SANS Penetration Testing

How Not to Fail at a Pen Test: Slides and Stream

Earlier this week, John Strand presented a fantastic webcast that was chock full of pen test tips. This post contains the slides as well as a link to the streaming slides and webcast audio.

Here's the description of the talk:

In this presentation, John and Ed will cover some key components that many penetration tests lack, including why it is important to get caught, why it is important to learn from real attackers, and how to gain access to organizations without sending a single exploit.

One of my favorite slides in the presentation is John's concluding Code of Ethics. Click on the image below to download all of John's slides.

If you'd like to hear the full audio stream, you can access it here. Click on the link, log in to your free SANS Portal account, and you can see and hear the stream.

On a directly related note, we'll be running an exciting SANS Pen Test Hackfest event in Washington DC November 13-20, throwing in pretty much everything we have to make for a fun and exciting event, including an evening of missions in CyberCity, 3 nights of NetWars, and a chance to earn up to four SANS Pen Test challenge coins. Click the image below for details on this nifty event.

Thank you!
-Ed Skoudis.


Posted August 28, 2014 at 6:19 PM

Andre Gironda

Idk, it feels that the primary themes in the talk are to never get stale and always keep pushing the envelope. However, at the same time, these talks and slide decks from John (and sorry to say, even you, Ed!) are, well, kind of the same each time you guys give them.
If you want to actually see and be a part of progress, then walk through the models (e.g., CAPEC) and the methods (e.g., PTES, OSSTMMv4, OWASP Testing Guide, OWASP ASVS, etc.) to be sure to include their history, path, focus, what time and effort is involved, and how that changes over time or by situation, and how we can standardize, be more consistent, be more efficient, and make our time more valuable. There's a wiki page with history for PTES and OWASP: who is changing what (which content), when, where (what sections of content and how does it relate to our understanding of top-level categorization), how (how did they come to their new conclusions), and why? What does this mean in terms of pen test progress?

Posted August 28, 2014 at 6:56 PM

Ed Skoudis

Andre, your points about PTES, OSSTMM are well made. Excellent work there, and looking at the deltas over time is really helpful. Also, if you do look at the talks by John this month and mine from last month, you'll see that John and I do get specific, and the specific areas we chose to focus on are in fact different (I have stuff on pre-test planning and after-test reporting, John focuses on peeling apart low- and medium-risk findings during the test, etc.). Thanks for reading, and I appreciate your points.

Posted September 2, 2014 at 9:13 PM

CPT Cooper

Awesome Code of Ethics! I'm interested in the "why it's important to get caught" portion, off to hear this stream!
