Questions? Call 877-752-7170 or


Introducing AppTrust

FYRM Associates is proud to announce our new AppTrust offering that enables organizations to produce secure applications in Agile environments, in a cost-cutting manner. The typical, flawed approach to application security is based on the network security model of “when we find a vulnerability, we patch it.” This forces your organization into a never-ending game of catch-up with attackers that is nothing more than a costly and time-consuming strategic failure.

Continue reading

XAB – Cross Site Scripting Anonymous Browser updated and seeking help

in Tools

A new release of XAB, the framework that allows one to browse the web via XSS has been updated. This release will now accommodate all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at sourceforge: We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community driven effort to expand the possibilities of what can be done with XSS.

Continue reading

XAB Presentation @ OWASP DC Chapter Meeting on 9/2

I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found here. See you there!

Continue reading

OWASP AppSec DC 2009 Sponsor

OWASP just launched the official AppSec DC 2009 site @ We’ll be out in force and will most definitely have some type of party/event. Check back here often or follow us on Twitter (getFYRM) for updates. We’ll see you there!

Continue reading

Bluetooth 3.0 + HS: Compromising Your Security at 24 Mbps

On April 21, 2009, the Bluetooth 3.0 specification was adopted by the Bluetooth Special Interest Group (SIG). This new specification includes new attributes such as: *High speed data transfer of large files (~24 Mbps) *Bluetooth low energy The new specification achieves these new attributes by including an 802.11 radio, aka Wi-Fi, that allows lower energy usage when attempting to transfer large amounts of data. While ultra-wideband (UWB provides ~480Mbps) was widely rumored to be included in the upcoming specification, it was absent from the final release.

Continue reading

Cross Site Scripting Anonymous Browser (XAB) Proof-of-Concept Released

Today I finally found the time to release the XAB Proof-of-Concept code. An apology to those of you who have been emailing us wondering when we would publish it. For the time being, it’s hosted at sourceforge and you can download the code from the XAB project page located at: We’ve submitted talks to Black Hat and Defcon for the updates we’re working on, so hopefully we’ll have the chance to catch everyone up, solicit some more feedback, and grab a brew.

Continue reading

Black Hat / DEF CON 2009 Reception

We’ll be hosting an informal reception at the Hofbräuhaus Las Vegas on Thursday, July 30 to celebrate Tony, Matt, and Jeff’s Black Hat and DEFCON presentations. Please RSVP to rsvp[shift+2] or talk to one of the guys wearing the FYRM Associates shirts at Black Hat. The beer will start flowing at 6 PM and we’ll be around until at least 8 PM.

Continue reading

Black Hat DC 2009 Presentation

My abstract for this year’s Black Hat DC was picked up. I’ll be presenting the XSS Anonymous Browser tool, or XAB for short. I’m currently hammering out some of the more technical aspects of the tool, but I’ll have a working proof of concept ready for the conference. Plus if there’s time (who am I kidding?), I’ll release a second tool that is a great defense against the attack vectors that XAB utilizes.

Continue reading

The New PCI 6.6

By Matt Flick in PCI

All Your Public facing Web Apps Are Relevant To Us. I’m going to start off this post with the moral of the story: Good intentions often have bad, unintended consequences. The following is the ‘Testing Procedures’ text of requirement 6.6 from the new PCI DSS v1.2 (source: For public-facing web applications, ensure that either one of the following methods are in place as follows: Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:

Continue reading

Application Security Industry: 2008 Report Card

I have had many discussions this year regarding the future of the application security industry and even more about its current state. It’s interesting how people of such varying backgrounds will have similarly varying views; this short article is designed to capture those views and hopefully drive some productive discussion as a result. Where are we now? Should be a simple question, right? Let me summarize in three main categories:

Continue reading