BlackHat Training

Will and I have teamed up to bring you the Web Application Hacker Level-up Lab at Black Hat USA 2019! This hands-on course is designed for hungry intermediate+ penetration testers and seasoned web application developers who want to level up their skills in a challenging training that focuses on just a few vulnerability classes. This […]

2019 Information Security Predictions

A cloud computing provider will suffer a major breach, and we’ll all reconsider running our most business-critical applications and storing our unencrypted information in the cloud. The hack will most likely affect one of the second-tier cloud computing providers and compromise their backend systems: the hypervisor or the client REST APIs. This breach will show how helpless our […]

Automated Security Analysis AWS Clouds

I’m hooked on cloud security; it has a little bit of everything: network security, application security, automation and DevOps. One of my latest cloud security assessments was on a huge AWS account: 500k USD / month billing, 2500 EC2 instances, 200 RDS instances, 2000 IAM users and roles, 250 IAM groups, 500 security groups […]

Threat modelling

As an external consultant who focuses on application penetration testing, I’m not usually invited to application design, business logic discussions or threat modelling sessions. A few weeks ago a client invited me to be part of a threat modelling exercise for their latest and greatest feature, which is still in the design phase. The client wanted […]

reCAPTCHA bypass via HTTP Parameter Pollution

tl;dr I reported a reCAPTCHA bypass to Google in late January. The bypass required the web application using reCAPTCHA to craft the request to /recaptcha/api/siteverify in an insecure way, but when this situation occurred the attacker was able to bypass the protection every time. The security issue was fixed “upstream” at Google’s reCAPTCHA API and no […]

Developers and Application Security

Every year OWASP local chapters from Latin America organize a huge one-month event called OWASP LATAM Tour, where each chapter hosts a one-day conference in their city. These events are a great place for security professionals and developers to get together and exchange ideas and knowledge. Just like the […]

Hello world

I’m Andrés Riancho, and this is my blog. Hacker: born and raised Argentine, husband, father, software developer, application and cloud security expert. For as long as I can remember I have taken things apart to understand how they work and improve them. Initially this led to many electronic devices with missing parts at my parents’ house, but with time […]
