In "Surfacing Security," we explore a variety of cybersecurity topics relevant to Attack Surface Management and beyond. Your co-hosts are Michael Gianarakis (Assetnote Co-Founder/CEO) and Shubham Shah (Assetnote Co-Founder/CTO).

Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs
37:44
Running an effective bug bounty program requires balancing an attractive scope and payout to hunters with an attack surface that challenges hunters to do more than automated scans. Program managers want to pay for skillful findings, not automated ones. In this episode, we talk about how ASM helps optimize your bug bounty program.…

Internet-Wide Recon: Moving Past IP-Centric Approaches
27:16
In this episode, we discuss the blindspots of IP-centric approaches to asset discovery and the importance of understanding the full attack surface of an organization. We unpack the challenges posed by modern cloud architectures, load balancers, and WAFs, and how these can create blind spots in reconnaissance efforts. We also highlight the significa…

Beyond Shadow IT: Understanding the True Attack Surface of Your Software
45:18
This week's episode dives deep into the concept of shadow exposure and how it relates to third-party software, often overlooked in discussions about shadow IT. We explore the historical context of shadow IT, its evolution, and the real risks associated with widely deployed enterprise software that organizations may not fully understand. Join us as …

The Art of Recon: Strategies for Modern Asset Discovery
48:51
Today, we explore the world of asset discovery and reconnaissance, particularly how these practices have evolved over time. Historically, discussions around reconnaissance have been overly simplistic and tool-centric, often focusing solely on the latest tools rather than the underlying principles and methodologies. Join us as we break down our appr…

The Unknown Complexities of DNS Resolution
37:59
In this episode, we dive into the technical complexities of DNS resolution in the context of ASM asset discovery. Join us as we discuss the challenges, implications, and solutions we have encountered while dealing with DNS resolution at scale. From DNS wildcards to security scanning considerations, we explore the importance of DNS data and its role…

There's a lot of confusion in the ASM (Attack Surface Management) market. Today we discuss the core principles of ASM, the challenges of building and maintaining an effective ASM system, and the importance of safety and accuracy in external attack surface scanning. We share insights on the differences between asset discovery and exposure management…

Uncovering Critical Vulnerabilities in Magento: A Deep Dive
41:03
Today, co-hosts Michael and Shubs reflect on the six-year milestone of Assetnote and do a deep dive into a critical Magento bug. They explore the importance of proactive and reactive security research, the limitations of traditional vulnerability scoring systems like CVSS and EPSS, and the significance of understanding exploitability in assessing v…

The Untold Story of Assetnote: Origins and Evolution
57:19
In this podcast episode, Michael and Shubs explore the background and evolution of Assetnote, a pioneering Attack Surface Management platform. They discuss the company's origins, the challenges faced in its early days, and the strategic decisions that established it in the market. They discuss the importance of speed and scale and the value of auto…

What is "True" Attack Surface Management (ASM)?
52:46
Today we look at Attack Surface Management (ASM) with a focus on what true ASM entails. Join us as we discuss the core principles of ASM, the importance of understanding real exposure on your attack surface, and the role of security research in identifying vulnerabilities beyond known CVEs. Discover how our team at Assetnote pioneers a new approach…

A Deep Dive into Three ServiceNow Vulnerabilities (with Adam Kues)
39:42
Over the last decade, ServiceNow has been deployed readily across enterprises. With its growing popularity, combined with the lack of visibility organizations have on its security posture, at Assetnote, we worked hard to discover vulnerabilities in the ServiceNow platform. Assetnote Security Researcher, Adam Kues, spent over a month finding an expl…

Chaining Three Bugs to Access All Your ServiceNow Data (Live Q&A)
29:41
On May 14th, 2024, we disclosed a chain of vulnerabilities to ServiceNow, resulting in 3 new CVEs. This series of security issues affected all Vancouver and Washington ServiceNow instances (around 42,000 globally), allowing an attacker to execute code on the instance. In this live Q&A, Assetnote security researcher Adam Kues explains his approach t…