Brian Warner

app security

From web app, desktop and mobile, application security is a mix of manual iterative process, as well as automated vulnerability scans. A cohesive approach, well documented (Pen Test) captures the application vulnerability landscape.

  • OSINT: Getting Git secrets with .patch

    The information presented is for learning and investigative purposes using OSINT (Open Source Intelligence). This

    OSINT: Getting Git secrets with .patch

    The information presented is for learning and investigative purposes using…

  • ISO 27001

    To get a company ISO certified requires a lot of planning and effort from a

    ISO 27001

    To get a company ISO certified requires a lot of…

  • Writing a Static Code Analyzer for Security

    As I get more into white box testing of code bases, I started looking for

    Writing a Static Code Analyzer for Security

    As I get more into white box testing of code…

  • Setting Up an EDR with Email Alerts [Wazuh]

    EDR (Endpoint Detection and Response) is part of a security toolset to ensure protection of

    Setting Up an EDR with Email Alerts [Wazuh]

    EDR (Endpoint Detection and Response) is part of a security…

APP SECURITY

OWASP AND BEYOND

Starting with static code analysis, application security is validated against the OWASP Top Ten. App Security testing goes hand in hand with Application Log Monitoring.

Security Testing

Regular penetration tests are a good idea to capture the application status. From manual exploratory & exploit (OSINT, Burp Suite, manual attack), to regular vulnerability scans (GVM, ZAP, etc.)

Security Monitoring

Utilizing large data harnesses, such as Elastic, log data can be easily turned to security focused dashboards. Alerts are driven by triggering levels, notifying the appropriate departments.

APP TESTING

SDLC & COMPLIANCE

From manual testing to application automation, Quality Assurance and software reliability is in focus. Adhering to an SDLC, reporting and validation, as well as policy creation and adherence, goes a long way towards compliance certification (HIPA, ISO, etc.)

Testing

Regular penetration tests are a good idea to capture the application status. From manual exploratory & exploit (OSINT, Burp Suite, manual attack), to regular vulnerability scans (GVM, ZAP, etc.)

Staying Compliant

Utilizing large data harnesses, such as Elastic, log data can be easily turned to security focused dashboards. Alerts are driven by triggering levels, notifying the appropriate departments.

philosophy

Security is a natural resulting focus from the Quality Assurance & Bug Hunting mindset.

From manual GitHub vulnerability search, to using tools to scrape local repositories for exploitive & vulnerable code.

Code Analysis

Static | Dynamic

Monitoring logs using Filebeat and Elastic, as well as IDS applications like Suricata are pivotal with compliance and security.

Log Monitoring

Elastic | IDS | SIEM

Develop tools from automated regression, to static code analysis, as well as 3rd party tools assist in validation of code quality.

Tooling

3rd Party | Developed

Achieved ISO 27001 corporate compliance by holding strong SDLC policies, regular Pen Testing, Code analysis, and Log monitoring.

Compliance

Security Engineer

news & blogs

blog over tips

  • OSINT: Getting Git secrets with .patch
    OSINT: Getting Git secrets with .patch

    The information presented is for learning and investigative purposes using OSINT (Open Source Intelligence). This…

    Brian Warner
  • ISO 27001
    ISO 27001

    To get a company ISO certified requires a lot of planning and effort from a…

    Brian Warner
  • Writing a Static Code Analyzer for Security
    Writing a Static Code Analyzer for Security

    As I get more into white box testing of code bases, I started looking for…

    Brian Warner

FAQ

common questions

How often to run penetration tests?

These tests should be run regularly on a schedule – for my work, I prefer to run them monthly.

Can a company be compliant and use AI?

Yes. AI needs to be specified in the scope of compliance documentation. The main ai compliance factors relate to 1) Bias 2) fairness. Bias relates to ai that offers advice, that it uses a non biased dataset to base responses to clients. fairness is a requirement that a company will not “outsource” jobs to AI.

How can I perform static code analysis if I am not intimate with the laguage?

teams may switch languages, or you may change jobs. Your role as security remains the same, no matter what. You can use (add on) open-source tools, like my own [link] or use ai to help write tools to perform static code analysis.

What is your preferred os for security testing?

dedicated os, is osx on my mac laptop. However, I also make use of kali linux vm’s, debian vm’s, debian derived tools (Ubuntu) and Parrot os.

Is there a role for SDLC Security Testing?

Security should also be part of the regular Software development life-cycle. This includes white-box static code analysis, as well as testing code against common vulnerabilities (owasp top 10).

How can a company establish a strong blue team position?

run all application and server logs through a central resource (such as Elastic). From the log parsing, create a dashboard of data objects. Trigger event based notifications. Work with 3rd parties to protect against ddos (cloudflare) and block tor traffic. create documentation and play books for the moment. of incident.

Are there security tools to test mobile?

Yes. One of my favorite open-source tools is MobSF [link].

How can I get into security?

I got into the field through the Quality assurance path. After many years doing QA, I found a need at my job where there was lacking security. I filled the role with vulnerability scans. Then I took courses at Offensive security to get into true penetration testing (Oscp, web-200, web-300). I also wrote many tools for the company. I also created a prototype siem by harvesting logs with elastic stack. On top of all this, I created teh company’s security wiki for reference by staff.