Security Testing Tips: Learn programming to build a strong report

Security Testing Tips
Security Testing Tips

If you think that one must learn programming to do security testing, I wouldn’t agree with it. However, programming knowledge surely adds value in writing exploits for the vulnerabilities that you have found. One skill is finding the vulnerability, but the other one is making others believe that it is really a lethal vulnerability which will help them decide its priority for fixing. Now, most of the security test team do not know to code or they don’t want to learn. That’s fair enough as it depends on the interest and their passion could be finding vulnerabilities and not writing exploits. But, the good news is; the gap can be filled by hiring (experienced) developers who could understand the vulnerability and write exploit to develop a strong report which would convince stakeholders about its severity in order to take it for fixing.

Case study
Let us say there is a cross site scripting vulnerability, now as a security tester you may just go to the bug tracker and report it. However, what if the developer or stakeholder wants to understand the effects of it? What if the developer asks, “Why do you think we should fix this?” May be you will end up in saying, “Oh, its categorized under OWASP Top 10 Attacks” which would not make sense in the given context to the developer or stakeholder. It is like using OWASP Top 10 as jargon, but it is useless sometimes or most of the times.

So the question is what to do? For example: Let us say, you found XSS vulnerability in a messaging system inside a social network. Now, what you can do is; you can embed a javascript which will steal a cookie and store it on your server and to do this, you need to write a simple javascript. Now, lets speak about much more lethal exploit where you could embed a malicious javascript in a message to admin and the javascript will contain a piece of code (Preferably AJAX) which will delete all the users from the system without the knowledge of the admin because once the admin opens the message the XSS attack is performed where AJAX code runs and deletes all the users in stealth mode and is not seen on the user interface.

Now, lets compare two things here — You just reported a vulnerability in bug tracker mentioning XSS in messaging system and the response from the developer or any other team member was “Okay, we will fix it”. Now, lets say you report it by taking a video of the exploit written where all users are deleted by admin without his / her knowledge and the malicious javascript was sent by a regular user who is not an admin. For this, you receive response as “Holy shit! We got to fix this as soon as possible”.

I leave the decision to you. If you are interested, you can practice programming in order to write cool exploits to help your stakeholders or developers understand the severity of the vulnerability. Or else if you are a hiring manager, how about hiring a dedicated team member in security testing who could write exploits for the vulnerabilities found by security test team.

Before I finish, I would love to say something; every profession or every activity is a mind-set and a skill-set. So is programming and testing. Choose your cup of tea / coffee / anything.

Santhosh TuppadSecurity Testing TipsSecurity Testing TipsSecurity Testing Tips: Learn programming to build a strong report If you think that one must learn programming to do security testing, I wouldn’t agree with it. However, programming knowledge surely adds value in writing exploits for the vulnerabilities that you have found. One skill is finding the vulnerability, but the...