Hands-On Web Exploitation with Python
Back in 2015, a colleague and friend asked if I would be interested in teaching a training class with him at OWASP AppSec USA. After carefully considering, I agreed. It’s a good thing, because he had already submitted the class to the call for trainings before asking me.
Fast forward a bit and we’re now gearing up to teach our third version of the class. What started out as a one-day training session has turned into a three-day course. Based on the feedback we have received over the previous years, my colleague and I have tweaked the class in an attempt to provide a class for all levels of programmers, from beginners who may be new to Python to veteran programmers.
Much like our first class, I have taken the time to develop a new vulnerable virtual machine for the test lab. This time around, I applied several lessons I learned along the way. The primary change to the virtual machine is that I made it quite a bit more simplistic. I did this because I... read more >
How long is too long?
There has been a lot of chatter on social media lately surrounding the topic of public vulnerability disclosure. Doing a quick Google search, I found a ton of resources, discussions and blog posts available, covering different ways to properly disclose a vulnerability. Several are listed below:
#WarStoryWednesday: Quick and Dirty Social Engineering
Every now and then, I work on the assessments that normally Brent White and Tim Roberts blog about. When I’m privileged to get such an assignment, I typically create unnecessary pressure on myself in an effort to compete with the likes of my aforementioned teammates and their overwhelming success on Social Engineering Assessments. I find myself feeding off the pressure and nervous energy, turning it into excitement and focus. By drawing on my past experiences in the Broadcast Television industry, I convince myself that this will only help me succeed on such a project. Then, when I get word of the increased challenge level, whether due to the small size of the company being assessed, a shared work environment or building, or armed guards present, I actually find myself... read more >
The Agile Movement
In my previous blog, Developing a Strong Application Security Program: Part 1, I looked at aspects of a successful application security program as it pertains to a more traditional waterfall Software Development Life Cycle (SDLC). In part two of this series, I’ll focus more on an agile-based SDLC and options for implementing a successful application security program.
Let’s briefly describe some of the differences between a traditional waterfall SDLC and agile SDLC. In a waterfall SDLC, there are clear project objectives through each phase of development. Typically, each project consists of several phases: planning, design, coding, and finally testing. Security teams are injected into the phases and should have sign-off authority on each phase before the project continues to the next. I detailed security’s role in this... read more >
#WarStoryWednesday: so many hosts, so little time
Every now and then, while performing a penetration assessment, we’ll get a large set of hosts considered in scope. This is often a nice change of pace from the compliance-based penetration assessment where the scope is smaller and more focused on the Cardholder Data Environment (CDE). With the larger scope, we can come a bit closer to simulating an actual attacker from the perspective of the internal network. I say closer because as security consultants we are still limited by time, often only having a week to perform an assessment. If the scope is big enough, we will typically send two or more consultants. This blog will detail just one of those assessments and will hopefully give insight into effective time management for large scopes that offer more than one method of compromise.Background
Let me set up the scenario a bit. My co-worker Adam Steffes and I were tasked with performing an assessment with... read more >