Thursday, May 26, 2011

Book Review - "Open Source Fuzzing Tools" by Gavi Evron

"Open Source Fuzzing Tools" is written by Gavi Evron and does an excellent job providing a broad range of tools used for fuzzing and their basic usage. There is even a chapter that walks you through building your own file fuzzing tool in perl.

Some specific points that I learned from this book:
- There are (at least) three flavors of fuzzing: 1)File fuzzing- where you create malformed files used by the application. 2) Network fuzzing - network traffic used by the application are malformed and sent and 3) Library fuzzing - calling libraries directly with malformed input.
- The more you know about the workings of the application, the better you can tune your fuzzer to generate malformed data.
- The more you know about assmebler, compilers, bytecode, and TCP/IP, the better. These are the building-blocks for fuzzing.

It's possible to run many of these tools, such as wsfuzzer, without a deep understanding of the application and the underlying technologies, but the more you know, the better you are able to understand the output and take appropriate action.

Tuesday, May 17, 2011

Impressive Presentation Tool

Here is a fun way to do presentations. Let me know what you think of my first one!

Tuesday, May 03, 2011

Levels of abstraction, from Order to Chaos and back again

"There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another theory which states that this has already happened." - Douglas Adams from 'The Hitchiker's Guide to the Galaxy'
For years, I've thought about the order and chaos of the Universe as a lens to look at work. There is order in the universe in that there is this one large blob. But it quickly devolves into chaos when you see each of the galaxies. But looking at our galaxy, there is a sense of order in the spiral arms that make it up and the line of stars in the night sky that we see. This devolves again into chaos as we see the scattering of star systems within the galaxy. But order shows itself again in the orbits of the planets around the sun and the seemingly-perfect spheres that the planets and moons make. But a closer look reveals the chaos of the surface of the planet with mountains and valleys. We can continue this journey to the infinitesimile, but you should get the idea by now :)

Now think about working in a company. The company has a simple goal of making a profit. Then there is the chaos of how the organization is split up But in business unit, there are often annual goals which are very specific. These are to be met by a variety of teams that must figure out a plan to meet these goals, which you as an individual have specific annual goals. However, on a day-do-day basis, your time is spent doing many things, only some of which is towards the annual goals directly.

If you are still reading, congratulations! (and thanks for bearing with me while I try to get to the point) So, where do you like spending your time, in the chaos or the order? Where do your peers like spending time? In which location does your company's culture want you to spend your time?

Just something to ponder...

Book Review - "Threat Modeling" by Frank Swiderski and Window Snyder

Even though this book is from 2004, the method it describes for approaching security testing is sound. The basic method is:

  • Create a Threat Profile

    • Idendity Targets

    • Identify Entry/Exit Points

    • Build Models based on this data

  • Associate Risks with each Target

  • Determine how these risks will be tested

  • Perform tests and report results

  • Repeat

This book is an easy read and there is little technical knowledge that is required to be able to understand the concepts presented, which allows it to be technology-agnostic. However, you will need a bit more technical skill to be able to perform some of the analysis and testing that is described. The examples are helpful and provide a good guide on how do document the models.

I would recommend this book to anyone that is responsible for building, testing or responsible for the security of an application.