So you want to be a pentester?

Presented at DerbyCon 3.0 All in the Family (2013), Sept. 28, 2013, 4:30 p.m. (25 minutes)

When many pen testers, myself included, are just starting out they focus their testing efforts on the “cool” stuff (the latest exploit, pwning the database, getting root, etc.) and pay little attention to the other “not so cool” aspects of pen testing. This is reiterated in many of the CON talks – the new tool, the new exploit, etc. and always seems to be the biggest draw. My talk: ‘So you want to be a Pen Tester?’ is a unique and perfect example of the phrase “Dare to be Different” – one of my favorite mantra’s and a philosophy I strive to live by. Rather than focusing on tools/exploits, my talk will hone in on the pen testing life cycle, understanding good reports/bad reports, and how a commercial pen tester can differentiate themselves from the competition. Intended audience – intro to expert level “white hat” pen testers. Although not technically a tool, my version of the pen testing framework (Mind Map) will be released in conjunction with this talk.

Presenters:

• Raymond Gabler
  Official Bio: Senior security leader, with over 16 years’ experience in information security engineering and architecture. Experienced in leading teams both from a project management and technical perspective, defining security roadmaps, understanding business requirements, engineering secure solutions, security testing & evaluations, and designing & testing business continuity/disaster recovery solutions for a variety of clients to include small security boutiques to large government contractors. Strong relationships with business teams to include executive level management, helping them understand how security can be used as a business enabler. Certifications include: CISSP, CRISC, CISM, C|CISO and ITIL 2011 Foundation. Outside of work, I am an avid community leader holding positions on several neighborhood committees, an amateur podcast host, and blogger. Additionally, I stay active by taking martial arts (I am currently a level 6 Krav Maga student and phase A certified instructor). Con Bio: Not sure if I have “hacked all the things” but I am doing my part to “drink all the booze” Work Experience – “Jack of all trades”, I have done it all from hands-on engineering to high level infosec leadership and everything in between. 16+ yrs of infosec experience – just proves I am old and hopefully wise. Certifications – Yes I have them (CISSP, CRISC, CISM, C|CISO and ITIL 2011 Foundation), but no one cares unless you are hiring – are you hiring? Speaking Experience – I teach Infosec at local community college and speak at cons, mini cons, and meet-ups so I am comfortable and more importantly entertaining in front of an audience. Derby Experience – Unfortunately couldn’t make DerbyCon #1 but did attend the Reunion (#2), Got my hugs (I am very huggable teddy bear), gave some hugs, and totally got zombified. Certified Bad Ass – Level 6 (brown belt) student and certified instructor in Krav Maga.

Links:

• https://infocon.org/cons/DerbyCon/DerbyCon 3 2013/video/So You Want To Be A Pentester Raymond Gabler.mp4

Similar Presentations:

• GrrCON 2014 / Application Pen Testing
• BSidesDC 2017 / “PCI for Pen Testers”
• DEF CON 16 (2008) / Pen-Testing is Dead, Long Live the Pen Test