From Security Weekly Wiki

Paul's Security Weekly - Episode 492

Ferruh Mavituna from Netsparker joins us to talk about the perception of automated scanners, Ofri Ziv delivers this week's technical segment and tells us how The Oracle of Delphi Will Steal Your Credentials, and in the news this week: old code from Linux and BSD is vulnerable, my worst fears about IoT security appear to be reality, voice control, more SSL-protected web sites, security for small businesses and hacking doomsday. All that and more on this edition of Paul's Security Weekly.

Episode Audio

Recorded December 8, 2016


  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.
  • Jeff Man
    Infosec analyst
    Pioneering ex-NSA pen tester
    PCI specialist
    Tribe of Hackers
    InfoSec Curmudgeon
    Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Jack Daniel
    Co-Founder of Security BSides and certified security wizard.


  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.
  • Take our super cool survey! http://www.securityweekly.com/survey

Interview: Ferruh Mavituna, Netsparker - 6:00-7:00PM

Ferruh Mavituna, Netsparker.


Hacking web apps since 2003, web app sec expert, CEO of Netsparker - http://netsparker.com

Founder of Netsparker Ltd and Product Manager of Netsparker, a web application security scanner. Developed the first and only false-positive-free web application security scanner, with state-of-the-art accurate vulnerability detection and exploitation features, today used by thousands of companies around the world. Changed the automated web application security space. Frequent speaker at conferences on web application security; has released several research papers and tools. Coming from a developer background (C++, ASP, ASP.NET and PHP), working in the web application security area since 2002. Deep understanding of web application security on both sides, attacking and defending. Between 2002 and 2006 worked for the Turkish Army and Police as well as several large clients as a freelance contractor, in Turkey, the USA, Canada and the UK.

We think that many professionals do not believe in automated black box scanners such as Netsparker. It seems that black box scanners are no longer popular mainly because:

   False positives somehow ruined the reputation of scanners. Back in the day they used to generate a lot of false positives, and even though we've done a lot to eliminate that problem, and did manage to eliminate it, people still don't believe in the software.

   People believe that there hasn't been any particular "breakthrough" in scanners, making the tools outdated (even though there have been breakthroughs, such as what we are doing with proof-based scanning).

   Many believe that scanners cannot scan and find vulnerabilities in modern Web 2.0+ / HTML5 / single-page applications.

   Pentesters tend to shy away from automation because they think tools such as black box scanners won't find anything that can't be found manually as well (theoretically this is correct, but in the real world they don't have that much time).

   People believe that scanners can only find low-hanging fruit.

First of all, considering you are an industry veteran, what do you think of the above? Do you think that what we are seeing in the industry is actually true or not really?

Secondly, we’d like to showcase the capabilities of black box scanners in the next interview of Security Weekly. We’d like to talk about black box scanners in general, and not Netsparker. As in we would be more than happy to mention Netsparker in the interview, but we’d like to keep the interview vendor neutral and focus more on the industry and not on the product per se.

We'd like to highlight some facts during the interview, such as:

   There is no other solution that allows you to scan 100, 1000 or more websites and highlight the real exploitable issues within a day or two.

   It is the closest you can get to emulating a real-world malicious attack. The attacker does not have access to your code but uses scanners (most probably cracked versions of commercially available software) and/or manual methods to find vulnerabilities in your website.

   Scanners can find vulnerabilities in modern web applications and web services.

   The false positive issue is a thing of the past, especially with Netsparker. We have the proof-based scanning technology (would it be possible to stream this video during the interview: https://www.youtube.com/watch?v=uF9eGAfBh8A).

   Black box scanners do not only detect low-hanging-fruit vulnerabilities. And that takes us to the next point:

   A black box scanner can find vulnerabilities that your team cannot find. Some vulnerabilities that black box scanners can detect cannot be identified manually (because the tester will not try 50 attack variants on every single input of every single page). You need automated tools to detect them.

   A tester, or a group of them, does not know every single bypass and all the different tricks or issues. For example, not every tester knows the details of CSP or how to exploit an out-of-band SQL injection in Oracle, while the team behind Netsparker, or any other scanner, has typically been researching such issues for years, has had feedback from thousands of customers and has been perfecting the scanning engine for years.

Ferruh mostly focuses on these technical areas: web application security research, automated vulnerability detection and exploitation. Related posts:

   https://www.netsparker.com/blog/web-security/exploiting-csrf-vulnerability-mongodb-rest-api/
   https://www.netsparker.com/blog/docs-and-faqs/export-netsparker-web-security-scan-web-application-firewall-rules/
   https://www.netsparker.com/blog/docs-and-faqs/selenium-netsparker-manual-crawling-web-applications-scanner/
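
The two points above about proof-based scanning and about trying many payload variants per input, in miniature. This is an added example written for this page; it is not Netsparker's code and nothing from the episode. The three target functions, the in-memory product table and the four payload variants are constructed for illustration. The key design choice is the marker: the injected expression is a multiplication the database must evaluate, so a page that merely echoes the payload, or returns a canned "SQL syntax" message without any database behind it, cannot trigger a finding, whereas an error-signature check flags it.

```python
import re
import sqlite3

# Constructed sample data: an in-memory product table (not from the page).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE products (name TEXT)")
_conn.executemany("INSERT INTO products VALUES (?)",
                  [("apple",), ("apricot",), ("banana",)])


def render(rows):
    return "\n".join(str(r[0]) for r in rows)


def app_vulnerable(q):
    """Hypothetical target 1: query built by string concatenation (injectable)."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + q + "%'"
    try:
        return render(_conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)


def app_safe(q):
    """Hypothetical target 2: parameterised query (not injectable)."""
    rows = _conn.execute("SELECT name FROM products WHERE name LIKE ?",
                         ("%" + q + "%",)).fetchall()
    return render(rows)


def app_decoy(q):
    """Hypothetical target 3: no database at all, just a canned error page
    that looks like a SQL error. Classic false-positive bait for signatures."""
    if "'" in q:
        return "You have an error in your SQL syntax; please check your input"
    return "No results for " + q


# --- Strategy 1: error-signature matching (the old, false-positive-prone way)
ERROR_SIGNATURES = re.compile(r"sql syntax|database error|sqlite", re.I)


def signature_check(target):
    """Flag the target if a lone quote provokes an error-looking response."""
    return bool(ERROR_SIGNATURES.search(target("'")))


# --- Strategy 2: proof by exploitation
# The injected expression has to be *computed* by the database. An echo of
# the raw payload contains "7351*9137", never the product, so only real
# execution can put MARKER into the response.
A, B = 7351, 9137
MARKER = str(A * B)          # "67166087"
VARIANTS = [                 # a few of the many quote/context variants a scanner tries
    "x%' UNION SELECT {a}*{b} -- ",
    "x' UNION SELECT {a}*{b} -- ",
    'x%" UNION SELECT {a}*{b} -- ',
    "x) UNION SELECT {a}*{b} -- ",
]


def proof_check(target):
    """Return the payload that proved execution, or None if none did."""
    if MARKER in target("x"):       # marker already on the page: unusable, pick other numbers
        return None
    for variant in VARIANTS:
        payload = variant.format(a=A, b=B)
        if MARKER in target(payload):
            return payload
    return None


def scan(targets):
    """Run both strategies; returns {name: (signature_hit, proof_payload_or_None)}."""
    return {name: (signature_check(t), proof_check(t)) for name, t in targets.items()}


if __name__ == "__main__":
    results = scan({"vulnerable": app_vulnerable, "safe": app_safe, "decoy": app_decoy})
    for name, (sig, proof) in results.items():
        print(f"{name:10s} signature={sig!s:5s} proof={proof!r}")
```

Running it, the signature check reports both the injectable target and the decoy (one false positive out of two hits), while the proof check reports only the target on which a variant actually made the database compute the marker, and names the variant that did it. A real scanner tries far more contexts (numeric, parenthesised, second-order, out-of-band) per input than the four here, which is the "50 variants on every input" point.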

Technical Segment: Ofri Ziv, Detection Development team at GuardiCore - 7:00PM-7:30PM

Ofri Ziv, GuardiCore.

Ofri Ziv leads the Detection Development team at GuardiCore, which is responsible for security research, detection and the development of data analysis algorithms. Ofri is a veteran of the Israel Defense Forces (IDF), where he led groups of security researchers and was in charge of the IDF's elite cyber security training program. He has been instrumental in the threats discovered by GuardiCore, including this recent one as well as PhotoMiner, and also unveiled the Infection Monkey open source cyber security testing tool when he recently presented at Black Hat.

Security News - 7:30PM-8:30PM

Paul's Stories

  1. Fast comparison of Nessus and OpenVAS knowledge bases | Alexander V. Leonov
  2. Could this be you? Really Offensive Security Engineer sought by Facebook
  3. Buffer Overflow in BSD libc Library Patched
  4. Solar Power Firm Patches Meters Vulnerable to Command Injection Attacks
  5. New Call to Regulate IoT Security By Design
  6. Old Linux Kernel Code Execution Bug Patched
  7. OpenVPN to Undergo Cryptographic Audit
  8. Hacker Claims To Have Pushed Malicious Firmware Update To 3.2 Million Home Routers
  9. Millions exposed to malvertising that hid attack code in banner pixels
  10. Trend Micro Says Cyber-Attacks Will Continued Unabated in 2017
  11. Comodo Partners with cPanel to Enable AutoSSL
  12. Hacking Doomsday: Your Cyberattack Survival Checklist
  13. IBM Watson for Cybersecurity Inches From Research to Reality
  14. NIST's Cybersecurity Framework offers small businesses a vital information security toolset - TechRepublic
  15. Daily Motion video sharing service named in breach claim of 80M accounts
  16. The Flowering Of Voice Control Leads To A Crop Of Security Holes
  17. TalkTalk Wi-Fi Router Passwords Stolen
  18. Russia Accuses Hostile Foreign Powers Of Bank Attacks
  19. IT Professionals' Cyber-Security Confidence Levels Fall, Survey Finds

Larry's Stories

  1. distributed CC guessing
  2. IoT and your kids
  3. ads, why we hate you so
  4. Oldie but goodie, WUDS
  5. Lloyd's of London EMP study

Joff's Stories

  1. Linux Local Privilege Escalation
  2. The Daily DDoS (CloudFlare)