#30DaysOfSecurityTesting – Task VII

screen-shot-2017-02-09-at-01-55-17

All previous posts in this series: I, II, IV, V, X, XXX

Task: Learn one or more things about Penetration testing.

First thing what I learned today about the topic is the difference according to vulnerability scanning. During scanning you identify and prioritise possible vulnerabilities, but during penetration testing you actively explore those vulnerabilities with the aim to break in.

Second, very important thing what I learned: in Germany all penetration testing without permission of an owner is illegal. So if you will scan somebodies system in the Germany, try to use the vulnerability and report it to the owner with hope to get a reward, you may land in the jail.

#30DaysOfSecurityTesting – Task IV

vulnerability

All previous posts in this series: I, II, X, XXX

Task: Learn anything about Vulnerability Scanning

I looked for the answer in “How To Break Web Software” – book, which I chose in task II. In the index, the only page selected for “vulnerabilities, searching for” is page 107. You can see it in the image above.

It was not enough for me. So I checked the source, which, as I learned from my son, has many answers:

Than I found the list of vulnerability scanners. The experts will LOL about my comparison of Nessus and Nmap, but that is what works for me:

  • Nmap is free, the website from 90’s and tool is difficult to configure.
  • Price of Nessus single user licence is “$2,190 USD/year” (funny that they use both: $ and USD for the price), modern website and the tool seems to be very user-friendly (according to demonstration above).

I consider to download Nessus and scan my home network. Curious what it will say about my internet radio. Download starts with filling out the form, even if you want try-out for single user licence you have to select your job position. In the list you will find all kind of people, except software testers.

screen-shot-2017-02-04-at-23-58-53

The more I think about web security, the more it reminds me birth control. Some of us blindly trust a protection of their choice, some think that nothing will happen anyway and use none and there are some of us, who choose to walk on the edge. Negative consequences of some of those decisions are AIDS, fertility treatments or teen mums.

I am quite a sceptic – if we cannot handle issues of our own bodies and health, then such abstract thing as web security has no chance to get our attention before something really bad happened.