How to implement a DAST

Summary:

Frank Catucci, CTO & Head of Security Research at Invicti, is someone I go back with many years. We both met while working for the state of South Carolina. I was happy to see him end up at Invicti because I think they have a great podcast focused primarily on Dynamic Application Security Testing (DAST). We get into a variety of topics in this episode around MOVEit, implementing DAST, APIs, and AI.

Episode Highlights:

  • How DAST could have helped with MOVEit

  • How to implement DAST into the SDLC

  • Automation that can be set up with DAST

  • How tickets from DAST should be handled

  • How AI is going to change DAST

  • How DAST handles APIs

Guest Information:

Frank Catucci, CTO & Head of Security Research at Invicti - LinkedIn

Resources and Mentions:

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn]


What are bug bounty programs?

In this hunting edition of the Exploring Information Security podcast, Keith Hoodlet of Bugcrowd joins me to discuss bug bounty programs.

Keith (@andMYhacks) is a solutions architect at Bugcrowd. He's also the co-host of Application Security Weekly. While Keith works at Bugcrowd, he also has a lot of experience participating in bug bounty programs. Check out his website AttackDriven.io.

In this episode we discuss:

  • What are bug bounty programs?

  • Who are security researchers?

  • Who is running the bug bounty program?

  • When should an organization implement a program?

More resources:

How to build an AppSec Pipeline

In this foundational episode of the Exploring Information Security podcast, Matt Tesauro and Aaron Weaver join me to discuss the AppSec Pipeline.

Matt (@matt_tesauro) and Aaron (@weavera) are the project leads for the OWASP AppSec Pipeline. The project provides resources and guidance for building out your own appsec pipeline within a development team. Building a pipeline is important in helping get security embedded within software.

In this episode we discuss:

  • What is the OWASP AppSec Pipeline

  • How did it get started

  • Who should use the AppSec Pipeline

  • How to implement the AppSec Pipeline

What is the Orange Team?

In this colorful edition of the Exploring Information Security podcast, April Wright joins me to discuss the orange team.

April (@aprilwright) and I met earlier this year at ShowMeCon. She shared with me the concept of the Orange Team, which is an idea around the security (blue) team working more closely with the development (yellow) team. I loved the idea and wanted to hear more. She spoke about the topic at BlackHat and DefCamp. Unfortunately, the recordings of her session haven't been released yet. So, I decided to have her on to discuss it in more detail.

In this episode we discuss:

  • What is the orange team
  • How did the idea come about?
  • What are the activities of the orange team?
  • Who should participate

How to secure NodeJS

In this protuberance episode of the Exploring Information Security podcast, Max McCarty joins me to discuss how to secure NodeJS.

Max (@maxrmccarty) has a great course called Securing Your Node.js Web App available on Pluralsight. The course is five and a half hours long, walking through the basics of security. Security for NodeJS is not unlike security for other languages and technologies. If you can secure other web apps, you can secure NodeJS.

In this episode we discuss:

  • What is NodeJS
  • How Max got started in NodeJS
  • Why it's important to secure NodeJS
  • How to secure NodeJS

More resources:

What is the Node Security Platform?

In this devtastic episode of the Exploring Information Security podcast, Adam Baldwin joins me to discuss the Node Security Platform (NSP).

Adam (@adam_baldwin) is the team lead at Lift Security and founder of the Node Security Platform. NSP is one of the simplest tools to put into a development life cycle for NodeJS. It checks for vulnerable packages in an environment during pull requests or builds. This allows developers to quickly and easily identify packages that put their applications at risk.

In this episode we discuss:

  • What is nsp?
  • How should it be used?
  • Where should it be used?
  • How to use it

Resources:

What are the steps to secure application development?

In this getting started episode of the Exploring Information Security podcast, Jim Manico joins me to discuss the steps (or rather phases) to secure application development.

Jim (@manicode) is an active member in the application security field. He's been a board member for OWASP. He's a regular speaker at OWASP conferences and he provides appsec training nine months out of the year. I recently had the opportunity to tune into a webinar put on by Jim discussing the steps to secure application development. He's got a wealth of knowledge and provides actionable advice for anyone wanting to move in that direction.

In this episode we discuss:

  • How Jim got started in appsec
  • Why secure application development is important
  • What the steps are to get started
  • Who should be implementing application security

How to secure Docker

In this docked edition of the Exploring Information Security podcast, Rory McCune joins me to discuss how to secure Docker.

Rory (@raesene) gave a talk over the summer at BSides London 2016 on the myths of Docker. Docker is a technology being used by more and more development teams. We're even starting to see security tools run on Docker, such as OWASP ZAP. With more teams using Docker we need to have an understanding of how to secure it.

In this episode we discuss:

  • What is Docker?
  • Why it is important to secure Docker
  • What the positives and negatives of Docker are
  • How to secure Docker

More resources:

What is DefectDojo?

In this to the mat edition of the Exploring Information Security podcast, Greg Anderson joins me to discuss the OWASP project DefectDojo.

Greg (@_GRRegg) is one of three project leads for the OWASP project DefectDojo. The project is an appsec automation and vulnerability management tool. This is something I wish was around when I first started managing vulnerabilities for the development team. It has got a lot of great features including metrics, integration with JIRA, automatic ticket creation, vulnerability de-duping, and of course it allows appsec teams to manage vulnerabilities in development. A demo site is available. It's open-source (as all OWASP projects are). I would recommend anyone having to manage vulnerabilities check this project out.

In this episode we discuss:

  • What is DefectDojo?
  • Why create the project?
  • Why the name?
  • Who should use the tool
  • How to effectively use the tool

How to hire qualified application security talent - Part 2

In this two-part edition of the Exploring Information Security podcast, James Jardine of Jardine Software joins me to discuss how to hire qualified application security talent.

James (@JardineSoftware) recently wrote a post about the five mistakes to avoid when hiring qualified application security talent. It's such an interesting list and something I don't see a lot of people talking about. For more application security advice be sure to check out James's podcast DevelopSec.

In this episode we discuss:

  • The fifth mistake to avoid when hiring
    • Overly broad job requirements
  • How involved should the development team be in the process?

How to hire qualified application security talent - Part 1

In this two-part edition of the Exploring Information Security podcast, James Jardine of Jardine Software joins me to discuss how to hire qualified application security talent.

James (@JardineSoftware) recently wrote a post about the five mistakes to avoid when hiring qualified application security talent. It's such an interesting list and something I don't see a lot of people talking about. For more application security advice be sure to check out James's podcast DevelopSec.

In this episode we discuss:

  • What prompted James to write the article
  • What he considers qualified application security talent
  • Four of the five mistakes to avoid
    • Not understanding your current needs
    • Ignoring existing resources
    • Not sharing the workload
    • Not defining the role

How to break Android apps for fun and profit - part 2

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break Android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking Android app for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Other tools to use for testing mobile applications
  • OWASP Mobile Top Ten
  • Methodology for testing
  • Types of vulnerabilities Bill has found

More resources:

How to break Android apps for fun and profit - part 1

In this ruptured episode of the Exploring Information Security podcast, Bill Sempf joins me to discuss how to break Android apps.

Bill (@sempf) is an application security architect who loves the grind of security. He recently spoke at DerbyCon on "Breaking Android app for fun and profit." Watching the talk prompted me to invite Bill on the show to dive in a little more. What I like about the talk is that it's almost entirely a demo that walks through the steps of setting up the test environment. You can find more content from Bill at his website and the OWASP .NET project.

In this episode we discuss:

  • Why break an Android app
  • The skills needed to break Android apps
  • We start to get into some of the tools needed to break an Android app
  • What operating system to perform the tests on

More resources:

What is Practical Web Application Penetration Testing?

In this educational edition of the Exploring Information Security podcast, Tim Tomes joins me to discuss Practical Web Application Penetration Testing (PWAPT) training.

Tim (@LaNMaSteR53) is one of the leading names within the application security field. A former instructor for many organizations, he wanted to do more with training. He wanted to provide training attendees with more hands-on work: get into an application, exploit it, and then provide remediation steps. He came up with the PWAPT training.

In this episode we discuss:

  • How the idea for the training came about
  • Why the training is important
  • Who should attend the training
  • What makes this training unique

How to automate security into the SDLC

In this automatic episode of the Exploring Information Security podcast, Jimmy Byrd joins the show to discuss his DerbyCon talk, "Security automation in your continuous integration pipeline."

Jimmy (@jimmy_byrd) is the lead developer at Binary Defense. Recently, he was accepted to speak at DerbyCon. He will be speaking Saturday September 24, 2016, in the stable talk track. His topic is on integrating security into the automation part of the software development life cycle (SDLC).

Jimmy's DerbyCon talk is available here.

In this episode we discuss:

  • What is the SDLC?
  • What is continuous integration?
  • Why getting security automated in the SDLC is important
  • How to get security automated in the SDLC

More resources:

When not to use Burp Suite

In this gassy edition of the Exploring Information Security podcast, James Green joins me to discuss when not to use Burp Suite.

James (@Greenjam94) is a member of the MISec community and recently gave a talk about why not to use Burp Suite. Being in application security this was a topic I had interest in. Unfortunately, the presentation was not recorded. I decided to take matters into my own hands and have James on the show to discuss this topic.

In this episode we discuss:

  • What is Burp Suite?
  • How is Burp used?
  • Why Burp shouldn't be used
  • When to use Burp