Are You In Yet? The CISO's View of Pentesting

Presented at DEF CON 19 (2011), Aug. 5, 2011, 5 p.m. (20 minutes)

When a CISO pays good money for a thorough pentesting, she wants results. Not necessarily the ones that the pentester had in mind, either. Whether the time allotted is too short, the pentester has to achieve multiple objectives, or they disagree on the severity of the findings, both the CISO and the pentester have to agree on both sides of the engagement. We discuss numerous aspects of voluntary pwnage: the differences between a security assessment and a penetration test, what color of box works best, tweaking the objectives for more targeted results, and ensuring a happy ending.

Presenters:

• Shrdlu
  @shrdlu has worked as a CISO since 25 years past the epoch, both in the public and private sectors, and has grown to enjoy the exquisite pain of being on the receiving end of a pentest. It should be noted that @shrdlu is not speaking on behalf of any employers, past, present or future, did not test the presentation on any live animals, and will not be dispensing any sort of legal or medical advice. Twitter: @shrdlu

Links:

• https://defcon.org/html/defcon-19/dc-19-speakers.html#Shrdlu
• https://infocon.org/cons/DEF CON/DEF CON 19/DEF CON 19 video and slides/DEF CON 19 - Shrdlu - Are You In Yet The CISOs View of Pentesting - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=dSgNMZCZf0I

Similar Presentations:

• May Contain Hackers (MCH2022) / A CISO approach to pentesting; why so many reports are never used
• BSidesLV 2019 / CISO Unconference
• BSidesLV 2019 / Meet the CISO