Acquisition of PEN Consultants, LLC

Throughout most of 2021, we have been increasingly approached by various business referral partners and investment firms asking whether we would be interested in merging with them or being acquired. This is our boilerplate statement, so that we do not have to repeat ourselves.

User Enumeration vs Password Spraying

What do you call a User Enumeration attack against a logon service (i.e. username + password)? Based on recent polling (Source_1, Source_2), our industry peers appear to call this a password spray attack (by a 3-to-1 margin), even though the purpose is clearly user enumeration. This article explains why we take the minority view, while still recognizing the validity of our peers’ viewpoint and incorporating it.

How do I get into Cybersecurity?

I’m often asked questions such as, “How do I get into Cybersecurity?” or “How do I get from an IT role to a cybersecurity role?” This is a copy/paste, with a few edits, from previous emails.

Your Schema is Showing

Here’s a look at the results from our recent effort analyzing GraphQL API endpoints across the web, and the percentage of those endpoints that allowed an unauthenticated user to retrieve the query and data schema. This article addresses the implications of allowing this schema to be retrieved, similar technologies that expose their schema, what can be done about it, and the trend among those who have prevented such a disclosure.

Building a Security Testing Business

I am often asked, “How did you get started with your security testing business?”, “What are some lessons learned?”, and “What are your current challenges?” I have been asked enough times that I decided to post my thoughts in blog format.

HTTP Response Headers

While preparing a monthly Lunch-and-Learn lesson for a client, I wanted to collect various examples of good, bad, faulty, and missing HTTP response headers. As is typical, I went a little overboard and collected the headers of the top one million websites. This article describes some interesting findings and the raw data collected, and provides other researchers with the script that was created and used.

MFA Implementation Attacks

Most Multi-Factor Authentication (MFA) implementations do not protect your password from brute forcing or from account-level DoS attacks. This article demonstrates various attacks that exploit weaknesses found in nearly every industry Identity and Access Management (IAM) provider/solution, and offers mitigations for them.
