Fuzzing, security testing and tips for a career in AppSec
In this episode of Infosec’s Cyber Work Podcast, host Chris Sienko welcomes back previous guest Dr. Jared DeMott. In the previous episode, the topic was all things IoT security. This episode covered more of Dr. DeMott’s skills, delving specifically into fuzzing, dynamic analysis, security testing and AppSec tools and concluding with some tips about how you can enter this same field yourself.
A few words about guest Dr. Jared DeMott
Dr. Jared DeMott is the CEO and founder of VDA Labs and an accomplished author. He regularly speaks about vulnerabilities at conferences such as DerbyCon, RSA, Black Hat, ERCon, ToorCon and HITB and has been on three winning Capture the Flag teams at DEF CON. Jared previously served as a vulnerability analyst with the NSA, and he holds a Ph.D. from Michigan State University.
The appeal of AppSec
In life, you have to expect some unexpected surprises. While always somewhat interested in technology and engineering as a kid, Jared thought he’d maybe go into the Air Force Academy. His parents weren’t confident of this choice, preferring his second choice of going to college instead.
Like many, DeMott was set to work at a big company doing Unix IT admin stuff, a common and quite lucrative career. At the last moment, he got a call from an organization he never heard of. They said, “We’re the NSA. You should fly to Baltimore and we’re going to give you an interview.” DeMott thought, “Hmm, what do you guys do?” and they said, “Well, just talk about it when you get here.”
Jared entered the field early and was able to leverage that. With the blessings of the people he met and the skills he gained, he was able to earn a master’s degree, write a book and earn a Ph.D. He has worked in some very interesting places and ultimately founded his own company, VDA Labs.
Many enter AppSec for the challenge it offers their security skills and the value it offers to their organization. For Jared, his journey was due to a mixture of personal passion and employer expectations. According to him, “the passion that I had for the field just continued to grow. I love it. I’ve been in this field 20 years [and have] never been bored. There’s always something new to learn. To me, that’s really been a treat.”
Jared notes the flexibility that the field offers, where there is room for anybody as long as they have the personality, skill set, passion and drive. He adds that a lot of companies have two general tracks they can take, either the technical or leadership track. He made sure to add that it’s important that those taking the leadership role do not blindly manage people but rather take care of the talent and organization.
The current state of IoT security implementation
DeMott notes that one of the big aspects of IoT security has been connectivity, an issue that is happening across the board and across technologies. An influx of APIs (application programming interfaces) now connects a mobile app to your car, a smart camera to your web browser or any of a dozen other applications. The connectivity aspect is now a bigger story than the individual device.
Is fuzzing a hacking tool or just a tool for vulnerability assessment? How does fuzzing work?
For those new to fuzzing, it refers to a technique for discovering vulnerabilities by feeding a target program, device or network service large volumes of unexpected or malformed data, known as fuzz. DeMott noted several types of fuzzing.
Over the years, fuzzing has matured into feedback fuzzing, where the fuzzer observes the application as it executes and uses that feedback to find deeper vulnerabilities in the application’s code.
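The feedback fuzzing DeMott describes is easiest to see in a small working loop. The following Python program is an added illustration, not code from the podcast, from VDA Labs or from any of the tools named below: it uses `sys.settrace` to record which lines of a target function each input executes, keeps only inputs that reach new lines, and mutates those to go deeper. The target `parse_record` is a constructed toy parser with a planted unchecked index (the "crash" the fuzzer is looking for); the `DICTIONARY` tokens, the corpus, the seed and the iteration budget are all assumptions chosen for this example.

```python
import random
import sys

# --- Toy target (constructed for this example) ------------------------------
# Parses one "KEY=VALUE" record. It carries a planted bug: a "LEN=<digits>"
# record indexes a fixed 16-byte buffer with an unchecked integer, so any
# value of 16 or more raises IndexError. That IndexError is the "crash" the
# fuzzer is trying to reach.
BUF = bytearray(16)

def parse_record(data: bytes) -> int:
    if len(data) < 3:
        return 0
    if b"=" not in data:
        return 1
    key, _, value = data.partition(b"=")
    if key == b"LEN":
        if value.isdigit():
            n = int(value)
            return BUF[n]          # bug: no bounds check on n
        return 2
    if key == b"NAME":
        return 3
    return 4

# --- Feedback: which lines of the target did this input execute? ------------
def run_with_coverage(target, data):
    """Run target(data) under sys.settrace; return (set of executed line numbers, crashed)."""
    lines = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None            # only trace the target's own frame
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except Exception:
        crashed = True             # any uncaught exception counts as a crash
    finally:
        sys.settrace(None)
    return lines, crashed

# --- Mutators: small random edits, plus a dictionary of format tokens --------
DICTIONARY = [b"LEN", b"NAME", b"=", b"0", b"9"]   # assumed tokens for this toy format

def mutate(data: bytes, rng: random.Random) -> bytes:
    d = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and d:                      # flip one bit
        i = rng.randrange(len(d))
        d[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and d:                    # overwrite one byte
        d[rng.randrange(len(d))] = rng.randrange(256)
    elif choice == 2:                          # insert one byte
        d.insert(rng.randrange(len(d) + 1), rng.randrange(256))
    elif choice == 3 and d:                    # delete one byte
        del d[rng.randrange(len(d))]
    else:                                      # splice a dictionary token over a slice
        start = rng.randrange(len(d) + 1)
        end = rng.randrange(start, len(d) + 1)
        d[start:end] = rng.choice(DICTIONARY)
    return bytes(d)

# --- The feedback loop: keep inputs that reach new code ---------------------
def fuzz(target, seed_corpus, seed=0, max_iters=50000):
    rng = random.Random(seed)                  # fixed seed keeps the run reproducible
    corpus = list(seed_corpus)
    covered = set()
    for inp in corpus:
        lines, _ = run_with_coverage(target, inp)
        covered |= lines
    for i in range(1, max_iters + 1):
        candidate = mutate(rng.choice(corpus), rng)
        lines, crashed = run_with_coverage(target, candidate)
        if crashed:
            return {"crash": candidate, "iterations": i, "corpus": corpus, "lines": covered}
        if lines - covered:                    # new line(s) executed: keep this input
            covered |= lines
            corpus.append(candidate)
    return {"crash": None, "iterations": max_iters, "corpus": corpus, "lines": covered}

if __name__ == "__main__":
    result = fuzz(parse_record, [b"a=b"], seed=1)
    print("crash input:", result["crash"], "after", result["iterations"], "runs")
    print("corpus grew to", len(result["corpus"]), "inputs")
```

Without the coverage check, every mutant of `a=b` would be thrown away and the fuzzer would have to stumble on `LEN=<two digits>` in one step; with it, the intermediate inputs `LEN=b` and `LEN=9` are kept because each reaches a line the corpus had not touched before, which is exactly what "watching the application as it executes" buys you. Real tools replace line tracing with compile-time instrumentation and far richer mutators, but the loop is the same.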
Jared points out that there are different testing techniques and explains where fuzzing fits in. There is static analysis, in which one looks at the source code or the binary on its own, without running it. This is accomplished with tools: the user scans the code and looks for certain patterns that might be indicative of a vulnerability.
Alternately, there are dynamic runtime techniques. This is where fuzzing lands, as a runtime technique. It is sometimes called DAST, or Dynamic Application Security Testing, as opposed to SAST, Static Application Security Testing.
There are still other types, including IAST (Interactive Application Security Testing), which is an internal test conducted from inside the program while it runs. There are all these different pieces, and during the course of the podcast, DeMott does his best to pull them apart and talk about what should be in an AppSec program.
A few tools DeMott recommends for fuzzing include open-source tools that Google has made. There are also several commercial tools: one by Mayhem, one by a company called ForAllSecure and one called MSRD or Microsoft Security Risk Detection. These tools are among the top fuzzing tools DeMott uses with his clients.
Crucial skills in the AppSec field
“I am always a big fan of the fundamentals,” says DeMott. Fundamentals like networking and TCP have been around forever and should be considered essential skills, as well as knowledge of operating systems, Linux, Windows, coding and understanding how to code at a lower level, medium level, high level — anything between C and Python and maybe C# or Ruby. Other crucial skills include pentesting and code auditing.
Making the switch to AppSec from other security enterprises: How can you be seen as desirable to potential employers?
DeMott’s advice is to continue to dive deep. For example, professionals might need to move from just the use of a scanning tool like Nessus over to something like Visual Studio.
Learning how to look at and read code is a big transition into a higher-quality set of skills. Now you are no longer thinking, “Hey, I run this and it pops out some results”: you can actually understand what it’s doing. This could make the difference between being stuck in place with a current job and moving toward something that could be more challenging and fulfilling.
All of the top infosec professionals got where they were not just by learning what they needed to do their jobs, but by learning as a daily exercise and a source of intellectual nourishment. Once it becomes part of your life, you find yourself moving past what once seemed like barriers.
Tips for those trying to break into the AppSec field
DeMott emphasizes the importance of applying your passion. Professionals need to show that they are really interested in doing the work, not just showing up. If you’re just trying to make a buck, DeMott suggests working on Wall Street instead.
If you really want to get into infosec, it takes a certain kind of passion and knowing what you’re passionate about. You could be in love with the Blue Team, protecting and building and growing the defenses, or you might be more passionate about testing, code auditing, Red Teaming — all places where one gets to poke holes and find bugs and call attention to all the things that were missed. All of these roles are equally needed.
There has never been a more pressing need for people who are passionate about information security. It is important to remember that breaking into AppSec is not just about doing the minimum. Professionals like DeMott do this because they actually have an interest in information security and are not just in it for a buck.
Showing you have invested time into learning hands-on skills applicable to AppSec is another great way to help you break into the field. Learning hands-on skills such as SOC analyst work, pentesting or code auditing will make breaking into the field easier.
Conclusion
Jared DeMott is happy to connect with listeners on LinkedIn, as well as on Twitter @JaredDeMott. VDA’s website, vdalabs.com, is of course the place he most wants you to visit.
Stay tuned to Infosec’s Cyber Work Podcast which regularly features cybersecurity industry leaders giving valuable, insightful information about their careers and cybersecurity today.
To watch the full conversation between Jared DeMott and host Chris Sienko, check out the episode at the Cyber Work YouTube page.