In the ideal world, every engagement would grant you source code access and a copy of the application/environment. Having 100% visibility into the static and dynamic environment of an application is incredibly powerful. By its nature, it eliminates the need for guessing and will make attacks significantly more informed and reliable. Simply put, a better job can be done because this is a position of advantage. In all situations less than that ideal, we can use reverse engineering to get into that position.

This talk outlines the concepts, strategies, and specific methods I have used to learn the inner workings websites for exploitation. We will specifically cover:

• pattern matching to quickly identify technologies

• deductive and inductive reasoning as ways to dial in our understanding

• how to ask informed questions to prove out those assertions

• walkthrough of how code structures look, and what the rendered website will show

• demonstration of decomposition techniques

kuzushi

I have spent nearly two decades working with technology. The first half of my career was spent as a professional developer, and the last 10 years of my career I have worked as an ethical hacker / cyber security professional / offensive security consultant. I have personally performed hundreds of penetration tests throughout the last decade, and I have led even more. I specialized in application security and secure developer training. For the last few years I've continued my growth into executive leadership; where I have built and lead international and national teams of security testers to deliver the highest quality penetration tests. I currently am the Vice President of security consulting services for Bishop Fox.