When I was six, my parents were looking for ways to get me out of the house and burn off some of that energy every six-year-old has. On top of being pretty small, I grew up in a small town, so my options for youth sports were pretty limited. However, through a series of conversations, my parents decided to get me involved in the youth wrestling program. What I didn’t understand at the time was that this was the beginning of many life lessons. In today’s blog, I want to talk about a few of those lessons and how they correlate to running web application pen tests.
The first valuable lesson I learned is to never quit. Things can happen extremely fast in a wrestling match. There were times I was losing by what I felt was an insurmountable amount only to catch my opponent and pin him for the win. I’ve also been on the other side where I was winning and I relaxed only to get pinned myself.
The point here is not to stop pen testing an application simply because you have identified one exploitable URL. Oftentimes, breaching one URL means there are other things behind that vulnerability that can be leveraged. Take any of the major breaches lately: they started with one thing, but the attackers kept going to find the access they needed, as well as the data they wanted. To become more secure, we can’t be lazy in our pen tests. We have to keep going to understand what impact that exploitable URL has on your network.
Winning Doesn’t Come Easy
The second valuable lesson I learned was that winning didn’t come easy. There were countless hours spent in the wrestling room, practicing moves, running and sweating to lose weight. While it was hard in the moment, nothing felt better than getting my hand raised after winning a match.
The same concept applies to pen-testing web apps. Breaching a website isn’t always easy; it takes time to understand and analyze the application. Sometimes it takes chaining together several exploits to reach the desired outcome. It’s time-consuming, hard work to research vulnerabilities and understand how they can be used together. However, if you only do the bare essentials, you could be leaving your organization open to some really bad things. So don’t take the easy road; take the hard road, because in the end your hard work will pay off and it will be worth it!
It Can Always Be Better
The third life lesson I learned through wrestling is that I can always be better. No matter how badly I beat an opponent, I could always be better. You hear this from football coaches all the time: a reporter will ask how they thought their team played, and the coach will respond at some point with, “We can always be better.” So how do we get better? We review and analyze how we performed. What did we do well, and what did we not do so well?
I believe the same has to be done with running a web app test. At the end of the test, what were the results? Were there some things the developer did well? Alternatively, were there some things the developer did poorly? What about as a tester? Were there things a tester did really well, or that could have been done better? As a tester, do you understand what happened and all the details of the findings? If an agent was deployed, what access did that agent provide?
As you can see, there are many things that can be reviewed, all of which will help you be more successful in future tests.