Using Contextual Analysis to decide on a target software for vulnerability research

Contextual Analysis is a method for assisting in selecting software targets for vulnerability research. Contextual Analysis is the study of all components of a system or environment to determine how and by whom it is used. Researchers can use contextual analysis to see if the target software fits the conditions for vulnerability discovery and exploitation.

Goal 1: Develop a target list relevant to the mission

Contextual Analysis’ purpose is to avoid wasting time looking for vulnerabilities in software that isn’t relevant.

There are tens of millions of software products on the market, but which ones are essential to the organization that has hired you to conduct vulnerability research? Contextual Analysis comes into play here. It allows you to connect the context of a piece of software to the mission’s goals.

Goal 2: Achieving a greater understanding of the target software

In general, security researchers are familiar with software that appears on popular target lists like the Zerodium. They know what browsers are, how they’re used, and why they’re a target, for example. However, those aren’t the only targets a company might be interested in! How well-versed in ICS software are you? What about software for robots? What about medical software? HR software? Platforms for education?

Contextual Analysis is usually always effective in this situation. It will aid security researchers in understanding what software is, how it is used, why it is used, and who uses it. This information is likely to provide them with new ideas for identifying vulnerabilities.

Contextual Analysis is Non-Technical

Understanding what the software is supposed to achieve is the goal of contextual analysis. What are some examples of user stories? What are the applications? What kind of situation will the software be used in? Before we can even consider Technology Analysis, we must first understand all of this.

The user stories will give us an idea of what features the software needs to have. The use cases will help us understand how the user will interact with the software. And the scenarios will tell us what environment the software will be used in.

Key Questions

Here’s a list of simple questions to commence Contextual Analysis:

  • Who builds and maintains the software?
  • Who uses the software?
  • Where in the world is the software deployed?
  • What does the software do?
  • Why do organization use this software?

Data Sources

Sales materials such as presentations, user manuals, brochures, and whitepapers are excellent sources of data for Contextual Analysis. Everything you need to know about how to utilise the product and what issues are being solved.

Many software companies feature customer success stories on their websites. We can use this data to figure out who uses the software and where it’s most likely installed.

Deliverable

Contextual Analysis’ major findings should be summarized in a brief report of no more than 5 pages.

This report has two audiences:

Mission Commanders: The research must meet the mission’s requirements, according to key decision makers. Be ensure to describe the mission-related repercussions and impacts of serious vulnerabilities in the target software.

Cyber Operators: Prior to beginning the vulnerability identification procedure, technical personnel who need to comprehend the product.

Looking to expand your knowledge of vulnerability research and exploitation? Check out our online course, MVRE - Certified Vulnerability Researcher and Exploitation Specialist. In this course, you’ll learn about the different aspects of vulnerability research and how to put them into practice.