Monday, November 22, 2010

Ruxcon 2010 & my talk: "No Holds Barred" Penetration Testing

EDIT: My Rapidshare link broke so I've resubmitted it using Google Docs.

Well my talk at Ruxcon is said and done. My slides can be found here.

Truth be told, it went better than I expected. I was worried that since I was not posting 0day code or providing a tool that there would be no interest. I don't think anyone was more suprised at seeing a fully packed room than me.

What started was going to be a series of grumblings about my views on penetration testing today ended up being more clearly focused on client side penetration testing.

I know plenty of consultancies are technically capable and some might even have done client sides, but to the best of my knowledge I hadn't heard of any in Australia doing so. And if they did, they kept their cards very close to their chest. Or more to my thinking - they have done it but I think the repeatability might have been lacking.

Obviously a lot of this is just guesswork on my behalf and there was a limit to how much research I can do this on this front - so a good chunk of the talk was based purely on my own experiences in the field as someone who has hired pentesters and now working at a consultancy where we do pentesting (amoungst other things).

One of my gripes is that we are lagging behind our competitors in the sense we aren't actually doing client side penetration tests (as a general rule) in AU, at least not on the scale that happens in other countries. I think this means that there is a significant gap in terms of the coverage and assurance that our penetration testing coverage truly provides.

I want to raise awareness of this issue and really try and provide some suggestions how both parties can lift their game and get more of these happening. How both parties can try selling the service, when it is appropriate, how to justify in a business context, provide ROI (yes, it is possible), etc.

On Ruxcon, I have to say I was really impressed with the quality lineup, the registration, the management of the event - even little things, like the way the bartab, water even the toilets was handled. Hell, even Black Hat @ Caesar's Palace ran out of water. What does that tell you?

The CTF ran flawlessly (barring minor performance issues) which when you compare to previous years, are still trivial in comparison. If I had to come up with one gripe, it would be that the area infront of the bar was too small for the size and we wound up having to really yell to be heard, so I've subsequently lost my voice. I forgot to mention I like the fact that despite corporate sponsorship, there was no blatant advertising, no "vendor streams" and no bias towards speakers who happen to work for sponsors. AusCERT take note!

I've said it before but I must say it again - it was by far and away the best Ruxcon ever. If you have to pick one conference in Australia, make this your one.


- J.


@RobertWinkel said...

Your Ruxcon presentation was great. Thanks for the slides.
I have done some client-side proof of concept "pentesting" before against an Aussie gov client, where there was no exploitation allowed - just a ping back to a box I owned, to prove that client staff could be phished. It's not a full client-side pentest, but a step in the right direction.
Do you have any pointers or advice for creating a robust client-side penetration testing framework / methodology / ROI?

Jarrod said...

I just replied to your comment on Twitter about this. You are now number 3 person who has asked me about this and the short answer I gave at Ruxcon is "no".

The best framework I've seen is here:

But, I think it is something that you need to draw down from and cherry pick the bits that work for you. I definitely don't see this as a one size fits all, given that the legality of this stuff ranges from state to state, country to country.

- J.