If it ain’t broke then break it (The OWASP Broken Web Applications VM Project)

If it ain’t broke then break it (The OWASP Broken Web Applications VM Project)

Henry Dalziel | General Hacking Posts, Hacker Hotshots, Latest InfoSec News, Pentesting Tools, Resources and Tutorials | September 23, 2013

Another week and another bunch of amazing Hacker Hotshots! – and this week it’s special for two reasons: Mario Vuksan and Domingo Guerra.

Tomorrow, Tuesday September 24th, Mario will be presenting: “File Disinfection Framework: Striking Back at Polymorphic Viruses” and Domingo, as the co-founder of Appthority will be presenting, “Status of App (in)Security: A look at common risky behaviors in the top 400 iOS and Android Apps” Friday the 27th.

We have already written a blog post on Domingo’s much anticipated Android talk, and incidentally, whilst we are on the subject of Android and mobile security – go ahead and check our previous talk with Daniel Bradberry, one of the co-creators of the amazing Drozer Project (for those that don’t known Drozer is an excellent tool that can scan Android Apps for vulnerabilities and Malware which is increasing at a faster rate than for Apple iOS vulnerabilities).

Interested in Polymorphic Viruses?
If you are then make sure you join us Tuesday! Mario will present these three points. He will:

  • Describe where dynamic analysis falls short.
  • Discuss challenges of disinfection and breach eradication.
  • Outline what we need to know for rapid threat classification.

What are Polymorphic Viruses?
Good question, and yes, we had to reach up and get our Harry ‘Pentester’ Potter book of magic viruses off the shelf, blow off the dust, and remind ourselves too!

In information security speak, polymorphic code, and a polymorphic virus, is code within a virus that uses a polymorphic engine to mutate whilst maintaining the original algorithm and possible payload intact. Think of it in the same way that you would a virus that affects humans, it must mutate to combat our ability to create immunity. So, the same is for polymorphic viruses. Despite our best efforts to define this important area of research, we really look forward to Mario giving us his definition of what these viruses are and importantly what we can do to detect and prevent them.

All our of research in this subject has shown that polymorphic viruses are widely respected as being the most complex and difficult viruses to detect, often requiring anti-virus/ malware organizations to commit considerable resources in fighting their spread.

If you are interested in this subject and just came into this post after Mario’s presentation then don’t forget that all our events are recorded – hit the links provided at the top of this post.

If it ain’t broke then break it (OWASP VM’s)
A week tomorrow is going to be awesome and we can’t wait!

Chuck Willis, our first Hacker Hotshot of October 2013, is presenting: “OWASP Broken Web Applications VM”.

What is the OWASP Broken Web Applications VM Project?
OWASP provides a free and open source virtual machine which comes pre-loaded with web applications containing security vulnerabilities. This is taken from their official page on OWASP:

The Broken Web Applications (BWA) Project produces a Virtual Machine (VM’s) that purposely runs a bunch of web applications that have known vulnerabilities. The reason for this, is to:

  • Help those learn about web application security.
  • Help test manual assessment techniques.
  • Help training to be able to test automated tools.
  • Testing source code analysis tools.
  • To be able to observe web attacks.
  • Test WAFs and similar code technologies.

Our understanding is that the overriding benefit of using and training with OWASP’s compromised/ vulnerable machines is that it saves the student time! The reason for this is because most of the processes and methodologies have been cataloged from scratch.

In the talk, Chuck is going to outline:

  • How the OWASP Broken Web Applications Project can be used for training, testing, and experimentation by people in a variety of roles.
  • Show us how the project is used by pentester to discover and exploit web application vulnerabilities
  • Show how developers and others use this project to prevent and defend against web application attacks
  • Show how we can use the research to respond to web application incidents.
  • Discuss the new features and applications in the recently released version 1.1 of the VM
Important for our students! Please take note!
This is a really topical talk for our students that have enrolled on our “Learn How To Hack And Defend Your Website In Just 3 Hours” course this October 5th. We encourage all our students to watch and participate in all our Hacker Hotshot web shows – but Chuck’s OWASP talk is particularly relevant.

Alejandro, our unbelievably talented instructor (who incidentally is a speaker at DerbyCon 2013) will be teaching the course using a very similar application to the OWASP tool, called Damn Vulnerable Web App (DVWA, which is a PHP/MySQL web application that is ‘Damn Vulnerable). We think it would be awesome for our students to also use the OWASP Broken Web Applications VM Project.

Quick bio of your Tuesday October 1st Hacker Hotshot! – Chuck Willis
Chuck works for Mandiant and specializes in application and network security, where he audits the security of sensitive software and systems through pentesting, static analysis, and “white box” hacking. Chucks past includes in-depth experience with source code analysis tools, security software engineering, computer forensics, network intrusion investigations, research, and tool development.

As the leader of the OWASP Broken Web Applications project, we are delighted to have Chuck on the show and actively encourage you to attend and ask questions! This will be a superb learning experience and for that are we are most grateful to Chuck for his time.

In Summary
The relevancy of the OWASP Broken Web Applications VM Project to Concise Courses, and importantly our students, is immense. If you are one of our students then we will be contacting you to make sure that you register for this event – but as always, every Hacker Hotshot is open and free to everyone.

We actually had another major OWASP Hacker Hotshot this year with Michael Coates. Michael is the OWASP Chairman and last month, August 14th, he presented: “The State of OWASP. Michael’s talk was excellent, very informative and frankly the talk to listen to if you are interested in OWASP, which as a security professional, you really should be!

Leave a comment or reply below...thanks!