Security hacks are happening everywhere and it is almost impossible to keep up with all new developments. So how do you test your own security in such a dynamic cybersecurity landscape? The days of narrow-scoped and limited penetration tests are over, responsible disclosure, bug bounty programs and red and blue teams are the new way of continuously testing your security. This webinar will help you adapt this new testing paradigm. Main points that will be covered: • Limits of 'old' penetration testing; • Continuous testing to stay on top; • Leveraging the hacker community through a bug bounty program • Responsible disclosure and handling incidents Presenter: Arthur Donkers (arthur@1secure.nl): Interested in infosec, technology, organization and combining these all into one solution Critical Security Architect Trainer for PECB (ISO27001, 27005, 31000). Convinced that Infosec is a means to an end, not a purpose in itself. Link of the recorded session published on YouTube: https://youtu.be/Kck8zBY27Hg

2. Arthur Donkers
Security Officer
Interested in infosec, technology, organization and combining these all into
one solution. Critical Security Architect Trainer for PECB (ISO27001, 27005,
31000) Convinced that Infosec is a means to an end, not a purpose in itself.
Contact Information
+ 31-6-53315102
arthur@1secure.nl
www.1secure.nl
nl.linkedin.com/in/arthurdonkers

3. Cyber Security Testing
How to align security testing to your
agile cyber strategy

4. Agenda
What is this all about?
Who am I?
Out with the old!
In with the new!

5. Securitytesting in Cyber space
Does classical penetration testing still fit in the
rapidly moving cyberspace?
Or do we need a new approach?

6. Who am I?
Arthur Donkers
Independent security consultant
Security tester for mobile, IoT and hardware
Trainer for PECB (ISO27001, 27005, 31000)
arthur@1secure.nl

7. These are my opinions
This presentation is based on MY personal
experiences with MY client and MY projects.
Your mileage may vary, I just want to make you
think about your current security testing
strategy.

8. … one more thing ...
I’m not a big fan of the term cyber, I think it is an
empty term…

9. Classic testing strategies
Classic security testing follows the waterfall
project delivery model:
SECURITY TEST

10. Classic testing strategies
this means:
- Test after delivery of product (but hopefully
before actual deployment);
- Within a set scope (only the product);
- Within a limited timeframe (before release
date);
- With limited resources (people and money)

11. Classic testing strategies
which leads to:
- time crunch (prioritizing individual tests, features
left untested);
- limited security assessment (product is not
assessed in its final environment);
- Too little time to test (time crunch);
- No testers available due to time shift (limited
resource);
- No time to fix things (no feedback).

12. Classic testing strategies
Trying to swim upstream…

13. Classic testing strategies
Same issues apply to regular testing as well,
this is often part of a (mandatory) compliance
program:
- Limit scope (don’t test the scary stuff);
- Limit time (need to be recertified yesterday);
- Don’t care about the actual execution (having
ANY test executed often considered
sufficient).

14. Classic testing strategies
Tick in the box exercise!

15. So now what?
Modern development of products needs to
adapt quickly and follow a risk based approach.
This is often referred to as Agile Development

16. Agile testing strategy
Security testing needs to be integrated into the
incremental and continuous delivery cycle

17. Agile testing strategy
Security testing is not a separate step anymore:
- follow at least the risks identified in the agile
cycle (and any additional risks identified);
- embed security testers in project (secure
development);
- focus and prioritize (there is no 100%)
- automate and tool up

18. Agile testing strategy
Supporting environment (just an example):

19. Agile security management
For your regular testing you should:
- employ a red team (for continuous testing);
- don’t limit the scope (let them think and work
like a hacker);
- actively and continuously manage the
vulnerabilities and associated risks.

20. Agile security management
What is ‘red team’ exactly?
“Penetration testers assess organization security, often
unbeknownst to client staff. This type of Red Team provides
a more realistic picture of the security readiness than
exercises, role playing, or announced assessments. The Red
Team may trigger active controls and countermeasures
within a given operational environment.” (Wikipedia)

21. Agile security management
So it is a simulated attack, without the
limitations of a regular penetration test to yield
better and more complete results:
A simulated hacker attack

22. Agile security management
Continuous security testing uses the same
approach, but in a continuous flow instead of an
exercise.

23. Agile security management
• Continuous security testing becomes part of your
operational security process (vulnerability
management) and gives you a realtime and
continuous view on your current security posture.
• This helps you to prioritize risk mitigation and
resource allocation (put $$$ where it has the
most effect).
• And it fits very well into the continuous
improvent which is part of ISO27001 

24. But wait! There’s more!

25. What then?
All organizations have limited resources (people,
time, money).
Leverage the hacker community via a bugbounty
program.

26. Bug bounty program
Reward hackers for reporting bugs to you
’They’ have the time and dedication to look for
bugs.
You must set the right terms and conditions.
And make sure you can handle the bug reports
that will be pouring in (both in volume and
quality!).
If done properly, this could be an addition to
your continuous testing team!

27. Bug bounty program
Make sure you have at least:
- set up a (responsible) disclosure policy;
- set up a reward system (separate the wheat
from the chaff);
- set up an incident handling process (things
may/will go wrong and/or trigger alarms).

28. Responsible disclosure
Allow for people to report bugs and
vulnerabilities to you:
- without ‘punishing’ the reporter;
- in a safe (and sometime anonymous) way;
- using clear communication protocols.
So you can resolve these bugs and
vulnerabilities before they bite you!

29. Bug bounty program
You can run your own bug bounty program,
Or have a specialized company do it for you, like

30. Incident handling process
In a continuous security testing strategy, the
incident handling is necessary to catch all things
that slip through the cracks.
This is not an omission, but a result of the fact
that you cannot test and secure everything.
But you should prepare yourself!

31. Incident handling process

32. Wrapping up
Old skool testing does not fit the bill anymore!
Perform continuous testing;
Think like a hacker using red team approach;
Leverage the hacker community through bug
bounty program;
Prepare for incidents.

33. More info at:
www.agilesecurity.nl

35. THANK YOU
?
+ 31-6-53315102
arthur@1secure.nl
www.1secure.nl
nl.linkedin.com/in/arthurdonkers