Blogs and Podcasts
Man vs Webapp: Blog and Podcast from Dan Kuykendall (Co-CEO/CTO) and the NTOLabs Team.
An Information Security Place Podcast: Where to hear commentary on the state of information security. Dan Kuykendall, Co-CEO of NT OBJECTives, co-hosts this security podcast. New episodes posted bi-weekly.
Online Training: Try watching our online training videos.
Free Tools
NTO SQL Invader - Gives you the ability to quickly and easily exploit or demonstrate SQL Injection vulnerabilities in Web applications. With a few simple clicks, you will be able to exploit a vulnerability to view the list of records, tables and user accounts of the back-end database.
White Papers
Detecting Persistent Cross-Site Scripting
This white paper will explain how these attacks work and will discuss the difference between Non-Persistent Cross-Site Scripting and the far more dangerous Persistent Cross-Site Scripting variations. We will highlight the challenge presented to Web Application Security Scanners and how only NTOSpider solves it.
Phishanomics: The Economics of Phishing, the iframe attack and the Brand ROI of Security Spending
This paper will argue that the iframe attack (popularized by the Bank of India hack) has fundamentally altered the way that security professionals must defend less important websites. By allowing phishers to leverage a company’s brand to steal from users, the iframe attack has made an entirely new class of formerly unimportant sites into material security concerns.
Is Your Website Already Infected?
Analyzing and Detecting Malicious Content. This paper asks a question many web admins would rather not face. Is your website already infected with malicious content? How to find out and what to do about it.
Security Snake Oil
Why Known Vulnerability Checks for Web Applications Simply Don’t Work. This paper explains the ineffectiveness of known vuln checkers such as Nikto, Wikto and other such solutions added to network scanning tools.
Application Vulnerability Scanners: Understanding Your Organization's Needs
With the proliferation of application security products, namely vulnerability scanners, many organizations are struggling to understand what features are most important to them and their unique security concerns. This solutions white paper explores 10 important questions that assist in identifying your organization's needs from such solutions, regardless of vendor.
Budgetary Aspects of Web Application Security
Many organizations are discovering that they are extremely vulnerable to web application hacks. Perimeter protection and network security provide some protection, but the majority of these threats occur at the Web application layer, and it is critical for organizations to put comprehensive programs in place that include application security. Many organizations wonder why the security investments they have already made are no longer sufficient. This article provides guidance for including Web application security in your overall strategy, and best practices for planning and budgeting for it appropriately.
Web Application Exposure to Risk: Raising Awareness to Build Confidence and Improve Security
Web applications possess a given level of inherent security exposure based on numerous variables associated with their environment and intended functionality. In this technical white paper, NTO outlines the important considerations and policies required to proactively understand threat exposure and how to leverage this knowledge in order to mitigate security concerns and build effective policies to minimize security risk.
If You Can’t Crawl It, You Can’t Test It
Why A Little Understood, Challenging Technology May be the Key to Application Security. This paper details the critical nature of a strong automated crawler in web application scanners.
Book Recommendations
HackNotes: Web Security Portable Reference, by Mike Shema
As one of the most recognized application security experts in the world, Mike Shema quickly and concisely explains application security threats and countermeasures. Let researcher, consultant, trainer, and author Mike Shema show you how to guard against standard and uncommon web site penetration methodologies and eliminate susceptibility to e-commerce hacking. Plus, learn to bolster Web application security and secure vulnerable hacking function areas.
The Anti-Hacker Toolkit, by Mike Shema, Keith Jones & Brad Johnson
Explains how to use 100 plus software tools for auditing systems on a network, auditing a network, and investigating incidents. The authors also overview some of the most common hacking programs used in attacks, and how to detect them on a system. Topics include port scanners, vulnerability scanners, password crackers, and war dialers. Among the specific products described are Netcat, Nessus, Tripwire, John the Ripper, and the Forensic Toolkit. The CD-ROM contains demonstration and open source security tools.
Hacking Exposed: Web Applications, by Mike Shema & Joel Scambray
Get in-depth coverage of Web application platforms and their vulnerabilities, presented in the same popular format as the international bestseller, Hacking Exposed. Covering hacking scenarios across different programming languages and depicting various types of attacks and countermeasures, this book offers you up-to-date and highly valuable insight into Web application security.