Recently I have been struggling with some of the more theoretical parts of penetration testing as a lot of CTFs don't go over why things are happening.
This isn't really a necessary part of most CTFs, as most are designed to be a game, but if I want to be more than just a penetration tester I need to know why the XSS alert pops, not just how to find a flag with a tool.
To be a good security engineer or penetration tester, one should be able to tell a software engineer what and where the real issue is, and how they might fix it. That can be done through Root Cause Analysis of a bug.
Root Cause Analysis (RCA) is the analysis of an issue, generally a negative one, to find where it originated: what is the "Point A" that triggered the chain of events that caused the issue?
I like to think of root cause analysis as dealing with weeds in a garden. If you only pull the dandelion flowers off, the weed will keep coming back. But if you go after the roots and pull them up, you have found the cause of the weed and can prevent it from growing again.
In security, root cause analysis is a very important part of triaging a bug report. It helps identify where the issue originates, prevents the same bug from being reported multiple times, and ensures the quality of the product over its life.
Keep in mind when picking a method that no single method works for every situation. Here are a few popular ones:
- Five Whys Analysis is a tool that can be used in troubleshooting, quality improvement and problem solving. When a problem arises, you simply keep asking the question "why" until you reach the underlying source of the problem and a robust counter-measure becomes apparent. (1)
- Problem Tree Analysis is a tool that breaks a problem into smaller parts. It starts with the core problem and descends from there, building a family-tree structure of the problem itself. (2)
- Fishbone/Ishikawa diagrams group causes into sub-categories like methods, measurements, materials and many others, making it easier to determine the cause. (3)
The general process of a root cause analysis is:
- Define the problem in as much detail as possible.
- Gather data associated with the problem.
- Identify any causes of the problem.
- Identify any consequences of the problem.
- Determine the root cause(s).
- Identify any solutions that will be effective in preventing repeat problems.
- Implement appropriate changes.
- Monitor the changes to ensure that they effectively fixed the problem. (2, 7)
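To make the symptom-versus-root-cause distinction concrete for the XSS case mentioned at the start of the post, here is an added JavaScript example (it is not from the original post). It contrasts a symptom-level fix, which removes only the exact string from the bug report, with a root-cause fix that encodes every untrusted value at the HTML sink, and adds the kind of check the "monitor changes" step calls for. The function names and sample inputs are constructed for this illustration.

```javascript
// Added example (not from the original post): separating the symptom of an XSS
// report (the alert fires) from its root cause (untrusted text reaches an HTML
// sink without output encoding). All names and inputs here are constructed.

// Escape the characters that let data be parsed as HTML markup.
// '&' is handled first so the entities we emit are not re-encoded.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Symptom-level fix: remove the exact string seen in the bug report.
// This pulls the flower, not the root: the untrusted value still reaches
// the HTML sink and still controls document structure.
function renderCommentSymptomFix(comment) {
  const scrubbed = comment.replace(/<script>alert\(1\)<\/script>/g, "");
  return `<div class="comment">${scrubbed}</div>`;
}

// Root-cause fix: every untrusted value is encoded at the point where it is
// written into HTML, regardless of what it contains.
function renderCommentRootCauseFix(comment) {
  return `<div class="comment">${encodeHtml(comment)}</div>`;
}

// Check for the "monitor changes" step: does any angle bracket from the
// untrusted input survive into the rendered output as markup? The template's
// own tags are accounted for by rendering an empty comment as a baseline.
function untrustedMarkupSurvives(render, comment) {
  const baseline = render("");
  const rendered = render(comment);
  const count = (s) => (s.match(/[<>]/g) || []).length;
  return count(rendered) > count(baseline);
}

// Constructed inputs: the reported payload, plain markup that is not an
// attack but still changes document structure, and ordinary text with
// characters that must survive encoding intact.
const SAMPLE_INPUTS = [
  "<script>alert(1)</script>",
  "<b>hello</b>",
  'Tom & Jerry say "hi"',
];

// Returns true only if the renderer neutralises every sample, i.e. the fix
// addresses the sink rather than one reported string.
function fixAddressesRootCause(render) {
  return SAMPLE_INPUTS.every((input) => !untrustedMarkupSurvives(render, input));
}

console.log("symptom fix    ->", fixAddressesRootCause(renderCommentSymptomFix)); // false
console.log("root-cause fix ->", fixAddressesRootCause(renderCommentRootCauseFix)); // true
```

The symptom fix passes the one input from the bug report and nothing else, which is exactly why a blocklist-style patch tends to produce repeat reports; the root-cause fix passes every input because it changes the sink, not the payload. The same structure (a renderer plus a set of inputs and a property that must hold for all of them) is the regression test you would leave behind after the analysis.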
"Performing a root cause analysis is one of the most important things you can do to improve operations and drive a continuous operations improvement mindset." (9)
Though often overlooked, a root cause analysis makes it easier to communicate what is known and what needs a little more work. It allows everyone involved to see how all of the pieces fit together and, most importantly, helps eliminate the need to take unnecessary action, as well as reducing the cost associated with erroneous or excessive repairs, like a data breach.