Research

Our research and development programme sets industry standards in cyber security

At Dionach we are proud of our well-established research and development programme. Our team of consultants are focused on continually uncovering new technical vulnerabilities in software and hardware, raising the bar in security assessment services and sharing our knowledge through whitepapers and various industry channels.

Through the responsible disclosure process we have published numerous vulnerabilities in leading software applications that our team has identified.

As part of our commitment to remaining vendor independent and offering the best technical solution to each client engagement, we also develop proprietary security tools for testing methods including vulnerability scanning, spear phishing and security auditing. In practice, our consultants have a wide range of commercial, open-source and custom tools at their disposal to deliver industry-leading outcomes for our client base.

Some of our custom tools are published as open source on Dionach’s GitHub page: https://github.com/Dionach.

Technical blog

Cisco ASA Firewall Hardening

Introduction I have conducted numerous firewall review for various types of organisations over the years. A common theme observed during these reviews is that most organisations do not have a firewall hardening procedure and/or do not conduct a regular firewall review...

read more

Introduction To Red Teaming

When a company is in the process of proactively improving security posture, there are various services and standards that comes into help. Performing a penetration test of a production website or a vulnerability assessment of the internal network are valid methods to...

read more

Fun with SQL Injection using Unicode Smuggling

During a recent test, I ran into a curious SQL injection vulnerability that required some old but still valid tricks to bypass certain restrictions, and then some imagination to fully exploit it and get command execution on the vulnerable server. First off,...

read more

What is the difference between ISO 27001 and ISO 27002?

In short, ISO 27001 is the standard for implementing an Information Security Management System (ISMS) that companies are certified against. It details what organisations must implement in order to have an ISMS that meets the requirements of ISO 27001. To broadly...

read more

OWASP Top 10 2017 Final Release Review

Back in May 2017, I reviewed the release candidate (RC1) version of OWASP (Open Web Application Security Project) Top Ten Web Vulnerabilities for 2017, which as stated within the previous blog entry, has been eventually rejected.To quote my previous OWASP...

read more

How to Spot Phishing Email Attacks

Social engineering attacks are becoming increasingly popular amongst attackers, as a strategy to breach companies. Verizon carried out a study on social engineering attacks and found that over 43% of breaches that were documented involved some form of social...

read more

Quick Comparison Between iOS and Android Encryption

Encryption in mobile devices is tricky and often developers do not fully understand the mechanisms that iOS and Android, the most common operating systems for mobile devices, provide to ensure data stored on the devices remains relatively secure. In this blog post I...

read more

PostgreSQL 9.x Remote Command Execution

During a recent penetration test I was able to gain access to a PostgreSQL 9.0 service. While the process for executing system commands from PostgreSQL 8.1 and before is straightforward and well documented - there is even a Metasploit module to make the process very...

read more