Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Penetration Testing is Stupid - BsidesSF 2013
Search
Brett Hardin
February 25, 2013
Technology
2.3k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Penetration Testing is Stupid - BsidesSF 2013
Brett Hardin
February 25, 2013
More Decks by Brett Hardin
See All by Brett Hardin
Building Your House on Sand
bretthardin
2
1.5k
Bad Version of Builders vs. Breakers
bretthardin
1
92
Builders vs. Breakers - AppSec 2012
bretthardin
2
1.5k
Security the Wrong Way
bretthardin
2
270
BSidesSanFrancisco2011 - Misdirection: The Rise and Fall and Rise of Regulatory Compliance
bretthardin
1
250
Security? Who Cares! - Privacy is Dead
bretthardin
1
210
OWASP - Top 10
bretthardin
0
1.1k
Other Decks in Technology
See All in Technology
kintone の AI コワーカーを、 Anthropic にエージェントを"ホストさせて"作った話 #devkinmeetup
sugimomoto
0
100
アカウントが増えてからでは遅い? ~ マルチアカウント統制の勘所 ~
kenichinakamura
0
220
ゼロをイチにする仕事が終わったあと
smasato
0
340
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
280
Foxgloveについて 実際にExtensionを開発して公開するまでの話 / About Foxglove: The Story of Developing and Releasing an Extension
ry0_ka
0
210
インフラと開発の垣根を超えていき!〜元AWSインフラエンジニアがAWS開発で奮闘している話〜
hatahata021
1
170
DMM.com 購入改善推進チーム におけるCodeRabbitを用いた レビューフロー改善の一例
ysknsid25
2
620
凡エンジニアがこの先生きのこるためには。〜TypeScript完全に理解したい〜
alchemy1115
2
170
AIと共生する開発者プラットフォーム:バクラクのモノレポ×マイクロサービス基盤
sakajunquality
2
3.4k
Gen3R: 3D Scene Generation Meets Feed-Forward Reconstruction
spatial_ai_network
0
120
最近評価が難しくなった
maroon8021
0
340
ruby.wasmとPicoRuby.wasmに対応した仮想DOMライブラリを作ってる話 #kaigieffect_kaigi
sue445
PRO
0
140
Featured
See All Featured
How Software Deployment tools have changed in the past 20 years
geshan
0
34k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
330
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
133
19k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
10k
Game over? The fight for quality and originality in the time of robots
wayneb77
1
220
Into the Great Unknown - MozCon
thekraken
41
2.6k
Context Engineering - Making Every Token Count
addyosmani
9
1k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
Transcript
Penetration Testing is stupid
Brett Hardin @miscsecurity
None
None
pentesters
Why Who Where When What PENETRATION TESTING Why Who Where
When What
Why Who Where When What PENETRATION TESTING What
Audience Participation Educated Guess?
A live test of the effectiveness of security defenses through
mimicking the actions of real-life attackers. ISACA
test security defenses
mimicking real-life attackers
MIMIC THE REAL
Gunter Ollmann of Damballa on Real Attacks
Submit CV 2000
USB Keys 2005 2000
Buy the machine 2009+ 2005 2000
Penetration tests are unique
Penetration testers are friendly
Penetration tests don’t simulate attacks
Why Who Where When What PENETRATION TESTING Who
The Average Penetration tester
performed by
Jack Nicholson
I’M A PROFESSIONAL TRUST ME.
I’LL TRY ‘PASSWORD’
I’LL TRY ‘PA55WORD’
LET ME IN. PLEASE.
YOU WILL LET ME IN.
WE’RE FRIENDS
WHY CAN’T I GET IN?
LOOK, A WAY IN.
THEY WERE SO DUMB
I’M GONNA REDRUM HIM
pentesters
The average penetration tester
The average are common
The average are necessary
The average are cheap
The average are simple to copy
The average follow methodologies
The best penetration testers
The best are rare
The best invent new attacks
The best are expensive
The best are overkill
The best mimic the real
The average mimic tools
MIMIC THE REAL
MIMIC THE REAL
Why Who Where When What PENETRATION TESTING When
ATTACKS happen when you’re asleep
ATTACKS happen when you’re on vacation
ATTACKS happen when you have no budget
ATTACKS happen when during business hours
ATTACKS happen when you are not ready
ATTACKS happen when you are ready PENTESTS
Date&Time&Resources
None
Attackers aren’t limited by resources
MIMIC THE REAL
MIMIC THE REAL
Why Who Where When What PENETRATION TESTING Where
Rules of Engagement
Internet
Web Application only
On-site
Dialup
The Wi-fi’s
‘puters
News Flash
Attackers don’t care
Limits
Attackers aren’t limited by resources previously learned
Attackers aren’t limited by resources Revision
Attackers aren’t limited
Phone
MIMIC THE REAL
Why Who Where When What PENETRATION TESTING Why
Penetration testing isn’t important
Penetration testing isn’t important to most organizations
Penetration testing doesn’t secure you
Penetration testing tests defenses
required We’ve Convinced Everyone* it’s
TANGENT ALERT
Penetration Testers love to diss vendors
Penetration Testers are vendors
BACK TO YOUR REGULARLY SCHEDULED PROGRAM
Penetration testing proves two things
Penetration testing proves vulnerability One
Penetration testing proves vulnerability adjective One
Penetration testing identifies a few* risky issues Two
Penetration testing identifies a few* risky issues * Actual Results
may vary Two
known and unknown
new exploits aren’t needed
known exploits work
low-hanging fruit
expensive & rare New Exploits
MIMIC THE REAL
When pen testing isn’t stupid
No more defensive ideas
No more low-hanging fruit
Management wants to assess security controls
check&balance
Why Who Where When What < Attackers are unique
Why Who Where When What < Different attack methods
Why Who Where When What < Unlimited by time
Why Who Where When What No Rules of Engagement <
Why Who Where When What < Doesn’t protect you
Penetration Tests don’t mimic real attacks summary
Penetration Tests don’t secure you summary
Penetration Tests test your defenses summary
Thanks.
Brett Hardin http://bretthard.in