About this Episode:
How can you prevent attacks if you don't know your enemy? In this episode, Malek Mohammad, author of the Pluralsight course: Web Application Penetration Testing: Information Gathering, discusses how to know how your enemies target you. Discover fingerprinting web applications, enumerating applications, understanding their entry points, and tooling needed. Listen up!
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Malek Mohammad
Malek is an Information Security Consultant and Penetration Tester with previous software development experience. He is also an author for video courses on cyber security subjects. Malek works on making payment applications more secure through Penetration Testing and Threat Modeling. In addition, He helped many software developers in designing their application with security in mind, and not as an afterthought.
Connect with Malek Mohammad
-
-
- Pluralsight: malik-zak
- LinkedIn: malekmohammad
-
Full Transcript Malek Mohammad
Joe [00:01:51] Hey Malik! Welcome to the Guild.
Malek [00:01:57] Thanks, Joe. Thanks for having me here on this interesting podcast.
Joe [00:02:01] Awesome. Great to have you. Before we get into it, though, is there anything I missed in your bio that you want the Guild to know more about?
Malek [00:02:09] No. It's yeah, it's complete.
Joe [00:02:13] Very cool, so, you know, in your bio, there was an interesting piece that you put in there saying that you're really interested in helping developers create Security, create applications with Security in mind. Actually, I think this is something that's kind of lacking in the industry. So why do you feel so passionate about this? Is this even possible to get developers really to start thinking about Security as they're developing the code?
Malek [00:02:39] Yeah, well, I started my career as a software developer and back then, it was in 2004, there wasn't much knowledge about information security and the vulnerabilities, the hacking. It wasn't prevalent. So also there was a lack of information and awareness for software developers and engineers. They merely know anything about information security. So nowadays, from I think 10 years and forward, the cyberattacks are increasing with high numbers. Every system is subject to attack. So, software developers are concerned with getting the task done and keeping up with the deadlines. And maybe they are focused on the quality of the task, maybe on the performance issues. But I think till now, software developers are lacking information security awareness and experience and secure coding practices that would make the overall product more secure.
Joe [00:04:33] Absolutely, and that's what I love about Pluralsight. There's a lot of courses around Security now, and I think it's really helpful. So I guess the question is then, does a company know about this? Do companies know, like, “Look, we could probably get better secured from getting more involved? Is it still an education that you think is going on, that security is important not only with the team dedicated to Security but actually having Security as part of our software development lifecycle?
Malek [00:05:04] Well, yeah, well, most of the companies are recognizing that right now with the also the increasing attacks after Covid-19 took place. There were massive attacks and massive phishing attacks on humans themselves. So, yeah, companies are starting to recognize that software developers must have sufficient information about information security and secure coding standards. But maybe some of them do not know how to do it or to approach perfection or near perfection of providing a secure coding environment or a secure development lifecycle with the proper awareness for security for the software developers.
Joe [00:06:18] So you were a software developer. You're probably still a software developer at heart, just developing probably Security solutions now. So how did you get into Security? I mean, maybe that would be a way that people listening they could take. “Maybe I can get my developers more involved because of your experience.”
Malek [00:06:39] Well, I worked as a software developer. I worked on many development languages. I started on C++, which I love very much, C and C++. I worked on C# Java. So I started reading about information security and the attacks, the rise of the hackers, and how they show them on maybe Hollywood movies like there are shadowy and shadowy places and something like that. Well in real life they are not in shadow places they are sitting on their desks and they are focused on many screens. So I like the idea. The more I read on it, it keeps pulling me towards it. So I got certified. I got my first information Security. I think it's yeah, it's the ESC Council CEH. It was back in 2013. It has much information, it has many information for the learner to know it. It has diverse subjects. It's a very good certificate for beginners. Back then it didn't have the virtual machines, the virtual labs as part of the test. But right now, I think now it has version ten. I think they have added the virtual machines as a part of the exam. Yeah. So it's a really good thing if you discovered your passion for Security. You have to read much because there is a ton of information to read. You'll have to get certified. Then you could switch inside your company or you could go to another opening.
Joe [00:09:20] So that brings up a good point, it does take a lot of training, a lot of reading, a lot of self-learning. So for companies, big enterprises is there a way to make their development life cycle more secure? How do you get developers then to learn? Do you usually have someone embedded on the team that is a security expert that shepherds them or are there automated tools you have along the automation pipeline now at every stage that kind of tries to bake in Security before it gets to when you're just shipping it out to the customer?
Malek [00:09:54] Yeah, this is a great topic, Joe. Security there is a framework, testing framework that could be customized to suit the organization's needs towards Security. It is the secure development lifecycle. Well, it should be implemented at each company. Each development company, they should have a secure development lifecycle in place. So in brief it has many phases. So I will talk briefly about each phase and answer your second question about the security expert. So the first phase of the secure development lifecycle is the information gathering or requirement gathering. It is the requirement gathering for the application you are building. So in this phase, the most important thing to make sure all the non-functional security requirements, all of them are there and they're embedded in the requirements. Also with the functional security requirements, because sometimes the customer if this is the business model, so the customer asks for specific security requirements. So this becomes a functional security requirements. But there are nonfunctional Security requirements like input validation, vulnerability detection. And also the access controller authentication. Those are the non-functional requirements, so at this phase, you can make sure all the required requirements are there and are defined for the software developers to start designing their application using those requirements. After the requirements are done, the software development start designing their application. They start maybe drawing diagrams, starting or eliciting the data flow from the requirements itself. So what's the Security input do in that regard is threat modeling? Threat modeling is that a Security expert will come to make meetings, sit in meetings with the software developers and see all the designs and diagrams I think exactly the data flow diagrams and do a threat modeling where the security experts can anticipate Security problems and the design itself. So the security problem and the design is called the weakness. And in the implementation, it is called vulnerability. So when they do the Security, when they do the threat modeling, the security experts anticipate all the security weaknesses in the design and suggest a correction and solutions to the design. Afterward comes the software development. The development team starts writing code and they start committing to the source code repository so that the CI/CD does a thing. So at this phase of the software development, a static application and a static analysis, static analysis for source code tools. It's called SAS tools. They are tools on the code repository itself that when a software developer commits their code, this tool analyzes the code and see if there are any Security problems or hardcoded keys, concatenating SQL statements and all, everything that is related to bad Security practices. And it points out all the problems so that the software developers correct that and commit these changes again.
Joe [00:15:48] Awesome. Yeah, but what I love about it is it sounds like a process that you could fit into any kind of organization.
Malek [00:15:54] Yeah.
Joe [00:15:55] So whether you're DevOps, Agile, or whatever, it seems like it would fit right in easily.
Malek [00:16:00] Yeah.
Joe [00:16:00] Plug and play for sure.
Malek [00:16:03] Yeah, yeah. There are a ton of tools on the market that are open source tools and it is integratable with the CI/CD of the major companies like GitLab or GitHub. So, yeah, going forward on the secure development lifecycle, there is the Penetration Testing cycle where when there is a tangible insoluble application for penetration testers to start hacking. So this is where the penetration testers start searching for vulnerabilities and start to exploit them. And also after they exploit them, they could know the impact that these vulnerabilities have on the system itself. And they report that back to the software development team with solutions and suggestions. And also on this stage, it is also integrated with the DAST tool, dynamic application secure testing where after deployment configuration management could be tested by this tool, like testing for allowed HTTP methods, the Security headers and the responses, all sorts of stuff related to this paradigm. These are, in brief, the secure development lifecycle. Penetration Testing is a defense in depth among all of these other phases. So going back to your second question, whether there should be another whether the development team should be shepherd by the security expert or it should be one of the software developers. So, yeah, the software development team could have a champion. It's called the champion. They have all the necessary awareness for secure coding and vulnerabilities, and the proper certification for that. So this champion, their job is reviewing the code for the rest of the team. And they have to make sure all the source code are reviewed in terms of Security and there are no logical Security problems in the source code that are not detected by the static application Security Sync tools.
Joe [00:19:51] Nice. So I've never heard of a secure development lifecycle before. Is it the same as DevSecOps? Is it the same principle or is it a completely different kind of framework?
Malek [00:20:01] No, it could be integrated. Secure development lifecycle could be integrated with DevSecOps. The DevSecOps is the operational part of the CI/CD and is regarded regarding the security part of the CI/CD. And the secure development lifecycle. It is the testing framework that the company could customize to adapt to their security needs and it could be integrated and reflected on the DevSecOps.
Joe [00:20:49] Awesome. So now I want to dive in a little bit more into your course, because, as you said, education's really critical and I love how anyone could go to Pluralsight. They definitely should check out your course on Web Application, Penetration Testing, Information Gathering. Now, as software engineers, I think we all like to geek out on tools. But what I found interesting about your course was it focuses on something I usually don't hear about with penetration testing right away is information gathering. So why focus a whole course just on the information gathering piece of the Penetration Testing lifecycle?
Malek [00:21:22] Yeah, because as the saying says or as you know, the old saying of how could you attack your enemy if you don't know them? You know, if you want to attack a target, you should know each and every information and aspect of that target, because if you miss anything from the information gathering phase, a testing scenario or attack scenario could be missed when the actual penetration testing or sort of the actual hacking is done. So, yeah, this is crucial to know everything about the target you're about to attack.
Joe [00:22:20] Great. So the course goes up to three or four different areas, one of them is using fingerprinting to identify targets. So once again, this is a term I haven't heard before, is fingerprinting. So what is fingerprinting?
Malek [00:22:31] Well, fingerprinting is trying to know, getting to know the architecture behind the work application, getting to know the webserver, what type it is. Or what is the version number of that web server, getting to know the actual platform, whether it's Linux, what type of Linux, what version or whether it's Windows, Microsoft Windows. So, yeah. You could fingerprint to know the application framework. So attacking Java is different from attacking .net applications and Angular. So they all have different attack scenarios and payloads. So it's crucial to identify what is the web framework used so that you craft your attacks based on this information. So if you don't know what application framework you are attacking, then how could you craft your attacks? Because if you want to attack using a test for cross-site scripting. So injecting JavaScript on Angular is different than injecting JavaScript on a Java-based application. So, yeah, it's crucial to know every detail about the environment – web server, web framework, the platform.
Joe [00:24:23] Nice, so it sounds kind of complicated. Are there any tools you can help use you for the information gathering piece of it?
Malek [00:24:31] Yeah, there are great tools, the netcat, the open cell (??), banner grab, make a connection with the server, and see what that connection dumps so you could read the version number of the service you are connected to. And also you could use Nmap because it has a magnificent service identification feature. Yeah, everybody uses that. It's a great feature. And it's also it could navigate all the reports on the server, not only the force that, the 44 C and 80 ports. And there is the (unintelligible). It's a cool plugin. It analyzes the web application. And when you visit any web application and you have the plug-in installed on your browser and you click it, it shows all the client-side components that is used to build that site.
Joe [00:26:01] Know, that sounds cool. I've never heard of that either, so it's just a simple plugin in Chrome or something, you could just add-in and click on any application. Nice. Cool. So once you have the tools, I think you also go into things called enumerating hidden web apps and searching for info leakage. So what can I say? As I said in the beginning, I'm kind of a newbie, so I'm not sure what is info leakage in Security?
Malek [00:26:26] Information leakage, where sometimes developers leave important information right there in the source code. It's either dumped in their GitLab or their source code repository, or it could be in the lying around and the HTML client side code of the application. So in the meter that information, you could find keys you can use to connect to back end servers the application uses. You can find information about the infrastructure, you could find information about the subnet of the infrastructure. You could find information about the back-end systems, the subnet like the database server, IP address, the message queues. And it could give easily important information for attackers to pursue their or take on their attack from that starting point.
Joe [00:28:12] Got you. Is it I don't know if sometimes people release secrets to GitHub by mistake. Is that what you mean by information leakage or metadata, or could someone use comments that they don't know that it's actually providing an attacker information they can use to attack them?
Malek [00:28:29] Yeah, well, it could be anything. It could be leakages and comments. It could be a JavaScript code that could have a client-side key that could be used to connect to the back end servers. And you could have also comments that show IP addresses for the back-end services. And also yeah, so you could find information in the source code repositories. Most probably you could find username passwords for accounts for a hacker. If a hacker found that source code and downloaded it and exactly the username and password, they could exploit that service or connect to that service using that account and does their thing.
Joe [00:29:38] Awesome, and I highly recommend everyone to check out this course because it's easier to actually see it in action. A lot of great examples. So definitely check a Web application, Penetration Testing Information Gathering at Pluralsight. I have a link to it in the show notes. Okay, before we go, is there one piece of actionable advice you can give to someone to help them with the Security testing efforts?
Malek [00:30:02] Yeah, the most important thing for Security testers is to practice. There are a ton of attacks out there. There are many web application frameworks used. So the best thing is always to keep your skills sharpened and up to date within your vulnerabilities that arise in the framework. So they could always find…there are many sources for Security and Penetration Testers to practice on. So the most important thing is to keep up to date with the security vulnerabilities and tools.
Malek [00:31:15] Absolutely, and the best way to find a contact you.
Joe [00:31:19] Well, yeah, they could contact me on my LinkedIn profile.
Rate and Review TestGuild Security Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.