How to build your own tools - Part 1

In this bird feeding episode of the Exploring Information Security podcast, Chris Maddalena joins me to discuss how to build your own tools.

Chris (@cmaddalena) gave a talk at DerbyCon this past year on writing Win32 Shellcode. We've talked before on a previous podcast around why building your own tools is important. Chris has also written several tools for his day job and for public consumption. His most recent tool is ODIN, a passive recon tool for penetration testers.

In this episode we discuss:

  • Why should someone build their own tool
  • What tool should people build?
  • How to get started building tools
  • What resources are available for building tools

What is the Orange Team?

In this colorful edition of the Exploring Information Security podcast, April Wright joins me to discuss the orange team.

April (@aprilwright) and I met earlier this year at ShowMeCon. She shared with me the concept of the Orange Team. Which is an idea around the security (blue) team working more closely with the development (yellow) team. I loved the idea and wanted to hear more. She spoke about the topic at BlackHat and DefCamp. Unfortunately, the recordings of her session haven't been released yet. So, I decided to have her on to discuss in more detail.

In this episode we discuss:

  • What is the orange team
  • How did the idea come about?
  • What are the activities of the orange team?
  • Who should participate

How to secure NodeJS

In this protuberance episode of the Exploring Information Security podcast, Max McCarty joins me to discuss how to secure NodeJS.

Max (@maxrmccarty) has a great course called Securing Your Node.Js Web App available on Pluralsight. The course is five and a half-hours long, walking through the basics on security. Security for NodeJS is not unlike security for other languages and technologies. If you can secure other web apps you can secure NodeJS.

In this episode we discuss:

  • What is NodeJS
  • How Max got started in NodeJS
  • Why it's important to secure NodeJS
  • How to secure NodeJS

More resources:

What is the Node Security Platform?

In this devtastic episode of the Exploring Information Security podcast, Adam Baldwin joins me to discuss the Node Security Platform (NSP).

Adam (@adam_baldwin) is the team lead at Lift Security and founder of the Node Security Platform. NSP is one of the simplest tools to put into a development life cycle for NodeJS. It checks for vulnerable packages in an environment during pull requests or builds. This allow developers to quickly and easily identify packages that put their applications at risk.

In this episode we discuss:

  • What is nsp?
  • How it should be used?
  • Where it should be used?
  • How to use it.

Resources:

Why we need to get outside the infosec echo chamber

In this bouncy edition of the Exploring Information Security podcast, I talk about getting outside of the information security echo chamber.

Getting outside of the infosec echo chamber is something I've wanted to do for the past year. Spending time at infosec events is important for a career. It's great for networking and knowledge sharing. We need to do those same things at non-infosec events. For me that means getting out to developer events. I am speaking at Nodevember at the end of November 2017 and also at CodeMash in early January 2018. For better security I think it's a crucial activity.

In this episode I discuss:

  • What is the echo chamber?
  • Why it's important to get outside of it
  • Who should get outside the echo chamber
  • Where to get outside the echo chamber

How to hack a car

In this speedy episode of the Exploring Information Security podcast, Brandon Wilson joins me to discuss his adventures in hacking a car.

Brandon (@brandonlwilson) spoke at BSides Knoxville in 2017. I had the pleasure to be in attendance for his talk. The talk was technical and very interesting. Brandon talked about how he tried to take his old 90s car and fix it himself. The was a malfunction in the anti-theft system that kept the car from running. He decided to go deeper. Unfortunately, he was unable to fix his car. He did, however, learn a lot from the experience.

In this episode we discuss:

  • How Brandon got into car hacking?
  • What resources were available for hacking a car?
  • How long did the project take?
  • What tools are available for hacking a car?

How to implement the CSF from NIST

In this skeleton edition of the Exploring Information Security podcast, I discuss the Cybersecurity Framework (CSF) from NIST with Rick Tracy the CSO at Telos.

Rick (@rick_tracy), is very passionate about the CSF from NIST. The framework is meant to help organizations become more mature from a security standpoint. The CSF provides guidance on implementing security controls and countermeasures. It's not meant to be a one size fits all framework, but something that each organization can cater to their organization.

In this episode we discuss:

  • What is NIST?
  • What is the Cybersecurity Framework?
  • Why it's important
  • How organizations implement the framework

More resources:

What is the OWASP Threat Dragon?

In this fire-breathing edition of the Exploring Information Security podcast, I talk to Mike Goodwin the project lead of the OWASP Threat Dragon.

Mike (@theblacklabguy) joins me to discuss his OWASP project Threat Dragon. The project is meant to give developers an easy use tool for performing threat modeling. The project is built on NodeJS and AngularJS. It has a slick easy-to-use interface and Github integration. His roadmap for the project include Bitbucket integration and a rule engine that will help with threat modeling.

In this episode we discuss:

  • What is threat modeling?
  • What led to the idea of Threat Dragon?
  • How does someone get started with the tool?
  • What's the effort on a project like this? (mike[dot]goodwing[at]owasp[dot]org to help)

More resources:

What's happening at DerbyCon?

In this legacy edition of the Exploring Information Security podcast, Ben Miller (@securithid) , Cliff Smith (@BismithSalamandr) , Paul "BubbaSec" Coggin (@PaulCoggin) , Dave Chronister (@bagomojo), Sean Peterson (@SeanThePeterson), and Jimmy Byrd (@Jimmy_Byrd) (and briefly @aprilwright ) join me to talk security.

 This is likely the last podcast conference special of the year. It's a good one. We had quite the crew to record this one and got very in-depth and deep on topics related to infosec. Big shout out and thanks again to Dave for bringing the mics and participating in the podcast.

I've been pleasantly surprised with how this and the other podcasts have turned out. I've gotten some great feedback and I plan to do more of these in the future. It was also floated to me that we record one of these as a panel at one of the conferences. We'll see.

In this episode we discuss:

  • The legacy of DerbyCon and what the future holds.
  • What it's like at a developer conference?
  • Is there security fatigue?
  • Patch your shit.

Resource we discussed:

What's happening at BSides Augusta?

In this masters edition of the Exploring Information Security podcast, Adam Twitty, Robert Preston, Jeff Lang, and myself discuss security things.

This is another EIS podcast special at BSides Augusta. I have some close friends joining me for this one. Adam, Jeff, and Robert all part of a local user group in Columbia, South Carolina, aptly named ColaSec. I also worked with Adam and Robert at my first security gig.

BSides Augusta is one of my favorite BSides events. It's really well run. It has a great facility and there's so much to do. In fact, I took part in my first conference capture the flag (CTF) with some of the guys from ColaSec. It was quite the experience and a lot of fun. I highly recommend the conference for those free in mid-September.

In this episode we discuss:

  • What it's like to be on a good team
  • What you need to know to get into the field?
  • What paths are available to get into infosec
  • What is ColaSec?

How to setup a pineapple?

In this fruity edition of the Exploring Information Security podcast, Kate Vajda joins me to discuss how to setup a pineapple.

Kate (@vajkat) is a senior security consultant at Secure Ideas. She recently wrote an article on setting up a targeted pineapple. In the article she walks through setting up a pineapple. What I really enjoy about the article is that she walks through some of the issues she runs into setting up the pineapple. It's a really good example of how to work through problems using troubleshooting techniques.

In this episode we discuss:

  • What is a pineapple
  • Where to get a pineapple
  • How to set one up
  • What are the use cases for a pineapple

What is isolated browsing?

In this contained edition of the Exploring Information Security podcast, Danny Miller joins me to discuss isolated browsing.

Danny, is the Director of Product Marketing for Ericom (@EricomShield). He came on the show to talk about isolated browsing. Which is a technology that I've never heard of before. It's similar to virtual machines and technology like Citrix, which provide solutions that help isolate a user. Isolated browsing is different. It uses containers (like Docker) to provide a user with a browser that is completely separate from the computer. This has the advantage of keeping things like malware of user computer and in a contained environment.

In this episode we discuss:

  • What is isolated browsing?
  • How does it work?
  • Where the solution is located
  • How is the technology different from Citrix?

More resources:

Why getting into infosec is hard

In this Han Solo edition of the Exploring Information Security podcast, I discuss my experience on why getting into infosec is hard.

This is a solo episode where I share my thoughts on why it's hard to get into infosec. I've been on both sides of the interview process. In this episode I share my own personal experience (where I failed), as well as what I've seen on why people didn't get the role they wanted. This topic deals with the skills shortage topic often discussed on Twitter and other media. It's a very nuanced topic. I wanted to focus on what those applying could do better to apply and interview for an opportunity.

In this episode:

  • Why people don't apply?
  • Why requirements can limit job opportunities
  • Why your resume sucks
  • How are you preparing for the interview?
  • What are you doing to improve your chances of getting an offer?

What it's like in the SECTF soundbooth

In this on a whim episode of the Exploring Information Security podcast, Michelle joins me to discuss here time participating in the SECTF.

Michelle (@MlleLicious) was one of the contestants who competed on Friday in the Social Engineering Capture The Flag (SECTF). This year the SECTF focused on video game companies and Michelle (happily) pulled Disney. Getting up on stage in front of hundreds of people is already a nerve racking proposition. Now add in that you have to interact with another human being to try and get them to divulge information for points. As you'll hear this was Michelle's first year at DEFCON. She dove right in to the event and walked away from the even with an amazing experience.

In this episode we discuss:

  • What is the SECTF
  • Why apply to the competition
  • What was her preparation for the contest
  • Where could she have improved

What are memory forensics?

In this investigative episode of the Exploring Information Security podcast, Kyle Andrus joins me to discuss memory forensics.

Kyle (@chaoticflaws) is someone I've started to get to know this year. He's an organizer of Converge and BSides Detroit. He's also an organizer for MiSec. Talking with him I noticed a strong interest in memory forensics. This allowed us to geek out a bit on the topic considering I have experience with performing memory forensics as part of incident response. It was one of the more interesting things I've done in security.

In this episode we discuss:

  • How Kyle got into memory forensics
  • What tools are available to perform memory forensics
  • Why memory forensics are useful to an organization
  • What skills are needed for memory forensics

What does Chris Maddalena, Kyle Andrus, and Daniel Ebbutt think about security at DEFCON?

In this crazy edition of the Exploring Information Security podcast, I am joined by Chris Maddalena, Kyle Andrus, and Daniel Ebbutt for another conference podcast special. This time it's DEFCON 25.

Chris (@cmaddalena), Kyle (@chaoticflaws), and Daniel (@notdanielebbutt) join me at DEFCON to discuss various topics ranging from conferences like DEFCON, Blackhat, and BSides Las Vegas to bird feeders. We read a couple passages from the POC||GTFO bible available from no start press.

In this episode we discuss:

  • The death of LineCon
  • Blackhat swag
  • BSides Las Vegas
  • Converge and BSides Detroit
  • Saying yes and knowing when to say no
  • Report writing
  • Macros
  • Bird feeders

What is BSides Bordeaux

In this exquisite episode of the Exploring Information Security podcast, Allan Liska and Tim Gallo join me to discuss a brand new BSides in Bordeaux.

Both Allan (@uuallan) and Tim (@TimJGallo) are in the Unite States. This makes starting a BSides in France challenging and intriguing. Both organizers love wine and saw an opportunity to put France on the BSides map. BSides Bordeaux (@BsidesBDX) is October 21, 2017, in Bordeaux France. The venue is Mama Shelter (which has a wicked video). Tickets are limited so be sure to grab one soon.

In this episode we discuss:

  • What inspired them to start BSides Bordeaux
  • The challenges of organizing a BSides on another continent
  • What makes the conference unique
  • What are some of the things to do in Bordeaux

How to prepare for the OSCP - Part 2

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • How Chris' second attempt went
  • How to study for the OSCP
  • What the hardest part of the exam was for Chris
  • How the pointing system works

More resources (h/t @KrvRob):

How to prepare for the OSCP - Part 1

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • What is the OSCP and OSCE
  • Why someone should pursue the OSCP
  • What is the test like
  • How Chris' first attempt went

More resources (h/t @KrvRob):

What are the steps to secure application development?

In this getting started episode of the Exploring Information Security podcast, Jim Manico joins me to discuss the steps (or rather phases) to secure application development.

Jim (@manicode) is an active member in the application security field. He's been a board member for OWASP. He's a regular speaker at OWASP conferences and he provides appsec training nine months out of the year. I recently had the opportunity to tune into a webinar put on my Jim discussing the steps to secure application development. He's got a wealth of knowledge and provides actionable advice for anyone wanting to move in that direction.

In this episode we discuss

  • How Jim got started in appsec
  • Why secure application development is important
  • What the steps are to get started
  • Who should be implementing application security