The nVisium Blog

Of Airbags and Modeling, Part 0

Published on July 18, 2017 by Stefan Edwards

I was in a car accident the last year, and was talking with our CEO Jack after the fact. He asked if the air bags had deployed, which I said they didn't (in fact, if they had, I probably wouldn't have been injured). Jack responded with:

That's the thing with air bags, you assume they work and they'll save your life until they don't.

Now, being the jerk that I am, I responded:

Basically like all security controls?

Read more...

Advantages and Disadvantages of Android N+ Network Security Configuration

Published on July 12, 2017 by Kevin Cody

As more and more applications and manufactures upgrade their Android APIs or device software versions, many security testers will face an interesting dilemma. The days of simply trusting a supplied Certificate Authority (CA) and forwarding all device traffic to an HTTPS proxy are gone. This is due to some major trust changes made in the plumbing of Android N and beyond.

Read more...

Three Reasons Why You Should Consider Attending the OWASP Summit 2018

Published on June 29, 2017 by Brian Glas

After I returned home from the OWASP Summit last week, I started with my typical valuation of my time. I asked myself whether or not this was a good use of a week, did I contribute, what did I learn, and most importantly, would I do it again? The answer to the first and last question was an emphatic "YES!". After further introspection (completing the feedback loop!), I realized there were three primary reasons I was planning to return for the next summit.

Read more...

Secure Mobile Development Training - On-Demand, Gamified, and Engaging

Published on June 26, 2017 by Jack Mannino

Since nVisium first launched its On-Demand Training Platform to educate software developers on secure coding in 2016, we have received some incredible and valuable feedback from our users. We’ve taken a great deal of that feedback and have incorporated it directly into the product to improve it. Software developers love learning with nVisium because they are immersed in an environment that is relevant to them, which is writing code, rather than watching boring computer-based training (CBT) videos. Our initial courses focused on web applications and frameworks including Spring, ASP.NET, and Django. The number one question over the past year has been “When will you release secure mobile development courses that we can use to educate our developers?”. The answer to that, my friends, is now.

Read more...

Securing GitHub Commits With GPG Signing

Published on June 21, 2017 by John Poulin

At nVisium we use Git, and more specifically, GitHub, quite frequently. A lot of our clients also manage their application source code via Git. As such, it is important to us that we protect both our source code as well as our client's source code.

One issue we have been talking a lot about recently is Git commit attribution. For instance, when a user pushes a commit up to a repository, part of that commit includes the user's email address. On Git-based SCM systems, such as GitHub or Bitbucket, these email addresses link the commit to a specific user account. From a security perspective, it is a bit concerning to utilize a known value (such as email address) as a form of attribution. Our CTO Ken Johnson has talked about this issue several times, but we'll be digging in a bit deeper.

Read more...

Musings on the OWASP Top 10 2017 RC1 Part 2: The Data

Published on April 24, 2017 by Brian Glas

As I wrapped up my first round of analysis on the Top 10, I realized that this data set is a relative rarity and I could probably glean some interesting insights from it.

In the call for data for the Top 10 2017 project, submitters were required to provide some structure as well as supporting metadata for their data contributions. There was some structure and a number of metadata questions that submitters needed to provide. This was to help structure or normalize the data so that it could be comparable. However, after looking at the data, I've come to the conclusion that more needs to be done up front. We'll touch on that point later, but first I want to share what I believe are interesting insights about the data.

Read more...