A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Do We Still Need Pen Testing? - Jeff Man BSides Columbus Ohio 2015  (Hacking Illustrated Series InfoSec Tutorial Videos)

Do We Still Need Pen Testing?
Jeff Man
BSides Columbus Ohio 2015

Ed Skoudis' keynote at DerbyCon 2014 entitled "How to Give the Best Pen Test of Your Life" left me hanging. I wanted to ask questions, get clarification, and most importantly suggest an alternative view of the purpose and goals of pen testing. This presentation is a follow-on or rebuttal to that presentation. The goal is to promote a conversation about pen testing that takes it to a higher level than ordinarily considered. I review, based on Skoudis' presentation, the key components of the "perfect" pen test, but take it farther to discuss the purpose, goals, and desired outcomes for pen testing. I present my notion of an ideal pen test, what it could/should be, how I came to this conclusion, and offer some direction for the future of pen testing.

Jeff has compiled a rich knowledge base in cryptography, information security, and most recently PCI. With PCI impacting nearly every business vertical, he has served as a QSA and trusted advisor for both VeriSign and AT&T Consulting. As an NSA cryptographer, he oversaw completion of some of the first software-based cryptosystems ever produced for the high-profile government agency. Current Position: As Tenable’s PCI SME and a Security Strategist, Jeff offers over thirty years of information security experience and knowledge to help customers align Tenable products and services with the best practices that are required to maintain a viable security program. Jeff also hosts a PCI discussion forum at Tenable and offers answers and interpretation to anyone with questions about security and compliance - particularly to meet PCI validation requirements.

Back to BSides Columbus Ohio 2015 video list

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast