You can't secure what you don't acknowledge.SM

Friday, March 1, 2013

Got WordPress? You'd better secure it.

If you use WordPress, take note. My colleague Robert Abela, one of the foremost experts on WordPress security, has a new course at Udemy.com on Securing a WordPress Blog or Website for Beginners that you should check out.

The course costs $15. When you use the coupon code OnWheels, you'll receive a $5 (33%) discount.

Don't let your guard down because "it's just a marketing site". WordPress-based sites can have tons of security flaws that can be used against you and your business, so be careful.

Thursday, February 28, 2013

Mobile app security assessments

I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised), related to session manipulation, hard-coded cryptographic keys and the like, which underscores the importance of the exercise.

But there's another side to mobile app security assessments: plain manual analysis. That is, poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security- and forensics-related flaws that aren't uncovered in traditional user, functional, and QA testing. In recent application assessments, I've found things like:
  • login-related weaknesses
  • information mishandling
  • insecure interactions with external applications/systems
  • exploits in general functionality that put PII at risk
Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: what are you doing to ensure things are in check?

Like I say about a lot of things related to information security: do it yourself, allow me to help, or hire someone else. Just do something.