I am sincerely glad someone brought this up. My concern lies in a total lack of education or training in this area. Hacking 101 courses are all over the place now, teaching MCSE-kiddies and non-technical managers how to run scripts and nmap (swell.. $2-4k to learn this stuff in 3 days? Ach, ask a single grad of those programs what nmap is ACTUALLY sending and receiving.. lol "duhh, errr, but it says it's BeOS with port 80 open, I'll just use securityfocus like they showed me to find a script to shoot at it..")... (I digress...)

There are not many courses that I know of that actually explain the methodology in searching for *new* vulnerabilities... As in "Tearing apart that new .dll, .asp, or cgi from a security perspective 101". Some folks claim it's just trial and error and dumb luck. Others say that folks troll the "most downloaded" new pieces of software at shareware sites and then pound away semi-blindly with input variables and switches that have worked against previously announced holes in other software until they find something that will get their name on bugtraq...

Problem is, in our growing field of infosec, beyond post-grad or doctorate level CS, there aren't very many educational tracks to show your average programmer/engineer how to start finding new holes... The only thing I can think of is to send someone through: a secure programming program AND a webapp dev course AND a windows API course AND AND AND.. etc... we're talking tens of thousands of bucks there, not to mention the hours involved.. ouch.

My goal: I want to take 4 of my Jr Security Engineers and send them somewhere for a week or two, or perhaps several weeks at night, and have them come back to tear apart software like it's nothing... <foundstone, hint hint, E&Y, hint hint.. Anyone? Bueller? Bueller?...> Of course, pre-reqs would be a solid knowledge of scripting languages, C/C++, network architectures and protocols, and all publicly known scripts and code... (but I require that of my Jrs anyways, so I just want someone else to show them the next level! I have no time, and hell, if the course is good enough, I would even go so that I can stop using semi-educated dumb luck and trial and error! lol)

I am VERY interested to see someone post a resource... Maybe this is just a pipe-dream.

./oliver

PS: on a side note, there are several interesting projects currently in dev everywhere to automate all of this.. So don't worry, soon those afraid of anything they can't click on will also be able to point and click their way through code to find new vulns... swell eh? There are even dev projects going to automate vulnerability discovery in ALREADY COMPILED software! Woohoo... "Excellent Smithers! Now activate the artificial lightning and blue screens of death!"

-----Original Message-----
From: kaipower [mailto:kaipowerat_private]
Sent: Thursday, April 04, 2002 8:05 PM
To: security-basicsat_private; vuln-dev@security-focus.com; vuln-devat_private
Subject: Techniques for Vulnerability discovery

Hi,

After reading the mailing list for quite a while, there is a burning question which I kept asking myself: How do experts discover vulnerabilities in a system/software?

Some categories of vulnerabilities that I am aware of:
1) Buffer overflow (Stack or Heap)
2) Mal access control and Trust management
3) Cross site scripting
4) Unexpected input - e.g. SQL injection?
5) Race conditions
6) password authentication

Do people just run scripts to brute force to find vulnerabilities? (as in the case of Buffer overflows) Or do they reverse engineer the software? How relevant is reverse engineering in this context?

Anybody out there care to give a methodology/strategy in finding vulnerabilities?

Mike

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
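The thread contrasts two approaches: scripts that pound away with input variations, and reading or reverse engineering the code. The following is an added example, not from either poster, showing how the two complement each other on the "unexpected input" category: a small, seeded mutation fuzz harness is run against a constructed, deliberately fragile length-prefixed record parser and against a hardened version of the same parser. The wire format, the function names, the limits MAX_FIELD and MAX_FIELDS, and the RecordError contract are all assumptions made up for this example.

```python
"""Added example: a minimal mutation fuzzer versus a constructed record parser.

Constructed wire format (an assumption for this example): a record is a
sequence of fields, each a 1-byte length followed by that many payload bytes,
terminated by a zero length byte.  A well-behaved field is at most MAX_FIELD
bytes and a record has at most MAX_FIELDS fields.
"""
import random

MAX_FIELD = 8        # assumed per-field payload limit
MAX_FIELDS = 4       # assumed per-record field-count limit
BOUNDARY_LENGTHS = (0, 1, MAX_FIELD, MAX_FIELD + 1, 0xFF)   # classic edge values


class RecordError(ValueError):
    """The only error a caller of the hardened parser is documented to expect."""


def parse_fragile(data: bytes) -> list:
    """Deliberately fragile parser: trusts the length byte, assumes a terminator
    is present, and never checks the field size or count."""
    fields = []
    i = 0
    while True:
        n = data[i]                    # IndexError when the terminator is missing
        i += 1
        if n == 0:
            return fields
        fields.append(data[i:i + n])   # silently short when n overruns the buffer
        i += n


def parse_hardened(data: bytes) -> list:
    """Same format, every untrusted value checked before use; the only failure
    mode is RecordError, so any other exception would itself be a bug."""
    fields = []
    i = 0
    while True:
        if i >= len(data):
            raise RecordError("missing terminator")
        n = data[i]
        i += 1
        if n == 0:
            return fields
        if n > MAX_FIELD:
            raise RecordError(f"field length {n} exceeds {MAX_FIELD}")
        if i + n > len(data):
            raise RecordError("length byte runs past end of record")
        if len(fields) >= MAX_FIELDS:
            raise RecordError("too many fields")
        fields.append(data[i:i + n])
        i += n


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a valid record: bit flip, truncation, byte
    insertion, or overwriting the first length byte with a boundary value."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and buf:
        k = rng.randrange(len(buf))
        buf[k] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        buf[0] = rng.choice(BOUNDARY_LENGTHS)
    return bytes(buf)


def classify(parser, data: bytes):
    """Run one input through parser. Return a finding label for an unexpected
    exception type or an accepted oversized field; None for a clean parse or
    the documented RecordError."""
    try:
        fields = parser(data)
    except RecordError:
        return None
    except Exception as exc:           # any undeclared exception is a finding
        return type(exc).__name__
    if any(len(f) > MAX_FIELD for f in fields):
        return "OversizedField"        # contract violated without an error
    return None


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Mutate the seed repeatedly and keep the first input that produced each
    distinct finding label. Returns {label: triggering_input}; a seeded RNG
    makes the run repeatable."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        label = classify(parser, data)
        if label is not None:
            findings.setdefault(label, data)
    return findings


SEED = b"\x03abc\x05hello\x00"   # constructed valid record: two fields + terminator

if __name__ == "__main__":
    for name, parser in (("fragile", parse_fragile), ("hardened", parse_hardened)):
        print(f"{name}: {sorted(fuzz(parser, SEED))}")
```

Run stand-alone, the fragile parser yields an IndexError finding (a length byte pointing past the end of the record) and an OversizedField finding (a 9-byte field accepted with no error), while the hardened parser yields nothing, because every malformed input is turned into the declared RecordError. Note what the harness did not find: the missing MAX_FIELDS limit only shows up by reading the code, which is the practical answer to the question of how brute-force input scripts and code review relate.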
This archive was generated by hypermail 2b30 : Fri Apr 05 2002 - 14:23:18 PST