Author Topic: Why I think all security testers should know QA and QA testers should know sec.  (Read 1073 times)


Jackal
Well, honestly, QA testing principles helped me in one big area: automation. QA has helped me write better tools, both for general use and for the specific job. For example, why run a vulnerability scanner that is so noisy when you can crawl the site, find all the PHP scripts, write a test script to test all of them for SQLi (or Ruby), and go out for coffee or an early lunch until the script is done? Sure, the script will take 20 minutes or so to write, but in the end you have much less to worry over. Additionally, Selenium, or web browser drivers in general, are insanely useful for searching for specific vulnerabilities as well. If you don't want to outright attack and instead wish to enumerate the vulns, you can simply go through all the href tags on the site with php? or aspx? and tell it to click on them, which is achievable with a driver and a parsing library, and then append different WAF evasion methods to an XSS payload or SQLi. You could write a specific test case for the different vulns it might have, so for all the scripts that refer to a file, try LFI, RFI and dir traversal along with the other attacks. Though the way I type things might be garbled up, I'm sure you see my point: QA testers should know sec to a basic degree, because most companies don't pay for sec staff, yet QA is still there for many companies. Long story short, I have a problem with sec testers in the sense that they really avoid programming. It's fine to be a lazy programmer in sec, but sometimes, even when it saves you time to create an automated test case and you'd have the rest of your day freed up, you still refuse to do it.
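As an added illustration of the QA-style approach described in the post above (this is example code written for this page, not anything Jackal or any project published), here is a small regression harness in the shape a QA engineer would put in a CI job: it parses an HTML page, enumerates every href that points at a `.php?` or `.aspx?` script together with the query parameters it takes, then sends a harmless canary string into each parameter of the application under test and flags any parameter that is echoed back without output encoding. The `SAMPLE_INDEX` page and the `fake_app` handler are constructed stand-ins for a real site and a real HTTP client; no network access is involved.

```python
import re
import html
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample landing page (not taken from any real site). Only the
# links to dynamic scripts with a query string are interesting for the test.
SAMPLE_INDEX = """
<html><body>
  <a href="/search.php?q=test">Search</a>
  <a href="/item.aspx?id=1&ref=home">Item 1</a>
  <a href="/about.html">About</a>
  <a href="https://example.com/static/logo.png">Logo</a>
</body></html>
"""

# Matches hrefs such as "/search.php?q=..." or "/item.aspx?id=..."
DYNAMIC_SCRIPT = re.compile(r"\.(php|aspx)\?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects the href attribute of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def enumerate_targets(page_html):
    """Return {script_path: [parameter names]} for every dynamic href."""
    collector = LinkCollector()
    collector.feed(page_html)
    targets = {}
    for href in collector.links:
        if not DYNAMIC_SCRIPT.search(href):
            continue
        parsed = urlparse(href)
        params = parse_qs(parsed.query, keep_blank_values=True)
        targets.setdefault(parsed.path, set()).update(params)
    return {path: sorted(names) for path, names in targets.items()}


# A harmless marker: if it comes back verbatim, the parameter is rendered
# into HTML without encoding, which is the regression the test looks for.
CANARY = "qa<canary>'\"&"


def reflection_regressions(app, targets):
    """Send the canary into each (script, parameter); report unencoded echoes.

    `app(path, params)` is the application under test; in CI this would wrap
    a real HTTP client, here it is the constructed fake_app below.
    """
    findings = []
    for path, params in targets.items():
        for name in params:
            body = app(path, {name: CANARY})
            if CANARY in body:
                findings.append((path, name))
    return sorted(findings)


def fake_app(path, params):
    """Constructed stand-in for the site: one handler encodes, one does not."""
    if path == "/search.php":
        # Defect under test: the query is interpolated into HTML unencoded.
        return "<p>Results for %s</p>" % params.get("q", "")
    if path == "/item.aspx":
        # Correct handling: output is HTML-escaped before rendering.
        return "<p>Item %s</p>" % html.escape(params.get("id", ""))
    return "<p>not found</p>"


if __name__ == "__main__":
    found = enumerate_targets(SAMPLE_INDEX)
    print("dynamic scripts:", found)
    print("unencoded reflections:", reflection_regressions(fake_app, found))
```

The check is deliberately a presence test on the raw canary rather than a real payload: a QA job only needs to know that a parameter reaches the page without encoding, and the canary contains every character an encoder must handle, so the same test doubles as a regression guard after the fix.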

_Enigma
I definitely agree that there should be a little overlap when it comes to the skills and responsibilities of QA and Sec, but I think you're making an oversimplification of what we do.

I'm not very fond of using automated scanners myself, but something you program in 20 minutes is not going to have the same breadth or depth of test cases. There are thousands of ways to avoid certain defensive methods and plenty of special-case scenarios that require this bulk testing. I agree creating tools or test cases should be within the skillset of a security professional, but I think you're making it sound like if something is vulnerable to SQLi or XSS it'll pop after 5 attempts...

In my experience automated testing does a lot to give you good places to look or identify patterns about the application, but nothing beats good ol' manual analysis.
« Last Edit: January 10, 2016, 06:42:50 pm by _Enigma »

Jackal
I hate vulnerability scanners too, and I never really use them when I'm doing free play, to be honest. But what I'm saying is, if you do the recon beforehand on a company and you're assessing web app security, you spider all the sites exposed to the internet and write a test to do all of them; it saves time and gets the low-hanging fruit, you feel me. What bothers me is that a lot of pentesters are just dudes that started playing with BackTrack a few years ago.

Jackal
But I never said I'm big on vuln scanners. I hate Nessus, I hate Nikto, Vega, shit like that; too noisy, and I won't use it unless I have to. To be honest, I basically use some common XSS evasion filters and sqlmap tamper script payloads along with my own modified payloads for evasion, just, you know, to see what works and what doesn't after I comb through the results. Manual recon first is necessary, but writing test cases for the results of recon helps you when you gotta do other shit.

_Enigma
It depends on what your job is. If it's to try to find a single vulnerability in an application that you can use to further exploit the system, sure, a vuln scanner would be too noisy. When it's your job to make sure there are as few vulnerabilities in an application as possible, then vulnerability scanners become very useful.

Jackal
Which is why I said I never use it for play, just for corporate assessment. If you have permission, by all means go ahead and use the scanner; if not, well, I think it should be a last resort of desperation.

_Enigma
Well, everything you've talked about so far implies that someone with the job title of security tester shouldn't be using these tools... Your thread focuses on a corporate environment, since you are talking about these positions.

Jackal
Dude, you seem to be looking for a debate, but security testing isn't isolated to your occupation. You could be a janitor and a sec tester, in which case I wouldn't recommend vuln scans.

phunkpwnz
Interesting discussion, but also gotta consider that these vulnerability scanners have configurations that can be fine-tuned to be less noisy if the tester has in-depth knowledge of what they are using.