Re: Pentesting tool - Commercial

From: Andre Gironda (andreg@gmail.com)
Date: Tue Mar 04 2008 - 16:04:42 EST


On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve@pogostick.net> wrote:
> This might be a bit hard for you to understand, I see that, but just
> trust me - ok?
> There is a world outside of web servers and web applications. There are
> tests that need to be done outside the scope of owasp, and there are
> companies with more complex systems than those of auction sites.

I'm not talking solely about web applications for auction sites. Did
you read my bio somewhere?

> Parts of this world contain servers that perform different tasks like
> backup, store databases, process data, pass mail etc. You also have
> clients, routers, switches, as well as the wide variety of different
> systems that perform security tasks at different levels. This is usually
> referred to as an infrastructure. Most companies have this, and it's
> quite fascinating.

After being primarily an autodidact operator for 12 years, I think I'm
allowed to speak to these needs as equally as I do about web
applications or auction sites. A lot of this comes from my experience
as a BGP and Internet data center LAN operator.

For the assessment work I've done in the past two years on
"infrastructure"... yes, I wish that I had access to something like
Nipper, Redseal, or Skybox. Yes, I wish I had access to Core Impact,
Qualys Guard, and Canvas+packs. Would they have been worth the money
printed to buy them? No, I can safely say that all of these
assessments were better done without these "tools". The manual
inspection of every line of configuration - whether IOS, CatOS, JunOS,
ScreenOS, et al - is more important. Even for web servers this is
true - certainly the Apache Cookbook and the logging / event-handling
recommendations from the Web Application Hacker's Handbook have quite
a lot to add to the process of securing a web application.

I'm not an open-source bigot, but I can't argue with the free nature
of Nipper, the CIS benchmark tools, and many of the freely available
guides. Comparing GFI LANguard Network Security Scanner 8 to Qualys
Guard is a stretch, but one is free for 30 days with issues fixed and
the other is only a free 14-day trial with issues left open. I admit
that not all of my logic is perfect... as long as the
penetration-testing industry is willing to admit that 99% of their
testers and tools are 99% invalid and unworkable.

How is any consulting company supposed to address all of these issues
in a two-week window of opportunity? Core Impact RPT might be fast, but
it's also going to put these assessment consulting companies out of
business if they have to pay into an expensive tool that still only
views 10% of the issues without fixing any of them.

> So, in this thing called infrastructure - you also have vulnerabilities.
> Either through bad design, implementation, wrong use or configurations
> of software at different levels or due to lack of maintenance.
> Some of these can be found and addressed quite quickly by the use of
> tools, while others need manual testing before they reveal themselves.

Some of these issues can be found using these tools. But not all of
the issues can be.

The primary "issue" that penetration-testing tools address is
awareness. They bring light (and hopefully funding) to a huge
problem. I spoke to an easy and scaled way of handling this, which
included Core Impact at the end of a formal process a few emails back.

The deliverable shouldn't be awareness - it should be workable
solutions. Most of the time - these aren't technical at all.
Strategy consulting is a good start to any project of this nature, and
while the cost might be the same as a two-week assessment, it only
takes up 1-2 days of a client's time, which really equates to much
better savings for the client because a two-week assessment is a large
investment for them.

I would hit a few key areas:
1) Software acquisition. How does the client acquire new software?
Does it come with hardware out-of-the-box (e.g. installed on a
router)?
2) Software update. How does the client upgrade/update their software?
3) Software configuration. How does the client configure their
software? How do they handle changes?
4) Software development. Does the client write their own software?
What processes do they use?

I'm fairly impressed with the BITS Shared Assessments Program
Standardized Information Gathering questionnaire as a starting point,
which is also available in a SIG-Lite version. Note that you don't
have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002,
or PCI-DSS.

When I say, "workable", I am referring to the "root-cause" of the
vulnerability problems in any given organization. I know that many
penetration-testing tool, assessment-based organizations,
vulnerability research businesses, and "security" consulting companies
base all of their future income on FUD in order to sell more
products/solutions (and seem to get off on this fact). I find this
demoralizing and reprehensible.

> A common approach is to do a full test using a lot of tools that address
> known vulnerabilities, common design flaws and such - in combination
> with penetration testing tools to sort out false positives and confirm
> what sort of consequences a breach would have. In combination with
> firewall policy analyses, looking at the routines surrounding security
> all the way from development to maintenance you'll have some sort of
> baseline to work out from when it comes to the level of security. The
> work will also reveal how well the company can detect and address events.

Firewall policy analyzers? Testing the monitoring and response
capability? You really think these are valuable?

> Yeah - I answered on your trap, and I knew it would end up in another
> rant - like the ones you've been delivering the last 10+ years.
> And yeah, I know that even though this looks like text to the rest of
> us, for you it's just a Rorschach that makes you go off with a new rant
> - usually pretty far away from the subject.

I appreciate that you understand where I'm coming from. If my way of
educating you isn't working for you, then I suggest you figure it out
on your own by researching the facts for yourself.

Cheers,
Andre

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT