I’ve been a tester for a while now, and I’ve done most types of testing for a little while. However, there is one really glaring hole in my skillset (among many other, slightly less glaring ones), and that is security testing.
While I’ve used code scanners (AppScan, AppSpider, Checkmarx, OWASP Dependency Checker) and automated them with Jenkins in a DevSecOps fashion, I don’t really consider that security testing. Using code scanners is testing in the same way that automated testing is testing; i.e. not.
They can find things they know to look for, but can’t recognise or highlight anything else, unless it gets in the way of what they’ve been told to do. Sure, code scanners make available the work of security researchers around the world, but they don’t do anything to educate those who use them. If all I have to do is push a button and then send the report to the devs, what have I learned? Nowt.
Some time ago, I decided I wanted to make my own security testing environment. The reason for this is mostly to learn how, but the other major driver was that setting up a security testing environment in a corporate IT infrastructure is problematic.
No matter how friendly your IT folks are – and mine are very friendly and exceedingly accommodating – they will quite sensibly baulk at letting some n00b tester install security software into their lovely corporate environment.
Security testing tools use the same techniques and look to exploit the same vulnerabilities that malicious hackers would, so performing security testing on the network will (or should) cause their network monitoring and intrusion detection systems to light up like a Christmas tree. Sure, in the initial reconnaissance phase you’re not doing anything naughty, but which IT guy really wants that noise and hassle in their life?
My initial plan was to rip the guts out of an old Xbox 360 (which had suffered the dreaded RROD) and use that as the case, but it was a bitch to work with; lots of sharp metal edges and, unsurprisingly, hard to get into without losing patience and layers of skin.
The project died, but not until after I had bought the initial pieces of hardware.
In the next post I’ll go into the hardware I am using, with some idea of how it all fits together into one package.