penetration testing execution standard
DESCRIPTION
TRANSCRIPT
Penetration Testing Execution Standard
Iftach Ian AmitVP Consulting - Security Art
Founder - PTESDC9723
March 22nd, 2011
Agenda
• Why?
• Who?
• How?
• You!
PTES - Why?
PTES - Why?
RAPE!
PTES - Why?
RAPE!
Someone call the police...
PTES
• Common language for organizations and service providers
• Set the bar for a common standard to be used
• Eliminate hacks (as in run Nessus, generate report, send to customer, charge $10,000)
PTES - Who?
• As always - started during a long night of drinking...
• Nickerson (@indi303), Kennedy (author of SET), me (@iiamit), Gates (@carnal0wnage), Val (@attackresearch), Nick (@c7five), Robin (@digininja), Wim (@wimremes), Stefan (@stfn42), lots more... www.pentest-standard.org
PTES - How?• Basically, define the basic 7 elements of a pentest:
• Pre-engagement
• Intelligence gathering
• Threat modeling
• Vulnerability Analysis
• Exploitation
• Post exploitation
• Reporting
PTES - How?• Basically, define the basic 7 elements of a pentest:
• Pre-engagement
• Intelligence gathering
• Threat modeling
• Vulnerability Analysis
• Exploitation
• Post exploitation
• Reporting
PTES - How?• Basically, define the basic 7 elements of a pentest:
• Pre-engagement
• Intelligence gathering
• Threat modeling
• Vulnerability Analysis
• Exploitation
• Post exploitation
• Reporting
“old” pentesting scope
Pre-Engagement
Pre-Engagement
Pre-Engagement
Intelligence Gathering
Intelligence Gathering
Intelligence Gathering
Threat Modeling
Threat Modeling
Vulnerability Analysis
Vulnerability Analysis
Exploitation
Exploitation
Post-Explotation
Post-Explotation
Reporting
Reporting
Reporting
PTES - initial reactions
PTES - initial reactions
• You have to be kidding me
PTES - initial reactions
• You have to be kidding me
• No one does that
PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work
PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work
• Is this going into PCI/ISO/[someStandard]?
PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work
• Is this going into PCI/ISO/[someStandard]?
• We already do that
Now what?
Now what?
YOU!
Now what?
YOU!Yes, you...
Roadmap
Roadmap
• Catch up on all the “official” news at www.pentest-standard.org
Roadmap
• Catch up on all the “official” news at www.pentest-standard.org
• Volunteer! (we need working hands...)
Roadmap
• Catch up on all the “official” news at www.pentest-standard.org
• Volunteer! (we need working hands...)
• Previous milestone - Shmoocon (Feb 2011)
Roadmap
• Catch up on all the “official” news at www.pentest-standard.org
• Volunteer! (we need working hands...)
• Previous milestone - Shmoocon (Feb 2011)
• Next milestone - ph-neutral (May 2011)
Roadmap
• Catch up on all the “official” news at www.pentest-standard.org
• Volunteer! (we need working hands...)
• Previous milestone - Shmoocon (Feb 2011)
• Next milestone - ph-neutral (May 2011)
• Drop the bomb - BlackHat?