Table of contents



Bruce Schneier Sensible Security Model (SSM)

The 30,000’ View

Scrum Guide

MS 1. Identify Assets

OWASP Assets

MS 2. Create an Architecture Overview

MS 3. Decompose the Application

MS 4. Identify the Threats

OWASP Threat Model Information

OWASP External Dependencies

OWASP Entry Points

MS 5. Document the Threats

OWASP Risk Rating Methodology

Intel Threat Agent Library

Rating of Threats

Based on the Microsoft 6. Rate the Threats

Exploit Database from Offensive Security

Web Front-end

SecurityFocus BugTraq

Rapid7 (current owner of Metasploit) also has a database


National Vulnerability Database

OWASP Countermeasure Identification

MS STRIDE provides countermeasures to identified threats

MS Threats and Countermeasures

Tooling Setup

Peter Kim discusses a selection of tools in “The Hacker Playbook” that he uses regularly. I’ve included some of them in this section as they have been found to be very useful.

Kali Linux

Kali repository

Turn-key VMware or VirtualBox image

Custom ARM images


Offensive Security team which can be found on IRC

Official Kali documentation

Pre-generated SSH host key; check out Nilesh Kapoor’s talk at OWASP NZ Day 2016 on Host Hardening

VMware and VirtualBox images

ISO can be downloaded from

SHA1 checksums


SHA1SUMS and gpg files

Extra help with gpg

Hard-disk install

Install Guest Additions

You will need to add your user

The Metasploit Community / Pro package is no longer shipping in Kali

Useful metasploit commands

Meterpreter Client

Meterpreter Basics

Using databases

Information gathering

BeEF recommended configuration

Contrary to a blog post on the beefproject, I’ve found the most useful way to run BeEF

BeEF console

Terminator does everything I need from a terminal. Briefly discussed on my blog

Veil Framework

Install all of the projects

Install guides


These became available from a social game and advertising website in 2009
Peter Kim’s “The Hacker Playbook 2”.

Search for crackstation


SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

RSnake’s collection

Tamper Data

Install the particular VirtualBox Extension Pack on to the host:


The fact that a WAF is in place is often given away by simply inspecting the responses from the server side

To view all of the currently available local nmap scripts

NMap has a couple of good scripts out of the box for WAF detection

WAFW00F is also an excellent tool

nslookup, which generally provides less information and uses its own internal libraries, as opposed to the OS resolver libraries that dig uses.

/usr/share/dirbuster/wordlists/directories.jbrofuzz is not great, but it is not bad either

theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers)

See issue 30

recon-ng tracks users by default using Google Analytics.

You can disable this with the --no-analytics argument

Also discussed in the wiki!analytics

API keys for recon-ng!acquiring-api-keys

Microsoft Bing virtual hosts search feature
“Penetration Tester’s Open Source Toolkit” book

I also wrote about a few other vulnerability scanners on my blog

Exploit Database

Docker used LXC as the default execution environment before the release of version 0.9 on March 13, 2014

Docker was open sourced in March 2013




Allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table and mount table.

Linux namespaces

The source code is on GitHub

Pre-built DEB, AUR and RPM packages are available for download

Firejail can even run LXC, Docker and OpenVZ containers



Technically Qubes is not a Linux distribution, it’s closer to being a Xen distro if anything

USB stacks and drivers are sand-boxed in their own unprivileged VM (currently experimental)

A storage domain has also been considered

It provides proper GUI-level (one of the main goals) isolation

Along with security as one of the primary goals of the GUI virtualisation subsystem, performance was also a priority, so the virtualised applications feel as if they were executed natively

Based on monolithic kernels, usually containing tens of millions of lines of code. Most of this code is reachable from untrusted applications via all sorts of APIs, making the attack surface on the kernel huge.

Support for Windows 8+ is in development

Excellent tools for this task. There are also many others. Many of which are included in Kali Linux

Dradis is included in Kali Linux and the source code can be accessed from the dradisframework repository

There is a collection of security tools that Dradis integrates with

If you look at the public statistics on businesses losing value due to being compromised regularly, the figures are staggering

I have already discussed the test condition workshop many times on-line

Cost of Change curve adapted from Scott W. Ambler’s article on Examining the Agile Cost of Change Curve, which I’ve used in many presentations and workshops.

NodeGoat, the purposely vulnerable Node.js web application

OWASP ZAP (which also comes pre-installed on Kali Linux) is a particularly useful tool for security regression testing.

Node.JS (by way of zaproxy)

ZapPenTester write-up on codeproject

The source

There is also the Zap supported zap-api-dotnet

BSIMM again has some good guidance




Code Climate is a static analysis platform that provides an open and extensible model to run community provided analysis engines

Flow looks to be a good option, providing consumers with the ability to introduce type checking progressively


Example from the flow website

contract-js NPM module

contract.js home

contractual NPM module


Essentials for Creating and Maintaining a High Performance Development Team

I really liked what Moxie Marlinspike said on the topic of career advice


There are competitions devoted to reassembling shredded printed documents with contestants that have successfully reassembled all printed matter:

Not all paper shredders are created equal. Understand the pros and cons:

Readers and cloners

Tessel and its RFID module

Lan Turtle

Remove or degauss MFD hard drives before the device leaves the premises at end of life / lease

Detection works where prevention fails and detection is of no use without response.
Beyond Fear by Bruce Schneier

People can be your strongest or your weakest defence. This is your choice. Cultural change can be implemented from any level, the most successful being from the shop floor

You will also need to think about company culture and whether this needs some work

The speed benefits of Li-Fi are also compelling, many times faster than current Wi-Fi speeds.


Content Michael Bazzell has collated and his excellent books on the gathering of Open Source Intelligence

The Arxan 5th Annual State of Application Security Report Perception vs. Reality

The content Michael Bazzell has collated and his excellent books on the gathering of Open Source Intelligence.

Studies show that motivation has a larger effect on productivity and quality than any other factor. Software Engineering Economics by Barry W. Boehm 1981.

Increase software developer productivity on my blog

Those distracted by incoming email and phone calls saw a 10-point fall in their IQ by BBC:

Gerald Weinberg’s rule that 20% of our time is lost every time we perform a context switch. This is from “Quality Software Management: Systems Thinking” by Gerald Weinberg.

Who’s your Daddy (WyD): another password profiling tool that “extracts words/strings from supplied files and directories. It parses files according to the file-types and extracts the useful information, e.g. song titles, authors and so on from mp3’s or descriptions and titles from images.” “It supports the following filetypes: plain, html, php, doc, ppt, mp3, pdf, jpeg, odp/ods/odp and extracting raw strings.”

CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers


Hydra has many other options. Plenty of good documentation out there.

Hydra seems like the most mature of the brute force specific tools

Keep the Attack type: “Sniper” because we are only using one wordlist

Keep the Payload set to 1 and Payload type set to Simple list

NMap http-form-brute

A few changes to this script which may have fixed it

You can DIY with the likes of Asterisk

The government that imprisoned Kevin Mitnick for nearly five years, later sought his advice about how to keep its own networks safe from intruders

Open source framework providing all the tools anyone would need to spoof caller IDs and much more

Some services cannot handle return messages though, unless the attacker has physical access to a phone that would contact the target’s phone (as with flexispy)

SMS spoofing was removed from the social engineering toolkit in version 6.0 due to lack of maintenance

Episode 5 of Mr Robot
Elliot was making his way through the so called impenetrable storage facility (Steel Mountain) to plant a Raspberry Pi on the network

His colleagues diverted the manager that was escorting him out of the building by sending her a spoofed SMS message

SMiShing attacks are on the rise

The following attack was one of five that I demonstrated at WDCNZ in 2015. There was an attack leading up to this one

Also noted in the Arxan report that 80% of consumers would change providers if they knew about the vulnerabilities and had a better option. 90% of the app execs (the creators) also believed that consumers would switch if they knew and better offerings were available.

What you need to do is be aware of how much productivity is killed with each switch. Then do everything in your power to make sure your Development Team is sheltered from as much as possible. How to Increase Software Developer Productivity by Kim Carter.

The Multi-Tasking Myth by Jeff Atwood:

The trick here is that when you manage programmers, specifically, task switches take a really, really, really long time. Human Task Switches Considered Harmful.

Get yourself a OneRNG for generating true randomness

MembershipReboot also raises events via an event bus architecture that your application can listen to and take further action on

Michael Bazzell has an excellent collection of tools to assist with validating phone numbers under the “Telephone Numbers” heading at his website

Michael also has a simple tool under the “Telephone Number” heading on the left, which leverages a collection of phone number search APIs.

Services such as

automate the above training techniques

A tool such as Pond can help you automate the entire testing process.
Chris Campbell (creator of Pond) can be found at:

The retrospective is a good time and place to raise awareness and make sure change occurs

Should Pond be used to facilitate the testing, then hosting of the application will incur Windows licensing costs.