Bishop Fox Blog

A space dedicated to sharing our thoughts on the latest cybersecurity news, trends, and threats



An Introduction to AWS Cloud Security

Download the Bishop Fox Intro to AWS Cloud Security guide here. 

Amazon Web Services (AWS) isn’t the novelty it was a decade ago. Resource-intensive, computer-heavy work today flows upward from giant enterprises 24/7 to the nebulous cloud where it’s processed by virtual servers, stored in digital containers, and eventually returned in a manner that supports the bottom line of tens of thousands of businesses.

Password Security: The Good, the Bad, and the "Never Should Have Happened"

Download the Bishop Fox password security guide here. 

Introduction to Password Security 

While most organizations have a password policy that sounds technically secure, hardly any have a policy that benefits the organization, encourages strong passwords, and improves overall security. It’s time to stop requiring capital letters, numbers, special characters, and frequent password updates. We are here to correct the outdated, misleading, and muddled logic when it comes to what makes a password secure.

A Primer to Red Teaming

Download the full-length version of the guide including case studies and an introduction to our social engineering services here


In order to fully understand red teaming, it might be best to first decouple it from penetration testing. The two are often conflated, and that only serves to lessen the quality of the decision-making around which to choose.

A Guide to AWS S3 Buckets Security

Download our corresponding how-to guide here

The Threat of Poor AWS S3 Buckets Security

If your organization uses Amazon Web Services (AWS), it is extremely important to understand AWS S3 buckets security. Configuring your S3 buckets the right way can mean the difference between business as usual and nearly catastrophic data leaks. As you may have noticed in the past few years, AWS S3 data leaks are not uncommon – and it’s fairly probable that your organization is not immune to them. They have affected high-profile organizations like Verizon, Accenture, and several others in recent memory.

My Time at NetWars Tournament of Champions


Each and every December, some of the best and brightest hackers from around the world travel to Washington D.C. for the NetWars Tournament of Champions. Champion golfers may have their prestigious green sportscoats, but NetWars champions receive the coveted black hoodie.

A Bug Has No Name: Multiple Heap Buffer Overflows In the Windows DNS Client


CVE-2017-11779, fixed by Microsoft in October of 2017, covers multiple memory corruption vulnerabilities in the Windows DNS client. The issues affect computers running Windows 8/Server 2012 or later, and can be triggered by a malicious DNS response. An attacker can exploit this issue to gain arbitrary code execution in the context of the application that made the DNS request.

Is CORS Becoming Obsolete?

Lately, we have received a lot of questions from our clients about CORS becoming obsolete. They are rightfully concerned about this possibility because so much of Web 2.0 depends on the interoperability mechanisms that CORS provides.

Hot New ‘Anonymous’ Chat App Hijacks Millions of Contact Data

By now, you may have heard about Sarahah, the new anonymous chat application that’s gone viral around the world.

How I Built An XSS Worm On Atmail

This blog post was authored by Senior Security Analyst Zach Julian; you can connect with him on Twitter here.

The Power of 'Agile' Security at Dun & Bradstreet

Interview with Jon Rose, Dun & Bradstreet 

In this wide-ranging cybersecurity expert interview, Bishop Fox Partner Vincent Liu chats with the CSO of Dun & Bradstreet, Jon Rose. The two discuss the commercialization of security, the road to becoming a CSO and how agile helped his security team take control of day-to-day activities and better manage priorities.
