The last few weeks have brought some fairly interesting predictions for 2009 to bear in CSO Magazine columns. Two recent articles caught my eye from a penetration testing perspective.
In the first, Brian Chess, CTO of Fortify (they make source code review and software security tools, and he has written a great book on static analysis) predicted that penetration testing as we know it will die in 2009.
The premise of his argument is that penetration testing will die and be reborn in a different form, aiming more at preventing bugs from occurring rather than identifying them (rolling things into QA / SDLC, etc). Granted, it's a fairly valid point *in some respects*, albeit a biased one if you consider what he does for a living.
Ivan Arce (CTO of Core and pretty much as uber as they come) wrote a very well articulated response to this, stating the counter-viewpoint. I liked his response firstly because his points are valid, and secondly because it shows no bias toward his own product.
I won't repeat the articles, but it is interesting to ponder, especially in light of the number of people (customers) I know who read CSO Magazine and take what is written there as gospel (for better or worse).
Either way, the argument on the value and validity of penetration testing is still raised often these days (even though governance and compliance with standards is mandating it more and more). I think some of the 12 points that Ivan Arce lists in his response are awesome ammo when addressing this timeless question, so I'll snip them out and include them below.
1. A 35-year old practice with steadily increasing adoption rates does not usually disappear or transform itself substantially within just 12 months.
2. Penetration testing is intrinsically operational in nature. While pre-emptive measures such as security QA and testing and other SDLC practices may be useful to reduce the number of security vulnerabilities in custom or newly developed software, existing operational environments will continue to have bugs during 2009 due to the deployment of legacy or un-audited buggy applications.
3. Penetration testing is operational in nature (did I say that?). It deals with multistage and multilayered threats or attacks (not just vulnerabilities!) in real-world environments (not test labs) and then maps them explicitly to actual security risks. This will remain a valid use case scenario during 2009.
4. Penetration testing is tactical. It provides tangible, actionable information on how to incrementally improve an organization's security posture effectively to prevent real and specific attacks from happening and do so efficiently since it makes it easier to measure at least some form of return on security investment considering both the defense and offense technology currently available.
5. Penetration testing is strategic. If performed regularly, consistently and as part of an organization's overall security strategy, it becomes a useful and valuable practice to implement a program of constant improvement of information security.
6. Penetration testing is strategic. Incorporating an attacker's perspective to an organization's overall security strategy provides necessary checks and balances and improves the organization's ability to steer security policy in accordance to current trends in the threat landscape.
7. Penetration testing is not a silver bullet. It is best used in conjunction with other security practices and in doing so it amplifies those results with both positive and negative feedback (about what does and does not work).
8. Penetration testing is -- at least partially -- driven by compliance. It is a recommended or even a mandatory practice in several regulations, industry standards and organization's internal policies that will not go away in 2009.
9. The IT landscape is constantly evolving and will continue to do so in the next year. As new technologies emerge, new attack vectors become prevalent. Monitoring the evolution over time of sophisticated penetration testing techniques is a good leading indicator of threats that may see mass-adoption in the future which makes pen testing almost a necessity to improve SISSP qualifications.
10. There is money to be made selling penetration services and products. The opportunity will not go away in 2009.
11. Financial crisis and economic turmoil also means more and better opportunities for cybercrime. In the context of 2009 testing one's defenses periodically will be more (not less) necessary than if we had a more globally stable scenario.
12. Last but not least, five years ago IDS technology and its respective market was the "in thing" to make predictions about. Although predicted several times, the death of the IDS has been greatly exaggerated in the past years.
From the SourceBoston videos I blogged about:
Dr Geer never disappoints, and kicked it off with the 4 rules on his office wall:
The second quote that was awesome (during the interview with the l0pht members) was from Dildog, ex-l0pht, ex-@stake, now Veracode's chief scientist. The discussion turned to "security companies and snake oil", and the fact that Dildog was a "vendor" again. With a dry smile that could have been at home in a John Cleese movie, he replies:
"*nod*.. this time with feeling!"
This was a bit of a catchphrase in our office a few years back, after a QA process kicked back a report to an analyst with those words: "once more with feeling...". The difference between someone going through the motions and someone doing it with feeling is marked... and I can't imagine why anyone would do it any other way.
Slashdot picked up on the blog post from Light Blue TouchPaper commenting on the fact that a researcher was surprised to discover that simply putting an MD5 hash into Google returned a hit with a mapping to the original word.
This is an interesting concept. A while back, we decided to fiddle with the idea of using Google's indexing and spidering as a new take on the time/space trade-off for password cracking.
A simple CGI script accepts a single parameter. We then use URL rewriting to make the script look less scripty and more crawler-friendly.
A quick check on the internet shows that Google indexes the first 100k of a document, so our CGI sits around doing nothing until it is first visited:
Once it is, it generates all strings from a..ZZZZZ and prints them along with their MD5 hash:
So if you hit https://secure.sensepost.com/sp-hash/a, you would get:
Now, since Google only indexes up to a certain point in the doc, it's useless filling the page with all of the hashes, so at 100k we stop, and if the string at that point is abc, the CGI then creates a link to itself with abc as the parameter (in our picture it stops at pnt).
The crawler hits that link, effectively hitting and seeding the same CGI, which then keeps going ad infinitum.
This can be tested: a quick Google for site:secure.sensepost.com + adog will return:
(You can also use Google Webmaster Tools to pre-seed the spider.)
Unfortunately I never got back to it, but I noticed that while Google did index the full charset a..zzzzz, at some point some hits disappeared. I'm not sure if this is due to filtering on some of the words that emerged, or simply not enough link credibility.
I suspect that if the problem is the latter, it could be fixed by more people picking up seeds. In this plan, multiple people would run the CGI, and a type of delegation could be set up, so while Google is indexing me from a..zzz it is indexing someone else from zzz..ZZZ, etc. At just the cost of bandwidth, this would give useful results.
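As an added illustration (my own simulation, not the original CGI, which the post does not reproduce), here is the mechanism described above in Python: the a..ZZZZZ enumeration, the cut-off at the byte cap that yields the self-link parameter, and the reverse index a crawler would end up holding. The `salted_md5` helper is an assumption of mine, added to show why a salted digest never appears in any such precomputed index.

```python
import hashlib
import itertools
import string

# Candidate order as the post describes: every letter string from "a" up to
# "ZZZZZ", shortest first (max_len is kept small here so it runs in seconds).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase

def candidates(max_len):
    """Yield all strings over ALPHABET of length 1..max_len, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            yield "".join(chars)

def render_page(start, max_len=3, byte_cap=100_000):
    """Simulate one CGI page: '<word> <md5>' lines from `start` onward until
    byte_cap would be exceeded. Returns (page_text, next_start); next_start is
    the word that did not fit (the self-link parameter the post mentions, e.g.
    'pnt'), or None once the candidate space is exhausted."""
    lines, size = [], 0
    for word in itertools.dropwhile(lambda w: w != start, candidates(max_len)):
        line = f"{word} {hashlib.md5(word.encode()).hexdigest()}\n"
        if size + len(line) > byte_cap:
            return "".join(lines), word
        lines.append(line)
        size += len(line)
    return "".join(lines), None

def build_index(max_len):
    """What a crawler holds after following every self-link: a reverse map
    from MD5 hex digest to the original word (a local stand-in for Google)."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in candidates(max_len)}

def lookup(index, hexdigest):
    """The 'paste the hash into Google' step: reverse an unsalted MD5."""
    return index.get(hexdigest)

def salted_md5(word, salt):
    """Hypothetical salted variant (my addition): the digest now depends on
    the salt, so no precomputed table of plain md5(word) contains it."""
    return hashlib.md5((salt + word).encode()).hexdigest()

if __name__ == "__main__":
    page, nxt = render_page("a", max_len=3, byte_cap=2000)
    entries = page.count("\n")
    print(f"first page holds {entries} entries; next param = {nxt}")
    idx = build_index(2)
    print(lookup(idx, hashlib.md5(b"ab").hexdigest()))   # 'ab'
    print(lookup(idx, salted_md5("ab", "x7")))            # None
```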
VMware has just released beta 4 of its Fusion product for OS X.
The initial beta was hard to justify and a little flaky, which allowed Parallels to take an early lead. We still have people in the office who swear by Parallels. But in my book VMware has been such a life saver since we first started making heavy use of it (about 6 years ago) that I figured it was worth sticking it out.
In true VMware style, they have not disappointed. The last 2 versions have been solid on my Mac, and the introduction of snapshots with the last release has been a godsend. This release is the final beta and introduces Unity to match Parallels' Coherence.
I used to call Coherence gimmicky, but somehow the thought of IDA/Olly right on my desktop again makes me smile (I guess this makes me both a Mac and a VMware fanboy?)
VMware is about to IPO, and in much the same way as I would hesitate to buy shares in our local telco monopoly, I would love to buy some in VMware. They rock!