Ammar WK, profile picture
Uploaded byAmmar WK
PDF, PPTX724 views

Pen-testing is Dead?

Ahmad Muammar discusses the misconceptions surrounding penetration testing, arguing that it is not dead but evolves alongside practices like bug bounty programs and red team assessments. He emphasizes that while these methods serve distinct purposes, they should complement each other to ensure thorough security evaluations. The presentation highlights the importance of adapting penetration testing to modern development practices, such as Agile methodologies and Industry 4.0 technologies.

Embed presentation

Download as PDF, PPTX
Ahmad Muammar WK, OSCE, OSCP, eMAPT Pen-testing is Dead Information Security Awareness Night ?
Ahmad Muammar.WK, OSCE, OSCP, eMAPT ✤ Professional hacker/Penetration tester ✤ Doing offensive security/hacking since 2002; Doing it professionally since 2007. ✤ Founder of echo.or.id & idsecconf.org ✤ Web: http://me.ammar.web.id ✤ email: me@ammar.web.id, y3dips@echo.or.id ✤ twitter: @y3dips
Pen-testing is Dead? ✤ Pen-Testing is Dead, Long Live the Pen Test - Taylor Banks & Carric - Defcon 16 (2008) ✤ Penetration Testing Is Dead! (Long Live Penetration Testing!) - Katie Moussouris (Chief Policy Officer - HackerOne) - Pen Test Hackfest Summit & Training (November 2014)
U Say Dead? ✤ Misconception ✤ Bug Bounty Programs ✤ Red Team Arise ✤ Agile Development ✤ Industry 4.0 Technology
Misconception: U say Pen-test? ✤ We all say “Pen-test” and we all do Pen-test! ✤ Honestly, it was Vulnerability Assessment.
Misconception: Pen-test.. ✤ It should be equal to “Hackers” Activity. ✤ Unlimited scope, unlimited timeframe, unlimited attack vector. (?) ✤ Validate vulnerability (POC), gaining Access, “mass owning”, +social engineering.
Bug-Bounty Killed Pen-Test? ✤ Bug Bounty limited to online target. ✤ Bug Bounty not cover a development state (UAT, SIT). ✤ Bug Bounty not suitable to test private system (send 2FA token for e-banking login to all bounty hunters?).
Bug-Bounty Needed Pen-Test ✤ Some problems for un-prepared company: ✤ A poorly-implemented Bug Bounty will just spoil your relations with the security community and create a bad reputation for your company. ✤ Make sure to have enough technical and human resources to handle, analyze and properly follow-up the submissions. ✤ Hard to specify “Criminals” amongs bounty hunters. ✤ “pen-test 1st, do bounty afterwards”.
RedTeam Slaughtered Pen-Test? ✤ A Red Team Assessment is similar to a penetration test in many ways but is more targeted (simulate an APT). ✤ The goal is to test the organization's detection and response capabilities. ✤ Target are often have penetration tests done, have patched most vulnerabilities, and have generally positive penetration test results. Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues - https://blog.rapid7.com/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/
RedTeam comply Pen-Test ✤ You would not want to use a Penetration Test to judge how well your incident response is and you would not want to perform a Red Team assessment to discover vulnerabilities. Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues - https://blog.rapid7.com/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/
Pen-test wont work in Agile? Images taken from: https://www.seguetech.com/waterfall-vs-agile-methodology/
Pen-test won’t work in Agile? “Penetration Testing in Agile Software Development Cycle (scrum framework)” Martin Tomanek and Tomas Klima - https://arxiv.org/ftp/arxiv/papers/1504/1504.00942.pdf
Pen-test also work in Agile “Penetration Testing in Agile Software Development Cycle (scrum framework)” Martin Tomanek and Tomas Klima - https://arxiv.org/ftp/arxiv/papers/1504/1504.00942.pdf
Industry 4.0 won’t need Pen-test? Images taken from: https://www.researchgate.net/profile/Fernando_Deschamps/publication/319944621/figure/download/fig1/AS:613928782532631@1523383436460/ Technologies-for-industry-40.png
Internet-Connected Medical Washer-Disinfector Found Vulnerable to Hacking
Ahmad Muammar WK, OSCE, OSCP, eMAPT Pen-testing is not Dead! Information Security Awareness Night

More Related Content

PDF
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
PDF
How To [relatively] Secure your Web Applications
byAmmar WK
 
PDF
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
PDF
Simplified Security Code Review Process
bySherif Koussa
 
PDF
Opsec for security researchers
byvicenteDiaz_KL
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
PPTX
Crowd-Sourced Threat Intelligence
byAlienVault
 
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
How To [relatively] Secure your Web Applications
byAmmar WK
 
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
Simplified Security Code Review Process
bySherif Koussa
 
Opsec for security researchers
byvicenteDiaz_KL
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
Crowd-Sourced Threat Intelligence
byAlienVault
 

What's hot

PDF
Click and Dragger: Denial and Deception on Android mobile
bygrugq
 
PPTX
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
byCODE BLUE
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PDF
Defender economics
byaddelindh
 
PPTX
Modlishka - Is a Mantis Eating 2FA's Lunch?
byLance Peterman
 
ODP
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
byjeffmcjunkin
 
PDF
(SACON) Shomiron das gupta - threat hunting use cases
byPriyanka Aash
 
PDF
It's Okay To Touch Yourself - DerbyCon 2013
byBen Ten (0xA)
 
PDF
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
byMITRE - ATT&CKcon
 
PDF
Weaponizing OSINT – Hacker Halted 2019 – Michael James
byEC-Council
 
PPTX
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
byFrode Hommedal
 
PDF
Infographic analytics infographic_illustrations_120617
byRichard Smiraldi
 
PDF
2020 FRSecure CISSP Mentor Program - Class 9
byFRSecure
 
PDF
Security of Voice Controlled Device
byFaysal Hossain Shezan
 
PDF
OSINT Basics for Threat Hunters and Practitioners
byMegan DeBlois
 
PPTX
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
PPTX
I am my worst enemy — A first person look at Insider Threat
byAhmed Masud
 
PPT
Cf.Objective.2009
byBill Shelton
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
PDF
2019 FRecure CISSP Mentor Program: Session Two
byFRSecure
 
Click and Dragger: Denial and Deception on Android mobile
bygrugq
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
byCODE BLUE
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
Defender economics
byaddelindh
 
Modlishka - Is a Mantis Eating 2FA's Lunch?
byLance Peterman
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
byjeffmcjunkin
 
(SACON) Shomiron das gupta - threat hunting use cases
byPriyanka Aash
 
It's Okay To Touch Yourself - DerbyCon 2013
byBen Ten (0xA)
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
byMITRE - ATT&CKcon
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
byEC-Council
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
byFrode Hommedal
 
Infographic analytics infographic_illustrations_120617
byRichard Smiraldi
 
2020 FRSecure CISSP Mentor Program - Class 9
byFRSecure
 
Security of Voice Controlled Device
byFaysal Hossain Shezan
 
OSINT Basics for Threat Hunters and Practitioners
byMegan DeBlois
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
I am my worst enemy — A first person look at Insider Threat
byAhmed Masud
 
Cf.Objective.2009
byBill Shelton
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
2019 FRecure CISSP Mentor Program: Session Two
byFRSecure
 

Similar to Pen-testing is Dead?

PPTX
Penetration Testing for Cybersecurity Professionals
by211 Check
 
PPTX
Why Pentesting is Vital to the Modern DoD Workforce
byGlobal Knowledge Training
 
PDF
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
bySoftware Guru
 
PDF
WTF is Penetration Testing
byScott Sutherland
 
PDF
WTF is Penetration Testing
byNetSPI
 
PDF
Introduction to penetration testing
byAmine SAIGHI
 
PDF
Pen testing and how does it help strengthen cybersecurity
byTestingXperts
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PPTX
Pen Testing Explained
byRand W. Hirt
 
PDF
pentration testing.pdf
byRamya Nellutla
 
PPTX
Module 2 Threat Management and Cybersecurity Resources (1).pptx
bytahreerbassam2014
 
PDF
Dpc june-2014 pentesting-for-fun-and-profit
bycfing99
 
ODP
Dpc june-2014 pentesting-for-fun-and-profit
bycfing99
 
PDF
Secrets of Top Pentesters
byamiable_indian
 
PPTX
AISA Sydney Presentation - Would PT add value to the SDLC and why
byGergana (Kiryakova) Winzer
 
PDF
What is pentest
byitissolutions
 
PPTX
Pen Testing Services.pptx
byMaqwareCorp
 
PDF
Penetrating Networks for CompTIA Pentest+
byNetCom Learning
 
PDF
J1803067477
byIOSR Journals
 
PDF
Future of Penetration Testing Trends to Watch.
bykandrasupriya99
 
Penetration Testing for Cybersecurity Professionals
by211 Check
 
Why Pentesting is Vital to the Modern DoD Workforce
byGlobal Knowledge Training
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
bySoftware Guru
 
WTF is Penetration Testing
byScott Sutherland
 
WTF is Penetration Testing
byNetSPI
 
Introduction to penetration testing
byAmine SAIGHI
 
Pen testing and how does it help strengthen cybersecurity
byTestingXperts
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Pen Testing Explained
byRand W. Hirt
 
pentration testing.pdf
byRamya Nellutla
 
Module 2 Threat Management and Cybersecurity Resources (1).pptx
bytahreerbassam2014
 
Dpc june-2014 pentesting-for-fun-and-profit
bycfing99
 
Dpc june-2014 pentesting-for-fun-and-profit
bycfing99
 
Secrets of Top Pentesters
byamiable_indian
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
byGergana (Kiryakova) Winzer
 
What is pentest
byitissolutions
 
Pen Testing Services.pptx
byMaqwareCorp
 
Penetrating Networks for CompTIA Pentest+
byNetCom Learning
 
J1803067477
byIOSR Journals
 
Future of Penetration Testing Trends to Watch.
bykandrasupriya99
 

More from Ammar WK

PDF
Vvdp-fgd-bssn
byAmmar WK
 
PDF
Cybercrime: A threat to Financial industry
byAmmar WK
 
PDF
Bugbounty vs-0day
byAmmar WK
 
PDF
Advanced Persistent Threat
byAmmar WK
 
PDF
Mobile hacking, pentest, and malware
byAmmar WK
 
PDF
Hacker? : it's not about Black or White
byAmmar WK
 
PDF
Introduction to IOS Application Penetration Testing
byAmmar WK
 
PDF
Burp suite
byAmmar WK
 
PDF
Web Hacking (basic)
byAmmar WK
 
PDF
Network Packet Analysis
byAmmar WK
 
PDF
Packet analysis (Basic)
byAmmar WK
 
PDF
Network security
byAmmar WK
 
PDF
Penetration testing
byAmmar WK
 
PDF
Information Security Professional
byAmmar WK
 
PPT
Handout infosec defense-mechanism-y3dips
byAmmar WK
 
PDF
Layer 7 denial of services attack mitigation
byAmmar WK
 
PDF
How To Become A Hacker
byAmmar WK
 
PDF
y3dips - Who Own Your Sensitive Information?
byAmmar WK
 
PDF
idsecconf2010-hacking priv8 network
byAmmar WK
 
PDF
Mastering Network HackingFU - idsecconf2008
byAmmar WK
 
Vvdp-fgd-bssn
byAmmar WK
 
Cybercrime: A threat to Financial industry
byAmmar WK
 
Bugbounty vs-0day
byAmmar WK
 
Advanced Persistent Threat
byAmmar WK
 
Mobile hacking, pentest, and malware
byAmmar WK
 
Hacker? : it's not about Black or White
byAmmar WK
 
Introduction to IOS Application Penetration Testing
byAmmar WK
 
Burp suite
byAmmar WK
 
Web Hacking (basic)
byAmmar WK
 
Network Packet Analysis
byAmmar WK
 
Packet analysis (Basic)
byAmmar WK
 
Network security
byAmmar WK
 
Penetration testing
byAmmar WK
 
Information Security Professional
byAmmar WK
 
Handout infosec defense-mechanism-y3dips
byAmmar WK
 
Layer 7 denial of services attack mitigation
byAmmar WK
 
How To Become A Hacker
byAmmar WK
 
y3dips - Who Own Your Sensitive Information?
byAmmar WK
 
idsecconf2010-hacking priv8 network
byAmmar WK
 
Mastering Network HackingFU - idsecconf2008
byAmmar WK
 

Recently uploaded

PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 

Pen-testing is Dead?

  • 1.
    Ahmad Muammar WK,OSCE, OSCP, eMAPT Pen-testing is Dead Information Security Awareness Night ?
  • 2.
    Ahmad Muammar.WK, OSCE, OSCP,eMAPT ✤ Professional hacker/Penetration tester ✤ Doing offensive security/hacking since 2002; Doing it professionally since 2007. ✤ Founder of echo.or.id & idsecconf.org ✤ Web: http://me.ammar.web.id ✤ email: me@ammar.web.id, y3dips@echo.or.id ✤ twitter: @y3dips
  • 4.
    Pen-testing is Dead? ✤Pen-Testing is Dead, Long Live the Pen Test - Taylor Banks & Carric - Defcon 16 (2008) ✤ Penetration Testing Is Dead! (Long Live Penetration Testing!) - Katie Moussouris (Chief Policy Officer - HackerOne) - Pen Test Hackfest Summit & Training (November 2014)
  • 5.
    U Say Dead? ✤Misconception ✤ Bug Bounty Programs ✤ Red Team Arise ✤ Agile Development ✤ Industry 4.0 Technology
  • 6.
    Misconception: U sayPen-test? ✤ We all say “Pen-test” and we all do Pen-test! ✤ Honestly, it was Vulnerability Assessment.
  • 7.
    Misconception: Pen-test.. ✤ Itshould be equal to “Hackers” Activity. ✤ Unlimited scope, unlimited timeframe, unlimited attack vector. (?) ✤ Validate vulnerability (POC), gaining Access, “mass owning”, +social engineering.
  • 8.
    Bug-Bounty Killed Pen-Test? ✤Bug Bounty limited to online target. ✤ Bug Bounty not cover a development state (UAT, SIT). ✤ Bug Bounty not suitable to test private system (send 2FA token for e-banking login to all bounty hunters?).
  • 9.
    Bug-Bounty Needed Pen-Test ✤Some problems for un-prepared company: ✤ A poorly-implemented Bug Bounty will just spoil your relations with the security community and create a bad reputation for your company. ✤ Make sure to have enough technical and human resources to handle, analyze and properly follow-up the submissions. ✤ Hard to specify “Criminals” amongs bounty hunters. ✤ “pen-test 1st, do bounty afterwards”.
  • 11.
    RedTeam Slaughtered Pen-Test? ✤A Red Team Assessment is similar to a penetration test in many ways but is more targeted (simulate an APT). ✤ The goal is to test the organization's detection and response capabilities. ✤ Target are often have penetration tests done, have patched most vulnerabilities, and have generally positive penetration test results. Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues - https://blog.rapid7.com/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/
  • 12.
    RedTeam comply Pen-Test ✤You would not want to use a Penetration Test to judge how well your incident response is and you would not want to perform a Red Team assessment to discover vulnerabilities. Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues - https://blog.rapid7.com/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/
  • 13.
    Pen-test wont workin Agile? Images taken from: https://www.seguetech.com/waterfall-vs-agile-methodology/
  • 14.
    Pen-test won’t workin Agile? “Penetration Testing in Agile Software Development Cycle (scrum framework)” Martin Tomanek and Tomas Klima - https://arxiv.org/ftp/arxiv/papers/1504/1504.00942.pdf
  • 15.
    Pen-test also workin Agile “Penetration Testing in Agile Software Development Cycle (scrum framework)” Martin Tomanek and Tomas Klima - https://arxiv.org/ftp/arxiv/papers/1504/1504.00942.pdf
  • 16.
    Industry 4.0 won’tneed Pen-test? Images taken from: https://www.researchgate.net/profile/Fernando_Deschamps/publication/319944621/figure/download/fig1/AS:613928782532631@1523383436460/ Technologies-for-industry-40.png
  • 18.
  • 19.
    Ahmad Muammar WK,OSCE, OSCP, eMAPT Pen-testing is not Dead! Information Security Awareness Night