Vulnerabilities / Threats
5/23/2013
05:00 PM
Vincent Liu
Vincent Liu
Commentary
50%
50%

Beware Of The 'Checklist' Penetration Tester

A surefire way to spot a novice

Part 2 in a series on spotting a novice pen tester

If your penetration tester has an overreliance on checklists, then he or she is a novice. In the hands of a novice tester, checklists are treated as both the start and the end of a test.

In the eyes of a skilled tester, a checklist defines the minimum level of testing. A common mistake made when evaluating third-party firms is to place too much weight on checklist comparisons. Sure, it's easy to compare lists, but it often leads to the omission and exclusion of much more important attributes, such as whether they can actually hack.

Consider this: You aren't feeling well, so you go to see the doctor. Your doctor follows a top 10 checklist to try and diagnose your symptoms, but none of the symptoms matched. So you're sent home with a clean bill of health because none of your problems were on the top 10 checklist. You're probably thinking that this doctor should have his medical license reviewed, but this is how many novice pen testers go about performing their assessments -- by adhering strictly to a checklist.

If you notice that the only issues being identified are the ones commonly found on a top 10 (e.g., OWASP Top 10) list, then there's a chance that those are the only ones that are being tested. Going off of a checklist can garner only so many results or findings, and oftentimes validating a finding is confused with actually performing a penetration test -- and it really is not the same. It's important to note that checklists can be helpful, but checklist-driven testing should not be the end-all, be-all when it comes to penetration testing because you can't find what you're not looking for.

It's good to ask your tester what he attempted to look for but didn't find. If you're still suspicious, then ask for evidence. A similar question to ask is: What aspects of security were strong? Carefully listen to his response because the answer should not be a statement of what you don't have (e.g., you didn't have SQL injection), but instead a statement of you do have (e.g., your input validation system is effective at stopping input-based attacks).

Part one of this series is here.

Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2174
Published: 2015-05-24
Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via unspecified vectors,...

CVE-2015-0713
Published: 2015-05-24
The web framework in Cisco TelePresence Advanced Media Gateway Series Software before 1.1(1.40), Cisco TelePresence IP Gateway Series Software, Cisco TelePresence IP VCR Series Software before 3.0(1.27), Cisco TelePresence ISDN Gateway Software before 2.2(1.94), Cisco TelePresence MCU Software befor...

CVE-2015-0722
Published: 2015-05-24
The network drivers in Cisco TelePresence T, Cisco TelePresence TE, and Cisco TelePresence TC before 7.3.2 allow remote attackers to cause a denial of service (process restart or device reload) via a flood of crafted IP packets, aka Bug ID CSCuj68952.

CVE-2015-1894
Published: 2015-05-24
Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Optim Workload Replay 2.x before 2.1.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2015-1895
Published: 2015-05-24
IBM InfoSphere Optim Workload Replay 2.x before 2.1.0.3 relies on client-side code to verify authorization, which allows remote attackers to bypass intended access restrictions by modifying the client behavior.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.