Penetration Testing Execution Standard

Slides by Iftach Ian Amit (VP Consulting, Security Art; founder, PTES), presented at DC9723, March 22nd, 2011. Slide transcript; several slides were image-only and carry no text.
Penetration Testing Execution Standard
Iftach Ian Amit, VP Consulting - Security Art, Founder - PTES
DC9723, March 22nd, 2011

Agenda
  • Why?
  • Who?
  • How?
  • You!
PTES - Why?
RAPE! Someone call the police...

PTES
  • Common language for organizations and service providers
  • Set the bar for a common standard to be used
  • Eliminate hacks (as in: run Nessus, generate report, send to customer, charge $10,000)

PTES - Who?
  • As always - started during a long night of drinking...
  • Nickerson (@indi303), Kennedy (author of SET), me (@iiamit), Gates (@carnal0wnage), Val (@attackresearch), Nick (@c7five), Robin (@digininja), Wim (@wimremes), Stefan (@stfn42), lots more...
  • www.pentest-standard.org
PTES - How?
  • Basically, define the 7 basic elements of a pentest:
    • Pre-engagement
    • Intelligence gathering
    • Threat modeling
    • Vulnerability Analysis (“old” pentesting scope)
    • Exploitation
    • Post exploitation
    • Reporting
Pre-Engagement

Intelligence Gathering

Threat Modeling

Vulnerability Analysis

Exploitation

Post-Exploitation

Reporting
PTES - initial reactions
  • You have to be kidding me
  • No one does that
  • I can’t do this all by myself
  • This is a lot of work
  • Is this going into PCI/ISO/[someStandard]?
  • We already do that

Now what?
YOU! Yes, you...

Roadmap
  • Catch up on all the “official” news at www.pentest-standard.org
  • Volunteer! (we need working hands...)
  • Previous milestone - Shmoocon (Feb 2011)
  • Next milestone - ph-neutral (May 2011)
  • Drop the bomb - BlackHat?
