Brian Warner

app security

From web app, desktop and mobile, application security is a mix of manual iterative process, as well as automated vulnerability scans. A cohesive approach, well documented (Pen Test) captures the application vulnerability landscape.

  • OSINT: Getting Git secrets with .patch

    The information presented is for learning and investigative purposes using OSINT (Open Source Intelligence). This post discusses a way to gain information on a GitHub user through their commit id. Tools required: A web browser. I was playing one of Kase Scenario games. If you haven’t heard if them, give it a look. Kase scenarios are online…

    OSINT: Getting Git secrets with .patch

    The information presented is for learning and investigative purposes using…

  • ISO 27001

    To get a company ISO certified requires a lot of planning and effort from a variety of parties. ISO 27001 will touch upon hiring policies, safety equipment, physical security and of course operations / application security. My effort, at my job, helped get our company ISO 27001 certified. My effort in a strong SDLC, proper…

    ISO 27001

    To get a company ISO certified requires a lot of…

  • Writing a Static Code Analyzer for Security

    As I get more into white box testing of code bases, I started looking for tools that run static code analysis. A lot of teams I work with believe that GitHub is doing that for them, as they get alerts on their codebases. What is often triggered, however, is not scans of their primary code…

    Writing a Static Code Analyzer for Security

    As I get more into white box testing of code…

  • Setting Up an EDR with Email Alerts [Wazuh]

    EDR (Endpoint Detection and Response) is part of a security toolset to ensure protection of computers (endpoints) in a network. EDR is complimented with AV, IDS/IPS and SIEMs. What makes EDR great, is the reported insight of every known endpoint on the network. From application crashes, registry modifications, to threat actions, EDR gives insight on…

    Setting Up an EDR with Email Alerts [Wazuh]

    EDR (Endpoint Detection and Response) is part of a security…

APP SECURITY

OWASP AND BEYOND

Starting with static code analysis, application security is validated against the OWASP Top Ten. App Security testing goes hand in hand with Application Log Monitoring.

Security Testing

Regular penetration tests are a good idea to capture the application status. From manual exploratory & exploit (OSINT, Burp Suite, manual attack), to regular vulnerability scans (GVM, ZAP, etc.)

Security Monitoring

Utilizing large data harnesses, such as Elastic, log data can be easily turned to security focused dashboards. Alerts are driven by triggering levels, notifying the appropriate departments.

APP TESTING

SDLC & COMPLIANCE

From manual testing to application automation, Quality Assurance and software reliability is in focus. Adhering to an SDLC, reporting and validation, as well as policy creation and adherence, goes a long way towards compliance certification (HIPA, ISO, etc.)

Testing

Regular penetration tests are a good idea to capture the application status. From manual exploratory & exploit (OSINT, Burp Suite, manual attack), to regular vulnerability scans (GVM, ZAP, etc.)

Staying Compliant

Utilizing large data harnesses, such as Elastic, log data can be easily turned to security focused dashboards. Alerts are driven by triggering levels, notifying the appropriate departments.

philosophy

Security is a natural resulting focus from the Quality Assurance & Bug Hunting mindset.

From manual GitHub vulnerability search, to using tools to scrape local repositories for exploitive & vulnerable code.

Code Analysis

Static | Dynamic

Monitoring logs using Filebeat and Elastic, as well as IDS applications like Suricata are pivotal with compliance and security.

Log Monitoring

Elastic | IDS | SIEM

Develop tools from automated regression, to static code analysis, as well as 3rd party tools assist in validation of code quality.

Tooling

3rd Party | Developed

Achieved ISO 27001 corporate compliance by holding strong SDLC policies, regular Pen Testing, Code analysis, and Log monitoring.

Compliance

Security Engineer

news & blogs

blog over tips

  • OSINT: Getting Git secrets with .patch
    OSINT: Getting Git secrets with .patch

    The information presented is for learning and investigative purposes using OSINT (Open Source Intelligence). This…

    Brian Warner
  • ISO 27001
    ISO 27001

    To get a company ISO certified requires a lot of planning and effort from a…

    Brian Warner
  • Writing a Static Code Analyzer for Security
    Writing a Static Code Analyzer for Security

    As I get more into white box testing of code bases, I started looking for…

    Brian Warner

FAQ

common questions

How often to run penetration tests?

These tests should be run regularly on a schedule – for my work, I prefer to run them monthly.

Can a company be compliant and use AI?

Yes. AI needs to be specified in the scope of compliance documentation. The main ai compliance factors relate to 1) Bias 2) fairness. Bias relates to ai that offers advice, that it uses a non biased dataset to base responses to clients. fairness is a requirement that a company will not “outsource” jobs to AI.

How can I perform static code analysis if I am not intimate with the laguage?

teams may switch languages, or you may change jobs. Your role as security remains the same, no matter what. You can use (add on) open-source tools, like my own [link] or use ai to help write tools to perform static code analysis.

What is your preferred os for security testing?

dedicated os, is osx on my mac laptop. However, I also make use of kali linux vm’s, debian vm’s, debian derived tools (Ubuntu) and Parrot os.

Is there a role for SDLC Security Testing?

Security should also be part of the regular Software development life-cycle. This includes white-box static code analysis, as well as testing code against common vulnerabilities (owasp top 10).

How can a company establish a strong blue team position?

run all application and server logs through a central resource (such as Elastic). From the log parsing, create a dashboard of data objects. Trigger event based notifications. Work with 3rd parties to protect against ddos (cloudflare) and block tor traffic. create documentation and play books for the moment. of incident.

Are there security tools to test mobile?

Yes. One of my favorite open-source tools is MobSF [link].

How can I get into security?

I got into the field through the Quality assurance path. After many years doing QA, I found a need at my job where there was lacking security. I filled the role with vulnerability scans. Then I took courses at Offensive security to get into true penetration testing (Oscp, web-200, web-300). I also wrote many tools for the company. I also created a prototype siem by harvesting logs with elastic stack. On top of all this, I created teh company’s security wiki for reference by staff.