Mit großer Freude durfte ich vergangenen Samstag Prof. Dr. Katja Wengler bei der Mastervorlesung “Software Quality Engineering” am DHBW Center for Advanced Studies (CAS) unterstützten. Das Modul “Software Quality Engineering” beschäftigt sich mit der Analyse von Softwaresystemen und deren Optimierung. Was ist Softwarequalität, wie kann Softwarequalität bewertet oder verbessert werden? Je nach Vorkenntnissen der Teilnehmer werden Themen wie Refactoring, Clean…
Leave a CommentCategory: AppSec
I am already very excited that I will be giving a talk at Ekoparty security conference 2022 in Buenos Aires. #Eko2022 My talk outline: https://ekoparty.org/en_US/eko2022/main-track-talks-a-race-against-time-javan-rasokat Get your tickets here: https://ekoparty.org (free) #GlobalAppSecSanFran I am also looking forward to be part of the OWASP Global AppSec in San Francisco. My talk is on the last day of the conference. Check out…
Leave a CommentI was very pleased to give my presentation on race condition vulnerabilities in web applications at this year’s HITB conference in Singapore. The talks with the participants, the other presentations, the organisation, everything was very well done and I was able to exchange ideas with the security community in Singapore and internationally.The people, the city and the food are amazing.Many…
Leave a CommentIn the past two weeks some news articles about “data breaches” affecting Clubouse, LinkedIn and Facebook have been shared. I’d like to add my two cents on two points that keep coming up and clarify the following. Scraping is not a crime Scraping is not a data leakage Scraping is not a crime The first time I read about scraping…
Leave a CommentThis week security researcher Laxman Muthiyah published his bugbounty write-up “How I Might Have Hacked Any Microsoft Account“. For his finding, he was paid a bugbounty of $50,000 by Microsoft. The researcher describes a vulnerability that theoretically can be used to bypass a rate limit which results in brute-forcing a code. Theoretically, a 6-digit code (1 million necessary attempts) can…
1 CommentThis month I passed the (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) exam. As I have been studying with the new version revised in late 2020 and have taken the revised exam, I would like to share my experience with you. My previous security certifications were always practically applied certifications, for example for pentesting. For me, the CSSLP was the…
7 CommentsAfter 3 months of good preparation I passed a challenging GIAC Certification for the GXPN – GIAC Exploit Researcher and Advanced Penetration Tester. The highlights for me were to learn and really understand how to defeat Windows and Linux stack protection, find common mistakes in cryptography implementation and in general to create and customize the tools to make them work…
2 CommentsSince Kali Linux is not available as an app in the Microsoft App Store, the installation as subsystem requires to run a few commands. 1. First, the subsystem feature must be activated via PowerShell (if not already activated). Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux 2. Kali Linux is downloaded as an AppX file. We can find a file that is always up…
Leave a CommentThis article is about installing Sqreen on the hosting and web server management system Plesk. Sqreen is a Web-Application-Firewall (WAF) and Runtime-Application-Self-Protection (RASP) solution. Sqreen is easy to install and works out of the box. The onboarding process guides you very well step-by-step through the whole setup and while setting up your first application you learn about each config. This…
Leave a CommentWordPress ist das weit verbreitetste CMS überhaupt. Doch nach der ersten Betriebsnahme denken die meisten nicht weiter an die Sicherheit. Deshalb sind Schwachstellen in WordPress besonders lukrativ. Veraltete Versionen, für welche öffentliche Schwachstellen bekannt sind, werden durch sogenannte Crawler und Bots erkannt und angegriffen. Dies passiert meist vollautomatisch. Oft ist das Ziel dieser automatisierten Angriffe das CMS dazu zu missbrauchen,…
1 Comment