The BBC reported recently that a five year old had been added to Microsoft’s Hall of Fame for security researchers who find and privately report security vulnerabilities. Andrew Mason, co-founder and technical director of the security vendor and pen testing company RandomStorm (www.randomstorm.com), considers the contributions made to everyone’s online safety by people who are passionate about security testing. He believes information security has to be a passion, not a nine to five.
A five year old boy became the youngest person to be named in Microsoft’s Hall of Fame
Crowdsourcing security
The success of our most popular web services hinges on the public’s trust in them. This is why Microsoft is among a growing number of cloud service providers running bug bounty schemes to reward individual researchers and ethical hackers for privately disclosing vulnerabilities that could compromise users’ security. Bounty schemes help web companies to keep up with the latest cyber threats and remediate issues before they can be exploited by hackers.
Catching the bug
A number of our employees are involved in both voluntary disclosure and bug bounty programmes, as well as taking part in the Cyber Security Challenge, Google’s Pwn2Own and Capture the Flag events. RandomStorm researcher Avram Marius Gabriel has gained the top spot on PayPal’s Wall of Fame, as well as being recognised for responsibly disclosing security bugs in the websites of Facebook, Google, Evernote, eBay Inc. and Twitter. All of these discoveries have been made outside of working hours. So what drives these researchers to spend every waking hour looking for bugs?
Playing by the rules
The law governing penetration tests is different in different countries. In the UK ethical hacking comes under the Computer Misuse Act
Common bugs
The Open Web Application Security Project
Wherever I lay my hack
Web application testers initially look for the more common vulnerabilities such as XSS or SQL injection, just as a black hat hacker would. SQL injection is particularly dangerous because it can be used to compromise web servers, extract data and launch attacks on network hosts that are connected to them.
Once they have searched for the obvious flaws, testers look for more obscure bugs in web developers’ coding. Unusual hacks are more rewarding to discover, because of the sheer intellectual thrill of finding and running a proof of concept on a vulnerability that no-one else has spotted. It is this that keeps independent researchers fired up and searching for bugs well into the small hours and helps to make popular web services safer for users.
Passing the baton
In my view, as well as their willingness to play with technology, the key attribute that marks out white hats is their willingness to share what they’ve learned, so that websites and online payment transaction systems become safer for us all to use.
We share our learning with the community on Twitter, through OWASP events and via open source apps added to Kali Linux
DVWA is a free PHP/MySQL web application that teaches how to test for XSS, SQL injection, brute force attacks, file upload vulnerabilities and file inclusion within web apps, without flouting the Computer Misuse Act. It can be used in a classroom environment as part of a cyber security course, but should never be uploaded to a live web server, as it will be hacked. DVWA is now being used by blue-chip companies to train their web app developers about the common programming mistakes that allow malicious input to be inserted into strings, making the application unsafe for users.
This willingness to pass on skills to develop the next generation of white hats is a core part of our company culture. One of our apprentice PCI security engineers, Scott Glossop, has been mentored by five members of our web testing and PCI DSS team. He has also increased his knowledge of web app testing through hacklabs, and reading other security researchers’ blogs in his spare time. Scott has already been publicly acknowledged in the Halls of Fame of Microsoft
Conclusion
Information security has to be a passion, not a nine to five. The very best ethical hackers spend most of their waking hours reading up on the latest testing techniques and discovering exploits. The independent research undertaken by web security specialists also helps to keep their professional skills sharp, enabling them to perform more in-depth pen tests on behalf of clients.
Raspberry Pi founder, Eben Upton, has stated that he wants to use his Linux microcomputer to encourage iterative learning and coding. This is an important skill to foster in youngsters, as ethical hacking is all about discovering vulnerabilities through trial and error, so that they can be fixed. However, it is easier to code than it is to code securely. There are currently a great many more web application developers than there are security experts. As a result, even the largest companies rely on voluntary disclosure programmes and bug bounty schemes to identify and close vulnerabilities in their web-facing applications.
Through a combination of the work of organisations such as OWASP