Purple Squad Security

The penetration test, or pen test as it's commonly referred to, is one of the great necessary evils in Infosec today.  My guest for this episode is Adrian Sanabria, who has an interesting thought - let's kill the pen test!  Adrian has been in the industry for quite some time in quite a variety of roles, so he has some great experience and insights to share.  Let's see what his replacement for a pen test entitles! Some links of interest: Adrian's Twitter: @sawaba Savage Security: https://www.savagesec.com/ BSides Knoxville: https://bsidesknoxville.com/ Penetration Testing Execution Standard (PTES): http://www.pentest-standard.org/index.php/Main_Page Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com Thanks for listening, and as always, I will talk with you all again next time. Find out more at http://purplesquadsec.com

It's that time again!  We're doing another Infosec tabletop in a D&D style, this time with the fine gentlemen from the Defensive Security podcast!  Jerry and Andrew join me for another infosec tabletop with all new scenarios, pitfalls, and approaches. Special thanks to Ryan McGeehan and his Tabletop Scenarios twitter account for providing the ideas behind this episodes "challenges". Some links of interest: The Defensive Security Podcast: https://defensivesecurity.org/ Jerry's Twitter: @maliciouslink Andrew's Twitter: @lerg Tabletop Scenarios Twitter: @badthingsdaily Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com Thanks for listening, and as always, I will talk with you all again next time. Find out more at http://purplesquadsec.com

The idea of "community" is an important one, especially if you talk about a group of people who want to help improve their skills by sharing their ideas, experiences, etc, with like minded individuals.  The Infosec community is no exception to this.  In fact I would argue that it is one of the strongest communities I have encountered yet! Joining me this week is Cheryl "3ncr1pt3d" Biswas to talk about the Infosec community, what makes it special, and the importance of it.  In addition we will be talking about one of Cheryl's many contributions to the community in the form of the Diana Initiative. Some links of interest: Diana Initiative Website: https://www.dianainitiative.org/ Diana Initiative's Twitter: @DianaInitiative Cheryl's Twitter: @3ncr1pt3d Cheryl's Website: whitehatcheryl.wordpress.com Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com Thanks for listening, and as always, I will talk with you all again next time. Find out more at http://purplesquadsec.com

With no guest this week, John decides to share his own story about how he got into #infosec and some other thoughts he's had about the journey and why it's a never ending adventure to learn new things. Some links of interest: MeetUp.com OSSEC Wazuh (OSSEC Alternative) Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com Thanks for listening, and as always, I will talk with you all again next time. Find out more at http://purplesquadsec.com

Stress.  Depression. Anxiety.  Fear.  Uncertainty.  Doubt.  All of these symptoms and conditions are well known to anyone who has spent a few years in security.  This can be a heavy topic, but it's one that we should discuss openly and often.  Danny Akacki joins me on this episode to talk about his own mental health, what are some of the things that has helped him, and he also gives us some insight on his contributions back to the community through the creation of infosanity.org, a website dedicated to helping those in the hacking community who may be struggling and aren't sure where to go. Please remember, if you have a serious concern about your mental health, please, PLEASE seek professional help. Some links of interest: Worldwide Crisis Line Phone Numbers Infosanity.org @DAkacki @InfoSanityOrg Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com Thanks for listening, and as always, I will talk with you all again next time. Find out more at http://purplesquadsec.com

From the crowd to the cloud, we shift focus this episode to a topic that may be holding back some infosec professionals from embracing the cloud - namely what to do when you're attacked?  Digital Forensics and Incident Response (DFIR) is a topic we've covered in the past, but that was from a more traditional view.  I'm fortunate enough to have Jonathon Poling (@JPoForenso) join me again to revisit DFIR, but this time from a cloud perspective.  What's easier, what's harder, and what's different?  Have a listen to find out! Some links of interest: Margarita Shotgun AWS to Azure Mapping AWS to GCP Mapping Azure to GCP Mapping Duo Labs GitHub StreamAlert Netflix GitHub RepoKid NCC Group Scout2 Ponder The Bits - https://ponderthebits.com/ @JPoForenso Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic Thanks for listening, and as always, I will talk with you all again next time. Find out more at http://purplesquadsec.com

The crowd.  Recently gaining attention again due to some news events that were much ado about nothing, there is still a bit of a mystery with crowdsourcing and how best to secure it.  Organizations like Bug Crowd and HackerOne have shown it can be used for specific security tasks, but what about in general?  Nicolas Valcarcel joins me on this episode to share his thoughts and experience with security the crowd and what organizations should be aware of when considering using the crowd for their own purposes. Some links of interest: Crowd Security Whitepaper - https://github.com/nxvl/crowd-security How to Make the Most of Mechanical Turk How We Maintain a Trustworthy Rainforest Tester Network The Pros and Cons of Using Crowdsourced Work How We Train Rainforest Testers AWS re:Invent: Managing Crowdsourced Testing Work with Amazon Mechanical Turk Virtual Machine Security: The Key Steps We Take to Keep Rainforest VMs Secure @nxvl Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic Thanks for listening, and I will talk with you all again next time. Find out more at http://purplesquadsec.com

In the first of a new format, I sit down with Joe Gray with only a handful of questions and just chat.  We cover things from Through The Hacking Glass, upcoming talks that Joe will be doing, to the various conferences that Joe will be attending.  Lots of great information and stories were shared, and if you'd like to provide feedback, please reach out and let me know!  Also, make sure you listen for a special easter egg that Joe has for those who are in the Atlanta area in September for entry to a conference at no cost! Some links of interest: Through The Hacking Glass @hackingglass - https://twitter.com/hackingglass Facebook - https://www.facebook.com/hackingglass/ Peerlyst - https://www.peerlyst.com/posts/announcing-through-the-hacking-glass-a-peerlyst-mentorship-experience-joe-gray RSA Conference USA - https://www.rsaconference.com/events/us18 Hacker Halted - https://www.hackerhalted.com/ Free Admission to conference code: HH18JGCON 25% off training code: HH18JJTRN Hack NYC - https://q22018.hacknyc.com/en/ Coupon code: STORMNYCJJ @c_3pjoe @advpersistsec Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic Thanks for listening, and I will talk with you all again next time. Find out more at http://purplesquadsec.com

Continuing with the theme of soft skills that any infosec professional should have, this episode will focus on developers.  I sit down with James Jardine from the DevelopSec podcast to talk about how best to communicate with developers.  Just like executives, developers have a different language and approach that is needed in order to communicate effectively.  Trying to avoid the all-to-common animosity between developers and security, James and I discuss some strategies to help build bridges between the groups and not burn them to the ground. Some links of interest: www.jardinesoftware.com www.developsec.com podcast.developsec.com podcast.wh1t3rabbit.net DevleopSec YouTube Channel @developsec @jardinesoftware Email James:  james@jardinesoftware.com Want to reach out to the show?  There's a few ways to get in touch! Show's Twitter: @PurpleSquadSec John's Twitter: @JohnsNotHere Podcast Website: purplesquadsec.com Sign-Up for our Slack community: https://signup.purplesquadsec.com John's Peerlyst Profile: https://www.peerlyst.com/users/john-svazic Thanks for listening, and I will talk with you all again next time. Find out more at http://purplesquadsec.com

Michael Bazzell, author of the book on OSINT techniques, joins the show to discuss the power of open source intelligence (OSINT) and its versatility in various fields. They delve into conducting background checks using OSINT, specifically starting with email addresses as unique identifiers. The chapter also explores training courses offered by the guest and ways to connect with the podcast and host.