Security Testing for Muggles: An Interview with Paco Hope
Cameron Philipp-Edmonds: Okay, so let's say down the line organizations stop squandering what they have in front of them. Security testing becomes a part of day-to-day testing regularly. What will that mean for the future of software?

Paco Hope: Well, I often make the comparison between security testing and security requirements, and performance testing and performance requirements because it's another one of these non-functional requirements it's really important to get right. If we were to start testing these things earlier while we're still building the software then A, the security results come on sooner and they're a lot cheaper to fix if we find things sooner. B, then the security testers spend their time doing the stuff that really does take a security tester's capabilities to find, rather than have security guys come in and pick low-hanging fruit and say ha ha, look what we did.

Cameron Philipp-Edmonds: Now before we go on, I kind of want to know what really got you interested in the realm of security testing?

Paco Hope: I've been doing security for fifteen years. I've been doing it for awhile, and probably seven or eight years ago I attended a talk by somebody who was a software testing specialist. Just someone who does use software testing. I looked at how they were organizing their work, and how they were really approaching it with this professional mindset and I thought 'Good grief! We security people don't do nearly that level of professionalism and that level of diligence. We just go in and start shooting at stuff and we manage to hit a few things, and we call it job done.'

I went to a STAR conference probably the first time, I want to say 2006 maybe, 2007. I was just really blown away by the level of professionalism and diligence that people were applying to what I as a non-tester had always thought just make sure the thing works. I thought gosh, look at the level of professionalism and how diligent they are. Man, if we applied even a fraction of that diligence to security testing, we would achieve so much more. Likewise, if these people who are so diligent and thorough and conscientious about what they were doing, they started doing half the security stuff that I know then I'd almost be out of a job. The testers would get it right then I would have almost nothing to find.

Cameron Philipp-Edmonds: Okay, there's been a whole lot of high-profile security breaches happening recently. You talked about how security testing overall has become more professional and it's become more and more part of that day-to-day testing, so with that in mind, if the knowledge of the area, the confidence of the subject keeps going, is security testing going to keep up or is there trouble ahead?

Paco Hope: I think ... There's an interesting effect that I've been seeing lately which is the ever-shortening time between finding something that's a possibility and saying 'you know, I think the software might do this' to a weaponized payload of yep, I can exploit that thing time and time again. That's what the black hats are doing. There was an event just very recently with an app called TweetDeck where they had cross-site scripting in TweetDeck. A tweet could come across your Twitter feed and as a result, bang. Your web browser just did something that you didn't even have to click to make it happen.

The fact that black hats can rapidly bundle and package their exploits also helps testers because it means we can rapidly bundle and package up regressions that will spot the same sorts of issues. If we tap into that packaging and rapidly reusing security payloads and security test cases, the testers will benefit from that same speed up.

Cameron Philipp-Edmonds: Okay, so to kind of put you on the spot here, and I understand you're not Nostradamus or anything, do you expect there will be more security breaches like we've seen with Target and eBay and whatnot?

Paco Hope: Yeah, a great example is OpenSSL because SSL underpins everything we do and it's really, really important, and what we discovered was holy cow, there have been two or three major bugs laying around in that code base for two years.

Cameron Philipp-Edmonds: And one for like fifteen years?

Paco Hope: Yeah, there was the one that was laying around since 1998, and there's the one that had been laying around for a couple of years, and so now everybody and their brother is picking through OpenSSL with a fine-toothed comb. Now OpenSSL is flashy because it's so well known and it's used everywhere but there's a lot of software out there that we're reusing everywhere.

I think it's woken everybody up to holy cow, there's a lot of stuff we're leveraging and nobody's really picked through it carefully. We're going to see a lot more before it finally starts to taper off.

Cameron Philipp-Edmonds: Okay, now to move on here a little bit, you've co-authored a few books such as "The Web Security Testing Cookbook", which I think is a great name, and that offers recipes for security testing. It's pretty intriguing that you made that analogy. Is testing for security kind of like cooking?

Paco Hope: Yeah, in fact it's a lot like cooking. If you think about ... I'm no chef but you know that there's some rudiments like making a roux which is a very basic white sauce, and everybody knows the ingredients to a basic white sauce are just some butter, some flour, some milk and cook it in a certain way. So many security testing payloads are exactly that. Oh, I want to test for cross-site scripting. Well, I've got these three or four possible payloads that I should try, and here's three or four typical ways that I'm going to put those payloads into a test case, and so it really is like having a cookbook of some recipes. Oh look, I've got a web interface that takes in some free text. I've got five good recipes to test that kind of an interface.

Oh, I have a database extract transform load, an ETL application we call them. Well, I've got some standard recipes for the sorts of malicious stuff I could stick into an ETL app and look for the results.

Cameron Philipp-Edmonds: So it's fair to say there really is a recipe for a lot of security testing?

Paco Hope: There really are. That's right, and then given that recipe, like anything else, like pairing a wine with a meal, you can say this is going to go well with that, and you know how to recognize a vulnerability. You know how to recognize a failure or a finding. It becomes very repeatable.
