Penetration Testing; A customers perspective


A short presentation to my internal peer group on some of the potential shortcomings of current penetration testing practices and what might be done about it.

Published in: Technology

Transcript of "Penetration Testing; A customers perspective"

  1. Penetration Testing: A customer's perspective. Internal Practitioners Conference, May 2013. Phil Huggins.
  2. I have been:
     • Infrastructure penetration tester - late 90s
     • Application penetration tester - early 00s
     • Security Architect - till now
     • Client-side advice
     • Large Government & Commercial programmes of work
     • Handling:
       ▪ System suppliers
       ▪ Pen test suppliers
       ▪ Client and third party security stakeholders
       ▪ Client operational teams
       ▪ Client project teams
     • I am an unusual customer of pen tests
     • I understand what I'm buying and why.
  3. [Diagram: two four-step processes shown side by side. SENSEMAKING: Gather Information → Expert Schema → Insight → Define Action. PENETRATION TESTING: Scan & Exploit → Characterise Vulnerabilities → Understand Causes & Impacts → Recommend Prioritised Mitigations.]
  4. • Team of technical guys with CREST, TIGER or CHECK certifications
     • A written methodology owned by the test company
     • A lot of pen testing tools
     • A week or two of technical work
     • A week of report writing
  5. • Executive summary
     • At least one graph
     • Names of the pen testers involved
     • Description of the commercial scope
     • Extensive prose account of what was done
     • Screen shots of tools / error messages
     • A table of vulnerabilities
     • Mapped to CVE numbers
     • Some form of risk / RAG status
     • A technical resolution
     • A description of recommended further work
  6. • High day rates for good testers
     • Poor margins as salaries are high
     • Quality can be very variable
       ▪ Same testers over time
       ▪ Between testers
       ▪ Across companies
     • Focus on fail results
       ▪ What tests were conducted and passed?
     • Focus on 0-day
       ▪ What threat model was used?
     • Skipping the insight
       ▪ Little or no understanding of causes and impacts
     • Only two parts of the report actually required
       ▪ Summary
       ▪ Vulnerability table
  7. • Better customers
       ▪ Security requirements
     • Better information gathering:
       ▪ Automation of low hanging fruit
       ▪ Recording of manual testing
       ▪ Supply of automation scripts, raw results & manual recordings to customer
     • Better insight
       ▪ Explicit threat model
       ▪ Understanding of operational processes
       ▪ Understanding of customer business
     • Better reporting
       ▪ Vulnerability tables in Excel
       ▪ Record full scope
       ▪ Vulnerability metrics:
         - Ease of exploit
         - Complexity of fix
         - Extent of compromise
  8. http://blog.blackswansecurity.com
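The "better reporting" points on slide 7 (a spreadsheet-ready vulnerability table, the full scope recorded including the tests that passed, and ease-of-exploit, complexity-of-fix and extent-of-compromise metrics feeding a prioritised list of mitigations) as a worked example in Python. This is an added illustration, not code from the deck or from Black Swan Security; the 1-5 ordinal scales, the "exposure = ease x extent" ranking rule with cheaper fixes first as a tiebreak, and every sample finding and scope entry are assumptions constructed for the example.

```python
"""Prioritised findings table for a pen test report.

Added example: the 1..5 scales, the scoring rule and the sample data are
assumptions, not the deck author's method.
"""
import csv
import io
from dataclasses import asdict, dataclass

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for every metric


@dataclass(frozen=True)
class ScopeEntry:
    """One test actually performed, whether or not it found anything.

    Recording passes as well as fails answers the deck's question
    "what tests were conducted and passed?".
    """
    target: str
    test: str
    passed: bool   # True: test conducted, no weakness found
    evidence: str  # assumed: path to automation output or manual recording


@dataclass(frozen=True)
class Finding:
    finding_id: str
    target: str
    title: str
    cve: str                   # empty string when no CVE applies
    ease_of_exploit: int       # 1 = hard, 5 = trivial
    complexity_of_fix: int     # 1 = config change, 5 = major programme
    extent_of_compromise: int  # 1 = single low-value host, 5 = whole estate

    def __post_init__(self):
        # Reject values off the scale so the table cannot silently carry junk.
        for name in ("ease_of_exploit", "complexity_of_fix", "extent_of_compromise"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.finding_id}: {name} must be in 1..5")

    @property
    def exposure(self) -> int:
        """Assumed rule: likelihood (ease) x impact (extent), range 1..25."""
        return self.ease_of_exploit * self.extent_of_compromise


def prioritise(findings):
    """Highest exposure first; among equals, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-f.exposure, f.complexity_of_fix, f.finding_id))


def scope_summary(scope):
    """Return (tests conducted, tests passed) for the scope section of the report."""
    return len(scope), sum(1 for s in scope if s.passed)


def findings_csv(findings) -> str:
    """Spreadsheet-ready table, one row per finding, with the exposure column added."""
    fieldnames = list(Finding.__dataclass_fields__) + ["exposure"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames)
    writer.writeheader()
    for f in prioritise(findings):
        writer.writerow(dict(asdict(f), exposure=f.exposure))
    return buf.getvalue()


# Constructed sample data (not from the deck).
SAMPLE_SCOPE = [
    ScopeEntry("web-portal", "SQL injection on search forms", False, "recordings/web-portal-sqli.txt"),
    ScopeEntry("web-portal", "Authentication bypass on login", True, "scripts/auth-checks.log"),
    ScopeEntry("fileserver-01", "SMB signing enforced", True, "scripts/smb-config.log"),
    ScopeEntry("fileserver-01", "Local administrator password reuse", False, "recordings/fs01-admin.txt"),
]

SAMPLE_FINDINGS = [
    Finding("F1", "web-portal", "SQL injection in search form", "", 4, 2, 4),
    Finding("F2", "web-portal", "TLS 1.0 still enabled", "", 2, 2, 2),
    Finding("F3", "fileserver-01", "Local administrator password shared across servers", "", 3, 4, 5),
    Finding("F4", "web-portal", "Verbose stack traces in error pages", "", 4, 1, 1),
]

if __name__ == "__main__":
    tested, passed = scope_summary(SAMPLE_SCOPE)
    print(f"Tests conducted: {tested}, passed: {passed}")
    print(findings_csv(SAMPLE_FINDINGS))
```

With the sample data the table comes out F1, F3, F4, F2: the two high-exposure items lead, and between the two low-exposure items the one-line fix is listed before the configuration change. The ranking rule is deliberately simple and visible in the table, so a customer can re-sort it in a spreadsheet under their own threat model rather than accept an opaque RAG colour.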