My Security 101 - 2018 update

In a post from 2015,, I write about some of the “Security 101” issues I considered to be fundamental. Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links) I would like to add the following new items to my “Security 101”:...

August 2, 2018 · 2 min · Chris

DevTube

I found this DevTube on HackerNews the other day and I want to save it for later.

July 10, 2018 · 1 min · Chris

Lisp on MacOS

Towards a working LISP environment on macOS

July 6, 2018 · 5 min · Chris

MacOS open source apps

I found this MacOS Open Source apps list on HackerNews the other day and I want to save it for later.

July 3, 2018 · 1 min · Chris

Static Analysis with Burp Suite

I’m so far behind the times, it’s sad. Burp Suite gained the ability to perform static analysis on JavaScript libraries back in 2014. Some sites and authors have already blogged about what their approach is for implementing this.I’d like to echo Lukas’s method, but with an easier setup. Simply navigate to the local directory containing the app and serve it using Python’s built-in HTTP server. python2 syntax: python -m SimpleHTTPServer <port> python3 syntax: python3 -m http....

April 10, 2018 · 1 min · Chris

Cross-Account file access on AWS S3

The Problem Secure file sharing using AWS S3: I upload a file to an S3 bucket with restricted permissions The client downloads the file and processes it The client uploads the results to the S3 bucket I download the processed file and the transaction is complete I thought setting the permissions on the bucket would be enough. I was wrong. The Setup I use a federated login to AWS and assume a role under a corporate account....

March 30, 2018 · 3 min · Chris

Hands on with Brave Browser

Brave, the new Firefox? I’ve been using the Brave browser as my full-time web browser for two weeks now, primarily version 0.21.18. It’s easy to tell the software is not yet at version 1.0, and although I’m not ready for this to replace Vivaldi, I really want it to. Brave is fast. Really fast. It has built-in adblocking and anti-fingerprinting technology. Previously, I’ve relied on uBlock Origin and Privacy Badger for adblocking and anti-fingerprinting....

March 6, 2018 · 4 min · Chris

A Lesson for Bug Bounty Researchers

I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers. However, I’ve also had a few unsatisfactory interactions with researchers. This post is directed at Bug Bounty researchers that do not have much experience in corporate environments. I think a list of do’s and don’ts is appropriate for this breakdown....

October 20, 2017 · 4 min · Chris

iOS and Android Native Code Protections

iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren’t tampered with. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM....

June 19, 2017 · 27 min · Chris

Self Evaluation

Recently, work hosted an event designed to bring my team closer together. Using the Surepeople PRISM, we spent the morning discussing our dominant psychological traits and how we can use them to better interact as a team. I thought the exercise was brilliant, and it led me to seek out other tools to broaden my self awareness. The first such tool I uncovered was the Johari Window. Johari Window My ultimate self awareness goal is to shrink the “Blind Spot” window as much as possible....

June 15, 2017 · 2 min · Chris

Metaworking

Trello fascinated me upon its release in 2011. I’ve written before about my time management (lack of) skills, and Trello appeared to be my solution - it offered a sleek view of all of my outstanding tasks. Try as I might, I could not make Trello work for me. Over and over again, I would fail to use it. I just could not make myself stick with it. There was a captivating quality about Trello, however, because it was constantly mentioned in tweets, blogs, and articles....

May 15, 2017 · 2 min · Chris

Password Manager Advice

A developer at work asked a general question to the group: “I’m thinking about using either LastPass or 1Password, anything I should know?” As the team’s newest “Security Guy”, I answered with this brief response: LastPass is easier to get started with as someone who’s never used a password manager before. Their product is seamlessly >integrated into browsers and mobile devices, although it’s not the prettiest. LastPass stores your encrypted password vault on their servers....

April 17, 2017 · 3 min · Chris

Developing an Application Security Program

Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program. This post will serve as my thoughts on setting up an AppSec Program. Measuring current performance The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives used by 95 companies of varying size across six verticals....

March 21, 2017 · 2 min · Chris

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since this article was published, Portswigger began bundling the JRE with Burpsuite itself....

January 11, 2017 · 2 min · Chris

Birthday - Asteroids

Recently, I celebrated a birthday. Typically, this is a joyous time, and I have many things to be grateful for. However, this birthday comes during a difficult year. As my wife and I were discussing this the other day, I realized that life can be a lot like the Atari game ‘Asteroids’. Atari Asteroids You, as the ship, must be able to re-orient and overcome challenges (blast asteroids) frequently and rapidly....

October 5, 2016 · 2 min · Chris

Static Sites in 2016 - Updated

In a previous post I discussed the complicated process of configuring S3 to use Letsencrypt to obtain a TLS certificate. That post served as a reference for me to re-implement Letsencrypt every 90 days. Since then, my 90-day Letsencrypt certificate expired, and I was at a loss for how to re-instate it. Using my own post as a reference didn’t help me with the arcane letsencrypt errors I was encountering....

October 3, 2016 · 3 min · Chris

The Management Feedback Cycle

I planned a post covering the Manager Feedback Cycle, but this blog post at Effective Managers covers most of what I was going to communicate. One thing I would add to this resource, is that both managers and subordinates should strike a balance in communications frequency: If communications are infrequent, important details can get overlooked, and it becomes harder to resolve conflicts. If communications are too frequent, the subordinate will feel like they’re being micro-managed while the manager will feel like the subordinate can’t solve problems on their own....

April 15, 2016 · 1 min · Chris

Apple VS FBI

Apple gets a lot of flak in the InfoSec community, even though it’s an open secret that much of the InfoSec community has begun to use Apple products. I myself have been using a Mac laptop for the past ten years because they produced the first laptop I thought was worth spending money on. A lot of money. I’m a fan of Apple for more than just their products, however. I admire their stance on social issues that I care about....

March 28, 2016 · 4 min · Chris

Static Sites in 2016

It’s early 2016, and there are a multitude of content management systems and blog platforms out there: Wikipedia’s List of Content Management Systems The security blog I contribute to, Penetrate.IO runs on the venerable Wordpress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting....

March 25, 2016 · 7 min · Chris

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps: First, configure your upstream proxy that will sit between Burpsuite and the web application to listen on a different port since they both bind TCP 8080 by default....

November 5, 2015 · 1 min · Chris