Application Security - Security Boulevard
https://securityboulevard.com/category/blogs/application-security/
The Home of the Security Bloggers Network
Last updated: Fri, 30 Aug 2024 20:28:48 +0000

ASPM and Modern Application Security
https://securityboulevard.com/2024/08/aspm-and-modern-application-security/
Fri, 30 Aug 2024 20:28:48 +0000
https://www.mend.io/?p=11030

Gartner's 2024 Hype Cycle for Application Security: ASPM moves from peak to trough.

The post ASPM and Modern Application Security appeared first on Security Boulevard.

Veeam Widens Beam to MongoDB, Nutanix & Proxmox VE
https://securityboulevard.com/2024/08/veeam-widens-beam-to-mongodb-nutanix-proxmox-ve/
Fri, 30 Aug 2024 10:44:51 +0000
https://securityboulevard.com/?p=2029255

Veeam has shown evidence of its capabilities to provide backup, recovery and cybersecurity across an increasing number of heavyweight cloud platforms, databases and service layers including MongoDB and Nutanix.

China Cyberwar Coming? Versa’s Vice: Volt Typhoon’s Target
https://securityboulevard.com/2024/08/china-cyberwar-coming-versas-vice-volt-typhoons-target/
Wed, 28 Aug 2024 16:57:30 +0000
https://securityboulevard.com/?p=2029126

Xi whiz: Versa Networks criticized for swerving the blame.

Miggo Uncovers AWS Load Balancer Security Flaw
https://securityboulevard.com/2024/08/miggio-uncovers-aws-load-balancer-security-flaw/
Mon, 26 Aug 2024 11:08:57 +0000
https://securityboulevard.com/?p=2028829

Miggo has discovered a configuration-based vulnerability that enables cybercriminals to bypass the authentication and authorization services provided by the Application Load Balancer (ALB) from Amazon Web Services (AWS), which could affect more than 15,000 potentially vulnerable applications.

Escape vs Rapid7
https://securityboulevard.com/2024/08/escape-vs-rapid7/
Fri, 23 Aug 2024 09:23:02 +0000
http://securityboulevard.com/?guid=91eb473aea255cb92146bcd042496a36

Discover why Escape is a better API security solution.

The Risks of Running an End Of Life OS – And How To Manage It
https://securityboulevard.com/2024/08/the-risks-of-running-an-end-of-life-os-and-how-to-manage-it/
Fri, 23 Aug 2024 08:00:51 +0000
https://tuxcare.com/?p=1045

EOL operating systems no longer receive critical security updates, leaving them highly vulnerable to evolving cybersecurity threats. End-of-life OSs often struggle to run modern software and hardware, resulting in compatibility issues, reduced performance, and lower productivity. Organizations using EOL systems face increased legal and financial risks due to non-compliance with regulations and the high costs […]

The post The Risks of Running an End Of Life OS – And How To Manage It appeared first on TuxCare.

CNAPP and ASPM — Friends or Foes?
https://securityboulevard.com/2024/08/cnapp-and-aspm-friends-or-foes/
Thu, 22 Aug 2024 13:33:47 +0000
https://www.ox.security/?p=5762

The backstories of AppSec and cloud security

In an industry that moves so quickly and pivots so frequently, it’s easy to forget that the term and discipline of application security (AppSec) emerged in the late 1990s and early 2000s. Driven by what was considered rapid web application growth at the time, the Open Web Application […]

The post CNAPP and ASPM — Friends or Foes? appeared first on OX Security.

Palo Alto Networks Shines Light on Application Services Security Challenge
https://securityboulevard.com/2024/08/palo-alto-networks-shines-light-on-application-services-security-challenge/
Thu, 22 Aug 2024 05:12:07 +0000
https://securityboulevard.com/?p=2028508

An analysis published by Palo Alto Networks finds a typical large organization adds or updates over 300 services every month, with those new and updated services being responsible for approximately 32% of new high or critical cloud exposures.

WAF Cloud Authentication Issue Troubleshooting
https://securityboulevard.com/2024/08/waf-cloud-authentication-issue-troubleshooting/
Thu, 22 Aug 2024 01:46:39 +0000
https://nsfocusglobal.com/?p=30361

If the virtual product uses cloud authentication, it needs to communicate with the cloud authentication center periodically every day to complete the authentication and ensure availability. You can confirm the authorization mode under System Management -> System Tools -> License -> Authorized by. For example, in the image below, the device uses cloud authorization. If […]

The post WAF Cloud Authentication Issue Troubleshooting appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

Life at SpecterOps: The Red Team Dream
https://securityboulevard.com/2024/08/life-at-specterops-the-red-team-dream/
Wed, 21 Aug 2024 16:26:44 +0000
https://medium.com/p/0713b1c59ae1

TL;DR

We are hiring consultants at various levels. The job posting can be found under the Consultant opening here: https://specterops.io/careers/#careers

Introduction

Hey there! I’m Duane Michael, a Managing Consultant and red teamer at SpecterOps. Over the past four years, I’ve had a front-row seat to the company’s incredible journey. In that time, we’ve grown by almost 100 employees, built a product, created new teams and capabilities, trained thousands of students, and performed countless unique and challenging penetration tests and red team exercises.

I’m always chatting with applicants, friends, and fellow security geeks about SpecterOps and the unique blend of challenges and opportunities we offer. There’s a certain SpecterOps “sparkle” that’s hard to define but easy to recognize — a passion for pushing the boundaries of security, a collaborative spirit, and a commitment to growth. I find myself wishing I could bottle this essence and share it with a wider audience, hoping to attract more individuals who can contribute to and benefit from this special culture. This blog aims to illuminate some facets of the SpecterOps sparkle that red teamers will find particularly appealing.

The list is not comprehensive and there are many additional benefits and perks to working here that I won’t cover in this blog.

Focus on Personal Sustainability

Burnout is real in this industry. Most of our leadership, all the way to the top, including our CEO and COO, are former operators and understand the importance of sustainability. We know how easy it is to get sucked down the rabbit hole researching the latest technique or Windows bug (feature). We have a flexible time off policy and we will strongly encourage you to take at least four weeks off during the year.

We also recognize that “utilization” is not the consultant’s responsibility; it’s a function of the sales pipeline and scheduling. While we track time to ensure projects are scoped and effectively resourced, you won’t be stressed about meeting arbitrary utilization targets. Your job is to do your best work.

Consultancies are known for their high travel cadence. That was certainly true before 2020, but on-site assessment requirements have significantly decreased post-COVID. An unfortunate side effect of reduced client travel is reduced face-to-face interactions and collaboration. Do you like to travel occasionally to meet up with your team? We offer a “discretionary travel” benefit, where you can optionally fly out to one of our offices for one week per quarter to collaborate with your project team face-to-face. We also coordinate larger department events, where we run hackathons and play mini-golf. Regardless of your travel appetite, we have something for everyone.

Pro-tip: Instructing our training courses is a great way to travel, especially internationally. I’ve had the privilege to take four trips to Europe in two years to teach Adversary Tactics: Red Team Operations.

Professional Development

Our people are what makes us unique, so we invest in you! The most obvious way we invest in our people is through monetary budget benefits, such as our $5000/year professional development (PD) budget and our $5250/year higher education budget. Still, there’s so much more. Money is only half of the equation. PD requires time and a lot of it. We provide all Specters three weeks of PD time to spend in flexible ways, including (but not limited to) training courses, research, tool development, and blog or conference talk creation.

Most recently, I used some of my PD time to develop the Misconfiguration Manager project, blog, and SO-CON and Troopers conference talks. Other Specters commonly use this time for training or progress toward their professional goals.

Details

In addition to personal PD time, we offer various opportunities for consultants to get hands-on experience for one to six months in other areas of the company outside of consulting. We refer to these temporary assignments as “details.” Some teams you may be assigned or request a detail on include:

Internal and Community Products (ICP): The development team responsible for many of the open-source projects SpecterOps is known for, such as Mythic and Ghostwriter. A detail to this team entails development on one of the projects and serves as a great way to flex and build your development muscles.

Earlier this year, Jonathan Owens, one of our Consultants, spent two months detailed to the ICP team to work on the C# Mythic agent, Apollo.

Research and Development (R&D): Our R&D team focuses on large-scale, open-ended research problems and they’re always looking for more. If you have a research idea, you can submit a proposal and you may earn a detail to the team to research and flesh out your idea!

In 2023, Evan McBroom spent three months with the R&D team to research Windows authentication packages and develop the LSA Whisperer tool. Max Harley also spent three months with the R&D team to help build Nemesis.

Internal Product Discovery: Think R&D but specifically working on creating and proving new attack paths in BloodHound!

Our offensive Principal Consultant, Hope Walker, is working with the Product Discovery team to build additional Azure attack paths into BloodHound.

While not officially a “detail,” we also have ample opportunity to make short-form improvements for Consulting Services, which we call “service improvement.” These assignments may include updates to tradecraft, improvements to our offensive CI/CD pipeline, or new tool features.

Lastly, we offer an awesome program called “ICP Sponsorship” where you can submit a project, tool, or idea for sponsorship under the ICP department. This is official backing of your project by SpecterOps and warrants four weeks of development time and a budget for marketing material or development costs. You retain all intellectual property (see below).

Some recent highlights of our ICP Sponsorship program are Nemesis, HardHatC2, SCCMHunter, Maestro, Misconfiguration Manager, and SharpSCCM.

Operations

At SpecterOps, we like challenges and every assessment is different. Our clients are extremely mature and you may find yourself attacking or evading new technology that you’ve never encountered before. That’s OK because we don’t hire for specific skill sets; we hire for aptitude, ability to adapt, and passionate curiosity. We welcome and encourage failure, as that helps us grow. We require humility in the form of requesting help when you need it. We have a culture of supporting one another where everyone is a resource to everyone else. This approach puts the collective knowledge of SpecterOps behind every operation.

Our project managers handle much of the administrative heavy lifting so you can focus on the technical work. Our projects typically span two weeks or more, giving you time to dive deep. And when it’s time to document your findings, we’ll give you an entire week dedicated solely to reporting. Our awesome Technical Editor will ensure your report has that “SpecterOps Sparkle” so you’re not bogged down by style guide rules.

Our infrastructure deployment automation and offensive CI/CD pipeline streamline operations so you can focus on operating, not setup and deployment. Our Technical Services team serves as our “special operations,” providing support on engagements when you get stuck or need advice. You’ll always have a teammate to collaborate with, as we have a two-person integrity requirement for all operations.

Career Progression

At SpecterOps, your technical skills should continue to grow, regardless of your role. Unlike traditional paths that often lead consultants away from hands-on work, we foster a culture where technical expertise is valued at every level. Whether you’re drawn to management, consulting, tool development, or deep technical specialization, your passion for hacking will always have a home here. Our Managers have experience operating in the trenches and understand the importance of career progression. They serve as advocates for Consultants, attempting to align the individual with the projects or focus areas they’re interested in.

Our Associate Consultant position is focused on learning and growth. The manager’s responsibility is to help you develop and evolve into a Consultant and Senior Consultant.

Our Consultant position focuses on being a strong individual contributor. A Consultant can be assigned to any project while developing into a project lead for some service lines.

The Senior Consultant position is meant to be terminal, meaning you don’t have to progress beyond that level if you don’t want to while still earning annual merit salary increases. However, if you do want to progress beyond Senior Consultant, we have three paths available: Principal Consultant, Service Architect, and Managing Consultant.

  • Principal Consultants continue consulting while managing client partnerships and performing scoping. They are the people we rely on to solve nebulous consulting-related problems.
  • Service Architects are the special operators I mentioned above. In addition to providing technical support on operations, they architect new services and improve existing ones.
  • Managing Consultants are the first level of leadership. They manage other consultants of all levels while still performing operations and client projects.

Build Your Brand

Ok, you’re sold, but let me drive the point home…

Remember how I said we invest in you? Much of our marketing material and value comes from our open-source tools, blog posts, research, etc., but we want you to build your own personal brand. SpecterOps will pay the travel costs associated with conference presentations. Want to submit to a CFP in Switzerland? We got you.

We want our Specters to do these things, but we want them to remain yours. SpecterOps has a highly unique open intellectual property (IP) policy. If you perform research or develop an open-source tool, it remains yours. You will publish tools on your personal code repository and blogs on your personal blog of choice.

Take the Next Step

In closing, SpecterOps truly takes a unique approach to employee growth and development. We focus on balance, support, and interesting work.

We are hiring consultants at various levels and would love to hear from you. The job posting (including salary bands) can be found under the Consultant openings here: https://specterops.io/careers/#careers

As a follow-up to this blog, I will publish another short blog about our interview process, what we look for, and the keys to success!

Please feel free to reach out to me on X or LinkedIn if you have any questions about SpecterOps or the role, or directly to careers@specterops.io.

Life at SpecterOps: The Red Team Dream was originally published in Posts By SpecterOps Team Members on Medium.
