Description: When a CISO pays good money for a thorough pentesting, she wants results. Not necessarily the ones that the pentester had in mind, either. Whether the time allotted is too short, the pentester has to achieve multiple objectives, or they disagree on the severity of the findings, both the CISO and the pentester have to agree on both sides of the engagement. We discuss numerous aspects of voluntary pwnage: the differences between a security assessment and a penetration test, what color of box works best, tweaking the objectives for more targeted results, and ensuring a happy ending.
@shrdlu has worked as a CISO since 25 years past the epoch, both in the public and private sectors, and has grown to enjoy the exquisite pain of being on the receiving end of a pentest. It should be noted that @shrdlu is not speaking on behalf of any employers, past, present or future, did not test the presentation on any live animals, and will not be dispensing any sort of legal or medical advice.
Twitter: @shrdlu
Tags: securitytube , defcon , def con , hacking , hackers , information security , convention , computer security , DC 19 , defcon-19 , dc-19 ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
Beyond merely unethical - some of her suggestions appear criminal (falsely labeling documents to avoid open government laws, creating known incomplete reports for compliance reporting, etc.) Weird presentation.