November 17, 2009
If you read my previous posting, you have an understanding of goal oriented pentesting. That being said, let’s assume for a second that the goal of a penetration assessment is to get access to sensitive information and that it is possible to achieve this goal in several different ways. Now the penetration testing team should be able to achieve this goal, but can they find all possible vectors? Not necessarily.
Without a testing methodology the team will likely reach a point of diminishing returns in which their efforts are not producing unique attack vectors for achieving the goal(s). The only way to ensure complete coverage of an application, is to use a testing methodology like the Full OWASP Testing Methodology.
The Full OWASP Testing Methodology is useful because it provides a comprehensive guide for techniques that can be used to identify risks within a web application by testing each component. Each component is tested in several different ways. Testing each component ensures that the application is tested fully. All penetration assessments should use both a goal oriented approach as well as a strong testing methodology. This will ensure that the assessment covers both depth and breadth.
November 16, 2009
Many people including network administrators and even security professional are confused by the penetration testing process. The penetration testing process is the process of identify and demonstrating risks to an organization. The key here is identifying and demonstrating risks. Demonstrating risks can be done in several different ways. One common method that administrators use to protect their network is to use vulnerability scanning solutions to automatically find vulnerabilities. The vulnerabilities are similar to risks; however automated solutions have no ability to put information in context. The process of manually testing and leverage vulnerabilities is what the penetration testing process is all about.
Okay great, you have 10 or 100 or 1000 vulnerabilities, now what? 1000 vulnerabilities don’t necessary mean a greater risk than 10 vulnerabilities because not all vulnerabilities pose the same risks. Many vulnerability scanning solutions contain risk rating in the vulnerability scanning reports. These risk rating are not the same as business risks because they do not directly demonstrate risks to the business. Vulnerabilities are potential risks that would need to be leveraged by an attacker to demonstrate business risk. That is where penetration testing comes in. Penetration testing is designed to demonstrate the business risks by leveraging vulnerabilities to achieve a level of access or gain access to data.
So what drives the penetration tester? How do they know what they want or what level of access is going to demonstrate the highest risks to the organization?
It comes down to a list of goals. Wikipedia defines a goal:
goal or objective is a projected state of affairs that a person or a system plans or intends to achieve – a personal or organizational desired end-point in some sort of assumed development. Many people endeavor to reach goals within a finite time by setting deadlines.
This is process is known as a goal-oriented penetration assessment. The goals are defined before the assessment begins and the penetration tester works to achieve the goals. Once a goal is achieved, the penetration testers should determine how many unique ways the goal can be achieved.
A few example goals for a penetration assessment:
- Gain access to the internal network (remotely)
- Gain access to credit-card information
- Gain Domain Administrator access
Penetration testing is all about achieving goals and not about finding vulnerabilities. Enough said. Vulnerabilities are not the goal. Goals are the goal.
November 3, 2009
On November 12th, I will be giving a talk at the annual OWASP AppSec conference titled “Synergy! A world where the tools communicate”. I am really excited to give this talk since I have been working on the content for almost 2 years. If you have attended any of my talks in the past like BlackHat/DefCon, ShmooCon and/or InfoSec World you already know that I will bring tons of fresh code! I can’t wait for OWASP AppSec 09.
Brace yourself. We are gonna raise the bar on the industry.