From Security Weekly Wiki
Jump to navigationJump to search

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 286 for Thursday May 3d, 2012

Special Guests: Mike Yaffe, Alex Horan, Selena Proctor


Alex is a Senior Product Manager for Core, a serial hoarder, and certified Breadth and Depth expert. Previously he ran the System Engineering team at Core, helping to provide training and customer support services to CORE IMPACT'S user base. Alex brings a deep knowledge and understanding of vulnerability assessment, penetration testing, and network administration to his work at Core as well as to cigar smoking.


Mike Yaffe is the Director of Marketing for Core, and a pretty one at that.



  1. Do you need to exploit a vulnerability to know that you have a vulnerability?
  2. Why is it that people feel that you must show that a vulnerability is exploitable before you fix it?
  3. Web application vulnerabilities are by far the most difficult to show the impact, how can we best exemplify vulnerabilities such as XSS and SQLi?
  4. From a penetration testers perspective, how can we best utilize automated tools?
  5. When procuring a penetration test, how can we differentiate between the "good" and the "bad"?
  6. With the current measures in place to prevent exploitation, how much longer does it take to develop a reliable exploit?
  7. What value does automated exploitation provide to the enterprise? Isn't most of the value what happens after the exploit?
  8. What are some things that can be automated in post-exploitation?
  9. What stuff works now when automating in post-exploitation, and more importantly what areas need more work?
  10. Given that the underground market has exploded, How can we get better at testing for 0day exploits?
  11. When we embark on finding vulnerabilities, exploiting vulnerabilities, determining the affects, and generating a report, what can we do to improve the process that comes after that?


Some More Plugs

  • DerbyCon Call for Papers and Ticket Registration is: happening NOW. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
  • Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Paul's Stories

Jack's Stories