How to get a well done penetration test
Slide 1
And not to overpay
Kir Ermakov
DSEC Pentest Day, 2017
Slide 2
#:whoami
- Known as ‘isox’
- vulners.com founder
- QIWI Group CTO (previously CISO)
- Web penetration tester
- Listed in “halls of fame” (Yandex, Mail.ru, Apple and so on)
- JBFC community participant
- Security skeptic
Slide 4
Penetration test as designed
- Perimeter and internal recon
- Vulnerability assessment
- Independent security controls check
- Hands-on vulnerabilities discovery and exploitation
- Hack me plz
Slide 5
Regular pentest
- Presale activity before the real financial penetration
- First critical finding: stop and report
- Total show off
- Hack for profit
Slide 6
Pentest performers skills
- Over 9000 pentest companies
- Usually disgusting
- Script kiddies with Nessus
- Sometimes with Metasploit
- Proudly CEH certified
- Totally lazy
Slide 7
Why so bad?
- Incompetence of the customers
- Advertising the service has led to quality degradation
- Pentest tools evolution: even my grandma can ‘exploit something’
Slide 8
Stop. Think. Act.
Questions to ask yourself:
• What kind of pentest do I need?
• Do I really have security controls to check?
• What is my business goal?
• Am I ready to pay for good quality?
Slide 10
Pentest scope
- Recon
- Vulnerability assessment
- Exploitation PoCs
- Internal security
- And almost everything
Slide 11
It depends on your security level
- No need for a “Red Team” for newbies
- No need for recon for professionals
- No need to check compliance if you have no internal compliance
- No need to make it at all if your security team is lame
Slide 12
Performer
- Ask other CISOs for advice
- Only 3 companies can perform well in Russia (IMHO)
- Make a challenge
- Don’t mess with a “Company”, mess with a team
- All high-grade pentesters are well known
Slide 13
Getting best performance
• Don’t try to test them!
• Help them!
• Share your knowledge!
• Trust your pentester!
• Don’t limit their scope and actions!
Slide 14
One line lifehacks
• Mix different teams. You will be surprised
• Interest them
• Different systems – different pentest teams
• Sharing recon = 50% speed up
• Don’t ask for “total” proofs. A PoC is enough.
Slide 15
And what about the money?
- RUR 400k to 1.5M is OK
- Red Team costs around 3M
- More != better
- Perform tenders
- PR = discount
Slide 16
Thanks
- isox@vulners.com
- Feel free to ask me about a pentest for your company. I will guide you free of charge
- https://vulners.com
- We are really trying to make this world better
- Stop paying for features that are available for free