SlideShare a Scribd company logo

Automating Penetration Tests

Download as PPT, PDF
F
fredcobain

The document discusses automating penetration tests. It describes the current penetration test process and identifies problems with it, such as the information analysis and planning phase being time consuming without dedicated tools. Automating penetration tests could help address these problems by standardizing the methodology, enforcing its use, and simplifying monotonous tasks. Some technical challenges of automating penetration tests include modeling the penetration test process, developing and maintaining exploits for different systems, and ensuring exploits work under various configurations.

Technology
1 of 52
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests: Iván Arce iarce@core-sdi.com A new challenge for the IS industry? Máximiliano Cáceres max@core-sdi.com
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Agenda • The Penetration Test • Problems in the current Penetration Test practice • Automating Penetration Tests • The Technical Challenges • Overcoming the Technical Challenges • Conclusions
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Penetration Test • What is it? • What is it good for? • How is it actually done?
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Penetration Test • Rationale: – “Improving the security of your site by breaking into it”, Dan Farmer & Wietse Venema, 1993 http://www.fish.com/security/admin-guide-to-cracking.html • A plausible definition: – “A localized and time-constrained attempt to breach the information security architecture using the attacker’s techniques”
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Key Underlying Concepts from our Definition • “Localized” – Implies definition of scope • “Time-constrained” – A pentest does not last forever • “Attempt to breach the security” – A pentest is not a full security audit • “Using the attacker’s techniques” – Implies definition of the attacker’s role
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Requirements and Goal • Scope • Security architecture • Attacker’s profile • Results
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Goal • To improve information security awareness • To assess risk • To mitigate risk immediately • To reinforce the IS process • To assist in decision making processes
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Scope: What will be tested? • IT infrastructure • Security architecture – Prevention capabilities – Detection capabilities – Response capabilities – Policies and procedures • Business processes
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Scope: When it will be tested? Start Duration • Weakest/Strongest moment • Normal operational state • Periodically, random date within limits • Before/After specific projects
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Security Architecture • Security Infrastructure (PKI/FWs/IDSes) • Network security • Host security • Workstation security • Application security • Physical security • Human security
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Attacker’s Profile • External – With zero previous knowledge – With some degree of knowledge • Internal – With zero previous knowledge – With some degree of knowledge • Associate
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test The Result: Final Report • Clear description of scope and methodology • Reproducible and accountable process • High level analysis and description (suitable for upper/non technical management) • General recommendations and conclusions • Detailed findings
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Information Gathering The Penetration Test How is it usually done? • Information Gathering • Information Analysis and Planning • Vulnerability Detection • Penetration • Attack/Privilege Escalation • Analysis and reporting • Clean-up Vulnerability Detection Penetration Attack/ Privilege Escalation Information Analysis and Planning Analysis and Reporting Clean Up
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Information Gathering • Organizational intelligence • Access point discovery • Network discovery • Infrastructure fingerprinting
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Information Analysis and Planning • Understanding of component relationships • High level attack planning • Target identification • Time & effort estimation • Alternative attacks
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Vulnerability Detection • Automated vulnerability scanning • Manual scanning • In-house research • Target acquisition
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Penetration Phase • Known/available exploit selection • Exploit customization • Exploit development • Exploit testing • Attack
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Attack/ Privilege Escalation Phase • Final target compromise: SUCCESS! • Intermediate target: full compromise, pivoting • Intermediate target: partial compromise, pivoting • Point of attack/attacker profile switching • Back to information gathering phase
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Analysis and Reporting Phase • Information gathering and consolidation • Analysis and extraction of general conclusions and recommendations • Generation of deliverables • Final presentation
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Penetration Test Clean Up Phase • Definition of specific clean up tasks • Definition of specific clean up procedures • Clean up execution
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current penetration test practice
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Information Gathering Phase: OK • Public organization information • M&A, SEC fillings, patent grants,etc. • Job openings • Employee information • Web browsing • Web crawling • Mailing list and newsgroups posts • Nmap, traceroute, firewall, ping sweeps, etc • NIC registrations • DNS records • SNMP scanning • OS fingerprinting • Banner grabbing • War dialers • Social engineering • Dumpster diving • Etcetera
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Information Analysis and Planning Phase: Not OK • Difficult and time consuming task of consolidating all the information gathered and extract high level conclusions that will help to define an attack strategy • Hard to keep an up to date general overview of the components and their interaction • No specific tools aimed at addressing this phase • Experienced and knowledgeable resources required for this stage, overall time constraint could limit the extent of their work • No formal processes or tools to help estimate time and efforts
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Vulnerability Detection Phase: OK • Large variety of tools available: – Commercial Vulnerability scanners – Free & Open source scanners – Application level testing tools – OS specific testing tools • Large amount of information available: – Publicly known vulnerability information – Vulnerability database – Various sources of security advisories (vendors, CERTs, information security companies, etc.) – SecurityFocus.com – Bugtraq, NT bugtraq, pentest mailing list – Newsgroups, papers, CVE • In-house research is not avoidable
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Penetration Phase: Not OK • Although there are some tools available, they generally require customization and testing • Publicly available exploits are generally unreliable and require customization and testing (quick hacks, proof of concept code) • In-house developed exploits are generally aimed at specific tasks or pen test engagements (mostly due to time constraints) • Knowing that a vulnerability exist does not always imply that it can be exploited easily, thus it is not possible to successfully penetrate even though it is theoretically possible (weakens the overall result of the engagement) • Knowledge and specialization required for exploit and tool development • Considerable lab infrastructure required for successful research, development and testing (platforms, OS flavors, OS versions, applications, networking equipment, etc.)
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Attack/ Privilege Escalation Phase: Not OK • Some tools and exploits available, usually require customization and testing (local host exploits, backdoors, sniffers, sniffing/spoofing libraries, etc.) • Monotonous and time consuming task: setting up the new “acquired” vantage point (installing software and tools, compiling for the new platforms, taking into account configuration specific details, etc.) • Pivoting might be a key part for success in a pen test yet it is the less formalized process • Considerable lab infrastructure required for research, development, customization and testing • Lack of a security architecture for the penetration test itself.
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Analysis and Reporting Phase: Not OK • Maintaining a record of all actions, commands, inputs and outputs of all tasks performed during the pentest is left as methodology to be enforced by the team members, that does not guarantee accountability and compliance. • Gathering and consolidating all the log information from all phases, including all the program and tools used, is time consuming, boring and prone to error • Organizing the information in a format suitable for analysis and extraction of high level conclusions and recommendations is not trivial • Analysis and definitions for general conclusions and recommendations require experienced and knowledgeable resources • The actual writing of final reports is usually considered the boring leftovers of the penetration test, security expertise and experience is required to ensure quality but such resources could be better assigned to more promising endeavors • No specialized tools dedicated to cover the issues raised above
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Problems in the current Penetration Test practice Clean Up Phase: Not OK • A detailed and exact list of all actions performed must be kept, yet there are just rudimentary tools for this • Clean up of compromised hosts must be done securely and without affecting normal operations (if possible) • The clean up process should be verifiable and non- repudiable, the current practice does not address this problem. • Often clean up is left as a backup restore job for the pentest customer, affecting normal operations and IT resources.
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Test Automating Penetration Tests • Why? • What is it good for? • What are the technical challenges? • How could they be addressed?
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Test Rationale • Penetration tests are becoming a common practice that involve a mix of hacker handiwork, monotonous tasks and non formal knowledge. Automating penetration tests will bring professionalism to the practice.
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Test APT: What is it good for? • To make available valuable resources for the more important phases: high level overview and analysis, strategic attack planning, results analysis and recommendations. • To encompass all the penetration test phases under a single framework • To define and standardize the methodology • To enforce following of the methodology and ensure quality • To improve the security of the practice • To simplify and speed up monotonous and time consuming tasks
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Technical Challenges The Technical Challenges (1/3) • Modeling penetration testing, considering all phases in an intuitive and usable fashion • Building a tool that reflects the model capable of adopting arbitrary methodologies defined and redefined by the user • Development and maintenance of a wide range of exploits for different platforms, operating systems and applications and multiple combinations of versions
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Technical Challenges The Technical Challenges (2/3) • Assurance that the developed code is functional under different network and host configurations (reliability) • Addressing the attack/privilege escalation phase in a seamless way. • Handling interactions between different exploits • Building a framework that lets the team develop and customize new or existing exploits quickly
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Technical Challenges The Technical Challenges (3/3) • Not having to re-invent the wheel each time a new vulnerability is discovered • Keeping such a beast manageable in terms of size and complexity • Providing different degrees of ‘stealth- ness’ (to comply with pen-test requirements) • Having autonomous capabilities (worm- like?) • Having mechanism for acquiring and reusing knowledge and experience from successive penetration tests
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com The Technical Challenges And more… • Buffer overflows – Exec/no-exec stack – Multiple platforms/Multiple Operating systems – Encoding, compression, encryption, etc. • Sniffing/Spoofing • IP Stack based attacks
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Overcoming the technical challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Overcoming the Technical Challenges The model • Simplify and abstract all the components of the system and their relations • Provide a base on which to construct • Provide a common language to talk about the different components
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Overcoming the Technical Challenges The model Agent Module Host Network Module Module Host Host Network Host Host NetService NetService NetService Account Account NetService NetService Agent Module Module Module Module Module
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Agents and Modules • Agents – “The pivoting point” or “the vantage point” • Run modules • Installable on any compromised host • Local stealth techniques for hiding (ala rootkit) • Some autonomy (worm-like) and limited life-span • Secure (shouldn’t render the client infrastructure more insecure than before the pentest) • Remotely control other agents • Clean up functionality (uninstall) • Modules – “Any executable task” • Information gathering, information analysis, attacks, reporting, scripting of other modules • Simple and easy to extend • Have every tool together, under the same framework Overcoming the Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Syscall Proxying • Provides a uniform layer for the interaction with the underlying system • All modules ultimately access any resource through this layer • Changing this layer with a proxy effectively simulates the remote execution of the module Overcoming the Technical Challenges Module Syscall stub Local server Remote server Local execution remote execution RPC
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Using a Virtual Machine • Isolates the particular characteristics of the “pivoting host” platform from the module – This effectively eliminates all the burden related to the setup of a vantage point – Just port the VM • Provides a comfortable environment for the development of new exploits – Productivity is higher on interpreted languages than on compiled ones • Provides a simple way of scripting (automating) any task, even higher level ones • Lots of free and powerful VMs are available (Perl, Python, Squeak) Overcoming the Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com APIs and Helpers Libraries • Any common and general use functionality related to the coding of exploits should evolve into an API – Prioritizes code-reuse and sharing – Simplifies exploit code, focused on the particular vulnerability and not on common vulnerability- writing tasks – Makes the life of the exploit developer easier (just build on top of existing code) – API’s can evolve independently of written exploits • Some examples – Shellcode building for different platforms – Sniffing and packet parsing – Spoofing (packet crafting) – Application layer protocols • HTTP, FTP, DNS, SMTP, SNMP, etc Overcoming the Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Component Communications Overcoming the Technical Challenges • Use crypto protocols to provide privacy & mutual authentication • Define an abstract “transport” than can be interchangeable and mounted on top of any networking protocol – Firewall piercing • Fragmentation (recent ipf bug) • Application layer (HTTP, DNS) – Stealth • IDS evasion • Chaining (ala source-routing) of different transports in between agents – Provides a way of “jumping” between vantage points, allowing communication across diverse security domains (with different security policies)
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Logging and Reporting • Since a single-tool / single-framework is used for all the pen-test related tasks, it’s easy to keep logs of every single activity • Use a common document format (such as XML) that can be easily transformed into what is best for the particular customer or that follows the company style (HTML, PDF, DOC) • Getting the information together and building a report can be done by a module that accesses the objects in the model Overcoming the Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Scripting • Scripting of modules – Module “macros” – Autonomous action (for more worm-like attacks, or for scenarios where online communication with agents before compromise might not be possible) – A more constructive approach to module development. Build higher level attacks/strategies using available modules • If a scripting language is used (with a VM) is possible to take advantage of its capabilities to script the execution of modules Overcoming the Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Knowledge Base • A database of information on common attack strategies and success configurations on common customer scenarios • Guidelines on how to do a specific pentest depending on target characteristics – IT Infrastructure: Platforms, Network characteristics, Firewalling strategy (screened host, packet filtering, appl. proxy, DMZ) – Technology: ASP, PHP, DCOM, SOAP, Perl-CGI, etc. – Business / Services: web portal, mail, online store, corporate services, etc. • Full activity logs – Easier to identify common strategies & trends along different projects Overcoming the Technical Challenges
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Conclusions
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Conclusions • The current state of the penetration test practice is far from optimal • Automating them may bring them to a new level of quality • But in doing so we will face many technical problems • It may be a new challenge for the IS industry in the near future
Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Automating Penetration Tests © 2001 CORE SDI Inc. http://www.core-sdi.com Thank You! Iván Arce iarce@core-sdi.com Maximiliano Cáceres max@core-sdi.com

Recommended

[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
The Linux Foundation
 
TAC_Web_General_Overview_04Mar02.ppt
TAC_Web_General_Overview_04Mar02.pptTAC_Web_General_Overview_04Mar02.ppt
TAC_Web_General_Overview_04Mar02.ppt
stuartmaguire1
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
OWASP Foundation
 
verification_planning_systemverilog_uvm_2020
verification_planning_systemverilog_uvm_2020verification_planning_systemverilog_uvm_2020
verification_planning_systemverilog_uvm_2020
Sameh El-Ashry
 
4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work
Ievgenii Katsan
 
Building an application security program
Building an application security programBuilding an application security program
Building an application security program
Outpost24
 

Recommended

[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
The Linux Foundation
 
TAC_Web_General_Overview_04Mar02.ppt
TAC_Web_General_Overview_04Mar02.pptTAC_Web_General_Overview_04Mar02.ppt
TAC_Web_General_Overview_04Mar02.ppt
stuartmaguire1
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
OWASP Foundation
 
verification_planning_systemverilog_uvm_2020
verification_planning_systemverilog_uvm_2020verification_planning_systemverilog_uvm_2020
verification_planning_systemverilog_uvm_2020
Sameh El-Ashry
 
4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work
Ievgenii Katsan
 
Building an application security program
Building an application security programBuilding an application security program
Building an application security program
Outpost24
 
Questions for successful test automation projects
Questions for successful test automation projectsQuestions for successful test automation projects
Questions for successful test automation projects
Daniel Ionita
 
JDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of ExcellenceJDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of Excellence
Black Duck by Synopsys
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security Testing
Cenzic
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
4 Best Practices for Delivering Exceptional VDI User Experience
4 Best Practices for Delivering Exceptional VDI User Experience4 Best Practices for Delivering Exceptional VDI User Experience
4 Best Practices for Delivering Exceptional VDI User Experience
eG Innovations
 
Comprehensive Performance Testing: From Early Dev to Live Production
Comprehensive Performance Testing: From Early Dev to Live ProductionComprehensive Performance Testing: From Early Dev to Live Production
Comprehensive Performance Testing: From Early Dev to Live Production
TechWell
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
Can Demirel
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Threat modelling & apps testing
Threat modelling & apps testingThreat modelling & apps testing
Threat modelling & apps testing
Adrian Munteanu
 
OWASP
OWASPOWASP
OWASP
Pen Testeronyguy
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
Digital Bond
 
How to become a testing expert
How to become a testing expertHow to become a testing expert
How to become a testing expert
gaoliang641
 
Defense Against Multi-Network Breaches.pdf
Defense Against Multi-Network Breaches.pdfDefense Against Multi-Network Breaches.pdf
Defense Against Multi-Network Breaches.pdf
Tuan Yang
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to Development
Erika Barron
 
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityWhy we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibility
Recruit Technologies
 
Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...
Vadym Kazulkin
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard37
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
Mohamed Sweelam
 

More Related Content

Similar to Automating Penetration Tests

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
4 Best Practices for Delivering Exceptional VDI User Experience
4 Best Practices for Delivering Exceptional VDI User Experience4 Best Practices for Delivering Exceptional VDI User Experience
4 Best Practices for Delivering Exceptional VDI User Experience
eG Innovations
 
Comprehensive Performance Testing: From Early Dev to Live Production
Comprehensive Performance Testing: From Early Dev to Live ProductionComprehensive Performance Testing: From Early Dev to Live Production
Comprehensive Performance Testing: From Early Dev to Live Production
TechWell
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
Can Demirel
 
How to become a testing expert
How to become a testing expertHow to become a testing expert
How to become a testing expert
gaoliang641
 

Similar to Automating Penetration Tests (20)

Questions for successful test automation projects
Questions for successful test automation projectsQuestions for successful test automation projects
Questions for successful test automation projects
 
JDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of ExcellenceJDA: Building an Open Source Center of Excellence
JDA: Building an Open Source Center of Excellence
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security Testing
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
4 Best Practices for Delivering Exceptional VDI User Experience
4 Best Practices for Delivering Exceptional VDI User Experience4 Best Practices for Delivering Exceptional VDI User Experience
4 Best Practices for Delivering Exceptional VDI User Experience
 
Comprehensive Performance Testing: From Early Dev to Live Production
Comprehensive Performance Testing: From Early Dev to Live ProductionComprehensive Performance Testing: From Early Dev to Live Production
Comprehensive Performance Testing: From Early Dev to Live Production
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Threat modelling & apps testing
Threat modelling & apps testingThreat modelling & apps testing
Threat modelling & apps testing
 
OWASP
OWASPOWASP
OWASP
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
How to become a testing expert
How to become a testing expertHow to become a testing expert
How to become a testing expert
 
Defense Against Multi-Network Breaches.pdf
Defense Against Multi-Network Breaches.pdfDefense Against Multi-Network Breaches.pdf
Defense Against Multi-Network Breaches.pdf
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to Development
 
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityWhy we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibility
 
Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...Measure and increase developer productivity with help of Severless by Kazulki...
Measure and increase developer productivity with help of Severless by Kazulki...
 

Recently uploaded

UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Paige Cruz
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 

Recently uploaded (20)

JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 

Automating Penetration Tests