Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security IT

How Red Teams Hack Your Site To Save It 58

Posted by samzenpus
from the we-had-to-destroy-the-village-in-order-to-save-it dept.
Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."
This discussion has been archived. No new comments can be posted.

How Red Teams Hack Your Site To Save It

Comments Filter:
  • by SecurityTheatre (2427858) on Monday November 12, 2012 @01:05PM (#41958409)

    With all due respect, WhiteHat Security is the Denny's of web application testing shops.

    Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.

    The run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.

    There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.

  • by Anonymous Coward on Monday November 12, 2012 @01:06PM (#41958421)

    There's a nice little article over at the 360 Security blog on how penetration testing is a valuable exercise AND how sometimes penetration testing fails to improve security outcomes. It should not come as too much of a surprise to know that its one of those things where "you get out what you put in".
    Disclosure: I do red-team penetration testing for a living, and rarely have I seen anyone squeeze full value out of the exercise without a lot of coaching and encouragement!

    http://360is.blogspot.co.uk/2012/05/360is-guide-to-understanding.html

  • by Zapotek (1032314) <tasos.laskos@nosPAm.gmail.com> on Monday November 12, 2012 @02:04PM (#41959017) Homepage
    It's really simple:
    • Automated tools are here to pick the low handing fruit;
    • You should always validate their findings manually;
    • You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.

    Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

    As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.

    Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.

    Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles to in order to just be able to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either so just use some common sense and balance your expectations.

"Hey Ivan, check your six." -- Sidewinder missile jacket patch, showing a Sidewinder driving up the tail of a Russian Su-27

Working...