Why should we invest our time in doing security testing?

Richard Adams (@oxygenaddict )spoke at TestBash UK 2023 on how security testing should be something we can and should be doing every day.

Richard Adams on stage at TestBash UK with slide "Why should we invest our time?1268×712 168 KB

So we invite you to watch his talk and use this Club thread to:

• Share what you’d like to apply or have already applied at work
• Open a discussion about what you’ve learned
• Share your appreciation for Richard
• Ask a question

You don’t have to watch the entire talk if you don’t have time. Skip ahead to one of these concepts. And then come back to others later:

1m 28s - Getting started and finding bugs
8m 17s - Why should we invest our time?
8m 24s - Business Case
9m 58s - Security testing is just testing
10m 29s - Planning
11m 04s - Scenarios
13m 01s - Test beyond UI
15m 47s - Test data
20m 51s - Tools
24m 32s - Summary

Watch " Exploring Security in Day-to-day Testing"

This talk is available to watch with a Pro Membership

How about you?

• How to make beginner testers start thinking about security?
• What sort of tools do you have in your security testing toolbox?
• Have you heard of any nightmare security vulnerability stories from across the globe? What can we learn from them?

I like the OWASP Penetration Testing Kit browser extension he mentioned. Let’s hope our IT allows us to use it.

We started to focus more on security recently. Many tools and techniques are complex and scary for beginners. We got a lot of value out of simple security tests (try logging in without/with wrong password) and security analysis of existing features and documentation.

I’m not sure it’s the best start for a beginner - level tester to do security tests, they should probably focus on the learn testing aspect first. But letting them think about security is basically easy!

• What can I do to exploit this? Or How would a hacker exploit this?
  You don’t need to be able to do it, if you can think of it and it would theoretically work, there is probably a loophole in there that needs to be looked at.

This totally depends on what you are doing.
I like to use:

• Postman & BurpSuite for quick API altering / proxy & exploratory testing
• Burpsuite for the Intruder
• ffuf: GitHub - ffuf/ffuf: Fast web fuzzer written in Go
• ZAP for passive & active scanning, also for web crawling to expose endpoints
• XSS Striker from s0md3v: GitHub - s0md3v/XSStrike: Most advanced XSS scanner.
• Sherlock for recon on social medias of people: GitHub - sherlock-project/sherlock: 🔎 Hunt down social media accounts by username across social networks
  I use this to look through DEVs portfolio’s like linkedin to see which tech-stacks they use to find vulnerabilities in platforms.
• Google Exploit DB: Google Hacking Database (GHDB) - Google Dorks, OSINT, Recon
• Metasploit https://www.metasploit.com/
• Hydra for brute forcing PW: GitHub - vanhauser-thc/thc-hydra: hydra
• Google Dorking (not really a tool, just a fun way to use Google): here’s a cheat sheet: Google dork cheatsheet · GitHub
• Ciphey for decrypting: GitHub - Ciphey/Ciphey: ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡
• JWT_Tool to check JWT tokens for vulnerabilities: GitHub - ticarpi/jwt_tool: 🐍 A toolkit for testing, tweaking and cracking JSON Web Tokens

There are so many more, but it depends what you are doing. But these are my common onces

There are so many. I’ve learned that bad organisations rather pay ransomware then invest into security. Security is not a joke and a lot of people don’t know how to act around it. So maybe it’s not “bad organisations” but the LACK of Knowledge of people. Then again, often after explaining what the damage can be, it gets neglected

It’s a dark hole in the IT - Business which nobody dares to crawl into.

I’ve seen organisations being hacked for 8+ months in my first week at the client and not a single person invested time in it earlier. (they didn’t knew) It costed the company a lot of money … A LOT. The hacker just had a backdoor file installed and was just regularly connecting to disable items in their online webshop. It finally stopped just because I spend 10 minutes on it because I was intrigued with why the webshop items were getting “automatically” archived since there was no “automatic-archive” but I was to late, the damage had been done and the webshop closed a while after due to this, because it wasn’t getting any return value.

The Best/Worst nightmare security vulnerability stories are those which you warn a company about a security breach and they do nothing about it and they get hacked. You feel absolutely the worst since you tried to warn them but they didn’t listen, you can’t help it … but you knew… .

I’ve reached out to at least 50+ companies by email about security vulnerabilities on their product/website and literally 0 …ZERO… replied. (not through bug-bounty-programs)

I often get a linkedin profile view from somebody at the company but nothing happens. I even tell them that I’m open to provide some guidance or do a re-test.
And sometimes after a while you can see in the news " X or Y has been hacked"

Sometimes you heard " we had an email about this but didn’t think it was legit"
The recent Okta Breach had this issue also, they’ve been informed about a vulnerability ~3 weeks before being breached but they didn’t act upon it.

So yea… the nightmare stories… I can go on and on and on …