Posted by merc in Secure Development
on Sep 11th, 2012 | 0 comments
If you are using WCF client certificate authentication on a site that accepts but does not require client certificates in transport security mode and see this error:
“The HTTP request was forbidden with client authentication scheme ‘Anonymous’.”
Make sure your certificate was issued with the following purpose:
“Proves your identity to a remote computer”
EOM
Posted by merc in Secure Development
on Sep 7th, 2012 | 0 comments
Working on a WCF service with transport security using client certificates for credentials, I came across this error today:
“The SSL settings for the service ‘SslRequireCert’ does not match those of the IIS ‘Ssl’.”
Having figured out what the issue is, the message is now obvious, but before I had the solution, a Google search led me nowhere. I finally figured out that IIS’s default setting for handling client-side certificates is to ignore them. Once I changed it from “Ignore” to “Accept”, the service started working.
As a recap...
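As an added configuration example (not from the post, with hypothetical service and contract names) tying the two WCF posts above together: the IIS setting that produces the “SslRequireCert does not match IIS ‘Ssl’” error sits in a comment next to the corrected one, followed by the WCF transport binding that asks the client for a certificate.

```xml
<!-- web.config of the site/application hosting the WCF service (hypothetical names). -->
<configuration>
  <system.webServer>
    <security>
      <!-- IIS default, "Ignore" in IIS Manager, is sslFlags="Ssl": TLS is on but the
           client certificate is never requested, so WCF reports that its own
           'SslRequireCert' requirement does not match IIS's 'Ssl'.
             <access sslFlags="Ssl" />
           "Accept" (the fix described in the post) adds SslNegotiateCert;
           "Require" would be "Ssl, SslRequireCert". -->
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security>
  </system.webServer>

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Transport (TLS) security; the caller authenticates with an X.509
             certificate, which must carry the Client Authentication purpose
             ("Proves your identity to a remote computer"). -->
        <binding name="ClientCertBinding">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Example.SecureService">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="ClientCertBinding"
                  contract="Example.ISecureService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Note that the `system.webServer/security/access` section is locked at the server level by default, so the `sslFlags` value usually has to be set through IIS Manager’s SSL Settings (or committed to applicationHost.config) rather than in the site’s web.config.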
Posted by merc in Secure Development
on Aug 16th, 2012 | 0 comments
As featured in PenTest Magazine
If you could tell your customers that you can help them secure their custom-built software, significantly reduce the number of bugs and save them money in the process, do you think they would heed your advice?
Penetration testing is an effective technique in finding vulnerabilities and demonstrating the impact and severity of these issues. Typically, a penetration test report will recommend security mitigations such as patches, firewalls, IDS/IPS, NAC, anti-malware, etc. In this article I’d like to focus on putting in place long term mitigation for custom...
Posted by merc in Vulnerability Research
on Mar 1st, 2011 | 0 comments
How do you find vulnerabilities in software? Here is a little bit about the tools and techniques I am familiar with.
Fuzzing
Probably the most common technique to find vulnerabilities is fuzzing. Fuzzing simply means sending random or not-so-random data to software. The more random a fuzzer is, the dumber it is. So-called smart fuzzers try to follow protocols or file formats more closely. There is no right or wrong, and usually a combination of both is useful in finding vulnerabilities. Dumber fuzzers tend to scratch more of the surface of the software, while smarter fuzzers get deeper into the...
Posted by merc in Protection
on Mar 1st, 2011 | 0 comments
Do not spend more per year on the security of an asset than the asset’s Annualized Loss Expectancy (ALE). The formula to calculate how much an asset’s realized security risk will cost you per year is: ALE = SLE * ARO
Annualized Loss Expectancy (ALE): how much money you should expect to lose per year due to a realized risk.
Single Loss Expectancy (SLE): revenue lost from a single occurrence of the risk.
Annualized Rate of Occurrence (ARO): how often you expect this risk to be realized per year.
Testing should focus on assets having the highest Annualized Loss Expectancy (ALE) since they are...
Posted by merc in Penetration Testing
on Mar 1st, 2011 | 0 comments
What is a vulnerability assessment?
A vulnerability assessment identifies vulnerabilities in a set of assets (computers, equipment, people) and categorizes them by severity. A lot of the discovery process is automated by tools and once a vulnerability is found, it is not exploited. Vulnerability assessments do contain false alerts that may need to be verified manually. A vulnerability assessment is less likely to cause the target applications, services or hosts to crash during the test.
What is a penetration test?
A penetration test is more manual than a vulnerability assessment and a wider variety...