We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

The Mike Rothman Security Report

Peter Schooff

Hacker-Proof Your Applications: Mike Rothman Talks with Kevin Beaver

Vote 0 Votes

***Editor's Note: If you like this podcast, make sure to tune into the upcoming ebizQ Webinar hosted by Mike Rothman about the latest and least-greatest threats titled Threatscape 2008.

Listen to or download the 11:52 minute podcast below:

Download file

This month Mike chats with Kevin Beaver of Principle Logic about the ins and outs of application testing. They discuss how network and system penetration testing differs from testing applications and why it's critical to look at the problem from both sides. Kevin also provides a little view into his tool bag and discusses what tools he uses for what jobs and, finally, Mike subjects Kevin to the free association treatment. Hear what Kevin has to say about Metasploit, source code analysis and cross-site scripting.

The transcript follows:

MR: Hello, this is Mike Rothman. Welcome back to the Mike Rothman Security Report on the ebizQ Network. This week we are going to tackle the concept of application testing. And you know whether we want to call application scanning, or you want to call it application penetration testing, you know, there are a lot of different ways to talk about the issue.

But given the fact that applications are still a bulk of and becoming increasingly the majority of where many of the attackers are going first, putting your applications through its paces, really understanding, you know, that the issues are, vulnerabilities, exploitabilities of that application are is absolutely critical. And I'm very pleased to have a local Atlanta guy, a good friend, Mr. Kevin Beaver with me today. He is with a shop called Principle Logic. Kevin how are you?

KB: Mighty fine. Doing great Mike, thanks for having me today.

MR: Oh, that's great. That's great. So Kevin why don't give everybody a little bit of background Principle Logic and on what to do because you're very well known in the networking and systems security areas but maybe not so much on the applications side.

KB: Well, I'm working on that. I am an independent information security consultant. In my practice I basically focus on performing security assessments, pointing out the flaws in networks, applications, databases, and even security operations so really end-to-end services. And I've also been doing quite a bit of expert witness work lately, and I do a lot speaking, and I have this new audio program series called "Security On Wheels".

MR: Well, that's great. That's great. So since a lot of what you're doing is, you know, kind of assessments and really helping folks go through and understand, you know, what's actually happening in their infrastructure as well as their applications. You know why don't we kind of start with a little bit in terms of, you know, how you tackle a network assessment, or a systems assessment and how that's different than, you know, how you tackle an application assessment, you know. Well, is it is that the tools, is it just the methodology, or the mentality, or is there no difference at all; a test is a test is a test?

KB: Well actually, by and large a test is a test is a test. I think the big differentiator is the tools that use. You know whether you're looking at a operating systems, network infrastructure devices, or web applications, the methodology is the same. I've used what's called the "Ethical Hacking Methodology" where, you know, you get in, you plan things out, you do your testing, which involves, you know, performing your initial scanning, your reconnaissance, your actual vulnerability findings, and then any exploitation, and then once you're done with the testing, of course, you got to go in and analyze your results, you got document your results, and then deliver the reporting phase essentially.

So really regardless of what it is, if it's an IP address, if it's a URL, if -- basically, if it has an on/off switch, it's essentially the same. I think the biggest differentiator is the tools. And whenever you're looking at an entire network of systems -- of operating systems, routers, firewalls, switches, you name it, you're going to want to use good tools that are specific to those type of devices. I mean for instance, I use QualysGuard to find network and OS level of vulnerabilities and then follow-up with tools like Cain and Metaspoit, and some of the Back Track Live CD tool's to exploit the flaws.

MR: Yep.

KB: A lot of times, if I'm doing an internal network assessment, I'll use a network analyzer called "OmniPeek" and I'm able to quite often find some network anomalies that you'd never find otherwise, you know. And he thing is with the network layer or network-centric vulnerability assessment tools, they're going to look at everything, they're going to look all the way up to Layer 7, you know, look at the Web server and maybe some of the web application components, but they're not going to dive in deep enough and that's where these applications, security specific tools come in to play.

MR: Good. So that's actually a great segue into some of these tools. Obviously, there are scanners. Obviously, there are, you know, some tools that are being positioned more as penetration testing tools so -- you know, again, you've been contracted to give SecurityInsight.com, for example, and by the way don't do this.

KB: I won't; I don't have permission.

MR: Yes, that's right. So let's say, you know, I contract you to kind of figure out where the holes are in my application or my shopping cart or something like that. You know, how do you get started? What are the first couple of things that you end up doing?

KB: First couple things are determining what's the URL, obviously. And then figuring out do you want to look at this from a true outsider's perspective or do you want to look it both from an outsider's perspective as well as a trusted user's perspective. And a lot of people they just look at their Web apps from the outside.

They assume, well, you know, we've got these Eastern European bloc countries, and Asia, and all that stuff, they're trying to hack into our system, that's what we need to worry about the most. But a lot of people overlook the fact that somebody on the inside, somebody that has a trusted access into the environment may actually be able to get in and manipulate the URL, get in a poke around and do things with the application that allow them to penetrate the system.

MR: Yeah. So, either you'll go in, you'll kind of check out the URLs, you'll kind of look at it again depending on whether you're kind of acting as either an outsider or a potentially trusted insider. You know there are certain, you know, set of tools or a number of tools that you have in your little kitbag that help you do this stuff?

KB: Absolutely. Even if I'm running a general application assessment, I tend to use some of the network level tools like QualysGuard and Nessus and things like that just to get an overall picture of the server that the applications running on and maybe find stuff that some of the higher level scanners aren't going to fine. But then I'll actually start digging in and using tools like HP's WebInspect is usually the primary tool that I use.

MR: Yep. I mean have you seen any difference in level of support or, you know, kind of responsiveness since they were actually bought -- since SpyDynamics, is again, another local Atlanta company was acquired by HP?

KB: No, I mean if anything, it's gotten better so. I've always had a good experience with these guys and that's why in my work I strive to be vendor neutral but if I find a product and a vendor that I really like and really believe in, I'm not ashamed to tell people who it is and to point people in that direction.

And, you know, just like QualysGuard, I think that WebInspect is an excellent tool if you're looking to find the most vulnerabilities without all the false positives and all the noise that a lot of the other ones will generate.

MR: Yep, I'm sure a lot of listeners certainly appreciate that perspective because --

KB: Sure.

MR: -- and again, there are just a lot of solutions out there and to hear from, obviously, somebody knowledgeable in terms of what works -- that's, obviously, you know very helpful. So, you know, let's talk a little bit. So you've got some tools but the tools will only get you so far, how much of doing these assessments, you know, well get back to your own skill or your ability to interpret the information that comes out of the tool versus the tool itself?

KB: It's almost always about 50/50. It's 50 percent tools and 50 percent human expertise and context. You know a lot of people they go and they run their scans but they never do any in-depth checking or validation of the findings of their tools. And you've got to take your security scanner results with a grain of salt. And the thing is no matter how good the tools are there's simply not going to find us certain vulnerabilities.

And really, likewise, no matter how good you are at finding security weaknesses, there's no way to test that the level that these security testing tools can test. So it's got a be a good trade off, it's got to be good balance and, you know, using good tools and pulling in your expertise, your experience, your analytical abilities is really important to find out what matters in the environment that you're testing.

MR: Yeah. Great. So, you know, anybody that's listening out there don't worry you will still have a job tomorrow.

KB: Oh absolutely.

MR: We're not having a Terminator action here where SkyNet is going to come out of the sky and -- and make all of us security folks irrelevant.

KB: Well, as much as the vendors want you to believe that all you need is their tool, it's simply not the case.

MR: Well, that's great. That's exactly what I think everybody wants to hear. So now we'll kind of bridge into what I call "the free association" part of the -- of the show. And, you know, the rules are pretty simple, Kevin. I'll blurt out a statement; you kind of provide your perspective and what I hope to be a sentence or less.

KB: Okay.

MR: We'll do a couple of them and, you know, again, we'll just see where it goes. So let's start with Metaspoit.

KB: A must have security testing tool. That's the first thing that comes to mind.

MR: Yep. No, that's great and that's what exactly what free association is about. And for those of you that aren't familiar with Metaspoit, it's actually an Open Source exploit penetration testing service or package, I guess, is what you would call it. But it actually uses real exploits to help compromise machines and understands, you know, where the real holes are as opposed to broader vulnerabilities.

KB: Yeah, it actually helps you to show just what can happen out when QualysGuard and Nessus, and all these other tools find the missing patches. It allows you to take things to the next level.

MR: You bet. Source code analysis?

KB: Got to have it, not seeing enough of it.

MR: And Cross-site scripting?

KB: Still see it everywhere; don't know why it's not fixed yet.

MR: That's exactly what free association is all about. Because you know again, I mean, I'm seeing a lot of the same stuff which is, you know, source code analysis is just hard and, you know, this is part of the reason I'm excited to continue to work withebizQ is that it's largely an application developer that their heritage is certainly application developers and SOA, and a lot of application oriented stuff. And, you know, it really is an evangelizing role that we security professionals have to take with, you know, kind of the idea of building security, and building secure applications sooner rather than later. And the fact that a lot of people are, you know, not embracing source code analysis, and a lot of people, you know, still are plagued by, you know, again, pretty straightforward, you know, attacks that can be solved with things like, you know, input validation, you know, like SQL Injection and some of these other buffer overflow issues. I mean, you know, again, you look at from a security guy standpoint, you know, like why is this stuff still happening? But again, it just gets back to the evangelizing that we as security people continue to have to do.

KB: Right. And you know what's happening? The essence of all this is that developers by and large, I'm not saying all of them, but by and large, from what I'm seeing, they think that as long as they're checking for memory leaks, checking making sure they have strong password requirements, and they're using SSL, then that's what security is all about, but we know that it's way more than that.

MR: You beg; we do know. So with that, Kevin Beaver, thanks so much. Why don't you again, give us some URLs so the listeners know where they can find you.

KB: Absolutely. My business is at PrincipleLogic.com. I have links to all of my articles, Webcasts, podcasts, you name in my audio programs both free and for sale are at SecurityOnWheels.com.

SecurityOnWheels.com. Thank -- thanks again, Kevin. Thanks everybody for listening to the latest edition of the Mike Rothman Security Report on ebizQ Network and we will see you next time.

ebizQ is proud to bring you Security Incite's Mike Rothman, who podcasts and writes on application security and related topics.

Recently Commented On

Monthly Archives