Don't Draw on The Walls

InfoSec

AppSec

TrynaGetPaidSec

Agenda

  • Make a Decision
  • AppSec Fundamentals
  • ...and Beyond
  • Random Tips

The Decision

What's an AppSec?

InfoSec

  • Network Security
  • Vulnerability Management
  • Security Compliance
  • Cryptography
  • AppSec
  • Etc...

AppSec

  • Software Applications
  • Typically Web Applications
  • Specific Vulnerabilities (SSRF, SSTI, etc.)

Why AppSec Tho?

  • Highly Accessible
  • Transferable Skills
  • Growing Fast w/ "Cloud Adoption"

AppSec Fundamentals

  • HTTP Intercept Proxy
  • Scripting (Python)
  • Software Architecture Project (GoLang)

HTTP Intercept Proxy Demo

Jupyter Notebook Demo

Learn You Some Python

Software Architecture Project Demo

...and Beyond

  • Networking/Speaking/Blogging
  • Continuous Learning
  • OSCP
  • OJT
  • Mentoring

Networking

Continuous Learning

On The Job Training

  • Customer Support at SaaS Company
  • Pre or Post Sales roles at Security or SaaS Companies

Mentoring

  • Organize a Security Conference 😉
  • Mentoring Tests Boundaries
  • Builds Collaborative Skills
  • AppSec is a Community

Random Tips

Interviewing

Boredom and Monotony Drive Opportunities

What are the three types of XSS?

Types of XSS

  • DOM
  • Reflective
  • Persistent

What are the types of XSS contexts?

XSS Context

  • Text space <html> here </html>
  • Attribute space <html attr="here">
  • JavaScript <script> var x = here; </script>
  • CSS 😕

What are the three types of Blind SQLi?

Blind SQLi

  • Timing
  • Boolean
  • Out-of-band (Super Blind)
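All three blind variants rely on the same root cause: user input is spliced into the SQL grammar, so an injected condition changes what the query returns (Boolean), how long it takes (Timing), or what it reaches out to (Out-of-band), even when no data is echoed back. The Python below is an added example for this page, not code from the talk; it uses an in-memory SQLite table constructed here to show the Boolean case next to the parameterized query that removes the channel entirely.

```python
import sqlite3

# Constructed test data (not from the slides).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the input is parsed as part of the SQL.
    Whether a row comes back now depends on the truth of whatever
    condition the input carries, which is exactly the Boolean blind signal."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the input is only ever compared as data, so the
    query's shape cannot be altered and no true/false oracle exists."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def shows_boolean_oracle(lookup, conn: sqlite3.Connection) -> bool:
    """Returns True if the lookup answers differently to a true and a false
    appended condition, i.e. if the response depends on injected SQL."""
    true_case = lookup(conn, "alice' AND '1'='1")
    false_case = lookup(conn, "alice' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a boolean:", shows_boolean_oracle(lookup_vulnerable, db))
    print("parameterized query leaks a boolean:", shows_boolean_oracle(lookup_parameterized, db))
```

The same parameterized form is also the fix for the Timing and Out-of-band variants, since all three need the input to be executed as SQL rather than compared as a value.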

How does CSRF work?

I always forget too.

AppSec Pass The Interview

  • Know the categories (XSS, SSRF, SSTI, CSRF)
  • Understand the mechanics
  • Demonstrate business value

ToroHack

By Cody Sparky Wood
