What is Converge and BSides Detroit?

In this Motor City edition of the Exploring Information Security podcast, Ryan Harp, Kyle Andrus, and Kate Vajda join me to discuss the conferences Converge and BSides Detroit.

Ryan (@th3b00st), Kyle (@chaoticflaws), and Kate (@vajkat) help put on one of the best conferences. Last year was my first year at the conference. I was not disappointed. They had a workshop on application security; a room set aside to get resume feedback; Ham radio exams; and much more. They also had three days of wonderful talks with some really great speakers. At lunch there are multiple treks to go grab a coney dog.

The call for papers is currently open. They're looking for speakers and to add more workshops this year. Tickets are also available now. Make sure to grab yours and I'll see you at Converge and BSides Detroit May 10-12.

In this episode we discuss:

  • How the conference got started.
  • Where the conference is at and what's new this year for the layout.
  • What's unique about the conference.
  • Coney dogs.

How to build an AppSec Pipeline

In this foundational episode of the Exploring Information Security podcast, Matt Tesauro and Aaron Weaver join me to discuss the AppSec Pipeline.

Matt (@matt_tesauro) and Aaron (@weavera) are the project leads for the OWASP AppSec Pipeline. The project provides resources and guidance for building out your own appsec pipeline within a development team. Building a pipeline is important in helping get security embedded within software.

In this episode we discuss:

  • What is the OWASP AppSec Pipeline
  • How did it get started
  • Who should use the AppSec Pipeline
  • How to implement the AppSec Pipeline

What's ahead for the Exploring Information Security podcast in 2018

In this reflection edition of the Exploring Information Security podcast, I look back at 2017 and also look ahead to 2018 for the podcast.

2017 was a great year for the podcast. I saw increased listernership. We had a new episode format that involved talking to several security professionals at various conferences. I've also seen an increase in companies and public relation firms reaching out to me to pitch guests. In 2018 I'd like to explore some new formats. There may be a conference panel in the future. I also expect to look at advertising and sponsorship for the podcasts. I also need to work on an archive feed for older episodes.

If you have feedback on any of this or ideas for where I should take the show, I would love to hear them. You can hit me up on Twitter (@TimothyDeBlock), email: timothy.deblock[@]gmail[dot]com, or by leaving a comment below. Thanks for such a great year and I look forward to a fantastic 2018.

How to overcome imposter syndrome

In this fake episode of the Exploring Information Security podcast, Micah Hoffman joins me to discuss imposter syndrome.

Micah (@WebBreacher), this past year, spoke on imposter syndrome and how to overcome it. It's something we all deal with (even several years into our careers). It's useful, but also dangerous for those of us in the information security community. We need to try and compare ourselves to others less and speak more positively internally.

In this episode we discuss:

  • What is imposter syndrome?
  • Why people get imposter syndrome.
  • How to overcome imposer syndrome.
  • Stick around until the end to hear some real imposter syndrome.

What is the Rural Technology Fund?

In this non-profit edition of the Exploring Information Security podcast, Chris Sanders joins me to discuss the Rural Technology Fund.

Chris (@chrissanders88) grew up at a disadvantage. He wasn't rich or handed a great educations. He speaks of being part of the free lunch kids at school. He's managed to turn himself into a successful information security professional, with his own company and non-profit. A lot of that is due to his teachers and mentors encouraging his interest in computers. The Rural Technology Fund is a way for him to give back and give other kids an opportunity to see if they have a spark for technology.

In this episode we discuss:

  • What is the Rural Technology Fund?
  • How it got started.
  • How people can apply for funding.
  • How people can contribute.

Ways to donate can be found at their website. Also, make sure to pick them as your charity for Amazon Smile.

How to build your own tools - Part 2

In this bird feeding episode of the Exploring Information Security podcast, Chris Maddalena joins me to discuss how to build your own tools.

Chris (@cmaddalena) gave a talk at DerbyCon this past year on writing Win32 Shellcode. We've talked before on a previous podcast around why building your own tools is important. Chris has also written several tools for his day job and for public consumption. His most recent tool is ODIN, a passive recon tool for penetration testers.

In this episode we discuss:

  • Why should someone build their own tool
  • What tool should people build?
  • How to get started building tools
  • What resources are available for building tools

How to build your own tools - Part 1

In this bird feeding episode of the Exploring Information Security podcast, Chris Maddalena joins me to discuss how to build your own tools.

Chris (@cmaddalena) gave a talk at DerbyCon this past year on writing Win32 Shellcode. We've talked before on a previous podcast around why building your own tools is important. Chris has also written several tools for his day job and for public consumption. His most recent tool is ODIN, a passive recon tool for penetration testers.

In this episode we discuss:

  • Why should someone build their own tool
  • What tool should people build?
  • How to get started building tools
  • What resources are available for building tools

What is the Orange Team?

In this colorful edition of the Exploring Information Security podcast, April Wright joins me to discuss the orange team.

April (@aprilwright) and I met earlier this year at ShowMeCon. She shared with me the concept of the Orange Team. Which is an idea around the security (blue) team working more closely with the development (yellow) team. I loved the idea and wanted to hear more. She spoke about the topic at BlackHat and DefCamp. Unfortunately, the recordings of her session haven't been released yet. So, I decided to have her on to discuss in more detail.

In this episode we discuss:

  • What is the orange team
  • How did the idea come about?
  • What are the activities of the orange team?
  • Who should participate

How to secure NodeJS

In this protuberance episode of the Exploring Information Security podcast, Max McCarty joins me to discuss how to secure NodeJS.

Max (@maxrmccarty) has a great course called Securing Your Node.Js Web App available on Pluralsight. The course is five and a half-hours long, walking through the basics on security. Security for NodeJS is not unlike security for other languages and technologies. If you can secure other web apps you can secure NodeJS.

In this episode we discuss:

  • What is NodeJS
  • How Max got started in NodeJS
  • Why it's important to secure NodeJS
  • How to secure NodeJS

More resources:

What is the Node Security Platform?

In this devtastic episode of the Exploring Information Security podcast, Adam Baldwin joins me to discuss the Node Security Platform (NSP).

Adam (@adam_baldwin) is the team lead at Lift Security and founder of the Node Security Platform. NSP is one of the simplest tools to put into a development life cycle for NodeJS. It checks for vulnerable packages in an environment during pull requests or builds. This allow developers to quickly and easily identify packages that put their applications at risk.

In this episode we discuss:

  • What is nsp?
  • How it should be used?
  • Where it should be used?
  • How to use it.

Resources:

Why we need to get outside the infosec echo chamber

In this bouncy edition of the Exploring Information Security podcast, I talk about getting outside of the information security echo chamber.

Getting outside of the infosec echo chamber is something I've wanted to do for the past year. Spending time at infosec events is important for a career. It's great for networking and knowledge sharing. We need to do those same things at non-infosec events. For me that means getting out to developer events. I am speaking at Nodevember at the end of November 2017 and also at CodeMash in early January 2018. For better security I think it's a crucial activity.

In this episode I discuss:

  • What is the echo chamber?
  • Why it's important to get outside of it
  • Who should get outside the echo chamber
  • Where to get outside the echo chamber

How to hack a car

In this speedy episode of the Exploring Information Security podcast, Brandon Wilson joins me to discuss his adventures in hacking a car.

Brandon (@brandonlwilson) spoke at BSides Knoxville in 2017. I had the pleasure to be in attendance for his talk. The talk was technical and very interesting. Brandon talked about how he tried to take his old 90s car and fix it himself. The was a malfunction in the anti-theft system that kept the car from running. He decided to go deeper. Unfortunately, he was unable to fix his car. He did, however, learn a lot from the experience.

In this episode we discuss:

  • How Brandon got into car hacking?
  • What resources were available for hacking a car?
  • How long did the project take?
  • What tools are available for hacking a car?

How to implement the CSF from NIST

In this skeleton edition of the Exploring Information Security podcast, I discuss the Cybersecurity Framework (CSF) from NIST with Rick Tracy the CSO at Telos.

Rick (@rick_tracy), is very passionate about the CSF from NIST. The framework is meant to help organizations become more mature from a security standpoint. The CSF provides guidance on implementing security controls and countermeasures. It's not meant to be a one size fits all framework, but something that each organization can cater to their organization.

In this episode we discuss:

  • What is NIST?
  • What is the Cybersecurity Framework?
  • Why it's important
  • How organizations implement the framework

More resources:

What is the OWASP Threat Dragon?

In this fire-breathing edition of the Exploring Information Security podcast, I talk to Mike Goodwin the project lead of the OWASP Threat Dragon.

Mike (@theblacklabguy) joins me to discuss his OWASP project Threat Dragon. The project is meant to give developers an easy use tool for performing threat modeling. The project is built on NodeJS and AngularJS. It has a slick easy-to-use interface and Github integration. His roadmap for the project include Bitbucket integration and a rule engine that will help with threat modeling.

In this episode we discuss:

  • What is threat modeling?
  • What led to the idea of Threat Dragon?
  • How does someone get started with the tool?
  • What's the effort on a project like this? (mike[dot]goodwing[at]owasp[dot]org to help)

More resources:

What's happening at DerbyCon?

In this legacy edition of the Exploring Information Security podcast, Ben Miller (@securithid) , Cliff Smith (@BismithSalamandr) , Paul "BubbaSec" Coggin (@PaulCoggin) , Dave Chronister (@bagomojo), Sean Peterson (@SeanThePeterson), and Jimmy Byrd (@Jimmy_Byrd) (and briefly @aprilwright ) join me to talk security.

 This is likely the last podcast conference special of the year. It's a good one. We had quite the crew to record this one and got very in-depth and deep on topics related to infosec. Big shout out and thanks again to Dave for bringing the mics and participating in the podcast.

I've been pleasantly surprised with how this and the other podcasts have turned out. I've gotten some great feedback and I plan to do more of these in the future. It was also floated to me that we record one of these as a panel at one of the conferences. We'll see.

In this episode we discuss:

  • The legacy of DerbyCon and what the future holds.
  • What it's like at a developer conference?
  • Is there security fatigue?
  • Patch your shit.

Resource we discussed:

What's happening at BSides Augusta?

In this masters edition of the Exploring Information Security podcast, Adam Twitty, Robert Preston, Jeff Lang, and myself discuss security things.

This is another EIS podcast special at BSides Augusta. I have some close friends joining me for this one. Adam, Jeff, and Robert all part of a local user group in Columbia, South Carolina, aptly named ColaSec. I also worked with Adam and Robert at my first security gig.

BSides Augusta is one of my favorite BSides events. It's really well run. It has a great facility and there's so much to do. In fact, I took part in my first conference capture the flag (CTF) with some of the guys from ColaSec. It was quite the experience and a lot of fun. I highly recommend the conference for those free in mid-September.

In this episode we discuss:

  • What it's like to be on a good team
  • What you need to know to get into the field?
  • What paths are available to get into infosec
  • What is ColaSec?

How to setup a pineapple?

In this fruity edition of the Exploring Information Security podcast, Kate Vajda joins me to discuss how to setup a pineapple.

Kate (@vajkat) is a senior security consultant at Secure Ideas. She recently wrote an article on setting up a targeted pineapple. In the article she walks through setting up a pineapple. What I really enjoy about the article is that she walks through some of the issues she runs into setting up the pineapple. It's a really good example of how to work through problems using troubleshooting techniques.

In this episode we discuss:

  • What is a pineapple
  • Where to get a pineapple
  • How to set one up
  • What are the use cases for a pineapple

What is isolated browsing?

In this contained edition of the Exploring Information Security podcast, Danny Miller joins me to discuss isolated browsing.

Danny, is the Director of Product Marketing for Ericom (@EricomShield). He came on the show to talk about isolated browsing. Which is a technology that I've never heard of before. It's similar to virtual machines and technology like Citrix, which provide solutions that help isolate a user. Isolated browsing is different. It uses containers (like Docker) to provide a user with a browser that is completely separate from the computer. This has the advantage of keeping things like malware of user computer and in a contained environment.

In this episode we discuss:

  • What is isolated browsing?
  • How does it work?
  • Where the solution is located
  • How is the technology different from Citrix?

More resources:

Why getting into infosec is hard

In this Han Solo edition of the Exploring Information Security podcast, I discuss my experience on why getting into infosec is hard.

This is a solo episode where I share my thoughts on why it's hard to get into infosec. I've been on both sides of the interview process. In this episode I share my own personal experience (where I failed), as well as what I've seen on why people didn't get the role they wanted. This topic deals with the skills shortage topic often discussed on Twitter and other media. It's a very nuanced topic. I wanted to focus on what those applying could do better to apply and interview for an opportunity.

In this episode:

  • Why people don't apply?
  • Why requirements can limit job opportunities
  • Why your resume sucks
  • How are you preparing for the interview?
  • What are you doing to improve your chances of getting an offer?

What it's like in the SECTF soundbooth

In this on a whim episode of the Exploring Information Security podcast, Michelle joins me to discuss here time participating in the SECTF.

Michelle (@MlleLicious) was one of the contestants who competed on Friday in the Social Engineering Capture The Flag (SECTF). This year the SECTF focused on video game companies and Michelle (happily) pulled Disney. Getting up on stage in front of hundreds of people is already a nerve racking proposition. Now add in that you have to interact with another human being to try and get them to divulge information for points. As you'll hear this was Michelle's first year at DEFCON. She dove right in to the event and walked away from the even with an amazing experience.

In this episode we discuss:

  • What is the SECTF
  • Why apply to the competition
  • What was her preparation for the contest
  • Where could she have improved