Web app testing classroom in a box - the good, the bad and the ugly, presented at DerbyCon VIII Evolution 2018

by Lee Neely, Chelle Clements, James Mcmurry

Summary: Web-based applications and services are the key technologies behind modern service delivery, and their security, or lack thereof, can make or break a company. We developed an approach to follow, including tools to help with the assessment at each step of the process, leveraging free and commercial products that can assist the assessment. There are more engagements than there are resources, so we set out on a mission to train new web application testers on a portable platform, teaching them an approach to not only test application security but also leverage tools that simplify the process, in effect cheating to win. To conduct that training, we had to develop a classroom-in-a-box, which included the network, the targets and the tools for the students. Over the last year, we have leveraged Raspberry Pi Zeros, thumb drives with Kali Linux, Chromebooks and Intel NUC servers. We will discuss the pros and cons, showing what works and what to avoid, as well as what can be leveraged to build a home lab or your own classroom in a box. Attendees will leave with information they can take back to their home organization to serve as a foundation for either an ad-hoc or an ongoing capability.