WTF, OF COURSE WE DO WEB APP PEN TESTING
Dave G. | June 4th, 2008 | Filed Under: Matasano, Navel Gazing
It boggles my mind, but a fair number of people ask us whether we do web application penetration testing, or whether we only do the “interesting stuff”. I think there are two reasons for this:
- The first is that our website just doesn’t explain what we do very well.
- The second is that our blog focuses on the “interesting stuff”.
A dirty little Matasano secret is:
We not only do a lot of web app pen testing, but we actually like it.
I know, it’s crazy, isn’t it? People who can spend a day in a disassembler without bleeding from their eyes aren’t supposed to enjoy testing software as open as websites. But you know what? You have to be engaged to turn in a good penetration test, and if you can’t engage on a web app project, you might be in the wrong business. We like breaking software. The web is no different.
We’re lucky to get diverse projects, and what we find is, the skills you use on them cross-pollinate constantly. For instance:
- Your software protection project involves lots of block crypto, which you take with you to bust up a web site that uses AES ECB tokens.
- Or, in the reverse, web pen testing teaches you to think about how sessions are managed, which you take to a binary management protocol and score auth bypass with.
The fact is, there are security disciplines that web app developers have matured far beyond shrink-wrap or embedded developers, like session management, single sign-on, and authorization systems, and there are disciplines where the C coders are still the thought leaders, like crypto and software protection. If you ignore either, you fall behind.
So, to answer the question, one last time…
Yes, we do web application penetration testing. And we are horrifyingly good at it.


Michael H. Buselli
June 5th, 2008 8:54 am
And here I thought web application penetration testing was included as part of the “interesting stuff” anyway.

Dave G.
June 6th, 2008 7:17 pm
I agree. But I also understand that many readers of our blog come here to read about custom protocol/reversing types of posts.

mac
June 9th, 2008 7:54 am
Great, how about writing something about webapp testing? I think many would like to know how you generally approach this.

PaulM
June 9th, 2008 11:06 am
All this time I thought you guys sold firewall management software and food dehydrators…

Dave G.
June 9th, 2008 1:30 pm
@mac:
Will do.
@PaulM:
We don’t sell food dehydrators. But if you are looking for one, go with an Excalibur. For the product, check back here soon.