December 18, 2008
This post is in response to “Fraudulent Security Experts”, as posted on the SNOsoft Research Team Blog.
Like a lot of other security professionals (and I use the term loosely), I subscribe to a range of mailing lists to keep my finger on the pulse, so to speak. Amongst the usual posts to the Nessus mailing list (normally followed by a rude, or at the very least rudely worded, response from Tenable & Co.) and the informative posts on PaulDotCom and the SANS mailing lists, there lies the PenTest mailing list. I tend to prefer lurking on this list, as a lot of what I see makes me cringe. However, I’ve never taken the time to comment on the mailing list before. That is, until I saw the blog post from Adriel T. Desautels on the SNOsoft Research Team blog.
If you’ve not had a chance to read the blog, then I’ll summarise. His gripe (and rightfully so) is about so-called security professionals selling a service (and we’ll use a penetration test here as an example) and then not being qualified to finish the job. I’ve seen it on the mailing list before, most recently in a post regarding SQL injection.
Now I want to qualify something before we move forward. I have no problem with people asking questions. I like to help people out where I can, and if people want to learn then asking questions is a must. However, when people start their question with something like “I’m doing a pentest for a customer and…” I start to get worried. After all, if you have a customer then you should know enough to cover the basics. Sure, some of the questions are real brain teasers, but a lot fall into the “security 101” arena. So many people seem to think that penetration testing is about running Nmap and Nessus and walking away. There will always be people looking to make a quick buck, and penetration testing will be no exception.
The problem is that there is no easy solution. Certification (as was discussed on the PenTest mailing list recently) is no indication of a person’s true knowledge. Also at fault here are the Human Resources people who think a CISSP means everything in security. Anyway, that’s an argument for another day. There is a lack of regulation and accreditation in the security industry as a whole. What accreditation does exist (e.g. CREST, the Council of Registered Ethical Security Testers in the UK) lacks pull, and is restricted to government contracts. However, the problem really lies with the customers. I know it’s hard to say, but the average customer will take the lowest and quickest quote. If I say I can do it $100 cheaper and in 2 days less, then I win, no questions asked. Instead, customers need to be asking why you’re better suited to do this test: how many have you done before, can you give sample reports, can you give references for previous work, and can we see the CVs of the staff doing the test? Maybe it’s time for a list of questions the customer needs to ask; after all, right now it’s the penetration testers doing the asking.
December 15, 2008
We just got the news that Core Impact 8 (with XSS and blind SQL injection checks) has been released by Core Security Technologies. You can read the full press release for the new version HERE.
Main features .:
- XSS and Blind SQL Injection Checks
- Comparing Test Results Over Time
- Scheduling Regular Testing
- Managing Large-Scale Testing
December 15, 2008
The blog over at blog.portswigger.net has been buzzing for the last month about the new version of Burp Suite. After a short time in beta testing (with users of the professional version) it’s been released for those using the free version. I’ve had a quick look over the features and think that version 1.2 is a big step in the right direction.
I’ve flitted back and forth between using OWASP’s WebScarab and Burp Suite. As much as I’ve always wanted to go the free route and use WebScarab, something kept pulling me back to Burp. I guess it just makes things easier. The new version seems to fill in some gaps, and I’ll be looking at the pro license soon to really get the full benefit.
The professional version includes the new Burp Scanner (passive and active scanning), which seems to fill a void a lot of people have been looking to fill, i.e. an affordable web-application scanner that actually works. No automated scan will find everything, but users of Burp Suite already know that, so the addition of a scanner just seems to make sense at this point. One thing I wish was in the free version, however, is the save/restore state function. Then again, I can see why this is held back for the paying customers.
Some of the new features include .:
- Site map showing information accumulated about target applications in tree and table form
- Fully fledged web vulnerability scanner [Pro version only]
- Suite-level target scope configuration, driving numerous individual tool actions
- Display filters on site map and Proxy request history
- Ability to save and restore state [Pro version only]
- Suite-wide search function
- Support for invisible proxying
Check out the full details at www.portswigger.net
December 10, 2008
SANS SEC:709 – Developing Exploits for Penetration Testers – Day 2
I didn’t get a chance to post my thoughts on the second day of the SEC:709 class before leaving London, so here’s a quick recap of the second day.
Today we began looking at the Windows side of exploit writing. Although in theory things are slightly harder with Windows exploitation than with Linux (at least at the level we were working at), things seemed to click on the second day. Whereas the first day was new concepts mixed with exercises to show how things work, the second day looked at the same points made in day 1 from a Windows standpoint. The examples were a chance to review some points from day 1 in a new light and to introduce some new ones. The day was finished off with a Capture the Flag. Most people managed to get at least a couple of flags, but with the limited time, and a raging brain ache from “drinking from the fire-hose”, so to speak, it was slow going. One person managed to get almost all the flags, which was impressive given the time spent learning these points. I guess with some more reviewing of the topics and some practice, I’ll be able to get the hang of this mystical side of penetration testing and security research.
Overall the course was very fun. As it’s a 700-level course (from my understanding SANS does 400-, 500-, 600- and now 700-level courses, 400 being the basics, through to 700, which is more than a little advanced), you get what you ask for. It’s high-tech from moment one, and the pace is fast and furious. It’s not one of those courses where you can get into class 10 minutes late from lunch and still catch up. If you miss a concept, then everything that follows will be that much harder to grasp. Stephen Sims (the class author and the teacher for the London class) is looking to take the class to 4 days. I think this would make the concepts easier to grasp, as more time could be spent in labs to drill the concepts into your head. One of the other facilitators (class helpers, of which I was lucky enough to be one) said that the 4-day course should be the contents of days 1 and 2 repeated twice ;). Still, Stephen said he wants to put more into the 4-day course, so keep your eyes peeled for that in the near future.
Overall my time in London was great. I managed to meet some really smart people, and the SANS Christmas dinner was really fun. Working as a facilitator for a SANS conference is fun, but a lot of work. If you’re thinking of trying it out, expect a lot of >12 hour days and bleeding fingers. Still, from my experience it’s 100% worth it. Just getting a chance to work with the SANS instructors and staff is reward enough. If anybody will be attending the upcoming SANS Munich 2009 (June/July time), then look for a stressed and tired-looking facilitator; it’ll probably be me…