Penetration testing must die

•

1 recomendación•879 vistas

BSidesLondon 20th April 2011 - Rory Mccune (@raesene) ----------- "Penetration testing" has become a staple of a the security programmes of a lot of companies around the world and particularly in the UK. Unfortunately in most cases it's poorly understood, the value for customers is minimal and it bears absolutely no resemblence to what a modern attacker would do. So it's time for it to die. ------ for more info about Rory Mccune go to www.7elements.co.uk

Tecnología

PENETRATION TESTING MUST DIE
Rory McCune

INTRODUCTION
• IT/Information Security person for the last 15 years
• Currently a director of 7 Elements ( http://www.7elements.co.uk )
• IT Security consultancy based in Scotland.
• Scottish chapter lead for the OWASP project.

AGENDA
• Why must it die
• Overloaded Terminology.
• Clients aren’t ready.
• Mission Impossible.
• How do you fix it?
• Better Terms.
• Better Scoping.

WHAT’S IN A NAME?
• First thing is to define what we mean by penetration testing
• One definition from Wikipedia “A penetration test, occasionally pentest, is a
method of evaluating the security of a computer system or network by
simulating an attack from a malicious source, known as a Black Hat Hacker, or
Cracker.”

CHARACTERISTICS OF A PENETRATION TEST
• Black-Box
• When we’re assuming the role of an attacker (unless it’s an insider) the
testing should be black box
• Goal based
• Trying to compromise the target system/network/company
• Trade off against coverage of every possible avenue
• Realistic
• Mimicking the “real thing”
• Although…. Which Real thing?

OVERLOADED TERMINOLOGY
• Like many things in security the term “penetration test” is overloaded
• Vulnerability Scans as Penetration Tests
• Web Application Security Assessments as Penetration Tests
• Code Reviews as Penetration Tests
• …

CLIENTS AREN’T READY
• What’s the purpose of a penetration test?
• From above it’s to mimic an attack
• Trade off realism against coverage
• Test controls that should be in place
• Implies that clients are ready for that
• Know what controls should be in place
• Think that they’re operating effectively
• Some (most?) clients want coverage not proof

MISSION IMPOSSIBLE
• Accurately mimicking high-end attackers is increasingly difficult
• Where’s the data?
• Are all their 3 rd parties in-scope?
• Is their cloud providers infrastructure in-scope?
• Out-of bounds methods
• Spear Phishing? Home and work e-mail?
• Renting botnets with zombies already onsite?
• Purchase 0-days for discovered software?
• Time
• Time to develop 0-days for discovered software?

FIXING THE PROBLEM - TERMS
• Use different terms for differing job types
• Vulnerability Scan
• Vulnerability Assessment
• Security Assessment
• Penetration Test

FIXING THE PROBLEM - SCOPING
• Threat modelling needs to be done first.
• Right type of test for the customer
• Assessment style testing for establishing controls in place (less developed
customers).
• Penetration style testing for mature companies to prove what they think
should be in place.
• The Underwriters Lab Approach
• Testing specifies the type of attacker being emulated.
• Specifies what’s not in-scope.
• Resistant for a specified duration.

Más contenido relacionado

La actualidad más candente

Luis Grangeia IBWAS

Luis Grangeia

Type mock isolator

MaslowB

Entrepreneurship for hackers

snyff

DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...

DevSecCon

How to Destroy a Database

John Ashmead

You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/MzwU50A59GD Database security is arguably the most important part of an information security program that many people aren’t paying attention to. Some might assume that network or server security controls are adequate to protect databases. They’re not. Furthermore, gaps in IT governance processes often lead to security policies that aren’t enforced which can directly impact database systems. This is not only creating tangible business risks but it’s also creating numerous compliance gaps. Join IDERA and Kevin Beaver as he walks through how you can be more proactive with database security. He’ll share specific database security oversights he’s finding in his work along with some tips on how to better integrate databases into your overall information risk management initiatives.

Database Security Risks You Might Not Have Considered, but Need To

IDERA Software

DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling

DevSecCon

Many companies develop strong software development practices that include ongoing testing throughout the development lifecycle but fail to account for the testing of security-related use cases. This leads to security controls being tacked on to an application just before it goes to production. With security controls implemented in this manner, more security vulnerabilities will be found with less time to correct them. As more applications move to cloud-based architectures, this will become an even greater problem as some of the protection enjoyed by applications hosted on-premise no longer exists. Jeremy Faircloth discusses a better approach—ensuring that testing throughout the development lifecycle includes the appropriate focus on security controls. Jeremy illustrates this through the establishment of security-related use cases, static code analysis, dynamic analysis, fuzzing, availability testing, and other techniques. Save yourself from last minute security issues by proactively testing the security of your application!

Ensuring Security through Continuous Testing

TechWell

Allegory of the cave(1)

setuid0

Securing the container DevOps pipeline by William Henry

DevSecCon

Black Duck and Tech Contracts Academy discussed the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations. David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and aims to educate on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.

Buyer and Seller Perspectives on Open Source in Tech Contracts

Black Duck by Synopsys

Man in the Binder

nitayart

Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME

jeffmcjunkin

La actualidad más candente (13)

Luis Grangeia IBWAS

Type mock isolator

Entrepreneurship for hackers

DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...

How to Destroy a Database

Database Security Risks You Might Not Have Considered, but Need To

DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling

Ensuring Security through Continuous Testing

Allegory of the cave(1)

Securing the container DevOps pipeline by William Henry

Buyer and Seller Perspectives on Open Source in Tech Contracts

Man in the Binder

Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME

Similar a Penetration testing must die

WTF is Penetration Testing

NetSPI

The_Pentester_Blueprint.pdf

gcara4

Top Security Challenges Facing Credit Unions Today

Chris Gates

Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive. Key Takeaways: -Great places in the user journey to inject security tests - Ways to augment existing test approaches to cover security concerns - Typical security tools that are free, cheap, and easy for software testers

Zen and the art of Security Testing

TEST Huddle

Ethical Hacking and Defense Penetration

Jay Nagar

Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors

Ryan Elkins

This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits. Session 9 of 10 This Webinar focuses on Vulnerability Assessment • Ongoing identification of potential risks and areas of weakness • Hazard Assessment and Risk Identification • Problems in Vulnerability Assessment • Use of Penetration Testing • Network Vulnerability Testing • Web Vulnerability Testing • Wireless War Driving / Walking • Phone Network Testing • Social Engineering Testing • Walk-throughs and Dumpster Diving • Physical Security Auditing

Cyber security series vulnerability assessments

Jim Kaplan CIA CFE

WTF is Penetration Testing

Scott Sutherland

Intro to INFOSEC

Sean Whalen

Started In Security Now I'm Here

Christopher Grayson

2018 FRSecure CISSP Mentor Program Session 9

FRSecure

Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams. Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would. This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.

How an Attacker "Audits" Your Software Systems

Security Innovation

Vulnerability Assessments, Penetration Tests and Red Teaming – Do you know what these tactics are all about? In this session, we will present our understanding of these practices in terms of when to apply them and what to expect. Nowadays, organizations run on top of hundreds, if not thousands, of Information Technology assets with some of them on premise and others cloud based. Having control over all of this is a challenging task. Based on our extensive experience with securing our customers, I will show what real findings and attack trends look like while hopefully, shedding some light on how to be prepared to resist current attacks.

Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...

Core Security

ISOL 536 Security Architecture and Design Threat Modeling Session 6a “Processing Threats” Agenda • When to find threats • Playing chess • How to approach software • Tracking threats and assumptions • Customer/vendor • The API threat model • Reading: Chapter 7 When to Find Threats • Start at the beginning of your project – Create a model of what you’re building – Do a first pass for threats • Dig deep as you work through features – Think about how threats apply to your mitigations • Check your design & model matches as you get close to shipping Attackers Respond to Your Defenses Playing Chess • The ideal attacker will follow the road you defend – Ideal attackers are like spherical cows — they’re a useful model for some things • Real attackers will go around your defenses • Your defenses need to be broad and deep “Orders of Mitigation” Order Threat Mitigation 1st Window smashing Reinforced glass 2nd Window smashing Alarm 3rd Cut alarm wire Heartbeat signal 4th Fake heartbeat Cryptographic signal integrity By Example: • Thus window smashing is a first order threat, cutting alarm wire, a third-order threat • Easy to get stuck arguing about orders • Are both stronger glass & alarms 1st order mitigations? (Who cares?!) • Focus on the concept of interplay between mitigations & further attacks How to Approach Software • Depth first – The most fun and “instinctual” – Keep following threats to see where they go – Can be useful skill development, promoting “flow” • Breadth first – The most conservative use of time • Best when time is limited – Most likely to result in good coverage Tracking Threats and Assumptions • There are an infinite number of ways to structure this • Use the one that works reliably for you • (Hope doesn’t work reliably) Example Threat Tracking Tables Diagram Element Threat Type Threat Bug ID Data flow #4, web server to business logic Tampering Add orders without payment checks 4553 “Need integrity controls on channel” Info disclosure Payment instruments sent in clear 4554 “need crypto” #PCI Threat Type Diagram Element(s) Threat Bug ID Tampering Web browser Attacker modifies our JavaScript order checking 4556 “Add order- checking logic to server” Data flow #2 from browser to server Failure to authenticate 4557 “Add enforce HTTPS everywhere” Both are fine, help you iterate over diagrams in different ways Example Assumption Tracking Assumption Impact if it’s wrong Who to talk to Who’s following up Follow-up by date Bug # It’s ok to ignore denial of service within the data center Availability will be below spec Alice Bob April 15 4555 • Impact is sometimes so obvious it’s not worth filling out • Who to talk to is not always obvious, it’s ok to start out blank • Tracking assumptions in bugs helps you not lose track • Treat the assumption as a bug – you need to resolve it The Customer/Vendor Boundary • There is always.

ISOL 536Security Architecture and DesignThreat Modeling.docx

bagotjesusa

What is penetration testing and career path

Vikram Khanna

Penetration testing & Ethical Hacking

S.E. CTS CERT-GOV-MD

Vulnerability assessment and penetration testing

Abu Sadat Mohammed Yasin

Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door). Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process. Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts. Topics covered include: • Threat Modeling 101 • The propagating effect of poor design • Tabletop exercise – a world with and without threat modeling • Best practices and metrics for every stakeholder

Threat Modeling - Locking the Door to Vulnerabilities

Security Innovation

Software security is best built in. This presentation introduces three essential things to help you design more secure software. In order to have a secure foundation, you can create and select security requirements for your applications using evil user stories and utilizing existing material for example from OWASP. Another useful skill is threat modeling which helps you to assess security already in the design phase. Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus penetration testing to the most risky parts of the system. The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn what kind of security related testing you can do without having any infosec background.

What Every Developer And Tester Should Know About Software Security

Anne Oikarinen

penetration testing

Shitesh Sachan

Similar a Penetration testing must die (20)

WTF is Penetration Testing

The_Pentester_Blueprint.pdf

Top Security Challenges Facing Credit Unions Today

Zen and the art of Security Testing

Ethical Hacking and Defense Penetration

Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors

Cyber security series vulnerability assessments

WTF is Penetration Testing

Intro to INFOSEC

Started In Security Now I'm Here

2018 FRSecure CISSP Mentor Program Session 9

How an Attacker "Audits" Your Software Systems

Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...

ISOL 536Security Architecture and DesignThreat Modeling.docx

What is penetration testing and career path

Penetration testing & Ethical Hacking

Vulnerability assessment and penetration testing

Threat Modeling - Locking the Door to Vulnerabilities

What Every Developer And Tester Should Know About Software Security

penetration testing

Más de Security BSides London

Security YMCA

Security BSides London

Your money, your media a DRMtastic (reverse|re) eng. tutorial

Security BSides London

You built a security castle and forgot the bridge…now users are climbing your...

Security BSides London

BSidesLondon 20th April 2011 - David Rook (@securityninja) ----------------------- This demonstration filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move onto exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio. ---- for more about David go to http://www.securityninja.co.uk/ ---- for more about Agnito go to http://sourceforge.net/projects/agnitiotool/

Agnitio: its static analysis, but not as we know it

Security BSides London

BSidesLondon 20th April 2011 - Jim Shields (@JimShout) Note: watch this video before the presentation http://vimeo.com/22580155 --------------------------- addressing the human factor with Jim from Twist & Shout, Jim not only shared his technical expertise recording the BSides sessions but also share some useful insight of "user awareness" ------ due to copyright issues, many of the images/clips cannot be shown ------------ for more about Jim www.twistandshout.co.uk

The Funny Thing About Information Security

Security BSides London

Breaking out of restricted RDP

Security BSides London

BSidesLondon 20th April 2011 - Steve Lord (@stevelord) ---------------------------------------------------------------- The majority of Penetration testing teams have staff falling into 3 of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynicists. This is a talk about improving penetration testing skills to get to the rare fourth Jedi master level normally occupied by less than 1% of the team where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session. ---- for more about Steve http://www.mandalorian.com

Breaking, Entering and Pentesting

Security BSides London

BSidesLondon 20th April 2011 - Xavier Mertens (@xme) ======================== Your IT infrastructure generates thousands(millions?) of events a day. They are stored in several places under multiple forms and contain a lot of very interesting information. Using free tools, This presentation will give you some ideas how to properly manage this continuous flow of information and how to make them more valuable. for more about Xavier http://blog.rootshell.be

All your logs are belong to you!

Security BSides London

BSidesLondon 20th April 2011 - Justin Clarke (@connectjunkie) ---------------------------------------------------------------------- This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. --- for more about Justin http://www.gdssecurity.com

Practical Crypto Attacks Against Web Applications

Security BSides London

BSidesLondon 20th April 2011 - David Rook and Chris Wysopal (@securityninja & @WeldPond) -------------------------------------------------------------------- From the perspective of both an employee of a financial transaction provider and a security vendor, this presentation will focus on how to effectively sell the business value of application security to executives, middle management, and development groups -----------for more about David & Chris go to http://www.securityninja.co.uk/blog http://www.veracode.com/blog/

Jedi mind tricks for building application security programs

Security BSides London

BSidesLondon 20Th April 2011 - Arron "finux" Finnon --------------------------------------------------------------------- The presentations aim is to talk about how simple it is to deploy DNS Tunnelling infrastructure at little or no cost. Also shows how to establish a ssh connection from target to attacker, and act as a taster for peoples further research. ----- for more about @F1nux go to www.finux.co.uk

Dns tunnelling its all in the name

Security BSides London

BSidesLondon 20th April 2011- @Jimmy Blake ----------------------------------------------------------------- The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks? ---- for more about Jimmy jimmyblake.com

Cloud computing due diligence WTF?

Security BSides London

Más de Security BSides London (12)

Security YMCA

Your money, your media a DRMtastic (reverse|re) eng. tutorial

You built a security castle and forgot the bridge…now users are climbing your...

Agnitio: its static analysis, but not as we know it

The Funny Thing About Information Security

Breaking out of restricted RDP

Breaking, Entering and Pentesting

All your logs are belong to you!

Practical Crypto Attacks Against Web Applications

Jedi mind tricks for building application security programs

Dns tunnelling its all in the name

Cloud computing due diligence WTF?

Último

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Real Time Object Detection Using Open CV

Khem

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Penetration testing must die

1. PENETRATION TESTING MUST DIE Rory McCune

2. INTRODUCTION • IT/Information Security person for the last 15 years • Currently a director of 7 Elements ( http://www.7elements.co.uk ) • IT Security consultancy based in Scotland. • Scottish chapter lead for the OWASP project.

3. AGENDA • Why must it die • Overloaded Terminology. • Clients aren’t ready. • Mission Impossible. • How do you fix it? • Better Terms. • Better Scoping.

4. WHAT’S IN A NAME? • First thing is to define what we mean by penetration testing • One definition from Wikipedia “A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.”

5. CHARACTERISTICS OF A PENETRATION TEST • Black-Box • When we’re assuming the role of an attacker (unless it’s an insider) the testing should be black box • Goal based • Trying to compromise the target system/network/company • Trade off against coverage of every possible avenue • Realistic • Mimicking the “real thing” • Although…. Which Real thing?

6. OVERLOADED TERMINOLOGY • Like many things in security the term “penetration test” is overloaded • Vulnerability Scans as Penetration Tests • Web Application Security Assessments as Penetration Tests • Code Reviews as Penetration Tests • …

7. CLIENTS AREN’T READY • What’s the purpose of a penetration test? • From above it’s to mimic an attack • Trade off realism against coverage • Test controls that should be in place • Implies that clients are ready for that • Know what controls should be in place • Think that they’re operating effectively • Some (most?) clients want coverage not proof

8. MISSION IMPOSSIBLE • Accurately mimicking high-end attackers is increasingly difficult • Where’s the data? • Are all their 3 rd parties in-scope? • Is their cloud providers infrastructure in-scope? • Out-of bounds methods • Spear Phishing? Home and work e-mail? • Renting botnets with zombies already onsite? • Purchase 0-days for discovered software? • Time • Time to develop 0-days for discovered software?

9. FIXING THE PROBLEM - TERMS • Use different terms for differing job types • Vulnerability Scan • Vulnerability Assessment • Security Assessment • Penetration Test

10. FIXING THE PROBLEM - SCOPING • Threat modelling needs to be done first. • Right type of test for the customer • Assessment style testing for establishing controls in place (less developed customers). • Penetration style testing for mature companies to prove what they think should be in place. • The Underwriters Lab Approach • Testing specifies the type of attacker being emulated. • Specifies what’s not in-scope. • Resistant for a specified duration.

Penetration testing must die

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (13)

Similar a Penetration testing must die

Similar a Penetration testing must die (20)

Más de Security BSides London

Más de Security BSides London (12)

Último

Último (20)

Penetration testing must die