Coffee Break with Pentesters: 5 Questions about Black Hat & DEF CON 2024 

26. July 2024

“Have you heard? We can present the CSTC at Black Hat again.” This, or something similar, is how a chat at the coffee machine between Matthias Göhring from usd HeroLab and Mareike Clemens from CST Academy began a few weeks ago.

A lot has happened since then: our pentesters Florian Haag and Matthias Göhring will present the Cyber Security Transformation Chef (CSTC), their in-house developed BurpSuite extension, not only at Black Hat USA 2024 but also at DEF CON 32. This is fully in the spirit of our mission of sharing knowledge with the community.

Today we met them again at the coffee machine. We used this last chat before they left for Las Vegas to pepper them with our questions:

Black Hat and DEF CON - two of THE conventions for the security community. Which of the two are you particularly looking forward to?

It's not easy to answer that in one sentence. Black Hat always gives us good insights into trends and developments in the cyber security industry. What software solutions are available and what is in store for us as pentesters? For this reason, the exhibitors and many of the visitors are mainly representatives of companies. DEF CON is very different: as a hacker conference, it is much more about pure technology, vulnerabilities, tools and, above all, mutual learning. It's more about the hacker as a person and you can feel that too.

You're bringing your CSTC to Las Vegas again, just like last year. Can you summarize in one sentence what the tool can do?

Florian: To put it bluntly: the CSTC is there to make life easier for its users. You save time by automating with the CSTC - without having to write any code yourself. In addition, the recipes can be easily shared within the team and, unlike scripts, everyone can easily understand how a recipe is structured and works.  

The CSTC is now 5 years old - doesn't that make it an old hat for the community?

Florian: Not at all. In order for the CSTC to be helpful for web application experts, it must constantly evolve and adapt to the current state of the art - just like we do as pentesters. Over the last few years, including from Las Vegas 2023, we have received great feedback and feature requests from the community, which we can now present. In addition, the CSTC now contains new operations that can be used in recipes, and the code base has been completely revised to adapt to changes in BurpSuite. My highlight: Together with the CSTC, we will introduce a new public repository with recipes that we have found useful in our daily work. 

What setting will you be presenting the CSTC in and how are your preparations going?

Florian: This year we are represented in the Arsenal Lab at Black Hat - and not just with a station where we present our tool in a continuous loop, with or without an audience (laughs). Instead, this year we're giving a group of participants hands-on insights into our tool. I'm currently making the final preparations and can already reveal one thing: It will be interactive and exciting.

Matthias: In the DemoLabs and in the AppSecVillage at DEF CON, we get down to the nitty-gritty: other hackers are interested in the depths of the tool, the features, the recipes. To be honest, we have to focus more on what we want to show, because we are of course proud of everything. 

And now to the most important question: how are you going to spend your nights after the official part of the events has concluded?

Matthias: We're in Las Vegas for a week; I think that answers your question (laughs). Joking aside, at night the meeting of old and new acquaintances continues at the parties around Black Hat and DEF CON.

Thank you both for your answers, have a good flight and lots of success and fun. We look forward to pictures and reports live from Las Vegas next week! 
