Oct 23, 2012
Interview Dan Kuykendall
Dan manages NT OBJECTives’ software development and has an extensive background in web application development and security and is co-host of "An Information Security Place" Podcast.
How did you get your start in information security?
We are seeing the proliferation of apps using JSON, AJAX, REST, etc. These apps have vulns that aren't being tested by scanners and people don't know how to test them, yet there are serious vulns there.
What about HTML5, what are the new vulnerabilities and protections? How can we test them?
What are the challenges, and solutions, for an automated scanner to overcome authentication?
How do you handle technologies such as Flash?
Which seems to have more vulnerabilities, in-house written apps, open-source or commercial? Or are they all even? What advice do you have for folks looking to acquire an application to solve a business problem?
Scanners traditionally have trouble with certain vulnerabilities; which ones are the most problematic?
Are people testing them by hand? If so, what can you do to be the most efficient?
Scanners haven't really kept up with the application technology and the coverage gap is widening. Scanners need more application coverage. They will never cover all of the app, but they should cover more. What are your thoughts on that as pen testers? How do you balance manual and automated testing?
Which vulnerability, with respect to web applications, goes unnoticed and unpatched the most?
What training options are available for application developers?
What advice do you have for folks who want to get started and learn how to test web applications for security?