
Hey, good morning, guys. Good morning, good morning, good morning. Anybody hungover? All right, all right, all right. I seem to be the guy who replaces Sunday morning speakers; it seems to be a theme for me, it's actually happened to me at a couple of conferences now. All right, let's do this. All right, how many of you people are AppSec people? My people in the house? That's my boy. Good, got some love in the room. All right, how many of you are like, WTF, when it comes to AppSec? Where's my people? All right, all right. OK, guys, so for me I really had to kind of wrap my head around this AppSec thing. I don't know if it hit you like it
hit me, but I struggled with it. I'm a network guy by trade, came from a networking background, sysadmin kind of background, so when it came time to actually start dealing with apps I really struggled with that. I mean, none of it made sense. Like, how many of you guys, this was you? Like, this was my world. Like, I'm cool with this mess. Anybody like this mess? I got this, I got this. You could throw me in the nasty, nasty server room, you know, I don't even need a jacket. Like, yeah, I mean, if you guys have been in the server room so long you don't even need a jacket, you
don't even hear the hum anymore, you just say, I'm good right now, it's cool. This was me. So I started,
I started on the help desk. I was a PC tech, you know, telling people how to right-click, you know how that life is, right? So I did that for a little while, then sysadmin, net admin, then I had the horrible misfortune of becoming an incident responder, you know. Anybody have to live that life? Packet monkey, baby, right? So I did that for a while, then I became a pen tester, and that's the way nature intended. Anybody? That's the way it's supposed to work. So I affectionately called web hacking "female dog" hacking; that was the word I used. I had a particular phrase. I just couldn't see putting a single quote or a backtick in something and calling
that hacking. Like, you know, where's my command prompt? You know, something should go from a dollar sign to a pound sign, something should go, hey, you're root. Like, that's hacking. This is theirs, mmm, there's no masculinity in this web hacking stuff. That's all I'm saying, right? Come on, anybody with me? So that was what I struggled with. So pen testing started moving away from the network, and I struggled with that, because I was cool with the networking, sysadmin stuff, but then when we started to move to web apps I started to struggle, we moved to mobile apps, I really started to struggle, cloud confused me even more, people started talking about mashups and
I'm thinking mashed potatoes. Anybody? Is it just me? I can't be the only one. So I was like, OK, I don't know what the heck a mashup is, and then someone's like, well, guys, you've got to understand, it's single page applications now, it's SPA. I was like, I don't know what that is either. So all I could say is, I don't know if you went through what I went through, but it was like, Houston, we've got a problem. All this garbledygook is what I started running into when I started doing more and more apps, so I needed something that could help me.
I felt lost. Any of you guys get lost like that, and then you can't get un-lost? So I realized what my problem was: I couldn't program. Who's with me, right? I no speak-a code, mm-hmm, I no speak-a geekanese. That's pretty much my situation, right? So for those of you who are computer science majors, you smart people, I don't know anything about types, primitives, programming logic, data structures, algorithms, object-oriented programming, anything like that. I am a regular guy. I like alcohol, I like barbecuing, I like sports, that kind of stuff, right? I don't sit around at home and you're like, well, you know, have you really seen the differences between Ember.js and AngularJS? I'm really
loving single page application capabilities, what do you think, Bob? No, no, no, no. So I, like most people, figured, why don't I just go grab the OWASP Testing Guide? Yeah, so that'll help me learn how to do this, that's what I figured. So, OK, look, let me just grab the OWASP Testing Guide and, you know, maybe that'll be all I need so I can do this. So can you guys please not hack the network while I go out to the internet, please?
So I went to the OWASP Testing Guide, and here's how it started. I said, OK, got my principles of testing, testing techniques, deriving testing requirements, OK, security tests integrated into the development and testing workflows, security test data analysis, OK. Here's what I do before testing, here's what I do during testing, here's during development, during deployment. This sounds pretty freaking good, who's with me? Bob? I feel great. Then you start scrolling down, right, and as I get through the information gathering stuff, you know, I could kind of, you know, I could do a little bit, right? Conduct search engine discovery? I could handle that, you know, I can Google, and I can do
that. Identify application entry points, hmm. Map execution paths through a website, hmm. So I was like, I can do some of this. So here's what happened to me: most of this stuff I could do. When I got down into here, authentication testing, all this kind of stuff, I was like, OK, I can read it, I can Google it. Session testing, yeah, this kind of confused me. And then this stuff really confused me. How many of you guys actually know the difference between LDAP injection, ORM injection, XML injection, SSI injection, XPath injection, IMAP/SMTP injection, code injection? Anybody? OK, you guys are way smarter than me, because I don't. So I used to watch guys pen test, and
guys would say to me, oh, man, well, I'm really working hard on that test, I'm doing full OWASP, and they were meaning that to say that they do this whole list. So like, when you look at a page, do you test the web page for all these different things, JavaScript execution, HTML injection? Do you do all of that? How many of us were, like, pretty proud of ourselves because we can finally explain cross-site scripting to our boss? Anybody had that? You're like, I did pretty good on that one, high five, yeah, I explained cross-site scripting yesterday. And when someone wants to talk about interpreter injection, you know, or HTTP
response splitting, request smuggling, you kind of look at that like, huh. Anybody? Yeah, that was me. I'm like, what is all this stuff? So then I figured, OK, well, let me just do this, why don't I watch somebody do a web app test? How about that? OK, well, let me watch, you watch me. So I'm going to open up the interweb.
So let's go to a quick page. All right, so I'm on the web, and let me see if I can fix my graphics real fast. Now you tell me,
OK, now watch what I'm doing. You tell me if this looks like the full OWASP test. So I'd see somebody and they'd go, OK, nothing in the GET request, I pop it open, so let me go view page source, pretty simple POST request, OK, mmm, yeah, definitely vulnerable to cross-site scripting. OK, mmm, nope, not vulnerable there. Drop-down, hmm, not vulnerable there. We'll try it down here.
Nope. We'll try here. Oh, parameter passing, let's see what it does. Throw in a single tick. Oh, yeah, that's bad. OK, let's go "or 1" and "select @@version". Yeah, that's bad, almost killed the server, oh boy. Yep, that's bad. OK, is SQL injection there? Let's try that, how about an insert, yeah, throw in a single tick there, yeah, oh boy, that's bad too. I'll look, XML injection, yeah, that's bad. All right, all right, test is done. All right, yeah, I worked so hard, I did go ahead, full OWASP, right? Now how many of you were like me, where you came from, you came from this? So to watch a
guy look really like my two-year-old browsing the web, because I mean, honestly, what it looked like is, going to click over here, oh, that looks bad, oh, oh, pretty color, oh, that's bad, OK, your web app's insecure. And I was like, how the heck did you know to put this here? How the heck did you look at this and know to do this? Any of you guys do that, like on networks? Networks we get. How many of you guys are with me? You get the network guy says DMZ, we're all, right, uh huh, DMZ, it's over there, it's the demilitarized zone, that's how we segment, you know, the exterior traffic, right,
cool. Now someone's like, oh, it's middleware, and you guys are, what the hell is middleware, right? I don't know this stuff. So it took me two years of web app pen testing, and what I did was I did what every other security consultant did: hit every website with 50 million tools, period. Typical web app pen test: light that bad boy up with two, three hundred tools; if I had 301, guess what, I've thrown that at it too. And then I would go right to the customer: your website seems to have the something bad, it says that, so you want to fix that. Then I'd go over to the developer,
give it to the developer, and the developer would laugh at me, because that's what they do, right, when you give them stuff that makes no sense. Then you go, this says you have cross-frame scripting, and the developer will go, no, I don't, and I'm like, OK, well, maybe you don't. That was all I had. So I needed to come up with a way that worked for me. OK, so I'm going to teach you guys my way. This is the Joe way. You're not going to find it in any book, it's not in OWASP, this is just what I do when I test websites. So if you were on the job with
me and I was teaching you web app, I'd be like, all right, sit down with me, this is how I test web apps, and then you would use this. I would say, use this methodology, and as you learn new stuff, add to it. Cool? All right, so what you're going to do is you're going to learn three questions. So when I deal with a web app, for me, I always ask myself three questions. So I'm looking at a website; on every single page of the website, ask yourself three questions. So you're looking at a website and you say, OK, question number one: is it talking to a database? OK, yes it is, or no it's not.
Question number two: can I or someone else see what I type? Yes I can, no I can't. Question number three: does it reference a file? If it references a file, I've got to think of a list of things I try. That's it. So on every page, ask yourself three questions. OK, so guys, question number one, what? Come on. Does it talk to a database. Question number two, what? See what I type. Question number three, what? That's it. That's it, we're done. There's no OWASP, is that it? That's it, that's it, that's it, that's it, that's all I do. OK, now, is it the most thorough test in the world? No, right? But can you, with just Firefox, go
through a website, on every single page, and ask yourself three questions? If you can do that, then you can get started with web testing. That makes sense, guys? OK, so question number one, what is it? Yeah, there's going to be a pop quiz. Yes, question number one: does it talk to a database? OK, so what we've got to figure out is, how do we know if it's talking to a database? So when I look up here, here's the address, and guys, if you guys want to jump online and do this with me, jump online, drive right with me, OK? So I'm on this website up here. Do you see anything after the IP address? You've got nothing
there, right? OK, what I'm looking for is parameter passing. OK, so I'm going to click a link, and now can you see that I've got a page name, question mark? So the page name is bookdetail.asp, the parameter name is id, and the parameter value is what? So as soon as I see parameter passing, the answer to question number one is yes. I see parameter passing, the answer to question number one is what? Yeah, that's cool. So what you want to do is you want to insert a single quote in place of or immediately after the parameter value. So, you know, any place you were quoting here, this is the deep technical stuff, ready? This is
the deep technical stuff, this is the deep technical stuff. Yeah, you know. So now what we need to say is something really, you know, something that makes us sound intelligent, like, I was able to identify SQL injection inside of your application, the GET request for such-and-such appears to be vulnerable, something like that. OK, so guys, whenever you can see stuff in the address bar up here, we're going to call that a GET request. OK, any time you can see stuff up here in the address bar you can monkey with, we're going to call that a GET
request. So when you see parameter passing in the GET request, you can mess with parameters and insert a single quote, throw stuff in there, try to see if it goes boom. Fair enough? OK, how many of you can go to every single page in a website and try it, right? Maybe like, I think I can do this, right? OK, so now the next piece is, all right, that's a GET request. Sometimes you're going to run into a POST request. So can you guys see this login page, the .aspx page? There's no question mark, something equals something here, so it's not a GET request, and so what, guys? It's a POST request. So here's your POST request. Now POST requests must
still send parameters, so I need to see if I can mess with those parameters. What I'm going to do is start something called Tamper Data, and Tamper Data is a Firefox add-on just like any of your other add-ons. Then, you know, you see application security monkeys get into fights over stuff like Burp Suite and ZAP, like, I mean, this is like World War III: I like Burp, and it triggers an argument. All right, I want to bet my firstborn child, right? Like, these people, I think they're really mad. Like, the only thing you can do to sway them on this argument is to bring in Star Trek. Now, really, that's all
you've got. So yeah, I'm going to put in hello, right, hello, and I'm going to start my Tamper, right? So I've got this, start my Tamper, so start Tamper, I say go, it says, hey, do you want to tamper with this request today? And I got one last time too, so I want to tamper with this request, and we look at it, it says, ta-da, looky there, there are POST parameter names and POST parameter values. So immediately here, in the POST parameter, here's your parameter value, you would insert your single quote right there. It's the same thing. So if you see parameter passing, insert a single quote. That's it. No other stuff, no OWASP this time. That's it, that's it. OK, so you're
looking for parameter passing. When you see parameter passing, you insert a single quote. That's it. So we're looking for injection vulnerabilities of some sort. So we've got to ask ourselves why. Well, computers like numbers. Computers don't like names. Like, a little number: number equals 10, computer's like, cool, right? If I get a string: string equals Joe, computer's like, no, that isn't right, because if you're going to declare a string, you have to put it inside of quotes. So the computer's perfectly cool with numbers; if you're going to do anything that has text in it, he wants the text to say, hey, dude, here's the beginning and here's the end. You've got to do that. So here's the
problem: when you have stuff happening on the web,
same thing, like I just showed you, right? You go, OK, no problem, this is Joe, not a problem. It is a number string; here's Jill, which lives inside of quotes; we're cool. How many of you guys made this mistake? And another one that's important, OK, what happens? The thing goes boom, right? OK, then your professor walks by and, you know, when you haven't terminated your variables properly it causes a syntax error, right? And I would say something like, why the heck does it say there's a problem on line 12 when the problem's on line 5? Because you what, right? Teach a little to me, what's wrong
with you, Joe? No, man, which one? But obviously it's not working, right? So you can see that if you've got an unclosed quotation mark after the character string, something's wrong, right? So let's look here at this specific code I've got here. So, honestly, select all records from my products table where productid equals request. Having this request piece lets me know what's coming from me, and this number is going to go right in there. That makes some sense? So, guys, whatever he has, if you look here, products.asp is probably talking about what? That products table. And it's probably talking about, but then that number is going to go in
there. So you're like, OK, bad. Now what happens when the guy puts in that single quote? So it throws in the single quote right here, and now look, that ends up with two quotes on this side, and what? Now is that going to make it go boom? And pretty things are going to go bump, right? So now, when it goes boom, you basically just did this. I mean, that's really what's happening on the back end. That make sense, guys? So you're like, OK, now that I understand why I put in the single quote, right, I'm trying to blow up what's going on in the back end. Now the rest is just syntax stuff, that's all the other stuff, so this is
just syntax. OK, the next one. Let's say I'm out and I'm surfing the web and I go, whoa, search box, and put this in, and I go, whoa, cross-site scripting, yep. How many of you are like me, when you see that, you find that your boss gives you that look, like, say something intelligent? I'm like, so what? And you go, well, actually, what that means is you can execute code in the context of your browser. And that's bad, right? Obviously, yes, that's pretty bad, because I've executed code. OK, so this is why I don't write code, because my code looks like this. So let's step out
here, and you said you quit, right? I really informally write code. You guys are like me, do you only write code if there's alcohol involved? I'll tell you what, if I'm drinking, but this, it's like you've got to have a couple to kind of take the edge off. A little too much, OK, whatever, you get it. So let's say my search box, I put in a script alert, right? So I'm going to throw this script alert now, after this, in the search box, right here, right? Thing pops up, was like, I think I'm strong, yeah. Anyway, so I did the script alert and you get that pop-up. So script,
JavaScript code. JavaScript is client-side code; that means it runs on the client, which is your browser. OK, your server-side code, ASP, JSP pages, that stuff runs where? On the server, right? OK, so when you put that script alert in there, that pop-up actually happened where? Yeah, it happened here. OK, so the server's fine, the server's not struggling; who's struggling? The client is struggling. So when we did that pop-up, we proved that we can execute code here. So that pop-up just goes, eh, I can execute code. Now I'm going to get, right, OK, hit my back button, now I'm going to grab another one. It says script alert, what? document dot
cookie. All right, so I'm going to throw that in there, hopefully I copy-pasted it, so after that, and this time I get a pop-up, what? OK, so I go to Gmail, right, that's what I'm like, oh, man, pop-up, give it up. Give us a technical term, you know what I'm saying, right? I give my username and password, they give me back the session ID, no? OK, maybe you guys went to a different school than I did, that's all I'm saying. All right, so HTTP is stateless, right? So your website has no idea who you are from one packet to the next, so you need the session ID, so the web server can be like, oh,
that's Joe, he's the guy who likes documentaries. And let's not wrap it up and get technical; it's how you share that, it's an authentication mechanism, is all I'm saying. Let's keep talking. So you proved code execution with a pop-up; you also proved that you have access to the session ID, right? So step one, prove code execution; step two, say, hey, not only have I got code execution, I also have access to the session ID. So now what I want to do is I want to say, I don't want to script alert, I want to say document dot, what, it goes somewhere. OK, so I want you to go to this page,
the page is called, uh huh, and I'm going to take the session cookie, hop, give, and send it over here. This make sense, guys? OK, so you take that whole link, you take that whole link, throw that in there like so, right? I paste that in there, the doggone thing doesn't answer, it sucks. What happened? Yeah, the session ID got sent what? Somewhere else. Thus the term cross-site. Make sense? So I give this username and password, you give me back this session ID, and the session ID is how the server knows who I am. So this is how the server knows who I am. If someone else would have my session ID, I think they could
be me, right? So the idea behind it is to say, OK, well, this is how you steal a session. OK, so now you can grab this, which is right here, the cookie catcher, and when I look, the cookie catcher writes out all these different cookies; anyone who's ever clicked the link, it prints them out, right? So that's what's today. Make sense? OK, now what you could do, I'm going to do this in Internet Exploder, get it? So it's going to lay right, this, no, it's the only one that really would go right. So good, let's go to the shopping cart right here, just in the browser, like JavaScript,
when I look at those, that's my session, right? So it's like, you come here a lot and spend the most money, and it's got my last visit, it's got all the stuff here, where it came from, so I walk here, Joe, find stuff. Now what you can do, you can say, all right, well, I'm going to go back to this page, change this
equals, oh, give ya, right, it's time, so back on this bad boy, all right, and my session ID is now what? Right? So if you can take a session ID and just, right in the browser, override it and try to impersonate somebody. And so now how many of you are going, OK, so I got that, the problem is I probably wouldn't want to explain it to my boss that way. OK, so you guys are technical, so you're like, well, you know, I'm digging it a little bit, but I really don't know how I'd explain this to my CIO this way. So what do I do when I explain it to my CIO? I say,
hey, you know, cross-site scripting down here. Can any of you guys who speak geekanese translate that code? JavaScript, password equals prompt, what, document dot write, what? So what I do is I just tell my boss, hey, you have cross-site scripting, so what that means is,
how many of our users will fall for this? Plenty, right? So, no, give, right? So we tell our customer, look, you have cross-site scripting, people can steal passwords. Now, do the nerds get mad at me when I say that? Right, because I'm not explaining it exactly correctly, in line. I mean, how many nerds get all kinds of upset and up in arms? This is some Farkle BS, that's how you properly explain code execution in the context of the browser? Is it? No, but what do I do? Now the customer knows what we're saying and they're able to fix it, right? So I used to work for this really interesting place, out of
my opinion, that's going in here, but, you know, it was some luxury hotel. So I worked in a luxury hotel; it was a great place, strongly recommend you go if you get a chance to go, strong American luxury accommodations. So this was the Hyatt Regency, and so I'm working with General Battle, and I have to tell my boss about the cross-site scripting in the, what I called it, sink compound, whatever, sick, huh? OK, a little government, by the point. So I'm not going to tell General Battle, sorry, about my cross-site scripting. Anyone who's ever briefed a general kind of knows how it goes: sir, we've identified this. It's like, Roger that, and then on to the next thing. Well, we later, everything against, survive, our process. Calm down, there is a problem.
That next week, writes in two weeks, I keep briefing cross-site scripting. Now the third week, I was, sir, we identified cross-site scripting, do you want people walking into the website as you? Now, you know, generals have a lot on their plate right now, let's not rush, do I love that, fix it. The problem was I was speaking nice. That's right, that's right. Anybody who does my beloved military knows, and we have this phrase we use when we talk to generals: beans, bullets, fuel. You know what that means? What's beans, bullets, fuel? Come on,
transportation, right? If we're not talking about feeding my troops, if we're not talking about arming my troops, if we're not talking about moving my troops from location to location, are we talking about anything important? No, sir. Actually, the VPN, we actually need to patch the VPN, so we need to add more RAM to the server, sir. Sir, sir, sir, can they do it right? Just making sense of it, it was about the VPN, right? So the whole thing here is trying to bring AppSec down to something that we can digest. OK, so question number one was what? Database. OK, now how do you know if it's talking to a database? Do you remember what to look for? Parameter
passing, good. Question number two, what's question number two? Can I see what I'm typing? OK, the only places where you can see what you're typing: a forum, a blog, a guestbook, a contact-us form, instant messenger windows, chat windows, any place where you can put in something and someone else can see it. Because what happens with cross-site scripting is you throw in that script alert, right, this other guy comes to it later, and because he's on that same page, he executes it, right? So it's an abuse of trust, for you think that you're looking at content from the real page, but actually you're dealing with script code from someone else who injected it into the page. That make
sense, guys? So you can look for search boxes, feedback forms, anywhere where you can type something, right? That's really cross-site scripting and its derivatives. Now here's the crazy part: when we found the parameter passing, I just told you to insert, what? A tick. Insert, simple, what? A tick, right? If it goes boom, look at the error message. If the error message has, you know, ODBC, JDBC, something like that, then it's what? SQL injection, all right? What if it has XML? Then it's like XML injection. What if it's an LDAP error? Then it's LDAP. Well, it's the server-side include, and that's why it's SSI injection. This make sense, guys? How
many of you guys did what I did, meaning when you see this you immediately think, I test the left side for all of that? Like, you look at the guy and, hey, they didn't want me to check for it, I would then write into the freaking guy, right? Vroom, yeah. So I was like, did, well, yeah, and people will tell me, well, you're up to full god, I'm doing it right, but my gosh, guys, it looks like they just play on the website. OK, last one, question number three, the third one: does it reference a file? Good. OK, so let's say you're at something like this. OK, so if you look here, I click here, right,
once it's a, guys, but is it, is it talking about a file on the file system? Yeah. So what you want to try to do, you want to say, hey, and just swap that sucker out with this. Really? Is it? Ha, you made this up to show this, or is that a real way? I'm only doing it to show you, see,
I'm just saying, I thought, y'all, it's a hypothetical going on, you know, I'm just teaching it here for the sake of academic learning, right? OK, so what you did is you just said, hey, he's talking about a file on the local file system, so I just said, hey, man, can you read this file right now? What you could say is, you go, well, OK, so what I've got is a text file, and the text file looks like this, obviously deep technical stuff, so copy that. If I can look for this, we'll call this an LFI, local file include. Right now the same thing you should test for, what? Well, remote file inclusion. So all I did was, uh, said, hey, he's
talking about a file, so I switched what was there with a new file I wanted him to yank down and get that down into the page. OK, can you go to a website and ask yourself these three questions on every page? Can you do that? OK, so guys, is this the most thorough web test out there? No, no, it's not. It's not. But how many of you have struggled with validating results from a scanner? You might have ever done that, or someone brings in the WebInspect results and they go, well, you've got this vulnerability, and then you, the security person, you've got to walk over to the developer and go, OK, this says your cross-
site scripting, can you, developer, reproduce? What's cross-site scripting? And you know, well, I know it's a vulnerability that allows code execution in the context of your browser, so it says, right, and then he goes, oh, we're not going back, right, and you have nothing to say. You guys, because if you can use these three questions, you're going to be able to validate a lot of vulnerabilities like this; it'll pick up like eighty percent of web app stuff, guys. Is there more? Sure. Of course there's more. OK, now let's figure out something called the FuzzDB. OK, FuzzDB, it's a project that's out on Google Code, got moved to GitHub a couple of weeks ago, but what I want you
guys to realize is, I'm going to jump into the attack section, right, and if we look at the attack section, let's choose cross-site scripting. So I choose cross-site scripting. Now, I taught you one type of cross-site scripting today, right? OK, but if you look at this file, what do they have? I have one, they've got a whole bunch. Now, everywhere where you can, which question, see what you type, so the reason that guys tell you that they like Burp Suite so much is because they can load this list, and now when they have a page where they can see what they type, they'll make it what? Try, try, iterate through every one. Does that make sense,
guys? That's the major feature that guys, you know, like up here, they like being able to take these massive FuzzDB lists, right? Now, guys, cross-site scripting, it'd be like if I wrote a vulnerability, say, hey, five plus five equals ten, and you go, hey, I'm not going to allow you to do that. The attacker could do what? Six plus four. OK, what if you write a rule for that? What can the attacker do? OK, seven plus three, eleven minus one. But how long does this go on, right? Now that's why people like these massive FuzzDB lists, because they're just looking for lots and lots and lots of
different ways to say the same type of attack. That make sense? So when I showed you, right, I showed you a local file include, that did that, OK? But you can do that local file include and we'll get all the different stuff that you can look for. That make sense, guys? So when people are running something like Burp Suite or Acunetix or any vulnerability scanner, now that you know these three steps, do you understand what the vulnerability scanner is doing, right? So it's just got this huge list of things it tries, and if it gets a certain response back, it goes, yep, it's vulnerable to that attack. That's all it is. How many of
you guys thought it would be so much more complex than this, right? You guys are like, I thought it would be a lot harder. Because like, after a couple of years, I was like, that's it? And guys, I kind of expected a little bit more. So here, right, you've got certain things; I said there are only three major classes of vulnerabilities: injection vulnerabilities, abuse of trust vulnerabilities, file inclusion vulnerabilities. Everything else is like authentication or authorization; it's all stuff that your scanners are going to pick up, right? So I'm in that 80/20 rule, right? How many of you guys are like, I just need that which picks up the big stuff, right? And
that's what's best in most of our cases. So if you just need stuff that picks up the big stuff, now that you've learned my things, what I would say your next step is, if you guys want to try all the same commands, you can take a picture of this link, right? That pastebin that I just used is public. All these servers that I'm using are publicly available, if you want to try any of the vulnerabilities. Should I zoom in some more? OK, so if you guys want to try all these vulnerabilities, all those servers are publicly available, I've got them out on Amazon. Please be gentle to my servers, don't beat them up too bad. OK, but seriously, you guys have got
to try this stuff right I'm not a big fan of things like web goat web may event and all that kind of stuff the problem with those is not that they're bad they're very good at explaining how a particular vulnerability works right you can understand what cross that request forgery is through like Hackney bank Hackney Bullock's Hackney casino web maven web goat you can learn that what you don't learn is how to traverse through a website that's what's kind of tough from those kind of tools so what you're going to notice is I built like nine of these different vulnerable apps and there are all the different languages so I gotta a sp1 a PHP one a
JSP one Oracle back in mysql right you got to cruise through the apps and look for vulnerabilities and the text file negotiates you through them like it says here type this here type that here that kind of thing alright so that's completely free you don't need to give your email or anything like that if you want to do it just drive got it all right next thing I would say guys get yourself some Firefox add-ons okay you should be able to perform a full penetration test using nothing but firefox you should be able to perform a full penetration test using nothing but what firefox now I don't know this guy but whoever this guy is that put this
together, this link right here, it's 68 different Firefox security add-ons. I don't know the guy personally, but I think he did a really good job of organizing all those different Firefox add-ons so you can do web testing, because there's way more than just Firebug, you know, because that's what most of us have, right? HackBar, Firebug. We're kind of like, "hey, we got a couple of cool ones," but that link down here, this guy did a really good job of, like, organizing all these different security add-ons. I really strongly recommend that you, you know, plus-one or thumbs-up the dude or something, let him know he's doing a good job. I don't know who he is, but I really think he did a
good job on that. Okay, next thing, guys, is once you're comfortable on the Firefox side, then you can step up to a proxy, right? Then you can start messing around with Burp Suite, ZAP, Fiddler, you know, Charles Proxy on the Mac side for any of you guys who drive a Macintosh, right? That's when you can kind of step into that. I think with some proxies the learning curve is a little higher, right? Me personally, I really try to steer people away from the proxies until they're comfortable browsing a website and finding trivial vulnerabilities. After that, then you can step into like a Burp Suite or something like that. I personally think if you have no
background, Burp is very complicated, right? You got to kind of build your way up to that, okay? All right, after that, shameless plug. We have to talk about the big boys, so commercial tools: IBM AppScan, thirty thousand dollars a year; HP WebInspect, twenty-four thousand dollars a year; Acunetix is six thousand dollars, okay? Netsparker, I should have put that up here, but I was doing my slides this morning while we were talking. Netsparker, I think that's like five thousand dollars. It's another one that's fairly low cost. This website, sectoolmarket, now I know it's a long URL, but if you just go to sectoolmarket.com, this guy does a comparison of like 65 different
vulnerability scanners and he rates what they're good at. So he, like, compares, he's like, "here's all the different scanners." sectoolmarket.com, it redirects to that long URL, and he goes down and compares each of the different vulnerability scanners, right? And he shows you, like, what they're good at finding, what they're not good at finding, how much they cost. He did a really good job here, okay? So if you're looking to move into that commercial scanner space, like you're at work, you have to do vulnerability scanning for, like, compliance, PCI compliance, something like that, you really want to be pretty aggressive on this page, trying to learn what's going on, and then, quite frankly,
trying to find a lower-cost alternative than AppScan and HP WebInspect. All right, and then time for my shameless plug. I wrote a scanner, so I need help. I need help, I need help, I need help, okay? I spent the last year building a web app vulnerability scanner, and the thought process behind it was I wanted to make something that was kind of like the Nessus model, right? Free. The big boys who, like, have money, they can spend money on it, but most of us are regular working stiffs. How many of you guys are regular working stiffs? Like, "hey, I show up for work, and I would do this if I, you know, could
do something else, but I have no other real qualifications in life." Like, if I wasn't doing security I'd be working at McDonald's. Like, I don't know how to do anything else. Like, this is it. Any of you guys in the same boat? Like, this is kind of it, right? So if you're a regular working stiff, the thought process behind this was to make a vulnerability scanner made very much just like Nessus. Matter of fact, we stole the interface from Nessus, so if anybody from Tenable is here, leave the room right now, okay? So the thought process behind it, guys, was to make a scanner with unlimited scanning, right? So you download this thing, you're going to be able to scan to your
heart's content. I will not charge you for it. Unlimited scanning for what? For free. Yes, yes, yes. Unlimited scanning for what? For free. So the whole thought process behind the scanner, guys, is the reporting engine, so you're going to be able to visualize the reports yourself, you know, change all the reporting. We do CVE, CVSS, all that good stuff. And let me jump back here, right. The other thing, our new things that we just now added: we added AWS scanning and SharePoint scanning, yeah. So I'm really trying to build this now. What I'm showing you this for today is I want your help. What I'm looking for is feedback. So the
scanner's been released now for two weeks, right? It's been out for two, maybe three weeks now, right? So the scanner's been out for about three weeks. We got about a hundred and eighty users right now, so people downloaded, people are using it. Right now you can only download the scanner as a virtual machine. It's a VM, a virtual appliance. A couple of things I'm looking to learn from you guys, maybe you can help me, okay? Me and my team, we thought the best deployment model would be a virtual appliance. Most people, they want to be able to download a virtual machine and just run with that. Right now it downloads as just a VMware virtual machine. We're pushing it through
something called Packer, and with that we'll be able to make it so that it runs in DigitalOcean, runs in Amazon, runs on OpenStack, all those kind of things. So a virtual appliance thing, that's what we've been working on. How many of you guys think it would be a big deal to have it have like a regular install, like desktop install, all that kind of stuff? Any of you guys drinking that Kool-Aid? Okay, I got one. Two. Okay, half the room. My God, really? That big of a deal, guys?
Uh-huh, okay, okay, okay. How much of a big deal to drive it on Linux, or how many of you guys want a Windows installer? Okay, so you're cool on Linux, okay. Hardened BSD, got my man in the back, what's up? But if you download an installer, how do you trust the installer? I mean, you're going to look to the source code. Uh-huh, okay, baseline it, sign it, that kind of stuff, right? Okay, okay, I'm drinking the Kool-Aid, I'm drinking the Kool-Aid. Okay, what else are you looking for, guys? How can I make this something that people use? Because I have never built a product in my life, so I spent my last year, you know, being, like, head down writing code,
so I've met a lot of... Drinking? Yes, we are. Docker should be inside of the next 90 days. What's up? But, like, SCAP and all that kind of stuff.
Uh-huh. Oh, really? Oh, no way. Okay, yeah, I was not doing any of that. Okay, okay. Huh, yeah, yeah, actually, um, second tool, we actually wrote a source code scanner, since we're doing so many source code scans on our own product. Um, go ahead. But I don't know if I would call us ready for anything serious, guys. Um, I just, look, you guys, you know, any women in here are really gonna be offended when I say this: you're not a woman, I got no reason to lie to you. We're just not ready for that. My buddy in the, you know, halfway back, Matt, is here, and Matt's been helping me deal with this, and, you know, how do I
talk to you about it? Do I BS, or do I lie about any of it? Right, we're, look, I'm one of you guys, right? I'm not trying to make a bajillion dollars on the doggone thing. I'm just trying to push something out that hopefully working stiffs can use. So, "I want to scan a complex app with this"? Nah, just no. Yeah, we're not there yet. We're just not there yet, and I just don't want to lie to you guys. Look, I made this because it's something that I needed for my job, right? And then I thought, like, okay, well, how do I make it so that it's not twenty thousand dollars a year, you know what I mean, but it's not
Burp Suite? And the reason I say that is I think Burp Suite is a little too complicated for a normal working guy who needs to scan a lot of sites, right? You're at work, you gotta scan 30, 40 servers. I don't think you're firing up Burp Suite, manually iterating through those things. Most people want some sort of point-and-click scanner that they can just point at something. That's what I decided to try to build. So I want your help, that's the short version. So I figured what I would do is I would come here, do a little thing, try to give you guys some things that hopefully help you, then hopefully you could give me some
feedback that helps me. So definitely take-home number one: desktop install. I had no idea it was that big of a deal, right? Most of my customers, big virtualization environment, so that's what I thought. I had no idea it was that big of a deal, so I'll take that home. What else are things that you guys would want to see? Like, right now we just got SharePoint. What else would you like? Ooh,
documentation. Us nerds are always good at that. I'm not hating on you. I'm drinking that Kool-Aid, I'm drinking that Kool-Aid, I'm drinking that Kool-Aid. Okay, all right, so good docs, good videos to walk you through how to use it. And what else?
We scan for CIS benchmarks right now, right? We scan for CIS benchmarks right now. That's why we're able to do, like, the AWS scanning, the SharePoint scan and the web services scanning. So right now we scan for that; we don't adhere to it, right? So again, I don't want to turn around and give you, in a way, I'm lying. We built the virtual machine, we tried to harden it. We don't allow it to point to anything but our repository, so the VM doesn't update anywhere else, you know. That way we can keep the... but we did that trying to keep the platform as stable as possible. So my thing is, how do I keep this where it's beneficial to you guys?
So what things are you looking to scan? Like, right now I got SharePoint, I got Amazon AWS, so we scan AWS S3, IAM, EC2, RDS. What else are you guys testing that's out there that would be big for you? Yeah, no, I don't do that at all. Yeah, how do you like to keep throwing stuff at me? Uh-huh. Um, what me and Matt were talking about: I was on a pen test with a customer, and the customer wanted an advanced search feature. So on this advanced search feature, what he wanted to do was, right here, where you could search your last X many days of results, like you want to know, "hey, did I have a
cross-site scripting in any of these websites in the last 90 days? Did I have a whatever attack in any of these in the last 90 days?" But what the customer was struggling with was, if you wanted to look through his previous results, he couldn't look for a particular thing in a particular date range of time. Do you guys have any things like that that you'd like to see? Like, how many of you guys run into quirky things like that? Like, like Matt wanted, Matt wanted custom alerts. So, like, you know, Matt is, like, our primary Ivan guy right now, so Matt wanted, if a new web service stands up in my environment, a targeted email, or trend
reporting, like between this scan and this scan, if a critical vulnerability showed up in my target environment, send me an email, right? What are some other kinds of things that you guys would like? One, what's up? How, tagging, how
how big of a deal, if you do something like that, does it need to integrate into your asset management system if you're going to do that? Oh,
oh, cool, okay. For the dev guys, you gotta know who to bring the Star Trek memorabilia to, okay. What's up? But the trending, and what changed in what? Okay, okay, all right, all right, I'm going to keep all that. How are we doing on time? I gotta wrap it up now, huh? Scheduled tasks will be out on Wednesday's push, yeah. So if you download after Wednesday you'll have scheduled jobs, scheduled scanning schedules, and the plan is to charge for custom reporting. So if you want to build really complex reports, the plan will be to charge one thousand dollars a year for that. Again, the thought process was for working stiffs. I'm not trying to be a bajillionaire, I'm just a regular
working guy just like you guys. So if you want to do really custom reporting beyond what it already does, so let's say you go to this type of report and you want to do more custom reports, like custom exports, like API access, like you want to push this into a SIEM, you want to do stuff like that, nah, bro, you're writing me a check. That's all I'm saying, you know. Huh? Yeah, yeah. So, like, if you're a regular working stiff, man, I'll let you drive it, I'll let you, you know, beat your head against it as much as you want. If your name is HP ArcSight or some crazy mess like that, oh, not just no but hell
no, you're giving me a check. Sorry, man, I'm just saying. I spent way, man, you have no idea the divorce that I had to go through. Basically, like, kiss, guys... I don't know if any of you guys got any dev experience, but you basically have, in less than a thousand hours of dev, them just calling it like it is. So, you know, we spent a year developing this, me and three other guys, and we're now like a notch above crap. Like, I'm just being, I'm keeping it real, man. I'll even, come on, Matt, what? Come on, man. Like, we worked our butts off on this, and now I see why these people want so much
freaking money when they build software, like, this was not easy. So, you know, now that the dream is finally being realized and we're starting to get users, and users are starting to say, "hey, I wanted to have this and I wanted to have this," or "the website doesn't support the right authentication," thank you, Matt, you know, um, I want to make it helpful. You know, look, I'm not hurting, you know, I think I can lose a few pounds, so I'm not trying to get rich off you guys. Right now my focus is, how do I make something good? That's, that's, that's where I'm at. So help me make something good, guys. Message me on Twitter, email me, you guys
got my info, and if you don't, I guess I should put it up there, huh? Yeah, yeah. But right now we have PCI reports. We're working on GLBA, HIPAA, FISMA, all that kind of stuff. Probably before the year is over or early next year we'll be getting compliance reports and stuff like that out. That stuff is all going to be free. So the idea is to keep all of this stuff free. If you're going to do enterprise integration stuff, that's what I want to charge for, but for regular working stiffs, drive it, go ahead. But is it open source? Nope. No. Yeah, oh, you want me to open source it? What if I
open, if I, if I open the APIs and let you guys, right, because somebody asked me the other day about extensibility. Like, if I open, if I give you guys API access to it so you can write stuff to it, I'd be okay with that. I'd be okay with that.
So I've had some customers ask me about CI. People want to, like, hook up with Jenkins and JIRA, do continuous integration kind of stuff and then build it into their process. Is that a big deal for any of you guys, be able to drink that Jenkins, JIRA Kool-Aid, that kind of stuff? Huh? Okay, okay, so I can kick off scans here and then have it talk to something over here. Mm-hmm. So, so if you're doing your regular testing, any time you find a web server, automatically add this. Okay, I see what you're saying, I see what you're saying, see what you're saying. Okay, all right, so any, just a list of web services, kick it over. Mm-hmm. Not too bad, not too
bad. Okay, how many of you, big deal, want it to get into repositories? The Ubuntu, Debian, RPM types, I mean a Red Hat RPM, Ubuntu, Kali Linux, all that kind of stuff. How many of you guys, big deal that it's in the repositories?
Oh, whoa, okay, okay, I appreciate it. All right, guys, I'm thinking let's hammer the nails in the coffin. I'm thinking stick the fork in us, we're done, guys. I appreciate you guys putting up with me. Thank you so much, guys, I really appreciate
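Added example (editor's note, not part of the talk and not the speaker's scanner): the speaker describes a web vulnerability scanner as "a huge list of things it tries, and if it gets a certain response back, it flags that attack." The block below is that loop in its smallest working form, so the three classes he names (injection, trust, file handling) can be seen as payload/response-marker pairs. Everything in it is constructed for illustration: the signature list, the `target.invalid` URL, and `fake_target`, which stands in for a sloppy PHP page so the example runs offline. `http_get` is the real transport you would pass in instead of `fake_target`; it is plain `urllib` and is not exercised here.

```python
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Signature list: (attack class, payload injected into one parameter,
# regex that marks the response as a hit). A real scanner carries thousands
# of these; this handful is constructed for the example.
SIGNATURES = [
    ("local file include", "../../../../../../etc/passwd",
     re.compile(r"root:[^:\n]*:0:0:")),
    ("local file include", "php://filter/convert.base64-encode/resource=index.php",
     re.compile(r"(?m)^[A-Za-z0-9+/]{40,}={0,2}$")),
    ("sql injection", "'",
     re.compile(r"You have an error in your SQL syntax|ORA-\d{5}|"
                r"unterminated quoted string|SQLSTATE\[", re.I)),
    ("cross-site scripting", "<zz1x>alert(1)</zz1x>",
     re.compile(r"<zz1x>alert\(1\)</zz1x>")),
]


def http_get(url, params):
    """Real transport: GET `url` with `params` as the query string and
    return the body as text. Pass this as `fetch` against a host you are
    authorised to test; the demo below uses fake_target instead."""
    with urlopen(url + "?" + urlencode(params), timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def scan_param(fetch, url, param):
    """Send every payload through `param` and return [(attack, payload)]
    for each response whose marker regex matched. `fetch(url, params)`
    must return the response body as a string."""
    findings = []
    for attack, payload, marker in SIGNATURES:
        body = fetch(url, {param: payload})
        if marker.search(body):
            findings.append((attack, payload))
    return findings


def scan(fetch, url, params):
    """Run scan_param over every parameter name; results keyed by name."""
    return {p: scan_param(fetch, url, p) for p in params}


# --- Constructed stand-in target so the example runs offline -------------
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")


def fake_target(url, params):
    """Pretends to be index.php on a badly written LAMP app (constructed):
    `page` goes straight to include(), `id` straight into a MySQL query,
    and `name` is echoed back but HTML-escaped, so it is NOT XSS-able."""
    page = params.get("page", "")
    if page.endswith("/etc/passwd"):
        return "<html><pre>" + FAKE_PASSWD + "</pre></html>"
    if "'" in params.get("id", ""):
        return ("You have an error in your SQL syntax; check the manual "
                "that corresponds to your MySQL server version")
    name = params.get("name", "")
    escaped = name.replace("<", "&lt;").replace(">", "&gt;")
    return "<html>Hello " + escaped + "</html>"


if __name__ == "__main__":
    url = "http://target.invalid/index.php"   # placeholder, never contacted
    for param, hits in scan(fake_target, url, ["page", "id", "name"]).items():
        print(param, "->", hits or "clean")
```

The `name` parameter comes back clean even though a payload was sent, which is the flip side of the model: a signature scanner only reports what its markers recognise, so an escaped reflection, a blind injection, or a custom error page all slip past the list. That is why the speaker's "80/20" framing is honest: the loop finds the big, noisy stuff and nothing subtler.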