Penetration Testing Execution Standard

Transcript

  • 1. Penetration Testing Execution Standard. Iftach Ian Amit, VP Consulting - Security Art, Founder - PTES. DC9723, March 22nd, 2011
  • 2. Agenda
    • Why?
    • Who?
    • How?
    • You!
  • 3-5. PTES - Why?
    • RAPE!
    • Someone call the police...
  • 6. PTES
    • Common language for organizations and service providers
    • Set the bar for a common standard to be used
    • Eliminate hacks (as in run Nessus, generate report, send to customer, charge $10,000)
  • 7. PTES - Who?
    • As always - started during a long night of drinking...
    • Nickerson (@indi303), Kennedy (author of SET), me (@iiamit), Gates (@carnal0wnage), Val (@attackresearch), Nick (@c7five), Robin (@digininja), Wim (@wimremes), Stefan (@stfn42), lots more... www.pentest-standard.org
  • 8-10. PTES - How?
    • Basically, define the basic 7 elements of a pentest:
      • Pre-engagement
      • Intelligence gathering
      • Threat modeling
      • Vulnerability Analysis
        (“old” pentesting scope)
      • Exploitation
      • Post exploitation
      • Reporting
  • 11-13. Pre-Engagement
  • 14-16. Intelligence Gathering
  • 17-18. Threat Modeling
  • 19-20. Vulnerability Analysis
  • 21-22. Exploitation
  • 23-24. Post-Exploitation
  • 25-27. Reporting
  • 28-34. PTES - initial reactions
    • You have to be kidding me
    • No one does that
    • I can’t do this all by myself
    • This is a lot of work
    • Is this going into PCI/ISO/[someStandard]?
    • We already do that
  • 35-37. Now what? YOU! Yes, you...
  • 38-43. Roadmap
    • Catch up on all the “official” news at www.pentest-standard.org
    • Volunteer! (we need working hands...)
    • Previous milestone - Shmoocon (Feb 2011)
    • Next milestone - ph-neutral (May 2011)
    • Drop the bomb - BlackHat?