Paco Hope Presents Security Testing for Muggles at STARWEST 2014
As an admitted Harry Potter nerd, I knew I had to attend Paco Hope’s keynote presentation, “Softwarts: Security Testing for Muggles.”
Paco, the principal consultant for Cigital, had the last keynote and the final event of STARWEST 2014, and he really committed to his subject matter: He took the stage wearing a bright purple robe and pointed hat, complete with a long, white beard.
Though he looked every bit the wizard, he peppered his talk with other geek lore as well, including The Lord of the Rings and Star Trek references.
Paco began by dispelling three security myths in the software testing world:
Security defects are different. From your perspective, he said, what you do is what you’d do with any other defect: You still need to track its impact, behavior, and result.
With that false conception out of the way, he removed his tall, pointed hat.
Security testers can do special things. Paco said people often take the attitude of “Security testers can find defects no one else can.” The reality is that functional testers usually can do things security people can’t do because they know the specifications of the software component under test.
He took off his long fake beard.
You need a magic wand. You don’t need a special tool to do security testing, Paco said. You already have a lot of the necessary tools: test inputs and test harnesses, the ability to execute important functions, logs and profiling information about how the system runs, user stories, use cases, and requirements. And most importantly, you know what the software is supposed to do.
With that, Paco took off the purple robe. "Now I'm dressed just like all of you," he said. You don't have to have special powers (or a special costume) to be an effective security tester. You just need the tools you already have.
So, what security testing can you do your way with the tools you already have?
In keeping with the magical theme, Paco revealed a "spell book" with four principles for security testing.
1. Orcs, not elves. For those not into The Lord of the Rings, Paco explained, “An orc is just a dumb brute with a blunt weapon that pretty much just understands ‘Kill.’” One orc alone can't do much damage; you don’t get to be Saruman with a single orc, but with fifty thousand orcs you can get some stuff done. That, he said, is the shape of a classic denial of service attack. It is also the shape of password cracking: when you see the big password breaches at major companies, attackers pull the hashed passwords out of the database and run an offline attack that tries every candidate password, as if each orc had a key and were trying it in the lock. As a tester, you want a horde of orcs working for you. Think of brute-force work such as denial of service or password guessing as commanding armies of dumb, cheap labor, and automate it.
2. No gold required. Most of the security tools Paco uses are free, he said, and most of them automate the work for you. There are also plenty of cheat sheets, tutorials, online communities, and open resources such as the OWASP projects, CVSS, and Kali Linux. You can get “free spells” from Twitter, too: experts in the testing community tend to be accessible, Paco said, and you can get real, useful information just by reaching out.
3. Reverse alchemy. This is what it sounds like, Paco said: “You take something gold and turn it into crap.” An intercepting HTTP proxy shows you the traffic between client and server, including traffic on secure connections; because the proxy has to present its own certificate to intercept TLS, it also tells you whether the client actually validates certificates. Monitor, intercept, and rewrite traffic in your local proxy: take something good and make it junk. Proxy the connection and tamper with it. How the application copes with tampered requests and responses tells you a lot about its security.
4. Use a spell book. You don’t need to have everything committed to memory. Your "spell book" should contain the commands for the common tests you like to perform and the specific payloads you need, including XML external entity (XXE) injection, malicious HTML and SQL, and the “billion laughs” entity-expansion attack. Apply these ingredients everywhere, alongside your negative test cases, and re-use the well-known malicious inputs against every input the application accepts. They will help you cover more of the attack surface.
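The offline password attack from principle 1, worked through as an added example (this is not code from the talk or from Cigital). The wordlist, the user names and the "leaked" digests are constructed here; the point is the cost arithmetic, which is why the same wordlist is run against an unsalted leak and a per-user-salted one.

```python
import hashlib

# Constructed data for this example: a toy wordlist and a toy "leak" of
# unsalted SHA-256 digests. Real leaks and wordlists are far larger, but the
# mechanics (and the cost arithmetic) are the same.
WORDLIST = ["password", "letmein", "hunter2", "correct horse", "qwerty"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Unsalted: the same password always produces the same digest.
LEAKED_UNSALTED = {
    "alice": sha256_hex("hunter2"),
    "bob": sha256_hex("qwerty"),
    "carol": sha256_hex("T0ugh-pass-9!"),  # not in the wordlist: stays uncracked
}

# Salted: each user's digest covers a per-user salt plus the password.
LEAKED_SALTED = {
    "alice": ("s1", sha256_hex("s1" + "hunter2")),
    "bob": ("s2", sha256_hex("s2" + "qwerty")),
    "carol": ("s3", sha256_hex("s3" + "T0ugh-pass-9!")),
}


def crack_unsalted(leak, wordlist):
    """Hash every candidate once, then look each leaked digest up in the table.
    Returns (cracked users, number of hash operations spent): the cost is one
    pass over the wordlist no matter how many users leaked."""
    table = {sha256_hex(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in leak.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(leak, wordlist):
    """With per-user salts the precomputed table is useless: every user needs
    a fresh pass over the wordlist, so the work is len(wordlist) * len(leak)."""
    cracked = {}
    ops = 0
    for user, (salt, digest) in leak.items():
        for word in wordlist:
            ops += 1
            if sha256_hex(salt + word) == digest:
                cracked[user] = word
    return cracked, ops


if __name__ == "__main__":
    for name, func, leak in [("unsalted", crack_unsalted, LEAKED_UNSALTED),
                             ("salted", crack_salted, LEAKED_SALTED)]:
        found, ops = func(leak, WORDLIST)
        print(f"{name}: cracked {found} in {ops} hash operations")
```

Real cracking is done with tools such as hashcat or John the Ripper rather than a Python loop, but the lesson is the same one the "orcs" make: a salt multiplies the attacker's work by the number of users, and a deliberately slow password hash (bcrypt, scrypt, Argon2) multiplies the cost of every single guess. Checking that the application stores passwords that way is a test you can run without any special powers.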
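A minimal "spell book" for principle 4, as an added example that is not code from the talk. The payloads are the standard textbook ones (XXE, billion laughs, a script tag, a SQL quote break) constructed here; `render_comment_naive`, `render_comment_escaped` and `load_xml_guarded` are hypothetical stand-ins for code under test, and `cast` is the harness that runs every spell through a target and reports whether the payload was blocked, rejected, reflected back unchanged, or otherwise handled. The billion laughs payload is generated rather than pasted so the expansion arithmetic is visible; it is never fed to an unguarded parser here.

```python
import re
import html
import xml.etree.ElementTree as ET


def billion_laughs(depth: int = 10, fanout: int = 10) -> str:
    """Build the classic entity-expansion payload: `depth` entity declarations,
    each referencing the previous one `fanout` times. The text is tiny, but a
    parser that expands it materialises fanout ** (depth - 1) copies of "lol"."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth):
        refs = f"&lol{level - 1};" * fanout
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    dtd = "".join(decls)
    return f'<?xml version="1.0"?><!DOCTYPE lolz [{dtd}]><lolz>&lol{depth - 1};</lolz>'


def expansion_copies(depth: int = 10, fanout: int = 10) -> int:
    """How many copies of the base string a naive parser would produce."""
    return fanout ** (depth - 1)


# The spell book: textbook payloads, constructed here for the example.
SPELL_BOOK = {
    "xxe": ('<?xml version="1.0"?>'
            '<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            "<d>&xxe;</d>"),
    "billion_laughs": billion_laughs(),
    "xss": "<script>alert(1)</script>",
    "sqli": "' OR '1'='1",
}


# Hypothetical targets standing in for application code under test.
def render_comment_naive(text: str) -> str:
    return f"<p>{text}</p>"  # interpolates untrusted text straight into HTML


def render_comment_escaped(text: str) -> str:
    return f"<p>{html.escape(text, quote=True)}</p>"


DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def load_xml_guarded(doc: str) -> ET.Element:
    """Refuse any document carrying a DTD before the parser ever sees it.
    XXE and billion laughs both need entity declarations, so this shuts out
    the whole family rather than one payload."""
    if DTD_MARKER.search(doc):
        raise ValueError("DTD / entity declarations are not accepted")
    return ET.fromstring(doc)


def cast(spell: str, target) -> str:
    """Run one spell through a target and classify what happened."""
    try:
        out = target(spell)
    except ValueError:
        return "blocked"             # the target recognised and refused the input
    except ET.ParseError:
        return "rejected_by_parser"  # not well-formed; the parser gave up early
    if isinstance(out, str) and spell in out:
        return "reflected"           # payload came back intact: the dangerous case
    return "handled"


def run_spell_book(target) -> dict:
    """Cast every spell at one target and collect the verdicts by spell name."""
    return {name: cast(spell, target) for name, spell in SPELL_BOOK.items()}


if __name__ == "__main__":
    for target in (render_comment_naive, render_comment_escaped, load_xml_guarded):
        print(target.__name__, run_spell_book(target))
```

The verdicts are the interesting part: the naive renderer reflects every spell, the escaping renderer handles all of them, and the guarded XML loader blocks both DTD-based payloads while the parser itself rejects the SQL fragment as malformed. Growing the book is just adding entries; growing the coverage is pointing `run_spell_book` at every input handler you can reach from your existing harness.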
So, that’s how you become a security wizard like Paco Hope. You don’t even need robes.