Maturing The Penetration Testing Profession

Presented at DerbyCon 2.0 Reunion (2012), Sept. 30, 2012, 11 a.m. (50 minutes)

How do you define a penetration test, or identify a penetration tester? Generally, highly skilled professions have well defined requirements of both the professionals and the work they provide. Penetration testing, however, has virtually no definition, requirements or standardization and can cover anything from vulnerability scans to exploit development. While not the only profession in the information security field to lack definition, it is arguably the worst. The end result is often low quality, unsatisfactory assessments that leave organizations still vulnerable to unsophisticated attacks.

This talk will cover the current efforts of some groups organized to assist in professionalizing the penetration testing field, including the National Board of Information Security Examiners (NBISE) Operational Security Testers (OST) panel and the Council for Registered Ethical Security Testers (CREST). While different initiatives, the end goals of these groups are to provide frameworks for penetration testers, managers and customers to operate within, hopefully ensuring more consistent and measurable tests.

Presenters:

• David McGuire
  David McGuire is a Senior Security Engineer with Veris Group, LLC where he leads penetration testing and vulnerability assessment efforts for commercial clients and major Federal agencies, including the Department of Justice (DOJ) and the Department of Homeland Security (DHS). He specializes in penetration testing methodologies, tools and techniques and wireless & mobile device security. David has extensive experience in conducting large scale, highly specialized and technically difficult network vulnerability assessments, penetration tests and adversarial (red team) network operations. In addition, he has considerable experience in training participants from various disciplines in computer security, adversarial network operations and penetration testing methodologies, including at major industry conferences such as the Black Hat. Previously, David was the senior technical lead at a large Department of Defense (DoD) Red Team, providing mission planning and direction through numerous large scale operations. David has a Bachelor’s Degree in Computer Information Technology and is a CREST Certified Infrastructure Tester, GIAC Certified Penetration Tester (GPEN), GIAC Certified Web Application Penetration Tester (GWAPT) and Offensive Security Certified Professional (OSCP).

Similar Presentations:

• DEF CON 23 (2015) / I Hunt Penetration Testers: More Weaknesses in Tools and Procedures
• A New HOPE (2022) / Hack the Planet... Step 1, Step 2, Step
• DEF CON 24 (2016) / Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools