Pen-Testing is Dead, Long Live the Pen Test

Presented at DEF CON 16 (2008), Aug. 10, 2008, 3 p.m. (50 minutes).

This talk explores the death and subsequent re-birth of the penetration test. Comprised of conclusions drawn from the collective experiences of two seasoned pen-testers, our talk is filled with facts, fun and rhetoric. We will describe the landscape, the problems, and offer real solutions. In our talk, we will explore the problems with modern-day pen-tests and pen-testers, and ways to stand out amongst the frauds selling their lackluster vuln-scan services under the guise of a true penetration test. We discuss penetration tests that are overly tool-driven and/or lacking in methodology as well as pen-testers who lack the experience and creativity to identify the architectural problems that real attackers frequently exploit. Along the way, we'll discuss the difficulties faced by real penetration testers and complement these with real-world war-stories to provide both context and comic relief. Most importantly, we'll discuss how to solve these problems, through contributions to open methodologies, transparency in process, and shifts in technological paradigms. We'll tell you how to deal with the latest technologies, even those that change day-by-day. For those that take penetration testing seriously, this talk will be a fun, informative and enlightening presentation on the things we need to do to keep pen-testing worthwhile. Attendees will learn how to perform pentests accurately and obtain compelling and valuable results that ensure real return on investment for their clients.

Presenters:

  • Carric - DEFCON Goon
    Carric is a Goon. Buy him beer.
  • Taylor Banks / dr.kaos - Security Evangelist
    Taylor Banks is a security evangelist and privacy pundit with over 15 years in the information technology industry, the last 10 focused exclusively on information security and privacy. Since 1998, he has been designing, implementing, teaching and managing secure information systems for Federal Government, US Military, private universities and public companies, from start-ups to Fortune 100. Taylor, aka "dr.kaos," is also the PoC for the Atlanta DEFCON Group (DC404), and in 2005 founded "kaos theory security research," creators of the Anonym.OS LiveCD. Between 1999 and 2002, Taylor worked at SecureIT (later acquired by VeriSign) providing CheckPoint, Nokia, NAI, Web Security and Applied Hacking training to hundreds of enterprise customers, as well as review, design and development of secure network architecture and related security policies for numerous Fortune 500 organizations. During that time, Mr. Banks devised testing methodologies and audit procedures, and helped found the VeriSign FIRE team to provide penetration tests and security audits for internal departments and enterprise customers. In 2003, Taylor trained the US Marine Corps 13-member Computer Emergency Response Team (MARCERT) to perform penetration tests and security audits to assess and improve the security of their own military and public networks. The MARCERT team subsequently entered DEFCON's prestigious CTF competition, ranking 3rd at the conclusion of the DEFCON XI conference. Since 2007, Taylor has been focused on virtualization and its impact on enterprise information security.
