Young hacker smiling

Zero false positives

Expert intelligence + effective automation

Photo by KP Bodenstein on Unsplash: https://unsplash.com/photos/ElQI4kGSbiw

Fool the machine

Trick neural network classifiers

Artificial Neural Networks (ANNs) are certainly a wondrous achievement. They solve classification and other learning tasks with great accuracy. However, they are not flawless and might misclassify certain inputs. No problem, some error is expected. But what if you could give it two inputs that are virtually the same, and …



Git. Photo by Yancy Min on Unsplash: https://unsplash.com/photos/842ofHC6MaI/

Big Code

Learning from open source

In our Machine Learning (ML) for secure code series the mantra has always been the same: to figure out how to leverage the power of ML to detect security vulnerabilities in source code, regardless of the technique, be it deep learning, graph mining, natural language processing, or anomaly detection. In …



Photo by Andres Urena on Unsplash. Credits: https://unsplash.com/photos/k1osF_h2fzA

Natural code

Natural language processing for code security

Our return to the Machine Learning (ML) for secure code series is a bit of a digression, but one too interesting to resist. At the same time, it is not, since the Natural Language Processing (NLP) field is also part of what, at least today, is considered to be Artificial …



Choices. Photo by Nathan Dumlao on Unsplash: https://unsplash.com/photos/pMW4jzELQCw

Risk indicator roundup

A matter of taste

What is the best risk indicator? Bottom line: there is no "best", only different approaches to the same thing. Ultimately, it’s up to you. Here we will show the pros and cons of each so you can make an informed decision (about that which will guide your informed decisions …



Parsing code. Photo by Markus Spiske on Unsplash: https://unsplash.com/photos/hvSr_CVecVI

Parse and Conquer

Why Asserts uses Parser combinators

As you might have noticed, at Fluid Attacks we like parser combinators, functional programming, and, of course, Python. In the parser article, I showed you the essentials of Pyparsing and we also showed how to leverage its power to find SQL injections in a PHP application. Here we will extend …



Chess strategy. Photo by Inactive. on Unsplash: https://unsplash.com/photos/nAjil1z3eLk

Great Expectations

What to expect when you're at risk

Thus far, the situations we have modeled have been either over-simplifications or fabrications in order to illustrate a concept. This article will try to improve on that a bit by considering more variables and closer to reality, too. We will do so by presenting the subject matter needed to understand …



Finance simulation. Photo by M. B. M. on Unsplash: https://unsplash.com/photos/ZzOa5G8hSPI

Quantitative Python

Risk management with Python

Now that we have an understanding of risk concepts such as the loss exceedance curve, value-at-risk, Bayes Rule, and fitting distributions, we would like to have a realiable, extensible and preferably open tool to perform these computations. In the background, we have used a spreadsheet, which is hard to extend …



Fire extinguisher. Photo by Tommaso Pecchioli on Unsplash: https://unsplash.com/photos/XG_wi3W4-m8

Para bellum

Prepare for the worst risk

"Si vis pacem, para bellum", goes the old adage. If you want peace, prepare for war. In our case, the worst possible risky scenario our information assets could go into. While probability distributions, loss exceedance curves, simulated scenarios, etc, are all great for the quants in the office, at the …



Baseball hit. Photo by Chris Chow on Unsplash: https://unsplash.com/photos/BhwRQr08PcM

Hit or miss

Estimating attack probability

One of the main obstacles against adopting a quantitative approach to risk management is that since major security breaches are relatively rare and hence, there cannot be enough data for proper statistical analysis. While this might be true in the classical sense, it is not if we adopt a Bayesian …



New information. Photo by M. Parzuchowski on Unsplash: https://unsplash.com/photos/GikVY_KS9vQ

Updating your beliefs

How Bayes Rule affects risk

Usually, changing our beliefs is seen as a negative thing. But when those beliefs represent our state of uncertainty regarding a particular cybersecurity risk, you’d better use all the tools at hand to reduce that uncertainty, i.e., measuring. Why do we speak of "belief" and not "probability" here …



Monetizing risk. Photo by rawpixel on Unsplash: https://unsplash.com/photos/5IiH_UVYdp0

Monetizing vulnerabilities

From probabilites to dollars and cents

In our previous article, we merely scratched the surface of the problem that quantifying risks poses, barely touching on concepts such as calibrated estimation, confidence intervals and specifying the measuring object. Now that (if?) we are convinced that: Cybersecurity risk can and should be measured in...



Risky poker move. Credits: https://unsplash.com/photos/5jkCyS8HOCY

Quantifying risk

From color scales to probabilities and ranges

One of the least understood parts of a vulnerability is the risk it poses to the target. On the client side, it tends to get confused with impact and occurrence likelihood, due to devices like the so-called “risk matrix”, which are supposed to help us better understand risks: Figure 1 …




Service status - Terms of Use