-
Establishing an effective internal security pen testing methodology
In this month’s cover story, senior VP of research and CTO at IANS, David Shackleford, clarifies best practices for security pen testing as well as offers practical steps for building an internal testing program, how to measure success, what kinds of... E-Zine
-
PDF download: Information Security magazine November 2012
In this issue, find out who won this year’s Security 7 Award. Also, we examine the pros and cons of the Metasploit penetration testing framework. Feature
-
Metasploit Review: Ten Years Later, Are We Any More Secure?
Some say the pen testing framework is a critical tool for improving enterprise security, while others say it helps attackers. Feature
-
Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
The Art of Software Security Testing
Read an excerpt from the book, The Art of Software Security Testing: Identifying Software Security Flaws. In Chapter 11, "Local Fault Injection," the authors explain the proper methods for examining file formats. chapter excerpt
-
Quiz: What's your infosec IQ?
Test your information security IQ with this short quiz. Security Quiz
-
PING with Jennifer Granick
PING with Jennifer Granick from the October 2005 issue of Information Security magazine. Information Security magazine
-
Top tools for testing your online security
Learn a structured approach for Web security that can make your security management tasks easier and increase your chances of success. Security School
-
Top tools for testing your online security, part 2
Michael Cobb explains what tools are helpful in maintaining Web security, including security scanners, benchmarking tools, monitoring services and online resources. Security School
-
The Controversy of Hacking Books and Classes
Read this excerpt and download Chapter 1, Ethics of Ethical Hacking from Shon Harris' Gray Hat Hacking. Book Chapter
-
Test center: CORE IMPACT 3.1 automated pen testing tool
Numerous mistakes tarnish the benefits of CORE Security's CORE IMPACT 3.1 automated pen testing tool. Feature
-
RSA 2013: Experts struggle to define offensive security, hacking back
Is offensive security or 'hacking back' a viable cyberdefense tactic? RSA Conference 2013 experts struggled to define the terms, never mind the role they play. News | 05 Mar 2013
-
Security B-Sides presenter questions value of penetration testing
At Security B-Sides San Francisco, Brett Hardin asked why organizations hire penetration testers and assessed the value of penetration testing. News | 26 Feb 2013
-
Software development maturity driving down ZDI flaw submissions
Secure software development training is having an impact on vulnerability submissions, according to Brian Gorenc of HP TippingPoint DVLabs. News | 04 Dec 2012
-
Enterprises can obtain value from red teaming exercises, expert says
Red teaming assesses the security of an organization and can be a more effective way to assess the organization's security posture. News | 14 Nov 2012
-
Age-old vulnerabilities, attack techniques consistently trip enterprises
Windows security has improved, but longstanding Unix and network vulnerabilities remain an easy target for determined attackers. News | 02 Oct 2012
-
Pen testers should broaden scope, focus more on people, expert says
Pen testers often focus on system errors and application flaws, but employees are often an enterprise's greatest weakness, explains Chris Nickerson. News | 01 Oct 2012
-
Internet scan finds thousands of device flaws, system weaknesses
Unpatched databases, misconfigured routers and more than 1,000 passwords were exposed in an Internet probe over 20 days by Metasploit creator HD Moore. News | 29 Sep 2012
-
Oracle won’t patch four-year-old zero-day in TNS listener
Despite the accidental release of attack code for a bug in Oracle’s database, the company won’t change the code for fear of “regression.” News | 01 May 2012
-
Google Vulnerability Reward Program increases, Microsoft unfazed
Google increased the reward for a code execution bug to $20,000. Microsoft remains against a bug bounty. News | 24 Apr 2012
-
Hunting for application logic flaws requires people, expert says
Rafal Los, a software security expert and consultant with Hewlett Packard, says humans far outgun automated tools in the hunt for costly application logic flaws. News | 10 Apr 2012
- See more News on Security Testing and Ethical Hacking
-
Social engineering penetration testing: Four effective techniques
Social engineering penetration testing is now a must for enterprises. Learn about the four methods your pen tests should use. Tip
-
NMAP NSE tutorial: Network asset and vulnerability identification
In this screencast, expert Mike McLaughlin offers an NMAP NSE tutorial for enterprise network asset and vulnerability identification. Tip
-
How to use OWASP Broken Web Apps to prevent vulnerabilities
OWASP Broken Web Apps allows pen testers to attack applications that are intentionally insecure to hone their skills at securing their own apps. Tip
-
An inside look into OWASP’s Mantra tool
OWASP’s Mantra tool is being praised by security pros for its abundance of options and ease of use. In this screencast, Mike McLaughlin takes a look at what Mantra has to offer. Tip
-
WebScarab tutorial: Demonstration of WebScarab proxy functionalities
In this WebScarab tutorial video, get step-by-step advice on how to install and use this free tool, including the WebScarab proxy features, among others. Tip
-
Netcat tutorial: How to use the free Netcat command-line tool
Helpful for penetration testers and network admins who need to debug infected systems, the netcat command-line tool boasts many free features for enterprise use. Tip
-
XSSer demo: How to use open source penetration testing tools
In this video demo, learn how to use XSSer, an open source penetration testing tool for detecting various Web application flaws and exploiting cross-site scripting (XSS) vulnerabilities in applications. Tip
-
How to use NeXpose: Free enterprise vulnerability management tools
Learn how to use NeXpose Community Edition, a free collection of vulnerability management tools that offers pre-defined scan templates, and the ability to scan networks, OSes, desktops and databases. Tip
-
Netsparker: Free Web app security testing tool
Testing Web applications is critical for maintaining a secure enterprise network. Learn how to use the community version of Netsparker for free Web app security testing capabilities. Tip
-
Detect rootkit alternate data streams (ADS) with StreamArmor
In this month's screencast, Peter Giannoulis of TheAcademyPro.com explains how to use StreamArmor, a new tool that can detect alternate data streams that may be hiding rootkit data. Tip
- See more Tips on Security Testing and Ethical Hacking
-
Web application security testing: Is a pen test or code review better?
For Web application security testing, if cash is tight, should a penetration test top an application code review? Michael Cobb explains his choice. Answer
-
How to use RAT security flaws to turn the table on attackers
Nick Lewis discusses how to learn from RAT security flaws not only for defense, but also to find out more about attackers via offensive security. Answer
-
How to build C-level support for the benefits of penetration testing
Matt Pascucci offers advice on how to justify the value and present the benefits of penetration testing to corporate executives. Answer
-
How penetration testing helps ensure a secure data store
A third-party penetration test is the best way to determine whether an online data store can be compromised. Answer
-
Securing applications with a network pen test
Network penetration testing can help protect applications by uncovering weaknesses that provide an alternate route to sensitive data. Answer
-
Software testing methodologies: Dynamic versus static application security testing
Learn about two software security testing methodologies – dynamic and static testing – in this expert response by Michael Cobb. Answer
-
Can threat modeling tools help with securing mobile applications?
When developing enterprise applications, do you know the quickest way to bridge the gap between an information security team and a development group? Answer
-
Using virtual test labs for virtual software testing
Did you know that virtualization can reduce your investment in hardware, space and general overhead? Virtual test labs can do just that. Expert Michael Cobb explains virtual software testing and how it can benefit your enterprise. Answer
-
Seeking an ethical hacking career: How to learn ethical hacking
In this expert response, Nick Lewis explains what an ethical hacker is and what skills such a hacker needs to be successful and compliant with the law. Ask the Expert
-
Static source code analysis tools: Pros and cons
Static source code analysis tools can greatly improve application security, but it takes knowledge and expertise to use them correctly. Expert Michael Cobb explains why. Ask the Expert
- See more Expert Advice on Security Testing and Ethical Hacking
-
MIEL e-Security
MIEL e-Security is a Mumbai-based organization that provides information security services and solutions to organizations worldwide. Definition
-
white hat
White hat describes a hacker (or, if you prefer, cracker) who identifies a security weakness in a computer system or network but, instead of taking malicious advantage of it, exposes the weakness in a way that will allow the system's owners to fix th... Definition
-
war dialer
A war dialer is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Definition
-
ethical hacker
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. Definition
-
gray hat (or grey hat)
Gray hat describes a cracker (or, if you prefer, hacker) who exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the owners. Definition
-
Cyber Storm
Cyber Storm is the name of a simulated attack exercise conducted by the U.S. Department of Homeland Security (DHS) February 6-10, 2006 to evaluate whether or not the country could withstand a real attack of similar magnitude... Definition
-
honeynet
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. Definition
-
honey pot (honeypot)
A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Definition
-
ethical worm
An ethical worm is a program that automates network-based distribution of security patches for known vulnerabilities. Definition
-
Zed Attack Proxy tutorial: Uncover Web app vulnerabilities using ZAP
Video: Keith Barker of CBT Nuggets offers an OWASP Zed Attack Proxy tutorial. Learn how to find and nullify Web application vulnerabilities using ZAP. Screencast
-
Use the Android static analysis tool Dexter to safely deploy apps
Video: Keith Barker of CBT Nuggets demos Dexter, the Android static analysis tool that examines and securely deploys Android applications. Screencast
-
Brad Arkin on Adobe's vulnerability disclosure policy, Group-IB claims
Video: Adobe software security chief Brad Arkin details the software giant's policy on vulnerability disclosure and Group-IB's Reader sandbox claims. Video
-
Zenmap tutorial: Mapping networks using Zenmap profiles
Video: In this Zenmap tutorial screencast, Keith Barker of CBT Nuggets explains how to efficiently map networks graphically using Zenmap profiles. Video
-
Dave Shackleford on improving internal pen testing methodology
Video: Learn how to improve your pen testing methodology in the areas of reconnaissance, scanning, enumeration, penetration and reporting. Video
-
Screencast: Employ the FOCA tool as a metadata extractor
Mike McLaughlin demos the FOCA tool as a metadata extractor to expose the 'hidden' data users often post on their own websites. Video
-
Katie Moussouris of Microsoft on vulnerability disclosure, ISO standard
Katie Moussouris discusses coordinated vulnerability disclosure, the Microsoft Blue Hat Prize and developing an ISO vulnerability disclosure standard. Video
-
Jose Granado on the benefits of penetration testing, ‘human hacking’
Ernst & Young’s Jose Granado discusses the benefits of penetration testing and the importance of including “human hacking” as well. Video
-
Dan Guido on teaching penetration testing courses; intrusion analysis
The iSec Partners consultant talks about his penetration testing courses at NYU, his research on intrusion analysis and rethinking intrusion defense. Video
-
Adobe: Bug reporting and the sandbox
Brad Arkin talks about Adobe's policy on "bug bounties" and why it's decided to play in a "sandbox." Video
- See more Multimedia on Security Testing and Ethical Hacking
About Security Testing and Ethical Hacking
In this security testing and ethical hacking guide, you will get info on how to assess the security of your network with penetration testing and ethical hacking tools and software, ethical hacker training and certifications.