#30daysofsecuritytesting – Task XII


All previous posts in this series: I, II, IV, V, VII, IX, X, XVIII, XXX

Task 12: Read about security testing and discuss where it best fits in an SDLC

Here are some of the sources that supported my learning about security testing.

A very good introduction in the first 3 minutes:

I met Simon at TestBash Manchester and had a nice chat. Unfortunately I could not attend his ZAP introduction course, but software development definitely needs more people like Simon.

If you are still not convinced by this 30 days of security challenge and think it is too complicated, then read this article. I especially liked the arguments for and against starting security testing in your company, and the link to The Big List of Naughty Strings.

#30daysofsecuritytesting – Task XVIII


All previous posts in this series: I, II, IV, V, VII, IX, X, XXX

Task 15: Write and share ideas for security testing via twitter or a blog
Task 18: Learn about Security Headers

Oh, people, this challenge is a real challenge! I usually write one or two blog posts a week, and my wish to document my learnings is giving me difficulties. I had the most beautiful weekend with my family on the hill and now I am missing several tasks. It is what it is. I move on and tick off two tasks.

So. Security Headers. The first thing I wanted to do was to scan my own website. I thought it would be a short check and then I would move on, but instead this happened:

I started with a scan on Security Headers, a free website which analyses headers, built and run by Scott Helme. The scan showed some problems with my headers and I started to research whether I should panic or not.

With the help of developer tools, I checked network/headers in Safari, Chrome and Firefox. Every browser shows the header information differently. Chrome at first appeared to be the least valuable, but then I discovered the “security” and “audits” tabs and that changed my top 3.

With the help of Chrome I also learned tonight about Wildcard and Multi-Domain (SAN) certificates and the websites with which I share mine. The Chrome audit showed that I have 2237 unused CSS rules. I will need to decide what to do with that…

Altogether this task was very useful. I learned a lot and got a long to-do list of things to improve on my website.
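To show what such a scan actually checks, here is an added example (my own illustration, not Scott Helme's scanner or any code from the original post) that evaluates one response's headers offline against the common security headers; the two sample responses at the bottom are constructed.

```python
"""Offline check of HTTP response headers for the kinds of security headers
a securityheaders.io-style scan reports on. Added example code, not the
scanner's own logic; the sample responses at the bottom are constructed."""

# Headers a scan typically expects, with the reason each one matters.
EXPECTED = {
    "strict-transport-security": "tells browsers to use HTTPS on future visits",
    "content-security-policy": "restricts where scripts, styles and frames may load from",
    "x-frame-options": "refuses to be framed, which blocks clickjacking",
    "x-content-type-options": "stops browsers MIME-sniffing responses",
    "referrer-policy": "limits what the Referer header leaks to other sites",
}


def check_security_headers(headers):
    """Return a sorted list of findings for one response's headers.
    `headers` is a name->value dict; names are compared case-insensitively
    because HTTP header names are case-insensitive."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, why in EXPECTED.items():
        if name not in present:
            findings.append(f"missing {name}: {why}")
    # HSTS with max-age=0 is a directive to forget the policy, not to enforce it.
    hsts = present.get("strict-transport-security", "")
    if hsts and "max-age=0" in hsts.replace(" ", "").split(";"):
        findings.append("strict-transport-security has max-age=0, which disables HSTS")
    xcto = present.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options must be exactly 'nosniff'")
    # Version-disclosing headers are worth removing from the response.
    for leaky in ("server", "x-powered-by"):
        if leaky in present:
            findings.append(f"{leaky} discloses '{present[leaky]}'")
    return sorted(findings)


# Constructed sample responses: a typical default and a hardened one.
WEAK_RESPONSE = {"Content-Type": "text/html", "Server": "nginx/1.10.0", "X-Powered-By": "PHP/5.6"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or ["no findings"])
```

To check a live site, fetch the URL with `urllib.request.urlopen` and pass `dict(response.headers)` to the function.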

At the end, Automattic has good humour:

[screenshot]

On the other hand, my header has an ad for Automattic and I am not OK with that.

#30daysofsecuritytesting – Task IX

Task: Discover the process and procedures around Security Auditing

This is a hard one. I have been doing my research for two days already, but still have not managed to form my own picture of “what is Security Auditing?”

The confusion starts with Wikipedia, because there are two articles about the topic, both marked as incomplete.

https://en.wikipedia.org/wiki/Information_security_audit

https://en.wikipedia.org/wiki/Information_technology_security_audit

Maybe someone wants to fix it?

A piece I found helpful and useful is this 10-step guide “if a security auditor isn’t in the budget”: http://www.itsecurity.com/features/it-security-audit-010407/

#30DaysOfSecurityTesting – Task VII


All previous posts in this series: I, II, IV, V, X, XXX

Task: Learn one or more things about Penetration testing.

The first thing I learned today about the topic is the difference from vulnerability scanning. During scanning you identify and prioritise possible vulnerabilities, but during penetration testing you actively explore those vulnerabilities with the aim of breaking in.

The second, very important thing I learned: in Germany all penetration testing without the permission of the owner is illegal. So if you scan somebody's system in Germany, try to use the vulnerability and report it to the owner in the hope of getting a reward, you may land in jail.

#30DaysOfSecurityTesting – Task IV

[image: vulnerability]

All previous posts in this series: I, II, X, XXX

Task: Learn anything about Vulnerability Scanning

I looked for the answer in “How To Break Web Software”, the book which I chose in task II. In the index, the only page listed for “vulnerabilities, searching for” is page 107. You can see it in the image above.

It was not enough for me. So I checked the source which, as I learned from my son, has many answers:

Then I found the list of vulnerability scanners. The experts will LOL at my comparison of Nessus and Nmap, but this is what works for me:

  • Nmap is free, the website is from the 90’s and the tool is difficult to configure.
  • The price of a Nessus single-user licence is “$2,190 USD/year” (funny that they use both $ and USD for the price), the website is modern and the tool seems to be very user-friendly (according to the demonstration above).

I am considering downloading Nessus and scanning my home network. I am curious what it will say about my internet radio. The download starts with filling out a form; even if you only want a trial of the single-user licence you have to select your job position. In the list you will find all kinds of people, except software testers.

[screenshot]

The more I think about web security, the more it reminds me of birth control. Some of us blindly trust the protection of our choice, some think that nothing will happen anyway and use none, and there are some of us who choose to walk on the edge. The negative consequences of some of those decisions are AIDS, fertility treatments or teen mums.

I am quite a sceptic: if we cannot handle issues of our own bodies and health, then such an abstract thing as web security has no chance of getting our attention before something really bad happens.

#30DaysOfSecurityTesting – Task X


All previous posts in this series: I, II, XXX

The task for today: Read and Learn about Ethical hacking

My way of learning about the topic was to read the story of how Troy Hunt started his career in web security and how he became a content creator for ethical hacking certifications. After reading the story you may want to browse other articles written by him.

Another great thing created by Troy (even though I do not agree with everything, it is still very good): Internet Security Basics for those not so much into security.

#30DaysOfSecurityTesting – Task XXX

Task 30: Discover the difference between White, Grey, and Black Hat Hacking

This task is not a real challenge for me, but a challenge is a challenge, so here is a summary:

Black Hats see hacking as an intellectual challenge; they have the drive to outsmart others and see stolen money as a reward for their skills.

White Hats are also called ethical hackers. They use the same hacking methods as black hats, but they do it with the permission of the owners. For example, @mikko is a white hat hacker.

Grey Hats, in my understanding, are kids who have skills and like to play with them, but behave carelessly or are not aware of legal or ethical issues.

So far so good. Now it is time for one of my learning sources: YouTube :)

“wild pleasure of exploration”, “the pope is currently not available”


#30DaysOfSecurityTesting – Task I


Ministry of Testing is organizing another challenge: 30 days of security testing. I like challenges in general and even though I am not a security tester, I am privately interested in the topic. In my opinion, everybody should be. A week ago I bet with my colleague that in less than five years, the health of individual digital privacy will be a standard. …or robots will rule the world and we will have no privacy at all.

Today is the first day of the challenge: Read a security blog

Here is my very short list of security blogs:

What did I read today? Since I learned the lesson not to click a button, I am aware of ransomware. This week in the news on local radio I heard that in Germany hackers are attacking companies who are looking for new employees. They send an application with a CV in the attachment, which is not readable at first. And then there is the button. The rest you can imagine. There are stories about attacked hospitals and police offices, and here is a new ransomware story about locked-in hotel guests.

Finally, some ideas on how to protect yourself from ransomware. And of course: do NOT click the button!


~UPDATE with more links to web security related blogs~