Security Basics mailing list archives
RE: Binary Analysis with Internal Solutions
From: "Simon Thornton" <simon () thornton info>
Date: Tue, 24 Jul 2012 18:35:16 +0200
Hi Nick, NS> "Should binary analysis (i.e. reversing and fuzzing) NS> be part of an internal vulnerability and pen testing solution?" You are asking about two different activities with widely different requirements in terms of the time and potentially resources needed. Fuzzing is the simpler of the two exercises and can be automated, often used as part of pentesting exercises. Reverse engineering is largely a manual process and can be significantly more challenging and time consuming. Part of the answer depends on the perceived attack surface (the risk of an attack) and the impact a successful compromise would have. If this is an internal application on a closed network not connected to the internet then it may be worth it. If however this application contains data covered by regulatory compliance and/or legal requirements (privacy laws) and it is exposed directly or indirectly to the internet then this is different. Start with a simple risk assessment, considering the data (classification) processed by the application, location of the service, who accesses it etc. This should give you an indication if you need to consider more in-depth analysis. To go as far as reverse engineering would normally be predicated by an event which cannot be explained by looking at source code, logs etc. Examples might be - if a security incident or breach occurred which could not be explained by other analysis. - Another example might be a requirement (legal/regulatory) that all applications used strong ciphers or long key lengths and the source code was not available. My experience; most of the time reverse engineering is not justified from a cost/risk perspective. Fuzzing interfaces can detect functional bugs not caught through normal testing. Whatever the source of a vulnerability or issue the risk (impact/exploitability or impact/likelihood) needs to be addressed. Simon -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of nschroedl () mtiorg com Sent: Tuesday, July 24, 2012 17:15 PM To: security-basics () securityfocus com Subject: Binary Analysis with Internal Solutions Hello everyone, A debate has been started in the office that I work in over this question. "Should binary analysis (i.e. reversing and fuzzing) be part of an internal vulnerability and pen testing solution?" There is mission critical custom in house software solutions deployed here. My opinion is Yes, but others say it is a waste of resources to go this deep into offensive security. Please send your comments, and opinions so that I can either win/loose this debate. Nick Schroedl ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Binary Analysis with Internal Solutions nschroedl (Jul 24)
- RE: Binary Analysis with Internal Solutions Ward, Jon (Jul 24)
- RE: Binary Analysis with Internal Solutions Mike Vella (Jul 24)
- RE: Binary Analysis with Internal Solutions Simon Thornton (Jul 24)
- RE: Binary Analysis with Internal Solutions Nick Schroedl (Jul 24)
- RE: Binary Analysis with Internal Solutions Pranav Lal (Jul 25)
- RE: Binary Analysis with Internal Solutions Mikhail A. Utin (Jul 24)
- RE: Binary Analysis with Internal Solutions David Gillett (Jul 24)
- RE: Binary Analysis with Internal Solutions Simon Thornton (Jul 25)
- RE: Binary Analysis with Internal Solutions Mikhail A. Utin (Jul 27)
- RE: Binary Analysis with Internal Solutions Nick Schroedl (Jul 24)
- RE: Binary Analysis with Internal Solutions Simon Thornton (Jul 25)