Automation of Penetration Testing and the future

Presented at BSidesLV 2016, Aug. 2, 2016, noon (30 minutes).

The push for automation and commoditization is changing penetration testing as we know it. And change is not always a good thing.

This talk will cover the use of automation and the reason for the trend. We will delve into what this means for skilled penetration testers / exploit developers and the probable outcome of bigger and more breaches. We will also explore the current trend of paying for a "9-5 job" in infosec in relation to automation.

What are the potential costs of automating more for less?

The sacrifice of quality and integrity as cheaper, faster, crappier pentests being pushed/sold

Losing skilled people and top end talent as we scan all the things

The increased potential of exploit devs being sold on the black market for short term gain, long term pain.

The negative impact on the group/society

Recently, a panel discussion at Derbycon 2015 raised concerns around what the future holds for pentesters and the integrity of the practice. Currently the security market pays for talent and skills, but they do not pay for the building of skills. This talk will reiterate these ideas but also present the probable future of a skills loss. That future being; people that can run scanners, a gap in middle talent and a small end talent of exploit devs/vulnerability researchers, ultimately ending up in a complete eradication of top tier talent. With new courses rolling out, and the demand high, are we breeding a new generation looking to InfoSec for a lucrative 9-5 job in pentest puppy mills

For those of us already working in InfoSec, we understand our roles in terms of passion and dedication, and the constant commitment to ongoing learning to keep our knowledge honed. However, in the eyes of the consumer, there is little difference between a vulnerability scan and a pen test. What they do notice is pricing. That is creating a lucrative market in a competitive field with the idea that anybody can do them, and the cheaper, the better. Welcome to the culture of "good enough."


Presenters:

  • Haydn Johnson
    Haydn Johnson has over 4 years of information security experience, including network/web penetration testing, vulnerability assessments, identity and access management, and cyber threat intelligence. He has a Masters in Information Technology, the OSCP and GXPN certification. Haydn regularly contributes to the InfoSec community primarily via Twitter and has spoken at multiple conferences, namely Circle City Con, BSides Las Vegas and SecTor. Originally from Australia, he called Canada home.

Links:

Similar Presentations: