Security Risk Advisors


We recently presented to the FSOEP (Financial Security Officers of Eastern Pennsylvania) on the topic of Corporate Treasury Attacks. The talk included exploitation techniques that attackers may use to infiltrate corporate treasury and cash managemen… Continue Reading

User Enumeration

January 21, 2013 | Posted in Red Teams by Chris Salerno

One of the most common and underestimated web application vulnerabilities I find is user enumeration. Simply put, I can figure out a list of valid user accounts that are allowed to log in to an application. This isn’t just assuming there’s … Continue Reading

Fresh from the ASIS-ISC(2) Conference in Philadelphia on September 10th, below is Tim’s presentation on “Mobile Security Risks and App Security”. Tim presented to a packed room and had great interaction and feedback from the attendees. Tim is also … Continue Reading

ThreatView - August 2012 QSA vs ISA

August 21, 2012 | Posted in GRC by Carl Angeloff

Many organizations that must comply with the Payment Card Industry Data Security Standard (PCI DSS) are asking what the differences are between QSAs and ISAs and which direction they should take with their program. We address this question in the … Continue Reading

We recently co-presented a case study with Vas Rajan (CISO, INGDirect) discussing how we jointly developed a security risk management program for customer-facing mobile apps. We discussed the security risks and challenges, and a programmatic approach… Continue Reading