Archive for the ‘Testing’ Category

Making sense of pen testing, part two

This is the second in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. Part one is available here.

In this post I will explore some of the issues I see in pen testing; it's something of a rant that I have regaled a number of pen testing friends with over the last couple of years. If you disagree violently with this, let me know; if I've missed something, let me know. We need to open up this conversation in the industry.

In the next post I start exploring why these problems exist and how they might be improved.

What is wrong with pentesting?

As an informed customer, and an ex-pentester, I see a number of problems with pentesting as delivered today:

  • Too much focus on 0day as a measure of success
  • Too much variation in quality and coverage between testers and between tests
  • Too much unexplained and undefined ‘black magic’


Making sense of pen testing, part one

This is the first in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. In this post I will apply a framework to understanding the process of pen testing.

In the next post, available here, I discuss some of the problems I see in pen testing.

Sensemaking

The pentesting process is a form of expert behaviour similar to intelligence analysis, a field where a lot of work has gone into understanding the key components of expert performance; this is often broken down into a process flow as follows:

Gather Information → Represent in Expert Schema → Develop Insight → Define Product or Action

How to develop a security test strategy, part three

This is the third in a series of posts describing how to put together a security testing strategy and the associated test plans. Part one is here and part two is here.

This is what I want to see covered in security test plans. Whenever I ask the supplier to specify or carry out the security tests, I ensure I get to review and approve the test plans and the test outputs as part of the formal project deliverable process. I also try to make sure that the inputs to the test plan are made available to the actual security testers completing the test, so they get a better feel for the context of their test results.

How to develop a security test strategy, part two

This is the second in a series of posts describing how to put together a security testing strategy and the associated test plans. Part one is here and part three is here.

What do you need to write a security test plan?

The following documents comprise the list of what I would expect as inputs to the creation of the individual security test plans. This is a good point to go and review your overall security delivery plan. Does it include these documents as deliverables? Does the supplier have any of these as standard off-the-shelf products?

How to develop a security test strategy, part one

This is the first of a series of posts describing how to put together a security testing strategy and the associated test plans. Part two is here and part three is here.

What is a security test strategy?

A security test strategy is a key document deliverable to get into the master plan for delivery. It sets the expectations for everyone involved and gives the project managers and programme managers the material they need to build and run their own plans.
