• Vulnerability management: not just for scanning known vulnerabilities

    Posted April 8, 2011 - 3:16 pm

    Proactively searching and fixing the unknown zero-day vulnerabilities saves time and money for everyone. And it is easy! Proactive testing is the most effective form of vulnerability management, because the earlier vulnerabilities are discovered, the easier and cheaper it is to fix them. Do not wait for the hackers to find the vulnerabilities!
  • Microsoft, Googler tussle over bug timeline

    Posted January 5, 2011 - 2:52 pm

    Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.
  • Security Testing: It Is About Coverage

    Posted February 1, 2010 - 7:19 pm

    It is easy to do pentetration testing. My two year daughter can do it (well at least she broke through a screen-lock). But doing it well is the challenge. That is what coverage is about. Security test coverage, like any test coverage, is measuring how much of all the possible sensible options you cover with your testing. Let's dig into this topic a bit more, and perhaps next time someone comes offering you pentesting services, you will have a few new questions to ask the auditors.
  • Fuzzing and Product Security

    Posted March 18, 2009 - 4:40 am

    Finally, some real data on the usage of fuzzing is emerging. Who is using fuzzing? How do people see fuzzing being used in the product security process? Forrester has included questions regarding use of fuzzing in to their questionnaire that they send to key industry CIOs, CSOs and CISOs. Security companies such as Cigital are publishing their findings. I have talked with these organizations and will be discussing my findings in this blog and the upcoming webinar.
  • Fuzzing Is Still Widely Unknown

    Posted January 19, 2009 - 10:18 am

    Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing. But most (even security specialists) still seem to misunderstand what fuzzing really is about. Enter the world of fuzzing!
  • VoIP Still Not Ready For Carrier-Grade Networks

    Posted October 2, 2008 - 1:22 pm

    After a quick tour of some Really Talented Groups dedicated to fuzzing research, I noticed three things: 1) Most teams are focused on fuzzing VoIP 2) Most if not all VoIP devices still break with fuzzing 3) Most VoIP vendors still do not get it. The tour continues...
  • (Is There) Motivation for VoIP Fuzzing

    Posted September 4, 2008 - 3:06 am

    What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.
  • VoIP security auditing is becoming more and more complex ... Not!

    Posted August 15, 2008 - 7:14 am

    I am curious how people can conduct penetration tests of a complex VoIP system when they barely understand how VoIP infrastructure works. Today, security people are still stuck to auditing practices from 1990s. When asked to do a penetration test, a consultant often is only looking at past issues that can be detected using various vulnerability scanners. Very few of them know that vulnerability scanners have extremely bad coverage of vulnerabilities in VoIP solutions. And even if the tools did know VoIP, who really cares about past issues that might have been relevant several years ago.
Join us:






Join today!

See more content
Ask a Question