SlideShare a Scribd company logo

Penetration Testing; A customers perspective

Download as PPTX, PDF
Phil Huggins FBCS CITP
Phil Huggins FBCS CITP

A short presentation to my internal peer group on some of the potential shortcomings of current penetration testing practices and what might be done about it.

Technology
1 of 8
A customers perspective 1 Internal Practitioners Conference, May 2013 Phil Huggins
I have been  Infrastructure penetration tester - late 90s  Application penetration tester – early 00s  Security Architect – till now  Client-side advice  LargeGovernment & Commercial Programmes of work  Handling: ▪ System suppliers ▪ Pen test suppliers ▪ Client andThird Party security stakeholders ▪ ClientOperational teams ▪ Client Project teams  I am an unusual customer of pen tests  I understand what I’m buying and why. 2
3 Gather Information Expert Schema Insight Define Action Scan & Exploit Characterise Vulnerabilities Understand Causes & Impacts Recommend Prioritised Mitigations SENSEMAKING PENETRATION TESTING
 Team of technical guys with CREST,TIGER or CHECK certifications  A written methodology owned by the test company  A lot of pen testing tools  A week or two of technical work  A week of report writing 4
 Executive summary  At least one graph  Names of the pen testers involved  Description of the commercial scope  Extensive prose account of what was done  Screen shots of tools / error messages  A table of vulnerabilities  Mapped to CVE numbers  Some form of risk / RAG status  A technical resolution  A description of recommended further work 5
 High day rates for good testers  Poor margins as salaries are high  Quality can be very variable  Same testers over time  Between testers  Across companies  Focus on fail results  What tests were conducted and passed?  Focus on 0-day  What threat model was used?  Skipping the insight  Little or no understanding of causes and impacts  Only two parts of the report actually required  Summary  Vulnerability table 6
 Better customers  Security requirements  Better information gathering:  Automation of low hanging fruit  Recording of manual testing  Supply of automation scripts, raw results & manual recordings to customer  Better insight  Explicit threat model  Understanding of operational processes  Understanding of customer business  Better reporting  Vulnerability tables in excel  Record full scope  Vulnerability Metrics: ▪ Ease of exploit ▪ Complexity of fix ▪ Extent of compromise 7
http://blog.blackswansecurity.com 8

Recommended

Risks of Risk-Based Testing
Risks of Risk-Based TestingRisks of Risk-Based Testing
Risks of Risk-Based Testing
rrice2000
 
Positivityofnegative
PositivityofnegativePositivityofnegative
Positivityofnegative
pramodkg
 
Kasper Hanselman - Imagination is More Important Than Knowledge
Kasper Hanselman - Imagination is More Important Than KnowledgeKasper Hanselman - Imagination is More Important Than Knowledge
Kasper Hanselman - Imagination is More Important Than Knowledge
TEST Huddle
 
Defect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarDefect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft Webinar
XBOSoft
 
Root cause Analysis of Defects
Root cause Analysis of DefectsRoot cause Analysis of Defects
Root cause Analysis of Defects
David Gevorgyan
 
Advanced Defect Management
Advanced Defect ManagementAdvanced Defect Management
Advanced Defect Management
Sabarinath Venugopalan
 
Mt s13 defect_management
Mt s13 defect_managementMt s13 defect_management
Mt s13 defect_management
TestingGeeks
 
Defect MgmtBugDay Bangkok 2009: Defect Management
Defect MgmtBugDay Bangkok 2009: Defect ManagementDefect MgmtBugDay Bangkok 2009: Defect Management
Defect MgmtBugDay Bangkok 2009: Defect Management
guest476528
 

Recommended

Risks of Risk-Based Testing
Risks of Risk-Based TestingRisks of Risk-Based Testing
Risks of Risk-Based Testing
rrice2000
 
Positivityofnegative
PositivityofnegativePositivityofnegative
Positivityofnegative
pramodkg
 
Kasper Hanselman - Imagination is More Important Than Knowledge
Kasper Hanselman - Imagination is More Important Than KnowledgeKasper Hanselman - Imagination is More Important Than Knowledge
Kasper Hanselman - Imagination is More Important Than Knowledge
TEST Huddle
 
Defect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarDefect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft Webinar
XBOSoft
 
Root cause Analysis of Defects
Root cause Analysis of DefectsRoot cause Analysis of Defects
Root cause Analysis of Defects
David Gevorgyan
 
Advanced Defect Management
Advanced Defect ManagementAdvanced Defect Management
Advanced Defect Management
Sabarinath Venugopalan
 
Mt s13 defect_management
Mt s13 defect_managementMt s13 defect_management
Mt s13 defect_management
TestingGeeks
 
Defect MgmtBugDay Bangkok 2009: Defect Management
Defect MgmtBugDay Bangkok 2009: Defect ManagementDefect MgmtBugDay Bangkok 2009: Defect Management
Defect MgmtBugDay Bangkok 2009: Defect Management
guest476528
 
Put Risk Based Testing in place right now!
Put Risk Based Testing in place right now!Put Risk Based Testing in place right now!
Put Risk Based Testing in place right now!
SQALab
 
Grace slideshare
Grace slideshareGrace slideshare
Grace slideshare
Grace Lukezic
 
Test Team Responsibilities
Test Team ResponsibilitiesTest Team Responsibilities
Test Team Responsibilities
ANKUR-BA
 
Better Software Classic Testing Mistakes
Better Software Classic Testing MistakesBetter Software Classic Testing Mistakes
Better Software Classic Testing Mistakes
nazeer pasha
 
Negative Testing
Negative TestingNegative Testing
Negative Testing
Mindfire Solutions
 
Session 08 - Test Case Design and Technique
Session 08 - Test Case Design and TechniqueSession 08 - Test Case Design and Technique
Session 08 - Test Case Design and Technique
PoojaLQA
 
Risk and Testing
Risk and TestingRisk and Testing
Risk and Testing
NolaCita
 
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
Ho Chi Minh City Software Testing Club
 
But Did You Test It
But Did You Test ItBut Did You Test It
But Did You Test It
Ruth Blakely
 
Introduction to Software Testing - Part 2
Introduction to Software Testing - Part 2Introduction to Software Testing - Part 2
Introduction to Software Testing - Part 2
Sachin-QA
 
[HCMC STC Jan 2015] Risk-Based Software Testing Approaches
[HCMC STC Jan 2015] Risk-Based Software Testing Approaches[HCMC STC Jan 2015] Risk-Based Software Testing Approaches
[HCMC STC Jan 2015] Risk-Based Software Testing Approaches
Ho Chi Minh City Software Testing Club
 
IoT Device Security
IoT Device SecurityIoT Device Security
IoT Device Security
Witekio
 
Practical Application Of Risk Based Testing Methods
Practical Application Of Risk Based Testing MethodsPractical Application Of Risk Based Testing Methods
Practical Application Of Risk Based Testing Methods
Reuben Korngold
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
Cigital
 
Java performance monitoring
Java performance monitoringJava performance monitoring
Java performance monitoring
Manigandan Venkataraman
 
Test beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause AnalysisTest beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause Analysis
PractiTest
 
Manual Testing
Manual TestingManual Testing
Manual Testing
JobItDesk01
 
From Defect Reporting To Defect Prevention
From Defect Reporting To Defect PreventionFrom Defect Reporting To Defect Prevention
From Defect Reporting To Defect Prevention
Sune Gynthersen
 
Testing Metrics and why Managers like them
Testing Metrics and why Managers like themTesting Metrics and why Managers like them
Testing Metrics and why Managers like them
PractiTest
 
Introduction to Hacktivism
Introduction to HacktivismIntroduction to Hacktivism
Introduction to Hacktivism
Phil Huggins FBCS CITP
 
First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]
Phil Huggins FBCS CITP
 
Countering Cyber Threats
Countering Cyber ThreatsCountering Cyber Threats
Countering Cyber Threats
Phil Huggins FBCS CITP
 

More Related Content

What's hot

Better Software Classic Testing Mistakes
Better Software Classic Testing MistakesBetter Software Classic Testing Mistakes
Better Software Classic Testing Mistakes
nazeer pasha
 
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
Ho Chi Minh City Software Testing Club
 
Practical Application Of Risk Based Testing Methods
Practical Application Of Risk Based Testing MethodsPractical Application Of Risk Based Testing Methods
Practical Application Of Risk Based Testing Methods
Reuben Korngold
 

What's hot (19)

Put Risk Based Testing in place right now!
Put Risk Based Testing in place right now!Put Risk Based Testing in place right now!
Put Risk Based Testing in place right now!
 
Grace slideshare
Grace slideshareGrace slideshare
Grace slideshare
 
Test Team Responsibilities
Test Team ResponsibilitiesTest Team Responsibilities
Test Team Responsibilities
 
Better Software Classic Testing Mistakes
Better Software Classic Testing MistakesBetter Software Classic Testing Mistakes
Better Software Classic Testing Mistakes
 
Negative Testing
Negative TestingNegative Testing
Negative Testing
 
Session 08 - Test Case Design and Technique
Session 08 - Test Case Design and TechniqueSession 08 - Test Case Design and Technique
Session 08 - Test Case Design and Technique
 
Risk and Testing
Risk and TestingRisk and Testing
Risk and Testing
 
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
[HCMC STC Jan 2015] Making IT Count – Agile Test Metrics
 
But Did You Test It
But Did You Test ItBut Did You Test It
But Did You Test It
 
Introduction to Software Testing - Part 2
Introduction to Software Testing - Part 2Introduction to Software Testing - Part 2
Introduction to Software Testing - Part 2
 
[HCMC STC Jan 2015] Risk-Based Software Testing Approaches
[HCMC STC Jan 2015] Risk-Based Software Testing Approaches[HCMC STC Jan 2015] Risk-Based Software Testing Approaches
[HCMC STC Jan 2015] Risk-Based Software Testing Approaches
 
IoT Device Security
IoT Device SecurityIoT Device Security
IoT Device Security
 
Practical Application Of Risk Based Testing Methods
Practical Application Of Risk Based Testing MethodsPractical Application Of Risk Based Testing Methods
Practical Application Of Risk Based Testing Methods
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
 
Java performance monitoring
Java performance monitoringJava performance monitoring
Java performance monitoring
 
Test beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause AnalysisTest beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause Analysis
 
Manual Testing
Manual TestingManual Testing
Manual Testing
 
From Defect Reporting To Defect Prevention
From Defect Reporting To Defect PreventionFrom Defect Reporting To Defect Prevention
From Defect Reporting To Defect Prevention
 
Testing Metrics and why Managers like them
Testing Metrics and why Managers like themTesting Metrics and why Managers like them
Testing Metrics and why Managers like them
 

Viewers also liked

Viewers also liked (20)

Introduction to Hacktivism
Introduction to HacktivismIntroduction to Hacktivism
Introduction to Hacktivism
 
First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]
 
Countering Cyber Threats
Countering Cyber ThreatsCountering Cyber Threats
Countering Cyber Threats
 
Measuring black boxes
Measuring black boxesMeasuring black boxes
Measuring black boxes
 
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
 
Resilience is the new cyber security
Resilience is the new cyber securityResilience is the new cyber security
Resilience is the new cyber security
 
First Response - Session 11 - Incident Response [2004]
First Response - Session 11 - Incident Response [2004]First Response - Session 11 - Incident Response [2004]
First Response - Session 11 - Incident Response [2004]
 
Security Metrics [2008]
Security Metrics [2008]Security Metrics [2008]
Security Metrics [2008]
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]
 
Security Analytics Beyond Cyber
Security Analytics Beyond CyberSecurity Analytics Beyond Cyber
Security Analytics Beyond Cyber
 
PIANOS: Protecting Information About Networks The Organisation and It's Syste...
PIANOS: Protecting Information About Networks The Organisation and It's Syste...PIANOS: Protecting Information About Networks The Organisation and It's Syste...
PIANOS: Protecting Information About Networks The Organisation and It's Syste...
 
Delivering Secure Projects
Delivering Secure ProjectsDelivering Secure Projects
Delivering Secure Projects
 
Probability Calibration
Probability CalibrationProbability Calibration
Probability Calibration
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Intelligence-led Cybersecurity
Intelligence-led Cybersecurity Intelligence-led Cybersecurity
Intelligence-led Cybersecurity
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
 
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
 
PIANOS: Protecting Information About Networks The Organisation and It's Systems
PIANOS: Protecting Information About Networks The Organisation and It's Systems PIANOS: Protecting Information About Networks The Organisation and It's Systems
PIANOS: Protecting Information About Networks The Organisation and It's Systems
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber Shocks
 
UK Legal Framework (2003)
UK Legal Framework (2003)UK Legal Framework (2003)
UK Legal Framework (2003)
 

Similar to Penetration Testing; A customers perspective

Resume_Pallavi_Updated
Resume_Pallavi_UpdatedResume_Pallavi_Updated
Resume_Pallavi_Updated
Pallavi Nayak
 
Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...
Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...
Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...
VIJAYA BHASKARA VARMA YARAKARAJU
 

Similar to Penetration Testing; A customers perspective (20)

Risk Driven Testing
Risk Driven TestingRisk Driven Testing
Risk Driven Testing
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Risk Based Testing: Deferring the Right Bugs
Risk Based Testing: Deferring the Right BugsRisk Based Testing: Deferring the Right Bugs
Risk Based Testing: Deferring the Right Bugs
 
Independent verification & validation presented by Maneat v02
Independent verification & validation presented by Maneat v02Independent verification & validation presented by Maneat v02
Independent verification & validation presented by Maneat v02
 
Resume_Pallavi_Updated
Resume_Pallavi_UpdatedResume_Pallavi_Updated
Resume_Pallavi_Updated
 
How to build confidence in your release cycle
How to build confidence in your release cycleHow to build confidence in your release cycle
How to build confidence in your release cycle
 
Test_Engineer
Test_EngineerTest_Engineer
Test_Engineer
 
! Testing for agile teams
! Testing for agile teams! Testing for agile teams
! Testing for agile teams
 
Test Management Montioring Control
Test Management Montioring ControlTest Management Montioring Control
Test Management Montioring Control
 
Test Management Montioring Control
Test Management Montioring ControlTest Management Montioring Control
Test Management Montioring Control
 
Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...
Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...
Fear, Uncertainty And Doubt Overcoming These In Choosing An Offshore Qa & Tes...
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
Rakesh Resume
Rakesh ResumeRakesh Resume
Rakesh Resume
 
Fundamentals_of_Software_testing.pptx
Fundamentals_of_Software_testing.pptxFundamentals_of_Software_testing.pptx
Fundamentals_of_Software_testing.pptx
 
Software Testing Interview Questions For Experienced
Software Testing Interview Questions For ExperiencedSoftware Testing Interview Questions For Experienced
Software Testing Interview Questions For Experienced
 
Kumari Meenu_Test Analyst
Kumari Meenu_Test AnalystKumari Meenu_Test Analyst
Kumari Meenu_Test Analyst
 
Q Labs Webinar on Testcase Prioritization [Feb 20, 2009]
Q Labs Webinar on Testcase Prioritization [Feb 20, 2009]Q Labs Webinar on Testcase Prioritization [Feb 20, 2009]
Q Labs Webinar on Testcase Prioritization [Feb 20, 2009]
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Agile testing practice
Agile testing practiceAgile testing practice
Agile testing practice
 

Recently uploaded

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Penetration Testing; A customers perspective

  • 1. A customers perspective 1 Internal Practitioners Conference, May 2013 Phil Huggins
  • 2. I have been  Infrastructure penetration tester - late 90s  Application penetration tester – early 00s  Security Architect – till now  Client-side advice  LargeGovernment & Commercial Programmes of work  Handling: ▪ System suppliers ▪ Pen test suppliers ▪ Client andThird Party security stakeholders ▪ ClientOperational teams ▪ Client Project teams  I am an unusual customer of pen tests  I understand what I’m buying and why. 2
  • 4.  Team of technical guys with CREST,TIGER or CHECK certifications  A written methodology owned by the test company  A lot of pen testing tools  A week or two of technical work  A week of report writing 4
  • 5.  Executive summary  At least one graph  Names of the pen testers involved  Description of the commercial scope  Extensive prose account of what was done  Screen shots of tools / error messages  A table of vulnerabilities  Mapped to CVE numbers  Some form of risk / RAG status  A technical resolution  A description of recommended further work 5
  • 6.  High day rates for good testers  Poor margins as salaries are high  Quality can be very variable  Same testers over time  Between testers  Across companies  Focus on fail results  What tests were conducted and passed?  Focus on 0-day  What threat model was used?  Skipping the insight  Little or no understanding of causes and impacts  Only two parts of the report actually required  Summary  Vulnerability table 6
  • 7.  Better customers  Security requirements  Better information gathering:  Automation of low hanging fruit  Recording of manual testing  Supply of automation scripts, raw results & manual recordings to customer  Better insight  Explicit threat model  Understanding of operational processes  Understanding of customer business  Better reporting  Vulnerability tables in excel  Record full scope  Vulnerability Metrics: ▪ Ease of exploit ▪ Complexity of fix ▪ Extent of compromise 7