AppSec USA 2014, Denver, Colorado: Orchestrating Security Testing With Golismero, Mike Landeck
TRANSCRIPT
![Page 1: AppSec USA 2014 Denver, Colorado Orchestrating Security Testing With Golismero Mike Landeck](https://reader036.vdocument.in/reader036/viewer/2022081519/56649d745503460f94a53ad3/html5/thumbnails/1.jpg)
AppSec USA 2014
Denver, Colorado
Orchestrating Security Testing With Golismero
Mike Landeck
Speaker Bio
Mike Landeck led the security implementation of, and then operationalized, the country's largest Medicaid Management Information System as Director of Information Security for Xerox's State Healthcare, and then managed the security program implementation of Colorado's Health Insurance Exchange as a consulting manager for CGI.
Mike currently consults at one of the world's largest technology companies on improving security in the software development lifecycle as a Product Security Strategy Consultant.
Mike is a frequent conference speaker and workshop presenter, appearing at conferences throughout the United States and focusing on software security testing and security program management.
Disclaimer
I do not speak on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer.
Golismero Project Team (www.golismero.com)
Mario Vilas, core developer
Raúl Requero, frontend developer
Daniel García, backend developer

* My role is that of self-appointed evangelist and bug hunter who wants to promote the concept of automated test orchestration in the cyber security testing community.
Agenda
1. Very Brief Business Context
2. Golismero for Senior Users
3. Golismero for complete and total rookies
Business Context

Top three reasons I hear organizations cite for not using more automated assessment tools:
• Don't know how to use them
• Don't know which tools to use
• Too much time to vet results
Business Context

Figure: Typical Automated Security Assessments. Each assessment type (Web Vulnerability, Host Vulnerability, Network Vulnerability, Application Vulnerability) runs its own separate copy of the same pipeline:
Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Business Context

Figure: with orchestration, one pipeline serves all of the tools:
Single Request -> Single Analysis -> Single Config -> Single Execution -> Single Vetting -> Single Report

Plug-ins orchestrated by Golismero:
1. Nikto
2. Nmap
3. Openvas
4. Spiderfoot
5. Sslscan
6. Sqlmap
7. Xsser
8. Dns_Malware
9. Geoip
10. Punkspider
11. Shodan
12. Plecost
13. Default Error Page
14. Directory Listing
15. Dns Malware
16. Exploit-DB
17. Fingerprint Web
18. Brute Directories
19. Brute Dns
20. Brute Extensions
21. Brute Permutations
22. Brute Predictables
23. Brute Prefixes
24. Brute Suffixes
Golismero Demo: Simple Demo, Default Settings

golismero scan <host>

Here "scan" is the action and <host> is the test target.
Golismero Config File

File location: /usr/share/golismero/golismero.conf

[openvas]
host = localhost
#[testing/scan/openvas]
user = admin
password = <your password>
#
[shodan:Configuration]
apikey = <your shodan key>

This file holds the OpenVAS password and the Shodan API key in clear text, so restrict it to the account that runs the scans (for example, chmod 600) rather than leaving it world-readable under /usr/share.

http://goo.gl/im2FLe for detailed instructions on setting up OpenVAS
http://www.shodanhq.com/account/register for a Shodan API key
Golismero Demo: Golismero Advanced

golismero scan <host> [options]
--audit-name <user-defined name for the scan>
-o <user-defined name of the output file>
--no-parent
--cookie <name=value>
--user-agent <user-defined value>
Golismero Demo: Golismero Plug-ins

golismero plugins    returns all loaded plug-ins
-e <plug-in name>    enables a plug-in (option to golismero scan)
-d <plug-in name>    disables a plug-in (option to golismero scan)

Example: golismero scan <host> -d 'brute*' disables all of the brute-force plug-ins. Quote the pattern so the shell hands it to Golismero unexpanded instead of matching it against file names in the current directory.
Golismero Reporting

Report Formats:
• Determined by the output file extension, e.g. .html, .txt and .rst

Reporting on Previous Scans:
golismero report <fileName.ext> -db <scanName.db>
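As an added example, not the speaker's code and not part of GoLismero, the following POSIX sh wrapper ties the preceding slides together: it writes the config sections from the Golismero Config File slide with owner-only permissions, validates the report extension, and assembles the scan and report command lines from the flags shown above. The gl_* helper names, the GL_DRY_RUN switch and the sample values (the host example.test, the audit name, the placeholder credentials) are this example's own assumptions; the flags, subcommands and config keys are the ones on the slides.

```shell
#!/bin/sh
# Added example wrapper around the GoLismero command line shown on these
# slides. It is not part of GoLismero and not the speaker's code: the gl_*
# helper names, the GL_DRY_RUN switch and the sample values are assumptions
# of this example; the flags and config keys are the ones on the slides.
set -eu

# Safety default: print the command instead of running it. Set GL_DRY_RUN=0
# to really invoke golismero (it must be on PATH and configured).
GL_DRY_RUN=${GL_DRY_RUN:-1}

# GoLismero picks the report format from the output extension; the slides
# name .html, .txt and .rst. Returns 0 for one of those, 1 otherwise.
gl_report_ext_ok() {
    case "$1" in
        *.html|*.txt|*.rst) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the [openvas] and [shodan:Configuration] sections from the config
# slide with owner-only permissions, since the file holds the OpenVAS
# password and the Shodan API key in clear text.
# Arguments: path, OpenVAS password, Shodan API key.
gl_write_conf() {
    ( umask 077
      printf '%s\n' '[openvas]' 'host = localhost' 'user = admin' \
          "password = $2" '[shodan:Configuration]' "apikey = $3" > "$1" )
}

# Build and run (or preview) a scan.
# Arguments: target, audit name, output file, optional cookie (name=value),
# optional plug-in pattern to disable (e.g. 'brute*').
# The arguments are assembled with "set --" and passed as separate words, so
# the pattern reaches golismero unexpanded and a cookie containing spaces
# stays one argument. The dry-run preview joins them with spaces for reading.
gl_scan() {
    target=$1; audit=$2; out=$3; cookie=${4:-}; disable=${5:-}
    if ! gl_report_ext_ok "$out"; then
        echo "gl_scan: unsupported report extension in $out" >&2
        return 1
    fi
    set -- scan "$target" --audit-name "$audit" -o "$out" --no-parent
    [ -n "$cookie" ]  && set -- "$@" --cookie "$cookie"
    [ -n "$disable" ] && set -- "$@" -d "$disable"
    if [ "$GL_DRY_RUN" = 1 ]; then
        printf 'golismero %s\n' "$*"
    else
        golismero "$@"
    fi
}

# Regenerate a report from a saved audit database, as on the reporting slide.
# Arguments: output file, database file.
gl_report() {
    gl_report_ext_ok "$1" || return 1
    if [ "$GL_DRY_RUN" = 1 ]; then
        printf 'golismero report %s -db %s\n' "$1" "$2"
    else
        golismero report "$1" -db "$2"
    fi
}

# Demo with constructed values (a dry run unless GL_DRY_RUN=0):
# a nightly web scan of a hypothetical host with brute-force plug-ins off,
# then a text report rebuilt from the same audit's database.
gl_scan example.test nightly-web nightly-web.html "" 'brute*'
gl_report nightly-web.txt nightly-web.db
```

Run it as-is to see the two command lines it would execute; run it with GL_DRY_RUN=0 on a Kali box with golismero installed and the config written by gl_write_conf in place to execute them. Passing the arguments through "set --" rather than building a string and eval-ing it is what keeps the 'brute*' pattern and any cookie value intact without quoting tricks.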
Golismero for Complete Rookies

Step 1: Download VMware Player
Step 2: Download my pre-configured image
Step 3: Open the image
Step 4: Click the button to start the wizard

Links and help for all this at: http://SoftwareSecurityAssurance.com/AppSecUSA2014
Setting up a Test System

Demo: Go from zero experience to running golismero!
Installing Kali

There is not enough time in a one-hour workshop to walk through the installation process; however, there are literally hundreds of Kali installation demos on YouTube.
– This one is comprehensive (and narrated!): https://www.youtube.com/watch?v=k5mNnkG0FVk
Questions
Useful Links

Golismero Web Site: www.golismero.com
Slides and supporting material: http://SoftwareSecurityAssurance.com/AppSecUSA2014
OpenVAS Help: http://goo.gl/im2FLe
Basic Linux commands for Kali users: http://kali4hackers.blogspot.com/2013/06/some-basic-commands-for-kali-linux.html
Kali Installation (video): https://www.youtube.com/watch?v=k5mNnkG0FVk
Download Kali: http://www.kali.org/downloads/
Download VM Player: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0
Shodan Registration: http://www.shodanhq.com/account/register
End –h now