Vikas Raina©    Security Expert Advisory Council©

Is Penetration testing worth it?

Scope: Come on, let's be practical and do a real pen test.

There are security experts generally who insist penetration testing is essential for network 
security, and you have no hope of being secure unless you do it regularly. And there are 
contrarian security experts who tell you penetration testing is a waste of time; you might as 
well throw your money away. Both of these views are wrong. The reality of penetration testing 
is more complicated and nuanced.  

Penetration testing is a broad term. It might mean breaking into a network to demonstrate you 
can. It might mean trying to break into a network to document vulnerabilities. It might 
involve a remote attack, physical penetration of a data center or social engineering attacks. 
It might use commercial or proprietary vulnerability scanning tools, or rely on skilled white‐
hat hackers. It might just evaluate software version numbers and patch levels, and make 
inferences about vulnerabilities.  

It's going to be expensive, and you'll get a thick report when the testing is done. Tools and 
the right people play a major role, because management wants to see what is really bad for the business. 

And that's the real problem. You really don't want a thick report documenting all the ways 
your network is insecure. You don't have the budget to fix them all, so the document will sit 
around waiting to make someone look bad. Or, even worse, it'll be discovered in a breach 
lawsuit. Do you really want an opposing attorney to ask you to explain why you paid to 
document the security holes in your network, and then didn't fix them? Probably the safest 
thing you can do with the report, after you read it, is shred it.  

Given enough time and money, a pen test will find vulnerabilities; there's no point in proving 
it. And if you're not going to fix all the uncovered vulnerabilities, there's no point 
uncovering them. But there is a way to do penetration testing usefully. For years I've been 
saying security consists of protection, detection and response, and you need all three to have 
good security. Before you can do a good job with any of these, you have to assess your 
security. And done right, penetration testing is a key component of a security assessment.  

I like to restrict penetration testing to the most commonly exploited critical 
vulnerabilities, like those found on the SANS Top 20 list. If you have any of those 
vulnerabilities, you really need to fix them.  
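Two of the points above lend themselves to a small worked example: a test that "just evaluates software version numbers and patch levels, and makes inferences about vulnerabilities", and the advice to restrict the exercise to a short list of critical, commonly exploited issues. The script below is an added example, not code from the essay or from any project it mentions. It compares a constructed software inventory against a constructed critical list (the issue ids, products, hosts and versions are all made up for illustration and are not real CVEs or real fixed versions) and reports only the hosts that fall below the fixed version for a listed issue, which is exactly the "know whether a certain vulnerability is present because you're going to fix it" case.

```python
"""Patch-level inference scoped to a short critical list.

Added example (not from the original essay). Every host name, product,
version and issue id below is constructed for illustration; the issue ids
are hypothetical labels, not real CVE numbers, and the fixed-in versions
are not real advisory data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class CriticalIssue:
    issue_id: str   # hypothetical label, not a real CVE
    product: str
    fixed_in: str   # first version that contains the fix (constructed)


# Constructed "critical list": the scoped set the essay recommends testing against.
CRITICAL_LIST = [
    CriticalIssue("EXAMPLE-0001", "openssh", "9.3p2"),
    CriticalIssue("EXAMPLE-0002", "apache-httpd", "2.4.58"),
    CriticalIssue("EXAMPLE-0003", "log4j", "2.17.1"),
]

# Constructed inventory: (host, product, version) as a scanner or CMDB export would list it.
INVENTORY = [
    ("web-01", "apache-httpd", "2.4.57"),
    ("web-02", "apache-httpd", "2.4.58"),
    ("bastion", "openssh", "9.3p1"),
    ("jump", "openssh", "9.6p1"),
    ("app-01", "log4j", "2.17.1"),
    ("app-02", "log4j", "2.14.1"),
    ("app-03", "nginx", "1.24.0"),   # not on the critical list, so deliberately ignored
]


def version_key(version):
    """Turn a version string into a tuple that compares sensibly.

    Numeric runs compare as integers and alphabetic runs as strings, so
    '9.3p2' > '9.3p1' and '2.4.58' > '2.4.57'. A missing trailing component
    compares lower ('2.4' < '2.4.1'). Caveat: any alphabetic suffix sorts
    after the bare number, so pre-release tags such as '1.0rc1' would wrongly
    rank above '1.0'; a production tool needs a per-product version scheme.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_below_fix(installed, fixed_in):
    """True when the installed version predates the version carrying the fix."""
    return version_key(installed) < version_key(fixed_in)


def scoped_findings(inventory, critical_list):
    """Return (host, product, installed, issue_id, fixed_in) for each inventory
    row whose installed version is below the fix for a listed critical issue.

    Products that are not on the critical list never produce a finding, which
    is the point: the report only contains items the organisation has already
    decided it will fix.
    """
    by_product = {}
    for issue in critical_list:
        by_product.setdefault(issue.product, []).append(issue)
    findings = []
    for host, product, installed in inventory:
        for issue in by_product.get(product, []):
            if is_below_fix(installed, issue.fixed_in):
                findings.append((host, product, installed, issue.issue_id, issue.fixed_in))
    return findings


def main():
    findings = scoped_findings(INVENTORY, CRITICAL_LIST)
    if not findings:
        print("No hosts below the fixed version for any listed critical issue.")
        return
    print("Hosts to fix (scoped to the critical list):")
    for host, product, installed, issue_id, fixed_in in findings:
        print(f"  {host:8} {product:13} {installed:8} -> {issue_id}: upgrade to {fixed_in}")


if __name__ == "__main__":
    main()
```

The output is a fix list, not a catalogue of everything that is wrong: a host running a product that is not on the critical list produces nothing, and a host already at or above the fixed version produces nothing. That keeps the report short enough to act on, which is the essay's condition for the exercise being worth doing at all.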

If you think about it, penetration testing is an odd business. Is there an analogue to it 
anywhere else in security? Sure, militaries run these exercises all the time, but how about in 
business? Do we hire burglars to try to break into our warehouses? Do we attempt to commit 
fraud against ourselves? No, we don't.  

Penetration testing has become big business because systems are so complicated and poorly 
understood. We know about burglars and kidnapping and fraud, but we don't know about computer 
criminals. We don't know what's dangerous today, and what will be dangerous tomorrow. So we 
hire penetration testers in the belief they can explain it.  

There are two reasons why you might want to conduct a penetration test. One, you want to know 
whether a certain vulnerability is present because you're going to fix it if it is. And two, 
you need a big, scary report to persuade your boss to spend more money. If neither is true, 
I'm going to save you a lot of money by giving you this free penetration test: You're 
vulnerable.  

Moral: now go and do something useful about it, 

like the security team behind Google's mobile platform, Android, which has tried to raise its 
profile among security researchers by appealing for their vigilance in monitoring the platform. 
Do a real check. 

Thanks 

Vikas Raina 

Sr Leader and Security Expert  

Domain: Corporate Information Security and Digital Forensic Investigation 
Certifications: CISSP®, CCSP®, CCNP®, C|EH, ITIL, PRINCE2©, DFCA© 

“Security advice is a daily burden, applied to the whole population, while an upper 
bound on the benefit is the harm suffered by the fraction that become victims 
annually. When that fraction is small, designing security advice that is beneficial 
is very hard.” 
