
Doug Rogahn

Security Consultant

Doug Rogahn is a security consultant in Optiv’s advisory services practice on the application security team, delivering a variety of service offerings including web and mobile application assessments, architecture reviews, and database security reviews. Doug’s role is to provide post-sales support and consulting to Optiv’s clients and to support and mentor other Optiv team members.


From Low to p0wn (Part 3 of 3)

· By Doug Rogahn ·

In the final installment, we will again be looking at an instance of vulnerability stacking; this time, however, the focus is account management. I have seen the set of issues I will discuss in this post all reported as low severity. I have also seen instances where the severity has been increased due to the ability to combine the vulnerabilities associated with an application to perform a more advanced attack.


From Low to p0wn (Part 2 of 3)

· By Doug Rogahn ·

In this scenario, we focus on session management. The most common session management mechanism is a session cookie. We commonly see session cookies without the Secure flag, which means the browser will also send the cookie over plaintext HTTP. Issues like weak SSL cipher suites, the presence of an invalid SSL certificate or a missing HTTP Strict Transport Security (HSTS) header weaken the security posture of the application and increase the likelihood of an attacker being able to intercept and view the application communications, session cookie included.
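The stack described above can be checked mechanically. The following is an added example, not code from the original post: it takes a response's headers as a list of (name, value) pairs, flags session-looking cookies that lack the Secure or HttpOnly attribute, checks for the Strict-Transport-Security header, and reports when the two low findings (no Secure flag, no HSTS) combine into a session cookie that a plaintext request would carry in the clear. The two header sets, the cookie-name heuristic and the helper names are this example's own constructions and assumptions.

```python
"""Check a response header set for the session-management finding stack.

Added example (not Optiv's or the post's own code). Input is a list of
(header-name, header-value) tuples exactly as the HTTP response carried
them, so repeated Set-Cookie headers are preserved.
"""

# Assumption: substrings that mark a cookie as a likely session token.
SESSION_COOKIE_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; valueless attributes such as
    Secure and HttpOnly map to True, others to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def assess(headers):
    """Return the individual findings and whether they stack.

    Each finding on its own is the kind of item commonly rated low.
    A session cookie without Secure *and* no HSTS header is the
    combination that matters: HSTS (once the browser has seen it) is
    what stops the browser from ever making the plaintext request that
    would expose a non-Secure cookie, so with both missing any
    http:// link or typed hostname sends the session token in the clear.
    """
    hsts_present = any(
        name.lower() == "strict-transport-security" for name, _ in headers
    )
    findings = []
    non_secure_session_cookie = False
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = parse_set_cookie(value)
        if not looks_like_session_cookie(cookie_name):
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure flag")
            non_secure_session_cookie = True
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly flag")
    if not hsts_present:
        findings.append("missing Strict-Transport-Security header")
    return {
        "findings": findings,
        "session_cookie_exposed_over_http": non_secure_session_cookie
        and not hsts_present,
    }


# Constructed sample header sets for the two cases.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, assess(hdrs))
```

Running the module prints three individually minor findings for the weak response together with the stacking flag set; the hardened response produces no findings. The same assessment is worth running on every response that sets a cookie, not just the login response, since frameworks frequently re-issue session cookies on later requests with different attributes.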


From Low to p0wn (Part 1 of 3)

· By Doug Rogahn ·

There is a growing trend in the information security and risk management world of ignoring low severity findings from security testing. Perhaps it stems from PCI allowing organizations to pass audits with outstanding, low severity vulnerabilities. Perhaps it is a result of the volume of findings needing remediation coupled with insufficient resources. Whatever the cause, the result is low severity findings being deprioritized and forgotten.
