A (mostly) unstructured stream-of-consciousness dedicated to life, tech and infosec minutiae.

Captain's Log (August 01, 2021)

It’s been a busy month

Site News

  • The first annual >Shark Week was held July 11-17! It was a bit hectic getting everything out on time given everything else I had going on (work, fitness challenge and training) but I had a lot of fun and met some new people in the community! Reddit was okay on it. I’ll be trying to do this every year for sure. However, next time I will have some things prepared leading up to it. True Story: I literally thought of the idea the day before >Shark Week began - so I was a bit rushed.

  • I hosted a (non-Shellsharks-related) AMA on Reddit and the response was pretty great!

Shellsharks Community
Shellsharks Podcast
  • I dropped two new episodes of the podcast. Check ‘em out!
  • I’ve been thinking of introducing the idea of “seasons” into the podcast. Each season would have a theme. Season one’s theme, (for example) could be something like “Getting Into Information Security”. Then, throughout that season, I would have a lot of podcast content focused on that subject. Just a nugget of an idea at this point…
What I’m Learning

  • I served as a moderator for SANS SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment @ SANSFIRE (Virtual Edition 2021). The course was really (and I can’t stress this enough), really good. I consider myself a bit of a Vulnerability Management/Assessment expert and I still learned so much. The instructor (and course author), Matt Toussain did a fantastic job. I definitely recommend this course. Prepping for the certification exam (GEVA) now!

  • I’ve been interested in getting more experience in Threat Modeling. If you didn’t know, there are a ton of methodologies…
    • STRIDE : Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service, Elevation of Privilege
    • DREAD : Damage, Reproducibility, Exploitability, Affected users, Discoverability
    • PASTA (Process for Attack Simulation and Threat Analysis)
    • LINDDUN : Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
    • hTMM : Combines Security Cards, Persona non Grata and STRIDE.
    • Trike
    • VAST (Visual, Agile and Simple Threat modeling)
    • OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
    • to name a few

  • In addition to threat modeling, I’ve been looking to strengthen my overall AppSec-fu. Reading through OWASP’s Application Security Verification Standard (ASVS v4) is one part of that effort.

  • A long time ago, I purchased the eLearnSecurity, “All Access Pass”. Shortly after purchasing, I managed to complete their Penetration Testing Student (PTS) and Penetration Testing Professional (PTP) courses/certifications - but for the last 5 years, have not really touched any of the other bundled content. After all this time, I’ve re-opened the legacy console and have started hacking away at the Web Application Penetration Testing course yet again. Once I (hopefully) obtain my eWPT cert, I can then proceed to the more advanced Web Application Penetration Testing eXtreme course, WAPTX!

  • I’ve just finished up moderating the SANS course, SEC450: Blue Team Fundamentals: Security Operations and Analysis @ SANS Cyber Security East. Though I don’t consider myself a “blue-teamer”, and this course is a 400-level course, I found the material to be incredibly high-value and immensely thorough. The instructor, John Hubbard, is really top-notch. I recommend you check out his podcast, Blueprint.
    • It’s worth mentioning that this course has a certification (GSOC) coming out in August. I’m looking forward to adding it to my collection!

  • In addition to all my other AppSec-ing, I am eyeing the Offensive Security WEB-300 course, Advanced Web Attacks and Exploitation (AWAE/OSWE). I’m hoping to start (and finish) it sometime before the end of the year. The OSWE would be the first in my pursuit of the epic (and new) OSCE3 certification from OffSec.

  • In preparation for the AWAE/OSWE, I’ve joined the Offensive Security Discord. I’m in way too many infosec Discords

  • As part of all this AppSec learning, I am working on a web security compendium of sorts. What form it will ultimately take and its release date is TBD.
Gadgets
Fitness

  • I was victorious in the Apple Watch fitness challenge throw-down between myself and some recent Podcast guests. Though I will say that the parameters of the challenge were somewhat contested.

  • I’ve been playing a little more basketball recently. I just hope the Delta variant doesn’t completely ruin inside ball.

  • Picked up a gym membership. I’m fortunate to have work pay for it so why not? Typically, I just play bball at the gym but have been trying my hand at weight-lifting.

TV
Gaming
Life

All Log Entries


Disclaimer