Application and Cybersecurity Blog https://blog.securityinnovation.com Learn about application and cybersecurity from the experts at Security Innovation. en-us Wed, 19 Oct 2022 14:34:10 GMT

The Magic of Empowerment: My First Year at Security Innovation https://blog.securityinnovation.com/the-magic-of-empowerment-my-first-year-at-security-innovation
<div class="hs-featured-image-wrapper"> <a href="https://blog.securityinnovation.com/the-magic-of-empowerment-my-first-year-at-security-innovation" title="" class="hs-featured-image-link"> <img src="https://blog.securityinnovation.com/hubfs/the-magic-of-empowerment-my-first-year-at-security-innovation.jpg" alt="The Magic of Empowerment: My First Year at Security Innovation" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div>
<p>I joined Security Innovation last year as a Product Marketing Manager. While one year pales in comparison to the 20-year history of Security Innovation, I've been able to experience something I may never see again…</p>
<p>Security Innovation has mastered the art of empowerment. Not only in their in-house day-to-day operations, but having empowerment as the root of the entire business.</p>
Cybersecurity Training, Security Innovation. Wed, 19 Oct 2022 14:34:10 GMT. Jason Shepard

Attacks Over The Air – Cracking a Sports Scoreboard: Part 2 https://blog.securityinnovation.com/cracking-a-sports-scoreboard-part-2
<div class="hs-featured-image-wrapper"> <a href="https://blog.securityinnovation.com/cracking-a-sports-scoreboard-part-2" title="" class="hs-featured-image-link"> <img src="https://blog.securityinnovation.com/hubfs/cracking-a-sports-scoreboard-part-2.jpg" alt="Closeup photo of a digital sports scoreboard with bokeh effect - cracking a sports scoreboard." class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div>
<p>In our last post, <a href="https://blog.securityinnovation.com/cracking-a-sports-scoreboard-part-1">part 1</a>, we purchased a game scoreboard, which we’re calling the Score9, in our quest to deepen our understanding of RF hacking projects and to attack a game scoreboard for the very first time. This post continues the story, covering our investigation and the initial building of the attack, and is complementary to <a href="https://maxwelldulin.com/BlogPost?post=8579892224">Maxwell’s more detailed blog</a> on the same topic.</p>
security engineering, penetration testing, technology. Mon, 19 Sep 2022 13:30:00 GMT. Jesse Victors

Attacks Over The Air – Cracking a Sports Scoreboard: Part 1 https://blog.securityinnovation.com/cracking-a-sports-scoreboard-part-1
<div class="hs-featured-image-wrapper"> <a href="https://blog.securityinnovation.com/cracking-a-sports-scoreboard-part-1" title="" class="hs-featured-image-link"> <img src="https://blog.securityinnovation.com/hubfs/cracking-a-sports-scoreboard-part-1.jpg" alt="Closeup photo of a digital sports scoreboard with bokeh effect - cracking a sports scoreboard." class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div>
<p>Over the past 18 months, a small group of us at Security Innovation have been delving into hacking at the physical layer. This layer covers the physical movement of 1s and 0s over cables or through the air, such as through an Ethernet cable or over a wireless signal. Penetration testing rarely touches the physical layer, and while it may be under-discussed in most circles, we also know that it can be quite fruitful.</p>
security engineering, penetration testing, technology. Mon, 12 Sep 2022 15:33:51 GMT. Jesse Victors

Just Doing Secure Code Training? How Immature! https://blog.securityinnovation.com/just-doing-secure-code-training-how-immature
<div class="hs-featured-image-wrapper"> <a href="https://blog.securityinnovation.com/just-doing-secure-code-training-how-immature" title="" class="hs-featured-image-link"> <img src="https://blog.securityinnovation.com/hubfs/just-doing-secure-code-training-how-immature.jpg" alt="Just Doing Secure Code Training? How Immature!" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div>
<p>Many of us are very aware of the OWASP Top 10 and use it as a tool to help determine which web application vulnerabilities to prioritize. Too many are using it as an exclusive list for a minimum focus and only training developers on related coding flaws, <a href="https://blog.securityinnovation.com/software-security-beyond-secure-code-training-across-the-sdlc">which doesn't even cover the OWASP Top 10</a>. But this blog is not about the OWASP Top 10. Despite broad awareness of the OWASP Top 10 due to its mention in compliance frameworks, far fewer are aware of all the other helpful guidance provided by OWASP. One of these tools is the <a href="https://owaspsamm.org/">OWASP Software Assurance Maturity Model (SAMM)</a>. According to OWASP, SAMM offers prescriptive guidance for improving security posture across the complete software lifecycle. It is extensive, but fortunately, it can be used in small, digestible chunks to create incremental, measurable improvement. The overall model looks like this:</p>
Cybersecurity Training. Wed, 07 Sep 2022 18:44:06 GMT. cschulz@securityinnovation.com (Fred Pinkett)

DEFCON 30 (2022) – A Study in Scarlet https://blog.securityinnovation.com/defcon-30-a-study-in-scarlet
<div class="hs-featured-image-wrapper"> <a href="https://blog.securityinnovation.com/defcon-30-a-study-in-scarlet" title="" class="hs-featured-image-link"> <img src="https://blog.securityinnovation.com/hubfs/defcon-30-study-in-scarlet-mailjay-cloud-cyber-range.jpg" alt="DEFCON 30 (2022) – A Study in Scarlet" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div>
<p>To paraphrase the protagonist of the aforementioned novel:</p>
<blockquote> <p><em>There's a scarlet thread of security holes running through the colorless cloud of digital life, and our duty is to unravel it, isolate it, and expose every inch of it.</em></p> </blockquote>
cloud, cloud security, cloud application security. Mon, 29 Aug 2022 19:59:36 GMT. lparcella@securityinnovation.com (Lisa Parcella)