Penetration Testing: A customer's perspective

A short presentation to my internal peer group on some of the potential shortcomings of current penetration testing practices and what might be done about it.

A short presentation to my internal peer group on some of the potential shortcomings of current penetration testing practices and what might be done about it.

Transcript

  • 1. A customer's perspective. Internal Practitioners Conference, May 2013. Phil Huggins
  • 2. I have been:
      • Infrastructure penetration tester – late 90s
      • Application penetration tester – early 00s
      • Security Architect – till now
      • Client-side advice on large Government and Commercial programmes of work, handling:
        ▪ System suppliers
        ▪ Pen test suppliers
        ▪ Client and third-party security stakeholders
        ▪ Client operational teams
        ▪ Client project teams
    I am an unusual customer of pen tests: I understand what I'm buying and why.
  • 3. Sensemaking vs. penetration testing (diagram):
      • SENSEMAKING: Gather Information → Expert Schema → Insight → Define Action
      • PENETRATION TESTING: Scan & Exploit → Characterise Vulnerabilities → Understand Causes & Impacts → Recommend Prioritised Mitigations
  • 4.
      • Team of technical guys with CREST, TIGER or CHECK certifications
      • A written methodology owned by the test company
      • A lot of pen testing tools
      • A week or two of technical work
      • A week of report writing
  • 5.
      • Executive summary
      • At least one graph
      • Names of the pen testers involved
      • Description of the commercial scope
      • Extensive prose account of what was done
      • Screen shots of tools / error messages
      • A table of vulnerabilities
        ▪ Mapped to CVE numbers
        ▪ Some form of risk / RAG status
        ▪ A technical resolution
      • A description of recommended further work
  • 6.
      • High day rates for good testers
        ▪ Poor margins as salaries are high
      • Quality can be very variable
        ▪ Same testers over time
        ▪ Between testers
        ▪ Across companies
      • Focus on fail results
        ▪ What tests were conducted and passed?
      • Focus on 0-day
        ▪ What threat model was used?
      • Skipping the insight
        ▪ Little or no understanding of causes and impacts
      • Only two parts of the report actually required
        ▪ Summary
        ▪ Vulnerability table
  • 7.
      • Better customers
        ▪ Security requirements
      • Better information gathering
        ▪ Automation of low-hanging fruit
        ▪ Recording of manual testing
        ▪ Supply of automation scripts, raw results and manual recordings to the customer
      • Better insight
        ▪ Explicit threat model
        ▪ Understanding of operational processes
        ▪ Understanding of the customer's business
      • Better reporting
        ▪ Vulnerability tables in Excel
        ▪ Record full scope
        ▪ Vulnerability metrics: ease of exploit, complexity of fix, extent of compromise
  • 8. http://blog.blackswansecurity.com