I want to be a consultant for web apps security testing.
Why would anybody need a consultant if they already have some open-source tool to do application vulnerability tests?
Any points?
Detecting vulnerabilities is one thing. Fixing them and educating your customer on how to avoid them in the future is another.
The answer is very simple. A vulnerability scanner is unable to identify logical flaws within the application that cause security risks.
Further to that, most app scanners have problems spidering a site correctly and maintaining correct state. They also have great problems with forms that have to be completed in sequence, i.e. form 1, then form 2, then form 3.
But on the plus side, they are very good at static checks, i.e. looking for default files and searching for backups of used files.
So in reality, for an app security test you need both, because if you were to do all the checks manually, as a consultant you won't get any work because your quotes would be too big.
SittingDuck
Security scanners are good at finding apps that have known flaws. Like SittingDuck said, they tend to miss some stuff.
Penetration testing is more than looking for apps with vulnerabilities. It also involves checking your configuration of these apps, and testing your site for other vulnerabilities such as SQL injection, cross-site scripting, or any number of things that an app scanner can't fully test.
A penetration tester is also more skilled with a vulnerability scanning tool. While anyone can run a scan, someone who has used it over time knows how to configure it for your specific network, as well as configuring it with optimal settings for the most information.
A full penetration test should consist of scanning and attempting to break in with the human element.
SPI Dynamics makes some pretty decent tools for automated testing, but they even indicate it takes a human with judgement and experience to comprehensively distill the results of an automated scan to evaluate the true threat. A program can test SQL injection queries hella faster than a human can, but will the output be truly useful to a bad guy? The human could tell a lot easier than any bot could, I'd put money on it.
Thanks for the terrific insight.
If I were to argue that "application firewalls" may eventually cut down any service offerings (say I offer a service with a human using an open-source tool and his own techniques), would someone of you participate in that argument?
Count me in
Because just relying on automated security tools is the dumbest attitude in a company.
Quote:
Why would anybody need a consultant if they already have some open-source tool to do application vulnerability tests?
It's like having no guards because "I have a totally unbreakable safe and I don't need anybody to take care of it".
And IMHO, a vulnerability test or a penetration test REQUIRES a security specialist.
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
For your own sake I hope you don't actually believe your own bullshit.
Quote:
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
I'm guessing you don't actually believe that, and you are just looking for the counterpoint that would justify your position as a consultant.
There are ways around firewalls, firewalls can be exploited, firewalls can be manipulated, firewalls are not foolproof. A consultants job isn't to just find holes, but to find design and infrastructure weakness. You may have a firewall for protection, but your job as a consultant is to make sure it's configured correctly and that policy is designed correctly among other things. If one layer is exploited, everything behind it suddenly depends on strong policies and designs. OWASP rings bells.
In the interest of Security, I believe it to be bullshit and pray god that the following will not turn out to be true:
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
There is one word in the above statement that raises the debate "comprehensive". Security audits used to target the application that might be vulnerable. Having an "application firewall" in the front of the application means that we are testing the gateway and not the application.
Actually, you can go a little bit further than that. It's the fact that it's still made by a human. There will always be flaws, regardless of whether there is a firewall. Instead you now have two things to test: the firewall and the application. You cannot assume that the firewall will stop things from happening. Additionally, if you test only the gateway and not the application an attacker can go past the firewall through a legitimate port or pathway to the application.
Quote:
There is one word in the above statement that raises the debate "comprehensive". Security audits used to target the application that might be vulnerable. Having an "application firewall" in the front of the application means that we are testing the gateway and not the application.
Amen.
Quote:
Additionally, if you test only the gateway and not the application an attacker can go past the firewall through a legitimate port or pathway to the application.
BTW, it's a pretty common way to do that, since firewalls are (usually) well tested by developers. I can't say that about some application developers that I know.. a lot of developers still allow that "or 1 = 1" on the logon screens :)
Actually, companies such as @stake hire people well versed in software testing and web security to work with companies on making their web applications more secure. This happens through testing the software, running the applications that do this in an automated fashion, doing code audits, developer education, etc.
Quote:
Originally posted here by kautilya
The introduction of Application Firewalls has eliminated the need for a comprehensive application security audit.
Firewalls do not solve the problem. Developers write bad code that can put customer data at risk. While automated solutions catch some of the vanilla problems that everyone makes, there are always one off problems due to custom made solutions or web application providers that the automated tool hasn't worked with yet.
Yes, I do hope and pray that what I said above should indeed become bullshit.
The point here is that "application firewalls" filter most vulnerabilities before they reach the "application".
If we have someone using a Teros application gateway in front of their application, and then if we do a blackbox-based remote ethical hacking test, we are testing the application firewall, not the application. This implies that web app security testing, the remote blackbox way, does not make sense since the application firewalls are already tested products that the application deployers have bought.
I hope this adds a good smell to my ****.
Sorry guys, I posted an unordered reply...
I am talking about "application firewalls" not "network firewalls"
Can you provide some names of these commercial application firewalls, for those of us not sure of the direction or subject of this thread? Just product names/links would be fine, to give me a point to go read up on the subject. Thanks!
Sure - teros.com, netcontinuum.com, Imperva