How to secure Docker

In this docked edition of the Exploring Information Security podcast, Rory McCune joins me to discuss how to secure Docker.

Rory (@raesene) gave a talk over the summer at BSides London 2016 on the myths of Docker. Docker is a technology being used by more and more development teams. We're even starting to see security tools run on Docker, such as OWASP ZAP. With more teams using Docker we need to have an understanding of how to secure it.

In this episode we discuss:

  • What is Docker?
  • Why it is important to secure Docker
  • What the positives and negatives of Docker are
  • How to secure Docker

More resources:

Who is looking for more in infosec - Feb 27, 2017

In this job posting edition of the Exploring Information Security podcast, who is looking for more in infosec?

This is a bonus episode of the podcast. This is a solo podcast where I discuss open positions and people looking for opportunities. I plan to do these based on demand. If you would like to submit a position you are looking to fill, or are looking for an opportunity, send me an email at timothy.deblock[at]gmail[dot]com or hit me up on Twitter @TimothyDeBlock.

Employers looking to fill a role

Sr. Splunk Admin - Premise Health

  • Splunk experience a plus
  • SIEM experience and management is required
  • Must live in Nashville, TN, or be willing to relocate

Jr. Pen Tester - Premise Health

  • Testing experience a plus
  • Familiarity with testing tools
  • Must live in Nashville, TN, or be willing to relocate

Sr. Endpoint Security Consultant - Optiv

  • Focus on Carbon Black
  • Optiv's Architecture & Implementation Services
  • Location anywhere
  • 50% travel time
  • Fill out position or contact Brad Pace (brad.pace[at]gmail[dot]com)

Quicken Loans

Multiple positions open at Quicken Loans as we continue to mature our information security team. All positions would require relocation to the metro Detroit area, no remote opportunities unfortunately. Great team of people, great company culture and atmosphere. At the end of the day the positions are what you make them. - Robert Knapp @power_napz or robertknapp[at]quickenloans[dot]com


People looking for an opportunity

Joshua Ovalle - Resume

Type of work: Entry level

Interested Areas:
I have been interested in the idea of breaking down and building up security networks and things of that sort. I had always pictured hacking as something fun and challenging. Challenging things are what really get me involved more deeply in my work.

Experience:
Navy Aviation Electronics Technician. My experiences are mostly with physical maintenance (wire running, electronic testing, circuit card installation/testing and software installation). I am also familiar with Microsoft computers and Apple products.

Community Contribution:
I have recently started dedicating time to a prison ministry at my church spending time with the children of men and women who are incarcerated by teaching and playing sports with them.

Education:
I graduated high school in 2009 and went to college for 2 semesters until I decided to join the military.

Willing to Relocate:
I am currently in San Diego, and with a newborn I don't know if I could relocate any time soon.

Coding Experience:
I don't have any experience with coding, but I am willing to learn it.

How to contact:
email: jgovalle[at]gmail[dot]com

Again, if you are looking to fill a role or looking for an opportunity, email me at timothy.deblock[at]gmail[dot]com.

How to become a penetration tester - Part 2

In this reddish edition of the Exploring Information Security podcast, Andrew Morris of Endgame joins me to discuss how to become a penetration tester.

Andrew (@Andrew___Morris) is a security researcher at Endgame. Before he got that role he was a penetration tester. I had an opportunity to get to know Andrew at some events in Columbia, SC. He's very knowledgeable and excited about what he does in the information security space. In this two-part series we discuss some of the nuances of being a pen tester and how to find yourself in that particular role.

In this episode we discuss:

  • What tools a penetration tester uses
  • What skills are needed to be a penetration tester
  • Andrew discusses how he became a penetration tester

More resources:

How to become a penetration tester - Part 1

In this reddish edition of the Exploring Information Security podcast, Andrew Morris of Endgame joins me to discuss how to become a penetration tester.

Andrew (@Andrew___Morris) is a security researcher at Endgame. Before he got that role he was a penetration tester. I had an opportunity to get to know Andrew at some events in Columbia, SC. He's very knowledgeable and excited about what he does in the information security space. In this two-part series we discuss some of the nuances of being a pen tester and how to find yourself in that particular role.

In this episode we discuss:

  • What is a penetration tester?
  • Why become a penetration tester?
  • What writing a report is like
  • What is the day-to-day life of a pen tester

More resources:

What is BSides Indy?

In this circular edition of the Exploring Information Security podcast, Frank the Tank joins me to discuss BSides Indy.

Frank (@TheDevilsVoice) is the lead organizer of BSides Indy (@indybsides). I am excited to be traveling to the conference this year. I will be taking pictures and speaking at the event. I decided to have Frank on to talk about BSides Indy to gauge what type of BSides event I can expect. The theme I got from my chat with Frank is that it's a very laid back type of BSides with a lot of the usual events. They have some wonderful speakers, a lock pick village and a place for hacking Internet of Things (IoT) devices, Hack4Kidz for the little ones and a devious capture the flag (CTF) event. I am excited to go. Tickets are still available. General Admission is $15 for Saturday. Hack Harder (Friday workshops) and the Saturday talks are $30. If you're a student or broke, tickets are free. See you there!

In this episode we discuss:

  • What is BSides Indy?
  • How the con got started
  • What makes this conference unique?
  • What is the one thing to do in Indy (Pork tenderloin sandwiches)

What is DefectDojo?

In this to the mat edition of the Exploring Information Security podcast, Greg Anderson joins me to discuss the OWASP project DefectDojo.

Greg (@_GRRegg) is one of three project leads for the OWASP project DefectDojo. The project is an appsec automation and vulnerability management tool. This is something I wish had been around when I first started managing vulnerabilities for the development team. It has a lot of great features, including metrics, integration with JIRA, automatic ticket creation, vulnerability de-duping, and of course it allows appsec teams to manage vulnerabilities in development. A demo site is available. It's open-source (as all OWASP projects are). I would recommend anyone having to manage vulnerabilities check this project out.

In this episode we discuss:

  • What is DefectDojo?
  • Why create the project?
  • Why the name?
  • Who should use the tool
  • How to effectively use the tool

What is decentralized IT? - Part 2

In this non-central edition of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss decentralized IT.

Michael (@Catalyst) has talked about decentralized IT before on a couple of other podcasts. It's a concept that I am currently experiencing in my day-to-day role. I work with the development team to improve security in the software development life cycle. I sit with the dev team. I attend meetings. I am a resource for them to approach about security concerns and questions. I am having quite a bit of success, which is why I wanted to have Santarcangelo on to have a discussion around this concept. It's something that I think more teams should be looking into as an approach for working with other departments and teams.

In this episode we discuss:

  • What are the roles and responsibilities
  • Having leadership buy in
  • Being adaptable
  • Building better relationships

Plugs:

What is decentralized IT? - Part 1

In this non-central edition of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss decentralized IT.

Michael (@Catalyst) has talked about decentralized IT before on a couple of other podcasts. It's a concept that I am currently experiencing in my day-to-day role. I work with the development team to improve security in the software development life cycle. I sit with the dev team. I attend meetings. I am a resource for them to approach about security concerns and questions. I am having quite a bit of success, which is why I wanted to have Santarcangelo on to have a discussion around this concept. It's something that I think more teams should be looking into as an approach for working with other departments and teams.

In this episode we discuss:

  • What is decentralized IT
  • The different approaches to working with other departments
  • Who should use a decentralized model
  • Training with the development team

Plugs:

What is BSides Huntsville?

In this launched edition of the Exploring Information Security podcast, Paul Coggin joins me to discuss BSides Huntsville.

Paul (@PaulCoggin) is the founder and organizer of BSides Huntsville (@BSidesHSV). I will be attending the conference for the first time this year. The conference is in its fifth year of existence. In our discussion I found something unique about the conference: Paul doesn't deal with sponsors like some other BSides conferences do. That isn't a bad thing, and I'm interested to see how it plays out in talks and networking opportunities. The lineup of speakers looks fantastic. Tickets are still available and I encourage people to check it out.

In this episode we discuss:

  • What is BSides?
  • How BSides Huntsville got started
  • What is unique about the conference?
  • Why Huntsville is a prime place for a BSides

How to be a good mentee

In this studious edition of the Exploring Information Security podcast, Amanda Berlin and Wolfgang Goerlich join me to discuss how to be a good mentee.

After recording the How to find a mentor episode, Wolf (@jwgoerlich) suggested that I do a podcast on how to be a good mentee and invite Amanda (@infoSystir) on to discuss it. I thought this was a great idea. I've heard Amanda rant before about people who ask for advice but don't do anything with it. And that's the sad truth. She's given out advice and taken the time to write up a how-to on networking and network forensics (try it out and let her know), but has yet to have a mentee follow through. This episode is meant to guide those looking for their start in infosec, asking for advice, on how to interact with a mentor.

Be sure to check out Amanda's new book Defensive Security Handbook. Also Converge and BSides Detroit, which Wolf helps run.

In this episode we discuss:

  • Who is a mentee
  • What makes someone a good mentee
  • Experience of being a mentee and mentoring someone
  • Examples of good mentees

How to find vulnerabilities

In this susceptible edition of the Exploring Information Security podcast, Samy Kamkar joins me to discuss how to find vulnerabilities.

Samy (@samykamkar) shouldn't need much of an introduction to most people. He's been in the news for hacking garage doors, credit cards, cars, and much, much more. Samy likes to hack things and has a knack for finding vulnerabilities in everything from locked machines to wireless doorbells. His site has the full list of vulnerabilities as well as videos and press appearances, which made him the perfect guest for talking about how to find vulnerabilities.

In this episode we discuss:

  • What got him started in looking for vulnerabilities
  • What is a vulnerability
  • What skills are necessary for finding vulnerabilities
  • How he decides his next project
  • The steps to finding vulnerabilities
  • What he does when he discovers a vulnerability
  • How long the process takes

What is the SANS Holiday Hack Challenge

In this holiday edition of the Exploring Information Security podcast, Ed Skoudis joins me to discuss the SANS Holiday Hack Challenge.

Around this time each year the SANS Holiday Hack Challenge is released under the direction of Ed (@edskoudis), an instructor with the SANS Institute. This year Santa has been kidnapped and it's up to us to figure out who did it and save Christmas. The challenge is for new people in infosec as well as for those who have been in the industry for many years. As Ed notes in the episode, it is even for children. The challenge itself has been around for years and several past years are still available for people to go through.

In this episode we discuss:

  • What is the SANS Holiday Hack Challenge
  • How it got started
  • What preparation goes into making the challenge each year
  • Who can participate

How to hire qualified application security talent - Part 2

In this two-part edition of the Exploring Information Security podcast, James Jardine of Jardine Software joins me to discuss how to hire qualified application security talent.

James (@JardineSoftware) recently wrote a post about the five mistakes to avoid when hiring qualified application security talent. It's such an interesting list and something I don't see a lot of people talking about. For more application security advice be sure to check out James' podcast DevelopSec.

In this episode we discuss:

  • The fifth mistake to avoid when hiring
    • Overly broad job requirements
  • How involved should the development team be in the process?

How to hire qualified application security talent - Part 1

In this two-part edition of the Exploring Information Security podcast, James Jardine of Jardine Software joins me to discuss how to hire qualified application security talent.

James (@JardineSoftware) recently wrote a post about the five mistakes to avoid when hiring qualified application security talent. It's such an interesting list and something I don't see a lot of people talking about. For more application security advice be sure to check out James' podcast DevelopSec.

In this episode we discuss:

  • What prompted James to write the article
  • What he considers qualified application security talent
  • Four of the five mistakes to avoid
    • Not understanding your current needs
    • Ignoring existing resources
    • Not sharing the workload
    • Not defining the role

How to find a mentor

In this advised edition of the Exploring Information Security podcast, I have three guests join me to discuss how to find a mentor.

First up is Wolfgang Goerlich (@jwgoerlich). Wolf provided me with a video he recently did on how to find a mentor for his Stuck in Traffic series on YouTube. His focus is on what to look for in a mentor, and that's where we focused in the interview. He's also written about finding and using a mentor on his website.

Next we have Javvad Malik (@J4vv4d). You may know him from his YouTube channel and the wonderful infosec videos he posts there. He also recently started doing the weekly infosec update with AlienVault, titled Alien Eye In The Sky. In our interview we focus on where to look for a mentor.

Finally we have Johnny Xmas (@J0hnnyXm4x), who gave me some feedback that I didn't expect: don't look for a mentor. He thinks mentors can be placed on pedestals, and the result of that can be overlooking the people you already look at as mentors.

How to find your niche in information security

In this stag episode of the Exploring Information Security podcast, I provide tips on how to find your niche and share my story of getting into information security.

This topic is one that I've submitted to a couple of different conferences, but it didn't get accepted. I still think it's an interesting topic and useful for those just getting into infosec. "Find your niche" is advice you will see other professionals give to new people in the field. I think it's good advice, but it can be frustrating figuring out how to do it. Some will find their niche quickly, while for others it may take a while. It took me a long time to figure out that I even wanted to be in infosec. I was then shocked when I got in and had to find a niche within a niche.

In this episode I discuss:

  • Tips for finding your niche
  • Share my story of getting into infosec
  • Then getting into application security

More Resources:

What is straight talk - Part 2

In this to the point episode of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss straight talk.

Michael (@catalyst) has launched a new program called Straight Talk. What I like about this program is that it helps solve problems. It cuts right through symptoms and other distractions and gets right to the point. This framework is for managers and executives, but it is worth the time for security professionals at any level.

In this episode we discuss:

  • How to get started with straight talk
  • Resources available for getting started with straight talk

More resources:

What is straight talk - Part 1

In this to the point episode of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss straight talk.

Michael (@catalyst) has launched a new program called Straight Talk. What I like about this program is that it helps solve problems. It cuts right through symptoms and other distractions and gets right to the point. This framework is for managers and executives, but it is worth the time for security professionals at any level.

In this episode we discuss:

  • What is straight talk
  • Why it's important
  • Who should use it

More resources:

How to harden AWS

In this firm episode of the Exploring Information Security podcast, Andrew Krug of ThreatResponse joins me to discuss tips and resources for hardening AWS.

Andrew (@andrewkrug) and Alex (@amccormack) recently presented on AWS hardening at DerbyCon (slides). I previously talked about their talk on the "What I learned at DerbyCon" episode. Alex was gracious enough to join me to discuss what he talked about in his talk. He also provided some other tips and resources for improving the security in an AWS environment.

In this episode we discuss:

  • Why hardening AWS is important
  • What attacks we need to worry about in AWS
  • How to harden AWS
  • What are the tools he's created to help harden AWS

More resources:

How to break Android apps for fun and profit - Part 2

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break Android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking android app for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Other tools to use for testing mobile applications
  • OWASP Mobile Top Ten
  • Methodology for testing
  • Types of vulnerabilities Bill has found

More resources: