Preface
Our First Computer Gets Ready
We connected our Christmas gift to the TV and flipped the power switch. A line of text that read Commodore 64 Basic was displayed over the blue-framed background. In an almost overwhelming state of excitement, I – then eight years old – eagerly awaited our new computer to start showing us all the games it had in store for us. But it didn’t. The only thing that happened on the screen was the display of the word “ready.” Our new futuristic friend was apparently ready. I just didn’t know for what.

I sat there hoping that my brother, who was always the smarter one, would somehow get us out of this anti-climactic situation. He did. By typing in a few commands that made no sense to me, we were soon gaming the December evening away. My love-hate relationship with computers started then and there.
Fast forward thirty years and computers are literally everywhere: they keep an eye on your well-being when you’ve been hospitalized. They are used by nation-states to monitor everything imaginable in the name of national security. And I hardly need to mention that the Internet is the perfect place to waste your time when you could be doing something useful instead. It is simply getting harder and harder to imagine a world without computers.
Like it or not, living in a world that depends on computers raises some rather difficult questions. This book focuses on trying to solve one of them: how do we successfully test the security of our data and the systems that manage them? I am the first person to admit that it might be tough, if not impossible, to come up with a proper answer.
Very few systems exist for the purpose of being secure. And very few systems were designed from the ground up with security in mind. Given that all systems are different, we don't have the luxury of having a standardized security test to use in every situation. Throw the ever-changing security landscape into the mix, together with project underfunding, and things will get even more complicated.
Correcting, or at least trying to improve, security issues can sometimes make you feel as if you're stumbling around a dark room trying to find a decent place to fit a brighter light bulb. I do, however, choose to see the light that is always there as just that – light – not as the blinding headlights of an oncoming train.
My first few attempts at testing data security were, mildly put, unorganized. Sure, I knew a few ways to exploit insecure software, successfully guess poorly chosen passwords, and bring a system to its knees by flooding it with various bits of data. But I didn't understand the importance of writing an understandable report, keeping a solid command log, or even explaining why security testing was necessary in the first place. I would like to think that I'm somewhat wiser now, and that's the main reason why I decided to write this book. I sincerely hope that these pages will give you the tools you need to plan, carry out, and successfully wrap up any security test.
I have done my very best to write the book on security and penetration testing that I wish I had read myself before I got into the profession. Yes, this book will teach you things like how to crack passwords, how to break into a vulnerable web application, and how to write a professional report. But more importantly, this book allows me to share with you the experience I’ve gained over the years from working with hands-on security testing. This includes advice on how to best communicate with customers on the importance of security testing, how to deliver a solid presentation of your work, and much more.
Computer security is an important and fascinating field, and I am delighted to have been given the chance to help you become a true security professional. The journey starts now.