When most pentesters hear "Checklist Based Security", they cringe a little. We all know that hacking is an art form, and condensing something as complex as a pentest down to a set of boxes seems inadequate.

Other industries have found that, when used correctly, checklists have many positive effects. This is even more true when individuals or teams must make critical decisions while under pressure. Research shows that hospitals have saved thousands of lives (and dollars) just by implementing checklists in surgery. Hundreds of well thought out checklists are at pilots' fingertips if anything goes terribly wrong in flight. Checklists work; pentesters just need to find the right ones.

This talk demonstrates the ways good checklists can make a pentester's life easier. I will look at some of the checklists my team has been using for the last year. I will show how these checklists have helped us find and exploit more vulnerabilities, even as engagement timelines have shrunk. I will demonstrate (and release) a checklist and note-taking framework that we have built from home grown and open source code. Since implementing this framework, our notes are much more comprehensive and our reports have become much easier to write.

This talk also discusses some of the dangers surrounding the misuse of checklists. No one would trust me to perform surgery if I said I had the appropriate checklist. In the same way, pentesters cannot depend on checklists to provide the skills needed to complete a successful engagement. Our team has developed a phrase in the last year: "Checklist pentesting, not checklist hacking." I hope to share this approach with everyone at BSides Chicago.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast