NO DOUBT, there are tons of "legit" companies walking around simply running a va scan and handing them a stock report. What a joke and nobody knows any better. As long as the box gets checked. I once had some idiot at an unamed company tell me that their pentest was only running firewalk from the outside. Apparently firewalk was their magic bullet for security.

I think a one man pen test shop could only cater to really small businesses. Anything bigger and your gonna want a whole team, with a few guys that specialize in various areas. I've thought about that idea, as far as doing it on the side. As long as you can line up customers and provide value, why not.

Also, between SANS and the Infosec Institute, which one has more hands-on activities? And do either use Core-Impact and/or Canvas during the class?

GREAT IDEA!!!!

In its current form, I do not believe the CEH provides any value. I studied for a week and passed it easily. My complaints about it, are that it is too much focused on tools and options of said tools. Knowing that a tool exists and how to use it, is nothing special IMHO. I wouldn't call the CEH a pen testing cert either. Its more like hacking tools 101.

Congrats on your new adventure! At least you can say you no longer work for the "man" now. This forum and the con have really taken off due to your hard work and it looks like things will only get better

Cool, thanks for the info. I will checkout both of those books at the store to figure out which one to buy online.

Is that Webgoat thing on the OWASP site decent?

If you go the dd or dcfldd route, check the free tool from cert/cc for booting a dd image

http://liveview.sourceforge.net/

If FOG disappoints, you might consider just trolling the dealdump sites for awhile. This year I saw a Symantec bundle with Ghost for like 29.99. Yeah it sucks to pay, but your getting a reliable product.

Samurai,
I agree. I'm trying to build up my skillset in this area, beyond just scanning and exploiting.

VJ,
Are there any instructors that standout? Just wondering as my past experience with SANS was heavily dependent on the which instructor you got. For example, the smaller SANS events usually don't get the A Team.

Anybody have a recommendation for a training class and/or book on Web App Hacking?

I was think about buying
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

I think the main issue was that the Air Force was making a power grab to own all CyberSecurity, whereas the Navy and Army with there own Cyber groups had a slight problem with that

I was really impressed with HP WebInspect, it did everything I was looking for. But I'm still evaluating right now, so far all I've compared it to was Accunetix, which I thought was a real value for how cheap it is. The trial version only includes 2 of the many modules it has, but I'm sure you know that.

Haha, yeah I was at something that lasted till 11:30 that night and I didn't know if ya'll would still be there. I should have gone over just in case, oh well next year I will have to make it for sure. And for the record, I'm a big fan of all beer, especially free german beer 

So my first Blackhat is in the books. I thoroughly enjoyed it and got to learn quite a bit and get some networking done as well. My only two complaints would be first, that it was completely overcrowded on the 4th floor and that made getting to a session very difficult. The second being that classic conference paradox. Alot of the great topics with new material were presented by people with poor public presentation skills, whereas alot of the great speakers presented either old stuff or no real useful content. That aside it was a hoot.

    I started the week attending a Malware Analysis class by Mandiant which was excellent. They basically crammed a 4 day course into 2 days, so it move very quick and had lots of content and labs. The teachers were extremely knowledgeable and were able to convey the material well. My only complaint would be that they should have spent more time on Ollydbg, but with the labs I can do that on my own time. They did spend extensive time using IDAPro, which helped me understand assembly code structures much better. I would highly recommend this course.

    The first keynote speech by Ian Angell was very funny, but essentially preached an anti technology message which I think is mostly pointless considered the techno-geek audience. He did have some really fascinating quotes though. My first presentation was Bad Sushi: Beating Phishers at Their Own Game. While presenting nothing new, they did provide much comedy and insight into how spammers routinely try to rip each other off.  They also showed an insane toolkit that traffics in the spam underground that basically contains knock off sites for every large bank in the world. Of course the next session was the highly anticipated DNS Goodness by Dan Kaminsky. This has already been covered to death, so I will only add that it was worth the wait and Dan is the man. Next I attended The Four Horsemen of the Virtualization Security Apocalypse by Chris Hoff. This was probably the most usuful and timely presentation I attended. Chris is a good speaker and I enjoyed how he detailed the current shortcomings of virtualization, while also pointing out VM myths as well. In a nutshell, the HA functionality is not there to do anything more then server/desktop virtualization. Beyond that, you are rolling the dice with your availability and network capacity. After that I hit up Bruce Potter's presentation on Malware Detection Through Network Flow Analysis. This guy is a bad ass and a very good speaker, but he provided nothing relevant in his talk, unless you didn't know Net Flow existed. My last session of the day was Reverse DNS Tunneling Shellcode by Ty Miller. Ty debuted his dns tunneling tool and also a very cool project to create a consolidated framework for shellcode. Once it gets up and running it, check it out at http://projectshellcode.com/ . I liked his talk alot, especially how he demonstrated various attacks through a corporate DMZ. The day ended with beer and pizza, yay!!

    Leading of the second day was a keynote by Rod Beckstrom of the newly created NCSC. His talk was very interesting and had a historical twist to it. I agree with him 10 million percent that the best chance to make a security significant impact is to upgrade our protocols which are mostly outdated. My first  session of the day was No More 0-days by Ohad Ben-Cohen. He showed off a cool new tool called Korset, which will basically create a control flow graph for any Linux compiled binary which prevents anything out of the ordinary from occurring. I like this technology and would like to see it integrated into a windows based AV suite. My only issue with the tool is that it only works based off system calls and doesn't check parameters. So it would be easy to circumvent by creating your own CFG and passing malicious parameters. Very good work though. My second talk of the day was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean. The debut 2 new cool tools aimed at shortening the time it takes to inspect a huge file at the hex level. Basically it helps you quickly find areas of interest in a file, as well as lending it self to repeating patterns that can be used in the future once identified. Next I attended Secure the Planet! New Strategic Initiatives from Microsoft to hear the latest from Redmond. I only heard the first half, but they are expanding their vulnerability research efforts to include 3rd party products and adding an exploitability index to their black tuesday reports. I LOL'd when they referred to black tuesday as something stupid like feature upgrade day. I had to cut this meeting short to head over to Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation by Eric Laspe and Jason Raber. Its a very much needed IDAPro plugin that can save us tons of time. I wrapped up the conference by listening to Bruce Dang's talk on Methods for Understanding Targeted Attacks with Office Documents. Bruce is smart as hell, but talked way too fast. He walked through a few of the office documents headers and structure and demo'd and attack. Also, he did mention that many of the current attacks could be avoided by either installing MOICE, Office 2K3 SP3, or Office 2K7.

    On Friday, I was able to make it to most of Defcon. Those badges are freaking sweet. The talks there were mostly the same, but had a much more relaxed, less corporate feel. For only 125 bucks, Defcon is a steal when compared to 1500 for Blackhat. Thats all for now and back to your regularly scheduled programming. 

Yeah I caught that one as well. The Four Horsemen of the Virtual Apocalypse. That line got some good laughs. He pointed out some VM myths about interVM traffic as well as painted a very scary picture of vendors roadmap for pushing virtual networking. I would have to agree with him in that it is a bad idea, due to HA and capacity issues.