Not all penetration testing is done in a virtual setting or even through a phone call.  Sometimes you need to get down and dirty and actually interact with people.  In this very special episode I sit down and speak with the great Jek Hyde about physical penetration testing and everything that it entitles.  It's a fascinating talk for sure, and one you don't want to miss. Some links of interest:

• Jek's Motherboard Article

• IntelTechniques.com

• Open Source Intelligence Techniques (Book)

• Google Hacking Database (Google Dorks)

• redteamtools.com

• @HydeNS33k

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

Have you heard the term, managing up? It's and old expression used when you need to make sure that your boss has his or her expectations met so that you can focus on your own job.  Information security is really no different, and in a lot of ways it's also more important to get right.  We are an industry of social introverts and generally prefer the warm embrace of an IRC screen, Twitter feed or Slack channel for our communications.  It's taken me many years to get comfortable with speaking with other humans, but more than that I have learned there is a certain technique when speaking with executes - a special breed so to speak - about security.  Tracy Maleeff, the InfoSecSherpa, joins me to help guide us all on proper techniques to communicate with senior leadership. Some links of interest:

• InfoSecSherpa's Nuzzle Newsletter

• Information Needs Chart

• How To Effectively Communicate with Different Brain Types

• Be Brief, Be Bold, Be Gone

• @InfoSecSherpa

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

Take a pinch of blue, a dash of red, plus some good old fashioned investigative intuition and you get Threat Hunting!  Well, not exactly but it's a start!  This week Will Harmon from Trustwave's Spider Labs comes on the show to explain what Threat Hunting is, why it's important and how people can get started into this exciting infosec field! Some links of interest:

• Trustwave Global Security Report - 2017

• threathunting.org

• threathunting.net

• SANS Reading Room for Threat Hunting

• eLearningSecurity - Threat Hunting Professional

• cybrary.it - Introduction To Cyber Threat Intelligence

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

The Cloud Security Alliance (CSA) has long been known to be the source of cloud security discussions.  From the CCSK to the partnership with ISC(2) to bring us the CCSP, they are definitely a group to pay attention to.  This week I focus on their "Treacherous Twelve", a list of 12 security concerns for any organization moving to the cloud. Some links of interest:

• CCM - https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

• CSA Top Threats To Cloud Computing Plus: Industry Insights - https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

This week Joe Gray, host of the Advanced Persistent Security podcast, that friend you didn't recognize but added to Facebook anyway, and security researcher joins me to talk about OSINT.  This is a packed episode full of security goodness and definitely not one you want to miss! Some links of interest:

• Advanced Persistent Security - https://advancedpersistentsecurity.net/

  • @c_3pjoe

• Through The Hacking Glass

  • @hackingglass
  • @rainmain_a
  • Peerlyst

• OSINT Tools

  • Recon-NG
  • OSINT Framework
  • Maltego
  • Hunch.ly

• Other Sites

  • Indeed.com
  • haveibeenpwned.com
  • Innocent Lives Foundation

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

The first of a series, I sit down with Bryan and Brian of Brakeing Down Security fame to have a fun take on a classic tabletop scenario with a D&D feel.  Please hold the hate, I haven't played D&D in many years and I know it's not "classic", but it's fun and lighthearted.  We go through a few different scenarios with you all in the hopes you find it enjoyable, entertaining, and educational. If you enjoyed this episode, please let me know!  I'd like to make this a recurring theme every 12-15 episodes with different podcasters if there's enough interest.  Special shout out to @badthingsdaily on Twitter for helping provide the scenarios! Some links of interest:

• Brakeing Down Security - http://www.brakeingsecurity.com/

  • @brakesec
  • @bryanbrake
  • @boettcherpwned
  • @infosystir

• Tabletop Scenarios - @badthingsdaily

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

I feel truly touched to be included in this year's tradition of the podcast of podcasters, hosted by Bryan Brake of Brakeing Down Security.  This is the audio that you will hear from the various other podcasts that were on the episode with me.  I was a bit star-struck, but it was a great time all around.  Enjoy! Podcasts and Podcasters represented on the show:

• Brakeing Down Security

  • @brakesec
  • @bryanbrake
  • @InfoSystir

• Advanced Persistent Security

  • @advpersistsec
  • @C_3PJoe

• Rally Security

  • @RallySecurity
  • @Dakacki
  • twitch.tv/rallysecurity
  • youtube.com/rallysecurity

• Iron Sysadmin

  • @IronSysadmin
  • @gangrif

• Tracy Maleeff

  • @InfoSecSherpa

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

In the completion of our look at the OWASP Top 10 for 2017, this episode will cover the final 5 items on the list, from A6 (Security Misconfiguration) through A10 (Insufficient Logging & Monitoring). Some links of interest:

• OWASP Top 10 - https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• OWASP XSS Filter Evasion Cheat Sheet - https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

• OWASP XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

• OWASP DOM-based XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

• Bypass WAF with DOM-based XSS - https://www.sunnyhoi.com/using-dom-based-xss-bypass-waf/

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

The Open Web Application Security Project (OWASP) group has created a Top 10 web applications vulnerability list since 2003.  Normally the list gets updated every 3 years or so, with the previous release being 2013.  Now with the 2017 list being finalized, I felt it was appropriate for us to go through it and look at it from a red and blue team perspective. This episode will cover the first 5 items on the list, from A1 (Injection) through to A5 (Broken Access Control). Some links of interest:

• OWASP Top 10 - https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

• SQLMap - http://sqlmap.org/

• Burp Suite - https://portswigger.net/burp

• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Want to reach out to the show?  There's a few ways to get in touch!

• Show's Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com

Certifications.  We either love them or hate them, but we cannot deny that they are needed.  Either to prove a set of skills, prove the ability to memorize facts and take tests, or to prove that our egos are bigger than our peers, there are lots of opinions on certifications. This week Kim Crawley joins me to talk about a recent article she has written for Cylance, Security Certifications You Should Consider Getting.  We discuss what certifications are good for, our opinions on them, HR managers, and where you can find resources to help you study. Some links of interest:

• Security Certifications You Should Consider Getting: https://www.cylance.com/en_us/blog/security-certifications-you-should-consider-getting.html

• Kim's Twitter: @kim_crawley

• Cybrary: https://www.cybrary.it/

• O'Reilly Safari Books Online: https://www.safaribooksonline.com/

Want to reach out to the show?  There's a few ways to get in touch!

• Show Twitter: @PurpleSquadSec

• John's Twitter: @JohnsNotHere

• Podcast Website: purplesquadsec.com

• Sign-Up for our Slack community: https://signup.purplesquadsec.com

• John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic

Thanks for listening, and I will talk with you all again next time.

Find out more at http://purplesquadsec.com