Penetration Testing; A customer's perspective


A short presentation to my internal peer group on some of the potential shortcomings of current penetration testing practices and what might be done about it.

Published in Technology
  • 1. A customer's perspective
        Internal Practitioners Conference, May 2013
        Phil Huggins
  • 2. I have been:
        - Infrastructure penetration tester – late 90s
        - Application penetration tester – early 00s
        - Security Architect – till now
        Client-side advice: large Government & Commercial programmes of work
        Handling:
        ▪ System suppliers
        ▪ Pen test suppliers
        ▪ Client and Third Party security stakeholders
        ▪ Client Operational teams
        ▪ Client Project teams
        I am an unusual customer of pen tests: I understand what I'm buying and why.
  • 3. [Diagram: two parallel four-step flows]
        SENSEMAKING: Gather Information → Expert Schema → Insight → Define Action
        PENETRATION TESTING: Scan & Exploit → Characterise Vulnerabilities → Understand Causes & Impacts → Recommend Prioritised Mitigations
  • 4. What you get:
        - Team of technical guys with CREST, TIGER or CHECK certifications
        - A written methodology owned by the test company
        - A lot of pen testing tools
        - A week or two of technical work
        - A week of report writing
  • 5. The report:
        - Executive summary
        - At least one graph
        - Names of the pen testers involved
        - Description of the commercial scope
        - Extensive prose account of what was done
        - Screen shots of tools / error messages
        - A table of vulnerabilities, mapped to CVE numbers
        - Some form of risk / RAG status
        - A technical resolution
        - A description of recommended further work
  • 6. Problems:
        - High day rates for good testers
        - Poor margins as salaries are high
        - Quality can be very variable
          ▪ Same testers over time
          ▪ Between testers
          ▪ Across companies
        - Focus on fail results: what tests were conducted and passed?
        - Focus on 0-day: what threat model was used?
        - Skipping the insight: little or no understanding of causes and impacts
        - Only two parts of the report actually required
          ▪ Summary
          ▪ Vulnerability table
  • 7. What might be done:
        - Better customers
          ▪ Security requirements
        - Better information gathering
          ▪ Automation of low hanging fruit
          ▪ Recording of manual testing
          ▪ Supply of automation scripts, raw results & manual recordings to customer
        - Better insight
          ▪ Explicit threat model
          ▪ Understanding of operational processes
          ▪ Understanding of customer business
        - Better reporting
          ▪ Vulnerability tables in Excel
          ▪ Record full scope
          ▪ Vulnerability metrics: ease of exploit, complexity of fix, extent of compromise
  • 8. http://blog.blackswansecurity.com
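As an added illustration of the reporting slides 6 and 7 ask for (not part of the deck), the script below records the full scope so that passed and untested items are visible alongside failures, and ranks findings using the three suggested metrics. The sample scope, findings and the weighting used for prioritisation are constructed assumptions, not the speaker's scheme.

```python
"""Vulnerability table with scope coverage, as slide 7 recommends.
All hosts, findings and the scoring weights below are constructed for
the example; the CVE value is a placeholder, not a real identifier."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    id: str
    scope_item: str              # in-scope host or application affected
    title: str
    cve: Optional[str]           # CVE mapping if one exists, else None
    ease_of_exploit: int         # 1 = hard ... 5 = trivial
    complexity_of_fix: int       # 1 = simple ... 5 = major rework
    extent_of_compromise: int    # 1 = single user ... 5 = whole estate


def priority(f: Finding) -> int:
    """Higher = fix first. Easy-to-exploit, wide-impact issues outrank
    hard fixes; the weighting is an assumption for this example."""
    return f.ease_of_exploit * f.extent_of_compromise - (f.complexity_of_fix - 1)


def prioritised(findings: List[Finding]) -> List[Finding]:
    """Prioritised mitigations: sort by score, then id for a stable order."""
    return sorted(findings, key=lambda f: (-priority(f), f.id))


def coverage(scope: List[Tuple[str, bool]], findings: List[Finding]) -> Dict[str, str]:
    """Answer slide 6's question: which scope items were tested and passed?
    scope is (item, tests_were_run); an item with no findings only 'passes'
    if tests actually ran against it, otherwise it is 'not tested'."""
    failed = {f.scope_item for f in findings}
    result = {}
    for item, tested in scope:
        if item in failed:
            result[item] = "fail"
        elif tested:
            result[item] = "pass"
        else:
            result[item] = "not tested"
    return result


# Constructed sample data (not from any real engagement).
SAMPLE_SCOPE = [("web-01", True), ("api-01", True), ("mail-01", True), ("db-01", False)]
SAMPLE_FINDINGS = [
    Finding("F1", "web-01", "Reflected XSS in search", None, 4, 2, 2),
    Finding("F2", "api-01", "Outdated TLS library", "CVE-XXXX-XXXX (placeholder)", 2, 1, 3),
    Finding("F3", "web-01", "Default admin credentials", None, 5, 1, 5),
]
```

Exporting `prioritised(SAMPLE_FINDINGS)` and `coverage(SAMPLE_SCOPE, SAMPLE_FINDINGS)` to a spreadsheet gives the two parts of the report the deck says are actually required, plus the scope record.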