BSIDES Iowa Wrap Up

I think everyone who attended would agree that BSIDES Iowa was an absolute blast! A round of applause to the organizers Ken Johnson (@patories), Tom Pohl (@tompohl), and Ryan Stillions (@ryanstillions). They did an incredible job pulling everything together and putting on a great event. I can’t wait for next year! With so many great talks all […]

Why Should We Care about Certificate Pinning Part II

In part one of this blog, we discussed the basics of public key cryptography and addressed the degree of trust that is typically placed in Certificate Authorities (CAs). In order to have secure communications with the intended third party, we need to be able to authenticate the intended third party’s public key. Most of the […]

Quality Assurance: Come to the Dark Side

With SANS Orlando 2015 and BSIDES Iowa last week, I dropped the ball on posting this presentation. Without further delay… On April 8th, I had the opportunity to present some application security testing techniques to the Des Moines Area Quality Assurance Association. We discussed 3 commonly found issues from the OWASP Top 10 and how […]

PCI version 3.1 released

The Payment Card Industry Data Security Standard (PCI DSS) 3.1 was released on 4/16/2015 and is a clear reaction to some of the protocol issues that have inundated the news this year. Reacting to the POODLE and BEAST issues that affected the underlying protocols, PCI DSS 3.1 has removed all support for SSL and early versions of […]

Introducing The Secure SDLC

Oftentimes, during an application security assessment, I receive the following question: What is a secure software development lifecycle? Before we can answer this question, let’s quickly review the Software Development Lifecycle, also known as the SDLC. The goal of an SDLC is to provide a process for project teams to follow when developing software. […]

BSIDES Iowa: 2 Weeks Away

BSIDES Iowa is back in Des Moines April 18th – 19th, and we expect it to be an excellent opportunity to meet and learn from security experts around the Midwest. Aaron Cure and I will be presenting 2 different topics to the group: Saturday April 18th from 2:00 PM – 3:00 PM, we’ll be presenting a new […]

Introduction To SSLyze

In the last 12 months, there have been several high-profile vulnerabilities in the SSL and TLS protocols such as Heartbleed or POODLE (Padding Oracle On Downgraded Legacy Encryption) that have sent administrators scrambling. There are a number of tools that can help you identify and evaluate the security of your SSL configuration. One tool, SSLyze, […]

SANS Orlando 2015: Defending .NET Applications

Aaron Cure and I will be teaching DEV544: Secure Coding in .NET in Orlando, FL from April 13th – April 16th. We’ll be working with some talented development staff from the east coast throughout the week to raise application security awareness and explore the defenses available in the .NET framework. If you’re looking for a last […]