Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Penetration Testing is Stupid - BsidesSF 2013

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Brett Hardin Brett Hardin
February 25, 2013
Technology
2.3k
2

Penetration Testing is Stupid - BsidesSF 2013

Avatar for Brett Hardin

Brett Hardin

February 25, 2013

More Decks by Brett Hardin

See All by Brett Hardin
Building Your House on Sand
Avatar for Brett Hardin bretthardin
2
1.5k
Bad Version of Builders vs. Breakers
Avatar for Brett Hardin bretthardin
1
91
Builders vs. Breakers - AppSec 2012
Avatar for Brett Hardin bretthardin
2
1.5k
Security the Wrong Way
Avatar for Brett Hardin bretthardin
2
270
BSidesSanFrancisco2011 - Misdirection: The Rise and Fall and Rise of Regulatory Compliance
Avatar for Brett Hardin bretthardin
1
250
Security? Who Cares! - Privacy is Dead
Avatar for Brett Hardin bretthardin
1
210
OWASP - Top 10
Avatar for Brett Hardin bretthardin
0
1.1k

Other Decks in Technology

See All in Technology
Bucharest Tech Week 2026 - Reinventing testing practices in the AI era
Avatar for Eric Deandrea edeandrea
PRO
1
170
MUSUBI 田中裕一『AIと共に行う「しごとのリデザイン」- スモールバックオフィス編』AI Ops Lab #4
Avatar for MUSUBI musubi
0
270
GitHub Copilot 最新アップデート – 「一歩先」の実践活用術
Avatar for zhang.william moulongzhang
5
1.5k
「勝手に広まる」人気 AI エージェントを爆速で作ろう!(AWS Summit Japan 2026講演資料)
Avatar for みのるん minorun365
PRO
9
2k
LayerXにおけるセキュリティ管理の現在地と次の一手
Avatar for tosho tosho
0
250
自分が詳しくない領域でAIを使う #プロヒス2026
Avatar for konifar konifar
13
5.3k
Flow 不死:AI 時代 DevOps 的不變本質
Avatar for Cheng-Wei Chen cheng_wei_chen
2
330
[AWS Summit Japan 2026]迷っているあなたへ_小さな一歩が、やがて自分を助けてくれる
Avatar for sh_fk2 sh_fk2
1
170
入門!AWS Blocks
Avatar for Yosuke Suzuki ysuzuki
1
160
LayerX コーポレートエンジニアリング室におけるサプライチェーンセキュリティへの取り組み / Supply Chain Security at LayerX Corporate Engineering
Avatar for Yuya Takeyama yuyatakeyama
2
680
小さく始める AI 活用推進 ― 日経電子版 Web チームの事例/nikkei-tech-talk47
Avatar for 日本経済新聞社 エンジニア採用事務局 nikkei_engineer_recruiting
0
300
20260619 私の日常業務での生成 AI 活用
Avatar for Masaru Ogura masaruogura
1
230

Featured

See All Featured
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
370
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Conquering PDFs: document understanding beyond plain text
Avatar for Ines Montani inesmontani
PRO
4
2.8k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
1
490
The Impact of AI in SEO - AI Overviews June 2024 Edition
Avatar for Aleyda Solis aleyda
5
1.1k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.8k
Lessons Learnt from Crawling 1000+ Websites
Avatar for Charles Meaden charlesmeaden
PRO
1
1.3k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
140
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
310
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
270
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.5k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
2
400

Transcript

  1. Penetration Testing is stupid

  2. Brett Hardin @miscsecurity

  3. None
  4. None

  5. pentesters

  6. Why Who Where When What PENETRATION TESTING Why Who Where

    When What

  7. Why Who Where When What PENETRATION TESTING What

  8. Audience Participation Educated Guess?

  9. A live test of the effectiveness of security defenses through

    mimicking the actions of real-life attackers. ISACA

  10. test security defenses

  11. mimicking real-life attackers

  12. MIMIC THE REAL

  13. Gunter Ollmann of Damballa on Real Attacks

  14. Submit CV 2000

  15. USB Keys 2005 2000

  16. Buy the machine 2009+ 2005 2000

  17. Penetration tests are unique

  18. Penetration testers are friendly

  19. Penetration tests don’t simulate attacks

  20. Why Who Where When What PENETRATION TESTING Who

  21. The Average Penetration tester

  22. performed by

  23. Jack Nicholson

  24. I’M A PROFESSIONAL TRUST ME.

  25. I’LL TRY ‘PASSWORD’

  26. I’LL TRY ‘PA55WORD’

  27. LET ME IN. PLEASE.

  28. YOU WILL LET ME IN.

  29. WE’RE FRIENDS

  30. WHY CAN’T I GET IN?

  31. LOOK, A WAY IN.

  32. THEY WERE SO DUMB

  33. I’M GONNA REDRUM HIM

  34. pentesters

  35. The average penetration tester

  36. The average are common

  37. The average are necessary

  38. The average are cheap

  39. The average are simple to copy

  40. The average follow methodologies

  41. The best penetration testers

  42. The best are rare

  43. The best invent new attacks

  44. The best are expensive

  45. The best are overkill

  46. The best mimic the real

  47. The average mimic tools

  48. MIMIC THE REAL

  49. MIMIC THE REAL

  50. Why Who Where When What PENETRATION TESTING When

  51. ATTACKS happen when you’re asleep

  52. ATTACKS happen when you’re on vacation

  53. ATTACKS happen when you have no budget

  54. ATTACKS happen when during business hours

  55. ATTACKS happen when you are not ready

  56. ATTACKS happen when you are ready PENTESTS

  57. Date&Time&Resources

  58. None

  59. Attackers aren’t limited by resources

  60. MIMIC THE REAL

  61. MIMIC THE REAL

  62. Why Who Where When What PENETRATION TESTING Where

  63. Rules of Engagement

  64. Internet

  65. Web Application only

  66. On-site

  67. Dialup

  68. The Wi-fi’s

  69. ‘puters

  70. News Flash

  71. Attackers don’t care

  72. Limits

  73. Attackers aren’t limited by resources previously learned

  74. Attackers aren’t limited by resources Revision

  75. Attackers aren’t limited

  76. Phone

  77. MIMIC THE REAL

  78. Why Who Where When What PENETRATION TESTING Why

  79. Penetration testing isn’t important

  80. Penetration testing isn’t important to most organizations

  81. Penetration testing doesn’t secure you

  82. Penetration testing tests defenses

  83. required We’ve Convinced Everyone* it’s

  84. TANGENT ALERT

  85. Penetration Testers love to diss vendors

  86. Penetration Testers are vendors

  87. BACK TO YOUR REGULARLY SCHEDULED PROGRAM

  88. Penetration testing proves two things

  89. Penetration testing proves vulnerability One

  90. Penetration testing proves vulnerability adjective One

  91. Penetration testing identifies a few* risky issues Two

  92. Penetration testing identifies a few* risky issues * Actual Results

    may vary Two

  93. known and unknown

  94. new exploits aren’t needed

  95. known exploits work

  96. low-hanging fruit

  97. expensive & rare New Exploits

  98. MIMIC THE REAL

  99. When pen testing isn’t stupid

  100. No more defensive ideas

  101. No more low-hanging fruit

  102. Management wants to assess security controls

  103. check&balance

  104. Why Who Where When What < Attackers are unique

  105. Why Who Where When What < Different attack methods

  106. Why Who Where When What < Unlimited by time

  107. Why Who Where When What No Rules of Engagement <

  108. Why Who Where When What < Doesn’t protect you

  109. Penetration Tests don’t mimic real attacks summary

  110. Penetration Tests don’t secure you summary

  111. Penetration Tests test your defenses summary

  112. Thanks.

  113. Brett Hardin http://bretthard.in