
Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Industry

CVE Digest for January and February 2021: Buffer Overflows Take the Spotlight

Mar 1, 2021

In this CVE recap of January and part of February 2021, we review notable security vulnerabilities that can threaten an organization's attack surface.

By Britt Kemp

Technical Research

An Exploration of JSON Interoperability Vulnerabilities

Feb 25, 2021

Learn more about how the same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks.

By Jake Miller

Industry

What We Can Learn from the Accellion Breach

Feb 23, 2021

News about the recent Jones Day/Accellion vendor data breach highlights just how difficult third-party risk management (TPRM) is in practice.

By Joe Sechman

Industry

Choosing the Right Modern Application Security Tools

Feb 23, 2021

Tom Eston describes how a combination of manual and automated application security tools can best support the way your organization develops applications.

By Tom Eston

Industry

When to Engage a Red Team

Feb 16, 2021

Engage with a Red Team to uncover business risks and vulnerabilities, improve your defenses and security, and strategize and protect your environment.

By Todd Kendall

Industry

Preparing for the Google Partner Program Security Test

Feb 9, 2021

This self-assessment covers common threats to prepare for the Google Partner Program assessment, which validates the security of Google partners’ applications.

By Zach Moreno

Industry

How a Common Misconfiguration Led to Over 30 Critical Findings

Feb 2, 2021

Nate Robb discusses how continuous attack surface testing (Cosmos) found a new vulnerability that served as a pivot point to identifying more critical risks.

By Nate Robb

Culture

Bishop Fox Presents at 2021 Virtual CactusCon 9

Jan 28, 2021

Bishop Fox is a Partner sponsor of the 2021 virtual CactusCon 9 cybersecurity conference. Current and former Foxes will be presenting and running the CTF.

By Bishop Fox

Industry

Google Partner Program – GPP Top 10

Jan 26, 2021

We’ve created a prioritized list of the top 10 most common/high-risk bugs and trouble spots that we find on Google Partner security program assessments.

By Jake Miller

Technical Research

Bad Pods: Kubernetes Pod Privilege Escalation

Jan 19, 2021

Seth Art discusses the impact of overly permissive pod security policies and the importance of applying restrictive controls around pod creation by default.

By Seth Art

Advisory

Mautic Version <=3.2.2 Advisory

Jan 15, 2021

Bishop Fox advisory on Mautic application version 3.2.2. The Mautic application is affected by stored cross-site scripting (XSS) vulnerabilities.

By Dardan Prebreza

Advisory

CRAN Version 4.0.2 Advisory

Jan 11, 2021

Bishop Fox advisory on CRAN package manager version 4.0.2. A medium severity path traversal vulnerability was found in the CRAN package manager.

By Chris Davis, Joe DeMesy

Industry

Building a Security Program That Scales

Jan 6, 2021

Bishop Fox collaborated with a startup to build a scalable security program and methodology, while analyzing security risks during each step of the SDLC.

By Bishop Fox

Industry

Infosec Talks You May Have Missed This Year

Dec 18, 2020

Recap of Bishop Fox's favorite infosec talks from the security community in 2020, including presentations at DEF CON Safe Mode, BSides, DerpCon, and more.

By Britt Kemp

Industry

What We Know (And Don’t) About The SolarWinds Orion Hack So Far

Dec 15, 2020

Bishop Fox Lead Researcher Dan Petro provides a detailed explanation of what we know and don’t know about the recent SolarWinds Orion hack.

By Dan Petro

Industry

Continuous Testing Finds Major Risks Under the Surface

Dec 15, 2020

Nate Robb discusses how Continuous Attack Surface Testing operators use automation and human intel to identify emerging threats and protect perimeters.

By Nate Robb

Industry

cyber.dic 2.0: Expand Your Computer’s Vocabulary

Dec 10, 2020

Update of cyber.dic, the spell checker add-on specializing in cybersecurity terms. The tool offers support for industry-specific terms in word processors.

By Catherine Lu

Industry

The Stolen FireEye Red Team Tools Are Mostly Open Source

Dec 9, 2020

After an attack against FireEye by a nation-state group, we provide context about what’s in the GitHub repository and what these stolen red team tools do.

By Bishop Fox

Technical Research

Lessons Learned on Brute-forcing RMI-IIOP With RMIScout

Dec 8, 2020

New features have been added to RMIScout, a pen testing tool that performs wordlist and brute-force attacks against exposed Java RMI interfaces.

By Jake Miller

Advisory

OpenClinic Version 0.8.2 Advisory

Dec 1, 2020

Bishop Fox advisory on OpenClinic medical records software version 0.8.2, including high-risk missing authentication and insecure file upload vulnerabilities.

By Gerben Kleijn

Industry

The Pen Testing Tools We’re Thankful for in 2020

Nov 23, 2020

Recap of Bishop Fox's favorite penetration testing tools for 2020, including Nuclei, Spyse Search Engine, Dufflebag, GadgetProbe, RMIScout, and more.

By Britt Kemp

Industry

Diverse Perspectives Offer a Broader Understanding of Your Attack Surface

Nov 17, 2020

Barrett Darnell discusses how having a diverse, specialized team of CAST pen testers on your side can make your organization less vulnerable to groupthink.

By Barrett Darnell

Culture

Hacking Into Cybersecurity: Security Interns Share Their Stories

Nov 12, 2020

We have a robust internship program that has given many people an entry point to infosec. Learn more about breaking into the security industry.

By Nazariy Haliley

Industry

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 3)

Nov 10, 2020

Dan Petro delves into more methods of cheating at video games, highlighting lessons AppSec can learn from their complex and technical security challenges.

By Dan Petro
