Sunday, July 26, 2009

Blackhat, Part 1

My first two days of Blackhat are complete. This weekend I took the "Web Application (In)Security" course by NGS Software. The class was taught by Dafydd Stuttard and Marcus Pinto. It covered pretty much every web application security topic you can imagine, and was heavily focused on attack, rather than defense. It seemed very oriented toward pen testers.

Before the class started, I had some doubts about whether it would be too basic. While most of the topics covered were topics I was already familiar with, the course material as a whole was intermediate to advanced. Dafydd and Marcus really know their stuff, and it shows. We started going really quickly in day 2, and I think a lot of us were struggling to keep up.

The course was about evenly split between presentation time and lab time. I appreciated the hands-on approach. These guys had a TON of labs available. I actually was kind of annoyed at the absolute impossibility of completing all the labs in the time given, but I think the point was to make sure nobody ran out of work to do. I don't think anyone was expected to complete them all.

We were encouraged to use Burp Suite, and many of the examples were shown using Burp. I'd never used Burp before, thinking it was just another localhost proxy. Turns out I was very wrong. Burp is an extremely powerful, flexible, and complete web application security tool, and I will definitely be using it in the future. I'd say this aspect of the course was worth the price of admission.

We finished out the course with a CTF game, which always makes me happy. I wish we had a little more time to work on it. (And I'm happy to say that I spent most of the game near the top of the leaderboard.)

My only real complaint about the course is that there seemed to be way too much material for two days, and it felt very rushed. (Also, the room was absolutely FREEZING.)

In other Vegas news, I kind of feel like I should be putting some more effort into making some friends here. I haven't really been socializing outside of class. I've spent some time on the poker tables, but I've been taking a beating and am busted out. (Last night I went to the felt on a flush draw with two overs, caught my flush on the river, turns out I was drawing dead to a boat. Part bad luck, part bad play.)

Also, there is absolutely nowhere to eat here that costs less than a million dollars.

1 comment:

Mike said...

I thought Vegas was the land of $4.99 buffets.

There's also that giant McDonald's about halfway down the strip. Can't miss it.

Sorry to hear about the beating.