Don’t Be a Victim: Find your weaknesses before the criminals do. PEN Consultants can help!

Blog

2021-10-01

Annual Team Meet-Up (2001)

PEN Consultants held its inaugural annual meet-up October 8th – 10th 2021, giving each team member (and their family) the ability to meet each other face-2-face (many for the first time), participate in team-building activities, and give back to the community. Here is a summary of that event. Friday Meeting up at the Neel’s house […]

2021-09-24

Acquisition of PEN Consultants, LLC

Throughout most of 2021, we have been increasingly pursued by various business referral partners and investment firms, asking if we would be interested in merging with them or being acquired. This is our boilerplate statement, so as to not have to repeat ourselves. Thanks for reaching out! I don’t think we’re going to be interested […]

2021-09-23

SmartVestor Pro Experience

On 08 Sep 2021, we utilized Ramsey Solutions’ SmartVestor Pro service to find a firm that could help maximize our investment strategy as both a business and personally. This is a review of our experience with that service. Thank You Thank you to Dave Ramsey and his team for providing this service! We’ve used their ELP service in the […]

2021-09-20

Webcast: The Data-Planet

17 Sep 2021: Robert Neel of PEN Consultants joined Pete Martin and James Beecham on ALTR’s The Data-Planet to discuss data security challenges and best practices. Source: https://www.linkedin.com/posts/altrsoftware_the-data-planet-this-week-pete-and-james-activity-6844676380626620416-w3Dm If you are interested to know how your network services and web apps would perform against these types of attacks, but you do not have the expertise or resources to do so, contact PEN Consultants today!

2021-08-19

Responsible Vulnerability Disclosure

An ongoing responsible (but frustrating) vulnerability disclosure with a well-known cybersecurity vendor. After reading through this, please leave your feedback at one of the following polls: The vulnerability risk scores somewhere between a 4.0 and 4.2 on a CVSS calculation (ex. https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N), so not a huge deal. We could certainly develop a working PoC (with time), […]

2021-08-02

User Enumeration vs Password Spraying

What do you call a User Enumeration attack against a login service (i.e. username + password)? Based on recent polling (Source_1, Source_2), it would appear our industry peers call this a password spray attack (by a 3-to-1 margin), despite the purpose clearly being for user enumeration. This article will explain why we are taking a minority […]

2021-07-05

How do I get into Cybersecurity?

I’m often asked questions such as, “How do I get into Cybersecurity?” or “How do I get from an IT role to a cybersecurity role?”. This is a copy/paste, with a few edits, from previous emails. Bottom Line up Front (BLUF) I’d lean towards a shorter/cheaper tech degree in the field you want to go into […]

2020-09-20

Your Schema is Showing

Here’s a look at the results from our recent effort analyzing GraphQL API endpoints across the web, and the percentage of those endpoints that allowed an unauthenticated user to view the query & data schema. The intent of this article is to address the implications of allowing this schema to be retrieved, similar technologies that […]

2020-05-15

Building a Security Testing Business

I am often asked, “How did you get started with your security testing business?” “What are some lessons learned?” “What are your current challenges?” I have been asked enough times that I decided to post my thoughts in blog format. How did you decide it was the right time to take the step from W-2 […]

2020-05-06

HTTP Response Headers

While preparing for a monthly Lunch-and-Learn lesson for a client, I wanted to collect various examples of good, bad, faulty, and missing HTTP response headers. As is typical, I went a little overboard and collected all of the headers for the top one million websites. This article will describe some interesting findings and the raw […]
