All Posts

Moving away from MVC

In of all my years as a software engineer, trying new libraries, frameworks and paradigms has been such a pleasure especially in web development. Even before the well known javascript libraries, web development was based on backend apps which render heavy html code within css and some js code. Frameworks such as spring, .NET MVC, django and rails helped us with abstractions and predone tasks increasing development speed and quality (reuse principles). But, it was not enough. Apps were getting

9 min Komand

Microservices – Please, don’t

This article originally appeared on Basho. It is adapted from a lightning talk Sean gave at the Boston Golang meetup in December of 2015. For a while, it seemed like everyone was crazy for microservices. You couldn’t open up your favorite news aggregator of choice without some company you had never heard of touting how the move to microservices had saved their engineering organization. You may have even worked for one of those compan

5 min Automation and Orchestration

Malware Attack Vectors

Synopsis You’re a malware writer. You’ve been tasked with infecting a remote computer, one that you have never seen before, have no physical contact with, and don’t have the IP address of. Maybe you have the email address of a user of that computer, or just the name of the facility in which that computer is stored. How do you proceed? Hopefully I’m not describing you or someone you know, but sometimes it can be helpful to consider the mindset of an adversary when devising defensive measures. In

3 min InsightIDR

3 Ways for Generating Reports on WAN Bandwidth Utilization

3 popular ways of getting visibility into WAN bandwidth monitoring, one of the most popular use cases for network traffic analysis.

3 min Nexpose

Managing Asset Exclusion to Avoid Blind Spots

Don't Create Blind Spots As a consultant for a security company like Rapid7, I get to see many of the processes and procedures being used in Vulnerability Management programs across many types of companies. I must admit, in the last few years there have been great strides in program maturity across the industry, but there is always room for improvement. Today I am here to help you with one of these improvements – avoid

13 min Vulnerability Disclosure

Multiple Disclosures for Multiple Network Management Systems, Part 2

As you may recall, back in December Rapid7 disclosed six vulnerabilities that affect four different Network Management System (NMS) products, discovered by Deral Heiland of Rapid7 and independent researcher Matthew Kienow . In March, Deral followed up with another pair of vulnerabilities

13 min Automation and Orchestration

OSSEC Series: Configuration Pitfalls

Synopsis: OSSEC is a popular host intrusion and log analysis system. It’s a great tool, and when configured and customized properly it can be a very powerful and holistic addition to your environment. In this article I will list a number of problems I’ve encountered while using OSSEC over the years. Many of these are the result of incomplete documentation. The purpose of this article is to save you time if you’re having trouble getting things working while doing similar tasks. Pitfalls: A gro

2 min Security Strategy

The One Aspect of Selling Security That You Don't Want to Miss

This is a guest post from our frequent contributor Kevin Beaver . You can read all of his previous guest posts here . When it comes to being successful in security, you must master the ability to “sell” what you're doing. You must sell new security initiatives to executive management. You must sell security policies and controls to users. You even have to sell your customers and business partners on what you're doing to minimize information risks. Thi

2 min Authentication

Credential Status in Reporting Data Model

The new version of Reporting Data Model (1.3.1) allows Nexpose users to create CSV reports providing information about credential status of their assets, i.e. whether credentials provided by the user (global or site specific) allowed successful login to the asset during a specific scan. Credential Status Per Service The new Reporting Data Model version contains fact_asset_scan_service enhanced with the new column containing the information about creden

5 min Log Management

Log Search Simplified

Hi, I'm Laura, UX Designer at Logentries and today I'm going to discuss how just about anyone can use Logentries to search and analyze their log data no matter what their job title or technical skill level. What is Logentries? At Logentries, the team works tirelessly to provide an easy to use log management service that allows users to stream their logs from just about anything. Logentries can accept data from almost any device that generates log data, inclu

4 min Security Strategy

UX Research: Steps & Methodologies to Inform Product Redesign

The user experience (UX) design and research teams are preparing to revamp Rapid7's customer learning and online help. As such, I thought I would take the opportunity to provide our community insight into the role UX research plays in bringing new designs – of both new and existing features and experiences – to fruition. Before I begin, I'll tell you a little bit about our “research” team. The Rapid7 UX research team, which sits within the greater UX team, consists of myself and my colleague Ge

5 min IT Ops

Get your work done even faster with the Logentries REST API

Now you can get your work done even faster by automating tasks with the Logentries REST API. With the ability to programmatically query data, manage users, create alerts and integrate third party tools, it’s now easier to finish the job and get on with your day. Table of contents * Query API- Example Usage * Team and User Management API- Example Usage * Tags and Alerts API- Example Usage * LeExportPy- Read More * LeCLI- Read More On-demand Webinar Interested in learning more about the

4 min Automation and Orchestration

Secure Password Storage in Web Apps

Synopsis We like writing web applications. Increasingly, software that might have once run as a desktop application now runs on the web. So how do we properly authenticate users in web contexts? Passwords, of course! Let’s look at how to handle password authentication on the web. What not to do It’s very tempting to use plaintext authentication for web applications. Let’s whip up a quick python web server that we’ll use to test authentication. Let’s say we want to provide access to magic number

5 min Komand

5 Reasons Companies Are Losing Security Talent (And What to Do)

It’s hard enough finding security talent, but losing the talent you already have can be a particularly painful blow. That’s why we’ve put together a quick guide to help you: * Address some of the underlying causes of attrition * Increase retention of your security talent * Solve the security gap at your organization Here are five common talent-retention challenges and how to address them head-on. Challenge #1: Constrained Budgets and Disproportionate Strategy According to Kaspersky Labs, 8