NetSPI Blog

Dan Gardner
October 16th, 2009

Preventing SQL Injection at the Database

SQL injection vulnerabilities are common out in the real world. We spend a lot of time and effort looking for SQL injection vulnerabilities in application code, a good and necessary practice. Application security, however, must be considered at every layer of the system. In fact, by using a good database and data access layer design, […]

Seth Peter
October 5th, 2009

Are We Ready for a Security Software Assurance Program?

Integrating security checks and balances with your application development processes is certainly uncharted territory for many security professionals. Why is this so? With the multitude of benefits that custom developed applications bring to an organization, there is also a multitude of risks, namely that sensitive, regulated, and confidential data is being stored, processed, transmitted, and […]

Scott Sutherland
October 5th, 2009

Windows Privilege Escalation Part 1: Local Administrator Privileges

The process of stealing another Windows user’s identity may seem like black magic to some people, but in reality any user who understands how Windows works can pull it off. This is the first of two blog entries giving an overview of privilege escalation techniques that prove that fact. Part 1 (this entry) discusses obtaining […]

Scott Sutherland
October 5th, 2009

Windows Privilege Escalation Part 2: Domain Admin Privileges

This is the second part of a two-part series that focuses on Windows privilege escalation. The previous post (Part 1) provided an overview of 10 vectors that could be used to obtain local SYSTEM and administrative privileges from an unprivileged user account. This post focuses on obtaining domain administrative privileges from a local administrator […]

Deke George
October 1st, 2009

Mergers & Acquisitions in the Information Security Field

The news about the sale of the VeriSign consulting team to AT&T suggests that there will be many similar transactions in the near term within the information security market. The investment being made in this market is great, but based on previous experience, a positive outcome is less than certain. From my point of view […]

Deke George
September 28th, 2009

Maturity and Convergence at the PCI-SSC Community Meeting

I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world). The first issue signaled that the council’s view of IT risk is maturing. […]

Alex Crittenden
September 21st, 2009

Security, Compliance, and the New Retail Economy

As the PCI Community Meeting is set to start tomorrow, I have been thinking about the current state of the retail marketplace and what that means for NetSPI’s focus–security and compliance. During the down economic times no retailer really came through unscathed. Everyone suffered to some degree, but even during the most difficult periods of […]

Deke George
September 17th, 2009

Cyber Security and Nuclear Energy

I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry’s physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had […]

Yan Kravchenko
August 21st, 2009

You Cannot Outsource the Consequences of a Breach

Mozilla is known to most people for its open-source and free software, most notably Firefox. However, starting around August 4th, it also became known as yet another company whose merchandise store was breached. Following the announcement on the company’s blog and closure of Mozilla’s store, the following headlines filled trade pubs and the blogosphere: “Mozilla […]