As a Security Tester, or hacker, I have one of the most exciting and creative jobs in the industry. We are asked to find as many critical security vulnerabilities in complex software systems with limited resources - before the application is released or shipped. We have the challenge of knowing more about the system in the first couple of days than the developers who wrote the system. We have to find every vulnerability in the system, while the attacker effectively has all the time and resources in the world to find only one issue. The deck is stacked against us, but that’s what makes it fun, exciting, and a constant challenge.
To be effective, we have to get in the attackers mindset. In my experience as both a software security engineer and trainer, it has become clear to me that some students catch on to the concepts more quickly than others. Sometimes, those who turn into the best hackers don’t immediately show signs of brilliance; it takes dedication, practice and a laser-like focus for years to become the best. Frequently, a seasoned tester that can hunt down functional bugs in the weirdest of places can’t think maliciously like a hacker would and never make the transition to security testing. In the last few years, I have trained development teams from some of the world’s largest software vendors. Like an anthropologist on Tanna Island, I’ve examined their behavior and attempted to distill what makes a great security tester. I’ve come up with three pillars that, if developed fully, will make an outstanding hacker.
Complete knowledge of the system – When I say "complete" I mean complete. A great security tester must know about every component, protocol, application, layer and subsystem of the system he or she is testing. For example, testing a web application isn’t just about the application itself. What components are relied upon? On the client we have the OS, Browser, JavaScript Engine, Rendering Engine, Client JavaScript, Image Processors, SSL components, kernel, network stack, etc. All that and we haven’t even left the client! On the server, think about the application, frameworks, Server’s OS, Server’s SSL configuration, etc. It’s a lot to know, but if you can hold all of that in your mind at once you can recognize when things are out of place, and when components are used incorrectly. This complete knowledge comes with time and expertise, but can be aided by intense research of each subject with a security focus in mind.
Imagination – Many times we don’t have all the information we’d like to have as security testers. When exploiting an SQL injection vulnerability, for instance, the security tester has to make certain leaps of faith about the underlying system and make educated guesses about what is really going on to create a really effective test.
Evil streak – The previous two pillars of expertise will only take you so far in your quest for security testing nirvana; the pillar that is a game-changer is the ability to think like the attacker. The desire to cause your application true pain and agony is what we should strive for. Don’t stop at the possibility of a vulnerability, instead take it to its logical end, string multiple vulnerabilities together like a combo move in Street Fighter. Anticipate the way the attacker will visualize the system and use that against the application; which may have been built with only functionality in mind. Similar to mapping out the many ways a burglar might be able to break into your house, the similar thought process is needed for security testing so that you cover all the creative ways an attacker could exploit your application.
In my next three blog posts, I’ll discuss each of these pillars in more depth and provide a few tips on how to become an expert in each field.
Security Innovation is hiring. If you think you've got the three qualities I describe above and aren't completely and utterly excited about the job you currently have come work for us. We have some of the best perks in the industry and you'll be having as much fun as you've ever had at work.
To Apply send an e-mail to jobs@securityinnovation.com or try your hand at our challenge website at http://challenge.si.vc if you get stuck on the challenge just send an e-mail to the e-mail address above and we'll give you a hint. The challenge is supposed to be fun, so have fun with it!
Read on to learn more about what it means to have Complete Knowledge of the System
