
Penetration Testing: A customer's perspective


A short presentation to my internal peer group on some of the potential shortcomings of current penetration testing practices and what might be done about it.

Published in: Technology


  1. A customer's perspective. Internal Practitioners Conference, May 2013. Phil Huggins
  2. I have been:
     • Infrastructure penetration tester – late 90s
     • Application penetration tester – early 00s
     • Security Architect – till now
     Client-side advice:
     • Large Government & Commercial Programmes of work
     • Handling:
       ▪ System suppliers
       ▪ Pen test suppliers
       ▪ Client and Third Party security stakeholders
       ▪ Client Operational teams
       ▪ Client Project teams
     I am an unusual customer of pen tests:
     • I understand what I'm buying and why.
  3. [Diagram: the stages of sensemaking set beside the stages of penetration testing]
     • Sensemaking: Gather Information, Expert Schema, Insight, Define Action
     • Penetration Testing: Scan & Exploit, Characterise Vulnerabilities, Understand Causes & Impacts, Recommend Prioritised Mitigations
  4. • Team of technical guys with CREST, TIGER or CHECK certifications
     • A written methodology owned by the test company
     • A lot of pen testing tools
     • A week or two of technical work
     • A week of report writing
  5. • Executive summary
     • At least one graph
     • Names of the pen testers involved
     • Description of the commercial scope
     • Extensive prose account of what was done
     • Screen shots of tools / error messages
     • A table of vulnerabilities
       ▪ Mapped to CVE numbers
       ▪ Some form of risk / RAG status
       ▪ A technical resolution
     • A description of recommended further work
  6. • High day rates for good testers
       ▪ Poor margins as salaries are high
     • Quality can be very variable
       ▪ Same testers over time
       ▪ Between testers
       ▪ Across companies
     • Focus on fail results
       ▪ What tests were conducted and passed?
     • Focus on 0-day
       ▪ What threat model was used?
     • Skipping the insight
       ▪ Little or no understanding of causes and impacts
     • Only two parts of the report actually required
       ▪ Summary
       ▪ Vulnerability table
  7. • Better customers
       ▪ Security requirements
     • Better information gathering:
       ▪ Automation of low hanging fruit
       ▪ Recording of manual testing
       ▪ Supply of automation scripts, raw results & manual recordings to customer
     • Better insight
       ▪ Explicit threat model
       ▪ Understanding of operational processes
       ▪ Understanding of customer business
     • Better reporting
       ▪ Vulnerability tables in Excel
       ▪ Record full scope
       ▪ Vulnerability Metrics:
         - Ease of exploit
         - Complexity of fix
         - Extent of compromise
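An added illustration of slide 7, not taken from the deck: a vulnerability table held in the machine-readable form the slide asks for, carrying its three metrics plus a status column so that passed tests are recorded alongside failures, and a prioritised mitigation list derived from it. The sample rows, the 1-5 scale and the likelihood-times-impact scoring rule are assumptions of this example, not Phil Huggins' method.

```python
import csv
import io

# Constructed sample of the customer-facing vulnerability table (CSV stands in for
# Excel so this runs offline). Metric columns use an assumed 1-5 scale. The "status"
# column also records tests that were conducted and passed, so the table documents
# the full scope rather than only the failures. The CVE value is a placeholder.
SAMPLE_CSV = """id,finding,cve,ease_of_exploit,complexity_of_fix,extent_of_compromise,status
V1,SQL injection in login form,CVE-PLACEHOLDER,5,2,5,fail
V2,Weak TLS cipher suites offered,,3,1,2,fail
V3,Verbose error pages,,2,1,1,fail
V4,Default credentials on admin console,,5,1,4,fail
V5,Missing HTTP security headers,,2,3,3,fail
T1,Directory listing disabled,,,,,pass
T2,Anti-CSRF tokens present on state-changing forms,,,,,pass
"""


def load_table(text):
    """Parse the CSV text into dict rows; metric cells become ints or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("ease_of_exploit", "complexity_of_fix", "extent_of_compromise"):
            row[col] = int(row[col]) if row[col] else None
        rows.append(row)
    return rows


def priority_score(row):
    """Assumed scoring rule (not the deck's): likelihood x impact, range 1-25."""
    return row["ease_of_exploit"] * row["extent_of_compromise"]


def prioritised_mitigations(rows):
    """Failed findings ordered for remediation: highest score first; among
    equal scores the cheaper fix (lower complexity_of_fix) comes first."""
    failed = [r for r in rows if r["status"] == "fail"]
    failed.sort(key=lambda r: (-priority_score(r), r["complexity_of_fix"]))
    return [(r["id"], priority_score(r)) for r in failed]


def scope_summary(rows):
    """Counts of what was tested, what passed and what failed."""
    passed = sum(1 for r in rows if r["status"] == "pass")
    failed = sum(1 for r in rows if r["status"] == "fail")
    return {"tested": len(rows), "passed": passed, "failed": failed}


if __name__ == "__main__":
    table = load_table(SAMPLE_CSV)
    print(scope_summary(table))
    for vid, score in prioritised_mitigations(table):
        print(vid, score)
```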
  8. http://blog.blackswansecurity.com