Holistic Info-Sec for Web Developers - Fascicle 0
Table of Contents
Foreword
Preface
Description
Purpose
Reason
Acknowledgements
Influences
Introduction
1. Starting with the 30,000’ View
1. SSM Asset Identification
2. SSM Identify Risks
Rating of Threats
3. SSM Countermeasures
4. SSM Risks that Solution Causes
5. SSM Costs and Trade-offs
2. 10,000’ View and Lower
A 10,000’ View Scenario
3. Tooling Setup
Kali Linux
What’s Included in Kali Linux
Kali Linux Install
Tools I Use in Kali Linux Requiring Configuration, etc.
Metasploit
Useful Metasploit Commands
Metasploit Meterpreter Client Commands
Using the Database and Workspaces in Metasploit
BeEF
Updating BurpSuite
Tools I Use That Need Adding to Kali Linux
Terminator
Discover Scripts
SmbExec
Gitrob
CMSmap
Veil Framework
Password Lists
Common User Passwords Profiler (cupp)
Http Screenshot
Psmsf
Responder
Custom Scripts from The Hacker Playbook 2
BypassUAC
NoSQLMap
Spiderfoot
OWASP SecLists
Net-creds
Unix-privesc-check
LinEnum
Chromium
Chromium Extensions
Iceweasel (Firefox with Different Licensing) Add-ons
Additional Hardware
TP-LINK TL-WN722N USB Wireless Adapter
Wi-Fi Adapter:
Useful commands:
Reconnaissance:
Provide USB privileges to guest:
Provide USB recognition to guest:
Blacklist Wi-Fi Module on Host:
Test:
Windows
Tools I Use That Need Adding to Windows
MinGW
Hyperion
psmsf
Nishang
PowerSploit
4. Process and Practices
Penetration Testing
Reconnaissance
Reconnaissance Forms
Passive
Semi-Active
Active
Netcat
Nmap
Concealing Nmap Source IP Address
Decoy host
-D
Idle scan
-sI
Service Fingerprinting
Depending on the Server field
Ordering of Header Fields
Malformed Requests
Non-existent protocol
Other Services
Web Application Firewall (WAF) Fingerprinting
Nmap
WAFW00F
DNS
Domain Information Groper (dig)
dnsenum
dnsrecon
theHarvester
Discover-scripts
recon-ng
Password Profiling
Vulnerability Scanning / Discovery
Nmap
Metasploit
Vulnerability Searching
Security Focus BugTraq
Exploit Database
Metasploit
Exploitation
Isolating, Testing Potential Malware
Linux Containers (LXC)
Docker
Virtual Machines
FireJail
Qubes
Offensive
Documenting and Reporting
Dradis
CaseFile
Agile Development and Practices
Architecture
Cheapest Place to Deal with Defects
Evil Test Conditions
Security Focussed TDD
Security Regression Testing
Zap REST API Regression Testing NodeGoat
NodeGoat Set-up on your local machine
Zap Running on a local VirtualBox guest
Start the Security Regression test(s) from your local machine
Hand-crafted Penetration Testing
Establish a Security Champion
Pair Programming
Code Review
Why?
Linting, Static Analysis
Dynamic Analysis
Techniques for Asserting Discipline
Static Type Checking
Design by Contract (DbC)
Essentials for Creating and Maintaining a High Performance Development Team
How and Why Many Software Development Shops Fail
The Scenario
Scrum Teams can Fail Too
How Does This Happen?
So… What do We Do?
How do We Do This
Forming Habits and Sharpening Skills
5. Physical
1. SSM Asset Identification
2. SSM Identify Risks
Fortress Mentality
Internal Doors and Cabinets Left Unlocked
Insecure Doors and/or Windows
Easily Penetrable Building Materials
Service Labels
Sensitive Printed Matter
RFID Tags
Computers Logged in and Unlocked
Networking Equipment
Network Ports
Wi-Fi Access Points
Hiding the SSID
Wi-Fi Protected Set-up (WPS)
Transient Devices
Lack of Visibility
3. SSM Countermeasures
Fortress Mentality
Internal Doors and Cabinets Left Unlocked
Insecure Doors and/or Windows
Easily Penetrable Building Materials
Crime Prevention Through Environmental Design (CPTED)
Service Labels
Sensitive Printed Matter
RFID Tags
Computers Logged in and Unlocked
Networking Equipment
Network Ports
Wi-Fi Access Points
Hiding the SSID
Wi-Fi Protected Set-up (WPS)
WPA2 and WPA
Transient Devices
Lack of Visibility
Cameras, Sensors and Alarms
4. SSM Risks that Solution Causes
Fortress Mentality
Internal Doors and Cabinets Left Unlocked
Insecure Doors and/or Windows
Easily Penetrable Building Materials
Service Labels
Sensitive Printed Matter
RFID Tags
Computers Logged in and Unlocked
Networking Equipment
Network Ports
Wi-Fi Access Points
Hiding the SSID
Wi-Fi Protected Set-up (WPS)
WPA2 and WPA
Transient Devices
Lack of Visibility
Cameras, Sensors and Alarms
5. SSM Costs and Trade-offs
Fortress Mentality
Internal Doors and Cabinets Left Unlocked
Insecure Doors and/or Windows
Easily Penetrable Building Materials
Service Labels
Sensitive Printed Matter
RFID Tags
Computers Logged in and Unlocked
Networking Equipment
Network Ports
Wi-Fi Access Points
Hiding the SSID
Wi-Fi Protected Set-up (WPS)
WPA2 and WPA
Transient Devices
Lack of Visibility
Cameras, Sensors and Alarms
6. People
1. SSM Asset Identification
2. SSM Identify Risks
Ignorance
Morale, Productivity and Engagement Killers
Undermined Motivation
Adding People to a Late Project
Noisy, Crowded Offices
Email
Meetings
Context Switching
Employee Snatching
Weak Password Strategies
Password Profiling
Crunch
Common User Passwords Profiler (CUPP)
Who’s your Daddy (WyD)
Custom Word List generator (CeWL)
Wordhound
Brute Forcing
Hydra
Medusa
nmap http-form-brute
Vishing (Phone Calls)
Spoofing Caller ID
SMiShing
Favour for a Favour
The New Employee
We Have a Problem
It’s Just the Cleaner
Emulating Target’s Mannerisms
Tailgating
Phishing
Spear Phishing
Infectious Media
Social Engineering Toolkit (SET)
Teensy USB HID
USB Rubber Ducky
Other Offerings
Additional USB Hardware
3. SSM Countermeasures
Ignorance
Morale, Productivity and Engagement Killers
Undermined Motivation
Adding People to a Late Project
Noisy, Crowded Offices
Email
Meetings
Context Switching
Top Developer Motivators in Order
Employee Snatching
Exit Interviews
Weak Password Strategies
Brute Forcing
Vishing (Phone Calls)
Spoofing Caller ID
SMiShing
Favour for a Favour
The New Employee
We Have a Problem
It’s Just the Cleaner
Emulating Target’s Mannerisms
Tailgating
Phishing
Spear Phishing
Infectious Media
An Attacker with Physical Access
An Attacker with No Access
4. SSM Risks that Solution Causes
Ignorance
Morale, Productivity and Engagement Killers
Undermined Motivation
Adding People to a Late Project
Noisy, Crowded Offices
Email
Meetings
Context Switching
Top Developer Motivators in Order
Employee Snatching
Exit Interviews
Weak Password Strategies
Vishing (Phone Calls)
Spoofing Caller ID
SMiShing
Favour for a Favour
The New Employee
We Have a Problem
It’s Just the Cleaner
Emulating Target’s Mannerisms
Tailgating
Phishing
Spear Phishing
Infectious Media
5. SSM Costs and Trade-offs
Ignorance
Morale, Productivity and Engagement Killers
Undermined Motivation
Adding People to a Late Project
Noisy, Crowded Offices
Email
Meetings
Context Switching
Top Developer Motivators in Order
Employee Snatching
Exit Interviews
Weak Password Strategies
Vishing (Phone Calls)
Spoofing Caller ID
SMiShing
Favour for a Favour
The New Employee
We Have a Problem
It’s Just the Cleaner
Emulating Target’s Mannerisms
Tailgating
Phishing
Spear Phishing
Infectious Media
Additional Resources
Starting with the 30,000’ View
Rating of Threats
Tooling Setup
Process
People
Attributions
Introduction
The 30,000’ View
Rating of Threats
Tooling Setup
Process
Physical
People
© 2015 - 2017 Kim Carter