Purple Squad Security show

Purple Squad Security

Summary: Information Security, InfoSec, CyberSec, Cyber, Security, whatever you call it, we talk about it! From mobiles and desktops to data centers and the cloud, Purple Squad Security is here to help and give back to our community of information security professionals.


Podcasts:

Episode 15 – Infosec Tabletop D&D with Brakeing Down Security | File Type: audio/mpeg | Duration: 53:54

The first of a series, I sit down with Bryan and Brian of Brakeing Down Security fame to have a fun take on a classic tabletop scenario with a D&D feel. Please hold the hate, I haven’t played D&D in many years and I know it’s not “classic”, but it’s fun and lighthearted. We go through a few different scenarios with you all in the hopes you find it enjoyable, entertaining, and educational. If you enjoyed this episode, please let me know! I’d like to make this a recurring theme every 12-15 episodes with different podcasters if there’s enough interest. Special shout out to @badthingsdaily on Twitter for helping provide the scenarios!

Some links of interest:
Brakeing Down Security – http://www.brakeingsecurity.com/ (@brakesec, @bryanbrake, @boettcherpwned, @infosystir)
Tabletop Scenarios – @badthingsdaily

Want to reach out to the show? There’s a few ways to get in touch!
Show’s Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Episode 14 – OWASP Top 10 2017 – A6 Through A10 | File Type: audio/mpeg | Duration: 39:44

In the completion of our look at the OWASP Top 10 for 2017, this episode will cover the final 5 items on the list, from A6 (Security Misconfiguration) through A10 (Insufficient Logging & Monitoring).

Some links of interest:
OWASP Top 10 – https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
OWASP XSS Filter Evasion Cheat Sheet – https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
OWASP XSS Prevention Cheat Sheet – https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
OWASP DOM-based XSS Prevention Cheat Sheet – https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Bypass WAF with DOM-based XSS – https://www.sunnyhoi.com/using-dom-based-xss-bypass-waf/

Want to reach out to the show? There’s a few ways to get in touch!
Show’s Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Episode 013 – OWASP Top 10 2017 – A1 Through A5 | File Type: audio/mpeg | Duration: 34:17

The Open Web Application Security Project (OWASP) group has created a Top 10 web application vulnerability list since 2003. Normally the list gets updated every 3 years or so, with the previous release being 2013. Now with the 2017 list being finalized, I felt it was appropriate for us to go through it and look at it from a red and blue team perspective. This episode will cover the first 5 items on the list, from A1 (Injection) through to A5 (Broken Access Control).

Some links of interest:
OWASP Top 10 – https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
SQLMap – http://sqlmap.org/
Burp Suite – https://portswigger.net/burp
OWASP Zed Attack Proxy (ZAP) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Want to reach out to the show? There’s a few ways to get in touch!
Show’s Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Episode 012 – InfoSec Certifications with Kim Crawley | File Type: audio/mpeg | Duration: 48:53

Certifications. We either love them or hate them, but we cannot deny that they are needed. Whether to prove a set of skills, prove the ability to memorize facts and take tests, or to prove that our egos are bigger than our peers’, there are lots of opinions on certifications. This week Kim Crawley joins me to talk about a recent article she has written for Cylance, Security Certifications You Should Consider Getting. We discuss what certifications are good for, our opinions on them, HR managers, and where you can find resources to help you study.

Some links of interest:
Security Certifications You Should Consider Getting: https://www.cylance.com/en_us/blog/security-certifications-you-should-consider-getting.html
Kim’s Twitter: @kim_crawley
Cybrary: https://www.cybrary.it/
O’Reilly Safari Books Online: https://www.safaribooksonline.com/

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Episode 011 – Security Scenario Generator with Dr. Z. Cliffe Schreuders | File Type: audio/mpeg | Duration: 40:38

As security professionals, we often try to keep our skills sharp. We normally do this by going to training, reading books, or participating in CTFs. There are WebGoat and Juice Shop from OWASP, and sites like HackTheBox, OverTheWire, and SmashTheStack are often mentioned when people are looking for websites to practice on. This week I speak with Dr. Z. Cliffe Schreuders about the Security Scenario Generator, a rather ambitious project that may scratch that vulnerable VM itch you’ve had for a while.

Some links of interest:
Security Scenario Generator: https://github.com/cliffe/SecGen
Dr. Z. Cliffe Schreuders’ Website: http://z.cliffe.schreuders.org/
Dr. Z. Cliffe Schreuders’ YouTube Channel: https://www.youtube.com/channel/UCAYF5jJkUBcmn1cor50yDOg

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 010 – Crowdsourced Pen Testing w/ Jason Haddix of Bugcrowd | File Type: audio/mpeg | Duration: 42:17

Penetration testing. If you’re in the information security field, you have run into your fair share of them. Now there seems to be a trend with penetration testing moving to a crowdsourcing model. This week I speak with Jason Haddix of Bugcrowd to explore why that is, what the draw is, and how companies like Bugcrowd are helping build the infosec community.

Some links of interest:
Bugcrowd: https://www.bugcrowd.com/
HackerOne: https://www.hackerone.com/
HackTheBox: https://www.hackthebox.eu/
Bugcrowd Report: The 2017 State of Bug Bounty
Bugcrowd’s Twitter: https://twitter.com/Bugcrowd

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 009 – Detecting Intruders on AWS with Scott Piper | File Type: audio/mpeg | Duration: 42:10

The old saying that a defender has to be right 100% of the time while an attacker only has to be right once is growing a bit tired. Now blue team members should be measured not by keeping the attackers out, but by how quickly they can find out that they’re on your network. Scott Piper joins me this week to discuss how we can detect intruders in your AWS cloud infrastructure. We cover a lot of different tools and techniques that you can use to help detect intruders, and some mitigation strategies to help reduce the risk when an attack is successful.

Some links of interest:
ElastAlert: https://github.com/Yelp/elastalert
StreamAlert: https://github.com/airbnb/streamalert
Prowler: https://github.com/Alfresco/prowler
Security Monkey: https://github.com/Netflix/security_monkey
AWS Billing Alerts: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-alarms.html
jq (for JSON parsing on the CLI): https://stedolan.github.io/jq/
Summit Route: https://summitroute.com/
Downclimb: https://summitroute.com/blog/
Scott’s Twitter: @SummitRoute

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Podcast Website: purplesquadsec.com
Sign-Up for our Slack community: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 008 – IAM Securing AWS with J Cole Morrison | File Type: audio/mpeg | Duration: 32:49

The cloud. The final frontier. Well, not exactly, but it is a pretty important topic in today’s IT environment. Unfortunately 2017 has been the year of leaks, hacks, and misconfigurations when it comes to the cloud. Amazon Web Services (AWS) is the cloud provider with the most market share, but its security configuration can leave a bit to be desired. J Cole Morrison joins me this week to discuss IAM policies in AWS, what they are and why they are important. Cole has written about IAM policies on his blog (link below), which I encourage everyone to read.

Some links of interest:
Cole’s IAM Blog Article: AWS IAM Policies in a Nutshell
Cole’s Website: https://start.jcolemorrison.com/
Cole’s Twitter: @JColeMorrison
AWS DevOps: https://awsdevops.io/

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Website: purplesquadsec.com
Slack Sign-Up Link: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 007 – Securing Linux in Hostile Networks | File Type: audio/mpeg | Duration: 40:19

Linux is often the operating system of choice for server deployments due to its stability and security posture right out of the box. Unfortunately not everything is “production ready” right after an install. There are a lot of Linux hardening and security guides on the internet, but most are outdated and provide instructions that are no longer applicable. Kyle Rankin joins me this week to discuss his latest book, Linux Hardening in Hostile Networks: Server Security from TLS to Tor. This really is a great book and one I would recommend any InfoSec professional pick up to read. It will make a great reference guide and provides an up-to-date hardening guide for the most popular Linux distributions.

Some links of interest:
Kyle’s Book: Amazon, Barnes & Noble
Kyle’s Twitter: @kylerankin

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Website: purplesquadsec.com
Slack Sign-Up Link: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 006 – What up Bropy | File Type: audio/mpeg | Duration: 35:34

When people think of an open source IDS, they usually think of Snort. Bro is another open source IDS that is more than just an IDS. It is a Network Security Monitor that does so much more. Matt Domko joins me this week to talk about Bropy, a tool he built that works with Bro to help perform anomaly detection. This is definitely a tool you will want to have in your bag of tricks.

Some links of interest:
Bro Homepage: https://www.bro.org/
Bropy: https://github.com/hashtagcyber/bropy
Matt’s Twitter: @Hashtagcyber
Matt’s Bropy Talk at Security Onion Con: https://www.youtube.com/watch?v=LzFNOuaYc0g

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Website: purplesquadsec.com
Slack Sign-Up Link: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 005 – #DFIR to Someone Else | File Type: audio/mpeg | Duration: 1:03:48

Digital Forensics and Incident Response – DFIR. The mere mention of the acronym brings forth memories of CSI, plastic bags and agents in suits coming to collect all manner of evidence. In this episode I speak with Jonathon Poling, a DFIR expert who has graciously agreed to talk DFIR with me! Another great listen, Jonathon has a lot of great experience in the field and much to share. Have yourself a listen!

Some links of interest:
Jonathon’s Blog: http://ponderthebits.com/
Jonathon’s Twitter: @JPoForenso
Slack Sign-Up Link: https://signup.purplesquadsec.com

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Website: purplesquadsec.com
Slack Sign-Up Link: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 004 – A Day In The Life Of A Red Teamer With Mark Kikta | File Type: audio/mpeg | Duration: 50:04

Red Teams. For some, it’s the “frenemy”. For others, it’s the greener grass on the other side of the defence wall. In this episode I spend some time speaking with security consultant Mark Kikta about Red Teaming. Mark has been a Red Teamer for a while and has a lot of experience to share. We talk about a number of different things, share some laughs and try to shed some light on an often misunderstood group. Mark has also graciously offered to hang out in our Slack channel! Just message @mark to get in touch with him if you have questions or just want to say “hey”.

Some links of interest:
CircleCityCon – Seeing Purple Hybrid Security Teams for the Enterprise
Time Based Security
Slack Sign-Up Link: https://signup.purplesquadsec.com

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Website: purplesquadsec.com
Slack Sign-Up Link: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 003 – Just the Equifax ma’am | File Type: audio/mpeg | Duration: 45:39

Equifax had the largest data breach this year, possibly ever! How could I possibly pass up this opportunity to discuss what happened? How did it happen and what lessons could we learn from it? Equifax did a lot of things wrong for sure, but that doesn’t mean that we should throw stones, especially given how many of us live in glass houses. Have a listen as I explore the Equifax breach from another perspective, in the hopes of salvaging something of use for others in the infosec community.

Some links of interest:
https://www.equifaxsecurity2017.com/
Equifax Bitcoin Ransom
Krebs On Security – Equifax Breach Response Turns Dumpster Fire
Apache Foundation Responds to Struts Vulnerability Confirmation
CVE-2017-5638 Details
OWASP Maven Dependency Checker
Wappalyzer Browser Plug-In

Want to reach out to the show? There’s a few ways to get in touch!
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
Website: purplesquadsec.com
Slack Sign-Up Link: https://signup.purplesquadsec.com
John’s Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 002 – Threat Modeling with Archie Agarwal – Part 2 | File Type: audio/mpeg | Duration: 29:49

This is the conclusion of my two part series on threat modeling with Archie Agarwal. In this episode we go into some benefits of threat modeling, how it can be used beyond the early stages of development and how it can help red teams carry out a more in-depth test against targets!

Some links of interest:
Offensive Threat Modeling for Pen Testers and Red Teams
How to Threat Model a Microservice Architecture
Anyone can Threat Model a Commute to Work
Archie’s Email
ThreatModeler Company Website

Want to reach out to the show? There’s a few ways to get in touch!
Website: purplesquadsec.com
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
John’s Peerlyst: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!

Episode 001 – Threat Modeling with Archie Agarwal – Part 1 | File Type: audio/mpeg | Duration: 49:37

Welcome to episode 1! In this first part of a two part series, I sit down with Archie Agarwal to discuss threat modeling, what it is, why we need it and how it can help with improving your security posture early in your development cycle.

Some links of interest:
Offensive Threat Modeling for Pen Testers and Red Teams
How to Threat Model a Microservice Architecture
Anyone can Threat Model a Commute to Work
Archie’s Email
ThreatModeler Company Website

Want to reach out to the show? There’s a few ways to get in touch!
Website: purplesquadsec.com
Show Twitter: @PurpleSquadSec
John’s Twitter: @JohnsNotHere
John’s Peerlyst: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you again next time!
