Code & Data Security
”If you can’t explain it simply, you don’t understand it well enough” – Albert Einstein
Although the majority of application security tools requires you to know the threats that confront you, most users do not have the security knowledge needed to recognize these threats, much less identify them specifically. However, there are tools on the market that are able to complete a full security checkup of your application without you having to know anything about cyber security.
Seeker is one of them. Seeker does not require security-proficient operators to test applications. In fact, a Seeker operator can be utterly oblivious to the vulnerabilities within his system; he only reports the recommendations suggested by Seeker. Furthermore, Seeker will teach the operator of the vulnerabilities found within the application.
Several aspects of Seeker enable a layman operator to thoroughly test an application on his own for the first time while learning of the vulnerabilities from Seeker. Some of them are outlined below.
A user can operate Seeker, open and record projects, review recordings, test projects successfully and act upon the results without having an inkling of security vulnerabilities. In fact, Seeker will educate the user about the vulnerabilities it has found in the tests and show him step-by-step videos of actual exploits.
By Seeker exploiting and verifying each vulnerability, no false positives are reported. The user does not have to sift through masses of false positives and ensure that they are, in fact, false and that no real vulnerabilities have been left unreported.
Seeker explains each vulnerability both textually and graphically (by video), in general and in detailed technical explanations, leaving the user fully informed, and without having to explore further.
To create a project, the user only needs knowledge of his environment, such as the type of server used, the URL of the application and whether he wishes to record certain MIME types, nothing to do with cyber security.
After providing the environmental data, recording a project manually is a matter of browsing through an application while Seeker automatically records your actions. In addition, an application can be recorded automatically or by an external program of your choice. The recordings are saved within the project.
After recording, you have the choice of deciding on testing or excluding certain pages from being tested, as well as defining the page type in order to have it tested differently, and so on.
Once the recording is done, you instruct Seeker to test the project. Seeker immediately starts analyzing the recording and testing the project for vulnerabilities.
Seeker analyzes your requests, learns the behavior of the application and how the application responds to certain requests. Seeker then sends out requests of its own in order to test the application behavior for vulnerabilities. The execution log shows you what Seeker has done. After a test is completed, you can evaluate the results.
After a test is completed, the results are displayed in a variety of ways. Thumbnails representing the pages of the application are colored with the highest severity level of vulnerabilities found on that page. By their color you can find the most severe and the most benign of the vulnerabilities for each page. You can find vulnerabilities that affect the whole site and are common to all pages. A hierarchal tree shows you, node by node, how vulnerable are those pages. You can view the technical details of each vulnerability and how it was exploited by showing you a video of the exploit. In short, if you wish to learn more about application security, Seeker will give you a good start. If you don’t, then just report the vulnerabilities to an external bug tracking system where the developers can get at the report.
Reports in different formats, short or detailed, can be generated to send along to the security personnel.
Most options can be configured according to your requirements. You can decide you want a different kind of report, having the vulnerabilities found by Seeker compared with the OWASP Top 10, or PCI-DSS with more, or less, detail. Or, you may want your project to open with the results of the last test displayed. You can decide to record your project manually by yourself, or by a built-in automatic crawler that will crawl your whole application. You can even decide to use an external application to do your recording. Seeker will accept the external recording, remove duplicates from all the input and give you a clean set of data to use in testing. If using these configuration options are too much, just process a project using the default values, and later review the results.
While you reach for your coffee and take a sip during a test, Seeker decides for you on the best course of action. For example, after you have recorded your application, it is possible that you recorded a page twice. Seeker will check out if the code flow is exactly the same both times and if it is, declare one of the times a duplicate recording and ignore it. Seeker’s runtime code & data analysis technology, the forerunner of Interactive Application Security Testing (IAST), conducts runtime analyses of the application code, of memory and data flow. It knows what to do and how to do it.
Many software vendors claim their product is intuitive and easy-to-use, however, when you come down to it there is a learning curve which may be steep and requires some proficiency to begin with. What is an intuitive user interface?
Clue-intensive – the interface provides clues to tell you what is going on, you do not have to experiment. The behavior is based on the standard conventions used in the software world. On the Seeker interface, when you mouse-over a button the software displays tooltips that tell you exactly what that button will do after you press it.
Predictability – what the user expects to happen does actually happen with no ambiguity or uncertainty.
Acknowledgement – the interface clearly indicates that a request for action was received and that it is working on it. At the end of the process,a clear indication of success or failure is issued.
Forgive and forget – when the user makes a mistake the software will offer choices on how to proceed, and lets you undo the action.
Explore to your heart’s content – you can navigate throughout the interface and return to the originating screen easily without fear of getting lost.
The Seeker user interface assumes that the user has a basic knowledge of software and computers and is familiar with the basic computer conventions. This assumption simplifies the explanations provided by the online help and the printed documentation. The less text that is displayed, the less text to wade through for the reader.
Even with an easy to use interface, the user will want to know more about the actions he is taking and their consequences. That is where the online help and context-sensitive help come in. Both can be accessed from within Seeker, thus providing the user with full instant documentation support.
Online help follows the procedure of a regular Seeker operation, with bookmarks on the left-hand side, and the ability to search the whole help for certain keywords. A topical index organized by topic is useful for those looking up a specific subject.
Jack Shasha is an experienced technical writer, who works for Quotium on the Seeker project, and has viewed quite a few interfaces during his lifetime. He has also served as a quality assurance person on the Seeker interface. By writing the documentation for Seeker he learned how to operate it on his own by following the interface, and sending occasional questions to the developers.
This post is also available in: French