Wednesday, November 28, 2012

Pen-Testing as a Service (pTaaS)

Today the most popular term in the software industry is probably 'SaaS' (Software as a Service), which basically means 'Software on Demand'. In the SaaS model the software is hosted at some remote place and the customer accesses it using a web browser or a similar client. The main benefits of the SaaS model include:
  • the customer does not need to worry about the hardware and maintenance requirements of the software;
  • and in most cases the customer pays only for what he uses, e.g. with DynamoDB the customer pays only for the amount of data he stores or retrieves.
These two benefits have made SaaS quite a popular concept.

In the term SaaS, the word 'service' is used figuratively, i.e. it is like outsourcing your software's infrastructure and maintenance needs. When I say pTaaS, i.e. Pen-Testing as a Service, I mean it literally rather than figuratively: by pTaaS I mean outsourcing your penetration testing work.

The biggest hurdle in outsourcing some service XYZ is the amount of information that needs to be exchanged between the client and the service provider; if that exchange involves sharing something confidential, then service XYZ probably cannot be outsourced. As penetration testing is itself a form of black box testing, it can be outsourced easily, since the pen-tester hardly needs any implementation or even design information.

Although some forms of pen-testing are better categorized as gray or white box testing, that is not actual pen-testing; at least that is how I feel. Pen-Testing is basically thinking from an attacker's or hacker's point of view and then probing a piece of software for security vulnerabilities. The less information (of course, about the targeted software) a pen-tester has at the beginning of the pen-test, the more effective and more practical the results are going to be!! When someone knows the internal details of a product YYY, then for him it is comparatively easy to figure out the issues with that product. But the real art lies in starting with zero information and ultimately figuring out a way to compromise the whole product; this is what our pen-testing services are all about.

If you allow us to do this service for you, then:

  • we will do a complete analysis of your website, exploring all possible issues through which your website could be compromised;
  • and finally we will share a detailed report of how those issues could be exploited, along with suggestions to fix them.

PS: In my last post I promised to discuss UI Redressing attacks and usage statistics for 'X-FRAME-OPTIONS'; please excuse me for changing the topic today; I will write on that topic very soon.

-Archana

Monday, November 26, 2012

Creating Website for Dummies -DreamWeaver and GoDaddy - Amazing Combo !!

Disclaimer: If you are an expert web designer then this blog post is not for you :) ; it is meant only for Dummies like me who don't have even very basic knowledge of website creation concepts.

My core interest is in Testing (i.e. breaking things, complaining about problems, shouting here and there about why things are not working, etc. etc. :D); I never thought about the amount of effort that is actually needed to get a simple thing like a static website working. Seriously, finding issues in working things is lot lot lot lot easier than actually getting those things working.

I was searching for an easy solution to create a website with static content; the hosting server, 'GoDaddy', I finalized immediately (based on my brother's recommendation), but I was not sure about the tool to use for creating those static pages. While browsing the internet I suddenly saw Dreamweaver, which reminded me of my college days. I used Dreamweaver a little bit in college, but that was around 4-5 years ago and I didn't remember a bit of what Dreamweaver was like at that time.

So, based on the fact that at least the name Dreamweaver looked familiar, I downloaded the trial version from here (CS6). Luckily I found this link to a video on the internet in which the integration of Dreamweaver with the FTP server of GoDaddy is explained; the Dreamweaver version shown in the video is probably some older version, but it was still not tough to figure out the same settings in CS6. With 3-4 lines of remote server settings in Dreamweaver I was able to sync my content directly with the content on the GoDaddy FTP server!! I am not going to explain the minute details of those settings here, as I believe the Dreamweaver UI is very intuitive and, using the video I linked above, it is very easy to figure out the exact steps.

Our website is still under construction, but the ease provided by Dreamweaver (at least in syncing the content) is awesome!!

Stay tuned for the coming post on UI Redressing attacks and usage statistics for 'X-FRAME-OPTIONS' in reference to Indian websites.

-Archana

Saturday, November 24, 2012

HackVidhi - Story of Inception


On a warm midnight in October this year, Archana and I got into a discussion about how her random attempt at placing an order online for a commodity (without actually completing the order) resulted in a successful order notification, and she was left with an order placed worth Rs 17,000 for a commodity that she neither intended to buy nor had paid for!!
I once placed an order that I wanted to modify later and was left with no other way of editing my order but to write to customer care using their “Post us” form. Needless to say, perplexed as I was, I heartlessly filled the form rapidly, thinking over what I could post in it to inform them about an alteration I needed to make in my order. When I was done posting my query, I started thinking whether there was a different brain thinking about ‘what all’ could be posted on this form, rather than just what could be posted on such forms.

There are spams floating all around offering products that mislead consumers into online frauds.
These represent a much larger gamut of such experiences in an online customer’s day-to-day life that makes him rethink the fidelity of online endeavors and how fatal they can be if precautions are overruled. For all we know, in the online world the thick layer of underlying security vulnerabilities exposed by high-traffic web applications and numerous bare loopholes make a great motivation for a series of malicious brains making their way into the world of tremendous possibilities termed hacking.


The question comes: do today’s online businesses have enough investment and awareness to protect their systems from potential attacks, or is the red carpet laid to welcome their customers eventually trafficking the hackers?

The mere thought process took us on a joy ride of much interesting discussion on how we can explore these possibilities and help online businesses hear the Ninja's knocks on their doors!
The result of our discussion was HackVidhi - a simple and thoughtful initiative to provide quality assurance services for the magnitude of security vulnerabilities unleashed by millions of dollars' worth of insecure information travelling through trapped tunnels.
At HackVidhi and in this blog we will continually talk about:

- Most common Web App Security threats
- Current Hacking trends and the Math of Security Risks
- Dynamics of site exposures and Threat Modeling
- Preventive measures and our offerings
- Penetration Testing: Raising the bar
- Specialized services for Web Application Security

Look for our upcoming posts on Web Application Security hazards, making your Web App your secure home, keys to your own doors of assured and secured success, and a lot more.