The nVisium Blog

Fun with CAPTCHA - Pt I

Published on February 23, 2017 by Jonn Callahan

After spending the last half decade reviewing web applications, I've come across multiple homebrewed CAPTCHA implementations. None of them have stood up to any kind of rigorous testing, and vulnerabilities tended to start appearing with only a moderate amount of poking. Because of this, I decided to go after a widespread solution to see how the best implementations stood up to analysis.

Read more...

AppSec Basics: Your First Pentest

Published on February 9, 2017 by David Coursey

So, another year has come and gone, and you still have that feeling. That little voice inside that says, "I wonder how good our cybersecurity is..." Is that super critical application just sitting out there on the internet, scared and alone? Maybe now is finally the time to look into it, but where to start?

Read more...

Introducing SpyDir

Published on January 18, 2017 by Ryan Reid

In this post, I'll discuss a Burp Suite extension I've recently developed and published to my GitHub. The extension provides a mechanism to enumerate endpoints within a web application via a local source code repository, and it does so in an extensible manner.

Read more...

nVisium, Now an Amazon Consulting Partner

Published on December 20, 2016 by Ken Johnson

Our customers have always played a part in shaping our service offerings. Over the past several years, we have seen increasing demand from our customers for assistance in securing Amazon Web Services (AWS) environments. So at their request, we performed reviews of their controls, the configuration of their services, and so on. Essentially, we conducted AWS security assessments. We were able to do this work because we could "eat our own dog food," so to speak: we already ran on AWS ourselves, so it made sense to build a secure framework for our own use of the platform and to complete various AWS trainings along the way.

Read more...

re:Invent Recap

Published on December 8, 2016 by AWS Consulting Team

Last week our AWS consulting team attended AWS re:Invent. We thought we would recap some of the things we found exciting about the event.

Before we get into specifics, let us first summarize what really impressed us about the security tracks at re:Invent: security teams used DevOps and cloud-centric technologies to benefit both themselves and their organizations, and they did so in some really cool ways.

Read more...

Don't Touch Me That Way

Published on June 22, 2016 by David Lindner

Apple first released its iPhone in 2007, and over the past nine years we have seen both the hardware and software evolve into what we now know as the iPhone 6s (and 6s Plus and SE) series of devices. These iPhones tout faster processing speeds, tons of data storage, and the ability to determine your blood alcohol level or your baby's due date.

In 2013, with the release of the iPhone 5s, Apple introduced the capability to "authenticate" to the device via "Touch ID," its fancy term for a fingerprint reader. With that release, Apple withheld access to Touch ID functionality from any app that was not Apple's own. This all changed with the release of iOS 8 and the iPhone 6: now third-party developers could use Touch ID to make authenticating to their applications much more convenient.

Read more...