The Front Range’s Largest AppSec Conference is BACK February 18, 2016. Details & registration at www.snowfroc.com. Keynote by Jeremiah Grossman.

Presentation transcript:

The Front Range’s Largest AppSec Conference is BACK February 18, 2016. Details & registration at www.snowfroc.com. Keynote by Jeremiah Grossman. Hands-on lab throughout the day.

AppSec Blue Team Basics: How improving those Blue Team skills will give you an edge when playing for the Red Team … and just help you be more awesome in general. Speaker: Tyler Bell. (We’ll use Kali toward the end of this.)

Plug Time: Director, App Security at AppliedTrust – 4 years at AT. AppliedTrust – Infrastructure, Security, DevOps. We’re hiring … and not just in Colorado!

Before We Begin… Please ask questions if you have any throughout this talk (or any other 101 talk today). Let’s make these talks interactive! Let me know what you thought about the talk afterwards: Twitter, yelling in my face about getting something wrong, etc.

What Is the Blue Team? Defenders of the Organization – Developers – Infrastructure – Operations – Security – Everyone

What Does the Blue Team Do? Confidentiality – Preventing disclosure of sensitive data Integrity – Preventing corruption of data or services Availability – Keeping the cogs turning

Importance of Gaining Blue Team Skillz Before Joining the Red Team: Understand common platforms and services before trying to break them. Efficiency is key. Know how to adapt to your test environment. Meaningful communication. Everyone here has some interest in Security. It is a Security Conference.

Common Blue Team Tools

Utilize the Tools Available to You: Don’t let those pesky hackers or security consultants have all the fun at your expense. Find the low-hanging fruit – Most (hopefully) do this with common vulnerability scanning tools such as those mentioned previously, but there’s still so much more we could do…

Missing Pieces of the Blue Team Puzzle
Profiling / Open-Source Intelligence (OSINT)
– Publicly disclosed information on your organization’s Web presence
– Data being indexed by search engines
– Public records
– Gitrob
– Recon-Ng. Excellent 2015 talk from creator Tim Tomes on Recon-Ng and AppSec: …tch?v=zgz6QYpdzT8
Exploitation/Post-Exploitation
– Exploitation 101 coming up after lunch!
– Metasploit (Pro, msfconsole, msfvenom, etc.)
– PowerShell Empire
– PowerSploit
– Too many to mention! Your customized scripts

Profiling your Organization: Let’s explore. Find the gaps before the bad guys do. All info is public.

Demo: Recon-Ng. Boot up Kali and open up recon-ng. Ta-da!

Commands
Create a new workspace … because it’s clean!
>workspaces add owasp
Add a domain to begin profiling.
>add domains owasp.org
List added domains.
>show domains
Go through modules.
>show modules
Let’s use a couple of modules to gather intel via popular search engines:
>use recon/domains-hosts/google_site_web
>run
>use recon/domains-hosts/bing_domain_web
>run
>show hosts

More Commands
You can harvest subdomains using the brute_hosts module, which brute-forces DNS using a specified wordlist.
>use recon/domains-hosts/brute_hosts
>show info
>run
Use Recon-Ng to resolve all these subdomains to IP addresses, and then do a reverse resolve to possibly identify even more subdomains.
>use recon/hosts-hosts/resolve
>run
>use recon/hosts-hosts/reverse_resolve
>run
Use Recon-Ng modules to identify potential users and addresses related to your organization via identified hosts.
>use recon/domains-contacts/whois_pocs
>run
>use recon/domains-contacts/pgp_search
>run

Even More Commands
Run a cross-check on identified addresses against the haveibeenpwned.com site to see if they have any disclosed credentials.
>use recon/contacts-credentials/hibp_paste
>run
Build yourself a nice report to reference later.
>use reporting/html
>set CREATOR [Your name]
>set CUSTOMER [Your Org]
>run
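As an added example that is not part of the talk: once the resolve modules have filled the hosts table, the blue-team value is in reconciling what OSINT found against what you believe you own. The Python script below parses a constructed table shaped like Recon-Ng’s `show hosts` output (hypothetical hosts in documentation address ranges, embedded inline so it runs offline without Recon-Ng) and flags hosts missing from the asset inventory, DNS names that no longer resolve, and hosts that resolve outside your owned address space. The inventory and network list are assumptions standing in for your own CMDB.

```python
"""Reconcile OSINT-discovered hosts against an internal asset inventory.

Added example, not from the talk or the Recon-Ng project. HOSTS_TABLE is
constructed sample data shaped like Recon-Ng's `show hosts` table after the
resolve modules have run; KNOWN_HOSTS and OWNED_NETWORKS stand in for an
organization's asset inventory (all hypothetical).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: pipe-separated columns like Recon-Ng's hosts table.
# An empty ip_address column means the name was found but never resolved.
HOSTS_TABLE = """\
host | ip_address | module
www.example.org | 203.0.113.10 | google_site_web
mail.example.org | 203.0.113.25 | bing_domain_web
dev.example.org | 198.51.100.7 | brute_hosts
old-cms.example.org | | brute_hosts
vpn.example.org | 203.0.113.40 | reverse_resolve
"""

# Constructed inventory: what the blue team thinks it owns (hypothetical).
KNOWN_HOSTS = {"www.example.org", "mail.example.org", "vpn.example.org"}
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    reason: str


def parse_hosts_table(text):
    """Return (host, ip_or_None) tuples from a pipe-separated hosts table."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    host_idx = header.index("host")
    ip_idx = header.index("ip_address")
    rows = []
    for line in lines[1:]:
        cols = [c.strip() for c in line.split("|")]
        rows.append((cols[host_idx].lower(), cols[ip_idx] or None))
    return rows


def reconcile(rows, known_hosts, owned_networks):
    """Flag hosts that differ from the inventory; one Finding per reason."""
    findings = []
    for host, ip in rows:
        if host not in known_hosts:
            # Unknown to the inventory: shadow IT, forgotten test box, or typo.
            findings.append(Finding(host, ip or "-", "not in asset inventory"))
        if ip is None:
            # Name exists in DNS or search indexes but resolves to nothing:
            # a stale record worth cleaning up rather than leaving dangling.
            findings.append(Finding(host, "-", "does not resolve (stale record?)"))
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in owned_networks):
            # Resolves to space you do not control: third-party hosting or
            # a record pointing somewhere it should not.
            findings.append(Finding(host, ip, "resolves outside owned address space"))
    return findings


def summarize(findings):
    """Group reasons by host so each asset gets one line in a report."""
    report = {}
    for f in findings:
        report.setdefault(f.host, []).append(f.reason)
    return report


if __name__ == "__main__":
    rows = parse_hosts_table(HOSTS_TABLE)
    for host, reasons in summarize(reconcile(rows, KNOWN_HOSTS, OWNED_NETWORKS)).items():
        print(f"{host}: {'; '.join(reasons)}")
```

On the constructed data this reports two hosts: dev.example.org (not in inventory, resolves outside owned space) and old-cms.example.org (not in inventory, no longer resolves). In practice you would export the real hosts table from your workspace and load the inventory from your CMDB; the reconciliation logic stays the same.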

AppSec Resources
OWASP is an excellent resource for AppSec.
– Top 10 lists
– Testing methodology guide
– Cheat sheets and hardening guides
– Zed Attack Proxy (ZAP)
– Use WebGoat to work on those Red Team skills.
Many other insecure apps out there for working on skills, including:
– Damn Vulnerable Node App
– Hackazon
[link missing] is an archive for many recorded talks at various security conferences.
Blogs, blogs, and more blogs.
Go get involved in your local community.
– OWASP Chapters in Boulder and Denver
– Meetup.com is a great resource for many organized tech meetups: DevOps Boulder & Boulder Linux Users Group
– Denver CitySec, DC303