Avatao Blog
Cybersecurity best practices, tips, and the latest news discussed by security professionals. Read on to find the topic that interests you the most!

Featured article

What’s next? – OWASP Top 10 2021
OWASP Top 10 Vulnerabilities in 2021, based on the unofficial proposal of Philippe De Ryck. Here is what we know.
Latest posts
5 best practices to successfully implement training as part of your security program
For most companies, security is treated as a side quest, only loosely connected to daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and skills.
5 Key Challenges When Building a Security Training Program
To build an enterprise security program, one has to go back to the well-known fundamentals of organizational change: People, Process, and Technology (the model originates in Harold Leavitt’s “Applied Organization Change in Industry”, 1964).
Getting started with Kotlin
If you are working on Java projects, you might have heard about other languages that run on the JVM, like Clojure, Kotlin, or Scala. Programmers like to try new things out, but is it worth picking one of them over Java?
The Tutorial Framework: Containerizing IT Security Knowledge
How can we make security education a whole lot more accessible and fun? The tutorial framework is the answer. In this article we dive into how to create interactive learning environments running inside containers.
Life Before Docker and Beyond – A Brief History of Container Security
Containers have been around for over a decade. Yet before Docker’s explosive success beginning in 2013, they were not widespread or well-known. Long gone are the days of chroot: containers are all the rage, and with them we have a whole new set of development and security challenges.
How cybersecurity contributes value to business
Cybersecurity is an inherently negative asset. As with any protective measure, the major challenge is to measure the value (or Return on Investment, ROI) of cybersecurity. It is significantly more difficult to make this value apparent to stakeholders: customers, users and decision-makers in the company.
Make your company better, invest in security training for developers
What are the key benefits of practical security training for developers? Here are some tips on how you can build a case for a developer security program. Security training for developers: More...
Back to school – Cybersecurity is missing on college campuses
Not a single day goes by without a devastating security breach affecting someone, somewhere. In the first six months of 2019 alone, over 4 billion records around the globe were exposed due to...
XSS Case Study
You’ve probably heard about the recent Cross-Site Scripting vulnerability in the Google search engine. With a clever payload, you could have crafted a link that executed JavaScript when opened...
A quantitative approach to Data Protection Impact Assessment
Everyone is already familiar with the expression “data is the new oil”. Ever-increasing amounts of information are produced, stored, processed and transferred, enabling products and services across...
DNS security and privacy issues and how to avoid them
Even if you use HTTPS, your browsing habits can still be tracked by observing your DNS queries. Besides the lack of confidentiality, plain old DNS doesn’t provide data integrity and authenticity...
Wild card to win USPS customer data
The US Postal Service launched their Informed Visibility program last year to provide better insight into their mailstream service. For example, one can obtain near real-time notifications about...
An overview of Linux container security
Containers are often treated as if they were virtual machines, which is far from the truth: they are far less isolated from the host system. However, there are a myriad of ways to enhance...
Not so smart pointers
Even though modern C++ (the standard since C++11) has made programming in this language much more secure, it has also introduced new vulnerabilities hidden under its layers of abstraction. In C and...
Security and usability: How to find a good balance
How would you like the idea of being escorted by armed security staff from the grocery store to your home in order to protect the valuable air fresheners you have just bought? Would you be confused,...
How I could have stolen your photos from Google – my first 3 bug bounty writeups
IT security is a really huge topic, and until you find your first bug you can’t be sure that you have the required amount of knowledge, luck, and patience. Joining the club of bug bounty hunters as a...
Smart Contract Security
Blockchain-based platforms are becoming increasingly popular due to their ability to maintain a public distributed ledger, providing reliability, integrity, and auditability for transactions without...
Secure collaborative infrastructure deployment workflow with Terraform, Vault, and Atlantis
In one of our recent posts, we wrote about the difficulties of adopting infrastructure automation in a previously static environment. As experience shows, it’s never easy to get accustomed to a tool...
Secure development with Spring Framework
In the past decade, Spring Framework has become a well-established and prominent web framework for developing Java applications. The most exciting and essential changes in the Spring ecosystem were the...
The three fatal bugs behind the Facebook breach
The breach was discovered after Facebook saw an unusual spike of user activity that began on September 14, 2018. A few days later, on Tuesday, September 25, Facebook’s engineering team discovered an...
How to automate your infrastructure with Ansible in a secure way?
In this article we will cover how to use Ansible for infrastructure automation. Here at Avatao, we are big believers in infrastructure-as-code, which is a way of automating infrastructure using the...
How to dive into web-security as a developer
Great developers possess a wide variety of skills, from technological expertise to product thinking. You need some of these for your current job, others you just picked up over the years....
Semancat versioning
Tackling the versioning pains of a greenfield project with cats. New projects can force us developers to face certain challenges that we won’t even have to think about when working on an already...
Security issues to be aware of before moving to the cloud
As more and more infrastructure is moved to cloud datacenters, the services offered by cloud providers have become an obvious target for exploitation, and cloud security in practice is more...
Git security best practices
In this article we will discuss different methods to avoid common pitfalls in terms of Git security. We live in a world where it is hard not to know Git, the most popular Distributed Version Control...
Using cloud-services, security is your job too
Being cloud native won’t save you from external threats if you, as a user, are not aware of basic security needs – cloud providers simply cannot do everything for you, while, due to the heavy demand to...
Report a vulnerability in a responsible way!
If you have found a vulnerability and you want to act responsibly, discretion is most important. Always remember that you hold information that black hats can exploit, putting not only the...
Broken Access Control
In this article we cover examples of broken access control, how to find it in your application and possible consequences. Access control, or authorization, is how a web application grants access to...
Learn about CSP-based XSS protection
The security model of the web is rooted in the same-origin policy. Each origin is isolated from the rest of the web, and code should only have access to its own origin’s data. Because of this model,...
Is your company ready for a responsible disclosure policy program?
A company has to be mature enough to implement a responsible disclosure policy – or at least mature enough to implement its own tailor-made program. Implementing a responsible disclosure...
Make AWS infrastructure more secure with the help of IAM
The trend of moving to the cloud seems unstoppable, and it raises more and more security concerns. AWS can be considered the leader in the market of cloud service providers. It offers more than a...
Insource instead of outsourcing your cybersecurity operations
As the enterprise architecture becomes more and more complex, the task of the Chief Information Security Officer (CISO) becomes overwhelming. CISOs have a tough time finding talented cybersecurity...
Deep dive into the Equifax breach and the Apache Struts vulnerability
You’ve probably read about the Equifax breach and the Apache Struts vulnerability in the NY Times, in Bloomberg or somewhere else. The breach resulted in the leakage of 143 million user profiles,...
Learn to build secure software
We are writing millions of lines of code day by day, but only a few of us take security into account. We know exactly how easy it is to put security aside, as it takes more investment than...
How !SpamAndHex became a top hacker team in the world. The final part.
This is the final part of this blog series. If you haven’t done so already, you can also read the first and second parts of our story. It was early 2013, in the middle of my PhD studies, when two...
Interview with Tamás “KT” Koczka from !SpamAndHex
We are more than happy to welcome Tamás Koczka (aka “KT”), who is one of the key members of the CrySyS Student Core and thus of the !SpamAndHex team as well. As the captain of !SpamAndHex and the main...
Three major XSS issues in 2016 (plus an avatao XMaSS challenge)
In our previous blog, we gave you a small introduction to Cross-site Scripting (XSS) attacks and added some easy challenges to get a taste of web security. It seems, however, that XSS is still one...
Parse your binaries with Kaitai WebIDE
Binary analysis starts with understanding different file formats. Fortunately, there are several tools (e.g., CFF Explorer, FileAlyzer) which help you understand their internal structure,...
Interview with Chris Wysopal, CTO of Veracode
We are more than happy to welcome Chris Wysopal (also on Twitter) as the next security expert on our blog. Chris, the CTO of Veracode, is one of the key influencers in IT security today. He is a...
Interview with Zoltán Balázs, security expert
We are more than happy to welcome Zoltán Balázs (also on Twitter) as the next security expert on our blog. Zoli has a long track record of bypassing security defense products. He regularly gives...
avataoTools introduces popular security tools
One of the most difficult parts of IT security is getting started. There are zillions of interesting topics all around, but if you are completely new to this area you can easily get lost....
Interview with Charlie Miller, security researcher
Charlie Miller (also on Twitter) is well-known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products...
How !SpamAndHex became a top hacker team (part 2)
This is the second part of our !SpamAndHex series. You can read the first part here. Everything starts with a vision. It was in 2009 at the very beginning of my master studies at the Budapest...
Interview with Mateusz “j00ru” Jurczyk, security expert
We are more than happy to welcome Mateusz Jurczyk (aka “j00ru”, also on Twitter) as the second security expert on our blog. When talking about low-level Windows kernel security, we are unable to...
Reverse engineering tutorial and challenge
So here we are again with your next avatao Tuesday challenge. Today, we are delving a bit into reverse engineering by providing a small tutorial and a challenge to solve. A decent definition for...
Interview with Gabor Molnar, security expert, who co-discovered Rosetta Flash
In this new series we talk to security experts about how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”, also on Twitter), who independently co-discovered the...
Interview with the CyKor CTF team
The South Korean CTF team CyKor (also on Facebook) is one of the best CTF teams in the world. Together with other South Korean security experts like Junghoon Lee (aka “lokihardt”) and the members...
Your first Avatao Tuesday
How to get started in computer security? I think this is the first question that people raise when they are about to learn computer security. Here is a good answer from Parisa Tabriz, computer...
How !SpamAndHex became a top hacker team (part 1)
Summer had just started in 2011 when Gábor Pék, Buherátor and Bencsáth Boldizsár (aka “Boldi”) decided to do some nice hacking over the summer instead of going to splash around in Lake Balaton all summer...