orchestrating security testing with golismero

AppSec USA 2014 Denver, Colorado Orchestrating Security Testing With Golismero Mike Landeck


TRANSCRIPT

Page 1: Orchestrating Security Testing With Golismero

AppSec USA 2014
Denver, Colorado

Orchestrating Security Testing With Golismero
Mike Landeck

Page 2: Orchestrating Security Testing With Golismero

2

Speaker Bio

Mike Landeck

Mike Landeck led the security implementation and then operationalized the country's largest Medicaid Management Information System as the Director of Information Security for Xerox's State Healthcare, and then managed the security program implementation of Colorado's Health Insurance Exchange as a consulting manager for CGI.

Mike currently consults at one of the world's largest technology companies on improving security in the software development lifecycle as a Product Security Strategy Consultant.

Mike is a frequent conference speaker and workshop presenter, appearing at conferences throughout the United States and focusing on software security testing and security program management.

Page 3: Orchestrating Security Testing With Golismero

3

Disclaimer

I do not speak on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer.

Page 4: Orchestrating Security Testing With Golismero

4

Golismero Project Team
www.golismero.com

Mario Vilas, core developer

Raúl Requero, frontend developer

Daniel García, backend developer

Golismero

Page 5: Orchestrating Security Testing With Golismero

5

Agenda
1. Very brief business context
2. Golismero for senior users
3. Golismero for complete and total rookies

Agenda

Page 6: Orchestrating Security Testing With Golismero

6

Top three reasons I hear organizations cite for not using more automated assessment tools:
• Don't know how to use them
• Don't know which tools to use
• Too much time to vet results

Business Context

Page 7: Orchestrating Security Testing With Golismero

7

Business Context

[Figure: four parallel pipelines, one per assessment type, each running Request → Analysis → Configuration → Execution → Vetting/Audit → Report]

Web vulnerability

Host vulnerability

Network vulnerability

Application vulnerability

Typical Automated Security Assessments

Page 8: Orchestrating Security Testing With Golismero

8

Single Request → Single Analysis → Single Config → Single Execution → Single Vetting → Single Report

Business Context

Plugins orchestrated by Golismero:
1. Nikto
2. Nmap
3. OpenVAS
4. SpiderFoot
5. SSLScan
6. sqlmap
7. XSSer
8. DNS Malware
9. GeoIP
10. PunkSPIDER
11. Shodan
12. Plecost
13. Default Error Page
14. Directory Listing
15. Exploit-DB
16. Fingerprint Web
17. Brute Directories
18. Brute DNS
19. Brute Extensions
20. Brute Permutations
21. Brute Predictables
22. Brute Prefixes
23. Brute Suffixes

Page 9: Orchestrating Security Testing With Golismero

9

Simple Demo: Default Settings

Golismero Demo

    golismero scan <host>

(slide labels for the three tokens: Action, Test, Target)

Page 10: Orchestrating Security Testing With Golismero

10

File location: /usr/share/golismero/golismero.conf

    [openvas]
    host = localhost
    #[testing/scan/openvas]
    user = admin
    password = <your password>
    #[shodan:Configuration]
    apikey = <your shodan key>

Golismero Config File
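The config file above holds an OpenVAS password and a Shodan API key, and the template ships with angle-bracket placeholders. The following script is an added example (not part of the slides or of the Golismero project) that reads an INI-style file of the same shape, reports any required credential that is empty or still a placeholder, and warns when the file is readable by other users. The sample configuration text embedded in it is constructed to mirror the slide's template values; the section and key names are taken from the slide.

```python
"""Sanity-check a golismero.conf before starting a scan (added example)."""
import configparser
import os
import stat

# Constructed sample that mirrors the template values shown on the slide.
SAMPLE_CONF = """\
[openvas]
host = localhost
user = admin
password = <your password>

[shodan:Configuration]
apikey = <your shodan key>
"""

# Section -> keys that must be filled in before that plugin is useful.
# (Section and key names as shown on the slide; the set is an assumption.)
REQUIRED = {
    "openvas": ("host", "user", "password"),
    "shodan:Configuration": ("apikey",),
}


def find_problems(text):
    """Return a list of human-readable problems found in the config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            value = cp.get(section, key, fallback="").strip()
            if not value:
                problems.append(f"[{section}] {key} is empty")
            elif value.startswith("<") and value.endswith(">"):
                # Template placeholders such as <your password> were never replaced.
                problems.append(
                    f"[{section}] {key} still has template placeholder {value}")
    return problems


def permission_problems(path):
    """Warn if the file (which holds secrets) is group- or world-readable."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path} is readable by other users (mode {stat.filemode(mode)})"]
    return []


def check_config_file(path="/usr/share/golismero/golismero.conf"):
    """Check a real config file on disk: contents plus file permissions."""
    with open(path) as fh:
        text = fh.read()
    return find_problems(text) + permission_problems(path)


if __name__ == "__main__":
    # Running against the constructed sample reports the two placeholders.
    for problem in find_problems(SAMPLE_CONF):
        print("WARN:", problem)
```

Run `check_config_file()` on the Kali image before a scan that relies on the OpenVAS or Shodan plugins; a placeholder left in place means that plugin will silently fail to authenticate rather than find anything.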

Page 11: Orchestrating Security Testing With Golismero

11

Golismero Advanced

    golismero scan <host>

Options:
    -db <name for scan>
    -o <user-defined name of output file>
    --cookie <name=value>
    --user-agent <user-defined value>
    -pu <user name>
    -pp <password>

Golismero Demo

Page 12: Orchestrating Security Testing With Golismero

12

Report formats:
• Determined by the extension, e.g. .html, .txt and .rst

Reporting on previous scans:

    golismero report <fileName.ext> -db <scanName.db>

Golismero Reporting
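The two slides above describe the scan options and the fact that a report can be regenerated from a saved scan database in whatever format the file extension selects. The following is an added example (not the project's own code) that composes those two command lines so the scan database is always named, rejects a report file name whose extension is not one of the formats the slide lists, and only executes the command when the `golismero` binary is actually on the PATH. The option names are the ones on the slides; `-pu` and `-pp` are passed through as "user name" and "password" exactly as the slide labels them, and the host and file names in the usage section are constructed.

```python
"""Compose golismero scan/report command lines from the slides (added example)."""
import os
import shutil
import subprocess

# Report formats named on the slide; the extension selects the format.
REPORT_EXTENSIONS = {".html", ".txt", ".rst"}


def scan_command(host, db, output=None, cookie=None, user_agent=None,
                 user=None, password=None):
    """Return argv for `golismero scan <host>` with the slide's options.

    The scan database (-db) is mandatory here so the results can be
    re-reported later without scanning again.
    """
    argv = ["golismero", "scan", host, "-db", db]
    if output:
        argv += ["-o", output]
    if cookie:
        argv += ["--cookie", cookie]            # name=value
    if user_agent:
        argv += ["--user-agent", user_agent]
    if user:
        argv += ["-pu", user]                   # "user name" on the slide
    if password:
        argv += ["-pp", password]               # "password" on the slide
    return argv


def is_supported_report(output):
    """True if the file extension is one of the formats the slide lists."""
    return os.path.splitext(output)[1].lower() in REPORT_EXTENSIONS


def report_command(output, db):
    """Return argv for `golismero report <file> -db <scan.db>`."""
    if not is_supported_report(output):
        raise ValueError(
            f"unsupported report format for {output!r}; "
            f"use one of {sorted(REPORT_EXTENSIONS)}")
    return ["golismero", "report", output, "-db", db]


def run(argv):
    """Execute a composed command; fail clearly if golismero is not installed."""
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError(
            "golismero is not on PATH (the slides use the pre-built Kali image)")
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    # Constructed target and file names; on the Kali image this scans once
    # and then produces the same findings in two formats from one database.
    db = "appsec-demo.db"
    print(" ".join(scan_command("192.0.2.10", db, output="appsec-demo.html")))
    print(" ".join(report_command("appsec-demo.rst", db)))
    print(" ".join(report_command("appsec-demo.txt", db)))
```

Keeping the scan database is what makes the "reporting on previous scans" step possible: the vetting/audit pass can be done once against the database, and the HTML, text or reStructuredText report is regenerated from it without a second scan.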

Page 13: Orchestrating Security Testing With Golismero

13

Step 1: Download VMware Player
Step 2: Download the pre-configured Kali image
Step 3: Open the image
Step 4: Click the button to start the wizard

Golismero for Complete Rookies

Links and help for all of this at: http://SoftwareSecurityAssurance.com/AppSecUSA2014

Page 14: Orchestrating Security Testing With Golismero

14

Demo: Go from zero experience to running golismero!

Setting up a Test System

Page 15: Orchestrating Security Testing With Golismero

15

There is not enough time in a one-hour workshop to walk through the installation process; however, there are literally hundreds of Kali installation demos on YouTube.
– This one is comprehensive (and narrated!): https://www.youtube.com/watch?v=k5mNnkG0FVk

Installing Kali

Page 16: Orchestrating Security Testing With Golismero

16

Questions

Page 17: Orchestrating Security Testing With Golismero

17

Useful Links

Topic: Link

Golismero web site: www.golismero.com

Slides and supporting material: http://SoftwareSecurityAssurance.com/AppSecUSA2014

OpenVAS help: http://goo.gl/im2FLe

Basic Linux commands for Kali users: http://kali4hackers.blogspot.com/2013/06/some-basic-commands-for-kali-linux.html

Kali installation (video): https://www.youtube.com/watch?v=k5mNnkG0FVk

Download Kali: http://www.kali.org/downloads/

Download VMware Player: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0

Shodan registration: http://www.shodanhq.com/account/register

Page 18: Orchestrating Security Testing With Golismero

18

End –h now