appsec – Where can I download the Blue Coat Unified Agent?

I work for a company and do not have an official laptop. In the current situation of working from home,
I am trying to download a Blue Coat Unified Agent onto my personal laptop so that I can access certain Office 365 applications on my company's server.

Is it possible to download the agent myself without my company's IT support team?

AppSec – Cybersecurity Startup (Vulnerability Research & Red Team)

If I wanted to move from independent work to a good plan for building a startup based on what I was basically doing at companies (penetration testing, some red team engagements; I've also been in vulnerability research for a few years), but I also want to apply it to business: of course I can't start with everything, but how do companies make offers? Vulnerability research: sell the service without a product like Metasploit or Core Impact, or sell exploits to the government? The closest thing to this area is application vulnerability analysis/product security, which ranges from web apps to software and looks for loopholes and remedies. Depending on the setting restrictions, the following things may also be affected:

fuzzing
reverse engineering
protocol analysis
data injection
target application binary analysis and debugging
session manipulation
flow analysis

appsec – Testing web applications from an end user's perspective

I looked at OWASP and other types of checklists for testing web applications. One of the best methods is to ensure that the session IDs that are generated are sufficiently random and unpredictable.

Suppose I am an end user at a company who is not authorized to install software on my laptop in order to test the security of a web application through my web browser.

In my opinion, this ensures that no one can force an encrypted HTTPS (SSL/TLS) connection to prevent the disclosure of the session ID through MitM (man-in-the-middle) attacks. Simply capture the session ID from web browser traffic.

If the session IDs are actually encrypted based on HTTPS, can we still determine if the session IDs are sufficiently random and unpredictable? I asked myself this question, and for me the narrow and likely answer that I would give myself is no. (I might be wrong.)

Am I also correct to say that, to know whether session IDs are generated randomly and unpredictably, you would actually need access to the internal web application code? There's probably a lot more I can't do without additional tools to gather more information about the web application.

What are the other types of test cases that, as an end user who may not have advanced tools to search the network or read the underlying code, I could use to test web applications more fully and add value? For example, testing for invalid entries and checking whether errors are issued.
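As an added example (not part of the question above, and not code from any product it mentions), the following Python script shows the cheap, black-box checks a browser-only tester can run on a handful of session IDs copied out of the browser's cookie store: character entropy, whether the IDs step upward like a counter or timestamp, and whether they share a fixed prefix. The two token sets are constructed here; PREDICTABLE mimics a counter-based ID and RANDOM_LOOKING is derived from SHA-256 so the run is deterministic. These signals can only flag an obviously weak generator; a clean result does not prove the IDs are unpredictable.

```python
import base64
import hashlib
import math
from collections import Counter

# Constructed sample token sets (not captured from any real application).
# PREDICTABLE mimics a counter-based session ID; RANDOM_LOOKING stands in for
# CSPRNG output (derived from SHA-256 here so the example is deterministic).
PREDICTABLE = [f"{1000 + i:08x}" for i in range(20)]
RANDOM_LOOKING = [hashlib.sha256(f"token-{i}".encode()).hexdigest()[:32] for i in range(20)]

HEX_DIGITS = set("0123456789abcdefABCDEF")


def token_to_int(token: str) -> int:
    """Interpret a session ID as an integer: hex if it looks like hex, else base64."""
    if set(token) <= HEX_DIGITS:
        return int(token, 16)
    padded = token + "=" * (-len(token) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def char_entropy(tokens) -> float:
    """Shannon entropy in bits per character over the whole sample (hex tops out at 4.0)."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(tokens, max_step: int = 1 << 16) -> bool:
    """True when every ID is a small positive step from the previous one (counter, timestamp)."""
    values = [token_to_int(t) for t in tokens]
    diffs = [b - a for a, b in zip(values, values[1:])]
    return bool(diffs) and all(0 < d <= max_step for d in diffs)


def shared_prefix_len(tokens) -> int:
    """Length of the prefix common to every token; a long one suggests fixed structure."""
    first = tokens[0]
    n = 0
    while n < len(first) and all(len(t) > n and t[n] == first[n] for t in tokens):
        n += 1
    return n


def analyse(tokens) -> dict:
    """Summarise the black-box signals; nothing here proves unpredictability."""
    return {
        "entropy_bits_per_char": round(char_entropy(tokens), 2),
        "sequential": looks_sequential(tokens),
        "shared_prefix_len": shared_prefix_len(tokens),
        "distinct": len(set(tokens)) == len(tokens),
    }


if __name__ == "__main__":
    for name, sample in (("counter-based", PREDICTABLE), ("random-looking", RANDOM_LOOKING)):
        print(name, analyse(sample))
```

Collecting the IDs is just logging out and back in a dozen times and copying the cookie value each time; twenty tokens is enough to expose a counter or a timestamp, but far too few for any statistical test to say more than "nothing obviously wrong".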

appsec – Securing User Secrets in KeyChain vs Keychain + Biometrics

The usual approach to securing user secrets in native applications seems to be to store the secret in the keychain and add an additional layer of protection using biometrics / Touch ID / Face ID.

My questions:

Will your app be safer by adding the extra level of protection (biometrics)? What advantage have you gained if the attacker was able to unlock your phone using the same biometrics that you used to secure your app?

To which attack methods is an app open if it backs up user data in the keychain but does not use biometrics as an additional second factor?

Some apps also use a 4-digit PIN entry as an alternative to biometrics. Isn't that a placebo? I.e., most of the app's security relies on the fact that the application relies on an operating system that provides a keychain and a secure mechanism for this app, and only for this app, to retrieve its secrets. What if you add a 4-digit PIN to allegedly hack your secrets and then secure them in your keychain?

appsec – AMSI scan for domain-specific languages

Should an application running on Windows with a DSL (in this case a domain-specific language script interpreter) pass these scripts to AMSI for scanning, or should we limit ourselves to more familiar types such as DLLs, Excel, and so on?

I do not expect that our DSL will ever be a global standard, so anti-malware detection is unlikely ever to catch anything, but part of me says we should send it anyway, just in case. The only downside is that false alarms can be more harmful than not scanning. Of course we can scan ourselves, but these will always be just trivial checks.

Separately, we also have the ability to use a JIT and generate x86 code dynamically from "C" scripts. This is a bit riskier (though it is only executed in a controlled, unprivileged way and is not normally activated). Can AMSI detect potential problems in "C" source code? (e.g. ShellExecute("del windows xyz"))

The AmsiScanBuffer() function just seems to return AMSI_RESULT_NOT_DETECTED, with no indicator like "I do not know what this content is".

If AMSI is not the right approach, what should we look for?
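As an added example (not from the question above and not from any real DSL host), here is how a script host would hand its scripts to AMSI from Python via ctypes, and how it would turn the AMSI_RESULT value into a run/don't-run decision. The AMSI_RESULT constants are the ones from amsi.h; AMSI has no "unknown" verdict, so the host policy below treats both AMSI_RESULT_CLEAN and AMSI_RESULT_NOT_DETECTED as "run". The ctypes bindings, the hypothetical .dsl scripts and the app name are my assumptions; the AMSI test string is the one Microsoft documents for checking that a provider is registered, and scanning it first tells you whether AMSI_RESULT_NOT_DETECTED means "nothing found" or "no provider looked". The scan itself only executes on Windows; on other platforms scan_scripts() returns None.

```python
import ctypes
import sys

# AMSI_RESULT values from amsi.h; anything >= AMSI_RESULT_DETECTED is malware
# (this is the check the AmsiResultIsMalware() macro performs).
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 32768

# Microsoft's documented AMSI test string: a registered provider flags it, so
# scanning it first shows whether any provider is actually wired in.
AMSI_TEST_SAMPLE = b"AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

# Constructed scripts in a hypothetical DSL, standing in for what the host would scan.
DSL_SCRIPTS = [
    ("report.dsl", b"load table orders\nsummarise by region\n"),
    ("probe.dsl", AMSI_TEST_SAMPLE),
]


def classify(result: int) -> str:
    """Map an AMSI_RESULT value to a verdict name."""
    if result >= AMSI_RESULT_DETECTED:
        return "detected"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked_by_admin"
    if result == AMSI_RESULT_CLEAN:
        return "clean"
    return "not_detected"


def should_run(result: int) -> bool:
    """Host policy: run only when nothing is flagged; AMSI offers no 'unknown' to wait on."""
    return classify(result) in ("clean", "not_detected")


def scan_scripts(app_name: str, scripts):
    """Scan each (name, bytes) pair in one AMSI session; returns None off Windows."""
    if sys.platform != "win32":
        return None
    amsi = ctypes.WinDLL("amsi")
    HANDLE = ctypes.c_void_p
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(HANDLE)]
    amsi.AmsiInitialize.restype = ctypes.c_long  # HRESULT; negative means failure
    amsi.AmsiOpenSession.argtypes = [HANDLE, ctypes.POINTER(HANDLE)]
    amsi.AmsiOpenSession.restype = ctypes.c_long
    amsi.AmsiScanBuffer.argtypes = [HANDLE, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_wchar_p, HANDLE, ctypes.POINTER(ctypes.c_int)]
    amsi.AmsiScanBuffer.restype = ctypes.c_long
    amsi.AmsiCloseSession.argtypes = [HANDLE, HANDLE]
    amsi.AmsiCloseSession.restype = None
    amsi.AmsiUninitialize.argtypes = [HANDLE]
    amsi.AmsiUninitialize.restype = None

    ctx = HANDLE()
    if amsi.AmsiInitialize(app_name, ctypes.byref(ctx)) < 0:
        raise OSError("AmsiInitialize failed")
    session = HANDLE()  # one session lets the provider correlate the scripts
    if amsi.AmsiOpenSession(ctx, ctypes.byref(session)) < 0:
        amsi.AmsiUninitialize(ctx)
        raise OSError("AmsiOpenSession failed")
    verdicts = []
    try:
        for name, data in scripts:
            buf = ctypes.create_string_buffer(data, len(data))
            result = ctypes.c_int()
            hr = amsi.AmsiScanBuffer(ctx, buf, len(data), name, session, ctypes.byref(result))
            if hr < 0:
                raise OSError(f"AmsiScanBuffer failed for {name}: 0x{hr & 0xFFFFFFFF:08x}")
            verdicts.append((name, classify(result.value), should_run(result.value)))
    finally:
        amsi.AmsiCloseSession(ctx, session)
        amsi.AmsiUninitialize(ctx)
    return verdicts


if __name__ == "__main__":
    print(scan_scripts("ExampleDslHost", DSL_SCRIPTS))
```

Passing the script's file name as contentName is what lets a provider report something useful in its own logs when it does flag a buffer; a host that scans fragments should give each fragment a stable name for the same reason.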

appsec – How do I learn to create codes?

I am a Commerce Stream student with some computer literacy. I can create and develop games and applications, and I know how to properly use script kiddie operating systems. So far, I'm pretty familiar with basic Python, C++ and C# (I honestly use a few hints even for basic ones) and the full HTML programming language. I would like to learn other programming languages, and learn those that I already know fully, such as C#, C++, Java, CSS, JavaScript, Python, etc., to extend my knowledge on these topics and use them to further a future career in IT. Where do I start, and where do I get the right and complete resources for free?
Even if I know a bit about these topics, why couldn't I create tools and code myself like professionals?

appsec – Secure coding standards and guidelines

I've tried to look for available secure coding guidelines for server-side and client-side languages.

There is online documentation from Oracle for Java, Microsoft for ASP.NET, and W3 for HTML5, just to name a few. There were also third-party guidelines from SEI, Veracode, etc.

Question:

For secure coding, must third-party documentation such as Veracode's be followed?

Is the documentation of the parent vendor (such as Oracle, Microsoft, etc.) lacking any security policy found in third-party publications, such as Veracode's?

Do all scripting / programming languages have secure coding policies? Is it mandatory?

appsec – Could mobile apps that always listen secretly spy on conversations?

Various apps and services that are available on modern smartphones are constantly listening with the microphone (e.g. Siri or Google Assistant waiting for the wake-up word, the "Now Playing" function on Pixel phones). To address users' concerns about privacy, most of these services promise to process only the relevant bits of recorded audio (e.g. the voice command following the wake-up word, audio signatures of songs recognized by "Now Playing").

How can users be sure that other recorded sounds, e.g. private conversations, are not processed and transcribed locally on the device and sent to their servers in the form of encrypted text or audio signatures? Compression, timing, obfuscation and encryption can make it difficult or even impossible to detect such behavior through traffic analysis.

My question is: are users ultimately relying on their trust, or are there effective ways to validate the data protection promises that have been made?

I'm grateful for all the ideas and insights you can share.