SlideShare a Scribd company logo

Penetration testing must die

Security BSides London
Security BSides London

BSidesLondon 20th April 2011 - Rory Mccune (@raesene) ----------- "Penetration testing" has become a staple of a the security programmes of a lot of companies around the world and particularly in the UK. Unfortunately in most cases it's poorly understood, the value for customers is minimal and it bears absolutely no resemblence to what a modern attacker would do. So it's time for it to die. ------ for more info about Rory Mccune go to www.7elements.co.uk

Technology
1 of 11
PENETRATION TESTING MUST DIE Rory McCune
INTRODUCTION • IT/Information Security person for the last 15 years • Currently a director of 7 Elements ( http://www.7elements.co.uk ) • IT Security consultancy based in Scotland. • Scottish chapter lead for the OWASP project.
AGENDA • Why must it die • Overloaded Terminology. • Clients aren’t ready. • Mission Impossible. • How do you fix it? • Better Terms. • Better Scoping.
WHAT’S IN A NAME? • First thing is to define what we mean by penetration testing • One definition from Wikipedia “A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.”
CHARACTERISTICS OF A PENETRATION TEST • Black-Box • When we’re assuming the role of an attacker (unless it’s an insider) the testing should be black box • Goal based • Trying to compromise the target system/network/company • Trade off against coverage of every possible avenue • Realistic • Mimicking the “real thing” • Although…. Which Real thing?
OVERLOADED TERMINOLOGY • Like many things in security the term “penetration test” is overloaded • Vulnerability Scans as Penetration Tests • Web Application Security Assessments as Penetration Tests • Code Reviews as Penetration Tests • …
CLIENTS AREN’T READY • What’s the purpose of a penetration test? • From above it’s to mimic an attack • Trade off realism against coverage • Test controls that should be in place • Implies that clients are ready for that • Know what controls should be in place • Think that they’re operating effectively • Some (most?) clients want coverage not proof
MISSION IMPOSSIBLE • Accurately mimicking high-end attackers is increasingly difficult • Where’s the data? • Are all their 3 rd parties in-scope? • Is their cloud providers infrastructure in-scope? • Out-of bounds methods • Spear Phishing? Home and work e-mail? • Renting botnets with zombies already onsite? • Purchase 0-days for discovered software? • Time • Time to develop 0-days for discovered software?
FIXING THE PROBLEM - TERMS • Use different terms for differing job types • Vulnerability Scan • Vulnerability Assessment • Security Assessment • Penetration Test
FIXING THE PROBLEM - SCOPING • Threat modelling needs to be done first. • Right type of test for the customer • Assessment style testing for establishing controls in place (less developed customers). • Penetration style testing for mature companies to prove what they think should be in place. • The Underwriters Lab Approach • Testing specifies the type of attacker being emulated. • Specifies what’s not in-scope. • Resistant for a specified duration.
Penetration testing must die

Recommended

Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
Security Innovation
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
Geoffrey Vaughan
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection Flaws
Security Innovation
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
FINOS
 
DECEPTICONv2
DECEPTICONv2DECEPTICONv2
DECEPTICONv2
👀 Joe Gray
 
Secured Development
Secured DevelopmentSecured Development
Secured Development
Burhan Khalid
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactory
Christopher Grayson
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug hunting
Kirill Ermakov
 

Recommended

Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
Security Innovation
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
Geoffrey Vaughan
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection Flaws
Security Innovation
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
FINOS
 
DECEPTICONv2
DECEPTICONv2DECEPTICONv2
DECEPTICONv2
👀 Joe Gray
 
Secured Development
Secured DevelopmentSecured Development
Secured Development
Burhan Khalid
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactory
Christopher Grayson
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug hunting
Kirill Ermakov
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia
 
Type mock isolator
Type mock isolatorType mock isolator
Type mock isolatorMaslowB
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
snyff
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
IDERA Software
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon
 
Ensuring Security through Continuous Testing
Ensuring Security through Continuous TestingEnsuring Security through Continuous Testing
Ensuring Security through Continuous Testing
TechWell
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
setuid0
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
Man in the Binder
Man in the BinderMan in the Binder
Man in the Bindernitayart
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMEjeffmcjunkin
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
gcara4
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
Ethical Hacking and Defense Penetration
Ethical Hacking and Defense PenetrationEthical Hacking and Defense Penetration
Ethical Hacking and Defense Penetration
Jay Nagar
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Cyber security series vulnerability assessments
Cyber security series vulnerability assessmentsCyber security series vulnerability assessments
Cyber security series vulnerability assessments
Jim Kaplan CIA CFE
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
Scott Sutherland
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
Sean Whalen
 

More Related Content

What's hot

Type mock isolator
Type mock isolatorType mock isolator
Type mock isolatorMaslowB
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
snyff
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
IDERA Software
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon
 
Ensuring Security through Continuous Testing
Ensuring Security through Continuous TestingEnsuring Security through Continuous Testing
Ensuring Security through Continuous Testing
TechWell
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
setuid0
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
Man in the Binder
Man in the BinderMan in the Binder
Man in the Bindernitayart
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMEjeffmcjunkin
 

What's hot (13)

Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
Type mock isolator
Type mock isolatorType mock isolator
Type mock isolator
 
Entrepreneurship for hackers
Entrepreneurship for hackersEntrepreneurship for hackers
Entrepreneurship for hackers
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
 
Ensuring Security through Continuous Testing
Ensuring Security through Continuous TestingEnsuring Security through Continuous Testing
Ensuring Security through Continuous Testing
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
 
Man in the Binder
Man in the BinderMan in the Binder
Man in the Binder
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
 

Similar to Penetration testing must die

WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
gcara4
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
Ethical Hacking and Defense Penetration
Ethical Hacking and Defense PenetrationEthical Hacking and Defense Penetration
Ethical Hacking and Defense Penetration
Jay Nagar
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Cyber security series vulnerability assessments
Cyber security series vulnerability assessmentsCyber security series vulnerability assessments
Cyber security series vulnerability assessments
Jim Kaplan CIA CFE
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
Scott Sutherland
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
Sean Whalen
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
Christopher Grayson
 
2018 FRSecure CISSP Mentor Program Session 9
2018 FRSecure CISSP Mentor Program Session 92018 FRSecure CISSP Mentor Program Session 9
2018 FRSecure CISSP Mentor Program Session 9
FRSecure
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
Security Innovation
 
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Core Security
 
ISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docxISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docx
bagotjesusa
 
What is penetration testing and career path
What is penetration testing and career pathWhat is penetration testing and career path
What is penetration testing and career path
Vikram Khanna
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
apidays
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 

Similar to Penetration testing must die (20)

WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Ethical Hacking and Defense Penetration
Ethical Hacking and Defense PenetrationEthical Hacking and Defense Penetration
Ethical Hacking and Defense Penetration
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Cyber security series vulnerability assessments
Cyber security series vulnerability assessmentsCyber security series vulnerability assessments
Cyber security series vulnerability assessments
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
2018 FRSecure CISSP Mentor Program Session 9
2018 FRSecure CISSP Mentor Program Session 92018 FRSecure CISSP Mentor Program Session 9
2018 FRSecure CISSP Mentor Program Session 9
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
 
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
 
ISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docxISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docx
 
What is penetration testing and career path
What is penetration testing and career pathWhat is penetration testing and career path
What is penetration testing and career path
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 

More from Security BSides London

Security YMCA
Security YMCASecurity YMCA
Security YMCA
Security BSides London
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Security BSides London
 
You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...
Security BSides London
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
Security BSides London
 
The Funny Thing About Information Security
The Funny Thing About Information SecurityThe Funny Thing About Information Security
The Funny Thing About Information Security
Security BSides London
 
Breaking out of restricted RDP
Breaking out of restricted RDPBreaking out of restricted RDP
Breaking out of restricted RDP
Security BSides London
 
Breaking, Entering and Pentesting
Breaking, Entering and Pentesting Breaking, Entering and Pentesting
Breaking, Entering and Pentesting
Security BSides London
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
Security BSides London
 
Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications
Security BSides London
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
Security BSides London
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
Security BSides London
 
Cloud computing due diligence WTF?
Cloud computing due diligence WTF?Cloud computing due diligence WTF?
Cloud computing due diligence WTF?
Security BSides London
 

More from Security BSides London (12)

Security YMCA
Security YMCASecurity YMCA
Security YMCA
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorial
 
You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...You built a security castle and forgot the bridge…now users are climbing your...
You built a security castle and forgot the bridge…now users are climbing your...
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
The Funny Thing About Information Security
The Funny Thing About Information SecurityThe Funny Thing About Information Security
The Funny Thing About Information Security
 
Breaking out of restricted RDP
Breaking out of restricted RDPBreaking out of restricted RDP
Breaking out of restricted RDP
 
Breaking, Entering and Pentesting
Breaking, Entering and Pentesting Breaking, Entering and Pentesting
Breaking, Entering and Pentesting
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Cloud computing due diligence WTF?
Cloud computing due diligence WTF?Cloud computing due diligence WTF?
Cloud computing due diligence WTF?
 

Recently uploaded

How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 

Recently uploaded (20)

How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

Penetration testing must die

  • 1. PENETRATION TESTING MUST DIE Rory McCune
  • 2. INTRODUCTION • IT/Information Security person for the last 15 years • Currently a director of 7 Elements ( http://www.7elements.co.uk ) • IT Security consultancy based in Scotland. • Scottish chapter lead for the OWASP project.
  • 3. AGENDA • Why must it die • Overloaded Terminology. • Clients aren’t ready. • Mission Impossible. • How do you fix it? • Better Terms. • Better Scoping.
  • 4. WHAT’S IN A NAME? • First thing is to define what we mean by penetration testing • One definition from Wikipedia “A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.”
  • 5. CHARACTERISTICS OF A PENETRATION TEST • Black-Box • When we’re assuming the role of an attacker (unless it’s an insider) the testing should be black box • Goal based • Trying to compromise the target system/network/company • Trade off against coverage of every possible avenue • Realistic • Mimicking the “real thing” • Although…. Which Real thing?
  • 6. OVERLOADED TERMINOLOGY • Like many things in security the term “penetration test” is overloaded • Vulnerability Scans as Penetration Tests • Web Application Security Assessments as Penetration Tests • Code Reviews as Penetration Tests • …
  • 7. CLIENTS AREN’T READY • What’s the purpose of a penetration test? • From above it’s to mimic an attack • Trade off realism against coverage • Test controls that should be in place • Implies that clients are ready for that • Know what controls should be in place • Think that they’re operating effectively • Some (most?) clients want coverage not proof
  • 8. MISSION IMPOSSIBLE • Accurately mimicking high-end attackers is increasingly difficult • Where’s the data? • Are all their 3 rd parties in-scope? • Is their cloud providers infrastructure in-scope? • Out-of bounds methods • Spear Phishing? Home and work e-mail? • Renting botnets with zombies already onsite? • Purchase 0-days for discovered software? • Time • Time to develop 0-days for discovered software?
  • 9. FIXING THE PROBLEM - TERMS • Use different terms for differing job types • Vulnerability Scan • Vulnerability Assessment • Security Assessment • Penetration Test
  • 10. FIXING THE PROBLEM - SCOPING • Threat modelling needs to be done first. • Right type of test for the customer • Assessment style testing for establishing controls in place (less developed customers). • Penetration style testing for mature companies to prove what they think should be in place. • The Underwriters Lab Approach • Testing specifies the type of attacker being emulated. • Specifies what’s not in-scope. • Resistant for a specified duration.