Penetration Testing mailing list archives
Re: SQL injection ( and being a pen tester means being good in every area)
From: Bernhard Mueller <research () sec-consult com>
Date: Fri, 8 Aug 2008 01:51:39 +0200
Hello,

On Thu, 2008-08-07 at 17:46 +0200, mark mark wrote:

> It makes me wonder that if you are into information security auditing, you have to be really good in all areas, otherwise you will always rely on automated scanners 80 percent of the time.

This is a very interesting question IMHO. Of course, you require a basic knowledge of software development, programming languages, operating systems, databases, networking technologies, and more. However, as I see it (about 5 years in ;)) the way is to aggregate knowledge as you go. If you are testing something (be it a web application, router, binary application, or whatever), ask yourself the following questions:

* What are the most likely security bugs that this could have?
* What is the minimum of information that I need to be able to effectively test for these bugs?
* What techniques do I need to apply to test for these bugs?

In one project, you will expect some authorization issues and will have to analyze the source code for logic errors. For this, you will obviously need to understand the programming language. In the next project, you will have to reverse engineer a binary protocol, and to do that, you will have to write an SSL proxy in Perl first. Another project might require you to find errors in a router setup, and therefore to learn the inner workings of a specific routing protocol.

So in that sense, you will indeed have to be an expert in every area. The thing is, you will get better and faster at becoming an expert as required. You will find many similarities in how things work and don't work, where security bugs occur, a better understanding of what to look for, and what kind of information you need to filter out. Most importantly, you will eventually be able to think along the lines of the people who design the things you are testing, and what kind of errors they are likely to make.

When I test something I have not seen before, or need to use a new technique, I usually take some extra research time for that project. If a really interesting issue pops up in a penetration test, I will also do a standalone research project on that topic (test a specific technology or software, code a special tool, or whatever is needed).

With time, you will actually have at least basic knowledge and experience with almost all relevant technologies, and only have to expand that knowledge in specific directions as required by your objective.

Regards,
Bernhard

--
_________________________________________
Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email b.mueller () sec-consult com

Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.
Current thread:
- SQL injection ( and being a pen tester means being good in every area) mark mark (Aug 07)
- Re: SQL injection ( and being a pen tester means being good in every area) Bernhard Mueller (Aug 08)
- RE: SQL injection ( and being a pen tester means being good in every area) Erez Metula (Aug 08)