At least for just a second or two.
There is a problem that I have been fighting with. Lately many security testers are becoming like the TSA... Trained to look for very specific things.
For example, TSA agents appear to be focused on looking for things like scissors, or containers with the ability to hold more than 3 to 3.4 ounces of fluid. Rather than looking for threats, we are focusing our TSA on looking for specific things.
And that is the problem with many penetration tests today: they are looking for specific things. Many of us are reducing our craft to the search for XSS, XSRF and SQLi vulnerabilities (just to name a few). However, I would say that a test that looks for only those types of vulnerabilities is sub-par at best.
Here is why. We need to be looking at how the application and the network function. We need to understand how it is transferring data from the back end to the web front end. We need to try to understand how the data is being segmented and protected. All of this requires us to try to understand how the application works. Trying to understand how something worked used to be the goal and definition of hacking.
Do you see the difference in perspective? If you are hunting for missing patches and other vulnerabilities you will find them, but you are missing out on the bigger (and probably more important) picture.
This focus on looking for specific vulnerabilities is weakening our profession in two ways. First, it is locking us into very small and well-defined roles. Unfortunately, this type of mindset is driving many of the audit standards that help us get work. Audit standard X says we should look for vulnerability Y, so that is what we look for. Second, and somewhat related, there are a number of outstanding tools that are automating that process. If at any point in your career the opportunity exists to replace you with a tool, your employer/customer will do it.
If we continue to allow this to happen the modern penetration tester will quickly become a thing of the past. We will have been replaced by a number of tools that look for the same defined sets of vulnerabilities.
The reason I am writing this is that on the past couple of tests I have been on, the tools have turned up squat. In fact, a couple of the customers use the exact same tools I use on a regular basis. However, I have been able to find fairly major holes in their applications or network architectures without tools. I just start messing around with different applications and accounts. To be honest, this approach is where I started. I strongly believe that this is where a good number of you started as well. We probably do our best work this way.
Automation and tools are great. I love all of the wonderful tools I have on my computers. But they are not sufficient to do a penetration test. If they are, we are all in big trouble. Run the tools, automate and print reports.
However, when the tools are done running, it is time to get back to basics. Consider a new definition of "Hack Naked": put all of your tools away and just use what you have at your disposal. A browser, an OS and a couple of test accounts are all you need.