
Pen Testing is Dead. Long Live Pen Testing


By Mike Landeck

A few years ago I was working with one of the savviest executives I have ever known. No one could negotiate a deal like he could. 

Early one morning we were involved in a series of discussions on how we could leverage what he accurately predicted would be a boom in cybersecurity spending when I asked him how we would be able to foresee the cybersecurity spending bubble bursting. His response was sobering: “When unqualified people start being hired for senior positions you know the bubble is about to break.”

Flash forward to today. With the shortage of skilled cyber workers, nowhere is the hiring of unqualified people more prominent than in the area of penetration testing. This is so much the case that the industry seems to have changed the expectation of the service to match the lack of skilled people currently available to fill the jobs. What we used to call a “vulnerability scan” is now too often being sold to unknowing or underfunded organizations as a “pen test.”

While a vulnerability scan of your website is absolutely an important part of your overall security plan, an automated scanner will never be able to replace the intuition, savvy, and understanding of a manual penetration test executed by a competent person. As with everything else in life, with pen testing you get what you pay for.

That said, the shortage of skilled professionals to test the security of websites still exists, so if you’re passionate about learning, there are some really exciting opportunities in the field, at all levels of experience.

If you’re new to pen testing, everyone needs a little help getting started. For enthusiastic beginners who want a hands-on day of putting the building blocks in place to begin their pen testing journey, I have put together a fun and educational curriculum for a workshop at Cyber Security World 2017 to help people acquire some foundational skills to build upon. The class will use real software—not something created just to be hacked—and will walk students through how to perform a full inspection of the software, test it, and ultimately exploit it using the tools in Kali Linux.

I, along with my colleague Brandon Archer, will provide step-by-step instructions that attendees can take back to their workplaces to begin performing rudimentary assessments and grow their skills, along with templates for documenting and reporting the findings.

And in case you just want to run a vulnerability scanner, we’ll teach you how to effectively run a good quality open source scanner as well. Happy vulnerability hunting!


Mike Landeck is an application security testing expert and has consulted on security in the SDLC for dozens of commercial products. He has led the security implementation and then operationalized two of the country’s largest cloud-based healthcare IT projects. Mike has been responsible for the overall security of systems processing financial transactions of over $4 billion per month, as well as security programs regulated by HIPAA, SOX, PCI, FISMA (NIST 800-53), the IRS (FTI IRS 1075) and FedRAMP.

Mike and Brandon will lead a workshop on Web Application Security Testing with Kali Linux at Cyber Security World on Tuesday, June 27, 2017.
