Prioritize, Keep Pace, Prevail.

RESEARCH

Our research and development program sets industry standards in cyber security

At Dionach we are proud of our well-established research and development program. Our team of consultants is focused on continually uncovering new technical vulnerabilities in software and hardware, raising the bar in security assessment services and sharing our knowledge through whitepapers and various industry channels.

Through the responsible disclosure process we have published numerous vulnerabilities in leading software applications that our team has identified.

As part of our commitment to remaining vendor independent and offering the best technical solution to each client engagement, we also develop proprietary security tools for testing methods including vulnerability scanning, spear phishing and security auditing. In practice, our consultants have a wide range of commercial, open-source and custom tools at their disposal to deliver industry-leading outcomes for our client base.

Some of our custom tools are published as open source on Dionach’s GitHub page: https://github.com/Dionach.

TECHNICAL BLOG

Cyber Security: Back to Basics

As an industry, we are vulnerable to being dazzled by new technologies, distracted by future trends, and overwhelmed by threat intelligence and security analytics data. In doing so, we are in danger of losing sight of the fundamentals of cyber security.


A case of a misconfigured CORS implementation

During a recent penetration test I conducted against one of our client’s websites, I found an interesting case of a misconfigured CORS implementation that I would like to quickly showcase in this post. From Wikipedia, cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a


NESA UAE Information Assurance Standards

The UAE’s National Electronic Security Authority (NESA) has developed the UAE Information Assurance Standards (IAS). These are primarily based on ISO 27001:2005. This blog entry reviews the IAS and looks at how organisations can comply with them.


Risk-based Application Penetration Testing

It is generally accepted within the information security world that penetration testing is a good way to provide assurance as to the security of applications or infrastructures. With numerous companies offering these testing services, how do you differentiate and evaluate which company uses the best approach for your organisation? At


Should I whitelist my pentester on my IPS?

Should I whitelist my penetration tester’s IP address range on my intrusion prevention system? Variations of this question have featured in numerous information security forums and mailing lists. Unfortunately the factors and variables in play here are considerable so a worthy response is unlikely to be short or universal. This


Information Security Tips

Some simple tips to improve the Information Security of your organisation. Stop using sticky notes as advertisements for your passwords. Do not leave your password where someone can easily read it. This is the same as not having a password at all, as anyone can read it and log in


Splunk Web Shell

Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as “admin” and are granted the associated privileges without having to authenticate. Splunk is based on Django, and among the options it gives you when accessing the admin panel is


What is Red Teaming?

Red Team exercises can be thought of as extended penetration tests designed to thoroughly assess an organisation’s security posture across multiple domains. Some security firms employ the term liberally, packaging it up and conflating it with conventional assessments; just maybe with a bit of social engineering thrown in. But ‘old
