Tuesday, May 4, 2010

Presentation: "The Future of Penetration Testing" at RMISC

EA Principal Consultant David Campbell will be delivering a presentation at the 4th annual Rocky Mountain Information Security Conference tomorrow, 5 May 2010 in Denver, CO.

 The slide deck (pdf) is posted and the abstract of the presentation is as follows:


For many years now penetration testing has been an essential component of an effective information security risk management program. PCI DSS even requires that penetration testing be performed at regular intervals. The “blackbox” or “zero knowledge” approach used by most internal penetration testing teams and external consultancies seeks to identify exploitable vulnerabilities which could lead to a compromise. This testing methodology was borne out of a desire to emulate the attacker’s view of the enterprise, in order to identify high impact vulnerabilities and remediate them with priority.

While blackbox testing captures many attributes of the “attacker’s eye view” of the threat landscape, it fails to adequately account for the fact that an Advanced Persistent Threat may have considerably more time to spend penetrating a target than a security consultancy which charges by the day or by the hour. In order to level the playing field, a paradigm shift is necessary in the industry. Penetration testing performed using a “greybox” approach, in which the security assessor is provided with source code or other relevant software artifacts during an engagement is a highly effective alternative to “zero knowledge” testing. This presentation will showcase real world cases where critical vulnerabilities were identified during greybox engagements, which had previously been overlooked by multiple blackbox assessments.

Attendees of this session should expect to gain an understanding of why not all penetration testing activities are created equally, and how to choose the right type of penetration testing to satisfy their risk mitigation requirements while managing budget, time and compliance constraints.