along then drop me a line and we can hook up.

I thought I would let you all know what content I plan to add to the blog in the coming weeks. Some of it is based on my own interests and some of it is based on the search queries that people are using to land of my little corner of the web!

Burp Suite Tutorial

Grendel Scan Tutorial

Metasploit Tutorial

Samurai Live CD Review

Backtrack 3 Review

SQL Ninja Tutorial

Those will be the more technical posts that are coming up in the short term. I will be posting my usual comments on the news and security vulnerabilities.

Dave