CGISecurity - Website and Application Security Newstag:typepad.com,2003:weblog-16948542025-06-01T00:10:15-07:00All things related to website, database, SDL, and application security since 2000.
CGISecurityAnnouncing SecTemplates.com release #6: Security Partner Program Pack v1tag:typepad.com,2003:post-6a00e553aa1a28883302e861027458200d2025-06-01T00:10:15-07:002025-06-01T00:12:45-07:00I have built several security partner programs at companies such as Box Inc. and Coinbase, with over 8 years of experience leading them. I have consistently observed the benefits of a partner-focused model versus a classical consultancy model within medium to large enterprises. I'm pleased to announce our 6th program pack, the...Robert A.Announcing SecTemplates.com release #5: Security Exception Program Pack 1.0tag:typepad.com,2003:post-6a00e553aa1a28883302c8d3bd483b200c2024-09-21T16:33:59-07:002024-09-21T16:33:59-07:00The goal of this release is to provide all the necessary resources to establish and set up a fully functioning security exceptions program at your company. - Robert Auger (@robertauger) In this pack, we cover: Security Exception Definitions: This document describes common terminology used in an exceptions process, outlines definitions for the...Robert A.Announcing SecTemplates.com release #4: Vulnerability Management Program Release Pack 1.0tag:typepad.com,2003:post-6a00e553aa1a28883302c8d3b7a920200c2024-08-05T10:36:35-07:002024-08-05T13:44:27-07:00I'm pleased to announce our fourth release, the Vulnerability Management Program Pack. The goal of this release is to provide everything you'd need to establish and setup a fully functioning vulnerability management program at your company. - Robert Auger (@robertauger) In this pack, we cover: Vulnerability Level Definitions: This document outlines vulnerability...Robert A.Announcing SecTemplates.com release #3: Bug bounty program pack 1.0 tag:typepad.com,2003:post-6a00e553aa1a28883302c8d3b8cedd200b2024-07-08T17:13:57-07:002024-07-08T17:53:36-07:00Introduction There are numerous considerations beyond selecting a provider, many of which are often overlooked in public documentation. The goal of the Bug Bounty Program pack is to help people quickly ramp up on the topic, providing them with the necessary information to begin their journey and ultimately launch a program. -...Robert A.Announcing SecTemplates.com release #2: External penetration testing program pack 1.0tag:typepad.com,2003:post-6a00e553aa1a28883302c8d3b7887c200b2024-06-24T13:23:03-07:002024-06-24T13:26:08-07:00In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction I have built out several penetration testing programs, both internally and externally at companies such as eBay, Paypal, and Box to name a few. Before you have the...Robert A.Announcing SecTemplates.com and the incident response program pack 1.0tag:typepad.com,2003:post-6a00e553aa1a28883302c8d3b36dc5200c2024-06-18T12:45:31-07:002024-06-18T12:47:00-07:00In addition to CGISecurity I work on other side projects from time to time. Below is an announcement about my latest project. Introduction I've worked in the security industry for over 20 years and, during this time, have built and shaped many security programs. At every company I join, I find myself...Robert A.20 years of CGISecurity: What appsec looked like in the year 2000tag:typepad.com,2003:post-6a00e553aa1a288833026be425fdae200d2020-11-22T02:03:41-08:002020-11-30T20:57:13-08:00Just realized that 20 years have passed since I started this site to learn more about web security threats. What 'appsec' looked like in 2000 OWASP didn't exist yet, nor did WASC Vulnerability disclosure was the wild west. Rain forest puppy (RFP) (that guy who discovered sqli) had just created the first...Robert A.My experience coleading purple teamtag:typepad.com,2003:post-6a00e553aa1a2888330223c84dbbec200c2018-05-29T11:22:43-07:002018-05-29T13:00:43-07:00I've been fortunate enough to manage a red team program for several years and since it's inception it has gone through many changes. What started out as adhoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly with...Robert A.oAuth nightmares talktag:typepad.com,2003:post-6a00e553aa1a28883301b7c8fd7cd7970b2017-05-30T10:40:06-07:002017-05-30T10:40:06-07:00Two of my co workers have presented at HackMiami on flaws people implement in their oauth implementations. The talk summary is below "OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementing...Robert A.Extensive IOS hacking guide released by Security Innovationtag:typepad.com,2003:post-6a00e553aa1a28883301b7c8fa085a970b2017-05-19T09:35:53-07:002017-05-19T09:35:53-07:00Security Innovation has published a very extensive guide to IOS hacking that's worth checking out. Here's the table of contents 1. Setting Up iOS Pentest Lab.................. 5 1.1 Get an iOS Device...................5 1.2 Jailbreaking an iOS Device.................. 7 1.3 Installing Required Software and Utilities .................. 10 2. Acquiring iOS Binaries.................. 13 3....Robert A.