Penetration Testing mailing list archives

Re: SQL injection ( and being a pen tester means being good in every area)


From: Bernhard Mueller <research () sec-consult com>
Date: Fri, 8 Aug 2008 01:51:39 +0200

Hello,

On Thu, 2008-08-07 at 17:46 +0200, mark mark wrote:
> It makes me wonder that if you are into information security auditing,
> you have to be really good in all areas, otherwise you will always
> rely on automated scanners 80 percent of the time.

This is a very interesting question IMHO. Of course, you require a basic
knowledge of software development, programming languages, operating
systems, databases, networking technologies, and more. However, as I see
it (about 5 years in ;)) the way is to aggregate knowledge as you are
going.
If you are testing something (be it a web application, router, binary
application, or whatever), ask yourself the following questions:

* what are the most likely security bugs that this could have?
* what is the minimum of information that I need to be able to
effectively test for these bugs?
* what techniques do I need to apply to test for these bugs?

In one project, you will expect some authorization issues and will have
to analyze the source code for logic errors. For this, you will
obviously need to understand the programming language. In the next
project, you will have to reverse engineer a binary protocol, and to do
that, you will have to write an SSL proxy in Perl first. Another project
might require you to find errors in a router setup, and therefore to
learn the inner workings of a specific routing protocol.
So in that sense, you will indeed have to be an expert in every area.
The thing is, you will get better and faster in becoming an expert as
required. You will find many similarities in how things work and don't
work, where security bugs occur, a better understanding of what to look
for, and what kind of information you need to filter out. Most
importantly, you will eventually be able to think along the lines of
people who design the things you are testing, and what kind of errors
they are likely to make.
When I test something I have not seen before, or need to use a new
technique, I usually take some extra research time for that project. If
a really interesting issue pops up in a penetration test, I will also do
a standalone research project on that topic (test a specific technology
or software, code a special tool, or whatever is needed).
With time, you will actually have at least basic knowledge and
experience with almost all relevant technologies, and only have to
expand that knowledge in specific directions as required by your
objective.

Regards,

Bernhard



-- 
_________________________________________

Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com

A-1190 Vienna, Mooslackengasse 17
phone     +43 1 8903043 34
fax       +43 1 8903043 15
mobile    +43 676 840301 718
email     b.mueller () sec-consult com

Commercial register Wiener Neustadt: 227896t, VAT ID: ATU56165223
Registered office: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.

