Compass Security Blog

Offensive Defense

Page 3 of 3

ASFWS – Obfuscator, ou comment durcir un code source ou un binaire contre le reverse-engineering

Slides available on http://asfws12.files.wordpress.com/2012/11/asfws2012-pascal_junod-jean_roland_schuler-obfuscator.pdf Both presenters, Pascal Junod and Jean-Roland Schuler work for the HES-SO – the University of Applied Science Western Switzerland. This talk is the follow-up of last year’s presentation, including the improvements done since. While Pascal Junod, from the HES-SO HEIVd (Yverdon-les-Bains) focused on obfuscating binaries based on their source code, Jean-Roland […]

Continue reading

ASFWS – Keynote 1 – Gestion opérationnelle de la sécurité logicielle sur la plateforme Facebook

Slides available on http://asfws12.files.wordpress.com/2012/11/appsec2012_keynote.pdf Alok Menghragani graduated in Lausanne with a Master at the EPFL before joining Facebook in 2008, which was back then still a young startup with “only” 100 millions users. He gave us an interesting insight in how Facebook manages over 10 millions of lines of code while keeping “move fast and […]

Continue reading

Day 1 of ASFWS – Introduction

Wednesday 7th of November started early for me as I had to take the train at 6am in Zürich to be in time in Yverdon-les-Bains for the beginning of Application Security Forum – Western Switzerland 2012. This annual security conference, regrouping all actors of the French part of Switzerland during 2 days, invited me to […]

Continue reading

nevisProxy Advisory Release

Today, Compass Security published a public advisory regarding nevisProxy, a product from AdNovum, used by several Swiss financial institutions. nevisProxy is a secure reverse proxy with an integrated web application firewall (WAF). It acts as a central upstream entry point for web traffic to integrated online applications. nevisProxy controls user access and protects sensitive data, […]

Continue reading

Exploit credentials stored in Windows Group Policy Preferences

Group Policy preferences are a new feature set available since Windows Server 2008, which shouldn’t be confused with the well known Group Policy objects (GPOs) dating back to Windows NT. The main idea behind the creation of Group Policy preferences is the ability to push so-called “unmanaged” settings. Compared to “managed” GPOs, group policy preferences can be altered by […]

Continue reading

JBoss 7.1 Web Server Hardening

JBoss is a popular open-source Java application server which underwent a major rewrite of its code-base for its latest version 7.x. Of this new branch, only version 7.1.0.Final, released a week ago, is certified for the Java EE 6 Full Profile. As part of the code rewrite, the configuration settings also got a global overhaul. […]

Continue reading

New Security Enhancing HTTP Headers

In the past few years, several new HTTP Headers have been proposed to increase the security of web applications. This is being done by providing additional instructions and information about the served application to the browser. Those can mitigate and avert various common web attacks, even if the underlying application contains vulnerabilities, therefore adding another […]

Continue reading

Retrospective about cache snooping

As it is known since at least 2006, a website is able to identify the domains a user previously visited, with some simple CSS hacks. This had great privacy implications, and browsers took steps to eliminate this problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which basically does the […]

Continue reading

Newer posts »