Scripting with OWASP ZAP

So you’ve got a great DevOps pipeline that builds, tests and deploys your application. You might still be running manual security scans for vulnerabilities or you could be passively scanning with OWASP ZAP as your functional tests run. Here are some ways you can automate OWASP ZAP to actively scan your entire application for vulnerabilities. […]

Automating ZAP through Gauntlt — A DevOps Solution

Rugged DevOps, or DevSecOps, is a method for developing software that has gained much traction in recent years. However, security tools and practices may not merge well with automation. This creates bottlenecks or delays security processes until time-consuming manual tests at the end of a release cycle. Such delays in security testing greatly increase […]

Some Ansible Examples

When going to a new environment, it would be nice if someone had already thought out the networking and authentication needs. It would be nice if we had a sane DNS solution and a good LDAP server. Regrettably, life in operations is not always that nice. We are frequently asked to quickly set up a […]

Building and Testing Secure Mobile Apps
Mobile Security

Mobile application development has been on the rise lately because of the convenience mobile apps offer. Despite recent security breaches on mobile devices, security testing is not emphasized as much as other forms of quality testing, such as user acceptance or functional testing. Just last year, hackers in China […]

Integrating Sonatype LifeCycle with Eclipse
Sonatype Lifecycle

In my previous post, I covered the initial installation of Sonatype LifeCycle (aka IQ Server). In this post, I will show you how to integrate it into Eclipse IDE, but first a quick background on the benefits of this integration and the value it adds to your software development process. As I mentioned previously, IQ […]

Mobile App Security Testing – Local Data Storage Vulnerability with iGoat

The video below demonstrates how to test a mobile application for local data storage vulnerabilities. For this demonstration, I used a mobile application called iGoat. iGoat is designed for the iOS platform and functions as a learning tool for iOS developers. iGoat is a safe environment in which iOS developers can gain knowledge about the […]

Create FreeIPA Users Script

On my current project, my team is using FreeIPA to implement Single Sign-On (SSO) for all the employees at Coveros. FreeIPA is an open-source security solution for the Linux operating system which provides account management and centralized authentication, similar to Microsoft's Active Directory. It is built on top of multiple open source projects such as […]

How to Use Ansible-Container to Build a Docker Container

Last month I talked about the need for Docker-aware configuration management (CM) tools to effectively build and test containers in a CI/CD pipeline. The goal is to avoid installing any extra tooling inside the Docker container that gets published for production use: no sshd, and no CM tooling. This technical post documents the major […]
