You can't secure what you don't acknowledge.SM

Tuesday, October 8, 2013

Windows 8.1 changes/enhancements, BitLocker's improvements, and related Windows mobile/security tips

In addition to my independent information security assessments through my consultancy Principle Logic, I've been writing a ton...including a lot on Windows 8 and 8.1. Check out these new pieces published by my friends at TechTarget:

What's old, what's new for the enterprise with Windows 8.1

Understanding why Windows 8 for mobile is perfectly viable for enterprise use 

Don’t forget enterprise password protection in a merger or acquisition

Three ways Sysinternals Process Explorer reveals system usage

Ease Windows 8 frustration by focusing on what the OS actually does

Looking at Windows 8 BitLocker full-disk encryption and alternatives

You know the deal...check out for links to hundreds of additional security resources I've written and developed over the past 12 years.

As always, check out for links to all of my information security whitepapers, podcasts, webcasts, books, and more.

Monday, October 7, 2013

Experiencing problems with authenticated web vulnerability scans? Try NTOSpider.

You're performing authenticated web vulnerability scans, right? If you're not, you're missing out...big time.

When performing authenticated scans, you'll find a whole different set of security flaws likely consisting of session fixation, SQL injection (that often differs among user role levels), weak passwords, login mechanism flaws, and perhaps...just maybe that beloved cross-site request forgery flaw that may or may not be exploitable or even matter in the context of what you're doing.

Bottom line: you need to be testing for flaws behind your web login prompts.

The thing is, though, authenticated web vulnerability scanning can be extremely painful and inaccurate at best. If you're not paying attention, your web vulnerability scanner is not going to authenticate properly, it's not going to stay logged in, it's going to continually lock the user account (a major annoyance), or it's not going to properly crawl the entire application. Many of these pains are doubly true if your web applications are using Web 2.0 technologies (can we still call them that?).

Web vulnerability scanners are getting better and better, but the problems with authenticated web vulnerability scans still exist with most scanners I've tried - at least some of the time. Except one...NTObjectives' NTOSpider.

I've written about NTOSpider before (here and here) and in the interest of helping out my fellow IT/security professionals who are performing authenticated web vulnerability scans and experiencing these same pains, I feel I have to say something about NTOSpider again...

Check it out. It works extremely well with authenticated scans. Whatever Dan Kuykendall and his guys are doing to get the tool to establish and maintain state - for the entire scan, without locking up, or taking two weeks to run - it's working. Kudos.

One of the neatest things about NTOSpider is that it will tell you whether or not the scanner is logged in as you can see in the screenshot below:

It's a brilliant feature - something I haven't yet seen on any other web vulnerability scanner. I'm sure some people don't value such a feature (think: "Let's just get this scan done, check our box, and move on!") but it's very useful if you want to make sure your authenticated scans are running properly.
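The same kind of logged-in check can be bolted onto any scanner's output. The script below is an added example written for this post, not NTOSpider's code: it classifies each response as authenticated, unauthenticated or locked, reports where in the scan the session was first lost, and halts before repeated re-logins turn into the account lockouts described above. The login paths, logout markers and lockout phrases are constructed assumptions and need tuning to the application under test.

```python
import re
from typing import NamedTuple
from urllib.parse import urlparse
# Markers for "is the scanner still logged in?". All are constructed assumptions; tune per application.
LOGIN_PATHS = ("/login", "/signin", "/account/login")
LOGOUT_MARKERS = ("logout", "sign out")
LOGIN_FORM_RE = re.compile(r'<input[^>]*type=["\']password["\']', re.I)
LOCKOUT_RE = re.compile(r"account (?:is |has been )?locked|too many (?:failed )?attempts", re.I)
class Response(NamedTuple):
    status: int
    body: str = ""
    location: str = ""  # value of the Location header, if any

def session_state(resp: Response) -> str:
    """Classify one response as 'authenticated', 'unauthenticated', 'locked' or 'unknown'."""
    if LOCKOUT_RE.search(resp.body):
        return "locked"  # more login attempts would only keep the account locked
    if resp.status == 401 or (resp.status in (301, 302, 303, 307, 308)
                              and urlparse(resp.location).path.startswith(LOGIN_PATHS)):
        return "unauthenticated"  # challenged, or bounced back to the login page
    if LOGIN_FORM_RE.search(resp.body):
        return "unauthenticated"  # a password field means the app wants us to log in again
    if any(m in resp.body.lower() for m in LOGOUT_MARKERS):
        return "authenticated"  # a logout link only renders for a logged-in user
    return "unknown"

def audit_scan(responses, max_relogins: int = 3) -> dict:
    """Walk responses in scan order; report state counts, first session loss and any halt reason."""
    counts = {"authenticated": 0, "unauthenticated": 0, "locked": 0, "unknown": 0}
    first_loss, relogins, halt_reason = None, 0, None
    for i, resp in enumerate(responses):
        state = session_state(resp)
        counts[state] += 1
        if state == "locked":
            halt_reason = f"account locked at request {i}"  # stop: retrying only extends the lockout
            break
        if state == "unauthenticated":
            first_loss = i if first_loss is None else first_loss
            relogins += 1  # each session loss costs one re-login attempt
            if relogins > max_relogins:
                halt_reason = f"re-login budget exhausted at request {i}"
                break
    return {"counts": counts, "first_loss": first_loss, "relogins": relogins, "halt_reason": halt_reason}
# Constructed sample: an authenticated page, a bounce to /login, a login form, then a lockout notice.
SAMPLE = [
    Response(200, "<h1>Orders</h1><a href='/logout'>Sign out</a>"),
    Response(302, "", "https://app.example/login?next=/orders"),
    Response(200, '<form><input type="password" name="pw"></form>'),
    Response(200, "Your account is locked due to too many failed attempts."),
]
```

Feed it the responses your scanner logs (or a proxy capture of the scan) and a `first_loss` early in the run, or any `halt_reason`, tells you the scan was not really authenticated before you trust its findings.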

NTOSpider definitely won't find every web security flaw. I haven't yet found a scanner that will. With enough experience, you'll see that this is one of the fundamental problems we have with web vulnerability testing. Relying on a single web vulnerability scanner to find all the flaws is like relying on a single firewall to keep every threat out of your network. It's not going to happen.

NTOSpider is not perfect either. It has several quirks - some of which have been resolved in the latest version 6 (which is much improved). But, again, I haven't yet found a scanner that is perfect.

The only thing that matters is that NTOSpider feels perfect when it ends up getting you out of a bind like it has for me several times now in my web security vulnerability assessment work. Add it to your arsenal of multiple web vulnerability scanners. You won't regret it.