Slides, reference materials, white papers, and the Web Security Dojo training environment
News & Events
- Software Test Professionals Fall 2012
- ISACA NJ Hands-On Training
- Web Security Dojo 2.0 Released
- Interop NY - Oct 2011
- ISACA NACACS - Las Vegas - May 2011
- OWASP Raleigh - Declarative Web Security
Software Test Professionals - Maven Security will be teaching a one-day, hands-on web security assessment course on Oct. 15, 2012.
The Web Security Dojo – A free, open-source, self-contained training environment for web application security penetration testing. Tools + Targets = Dojo
Featured & Upcoming Presentations
The Latest Hacker Tools and Attacks (PDF)
Presented in New York on 07-Oct-2011 for Interop NY.
There is an older version covered in a webcast for ISACA’s February 2011 eSymposium. Visit http://isaca.brighttalk.com/node/947 to register and download the webcast.
Tips for Better Online Living (PDF)
Go beyond just AV and system updates – A few tips for being more secure online.
Social Engineering & Ethical Phishing Case Study (PDF)
Maven Security was hired to conduct a security assessment for an insurance company. The assessment employed various forms of social engineering and phishing, which resulted in Maven Security gaining remote access to policyholder data. This short presentation outlines the technical details of the attacks used and suggests a few simple solutions to mitigate the exposures presented by these forms of attack.
Nmap Reference Sheet (version 5) (PDF)
A one-page PDF summary of nmap usage and command-line options.
This was taken directly from the nmap documentation (man page) and tweaked slightly to fit onto a single page for easy reference.
CISO’s Guide to Ethical Hacking (PDF)
Presented at the Canadian Financial Institute CIRT (CFI-CIRT) event in Toronto, Canada on Feb. 9, 2006.
This session discusses key areas to consider when using ethical hacking as part of your overall security program. This session includes case studies and insights from CISOs across several industries, including banking.
DNSSEC & DNS Security (PDF)
Presented by Steve Pinkham of Maven Security at MIS InfoSec World 2008 on March 12, 2008.
- Introduction to DNSSEC core technology
- Current attack vectors into the DNS system
- Protections afforded by DNSSEC
- Current implementation pitfalls and problems, with some suggested workarounds
- What DNSSEC can and cannot do: impact on phishing, pharming and beyond
Wireless Security Attacks & Defense (PDF)
Presented by Steve Pinkham of Maven Security in September 2007 at the IT Security Showcase in Hong Kong for HKPC.
This short presentation discusses current trends in Wi-Fi security and outlines best practices for deploying and auditing both securely authenticated and public Wi-Fi in organizations of varying sizes.
Taking the Stand: Expert Witness Case Studies version 2.0 (PDF)
The Federal Trade Commission investigation of the Tower Records incident of December 2002.
Also, US vs. Herbert Pierre-Louis: the second case ever to be tried in the US under 18 U.S.C. Section 1030.
Session ID Case Study
This whitepaper describes how a seemingly complex session ID number was easily cracked by Maven Security during a past web application security assessment.
Basic Auth logout procedures
When a web site uses HTTP Basic authentication, how can you “log out” the user? You could tell them to close all their browser windows when finished, or you could read this doc.
Basic Authentication Log Out (v1.0 – last updated June 10, 2002).
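The whitepaper's own procedure is not reproduced on this page. As an added illustration (not code from the paper or from Maven Security) of the most widely used approach, the following simulates both sides of the exchange: a server whose /logout route always answers 401 with a fresh WWW-Authenticate challenge, and a simplified browser that caches Basic credentials per realm and discards them when the server rejects them. The user store, realm name and the Browser model are constructed for the demo; real browsers differ in the details of when they drop cached credentials, so test the target browsers before relying on it.

```python
import base64
import hmac

# Constructed demo credential store and realm (assumptions, not from the page).
USERS = {"alice": "s3cret"}
REALM = "Example"


def _check_basic(authorization):
    """Return the username if the Authorization header carries valid Basic
    credentials for USERS, otherwise None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison so password checks do not leak timing.
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def handle_request(path, authorization=None):
    """Minimal server: a protected resource plus a /logout route.
    Returns (status, headers, body)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if path == "/logout":
        # Reject unconditionally, even valid credentials, so the browser
        # treats its cached credentials for this realm as bad and drops them.
        return 401, challenge, "Logged out"
    user = _check_basic(authorization)
    if user is None:
        return 401, challenge, "Authentication required"
    return 200, {}, "Hello, %s" % user


class Browser:
    """Simplified model of a browser's per-realm Basic credential cache."""

    def __init__(self):
        self.cache = {}    # realm -> Authorization header value
        self.prompts = 0   # how many times the user would have been prompted

    def get(self, path, creds=None):
        """Fetch path, replaying cached credentials. On 401 the cache entry
        is discarded; if the user supplies creds, retry once with them."""
        status, headers, body = handle_request(path, self.cache.get(REALM))
        if status == 401:
            self.cache.pop(REALM, None)
            self.prompts += 1
            if creds is not None:
                user, pw = creds
                auth = "Basic " + base64.b64encode(
                    ("%s:%s" % (user, pw)).encode()).decode()
                status, headers, body = handle_request(path, auth)
                if status != 401:
                    self.cache[REALM] = auth
        return status, body


if __name__ == "__main__":
    b = Browser()
    print(b.get("/account", ("alice", "s3cret")))   # logs in, caches creds
    print(b.get("/account"))                        # cached creds reused
    print(b.get("/logout"))                         # 401 clears the cache
    print(b.get("/account"))                        # prompt again
```

The sequence in the main block is the whole point: a 200 on the cached second request, then a 401 from /logout, then another 401 on the resource because the browser no longer holds credentials. Because Basic credentials are sent on every request, the logout route must never return 200, or the browser keeps replaying them.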
World’s first general-purpose man-in-the-middle web application security testing tool. (Circa Oct. 2000)
First hacker challenge web application for practicing security testing.