
Wednesday, August 27, 2014

Garmr – Automate Web Application Security Tests

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here:

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

The purpose of this page is to establish a concise and consistent approach to secure application development of Mozilla web applications and web services. The information provided here will be focused towards web based applications; however, the concepts can be universally applied to applications to implement sound security controls and design.

Combined with other tools, it is useful for automating web application security tests to a decent, fairly comprehensive baseline. It was built to be part of a Continuous Integration process by the Mozilla WebQA team, but could easily be adopted by other teams and used in a similar way: it outputs a JUnit style XML report that can be consumed by other tools such as Jenkins.

More info:
https://github.com/mozilla/Garmr

WiFi software Acrylic WiFi Free v2.0 - Real-time WLAN information and network analysis

The main improvements of the new Acrylic WiFi software release are as follows:

• Acrylic WiFi Free now shows the maximum speeds supported by each WiFi access point.
• Fixed install and uninstall issues with the NDIS capture driver under x64.
• Enhanced NDIS driver to avoid packet loss under heavy network capture in monitor mode.
• Enhanced Wireshark integration for better performance and fixed radiotap header issues.
• Fixed compatibility with Windows Vista.
• Added additional Visual Studio dependencies.
• Fixed issues when requesting trial licenses for Acrylic WiFi Professional.
• New exception handler module to detect Acrylic bugs.
• Execute Acrylic as a standard user: Acrylic can be installed and executed without administrator rights. Note that without admin privileges monitor mode won’t be available.
• Added additional software tooltips.
• Added social network buttons to share information about Acrylic WiFi software with all your friends and followers.
• Improved graphical interface and usability.
• Acrylic WiFi Free starts data capture automatically once the program is executed.

PHP Secure Configuration Checker script

Among the most tedious tasks of PHP security testing is the check for insecure PHP configuration. As a successor of our PHP Security Poster, we have created a script to help system administrators as well as security professionals to assess the state of php.ini and related topics as quickly and as thoroughly as possible. For later reference, the script is called "PHP Secure Configuration Checker", or pcc.

• One single file for easy distribution: With respect to an update process and access restrictions, a single file is easier to handle than a whole web application monster.
• Simple tests for each security related ini entry: Testing php.ini on a live system is the main aspect of this project. Each entry is supposed to be checked or otherwise actively ignored.
• A few other tests: pcc is not restricted to php.ini checks. Other ideas can be implemented as well.
• Compatibility: PHP 5.4 is supposed to work. Older PHP versions are not supposed to be used in the wild anyway.
• NO complicated/overengineered code, e.g. no classes/interfaces, test frameworks, libraries, ...: In most cases, a recommendation is based on a simple boolean decision, e.g. is it 1 or is it 0. The corresponding code is supposed to reflect this simplicity. Also, simple code leads to fewer programming errors.
• Novice factor: The result is supposed to help secure the PHP environment. There is no need to obfuscate, encrypt or hide the code. Even inexperienced developers or system administrators may take a glance at the code, free of charge.
• NO (or very few) dependencies: pcc is supposed to run in the most simplistic (yet still realistically sane) PHP environment. Writing files and loading bloated library code should be avoided.
• Safeguards: In order to prevent information disclosure, IP restrictions are implemented, as well as a lock-out mechanism based on the script's modification time.
• Suhosin: pcc checks the correct configuration of the Suhosin extension.
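As an added example (not pcc's own code), here is a minimal single-file checker in the style the post describes: one boolean test per php.ini entry, an IP allow-list, and a lock-out based on the script's own modification time. The allowed addresses, the 24-hour lock-out window and the five entries checked are assumptions, and unlike pcc it needs PHP 7.1 or newer for the array destructuring.

```php
<?php
// Added example (not pcc's own code): a minimal single-file php.ini checker
// with plain boolean tests per ini entry, plus the two self-protection
// safeguards the post mentions (IP allow-list and modification-time lock-out).

// Safeguard 1: only answer to allow-listed client addresses (assumed values).
$allowed_ips = ['127.0.0.1', '::1'];
// Safeguard 2: refuse to run once the file is older than a day (assumed window),
// so a forgotten copy on a production host stops disclosing configuration.
$max_age_seconds = 86400;

$client = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'; // CLI runs have no REMOTE_ADDR
if (!in_array($client, $allowed_ips, true)) {
    header('HTTP/1.1 403 Forbidden');
    exit("Access denied for $client\n");
}
if (time() - filemtime(__FILE__) > $max_age_seconds) {
    exit("Lock-out: checker is older than $max_age_seconds seconds; touch it to re-enable.\n");
}

// Each check is one boolean decision on one ini entry, as the post recommends.
// Format: entry => [expected value, reason]
$checks = [
    'expose_php'              => [false, 'hides the PHP version in the X-Powered-By header'],
    'display_errors'          => [false, 'prevents error messages leaking paths and code'],
    'allow_url_include'       => [false, 'blocks remote file inclusion via include/require'],
    'session.cookie_httponly' => [true,  'keeps the session cookie away from script access'],
    'session.use_strict_mode' => [true,  'rejects uninitialised session ids (fixation)'],
];

// php.ini booleans arrive as "1", "0", "", "On" or "Off"; normalise them.
function ini_bool(string $entry): bool {
    return filter_var(ini_get($entry), FILTER_VALIDATE_BOOLEAN);
}

foreach ($checks as $entry => [$expected, $reason]) {
    $actual = ini_bool($entry);
    $status = ($actual === $expected) ? 'OK  ' : 'WARN';
    printf("%s %-25s = %-3s (want %s: %s)\n",
        $status, $entry, $actual ? 'on' : 'off', $expected ? 'on' : 'off', $reason);
}
```

Run it with `php checker.php` on the host being assessed, or drop it in the web root behind the allow-list for a live check of the web server's php.ini rather than the CLI one.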