Thursday October 24, 2013 11:00am - 11:45am

HackersForCharity.org Room (Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757)
Attack Track

Security audits, whether internal or customer-driven, are becoming more common and more frequent for software development programs. In many cases audit activities such as risk assessments, security scanning and penetration testing are required for program certification and accreditation. Going through a security audit can be a challenging situation filled with misunderstanding and frustration that can put a software program under considerable stress. This fact is exacerbated by some alarming trends being notice in the degradation of quality in security testing, and the lack of quality assurance governing such testing activities.

With this increase in security audit activity, the security testing field has exploded with new practitioners in a discipline that was previously held almost exclusively by elite technical experts. This rapid growth is likely a contributing factor in declining quality as well as a plethora of rubber stamping certifications, poor training, and industry ignorance. Over the past two years, my team has assisted several large software development programs in preparing for and accommodating extensive security audits. We have noticed and collected evidence pointing to a problem in quality of security testing activities and results. These issues are costing engineering teams significant dollars to deal with the false positives, unjustified severities and overreaching scopes of poor quality audits. Many real-world examples of poor quality penetration testing results are presented in this talk in order to help describe and identify the problem.

The purpose of this talk is not to point fingers or stroke our own egos by implying that we are better than those whose mistakes are highlighted. Instead it is a call to quality assurance in the relatively new field of security auditing and penetration testing. Penetration testing is widely considered to be an art form or black magic by many in the software engineering world. And there is truth to the fact that, similar to a home inspection, two testers will not produce the exact same list of findings. However, our findings point to an overall degradation in the skill and knowledge of penetration testers that can, if not corrected, turn pen-testing from a so-called black art into a quackery selling “snake-oil”.

This presentation concludes with guidance for security practitioners in improving their security testing knowledge and skills taking personal responsibility for maintaining the highest standards of excellence. We suggest assurance methods based on sound engineering principle that should be implemented by security assessment teams. We also encourage those interested in or new to the field to base their careers on proven methods, quality certifications and most of all a passion for bettering the industry.

Loading more stuff…

Hmm…it looks like things are taking a while to load. Try again?

Loading videos…