Tuesday, December 11, 2007

LearnSecurityOnline Interview with Andres Andreu


Originally published in the LearnSecurityOnline.com June 07 Newsletter

What we try to do with the Interviews with Security Professionals is ask people who are considered "Professionals" in the information/computer security field questions about their relevant field of research, and ask for their advice on how someone starting out can get to their level. Hopefully this is good information for people starting out.

============================
Interview with Andres Andreu
============================

[LSO]
How did you get into the security business, specifically penetration testing and penetration testing web applications?


[Andres]
I am at the core a software engineer so coding and architecting complex solutions is still an area of focus. I started getting into the security side of web software because I got sick of the weak app security that the network security world was providing. The Information Security industry needed much more than mere network security and those I was encountering that were in charge of security just couldn't see past the firewall/IDS/IPS paradigm. So I took it upon myself to do what I could so that the solutions I built wouldn't suffer from an overt lack of security.

Pen testing I kind of fell into by accident; it was something I informally did for years. AAMOF, when I first heard the term I didn't know what it was, but I had been performing those functions for some years. Earlier in my career I just took pleasure in breaking the coding work of others as well as my own. Pen testing is really a formalization of this otherwise devious activity. The web app realm was a natural progression because that kind of development work just started coming my way.


[LSO]
How about some background about yourself, who you are? What you do? Who you work for? Location?


[Andres]
I am a self-employed native New Yorker but travel all over with work. I build custom software solutions as well as pen test anything I can legally get my hands on. Other than that I am a very dedicated husband, father of 4, artist (painting/illustration), and martial artist.


[LSO]
What do you think are the 3 biggest changes in the security field lately?


[Andres]
One change that really was inevitable, and is so evident these days, is a hard shift from the edge (network level security) to the core. The old guard of network based security is coming to terms with the fact that the security world is not boolean in nature. In the realm of core web app security there is also an interesting change in that Web 2.0 has brought about a resurgence of client side web computing. The web world of server side computing isn't going away anytime soon so the security field now has to contend with an interesting combination of the 2 tiers working simultaneously.

The field of information security is also getting a harsh dose of change with the distributed nature of things that are coming out these days. Mobile devices and their apps are a perfect example of this, and this concept of high mobility computing adds serious challenges. Moreover, users of these devices are becoming more and more savvy in terms of functionality. But as time has shown us all, the more functionality at hand, the more security challenges at hand. So expertise in this realm of security is an inevitable change.

Finally the information security field has been forced to get into the realm of compliance. It makes sense to an extent since security has an enforcement role. But time will tell if these moves are indeed wise because I travel the world and see the issue of policy creation and enforcement as a big area of challenge. I also see the frustration of otherwise technical security folk being forced into compliance related roles.


[LSO]
Where do you see the security field going in the next 1-3 years?

[Andres]
To hell! LOL, just joking. But all jokes aside, the field has to change, adapt and overcome. It is still, for all intents and purposes, a reactive industry and that has to change. Many of the old school security people have not been able to keep up with the technological aspects of modern day info sec. They are network people at the core and just don't get the app space. So there will be a distinct shift in the industry where some people will enter the realm of security policy and won't deal with technology hands on. Those that do deal with hands on sec work will have a much richer skill set than what exists nowadays. They will truly be versed in the multiple layers of security, from the edge all the way down to code. This convergence is already starting from the inner world of developers; more and more of them are getting involved with security. And viewing info sec from a coder's point of view is radically different than an edge perspective.


[LSO]
What are the basics that you think every security person should know?

[Andres]
The most basic set of knowledge is that of multiple tiers, or layers. No one layer is a silver bullet. I think your standard FW and IDS/IPS knowledge is important along with Proxy and Reverse Proxy technologies. The use of Proxy tiers is critical in today's web centric environments.

I find that protocol knowledge is lacking in the industry as is the handling of data. In reference to the latter, I mean an understanding of the effects that input data can have on a target and how to properly validate or dismiss such input. So those areas should be treated as basic along with the multi layer approach.


[LSO]
What are the specifics that a person in your security field should know?

[Andres]
To be effective in the field of web app security one has to understand how web apps work. So being familiar with the inner workings of web environments is important. Moreover, deeply understanding the OWASP Top 10 as areas of risk and remediation is a must.


[LSO]
Any suggestions on breaking into the security field?

[Andres]
Yeah, don't limit yourself and train yourself to be flexible. Adapting to constant environmental change is a way of life for modern day information technology professionals. The concept of wearing "many hats" is very real these days and maintaining pace with the chaos of modern day technology is key.

Don't be afraid of code; it is at the heart of the problems most information security professionals have to solve. Familiarity with code will always be an advantage to anyone in the information security field. Also don't be afraid of RFCs; protocol knowledge is very important. You have to deeply understand what it is you will one day protect if you are to be truly effective.

Finally practice, practice and practice some more. An open mind coupled with practice on a myriad of platforms makes for a solid foundation. Virtual environments lend themselves well for all the practice and exposure necessary to be effective as a security professional these days. So build yourself a good virtual lab and hack/protect away.


[LSO]
Can you tell us about interesting things you are working on right now, or just recently finished (latest book, future book, current/future projects)?

[Andres]
I just wrote an article on XML Fuzzing for hakin9 magazine.

I am doing lots of Federated ID work these days. This represents a serious shift in security to that of heavily distributed data sets, so it is quite challenging and exciting at the same time. So if, for instance, properly protecting one app/DB combo is challenging, now imagine protecting an object (of data) that doesn't actually fully exist in any one place. It exists partially in many places and some of those data sources you can't directly touch. This is very fun stuff that will be the norm in the future of the Internet.


[LSO]
Any cool new projects that you think we should let our members know about?

[Andres]
I have recently put some serious work into WSFuzzer, so check that out if you have any SOAP targets. I am also planning on kicking off a new project to deeply pen test REST services since I see them as an integral part of the future of web development.

Other than that I can't really expose my current work due to client confidentiality issues.

thx,

Andres Andreu, CISSP-ISSAP, GSEC
Author of "Professional Pen Testing for Web Applications" (ISBN 0471789666)
CG

1 comment:

Sir Henry said...

This is a pretty cool article. Good tips on the future of security. I live in the Philly area and you would not believe how old school the employers are and how they simply do not understand the "Many Hats" idea in security. They want you to have a traditional background that concentrates on one thing. Kinda sucks when you are looking for a job and you have a ton of different infosec technologies on your res.