Web app testing classroom in a box - the good, the bad and the ugly

DerbyCon 8.0 - Evolution

Presented by: Chelle Clements, Jim McMurry, Lee Neely
Date: Saturday October 06, 2018
Time: 16:00 - 16:50
Location: Kentucky E
Track: Track 3

Web-based applications and services are the key technologies behind modern service delivery, and their security, or lack thereof, can make or break a company. We developed an approach to follow, including tools that help with each step of the assessment process, leveraging both free and commercial products. There are more engagements than there are resources, so we set out on a mission to train new web application testers on a portable platform, teaching them an approach that not only tests application security but also leverages tools that simplify the process, in effect cheating to win. To conduct that training, we had to develop a classroom-in-a-box, which included the network, the targets and the tools for the students. Over the last year, we have leveraged Raspberry Pi Zeros, thumb drives with Kali Linux, Chromebooks and Intel NUC servers. We will discuss the pros and cons, showing what works and what to avoid, as well as what can be leveraged to build a home lab, or your own classroom in a box. Attendees will leave with information they can take back to their home organization to serve as a foundation for either an ad-hoc or ongoing capability.

Lee Neely

Lee Neely is a senior IT and security professional at Lawrence Livermore National Laboratory with over 25 years of extensive experience with a wide variety of technology and applications from point implementations to enterprise solutions. He currently leads LLNL’s Entrust team and is the CSP lead for new technology adoption specializing in mobility. He teaches cyber security courses, and holds several security certifications including GMOB, GPEN, GWAPT, GAWN, CISSP, CISA, CISM and CRISC. He is also the President of the ISC2 Eastbay Chapter.

Chelle Clements

Chelle Clements has been associated with computer science and cyber security for over 20 years. She has an AAS in Environmental Science from Northern Virginia Community College, and a BS and an MS in Information Systems Management from the University of San Francisco. She is an Army Veteran, one of the first women in the Corps of Engineers (she has some great stories!). She spent 30 years at Lawrence Livermore National Lab as a researcher in three different fields (chemistry, physics and computer science) and also as a community outreach volunteer. She currently supports several Veteran causes with pro bono web development (such as East Bay Stand Down) and served on her city’s art commission.

Jim McMurry

Jim McMurry is an accomplished technologist with an entrepreneurial mindset and over 23 years of combined experience in security, information technology, telecommunications, networking, management and software development. Jim's varied experience in network security, military projects, IT and high-tech arenas, with startups through Fortune 1000 companies, provides him with a unique set of tools as he grows Milton Security. He volunteers for numerous charities, and supports Veterans through the Milton Veteran Hiring program.
