Dear PenTest Readers,
We are very proud to present you the new issue of our magazine. This time, we would like to concentrate mainly on the aspect of automation in penetration testing. Therefore, we are in a sense continuing the idea of our previous issue, which analyzed the role of AI in penetration testing. Not only are we aiming to present specific analyses of automated pentesting processes and of how they go beyond the limits of manual pentesting, but we also try to answer the questions that the presence of automation in the penetration testing field evokes. For instance, what are the implications for the infosec business and the job market? What is the future of penetration testing in general, and to what extent can the role of penetration testers be diminished by AI? These are some of the aspects that we would like to deal with this month.
We are extremely happy to publish a piece written by Chrissa Constantine for the second issue in a row. This time Chrissa provides a comprehensive analysis of automated API testing. This is another ‘must read’, especially if you are interested in web services, which have become more common in penetration tests.
Furthermore, we are truly honored to include an interview with Dr. Jane LeClair, who is the President and CEO of the Washington Center for Cybersecurity Research & Development. The interview covers a number of topics within the cyber security field - the idea and activity of the institute, security culture in the workplace, education, the role of women in IT, and the cybersecurity of particular industrial sectors. Dr. LeClair’s remarkable experience and broad perspective are a guarantee of an interesting conversation.
Speaking of the role of women in the field of cyber security, we would like to draw your attention to Nouha Ben, who is a 15-year-old Computer Science student and has her debut publication in this issue. We firmly believe that young talents should be promoted and supported.
Harpreet Singh provides an extended tutorial on automation in penetration testing, using the examples of Nessus, Yuki Chan, and static and dynamic analysis. If you are looking for technical tutorials, you will be satisfied with this one!
We are pleased that one of the authors in this issue is Professor John Walker, who provided us with a historical perspective on penetration testing (which contains some very interesting case studies), as well as an outlook for its future, with an emphasis on the role of OSINT. A broad perspective is something we always appreciate, as we believe that only a reflective approach can provide us with a better understanding of on-going changes and sensible prospects for the future.
Haydn Johnson wrote a thought-provoking article about the commoditization of penetration testing, and certain risks caused by automation in the context of the relationship between companies and pentesters. This subject is also mentioned in our second interview of the issue. We talked with Mr Falgun Rathod, who has delivered over 100 seminars and training sessions in various colleges and corporations across India and is listed among the Top Ten Ethical Hackers of India and Top Ten Cyber Cops of India.
In the current issue, you can also find pieces about automated source code review with Fortify SCA, the implementation of automated penetration testing in a company, and cryptocurrencies and regulations.
Alright, that’s enough spoilers!
Enjoy your reading,
PenTest Magazine’s Editorial Team
Table of Contents
Automating API Testing
by Chrissa Constantine
There is considerable value in automating portions of API pentesting. Commonly, pentesters open the web application and navigate to all of the pages, capturing the requests and responses in a security testing tool like Burp or OWASP ZAP. The use of API testing tools like SoapUI or Postman can help pentesters generate and submit web service requests. For SOAP calls, the WSDL can be challenging to read and to derive manual tests from. Tools that can be pointed at a WSDL or a Swagger (REST) file are essential, so that testers can work more efficiently. It is worth spending time setting up the testing environment in preparation for analyzing the API.
The Real Key Is To Create A ‘Cybersecurity Culture’ In The Workplace
An interview with Dr. Jane LeClair
While each sector is ‘critical’, they are bound by the single thread of energy without which none can effectively function. One of the problems associated with the energy sector is that it is primarily owned and managed by independent private organizations. As such, cybersecurity is not uniform in these areas and is subject to attack by those with malicious intent, including rogue nations.
Automation in Penetration Testing
Nessus, Yuki Chan, Static and Dynamic Analysis
by Harpreet Singh
During the course of a penetration test, you may encounter tasks that a tool may not accomplish. One such task that I faced during one of the tests was to identify whether a set of default directories was present on the target. I know that there are tools like dirbuster that can be of use, but I had none, and no access to the internet. These kinds of situations forced me to develop code that would do the job. The code is simple. There are two objects that we are going to play with. One is the IP that is the target and the other is the list of directories that will be checked. The code will generate the complete URL by appending the directory names to the target IP.
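A defender-side version of the check described above, added here as an example and not the article's own code: it builds URLs by appending each directory name to the target, then reports which paths answer, so an administrator can confirm that default or sample directories were removed from a host they manage. The HTTP fetch is injectable so the logic can be exercised offline; the directory list and the 192.0.2.10 address are constructed placeholders.

```python
# Added example (not the article's code): audit a host you administer for
# leftover default directories by building URLs the way the article describes.
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed sample list of default/sample directories that should be gone after deployment.
DEFAULT_DIRS = ["admin", "phpmyadmin", "backup", "test", ".git"]

# Status codes that confirm the path exists (401/403 and redirects still reveal presence).
PRESENT_CODES = {200, 301, 302, 401, 403}


def build_urls(target: str, dirs: List[str], scheme: str = "http") -> List[str]:
    """Append each directory name to the target IP/host, as in the article."""
    base = f"{scheme}://{target.strip('/')}"
    return [f"{base}/{d.strip('/')}/" for d in dirs]


def http_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """Real fetch: HEAD the URL and return its status code, or None when nothing answers."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:       # 4xx/5xx responses still carry a status code
        return err.code
    except URLError:               # DNS failure, refused connection, timeout
        return None


def check_default_dirs(target: str, dirs: List[str],
                       fetch: Callable[[str], Optional[int]] = http_status
                       ) -> Dict[str, Optional[int]]:
    """Return {url: status} for every directory that appears to exist on the target."""
    found: Dict[str, Optional[int]] = {}
    for url in build_urls(target, dirs):
        code = fetch(url)
        if code in PRESENT_CODES:
            found[url] = code
    return found


if __name__ == "__main__":
    # 192.0.2.10 is an RFC 5737 documentation address, used here as a placeholder.
    for url, code in check_default_dirs("192.0.2.10", DEFAULT_DIRS).items():
        print(f"{code}  {url}")
```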
The Evolution of Penetration Testing
by Professor John Walker
In the current age of Cyber Security, I believe that the overall Penetration Testing activity must now move up a level to embrace the new era of subliminal isolated objects that, for many an organisation, can represent vulnerabilities in the form of unknown-unknowns that when aggregated and assessed, can lead to the discovery of other forms of usable intelligence, which may possibly lead to discovering other paths for usable exploitation – here I refer to the art of practicing effective OSINT (Open Source Intelligence) methodologies.
Automated Source Code Review with Fortify SCA
by Muruganandam Chandrasekaran and Sumalatha Chinnaiyan
Fortify can translate Java bytecode, and this bytecode analysis can find flaws introduced by compiler bugs. This is used as a first step when a FOSS component has been judged potentially unsafe, to understand the magnitude and criticality of the potential security flaws found by SCA in the software. This high-level analysis can be followed by source code analysis if necessary.
The Commoditization of Penetration Testing
by Haydn Johnson
With the commoditization of the Pentest, it seems all the data is copy-and-pasted in, with the only thing changing being the client name. I can understand from a business perspective the need to standardize the methodology and reporting to provide a better service and ensure a certain quality of Pentest – and all the various benefits that come with this. However, the standard of quality takes a gigantic hit in the process.
How Does Python Affect Pentesters?
by Nouha Ben
The article covers the most useful information about Python, especially why it is worth using as a pentester, white hat or IT professional in general. It presents a few of the most used Python libraries recommended by the author. There is also a basic approach to web scraping using Python and Requests, and a quick guide to urllib. Moreover, she covers the basic usage of Scapy, including simple code examples, and scanning ports and networks using Libnmap.
Automation In Penetration Testing Nowadays Is As Important As RAM In Any System
An Interview with Falgun Rathod
Automation in this service will minimize the manpower and the companies will stop outsourcing for this kind of project. Automation of penetration testing will just have a simple role as any other tool or service provider company will have. They will understand the infrastructure or SOW or deploying the tool in your environment. They will configure it for you and train your in-house team to use such tools. Hence, there will be a huge impact on the outsourcing of penetration testing, especially for manual testing.
Adopting Automated Pentest Within Your Company
by Zinedine Boudegna
Setting up a vulnerability management system will require the involvement of several stakeholders, whether in the security team or in other operational teams. It is important to document the stakeholders, and to define their roles and responsibilities in relation to the program. It is recommended to define OLAs with internal teams to minimize the waiting times for handling the risks found.
Cryptocurrency and Regulations
by Sikkandar Sha
In every booming industry, there will be scams. Why do scams exist? If we analyze the basic root cause of this issue, ignorance and greed are the major drivers of such scams. If you think you can buy Bitcoin today and become rich overnight, you are WRONG. It does not work that way and it never will. You have to do your homework thoroughly before you make any decision.