How Red Teams Hack Your Site To Save It

Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities and other issues."

For Those Left Wondering...

[Revotron]

From Wikipedia:

A red team is an independent group that seeks to challenge an organization in order to improve effectiveness.

Re:For Those Left Wondering...

[interkin3tic]

All this time, I thought the Red team was our enemy... they were really just trying to help us keep the flag more secure? Now I feel bad about killing them, t-bagging them, and calling them racist names.

WhiteHat Security.... McDonalds

[SecurityTheatre]

With all due respect, WhiteHat Security is the Denny's of web application testing shops.

Sure, they're one step above TrustWave (who are just "checklist compliance" shills and would qualify as the McDonalds of testing), but it's hardly what many places would call a proper "red team" approach.

The run automated tools and do a basic level of validation against those tools. The problem is that with web applications, the automated tools only get about 40% of issues and have a 50% false positive rate (or higher) in my experience. Their tools are pretty fancy compared even to the commercial scanning bits, but they aren't perfect.

There are plenty of boutique shops (and even some larger ones) that do more in-depth testing with more experienced testers. I'm not claiming that Mr Jones here isn't experienced, but more pointing out the general trend within some of the testing shops like WhiteHat.

Re:WhiteHat Security.... McDonalds

[Zapotek]

It's really simple:

• Automated tools are here to pick the low handing fruit;
• You should always validate their findings manually;
• You should, if you can afford it, hire someone who knows what he's doing to do a proper pen test.

Also, 50% false positive rate is useless and surprisingly bad, what sort of tools have you used?

As you can see from my sig I'm a dev of such a web app sec scanner and I'd really, really like to stress the first point I've made. If someone tries to sell you something that will make you completely secure you can tell them to their face: I'm sorry sir/madam, I'm not an idiot.

Use them to make your life easier while you do a manual check, integrate them into your SDLC (or just into your test suite) but do not trust them blindly; that's not how they're designed to be used.

Web scanners are seriously complicated systems and require a successful combination of a multitude of CS principles to in order to just be able to even finish their task, never mind returning useful results. Yes, we're making progress in analysis techniques and performance improvements and coverage but you'll never beat a human; on the other hand a human won't be able to inspect 200k pages either so just use some common sense and balance your expectations.

Re:This is actually common in corporations...

[OhSoLaMeow]

This is /. What would we know about penetration?