Hi guys, you're listening to Biometric Authentication News. This is your host, Satish Karry.

Today on our show we have Caroline Wong. She is an information security expert and published author with broad industry experience, including management consulting at Cigital, product management at Symantec, and day-to-day leadership roles at eBay and Zynga.
We have her here today to talk about pentesting. Welcome to the show.

As we get started, the first question I have for you is: how important is pentesting in-house apps vs. SaaS applications?

I actually believe it's important to perform security testing on all applications. The simple reason is that there are so many things along the way in the software development process that can go wrong, and of course you don't know what you don't know, so pentesting can help you know what vulnerabilities exist before they can be exploited by someone else.
Now there are some reasons why a person might choose to penetration test one particular application rather than another, or one particular application more frequently than another.
The way I have seen this most frequently done is based on risk ranking applications. So I've seen people choose a set of attributes that matter to the organization, namely things like: this particular application is very important to generating revenue or very important to a particular user type;
maybe it has some compliance requirements;
maybe it stores sensitive data;
maybe it integrates with other systems in a special way.
These are the types of criteria that you can consider in order to assign a risk ranking to each application, and of course the approach then is to pentest the highest-risk applications first and most frequently.

Another aspect of your question is in-house versus SaaS applications. I think it's very important to consider both. Some differences: of course SaaS apps are generally not going to have the same legacy code and technical debt issues that some in-house applications have, but there are more of them, because companies are always acquiring new SaaS applications and working with many different SaaS vendors. There's just a lot of them all the time, and as time goes on people are more and more comfortable with their SaaS applications handling more critical and sensitive information. Since platform and infrastructure are being treated as code, and as we all know from the OWASP Top Ten list of security vulnerability types, there are lots of things that can go wrong.

So how do you go about pentesting SaaS applications? With in-house applications one would think you have better control over them, but when it comes to a SaaS application, is it that simple to do a pentest? And what are some of the changes you would see for in-house vs. SaaS applications?

I'll talk you through the methodology that my organization uses. The first thing, whether it's in-house or SaaS, is to look at what that application's tech stack is, and then of course ideally you want to have a team of pentesters whose skills match that tech stack. This team would work together over a fixed time period; they would do manual security testing and look at things like input validation, authentication, access controls, and really what they're looking for is any flaws in the application implementation.
As the team finds issues, ideally those go to either a security team or maybe a product team who's responsible for managing that application, and then when those records are received it's up to someone to determine what's going to be done about them.
Are we just going to leave them be? Are we going to get them fixed? Who do we need to talk to in order to get them fixed, and so on. On the back end, there's the finding component to it, but then there's the fixing component to it, and those are different types of problems. But I think at a high level that methodology can apply both to in-house as well as SaaS applications, the most important things being a team that has the proper skills to do the testing and, once the issues are found, actually working with the team who can change the code in order to get any issues addressed.

I'm sure you've seen a lot of tests in your organization. If there are three things you need to summarize your learning, what would they be?

Indeed we have. Cobalt performed one hundred pentests in 2016 and 350 pentests in 2017, and it turns out that a lot of the issues which are found are not really that complicated. They're actually many simple mistakes and basic vulnerabilities, which are common across many different organizations. It's things like, for a mobile application, a failure to encrypt sensitive data, or something that we see surprisingly often with SaaS applications is simply that the front door is left wide open, so a simple misconfiguration mistake.
Somebody has adjusted a setting with the cloud provider that says anyone in the world can read this, and then all of a sudden here you have a large data store with who knows what kind of information, whether it's user names, passwords, emails, maybe even more sensitive data than that: social security numbers, tax data, etc.
So that's the first thing, which is that many of the items that are found are actually relatively basic.
The second thing, I think, as I mentioned briefly in response to your previous question, is that finding the issues is of course very important, but fixing issues is what actually matters.
And that leads me to my third point, which is that in order to get the issue fixed there's a great deal of communication and coordination that needs to go on between the pentest team and the developers of that application in order to get those issues addressed and resolved. Often the major challenge there is not so much of a technical nature; of course the pentesters understand technically what needs to be done and that can be communicated, but it's in that communication to the developer team, as well as, in some cases, the justification and the prioritization that says this is important and we need to actually fix these things.

I was reading about your organization. Why is crowdsourced pentesting better than pentesting by a specific vendor?

Crowdsourced pentesting is one term that we use; another way to think about it is pentesting as a service. What we've observed in the industry is that your more traditional options for getting a pentest start with a consulting firm. We've seen that there are some cases where this is done with a relatively low-tech approach: things like you get a final report in a PDF that's not machine readable, so the findings can't be easily exported into, for example, a developer bug tracking system. And I think unfortunately what you see sometimes also is a large variance in the quality of the testers, and of course there are all sorts of reasons for that.

But that being said, with our pentest as a service, what we do is provide clients with a high degree of visibility into the quality of the talent. All the researchers are highly vetted; that starts with a recommendation from within the current researcher community, and then folks are matched to projects based on feedback and experience, and for every project they complete they actually get rated on a five-star scale, similar to how you might rate a restaurant on Yelp or a place you might stay on Airbnb. There's this kind of quantitative feedback loop built into the system in order to provide organizations with more visibility into the talent. And then the other thing is, because we have a global network of highly vetted and certified researchers, we are able to scale in a way that many consultancies, which for the most part are locally based, cannot.

We have this ability to kick off a pentest on demand, whereas an organization working with a more traditional consulting firm might need to wait weeks or even months to get a pentest started. We actually have the ability to pick up a pentest within forty-eight hours, which we're seeing is of great value to a lot of customers, particularly those who find out about an acquisition at the last minute or maybe need to respond to a preventive security questionnaire. There are many reasons why somebody might want to do a security test now, and that's something that we can actually accommodate.

Seems like there are a lot of benefits from crowdsourced pentesting. I think you have an advantage compared to the other pentesting services I've seen. As we wrap up the show, I have one last question: give us one real-life pentesting scenario that was tough or adventurous, however you'd call it.

Of course, I'm not allowed to give away any secret information, but I will say that we do find a lot of issues with regard to login and password recovery. I'll talk briefly about a generic situation which I also think is very interesting. It's a flow that you and I and the listeners of this podcast are very familiar with, I suspect: the forgot-my-password flow. When you forget your password you go through an application flow, and we're all very familiar with that, so I'll just briefly go through the typical steps. At some point before you forget your password, presumably the application has collected some verification data from you. The second step is when you have forgotten your password, and the application asks you for the correct answers to the questions which you provided in the past. The third step is for the application to lock the user out so the previous password doesn't work, and then the user should get a new code, ideally sent out of band, and then finally the user is supposed to submit the code they just received to the application, and the application is supposed to allow the user to reset his or her password.

On one hand, of course, it's quite straightforward; we are all very familiar with it. But there are many mistakes that can be made along the way. The first thing that happens sometimes, during step two when the questions are being verified, is that the answers are provided in a drop-down, or the username is displayed, both of which are totally unnecessary and are simply an example of more information being shared with a potentially malicious user than is necessary.
Once the user does enter the forgot-my-password flow, it's very important that the application locks that user out, so that if a malicious person at any point obtained a working password, it should no longer work. And then finally, and most critically,
once you get to the final step where the application allows the user to change their password, of course you should only be allowed to get to that step if the previous steps have occurred and the verification has been checked.
At each of these steps something can go wrong, and the reason I describe this particular scenario is because it's something that we all expect to just work, but if you think about actually implementing that flow, you can see the different places in which an account might be easily compromised if there is a mistake in implementation.
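As an added illustration (editor's example, not code from the interview or from Cobalt), here is a minimal Python model of the reset flow described above that enforces the ordering Caroline calls out: the lockout and the out-of-band code check must actually have happened before the password can be changed, and the questions step gives one generic answer for an unknown user or a wrong answer. The class and field names are this example's own assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional
# Constructed model of the flow; names are this example's own. Plaintext passwords only to keep it short.
@dataclass
class Account:
    password: str
    answers: Dict[str, str]            # step 1: verification data collected earlier
    locked: bool = False               # step 3: old password disabled during reset
    reset_code: Optional[str] = None   # step 4: single-use code sent out of band
    code_verified: bool = False        # step 5 may only run once this is True

class PasswordResetFlow:
    def __init__(self, accounts: Dict[str, Account], send_code: Callable[[str, str], None]):
        self.accounts = accounts
        self.send_code = send_code     # out-of-band channel (SMS, e-mail), injected for tests

    def answer_questions(self, username: str, answers: Dict[str, str]) -> bool:
        # Step 2: one generic "no" for unknown user or wrong answers, so nothing leaks.
        acct = self.accounts.get(username)
        if acct is None or set(answers) != set(acct.answers):
            return False
        if not all(hmac.compare_digest(acct.answers[q].encode(), a.encode()) for q, a in answers.items()):
            return False
        acct.locked = True             # step 3: a previously obtained password stops working
        acct.reset_code = secrets.token_urlsafe(16)
        acct.code_verified = False
        self.send_code(username, acct.reset_code)   # step 4
        return True

    def submit_code(self, username: str, code: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.reset_code is None:
            return False
        if not hmac.compare_digest(acct.reset_code.encode(), code.encode()):
            return False
        acct.reset_code, acct.code_verified = None, True   # single use
        return True

    def set_new_password(self, username: str, new_password: str) -> bool:
        # Step 5: refuse unless lockout and code verification really happened for this account.
        acct = self.accounts.get(username)
        if acct is None or not (acct.locked and acct.code_verified):
            return False
        acct.password, acct.locked, acct.code_verified = new_password, False, False
        return True
    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and not acct.locked and hmac.compare_digest(acct.password.encode(), password.encode())
```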

I think once you start looking at the overall flow for the password reset, as you rightly said, these are things which we are all used to, but looking at the detail and the flow is critical, and you're very right that if you don't get that, you've got the door and the entrance to the building, and
that is very scary. So Caroline, I appreciate you taking the time out of your busy schedule to be with us and share some of the pentesting details. I'm very glad that you're here on the show, and I'm sure my listeners will reach out with more questions, and I hope to get you back sometime soon on the podcast.

Wonderful, it's been my pleasure, and I would love to do it again. Thank you.