Comments on: It is Persistence

By: stephen

stephen — Thu, 26 Mar 2009 01:27:44 +0000

Most people stumble and bumble around and bounce into vulnerabilities. Some use a toolbox of strategies in a particular order. Some use a toolbox in no particular order.

Whilst others still can almost KNOW what the vulnerabilities are before they delve down deep inside. A kind of sixth sense (intuition)- is what they have.

When you research the psychology of analysts you begin to understand just how deep some can get into this zone. Why they can is the most interesting story of all.

By: hartog

hartog — Fri, 06 Mar 2009 13:47:04 +0000

Totally agreeed! I dont know much about cryptography but I did find a flaw in a crypto module of Ruby. See my blog article (http://www.coffeeaddict.nl/blog/20090306/171/) for the full story

By: triggerzdown

triggerzdown — Tue, 03 Mar 2009 14:44:06 +0000

Yes this is correct the more you dabble and research on a topic the more you will find out. But experience does have a factor in this. So to all you researchers just keep on searching and trying new things and something is bound to happen.

-triggerzdown

By: pdp

pdp — Wed, 25 Feb 2009 12:10:03 +0000

I see what you are saying and I am not disagreeing that experience is important. I am simply mentioning that finding vulnerabilities (not penetration testing), when time is not an issue, does not require anything else apart from persistence.

By: Andre Gironda

Andre Gironda — Wed, 25 Feb 2009 11:45:04 +0000

I disagree. There is:

Testing
Inspection

Testing has Dynamic analysis, white-box testing (full knowledge), black-box testing, gray-box testing (see: OSSTMM 3.0 for more details), experience-based testing (which you speak against), and defect-driven testing (which Gareth Hayes has mastered with XSS and which Bernardo Damele A. G.has mastered with SQLi – and which Shreeraj Shah has mastered with basically everything else).

Inspection has static analysis + another called “review”.

Your “Persistence” is really something else called “Completeness” in my eyes. I also feel that experienced-based testing is the most important, which is why tools fail us (imagine imperfect software failing at testing imperfect software!). I have found bugs just by looking at a web page and saying “that’s a bug!” that nobody else would ever see. Ask the tssci-security team + others that I probably can’t and shouldn’t name.

So for you to dismiss experience-based testing seems to demonstrate (to me) that you don’t have enough experience. This isn’t a knock, but defect-driven approaches and focusing too much on other areas (which you are clearly highly intelligent about) may blind you to the overall “big picture” stuff.

Curphey wrote an article about the Security Gene, so this was already discussed (and I think at the time, I didn’t agree with either of you), but it’s an interesting conversation topic. Thanks.