Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools
Abstract
Following previous presentations on the dangers penetration testers face in using current off-the-shelf tools and practices (Pwn the Pwn Plug and I Hunt Penetration Testers), this paper and presentation explore how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. Widely available books and other training resources target the smallest set of prerequisites in order to attract the largest audience. Many penetration testers carry the techniques used in simplified examples over to real-world engagements, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers and, given current practices, can do so easily and with dramatic impact. The accompanying presentation to this paper includes a live demonstration of techniques for hijacking a penetration tester’s normal practices, as well as guidance for examining and securing penetration testing procedures. The tool shown in this demonstration will be released publicly (with code) along with the first presentation of this talk.

INTRODUCTION

This paper is a companion piece to the talk of the same title. In both this paper and the corresponding talk, previous work is presented, followed by a review of the threats to penetration testers. A study was performed on a large body of penetration testing learning materials, illustrating the lack of secure practices being taught—practices that have been observed to be repeated on real engagements.

WESLEY MCGREW, PH.D. DIRECTOR OF CYBER OPERATIONS, HORNE CYBER [email protected] @MCGREWSECURITY
Similar resources
Mapping of McGraw Cycle to RUP Methodology for Secure Software Developing
Designing secure software is one of the major phases in developing robust software. The McGraw life cycle, as one of the well-known software security development approaches, implements different touch points as a collection of software security practices. Each touch point includes explicit instructions for applying security in terms of design, coding, measurement, and maintenance of softwar...
Penetration Testing
The TCB shall be found resistant to penetration. Near flawless penetration testing is a requirement for high-rated secure systems — those rated above B1 based on the Trusted Computer System Evaluation Criteria (TCSEC) and its Trusted Network and Database Interpretations (TNI and TDI). Unlike security functional testing, which demonstrates correct behavior of the product's advertised security co...
Vulnerability scanners
Computer networks are used by organisations and companies as a carrier of communication and services. Disruption of the network service can severely harm the organisation. A vulnerability scanner can find weaknesses in a computer network before a potential attacker does. It scans the network for vulnerabilities by testing weaknesses and by gathering information about different entities active ...
Exploring the Relationship Between Web Application Development Tools and Security
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate. We use manu...
Using the Workflow Technology in Secure Software Engineering Education
Security has become an increasingly important topic in software engineering. In this paper, an approach of using the workflow technology in teaching secure software engineering courses is presented. This approach can free students from low-level tools manipulation and command line interactions so that students can focus on learning the important secure software principles. Four case studies usin...