One of the best, and most underrated ways to get the most out of a pen test is to be a good pen test client. Seems easy, but you’d be surprised. What does it mean to be a good pen test client?
make sure all the pre-test tasks, like provisioning of credentials, needed approvals, etc., are completed well ahead of time. You ain’t paying the pentester to stand around and wait for access to be provisioned - so don’t. They also don’t want to stand around. They want to be pentesting.
be responsive to questions and clarifications requested during the engagement. Pentesters have a tiny time window in which to maximize the value they can give you. Help them, don’t hinder them.
give feedback on reports. Good, bad, neutral. Whatever, a lot of work goes into writing them (it should anyway, no ChatGPT you sneaky buggers), make people feel like their work has been reviewed accordingly.
don’t fight to have things removed from the report because they are embarrassing. Fix the issue, have the tester retest and move on. You can say “we had a bug and our testing found it”, which is why you had a pen test in the first place. Putting pressure on people to hide finds isn’t fair.
if you want a non-standard report format, mention that before the test begins. It’s your right to ask for the test results to be delivered to you however you please - in a spreadsheet for example, but asking a tester to reformat a report completely after delivery is lame. Don’t do it.
This hasn’t been done before - a free cohort course on security fundamentals for those who would like to find out whether pentesting is for them. It’s run by @kacperszurek, so the quality is guaranteed:
🔐 Get ready to join penetration tester Laura Knight on an electrifying journey through the world of cybersecurity in "Pen Test Diaries"! 🔍💻
💥 Dive into her thrilling experiences, based on real-world scenarios, unraveling the technical and non-technical aspects of fortifying an organization's security measures.
🛡️ Follow Laura's gripping adventures and discoveries as she uncovers vulnerabilities, all in a riveting, fictionalized narrative. 📖✨
Perfect for tech aficionados or those intrigued by the dynamic world of penetration testing.
🔒 Delve into the gripping tales of true cybersecurity challenges in the InfoSec Diaries – where real-world incidents, investigations, and penetration test discoveries come to life.
📘 Discover these compelling stories, now available in Paperback, Kindle, and Audiobook formats.
Good morning #Fediverse. Hope your weekend was great and you had a nice relaxing time.
Let’s kick off the week with our #KoffeeWithKyle chat. For today, let’s discuss what we have planned for today and the week ahead.
For me, just the usual work stuff. Have to check into this PenTest assessment as it’s still going and has not finished. 🤔 Also didn’t get to do what I wanted this weekend.
The penetration testing industry has exploded in the last decade, as more and more organisations seek assurance that their cybersecurity strategies are being effectively implemented.
The Pen Test Diaries allow you to follow penetration tester Laura Knight through the technical and non-technical processes involved in testing an organisation’s information security measures.
Based on the author's real-world experiences, the diaries tell fictionalised versions of penetration testing discoveries. A must-read for anyone interested in computer security or the penetration testing field.
“Recently, one of our pen testers found a bastion host during an #Azure assumed-breach #pentest. We were given the credentials of an employee within Azure Active Directory. The pen tester was able to log into SSH with Azure #ActiveDirectory credentials. So, he got onto the bastion host, which was a #Linux box. One of the users on that box made their home directory world readable for everyone. He rifled through that user’s directory and found credentials for Snowflake, a third-party database service. He used those credentials to connect to the 3rd-party provider and gained access to production #data.” - @sethsec on a recent episode of the Cloud Security Podcast.
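The misconfiguration in the quoted chain is a home directory on a Linux bastion host that is readable by every local user. The script below is an added example, not code from @sethsec or the podcast: it audits the home directories under a given root for "other" read or execute permission, lists the files inside them that another user could read, and strips the "other" bits. The directory layout, user names, and the `.snowsql_rc` file are a constructed fixture built in a temporary directory so the script runs offline; on a real host point `HOME_ROOT` at `/home` and run the lock-down step as root.

```shell
#!/bin/sh
# Added example (not from the quoted post). Audit home directories for the
# world-readable misconfiguration described above, then remediate it.

# Constructed fixture standing in for /home (assumption: real hosts use /home).
# Returns the path of the temporary root it created.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/alice" "$root/bob/.config" "$root/carol"
    chmod 700 "$root/alice"      # correct: only the owner can read
    chmod 755 "$root/bob"        # the bug: any local user can list and read
    chmod 750 "$root/carol"      # group-readable, but not readable by "other"
    # Constructed secret, never a real credential.
    printf 'SNOWFLAKE_PASSWORD=hunter2\n' > "$root/bob/.snowsql_rc"
    chmod 644 "$root/bob/.snowsql_rc"
    printf 'token=example\n' > "$root/bob/.config/cli.token"
    chmod 600 "$root/bob/.config/cli.token"   # unreadable even though the dir is 755
    echo "$root"
}

# Home directories directly under $1 whose mode grants "other" read or execute.
# Either bit is enough: o+r lets an attacker list names, o+x lets them open
# files whose names they already know (.bashrc, .ssh/config, .snowsql_rc ...).
world_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -o=r -o -perm -o=x \) | sort
}

# Regular files inside a world-readable home that "other" can actually read,
# i.e. what the tester in the quote was able to rifle through.
exposed_files() {
    home="$1"
    find "$home" -type f -perm -o=r | sort
}

# Remediation: drop every "other" permission on each home directory under $1.
# In real use this needs root (or ownership of the directories).
lock_down_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rwx {} +
}

# Stand-alone demo on the constructed fixture; remove the fixture afterwards.
if [ "${RUN_DEMO:-1}" = "1" ]; then
    root=$(make_fixture)
    echo "world-readable home directories under $root:"
    world_readable_homes "$root"
    for h in $(world_readable_homes "$root"); do
        echo "files readable by any local user in $h:"
        exposed_files "$h"
    done
    lock_down_homes "$root"
    echo "after lock-down, world-readable homes: $(world_readable_homes "$root" | wc -l)"
    rm -rf "$root"
fi
```

Note the distinction the two checks draw: `exposed_files` only reports `.snowsql_rc`, because the 600 token file under the same 755 directory is still protected by its own mode. The directory permission decides what can be listed; the file permission decides what can be read, and both were wrong for the credential in the story.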
Did you know there are white hat grizzly bear hackers in Yellowstone?
These bears were so good at breaking into things, they became habituated (and thus dangerous) to humans. Rather than be euthanized, they live at this wildlife center and perform regular testing to QA bear-resistant products.
New episode of "Cyber, Cyber…" - this time about penetration tests: why they are carried out, what they look like in large and small organisations, what clients expect, and so on.