Thursday, August 25, 2011

Penetration Testing Execution Standard

There is a new homepage created for "Penetration Testing Execution Standard" at http://www.pentest-standard.org/index.php/Main_Page

Although it is still an alpha release, it already covers many tools. The web site takes the form of a wiki and a mind map. Here's a brief summary:
  1. Pre-engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

Tuesday, August 23, 2011

Hacking Resistance (Time-to-Hack)

After I read the article "ModSecurity SQLi Challenge: Lesson Learned", I learned a lot more about SQLi.

I can see a lot of creative ways to bypass security rules in order to inject SQL statements. The rule of thumb is that blacklist filtering is not adequate to fully prevent SQLi.

The last section of the article, "Hacking Resistance (Time-to-Hack)", is what caught my eye. The article says:

The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all.  
The idea is to substantially increase the "Time-to-Hack" metric associated with compromising a site in order to allow for operational security to identify the threat and take appropriate actions.
Think of a WAF as a tool to identify and block the initial probes and to alert incident response personnel.  It is up to the IR teams to match wits with an attacker and protect the application as necessary.

The article also includes an analysis of how long it took each Level II winner to develop a working evasion for the CRS v2.2.0. Here are the results:

  • Avg. # of Requests to find an evasion: 433
  • Avg. Duration (Time to find an evasion): 72 hrs
  • Shortest # of Requests to find an evasion: 118
  • Shortest Duration (Time to find an evasion): 10 hrs

The conclusion is: the data shows that having active monitoring and response capabilities for ongoing web attacks is paramount, as it may only be a matter of hours before a determined attacker finds a way through your defenses.
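One way to act on that conclusion, as an added example that is not from the article or this blog: flag any client whose blocked requests pile up inside a sliding window, so incident response is alerted long before the shortest evasion count listed above (118 requests). The log format, client addresses, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SHORTEST_REQUESTS_TO_EVASION = 118  # figure from the results listed above

def build_sample_log():
    """Constructed events in an assumed 'timestamp client action' format."""
    start = datetime(2011, 8, 23, 9, 0, 0)
    lines = [f"{start.isoformat()} 192.0.2.10 PASSED"]
    for i in range(40):  # sustained probing: one blocked request every 30 s
        ts = start + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 BLOCKED")
    for i in range(3):   # occasional blocks hours apart: likely false positives
        ts = start + timedelta(hours=8 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 BLOCKED")
    return sorted(lines)  # ISO timestamps sort chronologically

def probe_alerts(lines, threshold=20, window=timedelta(minutes=30)):
    """One alert per client whose BLOCKED count within `window` reaches `threshold`."""
    recent = defaultdict(deque)  # client -> blocked timestamps inside the window
    total = defaultdict(int)     # client -> all blocked requests seen so far
    first_seen, alerts = {}, {}
    for line in lines:
        stamp, client, action = line.split()
        if action != "BLOCKED" or client in alerts:
            continue
        ts = datetime.fromisoformat(stamp)
        first_seen.setdefault(client, ts)
        total[client] += 1
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop probes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[client] = {
                "alert_at": ts,
                "probing_for": ts - first_seen[client],
                "blocked_so_far": total[client],
                # rough margin against the fastest evasion in the challenge data
                "requests_left_vs_shortest": SHORTEST_REQUESTS_TO_EVASION - total[client],
            }
    return alerts

if __name__ == "__main__":
    for client, info in probe_alerts(build_sample_log()).items():
        print(client, info)
```
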

Friday, August 12, 2011

Google+ Games

I just had my Google+ Games enabled today.


And this is the first game that I played.

Angry Bird in Google+ Games