A customer's perspective on penetration testing and improving the process

Slide 1

A customer's perspective
Internal Practitioners Conference, May 2013
Phil Huggins

Slide 2

I have been:
• Infrastructure penetration tester – late 90s
• Application penetration tester – early 00s
• Security Architect – till now
  • Client-side advice
  • Large Government and commercial programmes of work
  • Handling:
    ▪ System suppliers
    ▪ Pen test suppliers
    ▪ Client and third-party security stakeholders
    ▪ Client operational teams
    ▪ Client project teams
• I am an unusual customer of pen tests
• I understand what I'm buying and why.
Slide 3

[Diagram: the sensemaking loop mapped onto the penetration testing process]

SENSEMAKING:         Gather Information -> Expert Schema -> Insight -> Define Action
PENETRATION TESTING: Scan & Exploit -> Characterise Vulnerabilities -> Understand Causes & Impacts -> Recommend Prioritised Mitigations
Slide 4

• Team of technical guys with CREST, TIGER or CHECK certifications
• A written methodology owned by the test company
• A lot of pen testing tools
• A week or two of technical work
• A week of report writing
Slide 5

• Executive summary
• At least one graph
• Names of the pen testers involved
• Description of the commercial scope
• Extensive prose account of what was done
• Screen shots of tools / error messages
• A table of vulnerabilities
  • Mapped to CVE numbers
  • Some form of risk / RAG status
  • A technical resolution
• A description of recommended further work
Slide 6

• High day rates for good testers
• Poor margins as salaries are high
• Quality can be very variable
  • Same testers over time
  • Between testers
  • Across companies
• Focus on fail results
  • What tests were conducted and passed?
• Focus on 0-day
  • What threat model was used?
• Skipping the insight
  • Little or no understanding of causes and impacts
• Only two parts of the report actually required
  • Summary
  • Vulnerability table
Slide 7

• Better customers
  • Security requirements
• Better information gathering:
  • Automation of low hanging fruit
  • Recording of manual testing
  • Supply of automation scripts, raw results and manual recordings to customer
• Better insight
  • Explicit threat model
  • Understanding of operational processes
  • Understanding of customer business
• Better reporting
  • Vulnerability tables in Excel
  • Record full scope
  • Vulnerability metrics:
    ▪ Ease of exploit
    ▪ Complexity of fix
    ▪ Extent of compromise

Slide 8
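As an added example (not part of the original deck or the author's own tooling), the Python below sketches a findings register that records what slides 6 and 7 ask for: the full scope, every test conducted including the ones that passed, and a vulnerability table scored on ease of exploit, complexity of fix and extent of compromise, exported as CSV for Excel. The 1-to-3 scales, the score formula, the RAG thresholds, the hosts, test ids and the CVE placeholder are all constructed assumptions, not values from the slides.

```python
"""
Pen-test findings register: records the full scope, every test conducted
(passed or failed) and a vulnerability table scored on the three metrics
from the slides. Hypothetical example code, not from the original deck.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal scales for the slide's three vulnerability metrics.
# The 1..3 levels and their labels are assumptions made for this example.
EASE_OF_EXPLOIT = {"hard": 1, "moderate": 2, "easy": 3}
COMPLEXITY_OF_FIX = {"trivial": 1, "moderate": 2, "major": 3}
EXTENT_OF_COMPROMISE = {"single host": 1, "network segment": 2, "estate-wide": 3}


@dataclass
class TestCase:
    """One test that was actually conducted, recorded whether it passed or failed."""
    test_id: str
    description: str
    target: str
    passed: bool
    evidence: str  # path to raw tool output or the manual-test recording handed to the customer


@dataclass
class Finding:
    """One row of the vulnerability table; cve is None when no CVE applies."""
    finding_id: str
    title: str
    target: str
    cve: Optional[str]
    ease_of_exploit: str
    complexity_of_fix: str
    extent_of_compromise: str
    resolution: str

    def score(self) -> int:
        """Likelihood-times-impact style score: ease (1-3) multiplied by extent (1-3)."""
        return EASE_OF_EXPLOIT[self.ease_of_exploit] * EXTENT_OF_COMPROMISE[self.extent_of_compromise]

    def rag(self) -> str:
        """Map the score onto a RAG status (thresholds are an assumption)."""
        s = self.score()
        return "Red" if s >= 6 else "Amber" if s >= 3 else "Green"


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest score first; among equal scores, the cheaper fix comes first."""
    return sorted(findings, key=lambda f: (-f.score(), COMPLEXITY_OF_FIX[f.complexity_of_fix]))


def coverage(tests: List[TestCase]) -> Dict[str, int]:
    """Tests run/passed/failed, so the report shows what was tried and not only what failed."""
    passed = sum(1 for t in tests if t.passed)
    return {"run": len(tests), "passed": passed, "failed": len(tests) - passed}


def vulnerability_table_csv(findings: List[Finding]) -> str:
    """Spreadsheet-ready vulnerability table, prioritised, with score and RAG columns."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "title", "target", "cve", "ease_of_exploit", "complexity_of_fix",
                     "extent_of_compromise", "score", "rag", "resolution"])
    for f in prioritise(findings):
        writer.writerow([f.finding_id, f.title, f.target, f.cve or "", f.ease_of_exploit,
                         f.complexity_of_fix, f.extent_of_compromise, f.score(), f.rag(), f.resolution])
    return buf.getvalue()


# Constructed sample data: scope, hosts, ids and the CVE placeholder are illustrative only.
SCOPE = ["10.0.1.0/24 (internal web tier)", "portal.example.test"]
TESTS = [
    TestCase("T-01", "TLS configuration review", "portal.example.test", True, "raw/T-01-tls.txt"),
    TestCase("T-02", "Default credentials on admin consoles", "10.0.1.0/24", False, "recordings/T-02.mp4"),
    TestCase("T-03", "Outbound egress filtering check", "10.0.1.0/24", True, "raw/T-03-scan.xml"),
    TestCase("T-04", "Input validation on login form", "portal.example.test", False, "raw/T-04-proxy.xml"),
]
FINDINGS = [
    Finding("F-01", "Default credentials on admin console", "10.0.1.17", None,
            "easy", "trivial", "single host", "Change the credentials and enforce the password policy"),
    Finding("F-02", "Unpatched service (placeholder CVE-YYYY-NNNN)", "10.0.1.0/24", "CVE-YYYY-NNNN",
            "moderate", "major", "estate-wide", "Apply the vendor patch across the segment"),
    Finding("F-03", "Verbose error messages on login form", "portal.example.test", None,
            "easy", "moderate", "single host", "Disable debug output in production"),
]

if __name__ == "__main__":
    print("Scope:", "; ".join(SCOPE))
    print("Coverage:", coverage(TESTS))
    print(vulnerability_table_csv(FINDINGS))
```

The register keeps passed tests beside failed ones so the customer can see what was covered, and the sort key puts the highest ease-times-extent score first with complexity of fix as the tie-breaker, which is one way to turn the three metrics into the prioritised mitigations the deck asks for.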
http://blog.blackswansecurity.com