A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Checklist Pentesting; Not checklist hacking - Trenton Ivey - @trentonivey (BSides Chicago 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)

Checklist Pentesting; Not checklist hacking
Trenton Ivey
@trentonivey

BSides Chicago 2014

When most pentesters hear “Checklist Based Security”, they cringe a little. We all know that hacking is an art form. Condensing something as complex as a pentest down to a set of boxes seems inadequate.Others industries have found that, when used correctly, checklists have many positive effects. This is even more true when individuals or teams must make critical decisions while under pressure. Research shows that hospitals have saved thousands of lives (and dollars) just by implementing checklists in surgery. Hundreds of well thought out checklists are at pilots fingertips if anything goes terribly wrong in flight. Checklists work; pentesters just need to find the right ones.This talk demonstrates the ways good checklists can make a pentester’s life easier. I will look at some of the checklists my team has been using for the last year. I will show how these checklists have helped us find and exploit more vulnerabilities, even as engagement timelines have shrunk. I will demonstrate (and release) a checklist and note-taking framework that we have made using home grown and open source code. Since implementing this framework, our notes are much more comprehensive and our reports have become much easier to write.This talk also discusses some of the dangers surrounding the misuse of checklists. No one would trust me to perform a surgery if I said I had the appropriate checklist. In the same way, pentesters cannot depend on checklists to provide the necessary skills to complete a successful engagement. Our team has developed a phrase in the last year: “Checklist pentesting, not checklist hacking.” I hope to share this approach with everyone at Bsides Chicago.

Back to BSides Chicago 2014 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast