DISQUS

Matasano Chargen: On The Different Types Of Penetration Tests

  • Chris_B · 2 years ago
    TP,

    The transgressive bit didnt come at the end. The thing which is going to upset alot of pester divas of all types is the fact that this stuff really is QA processes.
  • Thomas Ptacek · 2 years ago
    I agree, a lot, but from experience a shrink-wrap pentest usually requires more code than an average QA person can turn out in a tight time frame.
  • Chris E · 2 years ago
    Chris_B, though pen testing can be classified as QA and the lines are becoming increasingly blurred between the two, QA tends to be more scripted than pen testing and usually doesn't require building customized tools each time. Product (or shrink-wrap) pen tests require a very different skillset, and they are few and far between.
  • Jordan Wiens · 2 years ago
    Great writeup, Thomas. If I thought I could get away with it, I'd use web pester and web pesting in an article I'm writing now on webapp scanners.

    One minor nitpick -- I'd suggest that methodology is crucial for web pentesting as well. In fact, I think it's even more crucial than network pentesting.

    Mainly because a big web app actually has a much bigger attack surface area that has to be mapped out than your average network (assuming we're discounting web-apps from the network segment), and the details of that surface area are theoretically totally new to you each time. There are so many nooks and crannies that it's really important to have a good methodology to be repeatable and thorough. Of course, you need experience as well, I definitely agree with that.
  • Thomas Ptacek · 2 years ago
    Purely subjectively, the word "methodology" scares me. In the best circumstances, a methodology is a safety net, keeping you thorough and accurate even if your head isn't in the game. But if your head isn't in the game, don't test. People rely on your results to assure my mom's credit card numbers.
  • Chris_B · 2 years ago
    TP,

    OTOH a methodology can be good for people whose heads are too much in the game, forcing them to mind the shot clock and get the rest of the work done.

    Chris E,

    Even now a certain percentage of pesting can be automated and can spot the low hanging fruit. I expect that this percentage will rise over time. Of course human eyes will always spot more, but eliminating some problems before shipping is better than waiting for someone else to identify those problems for you.
  • Anonymous · 2 years ago
    Just the description of web pentest strikes me as silly... "A team is given accounts"... How about looking at the code, Sherlok? As Ranum beautifully puts it - you have an application you don't understand and you shell out money for someone who doesn't understand it, and doesn't even look at the code, in the hopes they'll make it secure. When you think about it it's just ludicrous. Don't give me the "simulate an attacker" talk, that's just idiotic.

    There are people hired to do these things couldn't program themselves out of a hello world and they're supposed to say what's broken with an application? What's broken is that some clueless person is shelling out money for "penetration testing"... How about shelling out money for code reviews and for having top notch programmers that understand security?

    How about spending your time coming up with solutions for secure coding and design of these things instead of searching for the 1001th variation of a flaw here and there? Yes, I know it's not so cool and you won't be a "mercenary" badass, but maybe you'll actually change the world for the better? I'm tired of this arrogant talk. It's always me, me, me - I can break, I can hack, all books suck (unless of course they teach how to pentest), all certifications suck, all software sucks, and no advice on how to actually improve anything. Blargh.
  • Dave G. · 2 years ago
    Anonymous:

    We agree! However, most companies just don't want to share source code to their applications with third parties. And most companies have a business need to have an independent third party review their application. For example, their customer might demand it. So, on one side, a company needs to have someone outside of its organization perform a security review, on the other side, they want to protect their intellectual property.

    Code reviews and penetration testing will find different bugs. Most companies that do one will also do the other.

    Some people are really good at software development and penetration testing. You are pigeonholing an industry based on some of the people inside of it.
  • Some other Dave · 2 years ago
    Anonymous -

    First, the goals of a web app "pen test" can be different than trying to secure it. Sure, securing it is the ultimate goal, but 100% of the multi-billion dollar companies that I consult with do pen tests to confirm that they don't have any vulnerabilities. The reality is, I've never seen a web app without some flaw - however serious. These organizations usually DO have a security development lifecycle, have very intelligent and security-saavy developers, and incredibly layered security review processes. This doesn't mean that there will never be vulnerabilities, and no amount of developer training will ensure apps are always secure.

    Another thing I'd like to state is that I usually don't need the code. When I test an app, I can usually tell you what the code looks like behind the vulnerability. In my experience, rarely does a code review turn up new vulnerabilities - though it might locate more instances through root-cause analysis and point out other broken security practices.

    I guess my point for this entire post is to say the pen testing definitely does have value. Our customers go much further knowing where the issues are really at. It can then be used as a metric to improve future development practices and create better and more secure apps.
  • Pyrotechnic Automation · 4 months ago
    I always like your post.. nice list.. hope everybody will appreciate your post..