2. STRATEGY TO DEVELOP AN EFFECTIVE WORKPLACE
Employees will be satisfied with these factors: work environment, duties and responsibilities, refreshment and recreation facilities, grievance handling procedure, fun at the workplace, health and safety facilities.
On the other hand, they will not be satisfied with factors like workload and overtime, fatigue and boredom of the job, and the attitude of the supervisor.
*Strategy to Develop an Effective Workplace Environment, Samantaray Pravamayee, Centurion University of Technology & Management
3. CREATING AN EFFECTIVE PENTEST PROGRAM
The hard way: CREST certification
The easier way: pentest process monetization
9. PENTEST FRAMEWORKS FOR COMPANIES WHERE ENGLISH IS A THIRD LANGUAGE
Report templates: finding, draft, progress
Framework (web): OWASP
Framework (network): OSSTMM
Other pentest frameworks
Pentester skills: R&D, certifications, service delivery excellence
10. GIVING INCENTIVES FOR A SUCCESSFUL PENTEST REPORT
For example, we have a 3-manday pentest:
After the report is created, it is reviewed and the reviewer gives a score, e.g. “good enough” or “not good enough”:
A good enough report receives Rp. 150 rb / manday
A report that is not good enough receives Rp. 50 rb / manday
11. WHAT TO SCORE IN A REPORT
Quality of pentest
  Are the findings good?
  Are all parts covered?
  Is the risk rating for each finding correct?
Quality of report
  Formatting
  Description
    There is URL or IP information
    Whether this is an external or internal pentest
    Information about whether this is a UAT or production system
    Threat and risk
    Pictures of hacking activities are relevant
  Standards
    Whether the standards are updated
    Whether the standards are relevant
Note: be careful not to give incentives if a pentest could have been completed earlier.
12. CREATE A FINDING TEMPLATE FOR NEWLY FOUND VULNERABILITIES
Each finding template must be taken from a real-world pentest
Finding templates must be evaluated and reviewed
The finding report must be sanitized
GIVING INCENTIVES FOR NEW FINDING TEMPLATES
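The review step in sections 10 to 12 can be partly automated: a reviewer still judges whether the findings are good, but the mechanical parts of the checklist (URL or IP present, external/internal, UAT/production, a risk rating, evidence pictures) and the sanitization rule for finding templates can be checked before a report or template is scored. The following Python is an added example written for this page, not code from the deck or its author; the field names, the risk labels, the "reviewed_by" field and the sample findings are all assumptions constructed here, and the incentive amounts are the ones stated in section 10.

```python
import re

# Fields every finding in a delivered report must carry, following the
# "what to score in report" checklist: URL/IP target, external or internal
# scope, UAT or production environment, a risk rating and relevant evidence.
# Field names are an assumption for this example.
REQUIRED_FIELDS = ("title", "description", "target", "scope", "environment", "risk", "evidence")
ALLOWED_SCOPE = {"external", "internal"}
ALLOWED_ENV = {"UAT", "production"}
# Risk labels are an assumption; use whatever scale the company's standard defines.
ALLOWED_RISK = {"Critical", "High", "Medium", "Low", "Informational"}

# Incentive rates from the deck, in Rp ribu (thousand rupiah) per manday.
RATE_GOOD_ENOUGH = 150
RATE_NOT_GOOD_ENOUGH = 50

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# '<' and '>' are excluded, so a placeholder host such as https://<TARGET_HOST>/
# does not count as a real URL when scanning a template.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SECRET_RE = re.compile(r"\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*\S+", re.IGNORECASE)


def check_report_finding(finding: dict) -> list[str]:
    """Return checklist failures for one finding in a delivered pentest report."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not finding.get(field):
            problems.append(f"missing field: {field}")
    target = finding.get("target") or ""
    if target and not (IPV4_RE.search(target) or URL_RE.search(target)):
        problems.append("target has no URL or IP information")
    if finding.get("scope") and finding["scope"] not in ALLOWED_SCOPE:
        problems.append(f"scope must be external or internal, got {finding['scope']!r}")
    if finding.get("environment") and finding["environment"] not in ALLOWED_ENV:
        problems.append(f"environment must be UAT or production, got {finding['environment']!r}")
    if finding.get("risk") and finding["risk"] not in ALLOWED_RISK:
        problems.append(f"unknown risk rating {finding['risk']!r}")
    return problems


def check_finding_template(template: dict) -> list[str]:
    """Return review and sanitization failures for a reusable finding template.

    A template is derived from a real engagement, so it must have been reviewed
    and must no longer contain client IPs, URLs or credentials.
    """
    problems = []
    if not template.get("reviewed_by"):  # "reviewed_by" is an assumed field
        problems.append("template has not been reviewed")
    text = " ".join(str(template.get(k, "")) for k in ("title", "description", "evidence_notes"))
    for ip in IPV4_RE.findall(text):
        problems.append(f"unsanitized IP address: {ip}")
    for url in URL_RE.findall(text):
        problems.append(f"unsanitized URL: {url}")
    for secret in SECRET_RE.findall(text):
        problems.append(f"credential left in template: {secret}")
    return problems


def incentive_for(mandays: int, good_enough: bool) -> int:
    """Incentive in Rp ribu for a reviewed report, using the deck's two-level scoring."""
    rate = RATE_GOOD_ENOUGH if good_enough else RATE_NOT_GOOD_ENOUGH
    return mandays * rate


# Constructed sample data for this example; not from any real engagement.
GOOD_FINDING = {
    "title": "Reflected XSS in search parameter",
    "description": "The q parameter is echoed into the page without output encoding.",
    "target": "https://uat.example.com/search?q=",
    "scope": "external",
    "environment": "UAT",
    "risk": "Medium",
    "evidence": ["fig1-xss-alert.png"],
}
BAD_FINDING = {
    "title": "Weak password policy",
    "description": "Passwords of 4 characters are accepted.",
    "target": "the login page",
    "scope": "external",
    "environment": "staging",
    "risk": "Medium",
    "evidence": [],
}
CLEAN_TEMPLATE = {
    "title": "Reflected XSS",
    "description": "User input on https://<TARGET_HOST>/search is reflected without encoding.",
    "reviewed_by": "lead.reviewer",
}
DIRTY_TEMPLATE = {
    "title": "Default admin credentials",
    "description": "Login at https://portal.client-example.test/admin with password=Summer2019! from 10.0.5.12.",
}

if __name__ == "__main__":
    print("good finding:", check_report_finding(GOOD_FINDING))
    print("bad finding:", check_report_finding(BAD_FINDING))
    print("clean template:", check_finding_template(CLEAN_TEMPLATE))
    print("dirty template:", check_finding_template(DIRTY_TEMPLATE))
    print("3 mandays, good enough:", incentive_for(3, True), "Rp ribu")
```

The template check deliberately treats any literal URL or IPv4 address as a failure: a sanitized template should carry placeholders such as https://<TARGET_HOST>/ instead, which the URL pattern does not match. The automated result only gates what goes to the reviewer; the "good enough" decision and the final score remain the reviewer's.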
13. OTHER THOUGHTS?
It may take a while to list new ways to monetize the whole pentest process
This strategy is taken from worldwide research. The original paper is stated above.
Following the CREST standard should enhance the overall pentest process of the company as well as of the employees.
The expensive approach is registering to be a CREST-certified company; then we can just adopt their standard. It is also good for marketing. Good for consultants because they need to
A short-term solution to creating an effective pentest process is to give incentives for every pentest project. After a consultant creates a report for a pentest project, a supervisor evaluates, reviews, and gives a score to the report. If the report is good, the pentester receives an incentive. If not, give a smaller incentive or none.