Vulnerability Scanning & Risk Mitigation Project

In INFOSEC, the discussion takes a bird’s-eye view of the different domains of Information Security, following the CompTIA Security+ curriculum. The objective of the final project is to explore security tools and software such as firewalls, IDS and honeypots, and to demonstrate their functionality through test scenarios.

For COMSEC1, the focus shifts to the more specific topic of ethical hacking. The course discusses the steps of ethical hacking and its importance. For the final project, students are required to conduct a static code analysis and vulnerability scan on an existing project and fix the risks down to an acceptable risk level.

Some of the projects include:

Web application – Web_COMSEC1

Mobile application – Mobile_COMSEC1

Information Security & Ethical Hacking 101 @ PATTS

Last July 31, 2015, I gave a talk about Information Security and Ethical basics at PATTS College of Aeronautics in Paranaque City. It was quite challenging because the audience was not familiar with IT concepts.

I started by showing them local news about hacking data in banks. Then I established the need for the information security field. I discussed the core concepts of information security.

I also talked about the steps in ethical hacking and the reason why it has to be conducted routinely. Lastly, I stressed the need for a cybercrime law that will protect our data handled by third-party organizations.

The presentation I used and created can be found here: PATTS_Infosec&EthicalHacking101

Special thanks to Prof. Diana Lachica for inviting me to their campus. 🙂

Photo Credit: Ashley Dy


PCI-DSS and Vulnerability Management

Last August 1, 2015, I presented about a known security standard for credit cards. The Payment Card Industry Data Security Standard (PCI-DSS) is a standard used to protect data of merchants and banks that utilize the credit card facility.

There are 12 requirements of PCI-DSS. I focused my presentation on the vulnerability management side since I handled the vulnerability assessment (VA) in my previous work.

For the demo, I used the trial version of the Acunetix vulnerability scanner. I used the test website and verified one of the vulnerabilities (sending data in cleartext), exploiting it by using Wireshark.

My presentation can be found here: PCI_MSORMAN.

Detecting Command and Control Traffic Using Botnet Correlator Module

Last June 8, 2015, I presented a paper entitled “Detecting Command and Control Traffic Using Botnet Correlator Module” in Kuala Lumpur, Malaysia. The paper was a product of a project in APC together with my students in INFOSEC. The trip was entirely sponsored by the school (thank you so much!) and the experience was very unforgettable.

Going to Kuala Lumpur

I rode a Cebu Pacific plane going to Malaysia last Jun 7 in NAIA Terminal 3. As usual, the airport was jampacked with people. The flight was around 4 hours long and arrived at the KLIA2. I then rode an express train (20-minute train) going to the downtown KL.

I met my former officemate in the Philippines who is already working in KL. He toured me around KL (Petronas, Jalon Alor) and brought me to the hotel, Melia Hotel.

With Ashley Dy in front of the Petronas Towers (thanks Alfred for the picture)

Conference Day

It’s a good thing that the school booked the hotel where the conference was held. The parallel sessions started at 8am. It was my first time to present in an international conference and I was very nervous. The presenters were mostly Muslims coming from Malaysia, Indonesia, India and other neighboring countries. The participants were very friendly and excited too. I met 2 other professors from the Philippines, Terry from UP-Diliman and Marylene from MUST in Mindanao.

With Terry from UP-Diliman (leftmost ) and Ederlyn from MUST (2nd from the right) after the presentation.

I attended and listened to the keynote presentation of Dr. Rozhan Mohammed Idrus who discussed about “IT Education and Its Impact to the Society.” He coined the term, “technogogy” which means blending in of technology to the teaching pedagogy. In essence, Dr. Idrus pointed out that teachers and the curriculum must be able to adapt with the technological advances in today’s world.

My presentation was scheduled in the afternoon. The paper is an applied research on how to detect Botnet traffic in a Local Area Network (LAN) using Snort and aggregated reputable Botnet sources.

The presentation lasted for 10 minutes. The PDF presentation can be found in this link: BCM_Presentation.
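As an added example (not the paper’s code), this sketches the approach the paper describes: merge several botnet C&C address feeds, turn the result into Snort rules for traffic leaving the LAN, and correlate a connection log against the merged list. The feeds, addresses and connection records are constructed sample data, not real indicators.

```python
"""Aggregate C&C feeds, emit Snort rules, correlate LAN connections against them.
Feeds, addresses and connection records below are constructed sample data."""
import ipaddress

# Constructed stand-ins for the reputable feeds the paper aggregates.
FEED_A = """# feed A (constructed)
203.0.113.10
203.0.113.11
198.51.100.7   # listed by both feeds
"""
FEED_B = """# feed B (constructed)
198.51.100.7
not-an-ip
192.168.1.5
203.0.113.11
"""

# Ranges that must never come from a feed: a LAN address in the blocklist
# would make ordinary internal traffic look like C&C.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_feed(text):
    """Return the valid, non-local IPv4 addresses in one feed (as strings)."""
    ips = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not token:
            continue
        try:
            ip = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue                              # malformed entry, skip it
        if any(ip in net for net in LOCAL_NETS):
            continue
        ips.add(str(ip))
    return ips

def aggregate(feeds):
    """Union of all feeds, de-duplicated and sorted numerically."""
    merged = set()
    for feed in feeds:
        merged |= parse_feed(feed)
    return sorted(merged, key=ipaddress.IPv4Address)

def snort_rules(cc_ips, base_sid=1000001):
    """One alert rule per C&C address for traffic leaving $HOME_NET toward it.
    SIDs from 1,000,000 upward are the range reserved for local rules."""
    rules = []
    for offset, ip in enumerate(cc_ips):
        rules.append(
            'alert ip $HOME_NET any -> %s any '
            '(msg:"BCM possible C&C traffic to %s"; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (ip, ip, base_sid + offset)
        )
    return rules

# Constructed connection records as (src, dst, dst_port) tuples.
CONNECTIONS = [
    ("192.168.1.20", "93.184.216.34", 443),
    ("192.168.1.21", "203.0.113.11", 6667),
    ("192.168.1.22", "198.51.100.7", 80),
    ("192.168.1.22", "203.0.113.99", 80),
]

def correlate(connections, cc_ips):
    """Return the connections whose destination is a listed C&C address."""
    listed = set(cc_ips)
    return [c for c in connections if c[1] in listed]

if __name__ == "__main__":
    cc = aggregate([FEED_A, FEED_B])
    print("\n".join(snort_rules(cc)))
    for src, dst, port in correlate(CONNECTIONS, cc):
        print("possible bot: %s -> %s:%d" % (src, dst, port))
```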


I went to fetch my girl friend in Pavillion Mall and ate dinner there. We rode Uber going to another mall outside KL called Publika.

Last day in KL, walking around the city

Our third and last day in Malaysia was spent touring around the city by foot. We went to Mydin, where wholesale products are sold. We bought a lot of Cadbury and other chocolates. The place was not very classy though. We walked to Low Yat, a technology/gadgets mall. We then walked to the KLCC area and visited Kinokuniya. We checked out then rode Uber to the train station going to KLIA2.

Uber ride to Ritz Carlton

Over-all experience

I heard a lot of negative stories in Malaysia (dangerous at night, a lot of street clubs, ill-mannered taxi drivers, snatchers riding motorcycles etc.) but I haven’t experienced those stories. Maybe they have already changed? Or I’m just used to living with a similar environment in the Philippines? I don’t know. The experience was great. Their express train is very convenient and spacious. The establishments offer items both expensive and cheap depending on your budget.

Infosec books at Kinokuniya

Since I did not want to experience the horror stories in the taxi, I always used Uber for the transpo around the area. Malaysia has more Uber cars compared to the Philippines.

In terms of value for money, I can say your money has a big value in their country.

Protection through Network Security

Last February 26, 2015, I gave a talk at the Pamantasan ng Lungsod ng Pasig for their CCS Week. It’s my first time to go there and to that part of Pasig City.

I was very fascinated by the campus because the classrooms and facilities are state-of-the-art. Also, the CCS students were very hospitable and accommodating during my stay.

My talk was about protecting your network through Network Security and discussed some types of attacks and countermeasures. I started the talk with the latest security news on Superfish, which affected Lenovo products. I also encouraged the school to participate in JISSA (Junior Information Security Systems Association), which can help schools learn the IT trends in information security.

You can download my presentation here: Protection through Network Security

Photo credit to: Jhes Ter Ladera

I really am happy! haha
Discussing Defense-in-Depth (layers of security)
w/ the 3rd year student organizers of the program
Thanks for the caricature! Need to work on my exercise to achieve that weight. Beside me is Ms. Noreen Archangel, Dean of CCS.
Superfish on Lenovo
w/ Bernadine Bacolod, one of the lead organizers of the event
Determine if it is a Confidentiality, Integrity or Availability issue


Infosec: Discipline and Opportunities at LPU Batangas

Last February 2, 2015, I was invited to conduct a talk during the CCS Days of Lyceum of the Philippines University (LPU) in Batangas City, Batangas. It’s a 2-hour drive from Quezon City to Batangas City with more than 100 kilometers from my place to the venue.

What I like about Batangas City is that it’s very clean and people are very orderly. The place didn’t look much of a province at all! It looks very progressive.

I was supposed to focus on Ethical Hacking. However, I learned that the theme was “CCS: Practicing Theories towards ASEAN Integration.” I introduced Information Security as a discipline and introduced career opportunities to students especially for those graduating ones.

Photo credit to the student photographer of LPU-Batangas.

With the Department Chairs, Tina & Mischelle (from left), and Dean Roselie Alday
With Ernesto Boydon, my colleague in APC and the second speaker.
With Irene Balmes, my former colleague in APC

You may download the slides of my presentation here: Information Security Discipline Opportunities

Lesson 5: Social Engineering

When I studied and took EC-Council’s Certified Ethical Hacker (CEH) in 2013, I learned a very important lesson: even if you follow the hacking methodologies, it only has a 10% success rate. This lesson has, on the other hand, 90% success rate. In gist: Why would you spend a lot of time to brute force a password when you can just ask for it? That’s social engineering.

Social Engineering is an attempt to gain information from a victim or target through manipulation and deceit. The attacker attempts to gain the victim’s trust then exploits the emotions of the latter.

Note: There is a reading I wrote in 2011 that is relevant to this lesson. Copies will be/are given during class.

Why is Social Engineering very successful?

In the past lessons, we studied Defense in Depth. This means that at every layer of security there should be protection. In Network Security, for instance, you may deploy and implement a firewall. The firewall has its limitations, but it will strictly enforce whatever rules are written in the ACL. If it says allow web traffic, it will allow web traffic. If it says deny FTP traffic, then it will deny FTP traffic.

Problems arise when humans intervene. Let’s say a school enforces a “No ID, No Entry” policy. All students are required to wear their ID upon entering the school. One day, one student forgot to bring his ID but the guard still allowed him to enter because they’re friends. Is it correct for a guard to make exceptions even if there’s an explicit ID policy? What if the said student brought his friends? Will the guard still allow it because they’re friends?

Humans or wetware are the weakest link in the security chain because they simply make a lot of exceptions. That’s why the human vulnerability is a weakness that no patch can perfectly fix.

Ethics: Social Engineering in Penetration Testing

In penetration testing, a third party service provider actively tests the security solutions implemented in the network. Active testing means exploiting discovered weaknesses in security. One of the tests is the social engineering test. In this case, the pen tester tries to bypass security through social engineering.

For example, the company security policy requires the use of a badge/ID to enter the office. The pen tester will carry a lot of heavy things so the guard will help him instead of looking for the ID. The pen tester successfully enters the facility with the guard as accessory to the crime. After the pen testing, the guard is terminated due to abandonment of duty during the test.

It is the job of the pen tester to lure people into breaking the policy. The targets, out of good-will, will help them. But in the end, they will be terminated. Is that ethical?

Steps in Social Engineering

There are three steps in social engineering.

  1. Information Gathering

In this step, the social engineer gathers as much information about his target as possible. He can do online searches on social networking sites, stalk the target to learn his routines, and talk to his friends to learn more about his likes.

  2. Developing Relationships

After you have gathered enough information about your target, it’s time to build a relationship. Let’s say you learned that the target likes Justin Bieber. You can create a “perfect encounter” with him in his daily routine. You could probably sit beside him in a bus and have a little chitchat about Justin Bieber. Ideally, you can build a relationship from the “serendipitous meeting.” In some cases, you will need to “invest” in something. If you learned that the target is in a lot of debt, aside from being a Justin Bieber fan, you can use that to your advantage in the next step.

  3. Exploitation

In the last step, you push through with your goal of eliciting the information you need from the target. You may have allowed your target to borrow a sum of money from you so that he can pay his debt. Now, you can use that to your advantage. You can ask for the information and remind him that he is in debt, so he should return the favor. In this case, you are successful in your mission.

Types of Social Engineering Attacks

The Social Engineering Attacks can be classified into 2 categories:

  1. Non-technical – Doing social engineering in a traditional way
    1. Dumpster diving – Literally checking the target’s garbage.
    2. Shoulder surfing – Glancing at other person’s computer, cellphone or paper.
    3. Impersonation – Pretending to be key personnel in your target’s company.
    4. Tailgating – Walking in the vicinity after the person ahead of you taps his badge to open the access door.
  2. Technical – Doing social engineering using technology
    1. Phishing – Getting target’s information using fake e-mail or website.
    2. Spear phishing – A type of phishing targeting a particular person.
    3. Pharming – A type of phishing targeting a group of people/organization.
    4. Vishing – Deceiving target using telephone/cellphone/smart phone.

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L5_SE

Lesson 4: Types of Authentication and Access Control

Authentication

Authentication is defined as proving who you are claiming to be. By default, we have 3 types of authentication:

  1. Something that you know – A form of authentication coming from what you know (residing in the mind)

Ex. Password, PIN

  2. Something that you have – A form of authentication that is tangible.

Ex. Token, cellphone, ID

  3. Something that you are – A form of authentication where the uniqueness of a part of your body is used.

Ex. Fingerprint, voice recognition, iris scan

No single authentication type can be considered the strongest. Something-you-know authentication such as a password can be cracked using brute force or social engineering. Something-you-have authentication such as an ID can be stolen or reproduced. Something-you-are authentication such as a fingerprint is prone to false positives (you have sweaty hands, etc.).

To make your authentication stronger, it is advised that you use 2 or more types of authentication to provide a layer of security. This is what we call 2-factor or multi-factor authentication. Examples include:

  1. ATM + Pin (something that you have and you know)
  2. Credit card + signature (something that you have and you know)
  3. Cellphone for One-Time Password (OTP) + password (something that you have and you know)
  4. Badge + biometric (something that you have and you are)

Note: Usernames and passwords are not considered multi-factor because both are something that you know type of authentication.

Questions to search on:

  1. What is the fourth type (or other types) of authentication?
  2. What is the most accurate biometric? Why?

Types of Access Control

Access Control or Authorization determines the type of privilege a user has after being authenticated. If you enter the school, an authentication mechanism could be your school ID. Access Control determines which rooms in the school you can access. If you’re a student, you can access the classrooms, computer laboratories and cafeteria. However, you are prohibited from accessing the faculty room and server room. A faculty member can access more rooms compared to a student.

Mandatory Access Control (MAC)

MAC is the strictest type of access control. It can be seen in government, especially the military. It uses Sensitivity Labels (SL) for both the subject (which initiates an action) and the object (which waits for the action). It is also known as a multi-level type of access control.

SL can be classified, from highest to lowest, as:

  1. Top Secret
  2. Secret
  3. Confidential
  4. Public

Let’s say File A (an object) has an SL of Secret. Only a subject with an SL of either Top Secret or Secret can access the file.

To visualize, let’s say a 5-star General has an SL of Top Secret, a Colonel an SL of Secret, a Lieutenant an SL of Confidential and a Sergeant an SL of Public. Only the Colonel or the 5-star General can access File A because their SL gives them the clearance to do so. A subject can access all objects at or below his/her SL. MAC uses a top-down approach.

Discretionary Access Control (DAC)

DAC is the direct opposite of MAC. In this case, this type of access control can be seen in non-military institutions (commercial use, usually). In DAC, the owner of the file determines the privilege of the subjects to the objects. It is also known as a single-level type of access control.

DAC uses an Access Control Matrix (r-read, w-write, x-execute) like the one below. Subjects (S) run down the rows and objects (O) across the columns; a blank cell means no access:

S (down) / O (right)   Chicken File      Pasta File        Beef File
                       Owner: Riza       Owner: Reese      Owner: Rex
                       Object 1          Object 2          Object 3
James (Subject 1)      rwx               -wx
Ray (Subject 2)        rw-               rw-               -wx
Ogawa (Subject 3)      rwx               -wx

In the above scenario, we have 3 users (subjects) trying to access 3 files (objects). Each file is owned by a specific individual (owner). It is at the discretion of the owner what privileges he/she wants to give the subjects. These privileges may also change.

Role-based Access Control (RBAC)

RBAC is also known as a non-discretionary access control. It gives privileges based on the roles/tasks. It is beneficial for large organizations in organizing group privileges to objects. For example, all students have read only access to File 1, File 2 and File 3. All faculty members, on the other hand, have full access to all the files mentioned. The admin will just add users (subjects) on the groups created for consistency and convenience.

Rule-based Access Control

Rule-based Access Control gives privileges based on a list of rules from an enforced policy. A good example is the Access Control List (ACL) in a firewall. The firewall grants or denies access based on the rules found in the ACL. If no rule matches, then no privilege is given (implicit deny).
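As an added example (not the lesson’s own code), the MAC, DAC and RBAC models above as small decision functions. The labels, files and names are the lesson’s own; the users added to the RBAC roles and the column in which the blank DAC cells fall are assumptions.

```python
"""MAC, DAC and RBAC decision functions built from this lesson's examples."""

# Mandatory Access Control: sensitivity labels ordered from highest to lowest.
LEVELS = {"Top Secret": 3, "Secret": 2, "Confidential": 1, "Public": 0}

def mac_allows(subject_label, object_label):
    """A subject reaches every object at or below its own label (top-down)."""
    return LEVELS[subject_label] >= LEVELS[object_label]

# Discretionary Access Control: an owner per object and a matrix of r/w/x
# strings per (subject, object). A missing cell means no access at all.
# Which column holds the lesson's blank cells is an assumption.
DAC_OWNERS = {"Chicken File": "Riza", "Pasta File": "Reese", "Beef File": "Rex"}
DAC_MATRIX = {
    "James": {"Chicken File": "rwx", "Pasta File": "-wx"},
    "Ray":   {"Chicken File": "rw-", "Pasta File": "rw-", "Beef File": "-wx"},
    "Ogawa": {"Chicken File": "rwx", "Pasta File": "-wx"},
}
FLAG = {"read": "r", "write": "w", "execute": "x"}
RWX_STRINGS = ("---", "r--", "-w-", "--x", "rw-", "r-x", "-wx", "rwx")

def dac_allows(subject, obj, action):
    rights = DAC_MATRIX.get(subject, {}).get(obj, "---")
    return FLAG[action] in rights

def dac_grant(granter, subject, obj, rights):
    """Only the object's owner may change a cell: the privilege is at the owner's discretion."""
    if DAC_OWNERS.get(obj) != granter:
        raise PermissionError("%s does not own %s" % (granter, obj))
    if rights not in RWX_STRINGS:
        raise ValueError("rights must be an rwx string")
    DAC_MATRIX.setdefault(subject, {})[obj] = rights

# Role-based Access Control: privileges attach to roles, users are put into roles.
ROLE_RIGHTS = {
    "student": {"File 1": "r--", "File 2": "r--", "File 3": "r--"},
    "faculty": {"File 1": "rwx", "File 2": "rwx", "File 3": "rwx"},
}
USER_ROLES = {"ana": {"student"}, "reyes": {"faculty"}}   # constructed users

def rbac_allows(user, obj, action):
    """Allowed when any role held by the user carries the right on the object."""
    return any(FLAG[action] in ROLE_RIGHTS[role].get(obj, "---")
               for role in USER_ROLES.get(user, set()))

def rbac_add_user(user, role):
    """The admin only adds the user to a role; no per-object change is needed."""
    if role not in ROLE_RIGHTS:
        raise ValueError("unknown role %s" % role)
    USER_ROLES.setdefault(user, set()).add(role)

if __name__ == "__main__":
    # File A is Secret: only the General (Top Secret) and the Colonel (Secret) reach it.
    for rank, label in (("General", "Top Secret"), ("Colonel", "Secret"),
                        ("Lieutenant", "Confidential"), ("Sergeant", "Public")):
        print(rank, "-> File A:", mac_allows(label, "Secret"))
    print("Ray reads Beef File:", dac_allows("Ray", "Beef File", "read"))
    print("ana writes File 1:", rbac_allows("ana", "File 1", "write"))
```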

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L4_AuthAC

Lesson 3: Defense in Depth and related concepts

Defense-in-Depth

We have agreed that in Infosec we protect data/information. As discussed in Lesson 1, the scope of Infosec is very broad and IT Security is just one part of it. We also learned in Lesson 2 that preventive controls are incomplete without detective controls and response. Putting these concepts together gives a more concrete and concise security architecture: Defense in Depth.

The concept of Defense in Depth states that in order for anybody to access the data, it should pass layers of security first. Security controls may vary but it should be in layers.

For example, if you want to access the bank database, you need to pass through frisking by security guards, inspection of bags and proper identification when entering the bank premises. That is what we call Physical Security.

When you enter the premises, you are required to wear your ID at all times. If you are a visitor, a security personnel is required to accompany you wherever you go within the premises. That is the next layer called the Operational Security.

If you connect to their wireless network and your laptop cannot access the Internet because of MAC filtering, that is an example of Network Security.

When desktop computers have disabled USB ports to prevent spread/download of virus, that is an example of Host Security.

When you need to enter a username and password to gain access to your account, that is an example of Application Security.

Diversity of Defense

The Diversity of Defense security concept is quite tricky. Management will always want a cost-effective IT infrastructure setup. For example, Huawei, a known networking vendor, might offer an IT infrastructure package that is very appealing. Let’s say they offer the whole IT infrastructure for X pesos. Management may be lured to buy the package because of the cost. However, as an information security professional, you should weigh the possible security issues that may take place.

In Diversity of Defense, you are compelled to buy different brands of network and IT devices such as firewall, switch, router, etc. But assuming you plan to buy different types of devices, the cost may double (2X pesos) compared to the X pesos if you have a single brand.

So what is the advantage of this concept?

If a vulnerability is found in the Huawei firewall, then no matter how many Huawei firewalls you have, your whole network is vulnerable to that particular attack. You can simply say that the cost of information disclosure when a single proprietary vulnerability is exploited is far more expensive than implementing diversity of defense.

Security through Obscurity

If we say that a company is implementing security through obscurity, can we consider it secured? In Security through Obscurity, we rely on the idea that nobody will think that some valuable asset is hidden in an obscure place.

For example, will anybody think that there’s 1M pesos stored underneath the driver’s seat of my car? What are the odds, right? But if I accidentally left my car unlocked and somebody randomly opens the door of my car, is my asset still secured?

Security through obscurity is simply hiding something. But hiding something without proper safeguards has no security at all.

Cost-Benefit Analysis (CBA)

In information security terms, CBA refers to the weighing of the cost of safeguards to the value of asset. As a rule of thumb, you are not supposed to buy a safeguard that is more expensive than the asset.

For example, you won’t buy a vault that is valued at 20,000 pesos to safeguard a Timex watch from a buy 1 take 1 sale worth 2,000 pesos. The thief will probably steal the safeguard instead of the asset in it.

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L3_GenSec

Lesson 2: Security CIA, Protection & Least Privilege Concepts

The CIA Triad

All issues and solutions pertaining to security fall under 3 categories:

  1. Confidentiality – Protection against unauthorized access
  2. Integrity – Protection against unauthorized modification
  3. Availability – Protection against denial of service

The exact opposite of the CIA is the DAD – Disclosure, Alteration and Destruction.

The CIA Triad and its opposite, the DAD

See the following events and solutions:

  1. Locking the door when you leave the house – This is a confidentiality solution because only the person who has the key to unlock the door can enter the house.
  2. A student overwrites the teacher’s PowerPoint presentation – This is an integrity issue because the content of the presentation has been changed.
  3. The system administrator backs up the file server every Friday – This is an availability solution because the backup ensures access to the files when the main file server becomes unavailable.
Example scenarios that can be accidental or incidental

A security issue can be a result of an accidental or intentional event. In example 2, the student may have accidentally overwritten the teacher’s file because of his negligence. He may also have overwritten the file intentionally out of revenge. But regardless of his intention, it is classified as a security issue.

The Formula for Protection

Some decades ago, the formula for protection was:

Protection = Prevention

This means that in order to protect something, you need to prevent something bad from happening. For example, in order to prevent a home intruder from entering your home, you install a gate around your house. You are preventing the intruder from getting in the house because of the gate.

Similarly, in the technical world, you can install a firewall in your network. A firewall is hardware or software that enforces a security policy. For example, if you have a web server in your company and you would like the public to access only the web server, the firewall can filter the traffic going to your network. Only packets/traffic destined for TCP port 80 (HTTP) will be allowed to enter the network, because port 80 is specifically opened for web connections. All other traffic will be denied.

Now, what is the problem or limitation with this formula?

In the first example (gate example), what will happen if the intruder climbs using a rope and he is able to pass the gate? Hypothetically, if the intruder is able to enter your house in the middle of the night, will you be able to stop him?

The formula for protection lacks other components.

Let’s say you bought a motion sensor alarm and a gun. You realize that if the intruder is able to enter your house after passing the gate using a rope, the motion sensor alarm will detect his movements and will alert you. Now if you see him and he’s planning to attack you with some weapon, you can defend yourself by shooting him using your gun.

Well, that’s just a hypothetical situation. But the point is, you need to anticipate that your preventive tool may be bypassed. That’s why you need to set up other security controls.

Therefore, the modified and correct formula for protection is:

Protection = Prevention + (Detection + Response)

Protection = Gate + (Motion Sensor Alarm + Shoot using your gun)

This formula can be applied to all domains of information security.

Going back to the firewall example, can you determine the limitation of implementing only a firewall in your network? If the firewall is the preventive tool, what is the detective tool and the response mechanism?

Least Privilege

I think the concept of least privilege is the essence of information security. In least privilege, you only get the privilege and access that you need, nothing more and nothing less.

In a company, there is an Accountant, an HR Assistant and a Sales Agent. When we apply least privilege to these 3 employees, we give each employee the following access to applications:

Accountant – MS Excel, Calculator, E-mail, Printer

HR Assistant – Telephone, Job Street, LinkedIn, MS Word, E-mail, Printer

Sales Agent – Telephone, Facebook, MS Word, E-mail, Printer

In least privilege, we list the things that each employee needs and we give the needed access to them. However, those applications that are not in the list won’t be given to the users.

Types of Least Privilege

Separation of Duties (SOD)

SOD states that a task (especially critical jobs) must be delegated to more than 1 person. Let’s use the payroll system as an example.

HR Department – Computes your daily time record (DTR)

Accounting Department – Computes your salary based on the DTR submitted by the HR department

Management Group – Approves the salary computed and submitted by the Accounting department

What happens if only one person, let’s say Paula, computes the DTR and the salary and approves the computation as well?

For instance, if an employee, Gilbert, does not go to work, then it will reflect in his DTR. However, if Paula decides to give Gilbert a salary, then she can freely do so without anybody questioning it. There’s nobody who checks if the task is done correctly or not.

The SOD for the payroll scenario is very important to ensure checks and balances of activities related to work.
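As an added example (not the lesson’s own code), a payroll run that enforces separation of duties: every step must be done by someone in the responsible department, by someone other than the employee being paid, and by a different person from every earlier step. The staff list, and Paula’s membership in all three departments, are constructed to mirror the lesson’s scenario.

```python
"""Separation of duties enforced over the lesson's three-step payroll run.
Staff names and department memberships are constructed sample data."""

# The three payroll steps, in order, and the department responsible for each.
STEPS = ("compute_dtr", "compute_salary", "approve_salary")
STEP_DEPT = {"compute_dtr": "HR", "compute_salary": "Accounting",
             "approve_salary": "Management"}

# Constructed staff. Paula is a member of all three departments, so a
# department check alone would let her run the whole payroll by herself.
STAFF = {
    "Paula": {"HR", "Accounting", "Management"},
    "Lea": {"Accounting"},
    "Marco": {"Management"},
}

class SodViolation(Exception):
    """Raised when a step would break separation of duties."""

class PayrollRun:
    """Payroll for one employee; each completed step records who performed it."""

    def __init__(self, employee):
        self.employee = employee
        self.performed = []   # list of (step, actor), in order

    def perform(self, actor, step):
        if step not in STEPS:
            raise ValueError("unknown step %s" % step)
        done = len(self.performed)
        expected = STEPS[done] if done < len(STEPS) else None
        if step != expected:
            raise SodViolation("expected %s, got %s" % (expected, step))
        if STEP_DEPT[step] not in STAFF.get(actor, set()):
            raise SodViolation("%s is not in %s" % (actor, STEP_DEPT[step]))
        if actor == self.employee:
            raise SodViolation("%s may not process their own payroll" % actor)
        if any(actor == who for _, who in self.performed):
            raise SodViolation("%s already performed a step of this run" % actor)
        self.performed.append((step, actor))

    def approved(self):
        """True only when all three steps were completed (by three people)."""
        return [s for s, _ in self.performed] == list(STEPS)

def run_payroll(employee, assignments):
    """Apply (actor, step) pairs in order; return (approved, violation or None)."""
    run = PayrollRun(employee)
    for actor, step in assignments:
        try:
            run.perform(actor, step)
        except SodViolation as exc:
            return False, str(exc)
    return run.approved(), None

if __name__ == "__main__":
    # Paula alone, as in the lesson: stopped at the second step.
    print(run_payroll("Gilbert", [("Paula", "compute_dtr"),
                                  ("Paula", "compute_salary"),
                                  ("Paula", "approve_salary")]))
    # Three different people, one per department: approved.
    print(run_payroll("Gilbert", [("Paula", "compute_dtr"),
                                  ("Lea", "compute_salary"),
                                  ("Marco", "approve_salary")]))
```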


Implicit Deny

Implicit Deny is another type of least privilege that is usually seen and applied in a firewall Access Control List (ACL). Assuming we have an entry in an access control list:

access-list

This ACL entry allows web traffic (tcp 80) going in and out of the network. If that’s the only rule that we have in the ACL, can we access the file server in the network (tcp 21)?

The answer, of course, is no. But one can ask: will it deny tcp 21 even if there is no rule stating that it should be denied?

The implicit deny states that if there is no rule that states allow, then deny access. So even without a specific rule, it is understood that there is a “deny all” rule after the last entry in the ACL.
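As an added example (not the lesson’s own code), a first-match ACL evaluator with the implicit deny described above; it also covers the rule-based access control of Lesson 4. The rules, addresses and packets are constructed, and the lesson’s own access-list entry is not reproduced. It also flags a catch-all permit, which silently cancels the implicit deny.

```python
"""First-match ACL evaluation with implicit deny. Rules and packets are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")
# None in a rule field means "any".
Rule = namedtuple("Rule", "action proto src dst dport")

def net(cidr):
    """Parse a CIDR string into a network, or pass None through as 'any'."""
    return ipaddress.ip_network(cidr) if cidr else None

def matches(rule, pkt):
    """True when every non-wildcard field of the rule fits the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(acl, pkt):
    """The first matching rule decides. No match: deny, the rule implied after the last entry."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None

def catch_all_permits(acl):
    """Indexes of rules that permit everything; such a rule cancels the implicit deny."""
    return [i for i, r in enumerate(acl)
            if r.action == "permit" and r.proto is None and r.src is None
            and r.dst is None and r.dport is None]

# The lesson's situation: web traffic (tcp 80) is permitted and nothing else is listed.
ACL = [Rule("permit", "tcp", None, None, 80)]

# Constructed packets; 198.51.100.9 is an outside host, 192.0.2.10 a server in the LAN.
PACKETS = [
    Packet("tcp", "198.51.100.9", "192.0.2.10", 80),   # web request: permitted
    Packet("tcp", "198.51.100.9", "192.0.2.10", 21),   # ftp to the file server: no rule, denied
    Packet("udp", "198.51.100.9", "192.0.2.10", 80),   # right port, wrong protocol: denied
]

def decisions(acl, packets):
    """(proto, dport, action) for each packet, for a quick overview."""
    return [(p.proto, p.dport, evaluate(acl, p)[0]) for p in packets]

if __name__ == "__main__":
    for row in decisions(ACL, PACKETS):
        print(row)
    loose = ACL + [Rule("permit", None, None, None, None)]
    print("catch-all permits at:", catch_all_permits(loose))
```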

Job Rotation

Job Rotation is a less well-known type of least privilege. This concept requires that other persons are familiar with the job that you have, especially if it is a critical role. Although it is costly because you need to train other employees, it is very helpful in determining what is happening to the tasks assigned to a particular person.

If you are put in an employee’s shoes due to job rotation, you and the management may find a lot of things. For example, why does this employee take 10 hours (with overtime) to do his job when I can finish it in 4 hours when I assumed his role in job rotation? There may be something to investigate in this issue.


—– NOTHING FOLLOWS —–


Ethical Hacking Workshop with SSS

Just this December, I was invited by DynamicMinds Business Solutions to conduct a 5-day Ethical Hacking Workshop in Makati. The participants in the workshop were employees of Social Security System Philippines. I followed the curriculum of the Certified Ethical Hacker by the EC-Council. We had lecture and discussion, assessment per lesson and lab exercises.

Over all, the workshop was great! The participants were very active and the discussion was interactive.

Photo Credit: Eden Dungca

Lecture time.
After the 5-day workshop, they look fulfilled!
Remembering the OSI and the network devices.
Lab exercise time
Light moments during the workshop


Secure Web Application Coding

I had a chance to give training on Secure Web Application Coding under Bitshield Security. The company is a training and consulting center.

The first training I conducted was in October 2012 in their office on Shaw Blvd, Mandaluyong. The focus of my talk back then was on OWASP tools and best practices.

The participants were relatively young and new to information security. The whole training was useful for the participants because they are developers. The good thing about it was that OWASP best practices can now be incorporated in their projects.

(Photos courtesy of Bitshield)

The participants look very serious. (and they know somebody’s taking their photo!) hehe
I really like writing something on the board! haha
Giving a talk all day will make you tired. I need to sit from time to time.


The second workshop that I conducted was for Bancnet. The training was customized and focused more on secure coding, with a more application-based approach. I included the Payment Card Industry (PCI) Standard as one of the key topics in the discussion.

Getting to know the participants


In-house training in their office


Demonstrating a source code analyzer from OWASP
