Web app testing classroom in a box - the good, the bad and the ugly - Lee Neely, Chelle Clements, James McMurry Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Web app testing classroom in a box - the good, the bad and the ugly
Lee Neely, Chelle Clements, James McMurry
Derbycon 2018

Web-based applications and services are the key technologies behind modern service delivery, and their security, or lack thereof, can make or break a company. We developed an assessment approach to follow, along with free and commercial tools that assist at each step of the process. There are more engagements than there are resources, so we set out on a mission to train new web application testers on a portable platform, teaching them an approach that not only tests application security but also leverages tools that simplify the process: in effect, cheating to win. To conduct that training, we had to develop a classroom-in-a-box that included the network, the targets and the tools for the students. Over the last year, we have leveraged Raspberry Pi Zeros, thumb drives with Kali Linux, Chromebooks and Intel NUC servers. We will discuss the pros and cons, showing what works and what to avoid, as well as what can be used to build a home lab or your own classroom in a box. Attendees will leave with information they can take back to their home organization to serve as a foundation for either an ad-hoc or ongoing capability.

Jim McMurry is an accomplished technologist with an entrepreneurial mindset and over 23 years of combined experience in security, information technology, telecommunications, networking, management and software development. Jim's varied experience in network security, military projects, IT and high-tech arenas, with startups through Fortune 1000 companies, provides him with a unique set of tools as he grows Milton Security. He volunteers for numerous charities and supports veterans through the Milton Veteran Hiring program.

Lee Neely is a senior IT and security professional at Lawrence Livermore National Laboratory with over 25 years of extensive experience with a wide variety of technology and applications, from point implementations to enterprise solutions. He currently leads LLNL's Entrust team and is the CSP lead for new technology adoption, specializing in mobility. He teaches cyber security courses and holds several security certifications, including GMOB, GPEN, GWAPT, GAWN, CISSP, CISA, CISM and CRISC. He is also the President of the ISC2 East Bay Chapter.

Chelle Clements has been associated with computer science and cyber security for over 20 years. She has an AAS in Environmental Science from Northern Virginia Community College, and a BS and an MS in Information Systems Management from the University of San Francisco. She is an Army veteran and one of the first women in the Corps of Engineers (she has some great stories!). She spent 30 years at Lawrence Livermore National Lab as a researcher in three different fields (chemistry, physics and computer science) and also as a community outreach volunteer. She currently supports several veteran causes with pro bono web development (such as East Bay Stand Down) and served on her city's art commission.

@lelandneely, @jmcmurry


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast