
Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs


(NEW) STANDARDS

References

• [1] Sony Pictures database is hacked, http://www.h-online.com/security/news/item/Hacktivists-break-into-Sony-Pictures-database-1254622.html, 03.06.2011
• [2] LulzSec states that the website of the CIA is offline, https://twitter.com/#!/LulzSec/status/81115804636155906, 14.06.2011
• [3] Mozilla Security Bug Bounty Program, https://www.mozilla.org/security/bug-bounty.html, 14.12.2010
• [4] Rewarding web application security research, http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html, 01.11.2010
• [5] Facebook Security Bounty Program, https://www.facebook.com/whitehat, 29.07.2011
• [6] Sony takes legal action against PS3 hackers, http://www.h-online.com/open/news/item/Sony-takes-legal-action-against-PS3-hackers-1168231.html, 12.01.2011
• [7] OpenSSL Vulnerability Shows Open-Source Process Weaknesses, http://www.gartner.com/DisplayDocument?id=676807

attack. Therefore, Hatforce recommends that the client run the test on a copy of their website, so that production is not disrupted.

Nevertheless, it is not always easy to make a copy of a website: it demands resources, and it also changes the value of the test, since the software and configuration files on the copy may differ slightly from production. Consequently, every test should be planned carefully, and the client should be aware of the associated risks. Data backups and close communication with Hatforce are the most that can be done to mitigate the risk.

Is crowd-sourcing replacing the standard penetration test?

Depending on the size of the company and many other factors, crowd-sourcing may not be suitable for a penetration test. For example, large companies will most likely want to employ somebody who checks their entire network infrastructure from the inside. Crowd-sourcing cannot be applied to such demands. Nevertheless, the recent examples of Mozilla, Google and Facebook show that the crowd-sourcing principle has been accepted and is actively in use.

Future improvements

Hatforce is for the moment just starting its service. There are many improvements that can still be made, and the community can help refine the model to its needs. Once the evaluation system is in use, clients will get the best testers for their needs, and testers will be able to choose the good clients who have proven that they pay testers.

Hatforce is actually using its own platform to test its own website! There might be some vulnerabilities, although we hope there are no really easy ones, and testers will be rewarded for finding them.

Conclusion

An open market for crowd-sourced IT-security testing is a new and efficient way to quickly get as many testers as possible. If Sony had used this possibility with a reasonable reward per vulnerability, testers would have found the simple SQL injections that made it possible to hack its websites. And Sony is just one of the most popular examples. Who knows how many easy and critical vulnerabilities are still out there, not only in the systems of big companies, but also in the products of small and medium-sized companies.

Hatforce offers an efficient and competitive testing opportunity compared to standard penetration tests, since no money has to be paid if no vulnerabilities are found. Furthermore, through crowd-sourcing, every hacker gets the opportunity to use their knowledge in a good way. Converting illegal hackers into white hats who help other people fix the security vulnerabilities of their products is the best result that can be achieved through crowd-sourcing.

ARTHUR GERVAIS

Arthur Gervais is a passionate student of IT-Security, currently in Sweden at the Royal Institute of Technology (KTH) in Stockholm. Since an early age, he has been determined to work in the field of IT-Security. He is the founder of the startup Hatforce, which offers crowd-sourcing for IT-security tests. He recently won the "Best Student Award 2011" offered by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik). In 2012 he will complete his Master degrees from INSA de Lyon (France), KTH Stockholm (Sweden) and Aalto University in Helsinki (Finland).

05/2011 (5) September, Page 40, http://pentestmag.com
