Security testers have one of the most exciting and creative jobs in the industry. They are tasked with finding elusive security bugs in complex software systems and convincing the rest of the team of their importance.
They must prioritize their time and efforts to make sure the best (or worst) security vulnerabilities are found and fixed. To do that, the security tester should have the best resources available:
access to external classes, conferences, magazines and books. The
security tester has to find as many critical security bugs with limited
resources before the major ship deadline; the attacker has to find only
one – and has all the time in the world after ship to do so. Is it a level
playing field? No. That is what makes the tester's job so exciting,
critical and challenging.
Every great security tester has these three qualities: a great imagination,
complete knowledge of the system they are testing and an evil streak so
they can think like an attacker -- and beat him at his own game. By
mastering those three pillars of expertise a tester will be well on his way
to becoming an exceptional security tester.
Imagination -- Many times we don't have all the information we'd like
to have as security testers. When exploiting an SQL injection vulnerability,
for instance, the security tester has to make certain leaps of faith about the
underlying system and make educated guesses about what is really going
on to create an effective test.
Complete knowledge of the system -- A great security tester must
know about each component of the system he is testing. For Web
applications that often means in-depth knowledge of JavaScript,
XML, server-side code (ASP, JSP, Ruby, PHP, etc.), databases,
Web services and more. The tester must be able to recognize when
things are out of place and when components may be used incorrectly.
This complete knowledge comes with time and expertise, but it can be
aided by intense research of each subject with a security focus in mind.
Evil streak -- The previous two pillars of expertise will take a security
tester only so far in his quest for security testing nirvana; the pillar that is
a game-changer is the ability to think like an attacker. Being able to
anticipate the way an attacker will visualize the system is an integral part
of testing the system. Similar to mapping out the many ways a burglar
might be able to break into your house, the same thought process is
needed for security testing so that you cover all the creative ways an
attacker could exploit your application.
A great security tester has a great imagination
A great imagination extends beyond the ability to imagine a system as it
could be. It also includes the ability to envision the truly interesting bugs
and vulnerabilities in a system. Most security assessments are performed
black-box -- without source, documentation or access to internal systems.
When a security tester approaches a security assessment with little
information he must make certain assumptions and inferences about the
system he is testing. Sometimes those can be verified later through focused
testing, but often they cannot.
SQL injection is an exceptional example of a vulnerability that requires a
creative imagination to be discovered. For these vulnerabilities, a tester
must be able to envision how certain features in the Web application
would be executed on the database.
Great security testers have complete knowledge of a system
The most common Web application vulnerability by far is cross-site
scripting (XSS). At Security Innovation our engineers maintain a
knowledgebase of all security vulnerabilities we have found over
the years of security testing. More than 85% of vulnerabilities found
in Web applications are due to XSS. Often they are so ubiquitous
that after finding dozens of them, we actually stop looking and instead
provide guidance to our customer's development team so they can fix
them and we can focus our testing efforts on more mission-critical issues.
For that reason XSS is a great example for this subject. Ideally the
system is protected by defense in depth. Initially any user input
should be checked in the Web browser, then validated on the server
using a whitelist regular expression. Finally, when that data is displayed
back to the user, it should be encoded for the context it is rendered in
(HTML-encoded, for example) to make sure no errant characters slip by and
are executed in the client's browser.
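The three layers described above, written out as an added example in plain Node.js (this is not code from the original article or from Security Innovation). The field name, the whitelist pattern, the HTML text-context encoder and the sample inputs are all assumptions chosen for illustration.

```javascript
// Added example: defense in depth against XSS in three layers.
// Assumptions: a "username" field, a [A-Za-z0-9_]{3,20} whitelist, and
// output rendered into an HTML text context. Sample inputs are constructed.

// Layer 1: the client-side check, as it would run in the browser before
// the form is submitted. It is a usability aid only: anyone can post
// directly to the server and skip it, so it never counts as a security control.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;
function clientSideCheck(value) {
  return USERNAME_RE.test(value);
}

// Layer 2: server-side whitelist validation. The same pattern is applied
// again because nothing the browser did can be trusted. Rejecting is the
// safe default; "cleaning" a bad value would hide the attempt.
function validateUsername(value) {
  if (typeof value !== "string" || !USERNAME_RE.test(value)) {
    throw new Error("username rejected by whitelist");
  }
  return value;
}

// Layer 3: output encoding for an HTML text context. Only these five
// characters can change how the surrounding markup is parsed, so encoding
// exactly them turns any value into inert text, even a value that reached
// this point through a field with a looser whitelist.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A page that greets the user: validate on the way in, encode on the way out.
function renderGreeting(submitted) {
  const name = validateUsername(submitted);
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}

// Constructed sample inputs: one legitimate, two that carry markup.
const SAMPLE_INPUTS = [
  "alice_01",
  "<script>alert(1)</script>",
  'bob"onmouseover="x',
];

// Runs every sample through the page and records what each layer did.
function demo() {
  const results = {};
  for (const input of SAMPLE_INPUTS) {
    let server;
    try {
      server = renderGreeting(input);
    } catch (e) {
      server = "rejected: " + e.message;
    }
    results[input] = {
      clientCheckPassed: clientSideCheck(input),
      serverResult: server,
      encodedAnyway: encodeForHtml(input),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `encodedAnyway` is the defense-in-depth argument: even if a reviewer removed the whitelist tomorrow, the encoded output of the second sample is `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser renders as text rather than executing.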
Finding your inner evildoer
The final and, in my opinion, the most important pillar of expertise
for a great security tester is being able to understand how the
system can fail and to think maliciously once you've got your foot
in the door. The moment a potential vulnerability is discovered
it must be assessed for risk. The most common risk rating system
is DREAD, which stands for Discoverability, Reproducibility,
Exploitability, Affected users and Damage potential. A tester
with a healthy understanding of the latest exploits and a bit of
an evil streak may be able to persuade developers and managers
to escalate the vulnerability to a higher risk rating and increase
the likelihood of getting it fixed quickly.
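A worked DREAD rating, added here as an example (it is not from the original article). The article names the five factors; the 1-to-10 scale per factor, the average as the overall score and the risk bands are assumptions (the scale commonly used with DREAD), and both findings are constructed. It shows the effect the paragraph describes: the same bug, re-rated once the tester has demonstrated what exploiting it really allows, moves up a band.

```javascript
// Added example: scoring and ranking findings with DREAD.
// Assumptions: each factor is an integer 1..10, the overall score is the
// average of the five, and the band thresholds below. Findings are constructed.
const DREAD_FACTORS = [
  "damage", "reproducibility", "exploitability", "affectedUsers", "discoverability",
];

// Average of the five factor ratings; rejects anything off the 1..10 scale.
function dreadScore(rating) {
  let total = 0;
  for (const factor of DREAD_FACTORS) {
    const v = rating[factor];
    if (!Number.isInteger(v) || v < 1 || v > 10) {
      throw new RangeError(`${factor} must be an integer from 1 to 10`);
    }
    total += v;
  }
  return total / DREAD_FACTORS.length;
}

// Maps a score to a band (assumed thresholds, not part of DREAD itself).
function riskBand(score) {
  if (score >= 8) return "critical";
  if (score >= 6) return "high";
  if (score >= 4) return "medium";
  return "low";
}

// Sorts findings so the team sees the highest-risk item first.
function rankFindings(findings) {
  return findings
    .map((f) => ({ name: f.name, score: dreadScore(f.rating), band: riskBand(dreadScore(f.rating)) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed finding as first logged by the tester: the developers see a
// bug that is easy to reproduce but hard to exploit and of limited damage.
const INITIAL = {
  damage: 4, reproducibility: 7, exploitability: 3, affectedUsers: 5, discoverability: 6,
};

// The same finding after the tester demonstrates a working exploit and what
// it reaches: exploitability and damage are re-rated, the other factors stand.
const RERATED = { ...INITIAL, damage: 8, exploitability: 8 };

// A second constructed finding used to show the ranking.
const OTHER = {
  damage: 3, reproducibility: 9, exploitability: 6, affectedUsers: 2, discoverability: 8,
};

function demo() {
  return rankFindings([
    { name: "finding A (as first logged)", rating: INITIAL },
    { name: "finding A (after exploit demo)", rating: RERATED },
    { name: "finding B", rating: OTHER },
  ]);
}

console.log(demo());
```

Recording both ratings of finding A, with the evidence that justified the change, is what makes the escalation defensible later: the score moves from 5.0 (medium) to 6.8 (high) because two specific factors changed, not because the tester argued louder.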