March 08, 2018

WhiteHat Secure Developer

The Security field has many facets. There are multiple areas which require various skill sets. The Security Engineer configuring a VPN needs different skills than the Security Auditor checking for compliance. However, from the "outside" some people expect Security people to cover all areas and all skills. Currently I find myself in Risk Management. Yes, it relies upon my CISSP training more than the CCNP Security training. One of the more interesting things in Risk Management is the emphasis on Application Security.

Here's how building skills and creating a career path can lead you in an unexpected direction. While working as a network engineer, I often performed packet captures. This led to Wireshark training - along with training on OpNet ACE Analyst, Network Observer and CACE Pilot. When you expand your learning to fit the environment and experience, it leads you to things like application performance. All those "slow network" complaints were investigated fully - to include digging after the root cause and not just absolving the network of any slowness. I learned about application turns and messaging, packet sizes and how to use IT Guru to do "what if" analysis for applications. It was more efficient to give the customer answers than to just push them off with a "not our problem - the network's fine" response. And I learned a lot.

Then I became more involved in Security. Security training (especially the CISSP) touched on application security quite a bit. It taught me what to look for - but not really how to find it or fix it. That was the developer's responsibility. I knew about SQL Injections and Cross-Site Scripting, but not how to exploit or fix them. Then I started into the OSCP [Pentesting with Kali]. Here's where I learned how to really test for these things and exploit them. Between my fiddling with the code for this site to make it do what I want and the OSCP - I really started digging into being able to read and modify code. But still, the emphasis was on testing and proving exploits and not really how to fix things.

And with my work in Risk Management, I find myself wanting to know more. So I started looking for training. I started with Veracode and found that they have some free webinars, but no free training. The training is geared towards corporate consumption for their developers. Then I happened across an email from WhiteHat Security. They do the same scanning of code as Veracode and they did have a free training course. There was only one - WhiteHat Certified Secure Developer. It took a bit of emailing and registration, but I did manage to sign up. The course was awesome. There were 5 solid webinars that specifically addressed secure coding. They discussed common attacks, how they happen, what in your code allows it to happen, and how to change your code so that it can't happen anymore. Along with those 5 webinars, there are 5 CBT modules that cover similar items very deeply. And there is a test at the end that will earn you a certificate. The 10 CPEs are good towards my CISSP, C|EH and WCNA requirements.

WhiteHat also has regularly scheduled webinars on various topics. They also offer the same paid developer training (for corporate consumption) as Veracode. But the CSD training is really worth the time and effort. I never expected to be able to say that I'm a Certified Secure Developer.

Posted by BlueWolf on March 08, 2018

September 20, 2017

Almost there and Road Maps

I am still working my way through the OSCP. It's really tough to achieve any certification while you're working full-time. And it's tough to afford any certification when you're not.

The material is not that tough. Getting through the exercises is grueling. It's a lot of work and not as fun as working the lab and compromising machines. But it's worth 40 hrs of CPE credits and 10 points on the exam if you write up and submit the exercises and lab pentest. I'm sure those extra 10 points are going to be helpful and I'm going to thank myself for pushing through this when I sit in front of the computer at test time.

From previous self-study - I know when I'm not yet ready. And at this point, I'm not yet ready. Another benefit of my study experience is that I know how to detect my weak areas. I have two weak areas where I need more practice and I am facing and accepting it. Now I need to find the motivation to work hard at those areas and build strength. I will never tell anyone it's easy - because it's not. But it is worth it. That will have to do.

So to motivate myself a bit, I decided to finally get another tattoo. As a reward for plowing through this course, I am going to get a Kali Linux Dragon...

I'm thinking of getting it on my upper arm. Not too radical. Simple in design. And signifies an accomplishment.
So now I HAVE TO pass that test...

The scooter is doing well and I'm riding it all over. I've only had it for 2 months and I've already put over 200 miles on it. As the Starks say, "Winter is coming." So I'm riding now before it gets too cold. It's a joy and it really does get about 120 miles to the gallon. Saving a lot of gas with short trips around town (that's my excuse and I'm sticking to it).

And about the road map... Since my background is in networking, I've recently been asked a number of questions (from security folks) about authentication, authorization and accounting on network devices. It made me realize that not all security people know about network devices. So I spun up a short PowerPoint presentation on the topic. Hopefully this may be useful to someone. It's short (11 slides total) and doesn't go into too much detail, but gives an overview of the topic and can at least guide you enough to ask the right questions. Enjoy.

Posted by BlueWolf on September 20, 2017

August 17, 2017

OSCP Update and other FUN

I'm still working on the OSCP. Yes, it's very fun. Well, getting a shell is fun. But I also want the 40 credits for this course - so I have to complete all the exercises and submit them with a pentest report for the lab. AND I will have to write and submit a pentest report for the exam. That is a lot of work.

The exercises are really good. They force you to learn things (if you don't already know them) in order to complete the exercises. And - the information you obtain in those exercises is needed to exploit the devices. So you're going to have to do the work anyway - it just takes more time to document it.

Do not expect to be spoon-fed. They really just "introduce" you to the tools. You have to do a lot on your own in some cases to really learn how to use the tool well. And in many cases, you just have to practice to get good.

It IS an expensive course. And it can be more expensive than necessary if you try to do this while working full time. I wish I had taken this course between jobs. But when you're not working, it's difficult to justify the expense. And when you're working, it's difficult to find the time.

Now for the other fun... I bought a scooter!

It is so much fun. It's not the motorcycle that I wanted.... but I still don't have a place to put that motorcycle. So for now I'm riding my scooter. Yes, I'm wearing a helmet. And I already took a motorcycle safety course. It doesn't go over 35, so I won't be going on any highways. And it gets absolutely fantastic mileage!!!

In case you're wondering - you don't need a motorcycle license to ride it. You do need a regular driver's license. And you need insurance to get tags. And because you have tags, you are allowed on the road. Legally. Speaking of legal - in RI only the passenger is required to use a helmet. I still use one. And this is a one-person scooter. No passengers. So I don't have to worry about whether or not I'm comfortable with it - it's already a "no" by design.

As far as the scooter itself - it's really easy to ride. It's an automatic, so I don't have to worry about shifting. And the takeoff is really gentle. No quick jerking forward on takeoff. I finally re-filled the gas tank yesterday. It took 0.5 gal (and I had already gone about 65 miles). The specs say the tank holds about 1.5 gal - so when it says E don't panic, you still have a way to go... I re-filled as soon as it got close to E because that's what I do with my car.

There's a lot of room under the seat for storage. And you can put stuff on the back rack. If that's not enough, there's also a hook to hang a bag on (but that will limit your foot space). Oh, and don't forget the little pocket for a water bottle. So if you use this for errands, it can handle quite a bit. I find I'm doing quite a few errands lately. As I'm out getting experience - since I'm going in this direction, I might as well....(fill in the blank). Got my watch battery replaced, picked up milk, groceries, etc.

Posted by BlueWolf on August 17, 2017

May 19, 2017

OMG What fun!

So now I've been in the course/lab for a little bit and I have to admit it's pretty fun. I'm learning a lot more on the keyboard than from 10 books combined. It's like giving an archeologist their own dig site. It's a great place to practice, practice, practice. Explore, test and document in a place that was built specifically for that purpose.

So here's what I can tell you about what I've learned. Don't worry about the amount of time you buy. You will probably get to a certain point - and then schedule the exam. And if you would happen to pass, you don't "lose" the lab time. It's still yours to use. So why would you use it? Because it's FUN... it's a challenge. Apparently there are a few devices that are particularly difficult. The exam challenges you to a certain level. The lab is practice to prepare you for the exam. And you don't have to get all the devices to get to the level that you need to pass the exam. So from what I'm hearing - you will probably take the exam with some devices still not compromised.

This course does make you THINK. It's definitely not a "spoon-fed" type of class. They will lead you to the tools and you have to figure out how to adapt them to your situation. The videos are really good. They don't cover everything that you will encounter, but what they do cover is well done. He makes it look and sound soooo easy. And in reality, it is that easy (once you know how).

Posted by BlueWolf on May 19, 2017

May 06, 2017

The Excitement Builds

OMG - today is the day! This evening I finally get the email that gets me into the OSCP Pentesting with Kali course. I have been wanting to take this course for years. When I first saw it, it was "Pentesting with Backtrack" - so that tells you that this has been on my wish list for some time.

It was the delay in CCIE Security materials that really pushed this one to the top of the list. I had planned to take it after the written and before the lab. Now, I'm just going to go for it. By the time I finish, more materials will be available for the CCIE (I hope).

When you sign up for this, be aware that it's going to take some time before your class starts. Yes, you sign up for a specific "class" - and I use this term in the programming sense of the word rather than the educational sense. This is apparently based on the number of people in each lab group. You really have to keep up with this - since links are only available for a limited amount of time.

When I clicked on the buttons to register, I got an email to click another link to "continue" registration. It was only valid for 72 hours. [I'm guessing this is to validate the email address used for registration.] Once I continued my registration, I was emailed a link to download the components of the connectivity test and quite a bit of information about the course. "Your seat will be confirmed and scheduled after payment has been received." Yeah, you would think that you can just click and pay. Not so fast. "Before submitting the course fees, please be sure to test the connectivity to our labs to see that the connection is satisfactory and that your response time is reasonable." That part now seems pretty funny. The only way to get to the payment page is through the VPN connection. Also note that you have only 48 hours to complete this testing and submit your payment.

And then you wait.

Now the waiting is over. I'm really excited about this - it sounds like fun. Basically, there are some videos on each topic - along with some lab exercises. I'm very familiar with a remote lab environment which I have been using at INE for CCIE studies. Labs are fun. I wasn't really sure about what kind of time I was going to need for this. Most people are saying they needed 60 days. But then again, most people taking this are early in their IT careers. And I'm not sure how my life/obligations are going to allow me adequate time for lab practice. So I signed up for the 30 day lab. I think by the first two or three weeks, I should know if I need to extend it for 30, 60 or 90 days. The cost savings for grabbing 60 days initially versus 30 days were not that large. My excitement may be adequate to get me through this quickly.

Not that I'm rushing. And not that I'm thinking this should be easy. It's supposed to be tough. And I'm hoping to learn quite a bit from this. And, no, I'm not wanting (at this point) to go into PenTesting as a career move. I'm actually wanting to take this so I can more fully participate in CTF exercises. And if you're taking this thinking that you're going to get CPEs from it - you have to submit the pentesting reports or pass the pentesting exam to get those points. I'm already prepared and set up to submit the lab and exam reports. Now just to add the exploit details and submit...

Posted by BlueWolf on May 06, 2017