How to get a well done penetration test
•Download as PPTX, PDF•
4 likes•528 views
And not to overpay
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to How to get a well done penetration test
Similar to How to get a well done penetration test (20)
More from Kirill Ermakov
More from Kirill Ermakov (8)
Recently uploaded
Recently uploaded (20)
How to get a well done penetration test
- 1. How to get a well done penetration test And not to overpay Kir Ermakov DSEC Pentest Day, 2017
- 2. 2 #:whoami - Known as ‘isox’ - vulners.com founder - QIWI Group CTO ( prev. – CISO) - Web penetration tester - Member of “hall-of-fames” (Yandex, Mail.ru, Apple and so on) - JBFC community participant - Security skeptic
- 3. 3 A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. © Wiki
- 4. 4 Penetration test as designed - Perimeter and internal recon - Vulnerability assessment - Independent security controls check - Hands-on vulnerabilities discovery and exploitation - Hack me plz
- 5. 5 Regular pentest - Presale activity before real financial penetration - First critical found – stop and report - Total show off - Hack for profit
- 6. 6 Pentest performers skills - Over 9000 pentest companies - Usually disgusting - Script kiddies with Nessus - Sometimes with Metasploit - Proudly CEH certified - Totally lazy
- 7. 7 Why so bad? - Incompetence of the customers - Advertised service has led to the quality degradation - Pentest tools evolution …even my grandma can ‘exploit something’
- 8. 8 Stop. Think. Act. Questions to ask yourself: • What kind of pentest do I need? • Do I really have security controls to check? • What is my business goal? • Am I ready to pay for good quality?
- 9. 9 You owe me $10 for this promo
- 10. 10 Pentest scope - Recon - Vulnerability assessment - Exploitations PoC - Internal security - And almost everything
- 11. 11 It depends on your security level - No need to make a “Red Team” for the noobies - No need to make a recon for the professionals - No need to check the compliance if you have no internal one - No need to make it at all if your security team is lame
- 12. 12 Performer - Ask other CISO’s for the advice - Only 3 companies can perform well in Russia (IMHO) - Make a challenge - Don’t mess with ”Company”, mess with a team - All high-grade pentesters are well known
- 13. 13 Getting best performance • Don’t try to test them! • Help them! • Share your knowledge! • Trust your pentester! • Don’t limit their scope and actions!
- 14. 14 One line lifehacks • Mix different teams. You will be surprised • Interest them • Different systems – different pentest teams • Sharing recon = 50% speed up • Don’t ask for the ”total” proofs. PoC is enough.
- 15. 15 And what about the money? - RUR 400k to 1,5kk is OK - Red Team costs near 3kk - More != better - Perform tenders - PR = discount
- 16. 16 Thanks - isox@vulners.com - Feel free to ask me about pentest for your company. I will guide you without charge - https://vulners.com - We are really trying to make this world better - Stop paying for features, that are available for free