Hey everyone. Just want to shoot out a quick blog post announcing the new Who is @nathiet? page. You may have noticed him as the author for several of our standard posts. Well, I don’t want to give away too many details here so I encourage you to check out his contributor page and follow him on Twitter at @nathiet. And if you want to find his info in the future, look no further than the Contributors area in the right-hand column.

Speaking of contributors … NovaInfosecPortal.com is always looking for articles from locals that want to get something off their chest. Even if you already have a blog, reposts of an existing article will help expose your meanderings to a wider audience.

Additionally, contributing an article is a great way to help keep this site going if you can’t afford to contribute in another way. It lets us focus on adding new features (and regularly patching so we don’t get hacked) for the rest of the community to enjoy.

If you’d like to contribute an article, let us know via our Contact Us page or mention @grecs in a tweet.

It’s been a busy week for local security bloggers—particularly for Richard Bejtlich of @TaoSecurity. With a whopping 8 or so posts this week, the Tao Security blog is where you should visit if you’re looking for great stuff to read.

You can also check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. Be sure to follow us on Twitter @grecs if you want to know more about what’s going on in the local security community.

Now, on to those posts!

#3 – Sanitize Those Inputs (Again): The third installment of their “Sanitizing Input in Web Apps” series, @geminisecurity shows why sanitizing web apps is not only a good idea, but necessary for good security. We’re especially keen on the idea of sanitizing input because it comes back to the idea of security basics we’re always talking about. You wouldn’t build a house with a faulty foundation, and security should be no different. Be sure to read the post to find out how to keep those inputs clean.

#2 – Interview With Marcus: It’s no secret that DojoSec and Marcus J. Carey are favorites of the local security community. And with DojoSec’s one year anniversary coming up in October, we were happy to find that Marcus did an awesome interview with Con-Techie about DojoCon, his relationship with Johnny from Hackers for Charity (please check them out!) and more. While Marcus linked to the interview in a post on his blog, you can find the full interview here.

#1 – The Tao of Open Source Vulnerability Disclosure: After publishing so many top-notch posts this week, it was hard to pick which of Richard Bejtlich’s posts should be featured this week. In the end, we had to go with his post “Open Source Vulnerability Disclosure with FreeBSD” because it is such an important and timely topic. It’s a great technical post filled with lots of helpful information. Be sure to check it out and pass it along if you find it to be helpful.

And last, but certainly not least, we wanted to mention Wade Woolwine’s (@wadew) “News and Commentary” post for this week. While we wanted to pick it for one of our top slots, he was nice enough to mention us (twice!), so we didn’t want anyone saying we were playing favorites. Be sure to check it out.

And if you haven’t already, you can check out the excellent guest post that Wade wrote for us just last week. (You can also contact us if you’d like to write a guest post like Wade did.)

Well, that’s all for this week. Happy reading!

If you’re getting a little tired of the debates surrounding the Cybersecurity issue, you’ll find the posts we selected for this week’s “Top NoVA Infosec Blog Posts” refreshing.

#3 – The Art of Persuasion: In his post “Recognizing False Arguments,” @electricfork outlines the familiar arguments that many of us hear when we try to convince our employers that a gaping vulnerability won’t just fix itself or go unnoticed by attackers. While employers tend to come up with all kinds of arguments—many of them ranging from slightly absurd to completely ridiculous—the reality is that we must be prepared to show our employers why vulnerabilities cannot remain unfixed. @electricfork does a great job of outlining basic responses to some of the most common arguments used against fixing vulnerabilities. You can check them out here.

#2 – What the Hex: For those of you who haven’t used a hex editor before, or are looking for a new one, you’re in luck. In their post “XVI32: Hex Editor of Champions,” @geminisecurity talks about hex editors (the XVI32 hex editor specifically), and why we should use them. Calling the hex editor “an essential tool for anyone in the computer security field,” @geminisecurity says that hex editors are especially good for looking at the nitty-gritty details of data. The XVI32 is no exception. Describing the XVI32 hex editor “a very robust, stable, and easy-to-use hex editor for Windows,” @geminisecurity says that some of its best features include a built-in scripting engine, bit manipulation capabilities, and numerous ways to interpret and display data. You can check out all the details here.

#1- Think Outside the Toolbox: The PaulDotCom post “Find Time to Put the Tools Away” opens with an interesting comparison of pen testing eerily resembling airport security. Both pen testers and TSA professionals are trained to look for very specific things, often overlooking other potential problems because they neglect to see the big picture. For example: Instead of looking for certain vulnerabilities like XSS, XSRF and SQLi, PaulDotCom encourages security professionals to look at how an application works instead of looking at the parts that make it work. He also gave one of the most profound pieces of advice that we’ve heard in awhile: “Trying to understand how something worked used to be the goal and definition of hacking.” And on that note, I hope that you’ll read the post yourself.

Don’t forget to follow me during the week @grecs to get more recommendations on the blog posts you should be reading.

o o o o o

Wanna hack your career?