Why a Hacker isn’t an Application Tester
This is a story that I have to tell; it’s impossible to ignore. I spent a couple of days of my time talking to one of the largest companies in the world… They had been looking for ethical hackers / security consultants, or whatever you want to call it, so I was introduced to the company by a head hunter.
After two very pleasant interviews and shared thoughts about how the security world works and what the key points for (network) security are, I had to do a CTF challenge to show my hacking skills. Sure, why not… After all, that’s what I have to do to earn my paycheck, right?
The challenge was set up over 2 days. The first day was to find the open ports on their VPN server to establish access to the system. A very decent challenge; it involved writing some custom scripts, as their firewalls had been set up properly. It took a few hours, including writing the report. Check; completed.
Day 2: I was ready and looked forward to a decent challenge in which all the skills of a hacker would be explored properly. Man, how I was in for a disappointment. It turned out they had set up this one-page (2 if you count the SQL-injectable login screen) website in which I had to find the flaws… If THAT was their idea of a test for a serious hacker… Anyhow, finding the UNION SQL injection and the XSS flaws, as well as some hidden directories and default applications installed, I wrote the report with the vulnerabilities found and was done in a couple of hours…
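For readers who want to see what the “SQL-injectable login screen” kind of flaw looks like in code, here is an added example; it is not code from the challenge or from the company in the story. It puts a string-spliced login query beside its parameterised fix, against a constructed in-memory SQLite table (the table, the `alice` account and the function names are all assumptions for the demo), and shows that the textbook tautology input logs in on the vulnerable version and is rejected on the safe one.

```python
import sqlite3


def make_db():
    # Constructed demo database: one users table with a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Hypothetical 'before' code: user input is spliced straight into the SQL text,
    # so a quote in the input changes the structure of the query.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Hardened form: a parameterised query. The driver binds the values as data,
    # so quotes or SQL keywords in the input can never alter the statement.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    # Returns a dict so the four outcomes can be checked rather than only printed.
    conn = make_db()
    tautology = "' OR '1'='1"  # classic tautology input used in SQLi test cases
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "tautology_vulnerable": login_vulnerable(conn, "x", tautology),
        "tautology_safe": login_safe(conn, "x", tautology),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The vulnerable query ends up as `... AND password = '' OR '1'='1'`, which is true for every row, so an unknown user is let in; the parameterised version compares the literal text `' OR '1'='1` against the stored password and fails. The fix is the same in every language and database driver: never build SQL by string concatenation with user input.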
After that, they declined the report and claimed my skills were not good enough to join their ethical hacking team because I had missed flaws?! (I wrote a 30-pager on each and every flaw on that site, including recommendations on how to change their firewall settings, their weak password policy and the problems with the XSS and SQL vulnerabilities.)
Having slept on this for a night, I woke up with a thought: how can one seriously determine the skills of a hacker based on a remote web-based challenge? If I wanted to be an application tester, I would buy a Nessus / Acunetix license and run scans from home each and every day. I’d probably be bored to death within a week.
In my humble opinion, running an application scan is only 5% (if not less) of what a serious penetration tester / ethical hacker / IT security specialist does. With more and more companies moving their applications and networks into the cloud, the risk factor of SQL injections etc. becomes less and less. If you break into the website, you have their database, yay… There aren’t many companies left that also store their sensitive corporate secrets on that same web server…
In my opinion, an ethical hacker and penetration tester spends far more time on the people in a company, and on how these employees can be used as leverage to gain the information the hacker is after. It’s what’s inside people’s minds and what is on the desktop computer that is of interest to a serious hacker looking for corporate intelligence, not what’s on the website of the corporation…
Application testing is a skill, and a decent one. But it’s not that alone that makes a good hacker. A good hacker thinks like the company, uses the company and uses every bit of information he finds about them while being on-site with his victims.
This is what many, many security companies out there miss in their vision, and that’s why hackers will continue to win the battle for many, many years to come.
As long as the corporations who ‘test’ for their clients don’t think like real hackers, we all have a long way to go…