Saturday, January 2, 2016

What every penetration tester should learn in 2016?

1:46 PM Posted by ASM
The last few years have brought meaningful changes in the way IT professionals operate and the way we approach security.

This is a list of the trends that most IT experts agree will continue to shape DevOps. Every security specialist should learn about them, either as a tool in their toolbox or as a technology they may meet during an assessment:

Containers: Containers are invading the IT scene and changing the way developers write code and the way admins manage systems. Docker has started a new era of architectures built on microservices, continuous integration and cloud-based infrastructure.

Containers should be a tool in every security specialist's toolbox (for instance as disposable, reproducible environments for tools and test targets), and more work needs to be done to leverage the flexibility these systems offer.

Containers present both new challenges and new opportunities: challenges because the technology is young and its security practices are still immature (images of unknown provenance, all containers sharing the host kernel), but also real opportunities to help solve problems like patch management, rapid bug fixing and deployment.

JavaScript everywhere: many never saw this one coming, but JavaScript is now everywhere. The V8 engine brought a huge increase in JavaScript execution speed, which opened the door to running the same language on a website's front end and back end (Node.js). JavaScript is also used in more and more security tools (Frida, whose instrumentation scripts are written in JavaScript, and Cycript are the first to come to mind).

Frameworks like React, Angular, Ember and Polymer are now the norm and almost all major websites use them. Understanding how these frameworks work, the security challenges they introduce on the client side (DOM-based XSS, client-side template injection) and how to find and exploit vulnerabilities in the server-side APIs they talk to should be common knowledge for all pentesters.
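As an added example (not code from the original post, and not the code of any of the frameworks named above), here is a deliberately tiny stand-in for a client-side template engine. Like AngularJS 1.x it scans the markup it is handed for `{{ expression }}` and evaluates each one; the real frameworks use their own expression parsers, so the stand-in only shows the shape of the problem: once a client-side framework interprets the page, HTML-escaping user input on the server is no longer enough. The `ng-app` attribute and the two page builders are illustrative only.

```javascript
// Added example (not from the original post or any framework): a stand-in
// for client-side interpolation, used to show client-side template injection.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Stand-in for the framework's interpolation step: every {{...}} in the
// markup is evaluated once against the scope and the result is bound as
// text (HTML-escaped), which is how real frameworks bind {{ }} output.
// Real frameworks use their own expression language; the point is that the
// text between the braces is treated as code, not data.
function interpolate(markup, scope) {
  return markup.replace(/\{\{(.+?)\}\}/g, (_, expr) => {
    const fn = new Function('scope', `with (scope) { return (${expr}); }`);
    return escapeHtml(fn(scope));
  });
}

// Vulnerable pattern: the server reflects a query parameter into the markup
// after HTML-escaping it. No <script> survives, but the braces do, and the
// client-side framework then evaluates their content as an expression.
function vulnerablePage(query) {
  const serverHtml = `<div ng-app><p>Results for: ${escapeHtml(query)}</p></div>`;
  return interpolate(serverHtml, {});
}

// Fixed pattern: user data never enters the markup as template text. The
// server emits a fixed template and the data reaches the page through the
// scope, where {{q}} binds it as text and never re-evaluates its contents.
function safePage(query) {
  const serverHtml = '<div ng-app><p>Results for: {{q}}</p></div>';
  return interpolate(serverHtml, { q: query });
}

if (typeof require !== 'undefined' && require.main === module) {
  const probe = '{{7*7}}';            // classic template-injection probe
  console.log('vulnerable:', vulnerablePage(probe)); // contains 49: evaluated
  console.log('safe:      ', safePage(probe));       // contains {{7*7}} as text
}
```

The `{{7*7}}` probe is the usual first check: if `49` comes back, the page's client-side framework is evaluating your input, and what you can reach from there depends on the framework's expression language and version, which is exactly the kind of detail a pentester needs to know per framework.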

Mobile, Mobile, Mobile: Mobile is definitely not new and has become, for many, the normal way to access their data. Mobile has also given a push to third-party authentication models like OAuth.

Mobile security is still a challenge, however: we still see critical applications that do not validate the server's TLS certificate, that store sensitive information in world-writable files, and many, many other oddities.

The main difficulties in a mobile assessment are the lack of tools and the complexity of the platforms. Android and iOS come with their own security concepts and attack surface. Assessing a mobile application is usually a mix of reverse engineering, source code review and web application assessment of the back-end APIs.
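As an added example (not from the original post), a small checker for one of the oddities mentioned above, sensitive files left world-writable or world-readable in an app's private data directory. The input is the kind of listing `adb shell ls -l` prints; the lines below are constructed for the demo, as are the file and user names.

```javascript
// Added example (not from the original post): flag files in an app data
// directory that other apps on the device could write or read, from
// constructed `ls -l` output.

// Constructed listing in the classic Android toolbox layout
// (mode owner group size date time name).
const sampleListing = [
  'drwxrwx--x u0_a81 u0_a81      4096 2016-01-02 13:46 shared_prefs',
  '-rw-rw-rw- u0_a81 u0_a81       812 2016-01-02 13:46 shared_prefs/session.xml',
  '-rw------- u0_a81 u0_a81      1024 2016-01-02 13:46 shared_prefs/settings.xml',
  '-rw-r--r-- u0_a81 u0_a81     20480 2016-01-02 13:46 databases/cache.db',
  '-rw-rw-rw- u0_a81 u0_a81       256 2016-01-02 13:46 files/auth_token',
];

// Parse one `ls -l` line. Both the toolbox layout above and the toybox
// layout (which adds a link count after the mode) start with the mode string
// and end with the name, so only those two fields are used. Only regular
// files are reported; directories and symlinks (whose last field would be
// the link target) are skipped by the caller.
function parseLsLine(line) {
  const fields = line.trim().split(/\s+/);
  if (fields.length < 2) return null;
  const mode = fields[0];
  if (!/^[-dlcbps][rwxsStT-]{9}$/.test(mode)) return null;
  return { mode, name: fields[fields.length - 1], isFile: mode[0] === '-' };
}

// The "other" permission bits are the last triplet of the mode string:
// index 7 is read, index 8 is write, index 9 is execute.
function othersCanWrite(mode) { return mode[8] === 'w'; }
function othersCanRead(mode) { return mode[7] === 'r'; }

// Return the regular files any other app could modify (world-writable) and,
// separately, those it could only read (world-readable).
function findExposedFiles(lines) {
  const worldWritable = [];
  const worldReadable = [];
  for (const line of lines) {
    const entry = parseLsLine(line);
    if (!entry || !entry.isFile) continue;
    if (othersCanWrite(entry.mode)) worldWritable.push(entry.name);
    else if (othersCanRead(entry.mode)) worldReadable.push(entry.name);
  }
  return { worldWritable, worldReadable };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findExposedFiles(sampleListing));
}
```

On a real device the listing comes from `adb shell ls -l /data/data/<package>/...` (root or a debuggable build is needed to see another app's private directory); a world-writable `session.xml` or token file is the kind of finding the paragraph above has in mind, since any other app on the device can tamper with it.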

Async what? (WebSocket, SSE and HTTP/2): WebSocket, Server-Sent Events and HTTP/2 are already here and will keep attracting adopters because of the advantages they offer. Enabling HTTP/2 on nginx comes down to running a recent enough version (1.9.5 or later, built with the HTTP/2 module) and adding http2 to the listen directive in the configuration file. HTTP/2 improves page load times by multiplexing many requests over one connection, and WebSocket makes server-initiated notifications easy to implement, getting rid of old workarounds like long polling.
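As an added example (not from the original post), the nginx change described above, shown as the HTTP/1.1-only server block next to the same block with HTTP/2 enabled. The server name and certificate paths are placeholders.

```nginx
# Before: TLS, HTTP/1.1 only
server {
    listen 443 ssl;
    server_name example.com;                               # placeholder
    ssl_certificate     /etc/nginx/tls/example.com.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;    # placeholder path
    ssl_protocols TLSv1.2;
    root /var/www/html;
}

# After: the only change is the http2 parameter on the listen directive.
# Requires nginx 1.9.5 or later built with --with-http_v2_module, and an
# OpenSSL with ALPN support (1.0.2 or later), since browsers only negotiate
# HTTP/2 over TLS through ALPN.
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;
    ssl_protocols TLSv1.2;
    root /var/www/html;
}
```

`nginx -V` lists the build flags, so `--with-http_v2_module` must appear there before the directive is accepted; after a reload, `curl -sI --http2 https://example.com/` answers with an `HTTP/2 200` status line when the negotiation succeeded and falls back to `HTTP/1.1 200` when it did not.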

Async communication renders most web application scanners ineffective, because the traffic is no longer a simple request/response model. A probe sent to check for a vulnerability may not be answered by the next message on the channel: other messages (server pushes, replies to earlier probes) can arrive first, which breaks the causal assumption built into scanner logic. Testing such applications means correlating each probe with its actual reply, for instance through an identifier the application echoes back.
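As an added example (not from the original post), an in-memory simulation of a WebSocket-style channel, built to show what goes wrong when a scanner assumes "the next frame answers my last request". The probes, delays, server replies and the push notification are all constructed for the demo; no network is involved, and the `id` field is the scanner's own correlation tag, which this toy server happens to echo back.

```javascript
// Added example (not from the original post): why scanner logic built on
// request/response causality fails on an async channel, with a simulated
// WebSocket-style socket.

// Three probes the scanner sends back-to-back on one socket. The delay is
// how long the (simulated) application takes to answer each one.
const probes = [
  { id: 1, payload: "' OR 1=1--", delay: 30 },  // slow: reaches the database
  { id: 2, payload: '<script>',   delay: 5 },
  { id: 3, payload: 'shoes',      delay: 10 },
];

// Simulated application behaviour (constructed): a quote in the payload
// produces a SQL error, anything else an empty result set.
function applicationReply(payload) {
  return payload.includes("'") ? 'SQL syntax error near OR' : 'results: 0 items';
}

// Simulate the socket: probe k is sent at t = k, answered at t = k + delay,
// and the server also pushes an unsolicited notification frame at t = 8.
// Returns the frames in the order the scanner would receive them.
function simulateChannel(probes) {
  const frames = probes.map((p, sendTime) => ({
    t: sendTime + p.delay, id: p.id, body: applicationReply(p.payload),
  }));
  frames.push({ t: 8, id: null, body: 'notification: new message from bob' });
  frames.sort((a, b) => a.t - b.t);             // arrival order on the socket
  return frames.map(({ id, body }) => ({ id, body }));
}

// Naive scanner: pairs the k-th probe with the k-th frame it receives,
// which is exactly the request/response assumption the text describes.
function naiveCorrelate(probes, frames) {
  const verdicts = {};
  probes.forEach((p, k) => {
    verdicts[p.payload] = frames[k] ? frames[k].body : null;
  });
  return verdicts;
}

// Correlating scanner: pairs by the id the application echoes back and
// ignores frames that answer no probe (pushes, replies to someone else).
function taggedCorrelate(probes, frames) {
  const byId = new Map(frames.filter(f => f.id !== null).map(f => [f.id, f.body]));
  const verdicts = {};
  for (const p of probes) verdicts[p.payload] = byId.has(p.id) ? byId.get(p.id) : null;
  return verdicts;
}

// Minimal "did this look like an injection?" check on the attributed reply.
function flagsSqlError(body) {
  return typeof body === 'string' && /SQL syntax/i.test(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  const frames = simulateChannel(probes);
  console.log('naive :', naiveCorrelate(probes, frames));   // SQL error attributed to nothing
  console.log('tagged:', taggedCorrelate(probes, frames));  // SQL error attributed to probe 1
}
```

With these delays the frames arrive as: reply to probe 2, the push notification, reply to probe 3, reply to probe 1. The naive scanner attributes the push notification to the `<script>` probe and never sees the SQL error at all (a false negative), while the correlating scanner attributes every reply correctly. When the application offers no echoed identifier, the scanner has to fall back to sending one probe at a time and draining the channel between probes, which is why async applications are so much slower and harder to scan automatically.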

IoT, agile security and continuous integration, SDN and IPv6 are other technologies that deserve investigation, as each presents its own opportunities and challenges.
