
Sunday, February 9, 2014

Episode 5: Interview with Frank Kim

Man, it was a great week. If you ever have the chance to go to a SANS Course, do it, and do it often. It may be expensive, but the networking opportunities are great, and the instructors are just good people.



During the "Capture the Flag", which I will not give out information about (so don't ask), I felt utterly useless. I had done all that I felt I could do, but it's amazing that you can take experiences from your own work and apply them to issues. Once we'd gotten in, I remembered something about a security issue at our office, and in doing so, I found a flag! I went from thinking I was a failure to being a hero of our team. What we didn't know was that another team had found all the flags, but because of a configuration issue on their browser, they missed a flag they'd discovered. If they'd not done that, they would have won.



But because of that mistake, our team capitalized on the CTF, and won first place!



Mr. Boettcher and I had a blast over the week, networking with various people and instructors, meeting tons of great people, hearing Robert 'RSnake' Hansen speak at the SANS Summit, and just getting some really excellent training on tools like Burp, SamuraiWTF, Sqlmap, and others.



We also got several interviews in the can. Episode 5 is with Frank Kim, an Instructor with SANS, who was teaching the Secure Java coding class. We got him to sit down with us and discuss some of the issues dealing with the culture of secure coding.

Have a listen: Frank Kim Interview

Sunday, February 2, 2014

Episode 4: Origin stories, and talking about mentoring and reconnaissance

Next week is going to be super hectic for your favorite co-hosts. Starting on Monday 3 February, we'll be taking SANS SEC542 in an effort to get our GIAC Web Pentest certs (GWAPT).


I haven't been this nervous since I went for my CISSP. Another company paid the skrill for that cert as well. Thankfully, I passed my CISSP on the first try. I was always excellent at listening and retaining information in school, and I write a decent test.


But I know I'll prevail, because of excellent instructors like Kevin Johnson and Jason Lam. And I'll have my comrade in security Mr. Boettcher right alongside of me.


Anywho, enjoy the episode. We didn't have show notes: because of some logistical issues, our interview with Michael Gough had to get re-scheduled until after our class... but we are going to have that really soon, and it will be awesome.


Take care, we love the feedback, thanks to all those with positive feedback, and those with constructive feedback. We hear you, and are learning so we can do better.

Sunday, January 19, 2014

#13: Vulnerability Scanners -- Episode 2

Episode 2 podcast

It's an odd thing editing audio. Some people make it look so easy. It helps having only two people on the podcast. This is not the first podcast I've been on. On my other podcast, "Major Technicality", I am merely a contributor, and Jared, our producer and co-host, spends several hours making everything sound just so.


Anyway, the audio will sound better on this one. Mic levels were dialed in, audio was normalized, and the crackling in the Intro is gone.


I really had a good time talking about vulnerability scanners. It's hard to believe that they've been around for over 20 years, and yet they haven't changed all that much. They still use concepts like banner grabbing, port scanning/knocking, and best guesses to scan a system for vulnerabilities. They should never be used as an end-all-be-all, and truly should be taken with a grain of salt.


Question all findings, trust nothing...


Next Friday, we'll be flush from our monthly ISSA meeting, at which Michael Gough, from MI2 Security, will be discussing malware infection, and we are hoping to be able to get a few minutes with him. We'll have the interview spliced into the podcast, and we'll be able to continue our discussion about malware. Our first Interview! SQUEEEE!


I would have loved to speak about the other web application security scanners, but I really have only used Burp Suite. Brian and I will be attending SEC542 at the SANS convention 3-8 February in Austin, and we will definitely have one or more podcasts about web application pentesting and security assessment of websites.


Here are the show notes for this week:


Episode 2 show notes