Penetration Testing: A customer's perspective
Internal Practitioners Conference, May 2013
Phil Huggins
I have been:

- Infrastructure penetration tester - late 90s
- Application penetration tester - early 00s
- Security Architect - till now
  - Client-side advice
  - Large Government & Commercial Programmes of work
  - Handling:
    - System suppliers
    - Pen test suppliers
    - Client and Third Party security stakeholders
    - Client Operational teams
    - Client Project teams
- I am an unusual customer of pen tests
- I understand what I'm buying and why.
Diagram: the sensemaking loop mapped onto penetration testing, stage by stage.

  Sensemaking          Penetration testing
  Gather information   Scan & exploit
  Expert schema        Characterise vulnerabilities
  Insight              Understand causes & impacts
  Define action        Recommend prioritised mitigations
- Team of technical guys with CREST, TIGER or CHECK certifications
- A written methodology owned by the test company
- A lot of pen testing tools
- A week or two of technical work
- A week of report writing
- Executive summary
- At least one graph
- Names of the pen testers involved
- Description of the commercial scope
- Extensive prose account of what was done
- Screen shots of tools / error messages
- A table of vulnerabilities
  - Mapped to CVE numbers
  - Some form of risk / RAG status
  - A technical resolution
- A description of recommended further work
- High day rates for good testers
- Poor margins, as salaries are high
- Quality can be very variable:
  - Same testers over time
  - Between testers
  - Across companies
- Focus on fail results
  - What tests were conducted and passed?
- Focus on 0-day
  - What threat model was used?
- Skipping the insight
  - Little or no understanding of causes and impacts
- Only two parts of the report are actually required:
  - Summary
  - Vulnerability table
- Better customers
  - Security requirements
- Better information gathering:
  - Automation of low hanging fruit
  - Recording of manual testing
  - Supply of automation scripts, raw results & manual recordings to the customer
- Better insight
  - Explicit threat model
  - Understanding of operational processes
  - Understanding of the customer's business
- Better reporting
  - Vulnerability tables in Excel
  - Record the full scope
  - Vulnerability metrics:
    - Ease of exploit
    - Complexity of fix
    - Extent of compromise
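An added example, not code from the slides, of what the reporting points above and the "what was conducted and passed?" complaint look like once the supplier hands over data rather than prose. It assumes two constructed CSV exports: a vulnerability table scored 1 to 5 on ease of exploit, complexity of fix and extent of compromise, and a scope record listing every in-scope test with its outcome. The exposure formula (ease times extent), the RAG thresholds and the column names are assumptions for illustration; none of it is a real report.

```python
"""Prioritise and cross-check a machine-readable pen test report.

Added example, not from the original slides. Assumes a vulnerability table
scored 1..5 on the three metrics the talk asks for, plus a scope record of
every test that was in scope and whether it passed, failed or was not run.
Both CSV blocks are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass

FINDINGS_CSV = """\
id,host,title,ease_of_exploit,complexity_of_fix,extent_of_compromise
F1,web01,Verbose error pages disclose stack traces,5,1,1
F2,web01,SQL injection in search parameter,4,3,5
F3,db01,Database port reachable from user VLAN,3,4,5
F4,app02,Session cookie missing Secure flag,5,1,2
F5,mail01,Weak TLS cipher suites offered,3,2,2
"""

SCOPE_CSV = """\
test_id,description,result,finding_ids
T01,Authentication bypass on web01 login,pass,
T02,Injection in web01 search,fail,F2
T03,Error handling on web01,fail,F1
T04,Network segmentation of db01,fail,F3
T05,Cookie attributes on app02,fail,F4
T06,TLS configuration on mail01,fail,F5
T07,Privilege escalation on app02 host,pass,
T08,Password policy review,not_tested,
T09,Outbound filtering from db01,pass,
T10,Backup share permissions,not_tested,
"""


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    title: str
    ease_of_exploit: int       # 1 = needs a skilled chain, 5 = point and click
    complexity_of_fix: int     # 1 = config change, 5 = redesign
    extent_of_compromise: int  # 1 = minor leak, 5 = full control of host/data

    def exposure(self) -> int:
        """Likelihood-times-impact proxy (1..25) used for ordering. Assumed formula."""
        return self.ease_of_exploit * self.extent_of_compromise

    def rag(self) -> str:
        """RAG band from exposure; thresholds are assumed and should be agreed."""
        e = self.exposure()
        return "RED" if e >= 15 else "AMBER" if e >= 6 else "GREEN"


def parse_findings(text: str) -> list[Finding]:
    return [Finding(r["id"], r["host"], r["title"], int(r["ease_of_exploit"]),
                    int(r["complexity_of_fix"]), int(r["extent_of_compromise"]))
            for r in csv.DictReader(io.StringIO(text))]


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest exposure first; among equals, the cheaper fix first (quick wins)."""
    return sorted(findings, key=lambda f: (-f.exposure(), f.complexity_of_fix, f.id))


def coverage_summary(scope_text: str) -> dict:
    """What was in scope, how much was actually tried, and what passed."""
    counts = {"pass": 0, "fail": 0, "not_tested": 0}
    for r in csv.DictReader(io.StringIO(scope_text)):
        counts[r["result"]] += 1
    total = sum(counts.values())
    tested = counts["pass"] + counts["fail"]
    return {**counts, "total": total, "tested_pct": round(100 * tested / total)}


def reconcile(findings: list[Finding], scope_text: str) -> list[str]:
    """Cross-check the two tables: every finding must trace to a failed test and
    every failed test must cite a finding. Anything else is a reporting gap."""
    cited: set[str] = set()
    problems = []
    for r in csv.DictReader(io.StringIO(scope_text)):
        ids = [x for x in r["finding_ids"].split(";") if x]
        cited.update(ids)
        if r["result"] == "fail" and not ids:
            problems.append(f"{r['test_id']}: failed but cites no finding")
        if r["result"] != "fail" and ids:
            problems.append(f"{r['test_id']}: cites findings but did not fail")
    problems += [f"{f.id}: not traceable to any test in scope"
                 for f in findings if f.id not in cited]
    return problems


if __name__ == "__main__":
    found = parse_findings(FINDINGS_CSV)
    for n, f in enumerate(prioritise(found), 1):
        print(n, f.id, f.host, f.rag(), f"exposure={f.exposure()} fix={f.complexity_of_fix}", f.title)
    print("coverage:", coverage_summary(SCOPE_CSV))
    print("gaps:", reconcile(found, SCOPE_CSV) or "none")
```

The point of the two tables is that the customer can answer the questions the prose report does not: the scope record shows the passes and the untested items alongside the failures, and reconcile() catches a finding with no test behind it or a failed test that never made it into the vulnerability table.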
http://blog.blackswansecurity.com