
Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties

March 29, 2013

By Jason Haddix

Love it or hate it, crowdsourcing is here to stay. While it’s been mostly confined to development and design, eventually it was going to come to security. Two such gentlemen trying to pioneer the space are Casey Ellis and Sergei Belokamen. Being long-time hackers and having seen how the security space works, they decided to start Bugcrowd. Here’s a description directly from the source:

“Bugcrowd is by far the most comprehensive and cost-effective way to secure websites and mobile apps. We’ll do a brief consultation and help you set the budget, the duration, and which websites or apps you’d like our curated crowd of researchers to test. The Bugcrowd researchers get to work finding security flaws in your applications. All testing can be routed through Bugcrowd’s crowd-control system, providing control and accountability. Any bugs are submitted to our Secure Operations Centre as soon as they are found. We validate the flaws and, at the end of the bounty, reward the first researcher to find each unique flaw. We provide you with an easy to understand report for you to hand to your developers… We can even recommend partners to help you fix what we find!”

Join me as I interview them both about their new venture and uncover some interesting information about security testing on a massive scale, as well as how to start. For example, if you are a tester looking to participate, it couldn’t be easier. Fill out the “Ninja” form and create an online profile (public or private) in which you provide Bugcrowd with your PayPal email address. Then you wait until you receive an email message announcing a new bounty… and it looks a little something like this…


Review: Advanced Penetration Testing (APT)

September 20, 2010

This year I had the opportunity to take a few stellar instructor-led training courses, one of which was Joe McCray’s "Advanced Penetration Testing: Pentesting High Security Environments" course from his training entity LearnSecurityOnline.

Since I’m already doing pen testing full time I feel like it’s a tremendous opportunity to see what techniques other testers use. I’m definitely not arrogant enough to think I know everything, but I do know Joe is tremendously skilled and has many more years "in the game" than I have. What an opportunity for me to learn from the best.

Joe’s class is presented as a higher-level pen test course. There are no real introductions to pen testing theory, tools, or syntax; APT is largely comprised of labs and demos. The course also has a unique structure. It comes from the mindset of attacking from the outside (web) and pivoting through the DMZ to the LAN, with a lot of emphasis on stealth, persistence, and evasion. Even if your testing isn’t scoped this way, being able to show your clients how one seemingly innocuous web flaw can lead to network disaster is a powerful ability. Regardless, I found that this class was beneficial even to those who separate web and network scopes.

This review covers the course offered in conjunction with Black Hat Training at the venerable annual event in 2010 and takes a detailed look at the 2-day agenda, the coverage of the 5-day version of the course, thoughts on presentation and technical content, conclusions, and modest recommendations.


Review: eLearnSecurity’s Penetration Testing Pro (PTP)

April 29, 2010

eLearnSecurity’s Penetration Testing Pro - What CEH Should Have Been

Recently the web has been abuzz with pentest training options. The CEH received new life as it was added to DoD Directive 8570 as well as revamped its courseware in version 6.0, Offensive Security rolled out their version 3.0 of “Pentesting With BackTrack,” and it seems like new training options are coming out almost every day in the field. That being said, I have been lucky enough to receive an advance copy of the flagship course by eLearnSecurity, Penetration Testing Pro (PTP).

PTP is a three-section presentation and video course authored by Armando Romeo (admin of hackerscenter.com), Brett D. Arion, Nitin Kumar, and Vipin Kumar. It has an optional certification component called the Certified Professional Penetration Tester, or eCPPT for short. The target audience for the course is security engineers or penetration testers in the 0-3 year experience range. The course divides penetration testing into three categories: System Security, Network Security, and Web Application Security. Let’s take a look at each.


Interview: Joe McCray of LearnSecurityOnline

March 1, 2010

Review by Jason Haddix

Have you ever seen Man on Fire? If you haven’t and you like watching kick-ass, kick-you-in-the-teeth, relentless, Denzel-Washington-type action flicks… you might want to Netflix that one. Our interview this week is kind of like Denzel in Man on Fire, but with fewer guns and more SQLi strings meticulously crafted to pwn your databases.

Enter Joe (j0e) McCray of LearnSecurityOnline… Joe is a long-standing friend of both Security Aegis and The Ethical Hacker Network, and, after wanting to keep the limelight off himself and his teaching projects, we have finally pestered him enough to agree to sit back and answer a few of our questions about life, liberty, and the pursuit of root.

The great thing about Joe is that he will never make you feel like an idiot, even while he’s managing to teach you cutting-edge stuff. He keeps you engaged in a half-comedy, half-lecture teaching style. I have no reason to think that his energy and effectiveness won’t continue to shine through in his upcoming advanced course, Pentesting High Security Environments. Make sure to check out his video at the end of the interview.


Interview: Ferruh Mavituna on Netsparker

January 7, 2010

Review by Jason Haddix

Today we showcase a new web application scanner called Netsparker, and believe us when we say that we put this app through the wringer.

There’s a big distinction between testing a tool against dummy apps in a lab and using it first-hand against a large environment. Luckily for us, we got to do both.

Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af, Grendel Scan, Nikto, Wikto, Websecurify, Paros, Burp, etc). We have to say, we are very impressed. Netsparker not only caught vulnerabilities that other scanners missed but also had excellent remediation and a documentation section for most of its findings.

For injection it does a full-scale attack, testing every parameter it can spider (which it also does very well), and, although this lengthens the testing time, it also rewarded us with some valuable injection findings. Netsparker is developed by Mavituna Security, and more specifically by our guest, Ferruh Mavituna.


Interview: Peter Giannoulis of The Academy Pro on eLearnSecurity

September 11, 2009

Review by Jason Haddix

If you haven’t seen or used The Academy Pro, you’re missing out on an incredibly valuable resource. Peter Giannoulis and friends have put together 400+ videos on setting up and optimally using all our *favorite* security technologies. Need to set up IronPort? They have a video. GFI LANguard? They have a video, too. Need pentest tool tips? They have over 70 different VA/pentest video tutorials. Heck, they even have our Security Aegis videos.

Last month, Peter started the buzz on a new training class he will be offering. It’s called eLearnSecurity. So far we know it has about 2000 slides of theory and practical application, plus 5 hours of unreleased video. The class promises to be affordable and to have some awesome labs.


Interview: Kevin Johnson of SANS, InGuardians

May 30, 2009

Review by Jason Haddix, Security Aegis

Anyone who knows training (or InfoSec, for that matter) knows SANS is probably THE most recognized name in InfoSec training. While the foundation of SANS is Stephen Northcutt and Alan Paller, its superstars are the InGuardians crew. Call them security divas, we don’t care. We know that Ed Skoudis, Kevin Johnson, Mike Poor, and Joshua Wright are instructors we’d give the whole of our security budget to train with. We can’t decide what we like best: their stellar tool development, their helpful whitepapers, their nifty cheat sheets, their open source projects, or the fact that their courses are the most interesting and engaging we’ve seen.

Web application pen testing is a huge focus for the security space right now, and SANS just turned their 4-day SEC542 – Web App Penetration Testing and Ethical Hacking into a 6-day class. We had the chance to pick the brain of its instructor/creator Kevin Johnson, InGuardians pen tester, father, and all-around great guy.

Read on as he answers a wide array of our web-app security questions.
