Featured Project

The Web Security Dojo – A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

Featured & Upcoming Presentations

Latest Hacker Threats (PDF)
Presented by David Rhoades of Maven Security, April 19, 2010 at the North American CACS Conference in Chicago for ISACA.
90 minute presentation that covers some recent trends and tools.

DNSSEC & DNS Security (PDF)

Presented by Steve Pinkham of Maven Security at MIS InfoSec World 2008 on March 12, 2008

• Introduction to DNSSEC core technology
• Current attack vectors into the DNS system
• Protections afforded by DNSSEC
• Current implementation pitfalls and problems, with some suggested workarounds
• What DNSSEC can and cannot do: impact on phishing, pharming and beyond

Reference Sheets

Nmap Reference Sheet (version 5) (PDF)
A one-page PDF summary of nmap usage and command-line options.
This was taken directly from the nmap documentation (man page) and tweaked slightly to fit onto a single page for easy reference.

Presentations

Web Application Data Security Presented by David Rhoades.
Recent hand-outs from the Data Leakage Prevention conference in Washington DC by MIS Training Institute.

Wireless Security Attacks & Defense (PDF)
Presented by Steve Pinkham of Maven Security.
September 2007 at the IT Security Showcase in Hong Kong for HKPC.
This short presentation discusses current trends in Wi-Fi security and outlines best practices for deploying and auditing both securely authenticated and public Wi-Fi in organizations of varying sizes.

Session #44 – Effective Vulnerability Testing (PDF)
Session 44 taught at “The 26th Annual Conference & Expo on Control and Audit” in Boston, MA on November 15, 2006.
A short presentation that discusses security testing best practices, tips, and some tools and techniques.

Online Retail: Protecting Your Website (PDF)
Session R5 taught at IT Security World Conference in San Francisco, CA on September 26, 2006.
A short presentation that discusses PCI Dss v1.1 and web application firewalls.

CISO’s Guide to Ethical Hacking (PDF)
Presented at the Canadian Financial Institute CIRT (CFI-CIRT) event in Toronto, Canada on Feb. 9, 2006.
This session discusses key areas to consider when using ethical hacking as part of your overall security program. This session includes case studies and insights from CISOs across several industries, including banking.

Ethical Phishing Case Study (PPT)
Maven Security was hired to conduct a security assessment for an insurance company. The assessment employed various forms of social engineering and phishing which resulted in Maven Security gaining remote access to policy holder data. This short presentation outlines the technical details of the attacks used, and suggests a few simple solutions to mitigate the exposures presented by these forms of attack.

In-depth Topics for Web Application Security (PDF)
Presented for USENIX at LISA 2005.
Overview of remote web app security auditing techniques, using mod_security as an application firewall, and tips for testing for cross-site scripting (XSS).

De-Evolution of the Hacker
(last updated January 29, 2003 – presented at COMNET 2003)

Taking the Stand: Expert Witness Case Studies version 2.0 (PDF)
The Federal Trade Commission investigation of the Tower Record’s incident of December 2002.
Also, US vs. Herbert Pierre-Louis: The 2nd case ever to be tried in the US under 18 U.S.C. Section 1030

White Papers

Session ID Case Study

This whitepaper describes how a seemingly complex session ID number was easily cracked by Maven Security during a past web application security assessment.

Basic Auth logout procedures

When a web site uses HTTP Basic authentication, how can you “log out” the user? You could tell them to close all their browser windows when finished, or you could read this doc.
Basic Authentication Log Out (v1.0 – last updated June 10, 2002).

Legacy Projects

Achilles

World’s first general-purpose man-in-the-middle web application security testing tool. (Circa Oct. 2000)

WebMaven

First hacker challenge web application for practicing security testing.