Nov. 21, 2023

How to Embrace Penetration Testing: Insights from a Cybersecurity Expert with Gabrielle B (Desjardins)

Episode Summary

In this episode of "Build Amazing Things Securely," host Laura Bell Main interviews Gabrielle, an offensive security advisor at Desjardins, Canada. Gabrielle shares her unique journey from acting to cybersecurity, detailing the skills and experiences that led her to become a penetration tester. The discussion dives into the nuances of penetration testing, including different methodologies, the importance of communication with development teams, and the value of a penetration tester's external perspective.

Key Points

  1. Gabrielle's Background: From acting to software development, culminating in a passion for cybersecurity.
  2. Penetration Testing Explained: Understanding the process, methodologies (black box, gray box, white box), and the importance of defining scope.
  3. Transition to Penetration Testing: Self-training through online resources, competitions, and creating a structured learning program.
  4. Collaboration in Pen Testing: Emphasizes teamwork between pen testers and developers for better security outcomes.
  5. Advice for Software Teams: Preparing for penetration tests, embracing curiosity, and the benefits of external testing perspectives.

Links and Resources


Homework

  • Engage with Pen Testing: If your software is due for a penetration test, engage actively with the process. Provide clear information about your application and be open to feedback.
  • Explore Learning Resources: Check out Gabrielle's blog for practical pen testing tips and her journey into cybersecurity.
  • Participate in the One Hour AppSec Program: Enhance your application security knowledge and skills by joining this program designed for software developers.

Transcript
Laura: Hello, everybody, and welcome back to Build Amazing Things Securely. My name's Laura Bell Main. I'll be your host and guide today. And today we are actually, we're going global. We have an exciting guest today from the great space of Canada. So today I'm welcoming Gabrielle, an offensive security advisor at Desjardins. Now I came across Gabrielle at a conference this year. And like many of these interactions, I talked to a stranger and asked her to come do a thing. So thank you so much for coming on, Gabrielle. It's really wonderful to have you here. Now, as the audience know, I don't like reading out bios because I don't think I can ever do a person justice. So let's kick off by saying firstly, welcome, Gabrielle. It's lovely to have you here.

Gabrielle: Thank you.

Laura: Awesome.

Gabrielle: Thank you very much.

Laura: And Gabrielle, who are you, the human?

Gabrielle: I'm Gabrielle. I work in Montreal. I really love Montreal. It's a great city, but I'm originally from Paris, from France.

Laura: Oh, amazing.

Gabrielle: And I moved there four years ago. So I love to travel. I love to see nice places. And yeah, as a human, I think that's pretty much it.

Laura: So how did you end up then as an offensive security advisor? Now, I'm really interested in this because there's a lot of our audience who, for them, offensive security is this big kind of unknown space. They have no idea where it begins. So what do you do? What is an offensive security advisor?

Gabrielle: An offensive security advisor, it's also like the same post as a pen tester, the same position as a pen tester. Basically I'm going to attack systems to make sure that they are safe. In the process, I will try to find the maximum of vulnerabilities. But yeah, that's the sum up of what this is, even though it includes many more things. So there's different phases. We have different phases to do this. And so we need to know about different technologies, about different things. And some of us are going to specialize. It really depends. But most of the time we start with a web pen test and then we specialize in something we like. It can be mobile application. It can be different. It can be cloud. Like there are many possibilities. And yeah, so we are going to do what a cyber criminal would do, but we have the right to do it because it's all really legally organized. And then the goal is to find vulnerabilities and to help the team who make the project to patch them. So this way they have applications that are as secure as possible.

Laura: Oh, fantastic. So I'm going to just clarify a couple of things here. When we're talking about pen testing, the folks out there may have heard it as penetration testing, if you weren't used to the abbreviation. But many of us as software engineers, we only really get a side view of penetration testing. Occasionally somebody says, your app's going to be penetration tested this week. And you go, oh, okay, cool. I don't know what that is. So let's start with you first. I'm going to ask you about how you became a penetration tester. And then I'd love to know how the process works. So let's start with you. How did you end up here?

Gabrielle: A long time ago, I was an actress.

Laura: That was not what I was expecting. Okay, cool. This is a good story. Carry on.

Gabrielle: So yeah, I had this background of art and I decided to try out as an actress, but also at the same time, I was very passionate about doing websites and doing computer things. So that's how I made like a first website about Seattle, and then I really liked it. 13 years ago I did a first experience in Montreal, in Canada, where I am now. And I had a very good experience at a university where I had the opportunity to work with a computer and to help with applications and help my colleagues and everything. So it was really fun and I had a lot of fun. So when I came back to France, I wanted to do software development. And I looked for trainings and I did like the equivalent of a bachelor degree in application development. And then after this, I worked for a while as a developer and I was thinking, what am I delivering? Is it safe? That's how I started to Google around and check how I could make sure that my applications were safe, and I wanted to protect the data of my customers. So I wanted to make sure that what I was doing was really secure. And so that's how I found out about pentest and I found it really cool. To be able to actually test security, I found this really fascinating. And I started to look for trainings that would take into account my background, and also something not too costly, but it was a little complicated and I didn't find something that would fit my profile. I decided to train myself and I did a program. I made this very structured. So I did a program. It's a six step program. And it was based on an education science concept called a pronounced, which basically means, in really simple words, that you can learn in every situation and in many different ways. And so that's how I did this six step program. So there was a catch the flag competition. So catch the flag competitions are competitions where you are going to have cyber security challenges that you will have to solve. And so it's sometimes little hacks that you have to do, or things like this, or it can be also challenges about cryptography. There are many different topics. It really depends on the competition you do. And there's also catch the flag platforms such as Hack The Box or TryHackMe. And these are great platforms to learn about how to hack things. And so this is one of the steps I did. I went to conferences. I went to summer schools. Also I did online courses, so yes, very different steps, and all of this was documented on my blog because I figured, okay, I did all this. This is very structured. If someone wants to do it as well, this way they can find a way to make it, and also a blog is a great way to showcase what you know, and this is good for employers to see what you can do. It really goes further than a resume and it's a way to show what you can do to a potential employer.

Laura: And I think this is probably something that our developer audience probably understand already because they're probably doing this themselves. So we do this with our GitHub histories, with all the projects that we do, and we try to showcase. And I think it's really good to see that you migrated from application development to security. Not everyone does. But it means that you have that wonderful view of both sides. And I'm really impressed that you came up with your own syllabus to do that. I will grab a link afterwards if that blog is still around. I'm sure some of our readers would, readers, listeners? Some of our audience would love to check that out. So you're now in the penetration testing space. And one of the comments that we hear from our audience a lot is that the penetration test happens, but it's like this weird, unknown thing and nobody tells them what's happening and nobody tells them the results. Can you demystify it for us a little bit? As a penetration tester, what are the types of things that you're doing? What are the types of tools you're using? And what's your process for finding these vulnerabilities?

Gabrielle: Sure. So we have different phases. So first we have the planification phase. So depending if you work for the internal security team of a company, or if you do contracting work, this phase is different. For example, for the internal team of a company, you sign everything and year related, like when you go into the company, and then the legal part is less important. There is still a legal part because sometimes we are going to do pen tests for contractors of the company, but most of the time the legal part is really less heavy. And all this planification phase is about defining the scope of the pen test. So a scope is like, what are you allowed to test? And it has to be very precise because this is a way to secure you as a pen tester, and also it's really a big part of the trust between your customer and what you're going to do. So it's really important that everyone is on the same page on the scope. The more precise it is, the better it is. And then after all of this is taken care of, we can start and we are going to do a reconnaissance phase, depending on the type of pen test. So we have different methodologies. We have a black box pen test. A black box pen test is when you have no knowledge of the target except what you can find publicly. So for example, say your Swagger file is public. This is something I will find, and so this is something I would work with. But if it's not public, I would have to do some research and some things. A gray box pen test is when you have not all the knowledge, but part of the knowledge. So for example, you have a user account, a basic user account; you can also have different levels of users. And a white box pen test is when you really have everything that the team has. So you have documentation, you have diagrams, you have all the Swaggers they have, you have really different things. And depending on the methodology, the reconnaissance phase is going to be different, and it's going to be longer or shorter. And then after this phase, we can go to the attack phase. So this reconnaissance phase has allowed us to find potential entry points in the application, potential things that we could try out. And finally, after the attack phase, so during the attack phase, we have to actually try our attacks, and we take many notes in the process because we have to be able to show what we were able to do, and the goal is that when someone from the developer team, for example, reads the report, they have to be able to reproduce what we were able to do, so this way they can understand the impact and they can patch it. And then after this is the report phase. So after the attack phase, this is the report phase. So we will have a report with an executive summary. So this is going to be for the executives of the company. So it's going to be very general explanations, but it has to show the impact in terms of business of what we could do. And then we will go into the details. So this way the blue team or the developers or the people of the project are going to have really technical and detailed explanations on what to do and everything.

Laura: That's a lot more than, I have been a pen tester, so I knew a lot of this before, but as an outsider, if I put myself into a dev team's shoes, we never see the depth that you go to, especially that reconnaissance phase. And I don't think we appreciate how much information is out there that can be useful in a pen test. So let's dig into a couple of bits of this. You talked at the start about black box and gray box and white box testing. Now, in your experience, which one gets the better results?

Gabrielle: I would say a white box pen test. Even though I would ask for more time when we are in a white box, because we have to really grasp all the concepts, and there's always a learning phase. Like when you do a black box pen test, you just try out things and you try to find everything you can, but when you have a white box pen test, you actually, most of the time, have the code of the application. So you also have time to dig into the code and check what functions are used. And do I have hard coded credentials in there? So there's this whole process. So there are a lot more things to check, but I think it's more efficient. Because it's not more efficient, it really depends on what the team of the project wants. I think all pen tests are really interesting. But with a white box pen test, you can know what happens in case someone was able to bypass, for example, if you have a WAF in front of your application and say your black box pen tester was not able to bypass this WAF, you won't know what would happen if it was possible to actually bypass the WAF. So say one day your WAF is off for some reason, or a cyber criminal is able to bypass it. This way, you will have vulnerabilities that were not found because you did a black box pen test. But if you do a white box pen test, sometimes what we do is that we keep the WAF on, so we can try with the WAF on and we can try with the WAF off. And so this way we can try different things and we actually know what could happen in case the WAF is off. So we find different vulnerabilities that could happen after a first and initial confirmation.

Laura: This is really cool. When you look at what you're describing there as a white box test, not only are you having to understand and dig into and learn an entire system that somebody else has been developing for months and years, but you're also looking at the architecture level, the infrastructure components that are laid on top of each other, as well as the source code layer. As a challenge, that's a lot to take in and comprehend in a short period of time. Do you find that your background as a software developer helps you with that part, or what are the challenges in that for you?

Gabrielle: It definitely helps, yes, because there is not only the fact that I know how to code, but also the fact that I have a certain knowledge of architecture of applications. So this is really helpful. It doesn't mean that if you are, I don't know, someone who never opened a computer, you are not going to be able to learn pen test. It's completely possible as long as you have the motivation and you want to learn; you can definitely do it. But having some background in development, also in networking, is really helpful.

Laura: That's really cool. And so I've heard comments before, I'm sure you've heard similar, that a penetration test isn't realistic because you have access to these things, or because it's time bound or scoped in that way. In your experience, what's the big value that a team can get? If you're a software team and you are working with a penetration tester like yourself, what's the value that they can get that's different from just simulating a hacker? What makes that relationship with a penetration tester special?

Gabrielle: It's when you are working, like, say you are writing a text and you put your feelings in your text, and then you show it to someone else, someone who doesn't know you. You can have a new point of view about your text and you can actually improve it. It's a pattern that applies in a lot of things in the technology field. For example, it also applies, in my opinion, for diversity. We also have different backgrounds. So it's great to have someone from a different background to be on a project because they have different ideas. When you have a pen tester in a software project, it's a way, so I know sometimes some people can be scared or something, but we are not here. And this is very important for me, that we have a good communication with the developers, because we are not here to be mean or anything. We want to work together to make the application safer. This is really a teamwork. So I really like when everybody's involved and when we can work together and learn from each other. For example, when I was working for another company a while ago, we were doing the same pen test every year, and every year it was harder because the person whose application we were testing was very excited every time we were coming, because they would try to make things so that we were not able to get in the system. So it was really fun because we really had this teamwork and we were working towards security together.

Laura: I really love this. I love the shift from that traditional adversarial view of penetration testing, where they're going to come tell you your baby is ugly and walk away, to, it really is that collaboration. It's having somebody who can see things differently. And I think we all benefit from that in every part of our life. So it was really well explained. Thank you so much for that, Gabrielle. Now, just to round out, I want to ask one last question, really. If one of our audience, they know they've got a penetration test coming up and they want to make the most of that experience, what are your tips for a software developer who's about to be penetration tested? How can they make that relationship with the pen tester really useful? What kind of information should they provide? If you're doing this for the first time, what would you recommend?

Gabrielle: I would recommend to feel free to reach out to the person who you are going to work with and ask any question you might have. Also, it's always good to have what patterns you used, like which design pattern you used, or also the diagram as well, of course, depending on the methodology of the pen test. And so when we do a white box pen test, we really like to have this information. And yeah, I'm trying to put myself in the shoes of a developer who would do this for the first time. Yeah, I think I would ask questions and try to provide as much information as possible. And also give a short explanation of the goal of the application. And also, yeah, don't be afraid to ask questions. We are here to work together, and give as much information as possible, and also feel free to reach out after the pen test, because we are going to provide a report with detailed explanations, but sometimes it can be unclear. And so we are able to talk together. And sometimes also what we find, it's really in the context of what we were able to test. Like we don't have as much time as someone who would have worked multiple weeks on the same project to build it. So it's nice to have also the other point of view, like sometimes why applying this patch can be a challenge. So we also like to have this feedback. And also, yeah, check out everything DevSecOps related because it's also really interesting.

Laura: Yeah, that's a really great set of things. Just to sum these things up, approaching having a pen test with a curiosity and an excitement is really important. So ask questions. There's very little in a pen test report that should be super secret, because you wrote the system. There should be no surprises. So go and be curious, go and ask some questions. And when you've got somebody joining your team or working with you for a period of time to do that testing, just to sum up what Gabrielle shared here, there's a learning phase. And like when somebody joins your team as an engineer, they only have a short period of time to go from "I know nothing" to "I know enough to now go and test this thing". Find ways to make that easier; provide the information if it is a white box situation. So really good guidance there. And about those reports and those write ups, I've been on that side of it. It's really hard to write a write up that is understandable to everyone from every background. So do just gently push back and ask if there's anything unclear. So really great practical guidance there, Gabrielle. Thank you so much. I'm going to just ask you, just as a little fun final question, what's the most interesting app you've ever pen tested?

Gabrielle: I love to test games, video games or casino games or things like this. I really have fun because it's a different way to test, because you are going also to try to find a way to trick the game and to see if we can actually cheat or do things like this. I like this. I also like to test APIs because it's completely different than a web application. And what I really want to learn and get better at is also hardware pen test. I really want to do IoT and hardware pen test because it sounds really fun.

Laura: Amazing. Look, there's a lot to be said for all of this. So much fun, so much exciting stuff and so many useful bits here, Gabrielle, for our teams to use if they're going to be penetration tested. So thank you so much for sharing all of your knowledge with us today. It's been a pleasure to talk to you from the other side of the world. If we were going to follow up with you, Gabrielle, what's the best way to keep in touch?

Gabrielle: You can reach out to me on LinkedIn. You can follow me on LinkedIn. I share resources and I like to have people talk with me on LinkedIn, and also I have a blog, csbygb.github.io. And also in this blog you are going to find pen test tips. I call it pentips, where you can find different tips. There's also some part about digital skills, because sometimes I use different softwares and I'm stuck in doing things. So I just screenshot what I'm doing and write down the things on how I get unstuck on things. So that's super useful things.

Laura: Wonderful. We will put the links in the show notes for folks. So check those out. Thank you so much for joining us today, Gabrielle. It's been so much fun to talk to you.

Gabrielle: Thank you for having me. It was nice.

Laura: Let's just round it out the same way we always do, team. Now, whether you are listening to this on Apple or Spotify or Google or YouTube, it doesn't matter. Please remember to like and subscribe and follow and all of those things, because it does make us happy. We're very simple creatures, and also because it helps us understand where our audience is coming from and what you're enjoying. And finally, a little tip to the One Hour AppSec program. So if you haven't joined yet, please do get stuck in. So go to www.onehourappsec.com and it's going to deliver 60 minutes worth of security activity that you can do in your software projects, big or small, in just one sprint.