Articles by Robert Hansen

Personal site: https://www.smartphoneexec.com

Google Analytics May Not be GDPR Compliant

By Robert Hansen on January 20, 2022

I got a notice from a marketing friend of mine that may point to the fact that GDPR forbids the use of Google Analytics. Google Analytics is one of the most widely used ways to identify traffic on websites, and the implications of its non-compliance are wide-reaching as not many …


Python NaN Injection

By Robert Hansen on December 29, 2021

Python is often called “type safe” by people who aren’t aware of the fact that it is actually “duck typed” in the sense that if the variable ‘walks like a duck and talks like a duck, it must be a duck’. A variable can be injected with a string called NaN (which stands …


An Introduction to “Scan Everything”

By Robert Hansen on September 14, 2021

At Bit Discovery, we often must walk both clients and potential clients through the rational objection to the idea of adding everything to their inventory and then testing everything that they find. The concern is understandable – it’s expensive, creates duplicate workload, the potential for false positives grows, and any additional …


False Negatives in Attack Surface Mapping

By Robert Hansen on June 10, 2021

On occasion, there will be an asset that slips through the cracks, and there is a wide variety of reasons for it. Not all assets are made equal, so while an asset may be missed, the ones that are missed are often the least important in terms of risk, but …


HTML Search

By Robert Hansen on June 7, 2021

One of the most powerful features within Bit Discovery is an often overlooked one – the HTML search. It is so simple, yet so powerful. It gives you the unique ability to “see” what is on each homepage within your environment without having to look at each page.  Think of …


0days Do not Wait for CVEs

By Robert Hansen on June 3, 2021

What if I were to tell you that an attack surface map can be more effective at finding critical vulnerabilities in some cases than a traditional network vulnerability scan? Crazy to think about, I know.  To understand why it is crucial, you must first understand that CVEs do not matter …


IT Audit Use Case

By Robert Hansen on May 27, 2021

I had the pleasure of talking to an IT Audit organization that had been using Bit Discovery extensively to protect themselves and audit external IT. When they mean external, they really mean companies they have either acquired or are about to acquire.  We usually don’t get a lot of insight …


The Right Way to do Attack Surface Mapping

By Robert Hansen on May 17, 2021

This post is the eighth and last of a short series of posts that we have dubbed “Attack Surface Mapping the Wrong Way,” showing the wrong ways that people/companies/vendors attempt to do attack surface mapping. In this final post, I will show the right way.

The answer: Start with Everything

So now …


Passive DNS is the Wrong Way to do Attack Surface Mapping

By Robert Hansen on May 13, 2021

This post is the seventh of a short series of posts that we have dubbed “Attack Surface Mapping the Wrong Way,” showing the wrong ways that people/companies/vendors attempt to do attack surface mapping. Next up is passive DNS and why it is the wrong way.

Passive DNS Only is Flawed.

A handful …


IP is the Wrong Way to do Attack Surface Mapping

By Robert Hansen on May 5, 2021

This post is the sixth of a short series of posts that we have dubbed “Attack Surface Mapping the Wrong Way,” showing the wrong way that people/companies/vendors attempt to do attack surface mapping. Next up is IP and why it is the wrong way.

IP Only is Flawed

Many security tools scan …
