
RE: WebAppSec Training Courses in UK

From: Glyn <glyng(at)bigfoot.com>
Date: Wed Dec 04 2002 - 05:18:51 EST


Hiya,

I've addressed your points inline.

G

> -----Original Message-----

All security review, audit and assessment represent a snapshot, and are subject to prevailing practice and disclosure. This relates particularly to infrastructure vulnerability assessments (e.g. those based on tool output, announced vulnerability data and manual research) and, to a degree, conceptual assessments relating to architectural review and best practice audit (bespoke design, configuration, coding or deployment). A good assessment consultant will both detail specific fixes within the environment and make strategic recommendations to mitigate against future or chained attacks through hitherto unreleased problems. The scope of recommendations may well include policy and procedural changes as well as 'download this patch'.

Application Security Assessment (pen-testing) was merely the third of my proposed broad categories. The first two address secure design and build - strategies for longer term security.

> Having run some teams for some well known consulting
> companies in the past I know all too well the business model
> and why it's pushed so hard by them. Now working in corporate
> America I also see why we the clients (yeah we as in my
> company and others at like minded user groups who

Indeed, many consultancies (but by no means all) are focussed on their own interpretation and methodologies rather than listening to client requirements. The security services industry evolves based on feedback from such user-groups, and many of us are active members of them. The client dictates the 'product', we add to and provide it where appropriate.


> <rant>

Hence projects such as OWASP and OSSTMM proposing methodologies and inviting comment and contributions. There is a shocking lack of accreditation within the IT industry, including security and particularly within the security assessment fields. In the absence of such qualifications, open-source frameworks provide real benchmarks by which to measure service providers.

> tested were. Secondly with 78% of attacks being from insiders

This typically relates to successful infrastructure attacks, but is still true in many cases (the prevalence of hybrid threats and worms have shifted the balance back towards the external threat, however, according to recent figures from the DTI, FBI and others). Indeed, application insecurities highlight the implications of the soft centre within the hard shell.

> little value. Too many companies reports read "High

IMHO, security assessment (as opposed to black box pentesting) isn't about detailing 'a' way into an environment, it's about identifying 'any and all', i.e. the most likely risks that may be exploited, and proposing mitigating strategies.

That is the philosophy I describe to potential clients, and the one by which I perform said assessments.

I agree that there are many that rely on shock value to intimate value. That is why public, open source guidelines are important.


For the most part, people accept the insecurities of computer systems. It's no longer relevant to prove a break-in is possible, as that leaves the client feeling exposed and with no way forward. The successful outcome is to eliminate most of the threat, and mitigate against the rest (which may be a non-technical solution, e.g. insurance).

> in one place can lead to it in another. It's the consulting
> fluff syndrome. You've all heard it before I am sure. "These
> sessionID's don't look random". Well test the randomness if
> you have a math degree! If not look for the source of
> randomness and if /urandom is used then call it out.
> </rant>

<rant>I have a mathematics and computer science degree and apply it where relevant.</rant> ;)

There are those that use a shoddy assessment and shock tactics to push product sales. They should be identified early in the tender process.

There are those that aim to provide a full and comprehensive assessment suite for its own sake, not as a door opener to further sales.

> Someone once used a great analogy. If you're testing for
> cancer would you take someone's temperature? Would you look
> at their eyeballs? Hell No! Get them on the cat scan machine.

You may apply the aforementioned tests to eliminate many of the hypochondriacs before spending good money on the cat-scan...

> One of the things I liked when I spoke to the OWASP testing
> people was how they are going to cover what I think should be
> included in a web application security testing methodology.


Agreed.

> In a structured meaningful test you need to firstly sit down

Firstly, the business requirements and aspirations.

> say there is a problem unless you know the requirements and

Again, the aim of OWASP appears to be to raise awareness of commonly made, and exploitable, mistakes; and therefore eliminate them. Furthermore, it aims to propose strategic and practical guidelines to eliminate bad, and insecure, practice.

> Then there is a technical assessment which is where most

I agree - the ideal assessment scenario, for me, is: 1/ Review the design from a security perspective, 2/ Ensure it has been implemented as expected.

> And then there's a security source code review, a web
> application security management review (what happens when it


Agreed. Policy and procedure are not glamorous, but are essential to the security of an environment. Code reviews can be a time consuming and costly exercise. An application assessment bridges the middle-ground (as early infrastructure penetration tests did), mitigating against the highest impact, most exposed risks - setting precedents for a securer environment.

> Web application security assessment is far more than a pen

Agreed.

> test. They are prevalent because consulting companies can

I would, and could, not work for those with such a cynical view. Many on this list would agree.

> the consulting companies. If you pay 40K for a hit and run

Cowboys are getting nowhere in this market! Clients (rightly) expect a road-map for a secure future, not a demonstration of a breach for their $40k. "Any and all" vulnerabilities, not "a" vulnerability - the minimum requirement.

> to pay $40K for the next then its not economical and the


Yes, there are a number of aspects. From architecture, to design, to deployment. And once those relating to the infrastructure are considered, one must review the application(s) themselves. It's usually the brand and data we're trying to protect, and the application by definition is often the highest exposure of that risk.

> strategically not tactically. Assess how security is baked
> into the development process and not just in a deployment scenario.

My point precisely. Workshops and training to enlighten developers. Peer review to validate designs and project plans. Code and application assessment to ensure the project runs securely to schedule.

> On Tue, 03 Dec 2002 01:54:14 -0800 Glyn Geoghegan
> <glyn.geoghegan@corsaire.com> wrote:

<snip>

Received on Wed Dec 4 10:50:53 2002
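The quoted rant above asks an assessor to actually test session ID randomness rather than eyeball it. The script below is an added example, not part of the original post or of any OWASP/OSSTMM material; it shows the cheap, defensible checks an assessor can run over a sample of IDs before reaching for formal statistical suites: per-position Shannon entropy (to find fixed or near-fixed characters) and the fraction of consecutive IDs that differ by a small step (the signature of counter- or timestamp-driven generators). The two samples it runs are constructed: a hex counter as the weak case and `secrets.token_hex` (the OS CSPRNG) as the baseline.

```python
"""Cheap sanity checks on a sample of session identifiers (added example).

Constructed inputs: a fixed-width hex counter (weak) and 128-bit IDs from
the OS CSPRNG via `secrets` (baseline). The thresholds are assumptions,
chosen to separate those two cases clearly, not industry standards.
"""
import math
import secrets
from collections import Counter


def shannon_entropy_bits(symbols):
    """Shannon entropy (bits) of the empirical distribution of `symbols`."""
    n = len(symbols)
    # 0.0 - sum(...) avoids returning -0.0 for a constant column
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def positional_entropy(ids):
    """Entropy at each character position across a sample of equal-length IDs.

    A position that never changes contributes 0 bits; for hex digits the
    ceiling is 4 bits, so a healthy generator sits close to 4 everywhere.
    """
    width = len(ids[0])
    if any(len(i) != width for i in ids):
        raise ValueError("all session IDs in the sample must have the same length")
    return [shannon_entropy_bits([i[pos] for i in ids]) for pos in range(width)]


def predictable_step_fraction(hex_ids, window_bits=16):
    """Fraction of consecutive IDs whose integer values differ by < 2**window_bits.

    Counter- or clock-driven generators produce small steps between IDs
    issued in sequence; a CSPRNG essentially never does for IDs of 64+ bits.
    """
    values = [int(i, 16) for i in hex_ids]
    pairs = list(zip(values, values[1:]))
    close = sum(1 for a, b in pairs if abs(b - a) < 2 ** window_bits)
    return close / len(pairs)


def assess_session_ids(hex_ids):
    """Summarise a sample and flag it if any cheap test exposes structure."""
    per_pos = positional_entropy(hex_ids)
    result = {
        "sample_size": len(hex_ids),
        "min_positional_entropy": min(per_pos),
        "mean_positional_entropy": sum(per_pos) / len(per_pos),
        "fixed_positions": sum(1 for e in per_pos if e == 0.0),
        "predictable_step_fraction": predictable_step_fraction(hex_ids),
    }
    # Assumed thresholds: any constant position, or more than 5% of
    # consecutive pairs within a 16-bit window, is enough to call it out.
    result["weak"] = (result["fixed_positions"] > 0
                      or result["predictable_step_fraction"] > 0.05)
    return result


def counter_ids(n, start=0x5EED0000C0FFEE00, width=32):
    """Constructed weak generator: a zero-padded hex counter."""
    return [format(start + i, f"0{width}x") for i in range(n)]


def csprng_ids(n, nbytes=16):
    """Baseline: 128-bit IDs drawn from the OS CSPRNG."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("counter", counter_ids(500)), ("csprng", csprng_ids(500))):
        print(label, assess_session_ids(sample))
```

In practice the sample comes from repeatedly requesting a fresh session against the application under assessment; the point of the step test is that it catches the "/urandom or not" question empirically when the source cannot be read, while the positional entropy spots fixed prefixes and suffixes that silently shrink the effective key space.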
