What is BSides Indy?

In this circular edition of the Exploring Information Security podcast, Frank the Tank joins me to discuss BSides Indy.

Frank (@TheDevilsVoice) is the lead organizer of BSides Indy (@indybsides). I am excited to be traveling to the conference this year. I will be taking pictures and speaking at the event. I decided to have Frank on to talk about BSides Indy to gauge what type of BSides event I can expect. The theme I got from my chat with Frank is that it's a very laid-back BSides with a lot of the usual events: wonderful speakers, a lock pick village, a place for hacking Internet of Things (IoT) devices, Hack4Kidz for the little ones, and a devious capture the flag (CTF) event. I am excited to go. Tickets are still available. General Admission is $15 for Saturday. Hack Harder (Friday workshops) plus the Saturday talks is $30. If you're a student or broke, tickets are free. See you there!

In this episode we discuss:

  • What is BSides Indy?
  • How the con got started
  • What makes this conference unique?
  • What is the one thing to do in Indy (Pork tenderloin sandwiches)

What is DefectDojo?

In this to the mat edition of the Exploring Information Security podcast, Greg Anderson joins me to discuss the OWASP project DefectDojo.

Greg (@_GRRegg) is one of three project leads for the OWASP project DefectDojo. The project is an appsec automation and vulnerability management tool. This is something I wish had been around when I first started managing vulnerabilities for the development team. It has a lot of great features, including metrics, JIRA integration, automatic ticket creation, vulnerability de-duplication, and of course it allows appsec teams to manage vulnerabilities in development. A demo site is available. It's open source (as all OWASP projects are). I would recommend that anyone who has to manage vulnerabilities check this project out.

In this episode we discuss:

  • What is DefectDojo?
  • Why create the project?
  • Why the name?
  • Who should use the tool
  • How to effectively use the tool

What is decentralized IT? - Part 2

In this non-central edition of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss decentralized IT.

Michael (@Catalyst) has talked about decentralized IT before on a couple of other podcasts. It's a concept that I am currently experiencing in my day-to-day role. I work with the development team to improve security in the software development life cycle. I sit with the dev team. I attend meetings. I am a resource they can approach with security concerns and questions. I am having quite a bit of success, which is why I wanted to have Santarcangelo on to have a discussion around this concept. It's something I think more teams should be looking into as an approach for working with other departments and teams.

In this episode we discuss:

  • What are the roles and responsibilities
  • Having leadership buy in
  • Being adaptable
  • Building better relationships

What is decentralized IT? - Part 1

In this non-central edition of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss decentralized IT.

Michael (@Catalyst) has talked about decentralized IT before on a couple of other podcasts. It's a concept that I am currently experiencing in my day-to-day role. I work with the development team to improve security in the software development life cycle. I sit with the dev team. I attend meetings. I am a resource they can approach with security concerns and questions. I am having quite a bit of success, which is why I wanted to have Santarcangelo on to have a discussion around this concept. It's something I think more teams should be looking into as an approach for working with other departments and teams.

In this episode we discuss:

  • What is decentralized IT
  • The different approaches to working with other departments
  • Who should use a decentralized model
  • Training with the development team

What is BSides Huntsville?

In this launched edition of the Exploring Information Security podcast, Paul Coggin joins me to discuss BSides Huntsville.

Paul (@PaulCoggin) is the founder and organizer of BSides Huntsville (@BSidesHSV). I will be attending the conference for the first time this year. The conference is in its fifth year of existence. In our discussion I found something unique about the conference: Paul doesn't deal with sponsors like some other BSides conferences do. That isn't a bad thing, and I'm interested to see how it plays out in the talks and networking opportunities. The lineup of speakers looks fantastic. Tickets are still available and I encourage people to check it out.

In this episode we discuss:

  • What is BSides?
  • How BSides Huntsville got started
  • What is unique about the conference?
  • Why Huntsville is a prime place for a BSides?

How to be a good mentee

In this studious edition of the Exploring Information Security podcast, Amanda Berlin and Wolfgang Goerlich join me to discuss how to be a good mentee.

After recording the How to find a mentor episode, Wolf (@jwgoerlich) suggested that I do a podcast on how to be a good mentee and invite Amanda (@infoSystir) on to discuss it. I thought this was a great idea. I've heard Amanda rant before about people who ask for advice but don't do anything with it. And that's the sad truth. She's given out advice and taken the time to write up a how-to on networking and network forensics (try it out and let her know), but has yet to have a mentee follow through. This episode is meant to guide those looking for their start in infosec on how to ask for advice and how to interact with a mentor.

Be sure to check out Amanda's new book, Defensive Security Handbook. Also check out Converge and BSides Detroit, which Wolf helps run.

In this episode we discuss:

  • Who is a mentee
  • What makes someone a good mentee
  • Experience of being a mentee and mentoring someone
  • Examples of good mentees

How to find vulnerabilities

In this susceptible edition of the Exploring Information Security podcast, Samy Kamkar joins me to discuss how to find vulnerabilities.

Samy (@samykamkar) shouldn't need much of an introduction to most people. He's been in the news for hacking garage doors, credit cards, cars, and much, much more. Samy likes to hack things and has a knack for finding vulnerabilities in everything from locked machines to wireless doorbells. His site has the full list of vulnerabilities as well as videos and press appearances, which made him the perfect guest for talking about how to find vulnerabilities.

In this episode we discuss:

  • What got him started in looking for vulnerabilities
  • What is a vulnerability
  • What skills are necessary for finding vulnerabilities
  • How he decides his next project
  • The steps to finding vulnerabilities
  • What he does when he discovers a vulnerability
  • How long the process takes

What is the SANS Holiday Hack Challenge

In this holiday edition of the Exploring Information Security podcast, Ed Skoudis joins me to discuss the SANS Holiday Hack Challenge.

Around this time each year the SANS Holiday Hack Challenge is released under the direction of Ed (@edskoudis), an instructor with the SANS Institute. This year Santa has been kidnapped and it's up to us to figure out who did it and save Christmas. The challenge is for people new to infosec and for those who have been in the industry for many years. As Ed notes in the episode, it is even for children. The challenge itself has been around for years, and several past years' challenges are still available for people to go through.

In this episode we discuss:

  • What is the SANS Holiday Hack Challenge
  • How it got started
  • What preparation goes into making the challenge each year
  • Who can participate

How to hire qualified application security talent - Part 2

In this two-part edition of the Exploring Information Security podcast, James Jardine of Jardine Software joins me to discuss how to hire qualified application security talent.

James (@JardineSoftware) recently wrote a post about the five mistakes to avoid when hiring qualified application security talent. It's an interesting list and something I don't see a lot of people talking about. For more application security advice, be sure to check out James's podcast, DevelopSec.

In this episode we discuss:

  • The fifth mistake to avoid when hiring
    • Overly broad job requirements
  • How involved should the development team be in the process?

How to hire qualified application security talent - Part 1

In this two-part edition of the Exploring Information Security podcast, James Jardine of Jardine Software joins me to discuss how to hire qualified application security talent.

James (@JardineSoftware) recently wrote a post about the five mistakes to avoid when hiring qualified application security talent. It's an interesting list and something I don't see a lot of people talking about. For more application security advice, be sure to check out James's podcast, DevelopSec.

In this episode we discuss:

  • What prompted James to write the article
  • What he considers qualified application security talent
  • Four of the five mistakes to avoid
    • Not understanding your current needs
    • Ignoring existing resources
    • Not sharing the workload
    • Not defining the role

How to find a mentor

In this advised edition of the Exploring Information Security podcast, I have three guests join me to discuss how to find a mentor.

First up is Wolfgang Goerlich (@jwgoerlich). Wolf provided me with a video he recently did on how to find a mentor for his Stuck in Traffic series on YouTube. His focus is on what to look for in a mentor, and that's where we focused in the interview. He's also written about finding and using a mentor on his website.

Next we have Javvad Malik (@J4vv4d). You may know him from his YouTube channel and the wonderful infosec videos he posts there. He also recently started doing a weekly infosec update with AlienVault, titled Alien Eye In The Sky. In our interview we focus on where to look for a mentor.

Finally we have Johnny Xmas (@J0hnnyXm4x), who gave me some feedback that I didn't expect: don't look for a mentor. He thinks mentors can be placed on pedestals, and the result of that can be overlooking the people you already look to as mentors.

How to find your niche in information security

In this stag episode of the Exploring Information Security podcast, I provide tips on how to find your niche and share my story of getting into information security.

This topic is one that I've submitted to a couple of different conferences, but it didn't get accepted. I still think it's an interesting topic and useful for those just getting into infosec. "Find your niche" is advice you will see other professionals give to new people in the field. I think it's good advice, but it can be frustrating figuring out how to do it. Some will find their niche quickly, while for others it may take a while. It took me a long time to figure out that I even wanted to be in infosec. I was then shocked when I got in and had to find a niche within a niche.

In this episode I discuss:

  • Tips for finding your niche
  • My story of getting into infosec
  • How I then got into application security

What is straight talk - Part 2

In this to the point episode of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss straight talk.

Michael (@catalyst) has launched a new program called straight talk. What I like about this program is that it helps solve problems. It cuts right through symptoms and other distractions and gets right to the point. This framework is for managers and executives, but it's worth the time for security professionals at any level.

In this episode we discuss:

  • How to get started with straight talk
  • Resources available for getting started with straight talk

What is straight talk - Part 1

In this to the point episode of the Exploring Information Security podcast, Michael Santarcangelo joins me to discuss straight talk.

Michael (@catalyst) has launched a new program called straight talk. What I like about this program is that it helps solve problems. It cuts right through symptoms and other distractions and gets right to the point. This framework is for managers and executives, but it's worth the time for security professionals at any level.

In this episode we discuss:

  • What is straight talk
  • Why it's important
  • Who should use it

How to harden AWS

In this firm episode of the Exploring Information Security podcast, Andrew Krug of ThreatResponse joins me to discuss tips and resources for hardening AWS.

Andrew (@andrewkrug) and Alex (@amccormack) recently presented on AWS hardening at DerbyCon (slides). I previously talked about their talk on the "What I learned at DerbyCon" episode. Alex was gracious enough to join me to discuss what he covered in the talk. He also provided some other tips and resources for improving security in an AWS environment.

In this episode we discuss:

  • Why hardening AWS is important
  • What attacks we need to worry about in AWS
  • How to harden AWS
  • What are the tools he's created to help harden AWS

How to break android apps for fun and profit - part 2

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking android app for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Other tools to use for testing mobile applications
  • OWASP Mobile Top Ten
  • Methodology for testing
  • Types of vulnerabilities Bill has found

How to break android apps for fun and profit - part 1

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking android app for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Why break an android app
  • The skills needed to break android apps
  • Some of the tools needed to break an android app
  • What operating system to perform the tests on

What is a denial of service (DOS) attack?

In this disclaimed episode of the Exploring Information Security podcast, Daniel Smith of Radware joins me to discuss denial of service attacks.

Daniel (@hypoweb) is a security researcher at Radware, and he loves watching denial of service attacks. He joins me to explain what a denial of service attack is and the nuances of this type of attack. He will be speaking on this type of attack, and the threat landscape in general, at Tactical Edge in Bogotá, Colombia on October 26, 2016.

In this episode we discuss:

  • What is a denial of service attack
  • The different kinds of denial of service attacks
  • Who will launch a denial of service attack
  • Who DOS attacks typically target

What I learned at DerbyCon

In this enlightening episode of the Exploring Information Security podcast, I talk about what I learned at DerbyCon.

This was my second trip to DerbyCon. Last year was a wonderful experience, and this year was much the same. While at the conference I had some takeaways that I wanted to share on the podcast (also, I've been slacking on getting guests on the show lately).

In this episode I discuss:

What is Practical Web Application Penetration Testing?

In this educational edition of the Exploring Information Security podcast, Tim Tomes joins me to discuss Practical Web Application Penetration Testing (PWAPT) training.

Tim (@LaNMaSteR53) is one of the leading names in the application security field. A former instructor for many organizations, he wanted to do more with training and give attendees more hands-on work: get into an application, exploit it, and then provide remediation steps. He came up with the PWAPT training to do exactly that.

In this episode we discuss:

  • How the idea for the training came about
  • Why the training is important
  • Who should attend the training
  • What makes this training unique