The challenge for Day Twenty-Five is - Find and use a mobile security tool. I've heard mixed responses about mobile security applications; on one hand I've heard that Lookout is a good antivirus application - I used it on my first smartphone, a Galaxy S many many moons ago, but managed to brick it -...
30 Days of Security Testing – Day Fourteen
The challenge for Day Fourteen is - Develop a test plan including security tests. In my day-to-day work I don't necessarily write formal test plans, but rather user stories for what I'm going to test. When writing my user story I'd consider the following points for security: Environment: How is this application accessed? Private network...
30 Days of Security Testing – Day Twenty-Eight
The challenge for Day Twenty-Eight is - Share security testing ideas for specific domains. For this challenge I thought I'd look at E-Commerce as a domain, as there are plenty of opportunities to test for security vulnerabilities. Some items to check if you were looking at testing the security of an e-commerce application: Authentication -...
30 Days of Security Testing – Day Thirty!
The challenge for Day Thirty is - Discover the difference between White, Grey, and Black Hat Hacking. The names White Hat and Black Hat are derived from the old Western movies where the "good guys" wore white hats and the "bad guys" wore black hats. White Hat Hackers are also known as "Ethical Hackers". These...
30 Days of Security Testing – Day Twenty-Four
The challenge for Day Twenty-Four is - Use a suggestion from the OWASP Web Application Security Checklist. To attack this challenge I went to the OWASP JuiceShop here. The OWASP JuiceShop is an intentionally vulnerable web app that allows people to test out exploits, kind of a "Don't do what Donny Don't Does" for web development....
30 Days of Security Testing – Day Twenty-Three
The challenge for Day Twenty-Three is - What are the top 10 security threats of 2017? For this challenge I'm going to blatantly cheat and refer to my previous blog posts on the OWASP Top Ten 2017 https://mikethetesternz.wordpress.com/category/supergoalingbros-project/ Still relevant! Thanks for reading my post and following my progress through the 30 Days...
30 Days of Security Testing – Day Twenty-Seven
The challenge for Day Twenty-Seven is - How could BYOA (bring your own application) play a part in security? I couldn't find much information regarding BYOA issues, so instead I interpreted the task as looking at security implications of BYOD (Bring your own device). I also felt it was more relevant as people bringing their...
30 Days of Security Testing – Day Twenty
The challenge for Day Twenty is - Read about DOS/DDOS attacks. Share examples/stories via social media. A DOS attack or Denial of Service Attack is where the attacker seeks to make a resource or machine unavailable to its intended audience or user. This is usually done by spamming the target with too many requests for...
30 Days of Security Testing – Day Nineteen
The challenge for Day Nineteen is - Research Script Kiddies and/or packet monkeys. Script Kiddies and Packet Monkeys are derogatory terms created by experienced hackers for unskilled/inexperienced hackers. Found a great article from the SANS Institute written back in 2001 that explains the terms brilliantly. In more detail: Script Kiddies A script kiddie is a...
30 Days of Security Testing – Day Eighteen
The challenge for Day Eighteen is - Learn about Security Headers. If you are testing a web application, the Developer Tools in your browser are your friend. By pressing F12 on a Windows or Linux machine while accessing a site through a browser (or ⌥⌘I on a Mac), you can see a host of information....
30 Days of Security Testing – Day Seventeen
The challenge for Day Seventeen is - Research a recent hack/security breach. This was a fun challenge with tonnes of material to pick from. I decided to look into the HSBC breach that I heard about on the IT Governance Weekly Podcast from the 9th of November. In a BBC article posted on the 6th...
30 Days of Security Testing – Day Sixteen
The challenge for Day Sixteen is - Research how to build a Tiger Box. Note: Please use this information responsibly. Step One - find a box. Step Two - add Tiger. Step Three - release into the network. ...not quite! When I started looking into this question the details on what makes a "Tiger...
30 Days of Security Testing – Day Thirteen
The challenge for Day Thirteen is - Perform a Security analysis for requirements in a story. I interpreted this challenge as "demonstrate how you would consider the security implications in a user story". If you are new to the concept of a user story, Wikipedia defines it as an informal, natural language description of one...
30 Days of Security Testing – Day Fifteen
The challenge for Day Fifteen is - Write and share ideas for security testing via Twitter or a blog. Yusss, ticked this one off without even trying! I started writing this blog a while back to document my learning and share my findings with others new to testing. I've also got a Twitter account I...
30 Days of Security Testing – Day Twelve
The challenge for Day Twelve is - Read about security testing and discuss where it best fits in an SDLC. This was an interesting challenge, as most people will agree that it's important to perform security tests over an application, but when is the "best" time to test? To dig deeper we will need to...
30 Days of Security Testing – Day Eleven
The challenge for Day Eleven is - Try to figure out the Posture Assessment for an application. This challenge was a pinch confusing for me, as I didn't know what a "posture assessment" was, so I decided to google the definition: The security status of an enterprise's networks, information, and systems based on IA resources (e.g.,...
30 Days of Security Testing – Day Ten
The challenge for Day Ten is - Read and Learn about Ethical hacking. Ethical hacking is a bit of an odd one for me, as perception can play a big part in what's considered ethical. "Ethical Hackers" or "White Hat Hackers" are supposedly the good guys, using their powers for good. While malicious or "Black...
30 Days of Security Testing – Day Nine
The challenge for Day Nine is - Discover the process and procedures around Security Auditing. I've never performed a security audit, nor have I ever seen one done, but from the brief reading I've done for this challenge I can absolutely see the merit in doing a security audit for a company. To put it...
30 Days of Security Testing – Day Eight
The challenge for Day Eight is - Use a proxy tool to observe web traffic in a web or mobile application. For this challenge I could look back at using Burp Suite as that has a Proxy function, but another couple I've used are Fiddler and Charles Proxy. I'm more familiar with Charles and have...
30 Days of Security Testing – Day Seven
The challenge for Day Seven is - Learn one or more things about Penetration testing. I ran a quick Google search for a penetration testing definition and found this tidy video: To me, penetration testing looks like one of the coolest branches of testing. Getting paid to play hacker/spy and commanding some of the tastiest pay brackets...