Blog

Automated Security Analysis AWS Clouds

I’m hooked on cloud security, it has a little bit of everything: network security, application security, automation and DevOps. One of my latest cloud security assessments was on a huge AWS account: 500k USD / month billing, 2500 EC2 instances, 200 RDS instances, 2000 IAM users and roles, 250 IAM groups, 500 security groups […]


Threat modelling

As an external consultant who focuses on application penetration testing, I’m not usually invited to application design, business logic discussions or threat modelling sessions. A few weeks ago a client invited me to take part in a threat modelling exercise for their latest and greatest feature, which is still in the design phase. The client wanted […]


reCAPTCHA bypass via HTTP Parameter Pollution

tl;dr I reported a reCAPTCHA bypass to Google in late January. The bypass required the web application using reCAPTCHA to craft the request to /recaptcha/api/siteverify in an insecure way, but when this situation occurred the attacker was able to bypass the protection every time. The security issue was fixed “upstream” at Google’s reCAPTCHA API and no […]


OWASP LATAM Tour 2017

Developers and Application Security

Every year OWASP local chapters from Latin America organize a huge one-month event called OWASP LATAM Tour, where each chapter hosts a one-day conference in their city. These events are a great place for security professionals and developers to get together and exchange ideas and knowledge. Just like the […]


Hello world

I’m Andrés Riancho, and this is my blog. Hacker: born and raised Argentine, husband, father, software developer, application and cloud security expert. For as long as I can remember I have taken things apart to understand how they work and improve them. Initially this led to many electronic devices with missing parts at my parents’ house, but with time […]
