Best option from web developer to web penetration testing?

Mike7 Member Posts: 1,107
Management is asking, so....
As in the title, what is the most effective (and formal) way to get a web app developer with no security experience to become a decent web application penetration tester?

Attend training?
Get a fully featured app scanning software that does everything?

My current preference is eWPT training and a copy of the Kali VMware image.
Looking through the WAPTv2 outline, I like the fact that they start from the basics, cover OWASP and the major web vulnerabilities, have hands-on labs and even include a section on report writing.

We do not need full penetration testing capabilities, so OSCP and GPEN are out for now. Also looked at GWAPT and OSWE. I understand that GWAPT is more theoretical, whereas OSWE training is only available at Black Hat 2015. Not keen on CEH either.


Thoughts?

Comments

  • OctalDump Member Posts: 1,722
    In between web developer and penetration testing is secure programming. Are those skills already there?

    Anything OWASP based is a good start. CEH is almost not worth the effort, especially if there is a real web focus. I am assuming that this is more to do with ensuring that the web application is secure than ensuring that the whole stack is secure. Offensive Security and GIAC both offer web focused courses/certifications. GWAPT and OSWE. I am guessing that it might also involve code auditing rather than pure black box testing, which is where the secure programming courses can be useful.

    Having web developer experience certainly is an advantage for web pen testing.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 Member Posts: 1,107
    OctalDump wrote: »
    I am assuming that this is more to do with ensuring that the web application is secure than ensuring that the whole stack is secure.
    The entire stack is secure except for ....
    It is easier to harden the OS, HTTPS, network and all 6 network layers; we have hardening procedures in place, and incorrect configuration can be detected by regular VA scans. Application layer security is another matter.


    GWAPT seems to be all theory with no hands-on while OSCE training is only available live at Black Hat USA. I am leaning toward eWPT as the course makes you hack into a web app.

    OctalDump wrote: »
    In between web developer and penetration testing is secure programming. Are those skills already there?
    I will not worry too much about this. Once the developer finds out how his insecure code can be exploited, he will be motivated to learn secure programming. That was one of the intents.
  • OctalDump Member Posts: 1,722
    I missed that on the OSWE course. I made the assumption that it was available online.

    The GWAPT has associated SANS training that does have a hands-on component. I think this one is near you, although not until March/April next year, and quite a bit more expensive than eWPT.

    Mile2 (Cyber Security Training - Penetration Testing, Digital Forensics) is the other company I was thinking of, but they don't appear to have web specific penetration courses. I think you might have found the best option.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 Member Posts: 1,107
    Yes. That was what I thought too.

    Thanks for the input.
  • the_Grinch Member Posts: 4,165
    eWPT is definitely the route you will want to go in my opinion. If you have a developer already, it wouldn't be a big jump to learn how to secure the code that they wrote (they have the foundation). Also, they can learn at their pace and get lab time in which to test the new skills they are learning. It seems to me that most developers are pretty good with learning on demand. OSCP does cover some web stuff (that's a section I just completed), but eWPT (or eWPTX) would serve you or the developer well.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Mike7 Member Posts: 1,107
    the_Grinch wrote: »
    eWPT is definitely the route you will want to go in my opinion. If you have a developer already, it wouldn't be a big jump to learn how to secure the code that they wrote (they have the foundation).
    My thoughts too.

    Our dev team was recommended AppSpider Pro. Seems that they were not comfortable with Kali, Metasploit or anything command line.

    the_Grinch wrote: »
    but eWPT (or eWPTX) would serve you or the developer well.
    I may do eWPT on my own next year as it seems like a good next step after CSSLP. Thanks for the input.
  • xXxKrisxXx Member Posts: 80
    Being a full-time web developer here and having gone through a few security courses (SEC542, eWPT, eWPTX, eWDP, CSSLP, GWEB) I figured I would chime in here. I haven't picked up the GWAPT certification yet because I only had an opportunity to view the content material. This is also the case for me with eWDP, and the CSSLP course. To top that off, I'm currently enrolled in DEV544.

    I'm going to highly recommend purchasing an automated web application vulnerability scanner (such as Acunetix, NetSparker, etc). These tools aren't going to be everything for you. You're going to have to hunt down things like business logic issues, chaining vulnerabilities together to accomplish exploitation of bigger problems, and more. Web Application Penetration Testing should be (aside from running a well configured scanner), all manually based in a Web Proxy (such as Burp Suite Professional). Sure you'll have your browser add-ons you'll be using and other tools like Dirbuster, etc, but for the most part you need to get comfortable with a Proxy tool.

    I'm not sure why you feel like the SEC542 material is mainly theoretically based. This course has labs where you're actually getting the practicality part down. The course also now comes with NetWars accompanying it. It's a capture-the-flag style approach where you actually have to demonstrate you know the material to answer certain questions based on whatever level you're on. Consult this clip for general information about NetWars. If your company has the training budget, you'd enjoy this class.

    What I liked most about the eWPT material was that the exam actually entailed a web application penetration test and writing a thorough report of your findings. They weigh the report 50% and your discovery (and accomplishment of the given task) 50%. You could end up accomplishing the end goal and have a horrible report and end up failing. A lot of people fail first time around (I did too), and luckily they include a free exam re-take. You feel like you get more out of the course when the examinations are practically based. Alternatively, you can sit in a class like SEC542 and go for the GWAPT certification with open books. This doesn't mean the information isn't valuable, it's just you can obtain the certification having not completed the labs and passed a multiple-choice test.

    In terms of 'respect' (if you care about that sort of thing), GIAC's certifications are always going to look better on a resume to HR, regardless of whether they're multiple choice. The people working in the field, though, are going to start recognizing eLearnSecurity's hands-on style approach to passing their examinations. Holders of these will eventually start getting the respect they deserve. The fact is that it takes a few years and a lot of money for a certification to get good recognition. eLS has been around 5 successful years now, and we're barely seeing their eCPPT and/or eWPT being wanted by employers. This is irrelevant honestly though in your situation. You're already working and not looking to leave. Your company is additionally willing to train your skill set.

    In my opinion, SANS is going to beat eLearnSecurity out in terms of training content. There are just more hours of content coverage, and they have some of the best instructors in the world who are experts in this field. You're going to see eLearnSecurity offers a similar approach to training by giving you slide content to read over. If you wanted a lab comparison between SEC542 and eWPT, they're very similar. SEC542 offers you a video containing a walkthrough on how to complete each lab, but with eLearnSecurity you're going to have to keep requesting hints to get answers. Of course, do the best you can without the hints.

    I absolutely love what OctalDump said here: "In between web developer and penetration testing is secure programming. Are those skills already there?" Way to hit the nail on the head here! He has more than a point here. What use is penetration testing if you can't write the secure code? You're going to find a bunch of bugs and not know how or why they are there in the first place. Your employer is probably just thinking in terms of 'you find the flaws for us before the bad guys do!', but they aren't addressing why we have these flaws in the first place.

    If you can get away with it, I highly recommend DEV522. The material isn't programming language specific but will introduce you to common flaws in web applications and how to mitigate them. You go through and actually mitigate and do some attacking in this course. It won't make you an expert in attacking web apps, but you'll walk away with a thorough understanding of why certain flaws exist and how to defend against them. If you happen to be a PHP developer, look no further than eLearnSecurity's Web Defense Professional. Not only are you fixing flawed PHP code, but you're also attacking it. The course came out in 2013, and I have a feeling that eLearnSecurity has a Version 2 release of the course on its way, scheduled for next year sometime.

    If you're a .NET developer like I am, look into DEV544. It's similar to DEV522 and eWDP combined, except you're attacking and fixing .NET code (Web Forms & MVC). I am enjoying DEV544 right now. It's like a recap of DEV522, but it's practically applying it using the .NET Framework. If you are curious about the CSSLP course: I just got out of the course September 25th this year. I wasn't incredibly impressed. The whole course was very slide intensive and very theoretical. You hear about terms like static and dynamic code analysis, but not once was there a lab where we sat down and opened up a tool to do it. The update for this course came out back in 2013 (I think), and if you're going to go for it, I warn you here not to take it online. Take it in person if you can. The CSSLP certification has a good ROI, but it doesn't make you a penetration tester. They briefly mention penetration testing and you do none of it at all, so you'll walk out of the course with a ton of knowledge, not knowing how to apply it.

    I feel like I'm ranting here, but long story short you have a lot of courses to pick from. I've taken a handful of them and if you have any specific questions after reading through everything I typed up, don't hesitate to ask here or through a PM.
  • OctalDump Member Posts: 1,722
    xXxKrisxXx wrote: »
    I feel like I'm ranting here, but long story short you have a lot of courses to pick from. I've taken a handful of them and if you have any specific questions after reading through everything I typed up, don't hesitate to ask here or through a PM.

    Not a rant. This is the kind of stuff that makes TE such a great forum. People who sampled enough of the wares to give you some good quality information about them.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 Member Posts: 1,107
    xXxKrisxXx wrote: »
    I feel like I'm ranting here, but long story short you have a lot of courses to pick from.
    This is the reason why I frequent TE forums; people providing valuable input unreservedly.

    xXxKrisxXx wrote: »
    I've taken a handful of them
    And this is another reason. Many in this forum have the knowledge and experience. Just 7 months back, the only infosec certs I knew were CISSP and Security+. I was not aware of GIAC's certifications, had never taken their training or personally known someone who did. And that is despite visiting SANS' ISC site on a regular basis and seeing the advertisements. Guess I have been living in a cave for too long or have become immune to internet adverts.

    xXxKrisxXx wrote: »
    I absolutely love what OctalDump said here, "In between web developer and penetration testing is secure programming. Are those skills already there?".
    The skills are not there. Neither is there a desire to learn. A senior developer once argued that SQL injection means query string manipulation and nothing more.
    Management is not knowledgeable nor patient enough. To them, antivirus and firewall are security.
    xXxKrisxXx wrote: »
    What use is penetration testing if you can't write the secure code? You're going to find a bunch of bugs and not know how or why they are there in the first place. You're employer is probably just thinking in terms of, 'you find the flaws for us before the bad guys do!', but they aren't addressing why do we have these flaws in the first place?
    To the dev team, pen test report findings are just a nuisance. They do not understand the implications of the vulnerability.

    GIAC training is definitely going to have better content and more in-depth coverage, and their certs are well recognized. From an ROI perspective, our web developer may go through a very expensive class without an open mind and learn nothing. And it is only available in March.

    Agree with you on CSSLP, as I self-studied and passed the exam recently. The CSSLP is what we call a "management" exam; it focuses more on managing the security process, not on doing it.

    Management wants to build internal pen test capability. This is a business decision and ASAP is the key word.
    From a security professional perspective, I see this as an opportunity to get the dev team into a secure programming mindset. Hence the suggestion to get a developer to go through eWPT, as it is readily available, has hands-on, is inexpensive and has a section on pen test report writing.


    Thanks for the input, especially on the GIAC portion. Now that I have come to know more, I may sign up for one come March. Either save money for it or look for an employer who is willing to pay.