27 Aug, 2014

The AppSec Newb’s Journey Part I: Welcome to AppSec

by Marcus Richardson

Welcome to the incredible and exciting world of Application Security (AppSec).

In The AppSec Newb’s Journey series I want to provide a starting point for those interested in AppSec but may not know where to start. I am new to the industry myself, so I wanted to share some of the resources and tactics that have helped me along my journey. It should be noted that I decided to go down the self-learning path, so many of these resources are dependent on taking the time and effort to learn on your own. This doesn’t mean that you shouldn’t ask for help from anybody; there are plenty of people out there eager to help you!

Where do I get started?

A good way to start is to familiarize yourself with The Open Web Application Security Project (OWASP). OWASP’s mission is to promote software security while focusing on providing a forum for improving, sharing, and researching security methods within the community.

One of the key resources they provide is the OWASP Top 10, a list of the ten most common and critical web application security risks. For each risk it gives a description, examples, references for more in-depth analysis, and some mitigation techniques, which makes it a great reference point for the vulnerabilities you will see when assessing applications. You should definitely reference this page often; you’re going to see these usual suspects frequently.

Another great resource for gathering knowledge on AppSec is The Web Application Hacker’s Handbook. Not only is it a great introduction to AppSec, but having this guide handy provides an invaluable wealth of knowledge while hacking on applications. When I started in AppSec, buying this book was one of the first things suggested to me. Often while working on an application assessment I hit this book to research key points on the vectors I am trying to exploit.

Cool, but what are the tools of the trade?

Though there are many tools to learn and add to your arsenal (which I will touch on in future posts), for this series I focus on Burp Suite. I use Burp because it has a great collection of tools needed for web application testing. It was also easier for me to learn Burp’s more straightforward functions when I started in this field and then pick up the more advanced features as my skills progressed. A limited version of Burp Suite is available for free.

My colleague Ken Toler posted a multi-part series of blogs to introduce Burp and some of the fantastic features it has to offer. Here is Part I of his series.

nVisium also provides an Intro to Burp training video within our YouTube Channel catalogue. The video provides configuration recommendations, tips, and an overview of Burp.

Great, I’m ready to hack! Where’s an app?

Well, before you go off into the wild, gather some practical hands-on experience with some deliberately vulnerable apps and sets of tutorials. Below is just a sample of what is out there, but they’re definitely good places to start the learning process. It’s one thing to read about a vulnerability and another to see it in action after you send a payload to an application.

WebGoat - A wonderful place to get your hacking feet wet. Provided in both Java and ASP.NET flavors to get you acclimated with what these security vulnerabilities look like in the wild.

RailsGoat - Similar to WebGoat but built on the Ruby on Rails framework.

PentesterLab - An awesome set of exercises in testing and exploiting vulnerabilities in web applications. You’ll need virtual machine software to run these exercises.

I could break these applications all day, but who is going to fix them?

You are! An important element of being in the application security field is being able to help fix these vulnerabilities, so it is important that you learn the languages and frameworks of many of these applications. Breaking an application is fun and very satisfying, but securely building it back up is what AppSec is all about. Knowing languages and frameworks is also key when it comes to static analysis of code. Being able to recognize security flaws in code is a key part of the AppSec process.

Whether you’re a developer or just starting out, these free resources help you learn the languages commonly used today. I have a background in programming from my early days as a Computer Science major working with C, C++, and some Java, but it’s not nearly enough to be a beast. That is where these sites come into play. Of course, this is a small subset of what is available, but after I hit these sites I was ready for more.

Codecademy - Great place to get some practice on Ruby, Python, and PHP. Not to mention various other languages common in web development.

w3schools - Another great resource with tutorials on utilizing SQL and XML, both necessary in mastering your AppSec skill set.

rubymonk - In my own development I wanted to focus on Ruby, so this site is a great companion to the Ruby track on Codecademy.

LearnJava - If you’re assessing web or Android applications, knowing some Java is a must. This site provided a good launching point.

I have questions and ideas I want to run by other AppSec folks or developers! Where do I go?

One of the best aspects about AppSec is the access to a vast community consisting of seasoned AppSec veterans, developers, security professionals, and others just like you, all ready to share their knowledge.

OWASP has local chapters all over the world that have gatherings; these include talks and presentations concerning new techniques, research, and other points of interest in the AppSec field. I am fortunate enough to live in an area that has two local chapters, and I try to attend the meetings as often as possible. I go because I want to see what is new or to have insightful discussions on all things AppSec. Seeing people taking notes is not uncommon as a lot of valuable information is presented!

Also, Meetup is a great place to find like-minded folks in your local area who share your passion for web and mobile application security, hacking, coding, and a whole host of other topics that will help you in a budding AppSec career. For me, the local Ruby developer meetups provided an outlet for any questions I had when I was learning Rails. They also provided a view into many of the common techniques that Rubyists tend to use.

Reddit is a valuable resource as well. Check out r/netsec, r/netsecstudents, and many other subreddits full of people with experience (as well as newbies) who are willing to contribute to the growing knowledge base related to Application Security, Network Security, and Information Security.

This is just a brief overview of some of the resources that I used (and continue to use) to get started. In the future I will post more in-depth entries that provide entry level tutorials, various problems/roadblocks I encountered and how I resolved them, and more topics to prep you for the world of AppSec. Now go out there and hack!