TMI: Testing and Exploiting SharePoint

Presented at DerbyCon 3.0 All in the Family (2013).

SharePoint has become one of the most common platforms in organizations today. Originally designed for simple content management, it has grown into a workflow, CMS and communication powerhouse that runs on intranets and all over the Internet. While it is powerful, most organizations do not realize the risks it exposes within their organization. Kevin Johnson and James Jardine of Secure Ideas will be walking attendees through the systems available under the SharePoint name, as well as showing ways that penetration testers are able to assess and exploit them. They will also be releasing a series of tools and guidelines to help organizations assess their SharePoint systems.


Presenters:

  • Kevin Johnson
    Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub. Kevin has performed a large number of trainings, briefings and presentations for both public events and internal trainings. Kevin teaches for the SANS Institute on a number of subjects. He is the author of three classes: SEC542: Web Application Penetration Testing and Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. Kevin has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard and ISSA. Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
  • James Jardine
    James Jardine is a Principal Security Consultant with Secure Ideas, LLC. James has over 12 years of software development experience with over half of that focusing on application security. During his long development history, he has had the opportunity to write large enterprise applications, thick clients, and mobile applications. He has held many roles including senior developer, software architect, and application security expert. In addition, James is an instructor and author for the SANS Institute. He is also a contributing blogger for the Secure Ideas blog, the Jardine Software blog, and the SANS Appsec blog. James has performed a number of trainings and presentations for both public events and internal trainings. James teaches the Dev544: Secure Coding in .Net course at the SANS Institute. He is also a contributing author for that course. James will also be teaching a mobile security course that he co-authored at BlackHat USA 2013. He has also presented on multiple webcasts, at the Kentucky ISSA InfoSec Summit, and BSides Orlando. In addition, James is the co-host of the Professionally Evil Perspective podcast and the Down the Security Rabbithole podcast. James is also involved in the open source community. He runs a number of open source projects. These include WCSA, a security analyzer for web.config files, and EventValMod, a tool to modify event validation values in .Net. He is also a contributor to the Laudanum project, a collection of injectable web payloads.
