Difference between revisions of "Episode286"
|Line 20:||Line 20:|
== Questions ==
== Questions ==
= Stories =
= Stories =
Revision as of 19:37, 2 May 2012
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 286 for Thursday May 3d, 2012
- Register today for Offensive Countermeasures: Defensive Tactics That Actually Work at SANSFIRE July 7, 2012 - July 8, 2012 with the freewheeling, piano playing & clown loving John Strand!
- You can watch us live at http://pauldotcom.com/live or watch the recorded episodes on Ustream
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez and our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini.
Special Guests: Mike Yaffe, Alex Horan, Selena Proctor
Alex is a Senior Product Manager for Core Security Technologies, a serial hoarder, and certified Breadth and Depth expert. Previously he ran the System Engineering team at Core, helping to provide training and customer support services to CORE IMPACT'S user base. Alex brings a deep knowledge and understanding of vulnerability assessment, penetration testing, and network administration to his work at Core as well as to cigar smoking.
- Do you need to exploit a vulnerability to know that you have a vulnerability?
- Why is it that people feel that you must show that a vulnerability is exploitable before you fix it?
- Web application vulnerabilities are by far the most difficult to show the impact, how can we best exemplify vulnerabilities such as XSS and SQLi?
- From a penetration testers perspective, how can we best utilize automated tools?
- When procuring a penetration test, how can we differentiate between the "good" and the "bad"?
- With the current measures in place to prevent exploitation, how much longer does it take to develop a reliable exploit?
- What value does automated exploitation provide to the enterprise? Isn't most of the value what happens after the exploit?
- What are some things that can be automated in post-exploitation?
- What stuff works now when automating in post-exploitation, and more importantly what areas need more work?
- Given that the underground market has exploded, How can we get better at testing for 0day exploits?
- When we embark on finding vulnerabilities, exploiting vulnerabilities, determining the affects, and generating a report, what can we do to improve the process that comes after that?
Some More Plugs
- Be sure to register for Carlos Perez class "Introduction to PowerShell for Security Professionals" happening at DerbyCon.
- Larry is teaching for SANS, check out Larry's very own dedicated page on the SANS web site for a complete list.
- DerbyCon Call for Papers and Ticket Registration is: happening NOW. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
- Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!