“Have you heard? We can present the CSTC at Black Hat again.” - This or something similar is how a chat at the coffee machine between Matthias Göhring from usd HeroLab and Mareike Clemens from CST Academy began a few weeks ago.
A lot has happened since then: Our pentesters Florian Haag and Matthias Göhring will present the Cyber Security Transformation Chef (CSTC), their in-house developed BurpSuite extension, not only at Black Hat USA 2024 but also at DEF CON 32. Fully in the spirit of our mission of sharing knowledge with the community.
Today we met them again at the coffee machine. We used this last chat before they left for Las Vegas to pepper them with our questions:
Black Hat and DEF CON - two of THE conventions for the security community. Which of the two are you particularly looking forward to?
It's not easy to answer that in one sentence. Black Hat always gives us good insights into trends and developments in the cyber security industry. What software solutions are available and what is in store for us as pentesters? For this reason, the exhibitors and many of the visitors are mainly representatives of companies. DEF CON is very different: as a hacker conference, it is much more about pure technology, vulnerabilities, tools and, above all, mutual learning. It's more about the hacker as a person and you can feel that too.
You're bringing your CSTC to Las Vegas again, just like last year. Can you summarize in one sentence what the tool can do?
Florian: To put it bluntly: the CSTC is there to make life easier for its users. You save time by automating with the CSTC - without having to write any code yourself. In addition, the recipes can be easily shared within the team and, unlike scripts, everyone can easily understand how a recipe is structured and works.
The CSTC is now 5 years old - doesn't that make it an old hat for the community?
Florian: Not at all. In order for the CSTC to be helpful for web application experts, it must constantly evolve and adapt to the current state of the art - just like we do as pentesters. Over the last few years, including from Las Vegas 2023, we have received great feedback and feature requests from the community, which we can now present. In addition, the CSTC now contains new operations that can be used in recipes, and the code base has been completely revised to adapt to changes in BurpSuite. My highlight: Together with the CSTC, we will introduce a new public repository with recipes that we have found useful in our daily work.
What setting will you be presenting the CSTC in and how are your preparations going?
Florian: This year we are represented in the Arsenal Lab at Black Hat - and not just with a station where we present our tool in a continuous loop, with or without an audience (laughs). Instead, this year we're giving a group of participants hands-on insights into our tool. I'm currently making the final preparations and can already reveal one thing: It will be interactive and exciting.
Matthias: In the DemoLabs and in the AppSecVillage at DEF CON, we get down to the nitty-gritty: other hackers are interested in the depths of the tool, the features, the recipes. To be honest, we have to focus more on what we want to show, because we are of course proud of everything.
And now to the most important question: How are you going to spend your nights after the official part of the events have concluded?
Matthias: We're in Las Vegas for a week, I think that answers your question (laughs). Joking aside, at night the meeting of old and new acquaintances continues at the parties around Black Hat and DEF CON.
Thank you both for your answers, have a good flight and lots of success and fun. We look forward to pictures and reports live from Las Vegas next week!