Penetration Testing Execution Standard

•

3 j'aime•3,209 vues

Iftach Ian Amit

Technologie

PTES - Why?

RAPE!

Someone call the police...

PTES

• Common language for organizations and
service providers
• Set the bar for a common standard to be
used
• Eliminate hacks (as in run Nessus, generate
report, send to customer, charge $10,000)

PTES - Who?
• As always - started during a long night of
drinking...
• Nickerson (@indi303), Kennedy (author of
SET), me (@iiamit), Gates
(@carnal0wnage),Val (@attackresearch),
Nick (@c7ﬁve), Robin (@digininja), Wim
(@wimremes), Stefan (@stfn42), lots
more... www.pentest-standard.org

PTES - How?
• Basically, deﬁne the basic 7 elements of a pentest:
• Pre-engagement
• Intelligence gathering
• Threat modeling
• Vulnerability Analysis
• Exploitation
• Post exploitation
• Reporting

PTES - How?
• Basically, deﬁne the basic 7 elements of a pentest:
• Pre-engagement
• Intelligence gathering
• Threat modeling
• Vulnerability Analysis
“old” pentesting scope
• Exploitation
• Post exploitation
• Reporting

PTES - initial reactions
• You have to be kidding me

PTES - initial reactions
• You have to be kidding me
• No one does that

PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself

PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work

PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work
• Is this going into PCI/ISO/[someStandard]?

Roadmap
• Catch up on all the “ofﬁcial” news at
www.pentest-standard.org

Roadmap
• Catch up on all the “ofﬁcial” news at
www.pentest-standard.org
• Volunteer! (we need working hands...)

Roadmap
• Catch up on all the “ofﬁcial” news at
www.pentest-standard.org
• Volunteer! (we need working hands...)
• Previous milestone - Shmoocon (Feb 2011)

Roadmap
• Catch up on all the “ofﬁcial” news at
www.pentest-standard.org
• Volunteer! (we need working hands...)
• Previous milestone - Shmoocon (Feb 2011)
• Next milestone - ph-neutral (May 2011)

Contenu connexe

Tendances

Spc trainingPRASHANT KSHIRSAGAR

Norma de Calidad de Mantenimiento al Software AplicativoJack Daniel Cáceres Meza

Norma iso 14598ehe ml

Myths and Challenges of Behaviour Driven DevelopmentPankaj Nakhat

Test and Behaviour Driven Development (TDD/BDD)Lars Thorup

Qc 7 toolsBenardus Simangunsong

ISTQB foundation level - day 2Shuchi Singla AKT,SPC4,PMI-ACP,ITIL(F),CP-AAT

SqaDaiina Navaa

A brief history of software development methodologiesIntetics

Test Strategy and PlanningSachin-QA

Agile Patterns and Anti-PatternsRichard Cheng

STLC-ppt-1.pptxsahithisammeta

Scrum gathering Paris 2013 - test automation strategy for Scrum ProjectsEliane Collins

How to Learn The History of Software Testing Keizo Tatsumi

Entregables de pruebasJesús E. CuRias

Acceptance Test Driven DevelopmentMike Douglas

Behavior Driven Development Pros and ConsIosif Itkin

A importância dos testes unitários: do código legado ao pipeline de testes em...Rodrigo Oliveira, Msc, PMP

DevCamp - O papel de um testador em uma equipe ágilElias Nogueira

4M Analysis PosterOperational Excellence Consulting

Tendances (20)

Spc training

Norma de Calidad de Mantenimiento al Software Aplicativo

Norma iso 14598

Myths and Challenges of Behaviour Driven Development

Test and Behaviour Driven Development (TDD/BDD)

Qc 7 tools

ISTQB foundation level - day 2

Sqa

A brief history of software development methodologies

Test Strategy and Planning

Agile Patterns and Anti-Patterns

STLC-ppt-1.pptx

Scrum gathering Paris 2013 - test automation strategy for Scrum Projects

How to Learn The History of Software Testing

Entregables de pruebas

Acceptance Test Driven Development

Behavior Driven Development Pros and Cons

A importância dos testes unitários: do código legado ao pipeline de testes em...

DevCamp - O papel de um testador em uma equipe ágil

4M Analysis Poster

Similaire à Penetration Testing Execution Standard

Sexy defenseIftach Ian Amit

WTF is Penetration TestingScott Sutherland

DefCamp 2013 - MSF Into The Worm HoleDefCamp

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...GangSeok Lee

The DevOps Panel - Innotech Austin CD SummitErnest Mueller

PyData Texas 2015 KeynotePeter Wang

Just the basics_strata_2013Ken Mwai

Vulnerability management and threat detection by the numbersEoin Keary

Dev secops opsec, devsec, devops ?Kris Buytaert

Network Forensics Backwards and ForwardsSavvius, Inc

Technical Vulnerabilities of Electronic Health RecordsHealth Informatics New Zealand

Slide Deck – Class Session 1 – FRSecure CISSP Mentor ProgramFRSecure

Goto Chicago; Journeys To Cloud Native Architecture: Sun, Sea And Emergencies...OpenCredo

Next generation pentest your company cannot buyVlad Styran

Владимир Стыран - Пентест следующего поколения, который ваша компания не може...UISGCON

ISACA Ethical Hacking Presentation 10/2011Xavier Mertens

Future of BI Deck Lauren Campbell Assoc CIPD

IT security for all. Bootcamp slidesWallarm

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA

Similaire à Penetration Testing Execution Standard (20)

Sexy defense

WTF is Penetration Testing

DefCamp 2013 - MSF Into The Worm Hole

[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...

The DevOps Panel - Innotech Austin CD Summit

PyData Texas 2015 Keynote

Just the basics_strata_2013

Vulnerability management and threat detection by the numbers

Dev secops opsec, devsec, devops ?

Network Forensics Backwards and Forwards

Technical Vulnerabilities of Electronic Health Records

Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program

Goto Chicago; Journeys To Cloud Native Architecture: Sun, Sea And Emergencies...

Next generation pentest your company cannot buy

Владимир Стыран - Пентест следующего поколения, который ваша компания не може...

ISACA Ethical Hacking Presentation 10/2011

Future of BI Deck

IT security for all. Bootcamp slides

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

Plus de Iftach Ian Amit

Cyber Risk Quantification - CyberTLVIftach Ian Amit

Devsecops at CimpressIftach Ian Amit

BSidesTLV Closing KeynoteIftach Ian Amit

Social Media Risk MetricsIftach Ian Amit

ISTS12 KeynoteIftach Ian Amit

From your Pocket to your Heart and BackIftach Ian Amit

Painting a Company Red and BlueIftach Ian Amit

"Cyber" security - all good, no need to worry?Iftach Ian Amit

Armorizing applicationsIftach Ian Amit

Seeing Red In Your Future?Iftach Ian Amit

Hacking cyber-iamitIftach Ian Amit

Passwords good badugly181212-2Iftach Ian Amit

BitcoinIftach Ian Amit

Cyber stateIftach Ian Amit

Advanced Data Exfiltration - the way Q would have done itIftach Ian Amit

Infecting Python BytecodeIftach Ian Amit

Exploiting Second lifeIftach Ian Amit

Dtmf phreakingIftach Ian Amit

Cheating in Computer GamesIftach Ian Amit

Telecommunication basics dc9723Iftach Ian Amit

Plus de Iftach Ian Amit (20)

Cyber Risk Quantification - CyberTLV

Devsecops at Cimpress

BSidesTLV Closing Keynote

Social Media Risk Metrics

ISTS12 Keynote

From your Pocket to your Heart and Back

Painting a Company Red and Blue

"Cyber" security - all good, no need to worry?

Armorizing applications

Seeing Red In Your Future?

Hacking cyber-iamit

Passwords good badugly181212-2

Bitcoin

Cyber state

Advanced Data Exfiltration - the way Q would have done it

Infecting Python Bytecode

Exploiting Second life

Dtmf phreaking

Cheating in Computer Games

Telecommunication basics dc9723

Dernier

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays

MINDCTI Revenue Release Quarter One 2024MIND CTI

TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021

Exploring Multimodal Embeddings with MilvusZilliz

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez

Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

CNIC Information System with Pakdata Cf In Pakistandanishmna97

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra

AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin

MS Copilot expands with MS Graph connectorsNanddeep Nachan

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney

Dernier (20)

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

MINDCTI Revenue Release Quarter One 2024

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Apidays New York 2024 - The value of a flexible API Management solution for O...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Six Myths about Ontologies: The Basics of Formal Ontology

Exploring Multimodal Embeddings with Milvus

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Vector Search -An Introduction in Oracle Database 23ai.pptx

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

CNIC Information System with Pakdata Cf In Pakistan

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Strategies for Landing an Oracle DBA Job as a Fresher

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

AWS Community Day CPH - Three problems of Terraform

MS Copilot expands with MS Graph connectors

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Penetration Testing Execution Standard

1. Penetration Testing Execution Standard Iftach Ian Amit VP Consulting - Security Art Founder - PTES DC9723 March 22nd, 2011

2. Agenda • Why? • Who? • How? • You!

3. PTES - Why?

4. PTES - Why? RAPE!

5. PTES - Why? RAPE! Someone call the police...

6. PTES • Common language for organizations and service providers • Set the bar for a common standard to be used • Eliminate hacks (as in run Nessus, generate report, send to customer, charge $10,000)

7. PTES - Who? • As always - started during a long night of drinking... • Nickerson (@indi303), Kennedy (author of SET), me (@iiamit), Gates (@carnal0wnage),Val (@attackresearch), Nick (@c7ﬁve), Robin (@digininja), Wim (@wimremes), Stefan (@stfn42), lots more... www.pentest-standard.org

8. PTES - How? • Basically, deﬁne the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis • Exploitation • Post exploitation • Reporting

9. PTES - How? • Basically, deﬁne the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis • Exploitation • Post exploitation • Reporting

10. PTES - How? • Basically, deﬁne the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis “old” pentesting scope • Exploitation • Post exploitation • Reporting

11. Pre-Engagement

12. Pre-Engagement

13. Pre-Engagement

14. Intelligence Gathering

15. Intelligence Gathering

16. Intelligence Gathering

17. Threat Modeling

18. Threat Modeling

19. Vulnerability Analysis

20. Vulnerability Analysis

21. Exploitation

22. Exploitation

23. Post-Explotation

24. Post-Explotation

25. Reporting

26. Reporting

27. Reporting

28. PTES - initial reactions

29. PTES - initial reactions • You have to be kidding me

30. PTES - initial reactions • You have to be kidding me • No one does that

31. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself

32. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work

33. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work • Is this going into PCI/ISO/[someStandard]?

34. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work • Is this going into PCI/ISO/[someStandard]? • We already do that

35. Now what?

36. Now what? YOU!

37. Now what? YOU! Yes, you...

38. Roadmap

39. Roadmap • Catch up on all the “ofﬁcial” news at www.pentest-standard.org

40. Roadmap • Catch up on all the “ofﬁcial” news at www.pentest-standard.org • Volunteer! (we need working hands...)

41. Roadmap • Catch up on all the “ofﬁcial” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011)

42. Roadmap • Catch up on all the “ofﬁcial” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011) • Next milestone - ph-neutral (May 2011)

43. Roadmap • Catch up on all the “ofﬁcial” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011) • Next milestone - ph-neutral (May 2011) • Drop the bomb - BlackHat?

Penetration Testing Execution Standard

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Penetration Testing Execution Standard

Similaire à Penetration Testing Execution Standard (20)

Plus de Iftach Ian Amit

Plus de Iftach Ian Amit (20)

Dernier

Dernier (20)

Penetration Testing Execution Standard