With Black Hat USA 2019 fast approaching, we continue our blog series highlighting training sessions and research briefings that we think Qualys customers will find relevant and valuable. Our pick this week is the training session An Introduction To IoT Pentesting With Linux.

The course offers “a hands-on, example-driven introduction to IoT hacking” and focuses on tactics for assessing and exploiting devices. Participants will learn why perimeter security falls short for securing private LANs from Internet attackers, and how vulnerability assessment techniques can be implemented using the Bash Unix shell and command language. Such skills are critical today due to the booming popularity and weak security of Internet of Things systems.

The two-day course is aimed at anyone wanting a hands-on introduction on using Linux to perform software-based security analysis of embedded Linux devices. The instructor, Craig Young, is a Tripwire computer security researcher who has used the course’s techniques to identify over 100 CVEs on embedded IoT devices. He has discovered dozens of vulnerabilities in products from Google, Amazon, Apple and others.

Continue reading …

Qualys offers a wide array of security and compliance solutions for your organization.  All capabilities are delivered from Qualys Cloud Platform.  Visit Qualys Cloud Platform Apps to learn more.

But let’s narrow the discussion to web application security.  To have a complete webappsec program, it’s important that ALL of your web applications have some level of security testing.  Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture, accuracy, and ability to scale.  However, performing manual penetration testing against your most business-critical applications is highly recommended to supplement automated scanning.  Manual analysis complements scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.

One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS.  With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.

Continue reading …