Matasano Chargen: Penetration Testing: Dead But Not Really Dead.

  • StatlerAndWaldorf · 10 months ago
    It's raging confirmation bias. Fortify sells embedded Security QA. Hence, Fortify's customers have reached the point where they've matured enough to actually buy tools in-house and do source code review, and even actually fix crap prior to go-live.

    I mean it! Security testing. During the development process. No, for reals! Srsly! Why are you laughing? These are the kind of companies that actually have security guys in their dev teams. The ETradestercardachovias and the AmaGoogaBays. People with the budgets to buy tools that do things like create pie charts of all the SELECT statements your apps have.

    But is this everybody in the F500? Hells no. Now, to Bri, it sure feels like it, because they're the ones buying his lattes, and goshdarnit, it feels good to be right. People have been saying it was cheaper to test on the front end of the SDLC for years, and here he is, with a software company of his vewy vewy own, doing just that.

    Prob is, Fortify's customers are probably a fraction of a percent of the companies in the world doing Serious Business on the Interwebs. Even inside Fortify's own customers there are KLocks upon KLocks of code in whose dark bowels no one will ever dare to inflict the eColonoscopy of a source code scanner. To say nothing of the Legacy Fortran App That Dare Not Speak Its Name.

    So, enter pen-testing. It's ugly, it's unscientific. It's imperfect. It Does Not Offer Complete And Verifiable Code Coverage (tm). It may or may not succeed. But it confirms, within reason, that a very smart person spent some time trying to break your (app|network|building|crypto|drm|kneecaps), and failed. Or succeeded.

    And until we reach the point where every app has been carefully verified by Fortify's Ironclad Patent Pending Business Software Assurance Process (FIPPBSAP for short) before ever ever ever going prod, guess what?

    You need pen testers. Suck it up.
  • question_incentives · 10 months ago
    Do not fail to notice how the CSO author gladly proselytizes Fortify's new self-serving industry acronym "BSA" for business software assurance... If Fortify's claim is that security assurances are now embedded in an industry-wide QA-gone-mature process, then they ought to stop trying to differentiate themselves as the discoverer of a new niche process. If independent attack and pen efforts are dead, then any source control tool can commoditize their value-add for a far lower per-seat cost.
  • Anthony Lai, CISSP, Hong Kong · 10 months ago
    I agree with the author that, to be frank, even if a security process engaged in the SDLC is becoming a trend and a need, it is not a replacement for a penetration test. It is because the system designer has not got a priority to build a system with the thought of how a hacker would attack the system (except for security software/systems).

    However, I would like to bring out the issue of the low quality of penetration tests nowadays: "click-once" scanning has become the major trend, without harvesting and studying system infrastructure information, studying the possible weaknesses, and conducting exploitation.

    From my perspective, vulnerabilities can be classified into two major types:
    1. Systematic - related to a vulnerability in the OS/devices/software itself. We may need to go for a "Catch and Patch" approach as a remedy.

    2. Design/Implementation Flaws - the device itself may not exhibit any vulnerability, but once it is connected to another one or implemented/designed, it gives chances for a malicious attack.

    Hopefully, companies recruiting pentest services will engage this kind of approach, not just take a scan-once report as their homework for their headquarters and the authorities.
  • Thomas Ryan · 10 months ago
    Brian Chess needs a reality check. Penetration Testing is not going away anytime soon. Source Code Analysis has its place within the SDLC, but it is not the cure-all for application weaknesses. Security is undergoing drastic changes as we speak. As many companies try to turn security into a commodity, the value is brought down.

    What do I mean by this? Companies are hiring less skilled testers, it's becoming a point and click world and so many vulnerabilities and weaknesses are being missed. On numerous occasions Jr testers are being promoted to Sr testers within 6 months to a year. Do they have the proper skillset? NO! They run WebInspect, AppScan, and import Nessus, Retina and Qualys into CORE Impact and Boom. You are Secure!

    What's the problem? Application Scanners find 20% of the vulnerabilities and Network Scanners find 50%. So that means there is another 80% of application weaknesses and 50% of network weaknesses not discovered or tested.

    Now Brian Chess claims Fortify will fix all the application vulnerabilities... NOT REALLY!!! It has the same issues: it won't find logical errors that lead to vulnerabilities.

    THE TRUTH... If you combine Threat Modelling, Source Code Analysis, Application Pen Testing and Network Pen Testing, roughly a 2-week process, you will achieve the best results, and by best I mean 80-90%. Why not 100%??? First of all, no one can be 100% secure. TOO MANY unpublished vulnerabilities and malware out there.

    Testers' skillsets vary drastically, so the results vary depending on the tester, the time of year, the mental state of the tester, how quickly the project is being rushed, how limited the scope of the project is, etc.

    Will Penetration Testing Die????? NOT ANYTIME SOON!!!!
  • StatlerAndWaldorf · 10 months ago
    Christ on a tricycle, Tommy!1!! If you can do a Threat Model, SCA, and App+Net Pen in 2 weeks I'm hiring your ass. Maybe that assumes a Big4-level army of interns and a handful of token hackers plus two partners to fellate the customer, for somewhere around the price of a chop-topped Bentley with white gold spinners?

    Still, dude has a point, even if it is in caps. Takes a lot of tools, time and testing to keep up with the level of Kung Fu of your average garden-variety Bulgarian botmaster or Eastern Bloc carding gang.
  • voa · 8 months ago
    What do you think about ISO 27001? A lot of companies that need ISO compliance or PCI-DSS need penetration testing.
  • emo hair · 6 months ago
    It is not necessary to worry about it.
    Technological progress is not to be avoided.
    If you are connected with computer technologies, you can always earn. In it there is also a main plus.