Resources
By consulting across so many verticals, Praetorian is in a unique position to see emerging threats, failed technologies, and overall security trends. The resource center's intention is to share some of that insight back with the community. Here you will find a collection of presentations, white papers, webcasts, and tools that we have voluntarily lectured on and distributed. Visit our resource section regularly for the latest security information coming from our consultants in the field.
Tools
Scalable Tailored Application Analysis Framework
Creator and Project Lead: Ryan W. Smith
There has been no shortage of Android malware analysis reports recently, but thus far that trend has not been accompanied with an equivalent scale of released public Android application tools or frameworks. To address this issue, we are presenting the Scalable Tailored Application Analysis Framework (STAAF), released as a new OWASP project for public use under Apache License 2.0. The goal of this framework is to allow a team of one or more analysts to efficiently analyze a large number of Android applications. In addition to large scale analysis, the framework aims to promote collaborative analysis through shared processing and results.
OWASP JBroFuzz
Contributing Developer: Nathan Sportsman
JBroFuzz is a web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.
Books
Hacking Exposed 6th Edition
Contributing Author: Nathan Sportsman
The tenth anniversary edition of the world's bestselling computer security book! The original Hacking Exposed authors rejoin forces on this new edition to offer completely up-to-date coverage of today's most devastating hacks and how to prevent them. Using their proven methodology, the authors reveal how to locate and patch system vulnerabilities.
The book includes new coverage of ISO images, wireless and RFID attacks, Web 2.0 vulnerabilities, anonymous hacking tools, Ubuntu, Windows Server 2008, mobile devices, and more. Hacking Exposed 6 applies the authors' internationally renowned computer security methodologies, technical rigor, and "from-the-trenches" experience to make computer technology usage and deployments safer and more secure for businesses and consumers.
Presentations
Mobile Applications - What's Under the Hood?
OWASP's recent release of the "Top 10 Mobile Risks" has spurred much discussion in enterprises regarding how they may begin to protect against mobile vulnerabilities and prepare for the next wave of threats on the horizon. At this point little has been done to clearly identify the risk of downloading applications from both official and unofficial application marketplaces. Join researchers from Praetorian and Veracode as they look under the hood of a huge selection of Android applications and provide a quantitative examination of the application security posture of today's mobile application space.
Discussion will include:
- The most common mobile security risks
- Unintentional threats in the mobile landscape
- Overly permissive and malicious mobile applications
- Fake / malicious applications from application marketplaces
- Insecure mobile applications / security vulnerabilities
STAAF - OWASP AppSecUSA 2011
There has been no shortage of Android malware analysis reports recently, but thus far that trend has not been accompanied with an equivalent scale of released public Android application tools or frameworks. To address this issue, we are presenting the Scalable Tailored Application Analysis Framework (STAAF), released as a new OWASP project for public use under Apache License 2.0. The goal of this framework is to allow a team of one or more analysts to efficiently analyze a large number of Android applications. In addition to large scale analysis, the framework aims to promote collaborative analysis through shared processing and results.
Top 10 Critical Findings Presentation
As a consulting company, Praetorian has a unique ability to observe security programs across a wide range of companies. Based on the vulnerability patterns seen across organizations, a top ten list of common critical findings was created. The purpose of this presentation is to examine each of those critical findings and provide recommendations for mitigation. Examples from actual engagements are used to emphasize risk through real world scenarios. Some information from the screenshots provided has been redacted to protect confidentiality.
Threat Modeling Presentation
Over the last few years, significant progress has been made in back end SDLC security controls. Vendors have developed sophisticated analysis tools focusing on code inspection and application testing and organizations are incorporating both automated and manual assessment methods into the latter half of their development process. However, adoption of architectural risk analysis has not been as widespread. Although threat modeling is not a new concept and approaches such as Microsoft's STRIDE are well known, companies have not internalized and adopted design related security controls with the same vigor. The purpose of this presentation is to provide an understanding of what threat modeling is, why it is important, and champion its benefits.
Web Services Security Presentation
The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating the technology into their products, giving increased power and interoperability to their customers. However, the power that web services enable also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of the vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will then describe the existing security standards and technologies that target web services, such as WS-Security, including their history, pros and cons, and current status. Finally, we will attempt to extrapolate the future of this space to determine what changes must be made going forward.
Social Engineering Presentation
For many organizations, the human element is often the most overlooked attack vector. Ironically, people are typically one of the easiest vulnerabilities to exploit and an attacker needs little more than a smile or email to completely compromise a company. With targeted attacks on the rise, organizations must understand the risk of social engineering based attacks. The purpose of this presentation is to examine common physical, phone, and Internet based attacks. Real world case studies are included and recommendations are provided that will help mitigate this growing threat.
