The nVisium Blog

Musings on the OWASP Top 10 2017 RC1 Part 2: The Data

Published on April 24, 2017 by Brian Glas

As I wrapped up my first round of analysis on the Top 10, I realized that this data set is a relative rarity and I could probably glean some interesting insights from it.

In the call for data for the Top 10 2017 project, submitters were required to provide some structure as well as supporting metadata for their data contributions. There was some structure and a number of metadata questions that submitters needed to provide, to help structure or normalize the data so that it would be comparable. However, after looking at the data, I've come to the conclusion that more needs to be done up front. We'll touch on that point later, but first I want to share what I believe are interesting insights about the data.

Musings on the OWASP Top 10 2017 RC1

Published on April 18, 2017 by Brian Glas

The recent announcement of the OWASP Top 10 2017 RC1 has many people asking questions about what exactly this is the Top 10 of, how it got here, and whether the data really supports the proposed Top 10. I was curious to see what I could figure out, so I thought I would take a look at the data that was publicly released.

Disclaimer: I do not have insight into how each data set was collected, so I will just have to take it all at face value.

Handling Missed Vulnerabilities

Published on April 5, 2017 by Tim Tomes

Robin "digininja" Wood wrote this interesting article about the impact of missing vulnerabilities during security assessments. He makes a lot of good points, and the reality is, it's something we all deal with. Robin talks about how missing a vulnerability can be the end of one's career, or at least a large step backward. While this is true, his article only addresses the impact at a micro level. I'd like to expand on that.

CodeBuild, Brakeman, and CodePipeline

Published on March 15, 2017 by Ken Johnson

I'm tired of running a Jenkins server; there, I said it. It costs us money, I have to keep it patched, and patching equates to lost energy: lost energy and lost time, which means lost forward momentum on the things we should be focused on. This is where CodeBuild came into play. We were already using CodePipeline and wanted to use CodeBuild because it integrates with CodePipeline. CodeBuild is a replacement for Jenkins; it is a managed service from AWS, and it costs very little.
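As an added illustration of the setup the post describes (this is not nVisium's own configuration), the following buildspec.yml is what a CodeBuild project would need in order to run Brakeman against a Rails repository handed to it by CodePipeline. It assumes the build image already has Ruby and RubyGems available; the report file name is an arbitrary choice. The security-relevant detail is the exit status: with `--exit-on-warn`, Brakeman returns non-zero when it finds warnings, CodeBuild marks the build FAILED, and CodePipeline stops the stage, so the scan actually gates the pipeline rather than just producing a report nobody reads.

```yaml
# buildspec.yml for a CodeBuild project running Brakeman (added example,
# not the original post's file). Assumes a build image with Ruby/RubyGems.
version: 0.2

phases:
  install:
    commands:
      # Brakeman is a static scanner; it does not need the app's bundle installed.
      - gem install brakeman --no-document
  build:
    commands:
      # -w2           report Medium and High confidence findings (1 = all, 3 = High only)
      # --exit-on-warn non-zero exit when warnings are found, which fails the
      #                CodeBuild build and therefore stops the CodePipeline stage
      # -q --no-pager quiet, non-interactive output suitable for a build log
      # Findings that have been reviewed and accepted belong in
      # config/brakeman.ignore (created with `brakeman -I`), not in a
      # widened confidence threshold.
      - brakeman -q --no-pager -w2 --exit-on-warn -f json -o brakeman-report.json .

artifacts:
  files:
    # Keep the JSON report as a build artifact so findings can be reviewed
    # outside the build log.
    - brakeman-report.json
```

The buildspec deliberately leaves the confidence threshold at Medium-and-above and routes accepted findings through Brakeman's ignore file; loosening `-w` to make a red build green defeats the point of putting the scanner in the pipeline.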

Introducing the nVisium On-Demand Training Platform

Published on March 2, 2017 by Jack Mannino

When we set out to build an on-demand developer training platform, we wanted to focus on the most important part of any course: the student. Developers learn by using familiar tools and writing code, not by watching non-specific, generic content or playing contrived games. When discussing training options with some clients, the chief complaint about current Computer Based Training (CBT) solutions and gamified apps was that developers didn’t recognize the value in them. Additionally, security struggled internally to build support and adoption for these solutions with their development teams.

Fun with CAPTCHA - Pt I

Published on February 23, 2017 by Jonn Callahan

After spending the last half-decade reviewing web applications, I've come across multiple homebrewed CAPTCHA implementations. None of them stood up to any kind of rigorous testing, and vulnerabilities tended to appear with only a moderate amount of poking. Because of this, I decided to go after a widespread solution to see how the best implementations stood up to analysis.
