Kirill Ermakov, profile picture
Uploaded byKirill Ermakov
PPTX, PDF535 views

How to get a well done penetration test

- A penetration test, also known as a pen test, is an authorized simulated attack on a computer system to find security weaknesses and potentially gain access to the system. - When choosing a penetration testing company, customers should carefully consider the company's skills and experience, ask for recommendations from other CISOs, and be willing to pay for high quality rather than just choosing the cheapest option. - To get the most value from a penetration test, customers should work with the testing team to understand their needs, not limit the testing scope, and view penetration testers as security advisors rather than just testers.

Services
Related topics:
Digital Security

Embed presentation

Download to read offline
How to get a well done penetration test And not to overpay Kir Ermakov DSEC Pentest Day, 2017
2 #:whoami - Known as ‘isox’ - vulners.com founder - QIWI Group CTO ( prev. – CISO) - Web penetration tester - Member of “hall-of-fames” (Yandex, Mail.ru, Apple and so on) - JBFC community participant - Security skeptic
3 A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. © Wiki
4 Penetration test as designed - Perimeter and internal recon - Vulnerability assessment - Independent security controls check - Hands-on vulnerabilities discovery and exploitation - Hack me plz
5 Regular pentest - Presale activity before real financial penetration - First critical found – stop and report - Total show off - Hack for profit
6 Pentest performers skills - Over 9000 pentest companies - Usually disgusting - Script kiddies with Nessus - Sometimes with Metasploit - Proudly CEH certified - Totally lazy
7 Why so bad? - Incompetence of the customers - Advertised service has led to the quality degradation - Pentest tools evolution …even my grandma can ‘exploit something’
8 Stop. Think. Act. Questions to ask yourself: • What kind of pentest do I need? • Do I really have security controls to check? • What is my business goal? • Am I ready to pay for good quality?
9 You owe me $10 for this promo
10 Pentest scope - Recon - Vulnerability assessment - Exploitations PoC - Internal security - And almost everything
11 It depends on your security level - No need to make a “Red Team” for the noobies - No need to make a recon for the professionals - No need to check the compliance if you have no internal one - No need to make it at all if your security team is lame
12 Performer - Ask other CISO’s for the advice - Only 3 companies can perform well in Russia (IMHO) - Make a challenge - Don’t mess with ”Company”, mess with a team - All high-grade pentesters are well known
13 Getting best performance • Don’t try to test them! • Help them! • Share your knowledge! • Trust your pentester! • Don’t limit their scope and actions!
14 One line lifehacks • Mix different teams. You will be surprised • Interest them • Different systems – different pentest teams • Sharing recon = 50% speed up • Don’t ask for the ”total” proofs. PoC is enough.
15 And what about the money? - RUR 400k to 1,5kk is OK - Red Team costs near 3kk - More != better - Perform tenders - PR = discount
16 Thanks - isox@vulners.com - Feel free to ask me about pentest for your company. I will guide you without charge  - https://vulners.com - We are really trying to make this world better - Stop paying for features, that are available for free

More Related Content

PPTX
SOC training
byKirill Ermakov
 
PPTX
[Wroclaw #2] Web Application Security Headers
byOWASP
 
PDF
Shields up - improving web application security
byKonstantin Mirin
 
PPTX
Let’s play the game. Yet another way to perform penetration test. Russian “re...
byKirill Ermakov
 
PDF
Web Uygulamalarının Hacklenmesi
byÖmer Çıtak
 
PPTX
XSS (Cross Site Scripting)
byShubham Gupta
 
PDF
10 things I’ve learnt about web application security
byJames Crowley
 
PPTX
Lets talk about bug hunting
byKirill Ermakov
 
SOC training
byKirill Ermakov
 
[Wroclaw #2] Web Application Security Headers
byOWASP
 
Shields up - improving web application security
byKonstantin Mirin
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
byKirill Ermakov
 
Web Uygulamalarının Hacklenmesi
byÖmer Çıtak
 
XSS (Cross Site Scripting)
byShubham Gupta
 
10 things I’ve learnt about web application security
byJames Crowley
 
Lets talk about bug hunting
byKirill Ermakov
 

What's hot

PPTX
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
PPTX
Bug bounty
byn|u - The Open Security Community
 
PPTX
11 Commandments of Cyber Security for the Home
byzaimorkai
 
PDF
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
byOWASP Ottawa
 
PDF
Implementing ossec
byJeronimo Zucco
 
PDF
Threat Hunting with Cyber Kill Chain
bySuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
PPTX
"Introduction to Bug Hunting", Yasser Ali
byHackIT Ukraine
 
PDF
[OWASP Poland Day] OWASP for testing mobile applications
byOWASP
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
PDF
Problems with parameters b sides-msp
byMike Saunders
 
PDF
Java EE 6 Security in practice with GlassFish
byMarkus Eisele
 
ODP
Csrf not-all-defenses-are-created-equal
bydrewz lin
 
PPTX
[OWASP Poland Day] Saving private token
byOWASP
 
PDF
42 minutes to secure your code....
bySebastien Gioria
 
PPTX
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
PPTX
Lviv js2017 (eleks)
byАндрей Вандакуров
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PPTX
Phu appsec13
bydrewz lin
 
PPTX
Devouring Security XML Attack surface and Defences
bygmaran23
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
Bug bounty
byn|u - The Open Security Community
 
11 Commandments of Cyber Security for the Home
byzaimorkai
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
byOWASP Ottawa
 
Implementing ossec
byJeronimo Zucco
 
Threat Hunting with Cyber Kill Chain
bySuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
"Introduction to Bug Hunting", Yasser Ali
byHackIT Ukraine
 
[OWASP Poland Day] OWASP for testing mobile applications
byOWASP
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
Problems with parameters b sides-msp
byMike Saunders
 
Java EE 6 Security in practice with GlassFish
byMarkus Eisele
 
Csrf not-all-defenses-are-created-equal
bydrewz lin
 
[OWASP Poland Day] Saving private token
byOWASP
 
42 minutes to secure your code....
bySebastien Gioria
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
Lviv js2017 (eleks)
byАндрей Вандакуров
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
Phu appsec13
bydrewz lin
 
Devouring Security XML Attack surface and Defences
bygmaran23
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
bydrewz lin
 

Similar to How to get a well done penetration test

PPTX
Pen Testing Explained
byRand W. Hirt
 
PDF
pentration testing.pdf
byRamya Nellutla
 
PDF
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
byUISGCON
 
PDF
Ceh v5 module 22 penetration testing
byVi Tính Hoàng Nam
 
PPTX
Penentration testing
bytahreemsaleem
 
PDF
Penetration Testing Guide
byBadawy Abd El-Aziz
 
PDF
The Art of Penetration Testing in Cybersecurity.
byExpeed Software
 
PPTX
Introduction to Penetration testing and Penetration Testing Proccess.pptx
byMakaraLong
 
PPTX
2023 HackRedCon Penetration Testing from the CISOs Perspective
byScott Stanton
 
PDF
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
byTruShield Security Solutions
 
PDF
Toreon - pentesting - why every company should do this!
bySebastien Deleersnyder
 
PDF
Next generation pentest your company cannot buy
byVlad Styran
 
PDF
What is Penetration Testing?
byRapid7
 
PPTX
Increasing Value Of Security Assessment Services
byChris Nickerson
 
PDF
What is pentest
byitissolutions
 
PPTX
Btpro-Penetration Testing Service
byBtpro BilgiTeknolojileri
 
PDF
So, you wanna be a pen tester ctsc2017
byAdrien de Beaupre
 
PDF
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
bySoftware Guru
 
PPTX
Assessing a pen tester: Making the right choice when choosing a third party P...
byJason Broz, CIPP/US
 
PPTX
Advice for CyberSecurity Penetration testing
bydp40991
 
Pen Testing Explained
byRand W. Hirt
 
pentration testing.pdf
byRamya Nellutla
 
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
byUISGCON
 
Ceh v5 module 22 penetration testing
byVi Tính Hoàng Nam
 
Penentration testing
bytahreemsaleem
 
Penetration Testing Guide
byBadawy Abd El-Aziz
 
The Art of Penetration Testing in Cybersecurity.
byExpeed Software
 
Introduction to Penetration testing and Penetration Testing Proccess.pptx
byMakaraLong
 
2023 HackRedCon Penetration Testing from the CISOs Perspective
byScott Stanton
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
byTruShield Security Solutions
 
Toreon - pentesting - why every company should do this!
bySebastien Deleersnyder
 
Next generation pentest your company cannot buy
byVlad Styran
 
What is Penetration Testing?
byRapid7
 
Increasing Value Of Security Assessment Services
byChris Nickerson
 
What is pentest
byitissolutions
 
Btpro-Penetration Testing Service
byBtpro BilgiTeknolojileri
 
So, you wanna be a pen tester ctsc2017
byAdrien de Beaupre
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
bySoftware Guru
 
Assessing a pen tester: Making the right choice when choosing a third party P...
byJason Broz, CIPP/US
 
Advice for CyberSecurity Penetration testing
bydp40991
 

More from Kirill Ermakov

PDF
Vulners: Google for hackers
byKirill Ermakov
 
PPTX
Подход QIWI к проведению тестирования на проникновение
byKirill Ermakov
 
PPTX
Why vulners? Short story about reinventing a wheel
byKirill Ermakov
 
PPTX
Почему вам не нужен SOC
byKirill Ermakov
 
PDF
Security awareness for information security team
byKirill Ermakov
 
PDF
Vulners report: comparing vulnerability world 2016 to 2017
byKirill Ermakov
 
PPTX
Под капотом Vulners
byKirill Ermakov
 
PDF
Vulnerability Funalitics with vulners.com
byKirill Ermakov
 
Vulners: Google for hackers
byKirill Ermakov
 
Подход QIWI к проведению тестирования на проникновение
byKirill Ermakov
 
Why vulners? Short story about reinventing a wheel
byKirill Ermakov
 
Почему вам не нужен SOC
byKirill Ermakov
 
Security awareness for information security team
byKirill Ermakov
 
Vulners report: comparing vulnerability world 2016 to 2017
byKirill Ermakov
 
Под капотом Vulners
byKirill Ermakov
 
Vulnerability Funalitics with vulners.com
byKirill Ermakov
 

Recently uploaded

PDF
Ultraviolet Treatment|Ultra Violet Products.pdf
byUltra Violet Products
 
PDF
Clean Agent Fire Extinguisher Details and Insights
byPalladium Safety Solutions
 
PPTX
Fantasy Sports App Development Pricing Guide | BR Softech
byolivia andersen
 
PPTX
Background Checks Malaysia – Hire with Confidence
byAngel Checks
 
PDF
Using Data Enrichment to Improve Product Recommendations.pdf
byAndrew Leo
 
PDF
Biography of Angel DeBlasio, Homemaker/Housewife
byAngel DeBlasio
 
PDF
Understanding the Unique Plumbing Demands of Santa Clara's Business Landscape
byCPI Service, Plumbing, Heating & Cooling
 
DOCX
How a Content Clipping Agency Turns Every Video Into Viral Assets.docx
byjenwhite023
 
PDF
Chaorum-- dental-- implant-- system-.pdf
byhassanELMesallamy
 
PPTX
Locus_of_Control_Presentation AHAD SHAH.pptx
bysyedabdulahads84
 
PDF
High-Performance Supermarket Open Chillers Guide
byLokesh Singh
 
PDF
Marketing with Shopify Built-In Marketing Tools
byLiquid Web Developers
 
PPTX
Amuse3D explores the science of 3D printing drones.pptx
byAmuse3D
 
PPTX
Precise shop drawings for smooth project execution
byS E C D Technical Services LLC UAE
 
PDF
Comprehensive School Management Software Solutions by Converthink
byConverthink solutions
 
PDF
Flutter Mobile App Development Solutions | JSB Global Infotech
byJSB Global Infotech Pvt. Ltd.
 
PDF
Embalmers_ Professionals Preserving Dignity and Tradition.pdf
bykalpana6412
 
PDF
Top Digital Marketing Trends 2025 | Pat’s Marketing
byPat's Marketing
 
PPTX
SDS_Training.pptx for safty data sheet for safty
byVajbayeeelangovan
 
PDF
Where to Stay for Vivid Sydney
bysavoyhotelau
 
Ultraviolet Treatment|Ultra Violet Products.pdf
byUltra Violet Products
 
Clean Agent Fire Extinguisher Details and Insights
byPalladium Safety Solutions
 
Fantasy Sports App Development Pricing Guide | BR Softech
byolivia andersen
 
Background Checks Malaysia – Hire with Confidence
byAngel Checks
 
Using Data Enrichment to Improve Product Recommendations.pdf
byAndrew Leo
 
Biography of Angel DeBlasio, Homemaker/Housewife
byAngel DeBlasio
 
Understanding the Unique Plumbing Demands of Santa Clara's Business Landscape
byCPI Service, Plumbing, Heating & Cooling
 
How a Content Clipping Agency Turns Every Video Into Viral Assets.docx
byjenwhite023
 
Chaorum-- dental-- implant-- system-.pdf
byhassanELMesallamy
 
Locus_of_Control_Presentation AHAD SHAH.pptx
bysyedabdulahads84
 
High-Performance Supermarket Open Chillers Guide
byLokesh Singh
 
Marketing with Shopify Built-In Marketing Tools
byLiquid Web Developers
 
Amuse3D explores the science of 3D printing drones.pptx
byAmuse3D
 
Precise shop drawings for smooth project execution
byS E C D Technical Services LLC UAE
 
Comprehensive School Management Software Solutions by Converthink
byConverthink solutions
 
Flutter Mobile App Development Solutions | JSB Global Infotech
byJSB Global Infotech Pvt. Ltd.
 
Embalmers_ Professionals Preserving Dignity and Tradition.pdf
bykalpana6412
 
Top Digital Marketing Trends 2025 | Pat’s Marketing
byPat's Marketing
 
SDS_Training.pptx for safty data sheet for safty
byVajbayeeelangovan
 
Where to Stay for Vivid Sydney
bysavoyhotelau
 

How to get a well done penetration test

  • 1.
    How to geta well done penetration test And not to overpay Kir Ermakov DSEC Pentest Day, 2017
  • 2.
    2 #:whoami - Known as‘isox’ - vulners.com founder - QIWI Group CTO ( prev. – CISO) - Web penetration tester - Member of “hall-of-fames” (Yandex, Mail.ru, Apple and so on) - JBFC community participant - Security skeptic
  • 3.
    3 A penetration test,colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. © Wiki
  • 4.
    4 Penetration test asdesigned - Perimeter and internal recon - Vulnerability assessment - Independent security controls check - Hands-on vulnerabilities discovery and exploitation - Hack me plz
  • 5.
    5 Regular pentest - Presaleactivity before real financial penetration - First critical found – stop and report - Total show off - Hack for profit
  • 6.
    6 Pentest performers skills -Over 9000 pentest companies - Usually disgusting - Script kiddies with Nessus - Sometimes with Metasploit - Proudly CEH certified - Totally lazy
  • 7.
    7 Why so bad? -Incompetence of the customers - Advertised service has led to the quality degradation - Pentest tools evolution …even my grandma can ‘exploit something’
  • 8.
    8 Stop. Think. Act. Questionsto ask yourself: • What kind of pentest do I need? • Do I really have security controls to check? • What is my business goal? • Am I ready to pay for good quality?
  • 9.
    9 You owe me$10 for this promo
  • 10.
    10 Pentest scope - Recon -Vulnerability assessment - Exploitations PoC - Internal security - And almost everything
  • 11.
    11 It depends onyour security level - No need to make a “Red Team” for the noobies - No need to make a recon for the professionals - No need to check the compliance if you have no internal one - No need to make it at all if your security team is lame
  • 12.
    12 Performer - Ask otherCISO’s for the advice - Only 3 companies can perform well in Russia (IMHO) - Make a challenge - Don’t mess with ”Company”, mess with a team - All high-grade pentesters are well known
  • 13.
    13 Getting best performance •Don’t try to test them! • Help them! • Share your knowledge! • Trust your pentester! • Don’t limit their scope and actions!
  • 14.
    14 One line lifehacks •Mix different teams. You will be surprised • Interest them • Different systems – different pentest teams • Sharing recon = 50% speed up • Don’t ask for the ”total” proofs. PoC is enough.
  • 15.
    15 And what aboutthe money? - RUR 400k to 1,5kk is OK - Red Team costs near 3kk - More != better - Perform tenders - PR = discount
  • 16.
    16 Thanks - isox@vulners.com - Feelfree to ask me about pentest for your company. I will guide you without charge  - https://vulners.com - We are really trying to make this world better - Stop paying for features, that are available for free