Ed Skoudis' keynote at DerbyCon 2014, entitled "How to Give the Best Pen Test of Your Life", left me hanging. I wanted to ask questions, get clarification, and, most importantly, suggest an alternative view of the purpose and goals of pen testing. This presentation is a follow-on to, or rebuttal of, that presentation. The goal is to promote a conversation about pen testing that takes it to a higher level than is ordinarily considered. I review, based on Skoudis' presentation, the key components of the "perfect" pen test, but take it further to discuss the purpose, goals, and desired outcomes of pen testing. I present my notion of an ideal pen test, what it could and should be, how I came to this conclusion, and offer some direction for the future of pen testing.

Jeff has compiled a rich knowledge base in cryptography, information security, and most recently PCI. With PCI impacting nearly every business vertical, he has served as a QSA and trusted advisor for both VeriSign and AT&T Consulting. As an NSA cryptographer, he oversaw completion of some of the first software-based cryptosystems ever produced for the high-profile government agency.

Current Position: As Tenable's PCI SME and a Security Strategist, Jeff offers over thirty years of information security experience and knowledge to help customers align Tenable products and services with the best practices that are required to maintain a viable security program. Jeff also hosts a PCI discussion forum at Tenable and offers answers and interpretation to anyone with questions about security and compliance, particularly to meet PCI validation requirements.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast