When testing applications for security vulnerabilities, enterprises often face the problem of picking from countless assessment options and the compliance and audit urgencies associated with securing applications from attack.
In order to discover and mitigate as many exploitable flaws in an application as possible, a different perspective that applies a hacker mindset can be effective. In today's world of instant gratification-based vulnerability scans that are often performed with generic network security products, enterprise IT and security professionals overlook tons of opportunities to better secure their application environments simply because they're not thinking like the bad guys.
The concept of knowing your enemy, conceived by Chinese military strategist Sun Tzu centuries ago, is popular in security circles, but it has yet to be truly ingrained into most information security programs. When web applications, mobile apps and internet of things devices are tested using only automated tools and are not analyzed to see how a malicious actor can go about further exploiting the systems from every possible angle, then a proper assessment has not been performed.
Vulnerability scanners -- even dedicated web vulnerability scanners -- are notorious for overlooking low-hanging fruit that only someone with a hacker mindset would notice. For example, when I'm testing for application security flaws, one of the main areas I focus on is the login mechanism. Things like weak password policies, a lack of intruder lockout and flawed password reset mechanisms can all be exploited through manual human effort. Yet vulnerability scanners struggle to find such deficiencies.
Applying a hacker mindset
Criminal hackers think and work no differently than any other criminals, such as burglars and kidnappers. Thinking like a hacker can help uncover other, overlooked application weaknesses, such as:
- Unobvious, yet viable application logic flaws that allow for ill-gotten gains based on how the system steps the user through certain workflows and how it processes information.
- Exploitation avenues associated with email phishing and end users, which is a level of testing that most people are not doing.
- Content management systems, marketing websites and other hosted applications that are notorious for not being tested because of the assumption that the hosting provider is doing so, when they're actually not.
- Performing database dumps via SQL injection commands over transport layer security encrypted sessions knowing that they will likely go undetected because web application firewall controls and packet inspection are not taking place on encrypted communication sessions.
- Missing web server software updates that have remained unpatched due to limited resources or the fact that the vendor will no longer support their software.
- Open web proxies that are there for a specific business reason, but that are still exploitable -- and being exploited -- by criminals to cover their tracks and make it look like the attacks are coming from your network.
- Registering an internet domain similar to one that hackers know your users connect to and interact with in hopes of gaining access to sensitive information. The same goes for mobile apps; all it takes is for an attacker to create and upload a malicious app to an app store and wait for your users to download, install and run it.
The possibilities are endless. Criminal hackers know they must do what they can to test the limits of your application environment while, at the same time, flying under the radar. They also know that they likely won't get into trouble, because the typical enterprise has limited visibility and control over its application environment. Worst-case scenario: The bad guys know that they can use other people's systems to attack you in order to cover their tracks.
Thinking like a black hat
Hackers also know that just because vulnerabilities haven't been uncovered, it doesn't mean they're not there. Enterprise IT and security managers, on the other hand, tend to assume that all is well unless there's a security advisory that tells them otherwise.
Hackers know that when web vulnerability scanners uncover potential vulnerabilities involving SQL injection and cross-site scripting, they need to dig in further, as something is likely there. Many people tend to dismiss such findings as mere false positives and move on to the next thing.
From a malicious attacker's perspective, you have to determine what will benefit you or inflict harm on your victim the most. One thing to keep in mind is that not all hacking is financially motivated; simply wreaking havoc on targets can be the desired outcome. That motivation may have even played a role in the recent NotPetya ransomware attack, which many experts believe was simply a wiper attack in disguise.
The bottom line: It pays to understand your threats. One thing that benefits my work is looking at everything in IT from the perspective of a criminal hacker. This is tricky sometimes because it requires taking a negative approach to life. Still, it's very beneficial in helping you grow your hacker mindset and, ultimately, strengthening your overall security program.
Approach things in and around application security by giving processes, policies, systems and applications the benefit of the doubt, but also think about how they can be broken. Attending security and hacking conferences can give you a better sense of how hackers think; even reading novels based on criminal activity can help. I go fairly in-depth on cracking the hacker mindset in my book, Hacking for Dummies, and there are many other resources available as well.
Application security testing is an art, as well as a science. It requires creativity and analytical skills, and using a hacker mindset is an essential component of both. Going through the motions of web vulnerability scans and penetration tests for the sole purpose of checking the box and appeasing auditors does nothing to improve your application security efforts.
Get your hands dirty. Start thinking and acting like a criminal hacker during your testing. Do what it takes to dig in further and uncover application security weaknesses before the bad guys find them. They have nothing but time; you don't.