Pentesting the Modern Application Stack

by Bharadwaj Machiraju & Francis Alexander, OpSecX

Continuous Build & Deployment tools, Message brokers, Configuration Management systems, Resource Management systems and Distributed file systems are some of the most common systems deployed in modern cloud infrastructures, thanks to the increasingly distributed nature of software. Modern-day pentesting is no longer limited to remote command execution from an exposed web application. Today, each of these applications opens another door into a company's infrastructure. A tester must be able to find and compromise these systems effectively to gain a better foothold on the infrastructure, as shown by recent attacks in which exposed components of the application stack, discovered through platforms like Shodan, paved the way to a full compromise of corporate infrastructures.
 
In this 2-day training, we start by looking at the application stack consisting of Databases, Continuous Integration (CI) tools, Distributed Configuration & Resource management tools, Containers, Big Data Environments, Search technologies and Message Brokers.
 
Beyond the underlying knowledge, the training also aims to impart a practical methodology for testing these systems. This workshop is meant for anyone who would like to understand, attack or secure the modern-day stack. Students can expect an entirely new and genuinely fun experience through this unique workshop, as we work through multiple challenging scenarios they may not have come across before.
 
This 2-day course will take place on 21-22 May 2018.
The cost of this training course is $3,000 SGD.
 
By the end of the course, students are expected to be able to:
  • Look for vulnerabilities within the application stack.
  • Apply in-depth knowledge of how to pentest the modern stack consisting of Continuous Build & Deployment tools, Message brokers, Configuration Management systems, Resource Management systems and Distributed file systems.
  • Security-test an entire application stack from an end-to-end perspective.
 
Teaching Methodology
Students are encouraged to follow the technical training with a hands-on approach, working through the facilitated labs for every module to gain a deeper, practical understanding of the topic.
 
Course Outline
Day 1
  • Module 0: Modern Application Stack
  • Module 1: Pentesting Databases
  • Module 2: Public Cloud Environments
  • Module 3: Continuous Integration (CI) Tools
  • Module 4: Software Collaboration Tools
  • Module 5: Message Brokers
Day 2
  • Module 6: Containers
  • Module 7: Distributed Configuration Management Systems (DCMS)
  • Module 8: Distributed File System
  • Module 9: Kubernetes, Mesos & Marathon (Distributed Deployment & Resource Management)
  • Module 10: Search Technologies
Labs
10+ containerised labs that emulate a sophisticated production stack along with its applications.
 
Who Should Take This Course
DevSecOps, Security Engineers, Penetration Testers, Bug Bounty Hunters, System Administrators, SOC Analysts, security enthusiasts and anyone interested in the modern application stack.
 
Students Requirements
Knowledge of basic pentesting, an understanding of how web applications work, Linux command line basics, and the ability to use a web proxy such as Burp Suite or ZAP. The ability to write basic scripts in any interpreted language is an added advantage.
 
What Students Should Bring
A laptop with administrative and USB access and a minimum configuration of 8GB RAM and 100GB of hard-disk space. Full virtualisation support must be enabled, and VirtualBox and Docker should be installed. A Unix-based machine is preferred.
 
What Students Will Be Provided With
  • Presentation materials and associated PDFs.
  • 10+ containerised labs that emulate sophisticated production application stacks.
  • Access to specific relevant OpSecX courses and certifications.
 
About The Trainers
Bharadwaj Machiraju is project leader for the OWASP Offensive Web Testing Framework (OWTF). He is mostly found either building web appsec tools or hunting bugs for fame (https://hackerone.com/tunnelshade). All of his tools are available at http://github.com/tunnelshade and all of his ramblings at http://blog.tunnelshade.in/. He has spoken at several conferences, notably nullcon, TROOPERS, BruCON and PyCon India. Apart from information security, he is interested in mnemonic techniques and machine learning. He currently works at LinkedIn as a Senior Application Security Engineer.
 
Francis Alexander, Security Engineer at Envestnet|Yodlee, has over three years of experience in the application security industry and is the author of the NoSQL Exploitation Framework and a NoSQL honeypot. His areas of interest include NoSQL databases, machine learning and cloud security. He has been invited to speak and train at various conferences such as TROOPERS, BruCON, PHDays, Hack in the Box (HITB), Hack in Paris, 44CON, ITWeb, nullcon and c0c0n.

Infosec in the City. Copyright © 2017-2019
IIC Productions (Pte. Ltd.). All rights reserved.