1 00:00:12,880 --> 00:00:17,600 welcome back 2 00:00:14,960 --> 00:00:19,840 uh we are joined by liam now to talk 3 00:00:17,600 --> 00:00:21,600 about working with penetration testers 4 00:00:19,840 --> 00:00:23,760 as a developer 5 00:00:21,600 --> 00:00:25,599 liam is a former software developer who 6 00:00:23,760 --> 00:00:28,480 switched to the dark side and started 7 00:00:25,599 --> 00:00:30,720 pen testing many moons ago 8 00:00:28,480 --> 00:00:32,480 formerly a director at assurance liam 9 00:00:30,720 --> 00:00:35,520 now runs the research and development 10 00:00:32,480 --> 00:00:38,000 program for the pen testers at cyber cx 11 00:00:35,520 --> 00:00:41,040 liam is enthusiastic about ducks so 12 00:00:38,000 --> 00:00:44,160 please get all the duck emojis in now 13 00:00:41,040 --> 00:00:45,280 take it away liam 14 00:00:44,160 --> 00:00:46,960 thank you 15 00:00:45,280 --> 00:00:48,239 all right welcome 16 00:00:46,960 --> 00:00:51,039 um 17 00:00:48,239 --> 00:00:52,399 yeah thanks for the intro and 18 00:00:51,039 --> 00:00:55,199 uh 19 00:00:52,399 --> 00:00:56,239 all right who am i uh talked about that 20 00:00:55,199 --> 00:00:59,359 a little bit 21 00:00:56,239 --> 00:01:00,960 before um 22 00:00:59,359 --> 00:01:02,879 my name's liam 23 00:01:00,960 --> 00:01:05,199 you can find me on twitter 24 00:01:02,879 --> 00:01:06,479 i am presenting to you from where 25 00:01:05,199 --> 00:01:09,680 injuryland 26 00:01:06,479 --> 00:01:10,720 um i am the research and development 27 00:01:09,680 --> 00:01:12,720 director 28 00:01:10,720 --> 00:01:14,479 for the security testing and insurance 29 00:01:12,720 --> 00:01:16,880 practice which is essentially the pen 30 00:01:14,479 --> 00:01:18,479 testers at cyber cx 31 00:01:16,880 --> 00:01:20,479 and i'm also 32 00:01:18,479 --> 00:01:21,759 acting director of the appsec team at 33 00:01:20,479 --> 00:01:23,119 the moment 34 00:01:21,759 --> 00:01:24,640 and 35 00:01:23,119 --> 00:01:28,400 what what are we talking about why are 36 00:01:24,640 --> 00:01:30,400 we here uh why am i here well 37 00:01:28,400 --> 00:01:32,079 i like to think of myself as a 38 00:01:30,400 --> 00:01:34,079 professional and for me that doesn't 39 00:01:32,079 --> 00:01:36,079 necessarily mean wearing a suit and 40 00:01:34,079 --> 00:01:38,240 collar means 41 00:01:36,079 --> 00:01:39,759 actually caring about the outcomes of my 42 00:01:38,240 --> 00:01:41,920 work and 43 00:01:39,759 --> 00:01:42,880 the customer experiences for you know 44 00:01:41,920 --> 00:01:45,200 when you're 45 00:01:42,880 --> 00:01:48,000 working as a pen tester consultant 46 00:01:45,200 --> 00:01:50,720 i get frustrated when 47 00:01:48,000 --> 00:01:52,560 i see engagements not go as well as they 48 00:01:50,720 --> 00:01:54,880 could 49 00:01:52,560 --> 00:01:55,920 i get frustrated when i see customers 50 00:01:54,880 --> 00:01:57,840 not getting 51 00:01:55,920 --> 00:01:59,920 value or 52 00:01:57,840 --> 00:02:02,880 uh spending too much money really 53 00:01:59,920 --> 00:02:04,880 because like pen testing is expensive uh 54 00:02:02,880 --> 00:02:07,840 mario's talk earlier on appsec you know 55 00:02:04,880 --> 00:02:10,560 talked about how important uh budget and 56 00:02:07,840 --> 00:02:13,120 cost is in information security 57 00:02:10,560 --> 00:02:15,599 um because like let's be honest like we 58 00:02:13,120 --> 00:02:18,400 we love security but every dollar spent 59 00:02:15,599 --> 00:02:20,560 on security is a dollar that's not spent 60 00:02:18,400 --> 00:02:22,319 on adding a feature or making it out 61 00:02:20,560 --> 00:02:24,400 more accessible or something actually 62 00:02:22,319 --> 00:02:27,760 constructive so what i'm hoping to 63 00:02:24,400 --> 00:02:29,680 achieve in this talk is to try and 64 00:02:27,760 --> 00:02:32,000 make things more efficient and avoid 65 00:02:29,680 --> 00:02:34,800 wasted effort 66 00:02:32,000 --> 00:02:37,040 so just for a bit of context if you're 67 00:02:34,800 --> 00:02:39,360 not familiar with it this is the owasp 68 00:02:37,040 --> 00:02:41,519 software assurance maturity model um 69 00:02:39,360 --> 00:02:44,400 shout out to owasp who were another 70 00:02:41,519 --> 00:02:46,000 great community run organization uh they 71 00:02:44,400 --> 00:02:46,879 just released their latest version of 72 00:02:46,000 --> 00:02:49,120 the 73 00:02:46,879 --> 00:02:51,680 os top 10 so if you're keen about web 74 00:02:49,120 --> 00:02:52,879 security go check that out it's great 75 00:02:51,680 --> 00:02:54,720 um 76 00:02:52,879 --> 00:02:57,440 but the reason i'm mentioning this is 77 00:02:54,720 --> 00:02:59,680 just to point out that like pen testing 78 00:02:57,440 --> 00:03:00,640 is a really small 79 00:02:59,680 --> 00:03:02,560 it's in 80 00:03:00,640 --> 00:03:04,879 part it's an important part but it's 81 00:03:02,560 --> 00:03:06,400 only a small part of the the much bigger 82 00:03:04,879 --> 00:03:07,360 security puzzle 83 00:03:06,400 --> 00:03:08,560 um 84 00:03:07,360 --> 00:03:10,560 so 85 00:03:08,560 --> 00:03:12,640 i know some pen testers seem to think 86 00:03:10,560 --> 00:03:14,400 that like pen testing is security and 87 00:03:12,640 --> 00:03:17,360 security is pen testing but that's 88 00:03:14,400 --> 00:03:18,800 definitely not the case 89 00:03:17,360 --> 00:03:20,640 and 90 00:03:18,800 --> 00:03:22,879 so if we think about 91 00:03:20,640 --> 00:03:24,239 developers and pen testers like we we 92 00:03:22,879 --> 00:03:26,080 have different 93 00:03:24,239 --> 00:03:27,840 expertise we have different experience 94 00:03:26,080 --> 00:03:29,360 we have different backgrounds i mean 95 00:03:27,840 --> 00:03:31,760 everyone does that can be said for 96 00:03:29,360 --> 00:03:33,200 everyone and that's like i was gonna say 97 00:03:31,760 --> 00:03:35,440 that's okay but that's that's more than 98 00:03:33,200 --> 00:03:37,599 okay like that's as it should be you 99 00:03:35,440 --> 00:03:39,599 know people um 100 00:03:37,599 --> 00:03:41,519 specialize in different things 101 00:03:39,599 --> 00:03:44,239 and what what i'm not trying to do with 102 00:03:41,519 --> 00:03:45,920 this talk is to turn developers into pen 103 00:03:44,239 --> 00:03:47,840 testers like what i'm trying to work on 104 00:03:45,920 --> 00:03:50,319 is that that bit of overlap so like when 105 00:03:47,840 --> 00:03:54,400 we're working together um 106 00:03:50,319 --> 00:03:56,560 how can that part run more smoothly 107 00:03:54,400 --> 00:03:58,640 and if it seems like the talk is a 108 00:03:56,560 --> 00:03:59,680 little bit one-sided in it where it's 109 00:03:58,640 --> 00:04:02,239 all about 110 00:03:59,680 --> 00:04:05,040 his things developers can do to work 111 00:04:02,239 --> 00:04:07,360 better with pen testers um remember that 112 00:04:05,040 --> 00:04:09,840 like in the shadow world there is a 113 00:04:07,360 --> 00:04:12,080 reverse version of this talk called 114 00:04:09,840 --> 00:04:14,560 you know working with developers 115 00:04:12,080 --> 00:04:17,120 as a pen tester and it includes a whole 116 00:04:14,560 --> 00:04:18,239 bunch of advice for how pen testers can 117 00:04:17,120 --> 00:04:20,320 do their job 118 00:04:18,239 --> 00:04:21,359 better and work with developers like 119 00:04:20,320 --> 00:04:23,280 things like 120 00:04:21,359 --> 00:04:24,880 remember that security testing isn't 121 00:04:23,280 --> 00:04:26,560 actually everyone's highest priority 122 00:04:24,880 --> 00:04:28,639 even if it's yours and 123 00:04:26,560 --> 00:04:30,960 remember that some features are actually 124 00:04:28,639 --> 00:04:32,960 more important than perfect security but 125 00:04:30,960 --> 00:04:34,479 anyway enough about the shadow talk back 126 00:04:32,960 --> 00:04:35,759 onto the real talk 127 00:04:34,479 --> 00:04:37,360 um 128 00:04:35,759 --> 00:04:40,400 so 129 00:04:37,360 --> 00:04:43,840 it seems silly to define what a pen test 130 00:04:40,400 --> 00:04:47,280 is but i think in the tech industry in 131 00:04:43,840 --> 00:04:49,360 general um terminology isn't often a 132 00:04:47,280 --> 00:04:51,360 source of miscommunication because like 133 00:04:49,360 --> 00:04:52,960 the same words mean different things to 134 00:04:51,360 --> 00:04:55,120 different people um 135 00:04:52,960 --> 00:04:58,320 samantha mentioned in her talk earlier 136 00:04:55,120 --> 00:05:00,720 about the difficulty of defining privacy 137 00:04:58,320 --> 00:05:04,479 i've got a slightly easier task 138 00:05:00,720 --> 00:05:06,960 defining pen testing so for me 139 00:05:04,479 --> 00:05:09,919 pen testing is 140 00:05:06,960 --> 00:05:11,680 a type of test that follows a 141 00:05:09,919 --> 00:05:13,520 methodology and the methodology looks 142 00:05:11,680 --> 00:05:15,120 something like this so 143 00:05:13,520 --> 00:05:17,600 if something doesn't follow this 144 00:05:15,120 --> 00:05:18,720 complete methodology so like for example 145 00:05:17,600 --> 00:05:21,280 if we're doing a threat and risk 146 00:05:18,720 --> 00:05:24,160 assessment on an application 147 00:05:21,280 --> 00:05:26,000 it's important work um you know straight 148 00:05:24,160 --> 00:05:28,240 modeling is 149 00:05:26,000 --> 00:05:29,919 a great critically important task 150 00:05:28,240 --> 00:05:31,759 everyone should do more threat modeling 151 00:05:29,919 --> 00:05:33,360 i love threat modeling 152 00:05:31,759 --> 00:05:35,840 just doing threat modeling is not a pen 153 00:05:33,360 --> 00:05:37,440 test and you know by the same token 154 00:05:35,840 --> 00:05:38,639 if you specialize in vulnerability 155 00:05:37,440 --> 00:05:40,720 research 156 00:05:38,639 --> 00:05:42,960 super interesting i love it 157 00:05:40,720 --> 00:05:44,560 it's not pen testing 158 00:05:42,960 --> 00:05:46,080 and pen testing's not vulnerability 159 00:05:44,560 --> 00:05:48,000 research 160 00:05:46,080 --> 00:05:50,320 same you know like 161 00:05:48,000 --> 00:05:52,000 despite some of the marketing materials 162 00:05:50,320 --> 00:05:54,160 coming out of certain bug bounty 163 00:05:52,000 --> 00:05:56,080 companies like bug bounties and not pen 164 00:05:54,160 --> 00:05:57,520 testing and pen testing is not bug 165 00:05:56,080 --> 00:06:00,560 bounties 166 00:05:57,520 --> 00:06:02,400 and the same thing for you know 167 00:06:00,560 --> 00:06:03,919 simple activities like vulnerability 168 00:06:02,400 --> 00:06:06,319 scanning 169 00:06:03,919 --> 00:06:08,639 this one in particular it can be a 170 00:06:06,319 --> 00:06:10,960 little bit frustrating because there are 171 00:06:08,639 --> 00:06:13,600 organizations out there that will 172 00:06:10,960 --> 00:06:15,680 sell people of onscan and say here's 173 00:06:13,600 --> 00:06:16,880 your pen test results 174 00:06:15,680 --> 00:06:18,479 um 175 00:06:16,880 --> 00:06:20,960 it's it's a bit of a challenge for our 176 00:06:18,479 --> 00:06:23,759 industry because it's 177 00:06:20,960 --> 00:06:24,880 not a pen test if you're not doing like 178 00:06:23,759 --> 00:06:27,360 the full 179 00:06:24,880 --> 00:06:29,680 the full activity 180 00:06:27,360 --> 00:06:32,639 um and thinking about this methodology 181 00:06:29,680 --> 00:06:34,639 an interesting thing for me at least 182 00:06:32,639 --> 00:06:37,680 because i love nerding out about this 183 00:06:34,639 --> 00:06:38,960 sort of stuff is that as you work from 184 00:06:37,680 --> 00:06:41,199 from left to right throughout the 185 00:06:38,960 --> 00:06:45,280 methodology um 186 00:06:41,199 --> 00:06:46,840 you need humans more and more so 187 00:06:45,280 --> 00:06:48,400 scripts 188 00:06:46,840 --> 00:06:52,880 and 189 00:06:48,400 --> 00:06:55,039 bots or you know ai if you in marketing 190 00:06:52,880 --> 00:06:56,720 uh are really good at doing discovery 191 00:06:55,039 --> 00:06:59,520 and enumeration 192 00:06:56,720 --> 00:07:01,919 um but as you get 193 00:06:59,520 --> 00:07:03,680 more and more towards the right you you 194 00:07:01,919 --> 00:07:05,680 really need more and more humans because 195 00:07:03,680 --> 00:07:08,639 humans understand 196 00:07:05,680 --> 00:07:10,560 context humans understand risk 197 00:07:08,639 --> 00:07:12,639 humans understand 198 00:07:10,560 --> 00:07:15,120 other human factors they know how to 199 00:07:12,639 --> 00:07:17,440 communicate better with other humans 200 00:07:15,120 --> 00:07:20,479 so 201 00:07:17,440 --> 00:07:22,960 pen testing does require 202 00:07:20,479 --> 00:07:24,240 a human to do it like it you know 203 00:07:22,960 --> 00:07:27,440 needs saying that you know you can't 204 00:07:24,240 --> 00:07:29,360 just have fully automated pen testing 205 00:07:27,440 --> 00:07:31,520 um 206 00:07:29,360 --> 00:07:34,720 and so who who who is this human that 207 00:07:31,520 --> 00:07:38,000 does it um can i just 208 00:07:34,720 --> 00:07:40,479 hack my own stuff um the answer to can 209 00:07:38,000 --> 00:07:41,360 you hack your own stuff is 210 00:07:40,479 --> 00:07:42,240 yeah 211 00:07:41,360 --> 00:07:45,039 yes 212 00:07:42,240 --> 00:07:45,759 absolutely please hack your own stuff 213 00:07:45,039 --> 00:07:47,680 like 214 00:07:45,759 --> 00:07:50,000 pen testers did not have a monopoly on 215 00:07:47,680 --> 00:07:53,199 security testing um they shouldn't have 216 00:07:50,000 --> 00:07:55,199 a monopoly on security testing um 217 00:07:53,199 --> 00:07:56,960 anyone can hack stuff like you don't 218 00:07:55,199 --> 00:07:58,479 have to wear a black hoodie you know you 219 00:07:56,960 --> 00:08:01,520 don't have to work for a pen testing 220 00:07:58,479 --> 00:08:03,039 company uh everyone can hack 221 00:08:01,520 --> 00:08:05,759 everything 222 00:08:03,039 --> 00:08:08,000 that they have permission to hack 223 00:08:05,759 --> 00:08:10,479 um so you know if it's if it's your own 224 00:08:08,000 --> 00:08:13,520 system assuming you do have permission 225 00:08:10,479 --> 00:08:16,639 to hack that so yeah absolutely do your 226 00:08:13,520 --> 00:08:18,080 own security testing um it's not really 227 00:08:16,639 --> 00:08:20,240 pen testing though what you're doing 228 00:08:18,080 --> 00:08:22,879 though like it's it's security testing 229 00:08:20,240 --> 00:08:24,080 but it's not a pen test in fact 230 00:08:22,879 --> 00:08:26,560 the 231 00:08:24,080 --> 00:08:29,599 person who builds the system is probably 232 00:08:26,560 --> 00:08:30,800 actually the worst person to pen test it 233 00:08:29,599 --> 00:08:33,680 because 234 00:08:30,800 --> 00:08:35,680 you know about how you built it so you 235 00:08:33,680 --> 00:08:37,039 have certain assumptions that you made 236 00:08:35,680 --> 00:08:38,719 as you build it 237 00:08:37,039 --> 00:08:40,719 um which means you're gonna have really 238 00:08:38,719 --> 00:08:42,479 big blind spots 239 00:08:40,719 --> 00:08:43,919 about it so 240 00:08:42,479 --> 00:08:46,080 really this sort of testing should be 241 00:08:43,919 --> 00:08:48,800 done by someone other than the person 242 00:08:46,080 --> 00:08:48,800 who built it 243 00:08:49,279 --> 00:08:52,839 right so 244 00:08:50,959 --> 00:08:55,440 pen test follows a 245 00:08:52,839 --> 00:08:57,279 methodology it needs to be done by 246 00:08:55,440 --> 00:08:59,600 someone who specializes in it like you 247 00:08:57,279 --> 00:09:01,600 can't just uh take any 248 00:08:59,600 --> 00:09:03,600 person with a tech background and throw 249 00:09:01,600 --> 00:09:06,000 a methodology in front of them and say 250 00:09:03,600 --> 00:09:09,120 now pen test this like you do need 251 00:09:06,000 --> 00:09:11,600 experience training um and at least for 252 00:09:09,120 --> 00:09:13,519 the purposes of this talk um i'm gonna 253 00:09:11,600 --> 00:09:15,760 say that a pen test is a sort of 254 00:09:13,519 --> 00:09:17,600 engagement based activity and that it's 255 00:09:15,760 --> 00:09:19,920 project you know it has a beginning it 256 00:09:17,600 --> 00:09:21,120 has an end um 257 00:09:19,920 --> 00:09:23,360 some people are interested in the 258 00:09:21,120 --> 00:09:24,399 concept of continuous pen testing you 259 00:09:23,360 --> 00:09:26,959 know 260 00:09:24,399 --> 00:09:29,040 is that a pen test is that sort of a 261 00:09:26,959 --> 00:09:32,240 different part of the abstract program 262 00:09:29,040 --> 00:09:33,920 you're sort of arguing semantics 263 00:09:32,240 --> 00:09:35,600 i'm just going to dodge that question 264 00:09:33,920 --> 00:09:38,320 for today 265 00:09:35,600 --> 00:09:39,200 and move into 266 00:09:38,320 --> 00:09:41,360 why 267 00:09:39,200 --> 00:09:43,519 why why why would we want to do a pen 268 00:09:41,360 --> 00:09:44,959 test like i've seen a whole bunch of 269 00:09:43,519 --> 00:09:48,240 different reasons 270 00:09:44,959 --> 00:09:51,200 that customers have had for uh 271 00:09:48,240 --> 00:09:52,880 for what i do it um 272 00:09:51,200 --> 00:09:55,120 many many more than this 273 00:09:52,880 --> 00:09:57,760 um 274 00:09:55,120 --> 00:09:59,920 the most common one these days is that 275 00:09:57,760 --> 00:10:02,640 it's really hard to sell a product 276 00:09:59,920 --> 00:10:04,560 without having it pen tested um and 277 00:10:02,640 --> 00:10:06,480 what's what's interesting uh there's a 278 00:10:04,560 --> 00:10:08,320 lot of talk in some of the earlier 279 00:10:06,480 --> 00:10:11,040 presentations about government 280 00:10:08,320 --> 00:10:13,120 legislation and 281 00:10:11,040 --> 00:10:15,200 this one hasn't so much been pushed by 282 00:10:13,120 --> 00:10:17,279 government because business themselves 283 00:10:15,200 --> 00:10:19,279 have got a lot more serious about it 284 00:10:17,279 --> 00:10:20,800 like as part of 285 00:10:19,279 --> 00:10:23,680 good governance you know if you're 286 00:10:20,800 --> 00:10:25,279 buying a sas 287 00:10:23,680 --> 00:10:27,279 if you're going to pay for a sas 288 00:10:25,279 --> 00:10:28,320 services offer provider you know you can 289 00:10:27,279 --> 00:10:29,760 say 290 00:10:28,320 --> 00:10:32,000 can you show us your pen test report 291 00:10:29,760 --> 00:10:32,959 please and if they say now what you're 292 00:10:32,000 --> 00:10:36,160 going to say 293 00:10:32,959 --> 00:10:37,680 um i'm going to go with another vendor 294 00:10:36,160 --> 00:10:39,839 so it's sort of business to business 295 00:10:37,680 --> 00:10:41,600 compliance is is driving a lot of 296 00:10:39,839 --> 00:10:43,760 testing and security which 297 00:10:41,600 --> 00:10:45,440 in my mind is a good thing 298 00:10:43,760 --> 00:10:47,519 all of these have one thing in common 299 00:10:45,440 --> 00:10:49,680 and that is they're all about risk 300 00:10:47,519 --> 00:10:51,360 management right 301 00:10:49,680 --> 00:10:53,600 so 302 00:10:51,360 --> 00:10:56,079 what risk in particular it's the risk 303 00:10:53,600 --> 00:10:58,800 that the system has vulnerabilities that 304 00:10:56,079 --> 00:10:58,800 you don't know about 305 00:10:59,040 --> 00:11:02,640 okay so 306 00:11:01,760 --> 00:11:04,560 when 307 00:11:02,640 --> 00:11:06,880 so when would you not do a pen test so 308 00:11:04,560 --> 00:11:08,800 like if you already know 309 00:11:06,880 --> 00:11:10,399 about vulnerabilities you don't need 310 00:11:08,800 --> 00:11:12,480 someone else to tell you about it like 311 00:11:10,399 --> 00:11:16,800 you need to be working on fixing those 312 00:11:12,480 --> 00:11:18,720 um another question we get sometimes is 313 00:11:16,800 --> 00:11:21,200 hey we've been hacked we don't really 314 00:11:18,720 --> 00:11:23,200 know how it happens but can you maybe do 315 00:11:21,200 --> 00:11:25,200 a pen test and figure out 316 00:11:23,200 --> 00:11:26,800 the vulnerability so we can fix it and 317 00:11:25,200 --> 00:11:29,760 it's like you don't you don't need pen 318 00:11:26,800 --> 00:11:31,360 testers you need incident responders um 319 00:11:29,760 --> 00:11:32,959 they're gonna do a much better job of 320 00:11:31,360 --> 00:11:34,079 figuring out and you know if you think 321 00:11:32,959 --> 00:11:35,519 there's a chance that there's still 322 00:11:34,079 --> 00:11:37,440 people live in your environment you 323 00:11:35,519 --> 00:11:40,079 don't you don't need more attackers you 324 00:11:37,440 --> 00:11:41,519 need fewer attackers 325 00:11:40,079 --> 00:11:43,279 so 326 00:11:41,519 --> 00:11:45,279 you pen test when it makes sense to from 327 00:11:43,279 --> 00:11:47,680 a risk managed point of view so 328 00:11:45,279 --> 00:11:49,200 uh what high-risk scenario is like i've 329 00:11:47,680 --> 00:11:50,959 never had a pen test done before you 330 00:11:49,200 --> 00:11:53,519 don't have a security baseline it's like 331 00:11:50,959 --> 00:11:55,200 you probably should do some testing um 332 00:11:53,519 --> 00:11:57,279 i'm about to release a new product i'm 333 00:11:55,200 --> 00:12:00,079 about to release a new feature 334 00:11:57,279 --> 00:12:02,240 it makes sense to to have testing done 335 00:12:00,079 --> 00:12:04,240 to lower your risk there 336 00:12:02,240 --> 00:12:05,839 all right so 337 00:12:04,240 --> 00:12:07,120 you have established that you probably 338 00:12:05,839 --> 00:12:08,800 need to 339 00:12:07,120 --> 00:12:11,040 get a pen test you need to know some 340 00:12:08,800 --> 00:12:12,959 things about yourself so 341 00:12:11,040 --> 00:12:14,959 what is it that you're trying to test is 342 00:12:12,959 --> 00:12:18,079 like this is a pretty easy question to 343 00:12:14,959 --> 00:12:20,160 answer and the obviously the more stuff 344 00:12:18,079 --> 00:12:21,920 that's in scope the more work it's going 345 00:12:20,160 --> 00:12:22,880 to take right that that should be pretty 346 00:12:21,920 --> 00:12:25,600 obvious 347 00:12:22,880 --> 00:12:27,279 slightly less obvious question is like 348 00:12:25,600 --> 00:12:28,480 exactly what about it 349 00:12:27,279 --> 00:12:30,800 do you want to know like what are you 350 00:12:28,480 --> 00:12:32,560 trying to test so like in infosec we 351 00:12:30,800 --> 00:12:34,320 always talk about the cia triad like 352 00:12:32,560 --> 00:12:36,959 that's the get out of jail free card 353 00:12:34,320 --> 00:12:39,040 it's the obvious one we want to test for 354 00:12:36,959 --> 00:12:41,519 these sort of things um sometimes you 355 00:12:39,040 --> 00:12:43,839 want to test for your ability to detect 356 00:12:41,519 --> 00:12:45,440 and respond to attacks 357 00:12:43,839 --> 00:12:48,240 um 358 00:12:45,440 --> 00:12:50,480 unknown unknowns as old mate rumsfeld 359 00:12:48,240 --> 00:12:52,000 called them like where are the gaps like 360 00:12:50,480 --> 00:12:53,360 we think we've got everything secured 361 00:12:52,000 --> 00:12:54,480 but like we don't know what we don't 362 00:12:53,360 --> 00:12:57,360 know 363 00:12:54,480 --> 00:13:00,240 um or like i'm not actually sure what 364 00:12:57,360 --> 00:13:02,160 i'm trying to secure about this thing 365 00:13:00,240 --> 00:13:04,240 and you know what that's that's actually 366 00:13:02,160 --> 00:13:05,839 fine for an answer like if you don't 367 00:13:04,240 --> 00:13:08,160 know like cool you've found a good 368 00:13:05,839 --> 00:13:10,639 question that you you need to answer and 369 00:13:08,160 --> 00:13:12,320 part of answering this is doing some 370 00:13:10,639 --> 00:13:14,320 basic threat modeling 371 00:13:12,320 --> 00:13:16,160 everyone seems a little bit scared of 372 00:13:14,320 --> 00:13:18,240 threat modelling like i think it's sold 373 00:13:16,160 --> 00:13:21,120 as this big complex 374 00:13:18,240 --> 00:13:23,200 activity um it doesn't have to be like 375 00:13:21,120 --> 00:13:26,000 so here's a mini talk how to do threat 376 00:13:23,200 --> 00:13:27,040 modeling in 10 seconds 377 00:13:26,000 --> 00:13:28,720 what are the bad things you want to 378 00:13:27,040 --> 00:13:30,480 avoid congratulations you're doing 379 00:13:28,720 --> 00:13:33,040 threat modelling done 380 00:13:30,480 --> 00:13:36,399 all right if that was too fast 381 00:13:33,040 --> 00:13:37,360 here's the 30 second version of it 382 00:13:36,399 --> 00:13:39,600 what 383 00:13:37,360 --> 00:13:41,519 might be affected 384 00:13:39,600 --> 00:13:43,519 who might do it 385 00:13:41,519 --> 00:13:45,760 how might they do it 386 00:13:43,519 --> 00:13:48,480 cool you've done straight modeling 387 00:13:45,760 --> 00:13:50,160 okay another thing to know about 388 00:13:48,480 --> 00:13:53,040 yourself 389 00:13:50,160 --> 00:13:54,160 is how mature is the target and 390 00:13:53,040 --> 00:13:55,600 this requires like a little bit of 391 00:13:54,160 --> 00:13:58,959 honesty like everyone likes to think 392 00:13:55,600 --> 00:14:00,079 that their stuff is super cool and super 393 00:13:58,959 --> 00:14:01,279 high level 394 00:14:00,079 --> 00:14:03,279 um 395 00:14:01,279 --> 00:14:06,000 it's not always the case like how 396 00:14:03,279 --> 00:14:09,120 security focused are you like and and 397 00:14:06,000 --> 00:14:10,480 you know honestly you know i are you 398 00:14:09,120 --> 00:14:13,120 uh 399 00:14:10,480 --> 00:14:15,120 handling super ridiculously important 400 00:14:13,120 --> 00:14:17,199 data or is it just 401 00:14:15,120 --> 00:14:18,959 you know uh 402 00:14:17,199 --> 00:14:21,279 of medium importance 403 00:14:18,959 --> 00:14:22,000 um how risk adverse or accepting are you 404 00:14:21,279 --> 00:14:23,839 like 405 00:14:22,000 --> 00:14:24,959 a lot of people seem to think oh we're 406 00:14:23,839 --> 00:14:26,320 very risk 407 00:14:24,959 --> 00:14:28,800 averse you know we're focused on 408 00:14:26,320 --> 00:14:31,440 security it's like no if you're a 409 00:14:28,800 --> 00:14:33,760 startup who you know has another startup 410 00:14:31,440 --> 00:14:35,920 working on the same sort of idea 411 00:14:33,760 --> 00:14:37,920 um and the most important thing for you 412 00:14:35,920 --> 00:14:40,560 is to get product to market like your 413 00:14:37,920 --> 00:14:42,880 risk accepting like 414 00:14:40,560 --> 00:14:45,279 i'm not saying ignore security 415 00:14:42,880 --> 00:14:47,760 but it's not your number one priority 416 00:14:45,279 --> 00:14:50,320 um do you have a baseline for the work 417 00:14:47,760 --> 00:14:52,240 um do you have a blue team do you have 418 00:14:50,320 --> 00:14:53,440 people who are working in like detection 419 00:14:52,240 --> 00:14:54,720 and response 420 00:14:53,440 --> 00:14:55,920 it's fine if you don't some 421 00:14:54,720 --> 00:14:58,160 organizations aren't big enough to 422 00:14:55,920 --> 00:14:59,440 justify having a blue team but it's 423 00:14:58,160 --> 00:15:00,959 these are things that you need to know 424 00:14:59,440 --> 00:15:03,040 about yourself 425 00:15:00,959 --> 00:15:05,519 when you're trying to decide 426 00:15:03,040 --> 00:15:07,199 what's going to be the best um 427 00:15:05,519 --> 00:15:09,920 the best way to engage and the best way 428 00:15:07,199 --> 00:15:12,560 to run pen tests 429 00:15:09,920 --> 00:15:15,600 and who's even gonna who's gonna do this 430 00:15:12,560 --> 00:15:17,040 pen test so if you work for a big 431 00:15:15,600 --> 00:15:19,040 multinational 432 00:15:17,040 --> 00:15:20,880 if you work for google for microsoft 433 00:15:19,040 --> 00:15:23,360 apple uh if you work for like one of 434 00:15:20,880 --> 00:15:24,639 australia's big four banks um you 435 00:15:23,360 --> 00:15:26,160 already have an answer to this question 436 00:15:24,639 --> 00:15:28,399 like your pen test is going to be done 437 00:15:26,160 --> 00:15:30,160 by your internal pen test team 438 00:15:28,399 --> 00:15:32,160 if you work for any organization that's 439 00:15:30,160 --> 00:15:34,480 smaller than those and doesn't have an 440 00:15:32,160 --> 00:15:36,000 internal pen testing capability you're 441 00:15:34,480 --> 00:15:38,079 going to get an external partner to do 442 00:15:36,000 --> 00:15:41,120 it 443 00:15:38,079 --> 00:15:42,639 and who are they so this this would if 444 00:15:41,120 --> 00:15:44,399 this talk was a sales pitch this would 445 00:15:42,639 --> 00:15:46,800 be the bit where i'd do the sales pitch 446 00:15:44,399 --> 00:15:48,959 about my company um 447 00:15:46,800 --> 00:15:51,040 i'm not going to do that that's fine 448 00:15:48,959 --> 00:15:52,480 um i will say 449 00:15:51,040 --> 00:15:54,240 in the 450 00:15:52,480 --> 00:15:56,160 security industry in general so this 451 00:15:54,240 --> 00:15:57,759 isn't just a pen testing 452 00:15:56,160 --> 00:16:00,480 problem 453 00:15:57,759 --> 00:16:02,240 assessing the quality of 454 00:16:00,480 --> 00:16:04,000 security services 455 00:16:02,240 --> 00:16:06,000 is a hard problem like 456 00:16:04,000 --> 00:16:07,920 you know tech is a pretty hot industry 457 00:16:06,000 --> 00:16:09,920 right now cyber security is a 458 00:16:07,920 --> 00:16:13,120 particularly hot area of the tech 459 00:16:09,920 --> 00:16:15,440 industry there's a lot of money um 460 00:16:13,120 --> 00:16:17,519 and so there's a lot of 461 00:16:15,440 --> 00:16:19,839 people attracted to that money 462 00:16:17,519 --> 00:16:23,360 it's hard to tell 463 00:16:19,839 --> 00:16:24,480 who's there selling snake oil 464 00:16:23,360 --> 00:16:26,320 and i'm not going to be able to solve 465 00:16:24,480 --> 00:16:29,040 that problem for you today 466 00:16:26,320 --> 00:16:31,040 but i will emphasize that when you're 467 00:16:29,040 --> 00:16:33,519 getting a pen test partner 468 00:16:31,040 --> 00:16:35,680 um this is a really high trust 469 00:16:33,519 --> 00:16:37,680 relationship like the people who are 470 00:16:35,680 --> 00:16:39,279 performing pen tests for you 471 00:16:37,680 --> 00:16:41,120 are going to have the sort of access 472 00:16:39,279 --> 00:16:43,279 that you only give to the most trusted 473 00:16:41,120 --> 00:16:45,120 members of your own staff 474 00:16:43,279 --> 00:16:47,360 so you know someone who's going to 475 00:16:45,120 --> 00:16:49,600 become a domain admin of your windows 476 00:16:47,360 --> 00:16:52,079 enterprise someone who's might get root 477 00:16:49,600 --> 00:16:53,519 access to your aws account 478 00:16:52,079 --> 00:16:55,920 um 479 00:16:53,519 --> 00:16:56,959 think about that and then think 480 00:16:55,920 --> 00:16:58,560 how 481 00:16:56,959 --> 00:17:00,079 how much do you want to know about the 482 00:16:58,560 --> 00:17:03,199 people who are doing this like you 483 00:17:00,079 --> 00:17:06,400 probably don't want some yahoo 484 00:17:03,199 --> 00:17:08,319 to be your next domain admin 485 00:17:06,400 --> 00:17:10,319 um 486 00:17:08,319 --> 00:17:11,039 but as i said it's a it's a hard problem 487 00:17:10,319 --> 00:17:14,160 to 488 00:17:11,039 --> 00:17:16,640 to assess um our industry has tried 489 00:17:14,160 --> 00:17:18,079 uh various different approaches to like 490 00:17:16,640 --> 00:17:19,760 make it more transparent you know 491 00:17:18,079 --> 00:17:21,199 there's different certifications for pen 492 00:17:19,760 --> 00:17:22,959 testers 493 00:17:21,199 --> 00:17:25,280 organizations have tried 494 00:17:22,959 --> 00:17:27,679 certifying organizations 495 00:17:25,280 --> 00:17:28,640 um like there's the crest program 496 00:17:27,679 --> 00:17:30,400 i 497 00:17:28,640 --> 00:17:31,679 without getting into it 498 00:17:30,400 --> 00:17:32,799 none of them have been completely 499 00:17:31,679 --> 00:17:36,160 successful 500 00:17:32,799 --> 00:17:38,559 um there's problems with all of them um 501 00:17:36,160 --> 00:17:41,440 but i will give you one bit of advice 502 00:17:38,559 --> 00:17:43,280 that is pretty universal in that if you 503 00:17:41,440 --> 00:17:45,039 want to know who's good talk to your 504 00:17:43,280 --> 00:17:47,280 peers like 505 00:17:45,039 --> 00:17:48,960 have you had pen testing done who did it 506 00:17:47,280 --> 00:17:50,720 were they good what was your experience 507 00:17:48,960 --> 00:17:53,679 like um 508 00:17:50,720 --> 00:17:55,679 most of the good pen testing firms in 509 00:17:53,679 --> 00:17:58,160 australia and internationally trade on 510 00:17:55,679 --> 00:17:59,280 their reputation you know like we do 511 00:17:58,160 --> 00:18:01,200 quality work 512 00:17:59,280 --> 00:18:02,720 and our customers tell 513 00:18:01,200 --> 00:18:04,720 their peers that they do quality work 514 00:18:02,720 --> 00:18:06,480 and that's what sort of keeps the ball 515 00:18:04,720 --> 00:18:08,720 rolling 516 00:18:06,480 --> 00:18:10,320 but there are sharks out there 517 00:18:08,720 --> 00:18:12,320 all right so 518 00:18:10,320 --> 00:18:14,480 you can have a pen test done you've sort 519 00:18:12,320 --> 00:18:16,799 of thought about who might do it 520 00:18:14,480 --> 00:18:17,760 but the most important thing is working 521 00:18:16,799 --> 00:18:20,320 out the 522 00:18:17,760 --> 00:18:22,640 scope of the test 523 00:18:20,320 --> 00:18:25,360 so if you google a thing called the 524 00:18:22,640 --> 00:18:28,080 project management triple constraint 525 00:18:25,360 --> 00:18:30,240 you'll find all these slightly different 526 00:18:28,080 --> 00:18:32,080 variations of the definition of the 527 00:18:30,240 --> 00:18:33,760 triple constraint but they all seem to 528 00:18:32,080 --> 00:18:35,280 agree that the triple constraint comes 529 00:18:33,760 --> 00:18:36,400 down to cost 530 00:18:35,280 --> 00:18:38,000 time 531 00:18:36,400 --> 00:18:40,160 scope 532 00:18:38,000 --> 00:18:41,200 and quality 533 00:18:40,160 --> 00:18:44,000 these 534 00:18:41,200 --> 00:18:46,720 four things make up the triple 535 00:18:44,000 --> 00:18:46,720 constraint 536 00:18:47,120 --> 00:18:49,360 so 537 00:18:48,080 --> 00:18:51,760 ignoring the fact that project 538 00:18:49,360 --> 00:18:54,720 management makes no sense at all 539 00:18:51,760 --> 00:18:56,799 time scope cost quality we can simplify 540 00:18:54,720 --> 00:18:59,280 this a little bit in this uh in a pen 541 00:18:56,799 --> 00:19:01,039 testing uh model because when you're 542 00:18:59,280 --> 00:19:02,320 sort of working on a consultancy model 543 00:19:01,039 --> 00:19:04,080 like whether they're 544 00:19:02,320 --> 00:19:06,720 internal pen testers external pen 545 00:19:04,080 --> 00:19:10,480 testers um you typically have a day rate 546 00:19:06,720 --> 00:19:12,960 so time is cost that's simple um quality 547 00:19:10,480 --> 00:19:15,600 is probably not that much of a variable 548 00:19:12,960 --> 00:19:17,600 because if you say hey i just need a pen 549 00:19:15,600 --> 00:19:21,360 test for compliance purposes can you 550 00:19:17,600 --> 00:19:24,080 just do a really bad job of it please um 551 00:19:21,360 --> 00:19:25,039 most pen testing companies will say um 552 00:19:24,080 --> 00:19:27,840 no 553 00:19:25,039 --> 00:19:29,280 because we put our name on the report 554 00:19:27,840 --> 00:19:31,760 and then you show that report to other 555 00:19:29,280 --> 00:19:33,760 people and if it's later shown to be 556 00:19:31,760 --> 00:19:35,520 fraudulent we look really bad we get the 557 00:19:33,760 --> 00:19:38,799 bad reputation 558 00:19:35,520 --> 00:19:40,400 we don't get follow-on work from anyone 559 00:19:38,799 --> 00:19:42,720 so 560 00:19:40,400 --> 00:19:44,000 at least the reputable pentest companies 561 00:19:42,720 --> 00:19:46,000 will not 562 00:19:44,000 --> 00:19:48,080 do poor quality work and we're not 563 00:19:46,000 --> 00:19:49,679 saying that you know this is one of the 564 00:19:48,080 --> 00:19:51,280 areas where the perfect is the enemy of 565 00:19:49,679 --> 00:19:53,120 the good like no 566 00:19:51,280 --> 00:19:54,960 no test is there a hundred percent 567 00:19:53,120 --> 00:19:57,200 complete it's all done from a risk 568 00:19:54,960 --> 00:19:59,840 managed point of view 569 00:19:57,200 --> 00:20:01,840 but quality doesn't really hopefully 570 00:19:59,840 --> 00:20:03,280 vary that much so it pretty much comes 571 00:20:01,840 --> 00:20:06,080 down to 572 00:20:03,280 --> 00:20:07,200 scope is cost and cost is scope so the 573 00:20:06,080 --> 00:20:09,039 more scope 574 00:20:07,200 --> 00:20:10,799 there is the more it's going to cost so 575 00:20:09,039 --> 00:20:12,240 getting that scope right is absolutely 576 00:20:10,799 --> 00:20:14,000 critical 577 00:20:12,240 --> 00:20:15,840 um now there's different types of 578 00:20:14,000 --> 00:20:17,919 penetration tests you know talk about 579 00:20:15,840 --> 00:20:18,880 white box testing black box testing red 580 00:20:17,919 --> 00:20:22,320 team 581 00:20:18,880 --> 00:20:24,799 red team is a relatively 582 00:20:22,320 --> 00:20:27,120 misunderstood term there's this like 583 00:20:24,799 --> 00:20:30,159 perception among some people that like a 584 00:20:27,120 --> 00:20:33,679 red team is like a pen test but better 585 00:20:30,159 --> 00:20:35,840 and that's not really the case 586 00:20:33,679 --> 00:20:37,200 at all so to to better understand sort 587 00:20:35,840 --> 00:20:38,880 of the difference between some of these 588 00:20:37,200 --> 00:20:40,799 types of testing 589 00:20:38,880 --> 00:20:42,480 thinking about 590 00:20:40,799 --> 00:20:45,039 target's knowledge of attack and 591 00:20:42,480 --> 00:20:48,159 attackers knowledge of the target 592 00:20:45,039 --> 00:20:50,000 so a red team or at my work we call them 593 00:20:48,159 --> 00:20:51,840 adversary simulations 594 00:20:50,000 --> 00:20:54,400 to try and help alleviate some of the 595 00:20:51,840 --> 00:20:57,039 misunderstandings um 596 00:20:54,400 --> 00:20:58,240 and red team or adversary simulation 597 00:20:57,039 --> 00:21:01,760 sits here 598 00:20:58,240 --> 00:21:05,679 so it's very close to what would happen 599 00:21:01,760 --> 00:21:06,960 in in the case of like real attackers so 600 00:21:05,679 --> 00:21:08,640 target doesn't know they're being 601 00:21:06,960 --> 00:21:10,000 attacked but also 602 00:21:08,640 --> 00:21:11,120 that you don't get any insider 603 00:21:10,000 --> 00:21:13,360 information 604 00:21:11,120 --> 00:21:14,400 and uh like a white box pen test which 605 00:21:13,360 --> 00:21:16,000 is where 606 00:21:14,400 --> 00:21:18,080 the testers get given as much 607 00:21:16,000 --> 00:21:20,320 information as possible about the 608 00:21:18,080 --> 00:21:21,679 environment to allow them to do the test 609 00:21:20,320 --> 00:21:23,600 it's sort of at the opposite end of the 610 00:21:21,679 --> 00:21:25,520 spectrum up here 611 00:21:23,600 --> 00:21:27,440 and a lot of people ask 612 00:21:25,520 --> 00:21:29,520 like real world attackers don't get the 613 00:21:27,440 --> 00:21:31,440 insider info like why would i give it to 614 00:21:29,520 --> 00:21:33,360 pen testers like isn't that cheating 615 00:21:31,440 --> 00:21:35,679 it's like yeah it's it's absolutely 616 00:21:33,360 --> 00:21:37,280 cheating but if you come back to this 617 00:21:35,679 --> 00:21:39,280 methodology of everything that's 618 00:21:37,280 --> 00:21:40,880 included in a pen test we've only got a 619 00:21:39,280 --> 00:21:43,039 certain amount of time to do all these 620 00:21:40,880 --> 00:21:45,919 activities so if we can shrink the 621 00:21:43,039 --> 00:21:48,400 amount of time spent on these initial 622 00:21:45,919 --> 00:21:50,240 tasks and if you spend less time doing 623 00:21:48,400 --> 00:21:52,000 discovery it means you can spend more 624 00:21:50,240 --> 00:21:54,159 time doing volume discovery and that 625 00:21:52,000 --> 00:21:57,039 that's one of the key differences 626 00:21:54,159 --> 00:21:59,520 between a pen test and a red test uh red 627 00:21:57,039 --> 00:22:01,679 team is that with a pen test you're 628 00:21:59,520 --> 00:22:04,720 trying to find as many vulnerabilities 629 00:22:01,679 --> 00:22:06,400 as possible in the time that you have 630 00:22:04,720 --> 00:22:09,440 you're not trying to be like a real 631 00:22:06,400 --> 00:22:10,960 world attacker whereas with a red team 632 00:22:09,440 --> 00:22:12,720 you are trying to be more like a real 633 00:22:10,960 --> 00:22:14,720 world attacker you're trying to achieve 634 00:22:12,720 --> 00:22:15,600 a specific objective so that might be 635 00:22:14,720 --> 00:22:19,039 you know 636 00:22:15,600 --> 00:22:20,640 get access to the hr documents it's like 637 00:22:19,039 --> 00:22:22,159 cool i might do that through phishing i 638 00:22:20,640 --> 00:22:23,760 might do that through physically going 639 00:22:22,159 --> 00:22:25,280 inside an office 640 00:22:23,760 --> 00:22:27,600 might do it through you know hacking 641 00:22:25,280 --> 00:22:29,840 your hr system there's a whole bunch of 642 00:22:27,600 --> 00:22:32,159 different ways and red teaming is all 643 00:22:29,840 --> 00:22:34,320 about chaining vulnerabilities together 644 00:22:32,159 --> 00:22:36,159 to achieve that objective 645 00:22:34,320 --> 00:22:38,400 but you're not trying to find as many 646 00:22:36,159 --> 00:22:40,640 vulnerabilities as possible 647 00:22:38,400 --> 00:22:42,720 on a red team engagement you're just 648 00:22:40,640 --> 00:22:44,880 trying to achieve the goal 649 00:22:42,720 --> 00:22:46,400 whereas with a pen test you are trying 650 00:22:44,880 --> 00:22:48,480 to find as many vulnerabilities as 651 00:22:46,400 --> 00:22:50,159 possible and so as a result you don't 652 00:22:48,480 --> 00:22:51,679 work like a real world attacker like 653 00:22:50,159 --> 00:22:52,880 real world attackers need to be a bit 654 00:22:51,679 --> 00:22:54,320 stealthy 655 00:22:52,880 --> 00:22:55,760 during a pen test you're not trying to 656 00:22:54,320 --> 00:22:57,120 be stealthy 657 00:22:55,760 --> 00:22:59,919 you're actually the opposite you're 658 00:22:57,120 --> 00:23:02,400 being as noisy as possible like 659 00:22:59,919 --> 00:23:05,679 you should be showing up all over logs 660 00:23:02,400 --> 00:23:07,679 during a regular pen test 661 00:23:05,679 --> 00:23:09,520 so this is this is the last slide about 662 00:23:07,679 --> 00:23:11,760 red teaming 663 00:23:09,520 --> 00:23:14,159 it's good for certain types of 664 00:23:11,760 --> 00:23:17,280 engagements uh it helps flash out those 665 00:23:14,159 --> 00:23:20,080 sort of unknown unknowns and if one of 666 00:23:17,280 --> 00:23:22,240 your objectives is to test your internal 667 00:23:20,080 --> 00:23:23,600 blue team capability 668 00:23:22,240 --> 00:23:24,880 red teams 669 00:23:23,600 --> 00:23:26,000 are what you want 670 00:23:24,880 --> 00:23:28,480 but 671 00:23:26,000 --> 00:23:29,360 it's more expensive it takes longer and 672 00:23:28,480 --> 00:23:31,039 you're going to find less 673 00:23:29,360 --> 00:23:32,559 vulnerabilities so unless you have the 674 00:23:31,039 --> 00:23:34,480 maturity 675 00:23:32,559 --> 00:23:36,799 to be running a red team it's not going 676 00:23:34,480 --> 00:23:38,320 to be the best value and so 677 00:23:36,799 --> 00:23:40,640 an obvious follow-up question is like 678 00:23:38,320 --> 00:23:42,720 can we get a bit of both um can we do a 679 00:23:40,640 --> 00:23:44,320 sort of hybrid approach 680 00:23:42,720 --> 00:23:46,480 the answer is of course you know the 681 00:23:44,320 --> 00:23:48,559 customer's always right we can do a 682 00:23:46,480 --> 00:23:50,720 hybrid approach but it's probably not a 683 00:23:48,559 --> 00:23:52,400 great idea to do it because you'll end 684 00:23:50,720 --> 00:23:54,960 up doing things like 685 00:23:52,400 --> 00:23:56,240 seeing if your blue team can detect 686 00:23:54,960 --> 00:23:57,840 if there were pen testers in your 687 00:23:56,240 --> 00:23:59,520 environment which 688 00:23:57,840 --> 00:24:02,720 like who cares you want your blue team 689 00:23:59,520 --> 00:24:04,559 to detect real type of attacks 690 00:24:02,720 --> 00:24:06,320 there is another type of hybrid approach 691 00:24:04,559 --> 00:24:08,799 called a purple team which is pretty 692 00:24:06,320 --> 00:24:11,120 much a red team but the red team sits 693 00:24:08,799 --> 00:24:12,559 down next to the blue team and they go 694 00:24:11,120 --> 00:24:13,919 okay we did this 695 00:24:12,559 --> 00:24:16,159 did you detect it let's look at your 696 00:24:13,919 --> 00:24:17,279 logs together oh cool you found it in 697 00:24:16,159 --> 00:24:18,400 logs all right now i'm going to do the 698 00:24:17,279 --> 00:24:20,159 next thing 699 00:24:18,400 --> 00:24:23,120 did it appear in your logs and it's sort 700 00:24:20,159 --> 00:24:24,559 of the objective of a purple team is 701 00:24:23,120 --> 00:24:25,919 leveling up 702 00:24:24,559 --> 00:24:27,440 your blue team 703 00:24:25,919 --> 00:24:29,919 different type of hybrid approach purple 704 00:24:27,440 --> 00:24:32,000 team makes sense trying to do a hybrid 705 00:24:29,919 --> 00:24:36,080 between white box and red teaming 706 00:24:32,000 --> 00:24:36,080 doesn't make sense so much 707 00:24:36,559 --> 00:24:40,240 other things that we can adjust in the 708 00:24:38,240 --> 00:24:41,840 scope what type of environment are we 709 00:24:40,240 --> 00:24:43,600 gonna 710 00:24:41,840 --> 00:24:45,679 target for the test like 711 00:24:43,600 --> 00:24:48,320 target all your environments 712 00:24:45,679 --> 00:24:49,919 probably going to take too long 713 00:24:48,320 --> 00:24:51,200 and there's no one-size-fits-all answer 714 00:24:49,919 --> 00:24:52,400 to this like 715 00:24:51,200 --> 00:24:54,320 um 716 00:24:52,400 --> 00:24:56,720 it makes more sense to test in prod a 717 00:24:54,320 --> 00:24:58,400 lot of the time but there's always that 718 00:24:56,720 --> 00:25:00,240 risk that you might break something 719 00:24:58,400 --> 00:25:02,799 during a pen test and cause availability 720 00:25:00,240 --> 00:25:05,279 issues to prod but on the other hand 721 00:25:02,799 --> 00:25:07,200 real world attackers test in prod and 722 00:25:05,279 --> 00:25:08,799 they test and test and they test in dev 723 00:25:07,200 --> 00:25:11,360 they'll try and target any of your 724 00:25:08,799 --> 00:25:12,480 environments 725 00:25:11,360 --> 00:25:14,240 this is something you need to work 726 00:25:12,480 --> 00:25:17,679 through about what makes the most sense 727 00:25:14,240 --> 00:25:17,679 for your specific environment 728 00:25:17,760 --> 00:25:20,640 and 729 00:25:18,960 --> 00:25:23,360 okay what sort of authentication are we 730 00:25:20,640 --> 00:25:26,159 going to give the pen testers so a 731 00:25:23,360 --> 00:25:27,919 really common misunderstanding is 732 00:25:26,159 --> 00:25:30,000 hey so the thing that we're most 733 00:25:27,919 --> 00:25:32,960 concerned about is 734 00:25:30,000 --> 00:25:34,880 an unauthenticated attacker can do 735 00:25:32,960 --> 00:25:36,960 bad things so like say you've got what 736 00:25:34,880 --> 00:25:38,720 should be a mainly read-only website so 737 00:25:36,960 --> 00:25:40,400 you know it's a brochure website it's a 738 00:25:38,720 --> 00:25:41,840 blog 739 00:25:40,400 --> 00:25:43,679 something that where most most of your 740 00:25:41,840 --> 00:25:44,960 users are unauthenticated 741 00:25:43,679 --> 00:25:47,279 um 742 00:25:44,960 --> 00:25:49,120 does that mean that the type of testing 743 00:25:47,279 --> 00:25:51,360 that you should be doing and the type of 744 00:25:49,120 --> 00:25:52,720 access you should give to testers is 745 00:25:51,360 --> 00:25:55,120 uh 746 00:25:52,720 --> 00:25:57,520 just unauthenticated testing like in 747 00:25:55,120 --> 00:25:59,840 intuitively you'd say yeah 748 00:25:57,520 --> 00:26:03,440 but in reality 749 00:25:59,840 --> 00:26:05,840 what you're really testing is 750 00:26:03,440 --> 00:26:06,880 can unauthenticated 751 00:26:05,840 --> 00:26:10,080 users 752 00:26:06,880 --> 00:26:12,400 do things that authenticated users can 753 00:26:10,080 --> 00:26:15,279 and the easiest way to test that is to 754 00:26:12,400 --> 00:26:16,480 give the testers access 755 00:26:15,279 --> 00:26:18,880 to an 756 00:26:16,480 --> 00:26:19,919 authenticated account 757 00:26:18,880 --> 00:26:22,880 and then they can see if they can 758 00:26:19,919 --> 00:26:24,720 replicate that in an unauthenticated way 759 00:26:22,880 --> 00:26:26,159 otherwise they're sort of like flailing 760 00:26:24,720 --> 00:26:27,679 around a little bit in the dark trying 761 00:26:26,159 --> 00:26:30,480 to figure out what functionality is 762 00:26:27,679 --> 00:26:31,520 there that they might be able to access 763 00:26:30,480 --> 00:26:33,679 so 764 00:26:31,520 --> 00:26:35,200 similar sort of thing when it comes to 765 00:26:33,679 --> 00:26:37,440 assessing what sort of roles you want to 766 00:26:35,200 --> 00:26:39,120 include in a pen test like you say oh 767 00:26:37,440 --> 00:26:41,279 look we trust our admins so we just want 768 00:26:39,120 --> 00:26:42,799 to test unprivileged users it's like no 769 00:26:41,279 --> 00:26:45,520 but what you want to test is if your 770 00:26:42,799 --> 00:26:46,559 unprivileged users can perform 771 00:26:45,520 --> 00:26:50,559 privileged 772 00:26:46,559 --> 00:26:53,440 actions so again it makes sense to 773 00:26:50,559 --> 00:26:56,240 include admin roles if possible now the 774 00:26:53,440 --> 00:26:59,039 number of roles that you test 775 00:26:56,240 --> 00:27:00,880 is going to have a huge impact on 776 00:26:59,039 --> 00:27:02,799 how much testing is actually required 777 00:27:00,880 --> 00:27:04,000 it's like related to the the handshake 778 00:27:02,799 --> 00:27:06,400 problem you know like if you have two 779 00:27:04,000 --> 00:27:08,480 roles two people as one handshake 780 00:27:06,400 --> 00:27:10,000 three people is 781 00:27:08,480 --> 00:27:11,840 three handshakes 782 00:27:10,000 --> 00:27:14,080 it it goes up and up and up the more 783 00:27:11,840 --> 00:27:15,360 roles that you include and 784 00:27:14,080 --> 00:27:16,799 so if you've got something like this 785 00:27:15,360 --> 00:27:18,640 this is from like 786 00:27:16,799 --> 00:27:20,960 sap um 787 00:27:18,640 --> 00:27:22,640 this is a matrix of like roles to users 788 00:27:20,960 --> 00:27:24,559 and a security architect will say oh 789 00:27:22,640 --> 00:27:26,159 this is this is really good this is nice 790 00:27:24,559 --> 00:27:28,320 fine-grained principle of least 791 00:27:26,159 --> 00:27:30,480 privilege applied and a tester will look 792 00:27:28,320 --> 00:27:32,320 at this and go like oh my god like 793 00:27:30,480 --> 00:27:35,279 you want me to test all of these like 794 00:27:32,320 --> 00:27:36,880 this will take me a year so 795 00:27:35,279 --> 00:27:39,520 at the end of the day you need to make a 796 00:27:36,880 --> 00:27:42,080 risk-based decision on what makes sense 797 00:27:39,520 --> 00:27:43,760 to test in terms of roles 798 00:27:42,080 --> 00:27:45,520 pick the most 799 00:27:43,760 --> 00:27:47,840 commonly used roles 800 00:27:45,520 --> 00:27:50,480 and go with them is is usually the 801 00:27:47,840 --> 00:27:52,320 approach that you go with um similar to 802 00:27:50,480 --> 00:27:54,399 roles is like the interfaces of your app 803 00:27:52,320 --> 00:27:57,039 so like you've got a user facing in 804 00:27:54,399 --> 00:27:59,120 interface um some apps will have the 805 00:27:57,039 --> 00:28:01,520 admins log into the same interface other 806 00:27:59,120 --> 00:28:04,240 apps will have like a totally separate 807 00:28:01,520 --> 00:28:06,880 out-of-band admin interface like do we 808 00:28:04,240 --> 00:28:09,600 want to test that as well um 809 00:28:06,880 --> 00:28:11,039 yeah you probably will like 810 00:28:09,600 --> 00:28:13,440 fewer people use it but this is the 811 00:28:11,039 --> 00:28:16,480 high-risk part of the app and uh this is 812 00:28:13,440 --> 00:28:18,000 where a lot of people get popped 813 00:28:16,480 --> 00:28:19,679 and people think cool this is our whole 814 00:28:18,000 --> 00:28:21,120 application the user facing interface 815 00:28:19,679 --> 00:28:24,799 and optionally the admin facing 816 00:28:21,120 --> 00:28:26,720 interface it's like did you forget about 817 00:28:24,799 --> 00:28:28,320 this little guy 818 00:28:26,720 --> 00:28:29,840 because a lot of people don't consider 819 00:28:28,320 --> 00:28:32,000 this in scope for when they're testing 820 00:28:29,840 --> 00:28:35,279 systems and 821 00:28:32,000 --> 00:28:37,440 when your infrastructure is in the cloud 822 00:28:35,279 --> 00:28:39,200 that means potentially other people can 823 00:28:37,440 --> 00:28:40,559 access that if you've misconfigured 824 00:28:39,200 --> 00:28:43,679 anything in your cloud environment if 825 00:28:40,559 --> 00:28:46,559 you've got open s3 buckets if you've got 826 00:28:43,679 --> 00:28:46,559 roles not right 827 00:28:46,720 --> 00:28:49,360 guess what you'll get hacked just the 828 00:28:48,080 --> 00:28:51,440 same as if you've got hacked through the 829 00:28:49,360 --> 00:28:53,120 front door of your web app the good news 830 00:28:51,440 --> 00:28:55,440 for testing cloud environments is 831 00:28:53,120 --> 00:28:56,480 because they're all the same 832 00:28:55,440 --> 00:28:58,960 it's 833 00:28:56,480 --> 00:29:02,000 relatively efficient to test cloud 834 00:28:58,960 --> 00:29:03,919 environments these days 835 00:29:02,000 --> 00:29:06,880 uh 836 00:29:03,919 --> 00:29:08,240 your web app's got a waff in front of it 837 00:29:06,880 --> 00:29:10,399 should you 838 00:29:08,240 --> 00:29:12,399 test with the waff it's like the waf is 839 00:29:10,399 --> 00:29:14,480 there to slow attackers down 840 00:29:12,399 --> 00:29:16,399 in the real world you want to slow bad 841 00:29:14,480 --> 00:29:18,159 guys down you don't want to slow pan 842 00:29:16,399 --> 00:29:20,000 testers down the best way to approach 843 00:29:18,159 --> 00:29:22,960 with waffs is 844 00:29:20,000 --> 00:29:24,159 disable it for the testers ip addresses 845 00:29:22,960 --> 00:29:25,440 um 846 00:29:24,159 --> 00:29:26,240 if you want to know if the waff was 847 00:29:25,440 --> 00:29:28,480 being 848 00:29:26,240 --> 00:29:31,279 effective if they found issues get them 849 00:29:28,480 --> 00:29:33,440 to retest those issues again um with the 850 00:29:31,279 --> 00:29:35,600 wife present 851 00:29:33,440 --> 00:29:37,760 all right 852 00:29:35,600 --> 00:29:40,000 we've got the engagement uh we're 853 00:29:37,760 --> 00:29:42,480 getting ready to start 854 00:29:40,000 --> 00:29:44,320 best thing to do is talk it up like we 855 00:29:42,480 --> 00:29:45,440 need to communicate there's some really 856 00:29:44,320 --> 00:29:47,679 obvious things that we're going to talk 857 00:29:45,440 --> 00:29:50,000 about so like pen testers are going to 858 00:29:47,679 --> 00:29:51,200 tell you the source ip addresses 859 00:29:50,000 --> 00:29:53,120 the people being tested are going to 860 00:29:51,200 --> 00:29:54,799 provide credentials to the testers and 861 00:29:53,120 --> 00:29:56,480 some documentation 862 00:29:54,799 --> 00:29:59,120 but 863 00:29:56,480 --> 00:30:01,919 some less obvious stuff is like 864 00:29:59,120 --> 00:30:04,000 doing proper introductions so like don't 865 00:30:01,919 --> 00:30:05,760 just say this is alice this is bob they 866 00:30:04,000 --> 00:30:07,120 work on the team it's like this is bob 867 00:30:05,760 --> 00:30:08,799 he's the project manager he's 868 00:30:07,120 --> 00:30:10,000 responsible for the project schedule 869 00:30:08,799 --> 00:30:11,600 like if something's going to affect the 870 00:30:10,000 --> 00:30:14,320 project schedule 871 00:30:11,600 --> 00:30:16,720 tell bob this is alice she wrote the api 872 00:30:14,320 --> 00:30:19,120 she's your technical contact for 873 00:30:16,720 --> 00:30:20,960 questions about the api 874 00:30:19,120 --> 00:30:22,799 uh have a comms plan if we find a 875 00:30:20,960 --> 00:30:24,559 vulnerability 876 00:30:22,799 --> 00:30:26,240 how are you going to tell us about it 877 00:30:24,559 --> 00:30:27,840 how do you want to know and then during 878 00:30:26,240 --> 00:30:30,399 the engagement 879 00:30:27,840 --> 00:30:32,799 follow that that story a great thing is 880 00:30:30,399 --> 00:30:34,080 if you can get testers embedded into 881 00:30:32,799 --> 00:30:36,960 your 882 00:30:34,080 --> 00:30:39,760 your work slack uh or teams like 883 00:30:36,960 --> 00:30:41,440 whatever you're using internally um 884 00:30:39,760 --> 00:30:43,679 talk it up 885 00:30:41,440 --> 00:30:45,679 keep change to a minimum during the test 886 00:30:43,679 --> 00:30:47,760 like try not to keep changing things 887 00:30:45,679 --> 00:30:49,360 while people are testing it 888 00:30:47,760 --> 00:30:50,960 um 889 00:30:49,360 --> 00:30:52,640 if someone reports a vulnerability 890 00:30:50,960 --> 00:30:55,600 during the engagement that's actually a 891 00:30:52,640 --> 00:30:57,120 pretty high risk scenario because 892 00:30:55,600 --> 00:30:58,799 they've told you about it early so you 893 00:30:57,120 --> 00:31:02,880 can fix it early but it also means that 894 00:30:58,799 --> 00:31:02,880 you haven't had any risk analysis done 895 00:31:03,039 --> 00:31:06,960 so keep talking to the pen test it's 896 00:31:04,880 --> 00:31:09,519 like hey sue thanks for reporting that 897 00:31:06,960 --> 00:31:11,840 this is the fix we're thinking about 898 00:31:09,519 --> 00:31:14,000 will that work 899 00:31:11,840 --> 00:31:16,320 if you've got any other advice like 900 00:31:14,000 --> 00:31:20,000 keep the communication open uh post 901 00:31:16,320 --> 00:31:22,080 engagement if people um like we often 902 00:31:20,000 --> 00:31:24,000 offer people a 903 00:31:22,080 --> 00:31:25,919 uh follow-up meeting 904 00:31:24,000 --> 00:31:27,039 take take take the pen testers up on the 905 00:31:25,919 --> 00:31:29,760 meeting if there's anything you're not 906 00:31:27,039 --> 00:31:31,679 sure about um again we're thinking about 907 00:31:29,760 --> 00:31:33,740 addressing this issue 908 00:31:31,679 --> 00:31:34,960 what do you think about this approach 909 00:31:33,740 --> 00:31:35,679 [Music] 910 00:31:34,960 --> 00:31:37,200 so 911 00:31:35,679 --> 00:31:40,720 in summary 912 00:31:37,200 --> 00:31:42,799 the key themes i guess from all this is 913 00:31:40,720 --> 00:31:44,080 it's it's uh 914 00:31:42,799 --> 00:31:45,840 this is all about the relationship 915 00:31:44,080 --> 00:31:48,240 between developers and pen testers and 916 00:31:45,840 --> 00:31:51,039 the keys to any good relationship are 917 00:31:48,240 --> 00:31:52,720 open clear communication pen testers 918 00:31:51,039 --> 00:31:55,120 only pretend 919 00:31:52,720 --> 00:31:57,600 to be bad guys we're not actually bad 920 00:31:55,120 --> 00:31:59,840 guys we're actually on your side 921 00:31:57,600 --> 00:32:02,320 so we like to work with you we're not 922 00:31:59,840 --> 00:32:03,440 working against you 923 00:32:02,320 --> 00:32:06,480 and that's me 924 00:32:03,440 --> 00:32:09,279 thank you very much 925 00:32:06,480 --> 00:32:10,720 thank you very much i'm amazed how well 926 00:32:09,279 --> 00:32:13,120 you sped up at the end there without 927 00:32:10,720 --> 00:32:14,720 losing too much that was pretty good 928 00:32:13,120 --> 00:32:16,080 work 929 00:32:14,720 --> 00:32:18,080 thank you 930 00:32:16,080 --> 00:32:20,159 um there are a couple questions for you 931 00:32:18,080 --> 00:32:21,919 so i'll get them across you for uh 932 00:32:20,159 --> 00:32:25,200 answering in the chat 933 00:32:21,919 --> 00:32:27,440 and uh we'll be back in about a little 934 00:32:25,200 --> 00:32:31,960 under 15 minutes at 3 o'clock australian 935 00:32:27,440 --> 00:32:31,960 eastern time with our next talk