MONETIZING PENTEST PROCESS
Creating Effective and Efficient Penetration Testing Activities
STRATEGY TO DEVELOP AN EFFECTIVE WORKPLACE
 Employees will be satisfied with these factors: work environment, duties and responsibilities, refreshment & recreation facilities, grievance handling procedure, fun at the workplace, health & safety facilities.
 On the other hand, they will not be satisfied with factors like workload & overtime, fatigue & boredom of the job, and the attitude of the supervisor.
*Strategy to Develop an Effective Workplace Environment, Samantaray Pravamayee, Centurion University of Technology & Management
CREATING AN EFFECTIVE PENTEST PROGRAM
 The hard way: CREST certification
 The easier way: pentest process monetization
THE HARD WAY
 CREST certifications
PENTEST PROGRAM (diagram; source: *CREST)
PROS: A LOCAL PENTEST VENDOR WITH CREST CERTIFICATION – THERE IS NONE IN INDONESIA YET
CONS:
 Could end up like other certification bodies, which are only procedural
 Does not touch the consultant level
 Only documentation
THE EASY (EASIER?) WAY
 Pentest process monetization
PENTEST FRAMEWORKS FOR COMPANIES WHERE ENGLISH IS A THIRD LANGUAGE
 Report templates: finding, draft, progress
 Framework for web: OWASP
 Framework for network: OSSTMM
 Other pentest frameworks
 Pentester skills
 R&D
 Certifications
 Service delivery excellence
GIVING INCENTIVES FOR A SUCCESSFUL PEN-TEST REPORT
For example, we have a 3-manday pentest:
After the report is created, it is reviewed and the reviewer gives a score, e.g. “good enough” or “not good enough”:
 A “good enough” report receives Rp. 150 rb (150,000 rupiah) / manday
 A “not good enough” report receives Rp. 50 rb (50,000 rupiah) / manday
WHAT TO SCORE IN THE REPORT
 Quality of the pentest
    Are the findings good?
    Are all parts covered?
    Is the risk rating for each finding correct?
 Quality of the report
    Formatting
    Description
    URL or IP information is present
    Whether this is an external or internal pentest
    Information about whether this is a UAT or production environment
    Threat and risk
    Pictures of the hacking activity are relevant
 Standards
    Whether the standards are updated
    Whether the standards are relevant
 Note: be careful not to give incentives when a pentest could have been completed earlier
GIVING INCENTIVES FOR NEW FINDING TEMPLATES
 Create a finding template for each newly found vulnerability
 Each finding template must be taken from a real-world pen-test
 Finding templates must be evaluated and reviewed
 The finding report must be sanitized
OTHER THOUGHTS?
 It may take a while to list new ways to monetize every step of the pen-test process
Thank you

Editor's Notes

  1. This strategy is taken from worldwide research; the original paper is cited above.
  2. Following the CREST standard should enhance the overall pentest process of the company as well as of its employees.
  3. The expensive approach is registering to be a CREST-certified company; then we can just adopt their standard. Good for marketing also. Good for consultants because they need to
  4. A short-term solution for creating an effective pentest solution is to give incentives for every pentest project. After a consultant creates a report for a pentest project, a supervisor evaluates, reviews, and gives a score to the report. If the report is good, the pentester receives an incentive. If not, give a smaller incentive or none.