Steve Milner is an information security analyst from North Carolina. He uses Fedora to audit web applications for security issues. Steve walks us through some great apps in Fedora for security analysis and has some tips for you in keeping your systems safe, too!
All over the USA. Currently live in Raleigh.
Ashcrow. When I was in middle school I really liked The Crow. I would use many different Crow references in my IRC nicks but ashcrow was the one that I ended up sticking with.
My first use of Fedora was Fedora Core 2. At that time I was a pretty hard Debian user. Since I had used Red Hat Linux in the past I decided to give Fedora Core 2 a chance. I honestly thought Fedora Core 2 was just OK at the time, but Fedora Core 3 impressed me so much that I decided to put it on my parents' machine. My Mom really liked it!
Reading code. In high school I was very interested in code, but most of the programming books were way too expensive for me. I remember getting a copy of an old C book in the mid-'90s which had an accompanying 5 1/4" floppy which taught me a little. The biggest thing that taught me to code was watching Free and Open Source coders at work. From there I started writing code and submitting patches to projects and ended up being hired at a small yet before-its-time web app development firm in Orlando, Florida.
In a nutshell, security auditing is looking for security problems in an application or system. Once found, the issues are recorded and brought to developers with information on how to fix the problems. I primarily do web application security audits and pentests (penetration tests).
The first line of issues I look for are the same listed on OWASP's Top Ten. Of the 10 listed I start off looking for what I find to be the most common: injections, cross-site scripting, cross-site request forgeries and unvalidated redirects. After looking for the most common I start looking deeper into the application to find logic issues, error messages, etc., which will help uncover other security issues.
Nmap, ratproxy and python.
When doing an audit it's important to be able to write up quick proof-of-concept attacks. Python has a plethora of modules which make doing POC attacks a joy. To list a few:
ipython and bpython are also great code-as-you-go environments for trying quick variations on POC attacks. Using Python's modules, as well as general security tools being controlled by Python, easily makes the programming language an indispensable tool.
Nmap (http://nmap.org/) is a network exploration tool. Nmap scans a host or set of hosts and responds back with information. It is commonly used as a general portscanner.
Nmap can find or scan pretty much any machine on the network. I've used it in the past when auditing Windows or OS X based machines as well.
I use Nmap as a part of my audits along with NSE (Nmap scripting engine) scripts most of which come directly from the Nmap project itself. I usually use it to check firewall status, open services of a system along with said service versions. It helps get a recon baseline.
Ratproxy (http://code.google.com/p/ratproxy/) is a passive web application auditing proxy. It sits between your browser and the web application you are auditing and records information as you move through the site. It can analyze most any web application no matter what OS it's running on. Since Ratproxy is passive, it can be used with Ajax applications.
I use a two-machine/three-monitor setup with GNOME and synergy. I'm really looking forward to GNOME Shell being considered stable. I use it on my own personal machines and love it! If I can, I try to run most everything through the terminal. I find using terminal applications much easier, especially since I can run it all through byobu/screen.
Chaining together an unvalidated redirect and a cross-site request forgery I crafted a link which would do the following:
Don't trust your users! You should write code with the expectation that there will be at least one malicious user who will stop at nothing to find issues in your application.
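Defender-side checks for two of the issues named above, unvalidated redirects and cross-site request forgeries; this is an added example, not code from the interview or from any project it mentions. The allowlisted hosts and the tokens are constructed sample values.

```python
# Added example (not from the interview): server-side checks against the
# unvalidated-redirect / CSRF chain described above. Hosts are made up.
from urllib.parse import urlsplit
import hmac
import secrets

# Hypothetical allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` is a local path or an http(s) URL on an
    allowlisted host. Rejects the usual bypasses: foreign hosts,
    protocol-relative '//evil', backslash variants, userinfo tricks
    such as 'https://app.example.com@evil', and non-http schemes."""
    if not target:
        return False
    target = target.strip()
    if any(ord(ch) < 0x20 for ch in target):
        return False                      # embedded control characters
    # Browsers treat '\' like '/', so normalise before parsing; otherwise
    # '/\evil.example' would look like a harmless local path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.netloc == "":
        # Relative redirect: a single leading '/' keeps it on this host.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False                      # '//host', javascript:, data:, ...
    return parts.hostname in allowed_hosts


def new_csrf_token():
    """Per-session secret to embed in every state-changing form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted):
    """Compare the form's token with the session's in constant time, so a
    link crafted by a third party cannot submit the form without it."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    for t in ["/account", "https://app.example.com/x", "//evil.example/x",
              "/\\evil.example", "https://app.example.com@evil.example/"]:
        print(f"{t!r:45} safe={is_safe_redirect(t)}")
    tok = new_csrf_token()
    print("csrf ok:", csrf_token_valid(tok, tok), csrf_token_valid(tok, "x"))
```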
Don't forget the basics! Keep updated, use sane firewall rules (and use the firewall), turn off services you don't need and use sane passwords.