It is Persistence
Do some people have the magical skill to find vulnerabilities with ease while others don’t? Of course not! I disagree with the whole tendency to believe that technical understanding is all that is needed to find vulnerabilities.
It is mostly persistence that plays a role. Most of the researchers I know have almost zero knowledge on the subjects they dive into. The knowledge builds up with the time and by being more persistent on the topic of exploration regardless of its difficulty level.
Simply put, the more time you spend on something, the higher the chances to find oddities. It sounds quite logical, don’t you think? Countless examples already exist to prove my point.
I disagree. There are:
Testing
Inspection
Testing has dynamic analysis, white-box testing (full knowledge), black-box testing, gray-box testing (see OSSTMM 3.0 for more details), experience-based testing (which you speak against), and defect-driven testing (which Gareth Hayes has mastered with XSS and which Bernardo Damele A. G. has mastered with SQLi – and which Shreeraj Shah has mastered with basically everything else).
Inspection has static analysis + another called “review”.
Your “Persistence” is really something else called “Completeness” in my eyes. I also feel that experience-based testing is the most important, which is why tools fail us (imagine imperfect software failing at testing imperfect software!). I have found bugs just by looking at a web page and saying “that’s a bug!” that nobody else would ever see. Ask the tssci-security team + others that I probably can’t and shouldn’t name.
So for you to dismiss experience-based testing seems to demonstrate (to me) that you don’t have enough experience. This isn’t a knock, but defect-driven approaches and focusing too much on other areas (which you are clearly highly intelligent about) may blind you to the overall “big picture” stuff.
Curphey wrote an article about the Security Gene, so this was already discussed (and I think at the time, I didn’t agree with either of you), but it’s an interesting conversation topic. Thanks.