Security Analysis | Application Security | Penetration Tests & more ..

Are Enterprises Aware Of A Defined Penetration Test?

It took me a decade of dedicated routine time to grasp a few legitimate questions and debunks, which we will be looking at frequently from here onwards. After having experienced a large number of strategic targets over a decade of nights, an expensive, totalitarian, disciplined existence in hacker community circles ranging from the Mexican boards and Russian boards to a few selected ones for intel, and having been a sincere executioner of myths and fanatics, including experience in sideswiping the best charlatans, who are evolving at a faster pace;

With all such detailed experience, I have in total truth concluded that larger-scale enterprises lack a defined understanding of what a Penetration Test really is. My study shows a very poor performance by the Enterprises, at a capital market reach far below the billion-dollar industry that the Cyber Security Market can upscale to. I will be the surgeon and would logically be concluding:

  1. Are they aware?
  2. Are even Cyber Security companies themselves aware?
  3. What about the Indian Enterprise eco-space? They look a complete joke by now.
  4. Re-iterating and re-focusing: is the Indian Enterprise eco-system aware of a dis-balanced IT Ops budget versus Security Ops budget?

.. wait - don't wait any longer to have a second thought about mistaking the wide information security domain for just a penetration test. The width I'm talking about takes grasping this whole domain .. I'll leave you with that width in the image below ..

(image: infosec)

A Penetration Test, within that huge, wide Information Security domain, is simply put a scoped engagement in an organization to settle on a risk factor, and it includes live infiltration of the organization's assets: the application stack or the network stack. The scope (which hosts, which applications, which credentials, and what is off limits) is what separates a test from an unbounded attack, so it is written down and agreed before anyone sends a packet. And no, this does not include social engineering attacks against people; that is Red Teaming, which has a larger strategic construct. Red Teaming involves several other facets and factors. We will debunk that later for good.

Right now, let's focus on the Penetration Test. What would it take for an Organization, an Enterprise highly decorated in all its reputed glories from decades of business investment, to fall apart from that reputation? This!

(image: reputationlossPT)


Developing Web Security Program for Enterprise Organizations

A long-awaited idea to make a web security program less complicated came to me while researching and reading a thesis for CERN (European Organization for Nuclear Research) that measures the effectiveness and efficiency of web security methodologies and techniques for their web applications, by employing EAST (Extensible Agile Security Testing) on their test-subject web applications and closely comparing older security methodology techniques against newer ones over two iterations of each.

I have already laid down the foundation of web application security testing in one of my previous posts. A web application security program is different from an actual security testing suite and from the actual implementation. This post is essentially the starting point for information security managers to normalize web application security programs, the required tools, resources and other necessary tasks, and to chalk out the right security program plan for their organizations at the Enterprise level. To loosely present the overall process here, it's relevant to discuss the essential pointers for any web application security program.

Note: A security test plan is different from a security program. The security program must be in place first; the program then decides the security test plans, with different test cases according to its requirements (both business and functional). I have done extensive research to distil the procedure into fundamental terms as far as possible, and have kept this post focused on exploring the web security program rather than elevating it into a discussion of the security test plan.

Basically, an overall information security plan can only be reduced down if a certain program is in place in the enterprise organization. This is done by first asking whether any security planning is required or is inessential to the nature of the business .. and for enterprise web applications the answer is almost always that it is required. I have discussed security governance in security testing before, as an overall process alongside Application Lifecycle Management (ALM), and would again like to emphasize 'governance', since it is the management of these processes (the security program). Substantial information about this overall security program setup can be demonstrated by both top-down and bottom-up approaches, across strategic risks and tactical risks. Strategic risks are those that are assumed to be treated before deployment of the software (web applications, for instance); tactical risks are those that are treated or handled in tactical ways to mitigate risk.

To understand how a security program can be set up, there are three primary concerns and focus areas for a professional security governance manager, and these are:

  1. Security Planning
  2. Security Execution
  3. Security Post-Execution

.. is it that hard to integrate security into SDLC?

Web Applications (useful applications served in Web 2.0/3.0) today are rich and serve an intended purpose, be it an e-commerce website or a collaborative API that lets people re-create something useful from new ideas. It's completely safe to assume web applications should have a generic SDLC (software development life cycle, or system development life cycle) comparable to that of thick-client software and, not surprisingly, they do!

Software goes through phases of development known as the SDLC, which represents how a particular task is carried out periodically and efficiently for better code productivity in terms of functionality. The generic overview of an SDLC is to break tasks into pieces so that they can be managed well and later integrated into a complete working product for the intended consumers of that product. Similarly, Enterprise Web Applications go through application development processes, and in each phase of the process a separate developer working on a unit is responsible for that particular code and hence is its maintainer. An SDLC isn't short and static at the Enterprise level but gets worse and more complex as phases shift from one stage to another. The main ingredients are:

  • Functional Project Management
  • Technical Project Management
  • Information Security Assurances
  • System Integration Test Plan/Integration Test Cases
  • User Acceptance Test Plan/ Acceptance Test Cases

.. and most of what everyone else knows, and what project managers are theoretically trained to prepare for, boils down to:

  • Planning
  • Requirement Analysis
  • Design
  • Development
  • System Integration
  • User Acceptance and Parallel Testing
  • Implementation
  • Operations and Maintainence

All of the aforementioned are packaged into the five supersets, i.e. functional project management, technical project management, information security assurances, system integration test plan and integration test cases, and user acceptance test plan and acceptance test cases. We are more concerned with Information Security Assurances, and not far along this path we'll be introduced to how information security is governed, where the SDLC is overruled by its superset, and precisely when security is to be placed into the SDLC, thoughtfully, by its governing superset.

##But the Question Remains ..


and the following isn’t discouraging!

Here's why software security will always be a growing concern for leading technologies as well as for those who depend on them: corporations, companies, industry, small-scale businesses and, at a personal level, social sites too. What we are talking about here isn't a particular de facto technology standard but the **economics** of web application software and its technologies, and how they can be measured in order to provide a continuous flow of quality in security.

Almost every time a new standard or technology is released, it contains vulnerabilities. Most often these vulnerabilities are either hunted down through platforms such as bug bounties, dealt with privately by an internal security team, or traded as 0days. It's no longer about how one was able to compromise an application in order to gain, trade or protect data, but about how important it could have been, or has been, as an impact on the business in question. Almost all technical security researchers can identify vulnerabilities and claim they have been protecting the industry; but what about measuring those vulnerabilities in terms of monetary impact on the business concerned? This post talks about that corner of the web application security industry which hasn't been much appreciated but still remains the core foundation of providing real security.

To **quantify** the expenditure incurred due to the presence of a vulnerability, or a chain of vulnerabilities, isn't an unknown art, but it is perceived as the most analytical kind of security research and therefore requires patience and a core understanding of the vulnerability: most importantly business-wise, in terms of quantifying it as monetary impact, and also in terms of technical impact that could lead to further compromise or weaken a particular asset. To me there are three categories of businesses:

  • Industrial scale business
  • Retail scale business
  • Personal scale business

Each has its own valuation in the market, and having said that, I further look at asset classifications for them. For example, a stock market would be an industrial-scale business, and it might have these assets:

  1. people
  2. investors
  3. investments
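The post talks about quantifying a vulnerability, or a chain of them, as monetary impact but does not show the arithmetic. As an added worked example (my code, not the post's), here is the standard quantitative risk model put into code: single loss expectancy is asset value times exposure factor, annualized loss expectancy is SLE times the annual rate of occurrence, and return on security investment compares the ALE a control removes against what the control costs. It reuses the post's stock-market assets (investors, investments) with constructed valuations and hypothetical vulnerability labels, and it goes one step beyond the post by collapsing a chain of vulnerabilities into a single entry under stated simplifying assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Something the business values; `value` is its monetary valuation (constructed)."""
    name: str
    value: float


@dataclass(frozen=True)
class Vulnerability:
    """One weakness against one asset.

    exposure_factor: fraction of the asset's value lost per successful exploit (0..1).
    annual_rate: expected number of successful exploits per year (the ARO).
    The `label` values in the sample data below are hypothetical, not real CVE ids.
    """
    asset: Asset
    label: str
    exposure_factor: float
    annual_rate: float


def single_loss_expectancy(v: Vulnerability) -> float:
    """SLE = asset value * exposure factor: the cost of one successful exploit."""
    return v.asset.value * v.exposure_factor


def annualized_loss_expectancy(v: Vulnerability) -> float:
    """ALE = SLE * ARO: the expected yearly cost of leaving the vulnerability in place."""
    return single_loss_expectancy(v) * v.annual_rate


def chain(steps: list[Vulnerability], label: str) -> Vulnerability:
    """Collapse a chain of vulnerabilities against one asset into a single entry.

    Simplifying assumptions (mine, not the post's): every step is required, so the
    chain succeeds no more often than its least frequent step; and each step takes a
    fraction of what the previous steps left, so the combined exposure is
    1 - prod(1 - EF_i) rather than a plain sum (which could exceed 100%).
    """
    assets = {s.asset for s in steps}
    if len(assets) != 1:
        raise ValueError("a chain must target exactly one asset")
    remaining = 1.0
    for s in steps:
        remaining *= 1.0 - s.exposure_factor
    return Vulnerability(
        asset=next(iter(assets)),
        label=label,
        exposure_factor=1.0 - remaining,
        annual_rate=min(s.annual_rate for s in steps),
    )


def portfolio_ale(vulns: list[Vulnerability]) -> dict[str, float]:
    """Total ALE per asset, treating separate entries as independent."""
    totals: dict[str, float] = {}
    for v in vulns:
        totals[v.asset.name] = totals.get(v.asset.name, 0.0) + annualized_loss_expectancy(v)
    return totals


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment for a control costing `control_cost` per year."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed sample figures for the post's stock-market example; none of these
# valuations, rates or weaknesses come from the post.
INVESTMENTS = Asset("investments", 10_000_000.0)
INVESTORS = Asset("investors", 4_000_000.0)

IDOR = Vulnerability(INVESTMENTS, "idor-on-portfolio-api", 0.02, 0.5)
CSRF = Vulnerability(INVESTMENTS, "csrf-on-transfer-form", 0.03, 0.5)
PII_LEAK = Vulnerability(INVESTORS, "investor-pii-exposure", 0.10, 0.2)

# CSRF to reach the transfer form, then IDOR to move someone else's holdings.
TRANSFER_CHAIN = chain([IDOR, CSRF], "csrf-then-idor-transfer")


def worked_example() -> dict[str, float]:
    """Before/after figures for fixing the CSRF link (hypothetical control: 40k per year)."""
    before = portfolio_ale([TRANSFER_CHAIN, PII_LEAK])
    after = portfolio_ale([IDOR, PII_LEAK])  # chain broken; the IDOR alone remains
    control_cost = 40_000.0
    return {
        "ale_investments_before": before["investments"],
        "ale_investments_after": after["investments"],
        "rosi_fix_csrf": rosi(before["investments"], after["investments"], control_cost),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k:>24}: {v:,.2f}")
```

The point of the exercise is the last number: a fix that removes 147,000 of expected yearly loss for 40,000 returns 2.675 times its cost, which is the figure a budget holder can compare against the IT Ops line, whereas a CVSS score cannot be put on the same page as a budget.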

Now, taking the same example, it’s self-evident that people lead to processes in their business as per their role; this could be:

post @ 2015-07-14

and getting started with Octopress 2.0!

If you drove off here to learn about the Octopress framework and get started rapidly, within an hour, this could be your best bet; or you could research and end up in a thousand more blogs, arriving at the same thing only after having lost hours linking one solution to another problem and vice versa.

##Why migrate to Octopress?

Why would a chap like me want to migrate from Wordpress to Octopress? For that I would first need to answer the problems with the basic setup, i.e. the PHP/MySQL stack: a completely stupid stack which needs plugin/code updates etc. in the long run and generates more dynamic pages, parameters etc., exhaling more security loopholes.

####Pointers:

  • I never wanted to maintain security updates
  • Being in Security, I know the pain
  • A nice attempt to keep it clean
  • Not at all for novice users
  • Above gives heartache

##In a Nutshell

| Octopress | Wordpress |
|---|---|
| Markdown powered | Driven by UI interface |
| Parse engine choice | WP engine default |
| Novice unfriendly | Novice userbase recommended |

##Deploying to Github:

post @ 2015-03-12

Readers,

It's been a while since I was in a move to port my old blog at pwntoken.wordpress.com to Octopress. I chose Octopress over Wordpress because of the functionality, the learning experience for new-age hackers and the speed. Along with the added repository at github, I have made this one available to the public from github's site publishing service (git pages).

Here’s a couple of pointers I would like to add on this introductory post and what this blog would essentially be about:

  • computer science
  • information security research
  • web application security research
  • network infrastructure security research

A couple of other posts could make it out here. To get an overall abstract of the posts, it's recommended to take note of the category section and then click on the link for your subject of interest. The sole purpose of this blog is to serve as personal research tracking for myself and to keep a regulatory note of the information security sciences for analytical study and of their development in past, present, recent and future times; however, the collected informational repository made out here could be used for incorporation of working knowledge into practical measures, given that original credits are included and that the outcome of any code mentioned or copied herein does not hold its authors accountable.

I hope the readers will find this blog informative and updated from time to time, and that it will be a good resource overall for the information security community. I look forward to constant feedback, if any. Time to get back to the originals.

Update: Please keep referencing these which might be very useful from time to time ..

- [How to set up a cloned Octopress blog and keep accessing it from different machines, also the basic working of Octopress](http://blog.zerosharp.com/clone-your-octopress-to-blog-from-two-places/)

Regards,
Shritam Bhowmick,
Independent Security Consultant
