TRANSCRIPT
Network Security Testing—Are There Really Different Types of Testing?
July 28, 2015. Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time
ISSA WebCONFERENCES, #ISSAWebConf
Brought to you by:
Welcome: Conference Moderator
Jorge Orchilles, Vice President, South Florida ISSA
Speaker Introduction
• John Kindervag, Vice President & Principal Analyst, Forrester Research
• Eric Raisters, CISSP, CSSLP
• Ira Winkler, President, Secure Mentem, CISSP
• Donald Shin, Sr. Technical Business Development Manager, IXIA
To ask a question:
Type in your question in the Chat area of your screen.
You may need to click on the double arrows to open this function.
John Kindervag, Vice President, Principal Analyst serving Security & Risk Professionals at Forrester Research
+1 469.221.5372
@Kindervag
Materials omitted due to licensing and reproduction rights.
Eric Raisters, CISSP, CSSLP
Pen Test Basics
• Approach the SUT (system under test) as an attacker
• Process (from SANS Ethical Hacking):
  • Planning
  • Scoping
  • Reconnaissance
  • Scanning
  • Exploitation
  • Documentation/Reporting
Pen Test Purpose
• Approach SUT as an attacker
• In-house developed apps/services
  • White-box testing
• Deployed systems/purchased products
  • Includes virtual servers and cloud deployments
Pen Test Types
• SUT object
  • Network – mis-configs, weak settings
  • Web apps/services – OWASP Top 10
  • Mobile apps/services – permissions, data leakage
• Attack methods
  • Known vulnerability scans – automated
  • Exploitation proof – manual
Pen Test Toolkits
• Kali Linux
• Samurai Web Test Framework
• Pwnie Express
Vulnerability Scan
• Look for known vulnerabilities
• Nessus (OpenVAS)
• Nexpose
• Core Impact
• Burp Suite (free and commercial)
• Zed Attack Proxy (OWASP)
Network Exploits
• Prove a found vulnerability is exploitable
• Metasploit (free and commercial)
• CANVAS
Web App Exploits
• Burp Suite (free and commercial)
• Zed Attack Proxy (OWASP)
• Paros proxy
• w3af
• Netsparker
Android Exploits
• Pwnie Express
• zANTI
• Hackcode
• AndroRAT
iPhone Exploits
• Standard Linux pentest tools
• iNalyser
Summary
• Pen testing is important
• Vulnerability scans are not enough
• Exploit testing proves that a vulnerability is important enough to fix
• Consider contracting experts
• Consider a bug bounty program
• If you don’t do it, the hackers will
Resources
• sectools.org
• n0where.net/directory
• OWASP.org
• kali.org
Question and Answer: Eric Raisters, CISSP, CSSLP
Thank You
Ira Winkler, President, Secure Mentem, CISSP
@irawinkler
+1-443-603-02500
Question and Answer: Ira Winkler
Thank You
Donald Shin, Sr. Technical Business Development Manager, IXIA
www.ixiacom.com
Question and Answer: Donald Shin
Thank You
Open Panel with Audience Q&A
• John Kindervag, Vice President & Principal Analyst, Forrester Research
• Eric Raisters, CISSP, CSSLP
• Ira Winkler, President, Secure Mentem, CISSP
• Donald Shin, Sr. Technical Business Development Manager, IXIA
Closing Remarks
Thank you Citrix for donating the Webcast service.
Thank You
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2241426/ISSA-Web-Conference-July-28-2015-Network-Security-Testing-Are-There-Really-Different-Types-of-Testing