RE: Techniques for Vulnerability discovery

["Leon " <leon.rosenstein () verizon net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to add this to the thread.

http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi
?database=JanL%2edb&command=viewone&id=14&op=t

This covers a lot of what is being discussed in this post. 
Additionally if one takes a look at hack proofing your internetwork
there are quite a few chapters on how to discover vulnerabilities.

Best regards,

Leon

- -----Original Message-----
From: Oliver Petruzel [mailto:opetruzel () cox rr com] 
Sent: Friday, April 05, 2002 1:25 AM
To: 'kaipower'; security-basics () securityfocus com;
vuln-dev () security-focus com; vuln-dev () securityfocus com
Subject: RE: Techniques for Vulnerability discovery

I am sincerely glad someone brought this up. My concern lies in a
total
lack of education or training in this area.  Hacking 101 courses are
all
over the place now; teaching MCSE-kiddies and non-technical managers
how
to run scripts and nmap (swell..$2-4k to learn this stuff in 3 days?
Ach, ask a single grad of those programs what nmap is ACTUALLY
sending
and receiving..lol "duhh, errr, but it says it's BeOS with port 80
open,
I'll just use securityfocus like they showed me to find a script to
shoot at it..")...

(I digress...) There are not many courses that I know of that
actually
explain the methodology in searching for *new* vulnerabilities... As
in
"Tearing apart that new .dll, .asp, or cgi from a security
perspective
101"

Some folks claim it's just trial and error and dumb luck.  Others say
that folks troll the "most downloaded" new pieces of software at
shareware sites and then pound away semi-blindly with input variables
and switches that have worked against previously announced holes in
other software until they find something that will get their name on
bugtraq... 

Problem is, in our growing field of infosec, beyond post-grad or
doctorate level CS, there aren't very many educational tracks to show
your average programmer/engineer how to start finding new holes...
The
only thing I can think of is to send someone through: a secure
programming program AND a webapp dev course AND a windows API course
AND
AND AND..etc...we're talking tens of thousands of bucks there, not to
mention the hours involved..ouch.

My goal:  I want to take 4 of my Jr Security Engineers and send them
somewhere for a week or two, or perhaps several weeks at night, and
have
them come back to tear apart software like it's nothing...
<foundstone,
hint hint, E&Y, hint hint.. Anyone? Bueller? Bueller?...>  Of course,
pre-req's would be a solid knowledge of scripting languages, C/C++,
network architectures and protocols, and all publically known scripts
and code... (but I require that of my jr's anyways so I just want
someone else to show them the next level!  I have no time, and hell,
if
the course is good enough, I would even go so that I can stop using
semi-educated dumbluck and trial and error! lol)

I am VERY interested to see someone post a resource... Maybe this is
just a pipe-dream.

./oliver

Ps: on a side note, there are several interesting projects currently
in
dev everywhere to automate all of this..  So don't worry, soon those
afraid of anything they can't click on will also be able to point and
click their way through code to find new vulns...swell eh?  There are
even dev projects going to automate vulnerability discovery in
ALREADY
COMPILED software! Woohoo...

"Excellent Smithers! Now activate the artificial lightning and blue
screens of death!"

- -----Original Message-----
From: kaipower [mailto:kaipower () subdimension com] 
Sent: Thursday, April 04, 2002 8:05 PM
To: security-basics () securityfocus com; vuln-dev () security-focus com;
vuln-dev () securityfocus com
Subject: Techniques for Vulneability discovery


Hi,

After reading the mailing list for quite a while, there is a burning
question which I kept asking myself:

How do experts discover vulnerabilities in a system/software?

Some categories of vulnerabilities that I am aware of:
1) Buffer overflow (Stack or Heap)
2) Mal access control and Trust management
3) Cross site scripting
4) Unexpected input - e.g. SQL injection?
5) Race conditions
6) password authentication

Do people just run scripts to brute force to find vulnerabilities?
(as
in the case of Buffer overflows) Or do they do a reverse engineer of
the
software?

How relevant is reverse engineering in this context?

Anybody out there care to give a methodology/strategy in finding
vulnerabilities?

Mike



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPLH3ndqAgf0xoaEuEQLRlwCgjLIEX5srvI8SKIsSLtqZvhFVUvIAnAvL
vGKkupag9SRmmt49YjufzbrT
=v9Cx
-----END PGP SIGNATURE-----