Finally got around to uploading and converting my DEFCON 16 presentation with co-presenter Carric, entitled “PenTesting is Dead, Long Live the PenTest!”
Part problem dissection, part solution discussion, part political rant, peppered with a bit of humor and wit.
This talk explores the death and subsequent re-birth of the penetration test. Built from conclusions drawn from the collective experiences of two seasoned pen-testers, our talk is filled with facts, fun and rhetoric. We will describe the landscape, the problems, and offer real solutions…
In our talk, we will explore the problems with modern-day pen-tests and pen-testers, and ways to stand out amongst the frauds selling their lackluster vuln-scan services under the guise of a true penetration test.
We discuss penetration tests that are overly tool-driven and/or lacking in methodology as well as pen-testers who lack the experience and creativity to identify the architectural problems that real attackers frequently exploit.
Along the way, we'll discuss the difficulties faced by real penetration testers and complement these with real-world war-stories to provide both context and comic relief.
Most importantly, we'll discuss how to solve these problems, through contributions to open methodologies, transparency in process, and shifts in technological paradigms. We'll tell you how to deal with the latest technologies, even those that change day-by-day. For those that take penetration testing seriously, this talk will be a fun, informative and enlightening presentation on the things we need to do to keep pen-testing worthwhile. Attendees will learn how to perform pentests accurately and obtain compelling and valuable results that ensure real return on investment for their clients.
Carric and I presented to a full room, and we got lots of good feedback and close to an hour of Q&A in the after-preso breakout session.
The presentation is approximately 52 minutes in length, so grab a cup of coffee, settle in and enjoy! If you'd like to discuss any of the issues we raised in our presentation, please feel free to opine below and/or email me directly (all perspectives welcome)!