Description

A CISO’s Guide to Pentesting

References

• https://en.wikipedia.org/wiki/Penetration_test
• https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
• https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
• https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf 
• https://pentest-standard.readthedocs.io/en/latest/
• https://www.isecom.org/OSSTMM.3.pdf
• https://s2.security/the-mage-platform/
• https://bishopfox.com/platform
• https://www.pentera.io/
• https://www.youtube.com/watch?v=g3yROAs-oAc 

****************************

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand.  

• What is it
• Where are good places to order it
• What should I look for in a penetration testing provider
• What does a penetration testing provider need to provide
• What’s changing on this going forward

First of all, let's talk about what a pentest is NOT.  It is not a simple vulnerability scan.  That's something you can do yourself with any number of publicly available tools.  However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest.  Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?

Now let’s start with providing a definition of a penetration test.  According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system.  It’s really designed to show weaknesses in a system that can be exploited.  Let’s think of things we want to test.  It can be a website, an API, a mobile application, an endpoint, a firewall, etc.  There’s really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm.  You need to focus on high likelihood and impact because professional penetration tests are not cheap.  Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it’s not unheard of to go up to $100,000.  As a CISO you need to be able to defend this expenditure of resources.  So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significan