Software security tools to improve your skills in a single day
When it comes to boosting your technical information security skills, no single type of
education can touch the value offered by hands-on learning. Getting your hands dirty by working
with the ins and outs of software security in real-world settings leads to practical experience.
Learning the fundamentals in this area is key: basic buffer checking, input validation,
stepping through application logic, and so on, so that you can see how software actually gets hacked.
There are several good books on this subject, such as Exploiting Software: How to Break Code and 19 Deadly Sins of Software Security.
This was first published in April 2007
I highly recommend these books. But what
if you're not a developer? Where's a good place to start learning about hands-on software security?
Whether you're a DBA, developer, security professional, or all of the above, it only takes playing
around with some great tools to take your software security expertise to the next level.
Enter Foundstone's Hacme toolset and OWASP's
WebGoat. Using these tools, you'll learn about the critical software security problems such
as:
- Cross-site scripting
- Cross-site request forgery
- Weak authentication mechanisms
- SQL injection
- Weak application logic
- Privilege escalation
- Improper session and error handling
Learning how these weaknesses are exploited in web applications, web services, and related
databases is guaranteed to help you sharpen your security skills, especially when it comes to
keeping your systems' crown jewels protected. The bonus is that these tools are free and the time
required is minimal.
Let's take a peek at the Foundstone tools first. The Hacme tools are essentially a set of
poorly coded web applications (J2EE, C++, ColdFusion, and a web service), and you're tasked with
finding the security holes in them. There are currently five themed tools: Hacme Casino (shown in
Figure 1 below), Hacme Shipping, Hacme Travel, Hacme Books, and Hacme Bank.
Figure 1 - The main page for Foundstone's Hacme Casino
Each tool has very good documentation with pre-canned hacking lessons and screenshots that step
you through what you need to know, so you're not just hacking blindly. You could literally spend an
hour or less on each one and learn a ton about how not to write software and manage your
systems.
Now on to the popular WebGoat. WebGoat – now at version 5.0 – is sponsored by the Open Web Application Security
Project (OWASP). It's similar to the Foundstone Hacme tools: built-in lessons are included
and there's good documentation to help you along. However, WebGoat focuses solely on the J2EE and
Tomcat platform, which limits its scope and your ability to learn software security on various
platforms. Arguably, a software security flaw on one platform is essentially the same on all
others, so whether you want to focus on Java is up to you. That said, WebGoat is more of an extensible
framework with its own open source community, where you can share ideas and contribute your own
lesson plans. A sample WebGoat page is shown in Figure 2.
Figure 2 - The first WebGoat lesson on HTTP basics
Like the Foundstone Hacme tools, just a couple of hours spent with WebGoat and you'll grow your
software security skills practically overnight. You could also perform automated
testing on the Hacme and WebGoat applications using tools
such as SPI Dynamics
WebInspect and the N-Stalker Web
Application Security Scanner. There's certainly some value in this and I encourage you to do so
if you have the tools. However, the main intent with the Hacme tools and WebGoat is to step through
software security problems manually. You'll get to know the application logic and understand how
specific exploits are carried out at the hands of the bad guys. Either way, the bonus of working
with tools like Foundstone's Hacme and WebGoat is that you don't have to worry about messing around
with your own production environment. You can do everything conveniently at your own computer.
Forget the fancy four- and five-letter security certifications everyone covets. OK, they do add
value, especially when it comes to getting work. However, it's hands-on experience with these types
of security tools that will give you the real-world experience to keep your skills fresh.
Ultimately, you'll be ahead of the competition. Bottom line: the Foundstone Hacme tools and WebGoat
should be required learning for anyone who takes security seriously.
ABOUT THE AUTHOR
Kevin Beaver is an independent information security consultant, speaker, and
expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of
experience in IT and specializes in performing information security assessments revolving around
compliance and IT governance. Kevin has authored/co-authored six books on information security
including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as
The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of
the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2007 TechTarget