Monday, May 27, 2013


Network Penetration Testing or Application Security Assessment – Where to start from?

ethical-hackerThere have been lot of similar questions regularly being posted to us by aspiring information security experts. In the interest of our future penetration testers or information security consultants to enter the industry with the required expertise and also answering to online queries, we made this blog entry.
There are many training companies in India alone which run training programs on network penetration testing or application security assessment. There are both good and bad training companies and it is left to the candidates to research and select the right company. But more importantly, apart from class room training, it is much required for the aspiring information security experts to self-practice in their home lab. environment. After all, practice makes a man perfect! And certainly, boys need more practice than a man!
Jokes apart, in the past 7 years of establishing our company, we have interviewed many fresh candidates who attended multiple courses in penetration testing or/and application security, but due to no or less self-practice, most of them were not able to think and solve practical scenarios. Until the time of writing this blog, we run very limited and exclusive training sessions that too for government agencies, corporate and groups only and normally suggest our participants to pick one of these two domains in the beginning i.e. network penetration testing or application security testing and move step-by-step. Once the expertise is built over one domain, it should be convenient to start with the second but not together. Jack of all, is only known as Jack, people still call them master of none!
But the question then comes, which domain to pick first or the easy one to start with?
The answer is simple, if not straight forward, though with pros and cons as listed below:

Pros

Network Penetration Testing

  1. Easy to start with since most of it is based on automated tools
  2. Nearly 70% of tasks can be handled by automated tools and most of those come with easy to use GUI
  3. With MCSE, RHCE, CCNA background, testing appear to be easy

Application Security Testing

  1. Easy to setup testing environment in limited resources
  2. Limited protocols and number of application attacks make it quick to learn the domain
  3. With moderate knowledge of any web programming (PHP, .Net, J2EE, Rails, etc.), testing goes easy

Cons

Network Penetration Testing

  1. A deep understanding of networking (OSI, TCP/IP), protocols (HTTP, FTP, SMTP, LDAP, etc.), operating systems (Linux, Windows, etc.) is required. 0-days/Custom exploits, social engineering and client side attacks are domains in itself, better not to mix in the beginning. Its learned automatically as the time and experience goes, keeping in mind there was interest to learn
  2. Understanding of various enterprise network components, architectures and deployments are required which comes with experience or taking extensive testing exercises
  3. Setting up a lab. with bunch of vulnerable/mis-configured machines requires considerable computing power, time to install or bandwidth to download vulnerable virtual machines available online
  4. Setting up a real device (firewall, IPS, VPN, Switch, etc.) is even more expensive

Application Security Testing

  1. Depends mostly on manual testing due to limitations of automated tools, need a lot of practice to identify the bugs quickly along with logical approach towards the testing. There comes the human brain!
  2. Need basic knowledge of almost all the programming languages along with different web technologies (SOAP, REST API, AJAX, FLASH), Databases (Sybase, Oracle, MySql, Mongo, etc.), web application firewalls, load balancers, etc. Though, in the beginning start with selected technologies and with good fundamentals, its easy to scale
  3. You will hardly hit the exactly same bug again. Every application is a new application, focus is required more on fundamental concepts than applications or programming languages.
Few points to be considered before pursuing information security as career option:
  1. No training course or trainer can make you penetration testing or application security expert, its only you who wish to be the one by devoting time, energy, dedication and devotion.
  2. Best deal to learn is to create the vulnerable system or application yourself and learn by tweaking the scenarios and attacking
  3. In information security follow “never giveup” approach. If you couldn’t do it, no one else should be able to do it
  4. There is nothing called as 99.999% security, you need to either call it 100% secured or 0% secured. 0.00001% of vulnerability left behind can do the same damage as 100%, so no difference
  5. This is a game of trust, ethics and integrity, if you have lesser courage to carry them, better search another career option. Information security is a small world even on global map, you never know!
  6. Knowledge is in the mind and not on the piece of paper which people call as “Certificate”. Focus on knowledge first and then certificates rather than attaining bunch of certificates with no knowledge
I am personally not in the favor of spoiling the hard earned money on attending ethical hacking training. And then cursing the trainer for not covering the important topics or not educating the promised contents. There are more than required contents on this subject available on the Internet, your courage to find those good resources, learning and practicing them, eventually becomes a strength to conquer any situation.
Though, the idea is not to discourage attending the training courses but there has to be a realization amongst the aspirants that information security domain requires more of a self-practice by thinking different scenarios and hitting at it than simply attending classroom style training or gaining a piece of paper to start calling themselves “Blah Certified Ethical Hacker”, whatever.
My next blog entries should help the learners with the technologies to learn in the beginning in a step-by-step approach both in network penetration testing and application security testing domains.

No comments:

Post a Comment