Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Penetration Testing is Stupid - BsidesSF 2013
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Brett Hardin
February 25, 2013
Technology
2.3k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Penetration Testing is Stupid - BsidesSF 2013
Brett Hardin
February 25, 2013
More Decks by Brett Hardin
See All by Brett Hardin
Building Your House on Sand
bretthardin
2
1.5k
Bad Version of Builders vs. Breakers
bretthardin
1
92
Builders vs. Breakers - AppSec 2012
bretthardin
2
1.5k
Security the Wrong Way
bretthardin
2
270
BSidesSanFrancisco2011 - Misdirection: The Rise and Fall and Rise of Regulatory Compliance
bretthardin
1
250
Security? Who Cares! - Privacy is Dead
bretthardin
1
210
OWASP - Top 10
bretthardin
0
1.1k
Other Decks in Technology
See All in Technology
環境凍結という Toil を倒す -セルフサービス型 Ephemeral テスト環境の 設計と実践
shirouz
1
2.3k
SREとQA 二人三脚で進めるSLO運用/sre-qa-slo
sugitak
0
470
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
180
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
280
クラウド上のデータ復旧で見落としがちな制約: 医療系 SaaS の BCP 設計から得た教訓
kakehashi
PRO
0
3.4k
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
410
Terraform共通モジュールをチーム横断で“変えられる”運用へ ― リリースと適用の分離
kekke_n
1
2.9k
完全自律ロボットを作りたくて、先に開発を自律させた話(ROS Japan UG #63 LT)
rryz09
0
500
SRE Lounge Hiroshimaへの招待
grimoh
0
640
Control Planeで育てるBtoB SaaSの認証基盤 - SRE NEXT 2026
pokohide
1
2.3k
End-to-Endで考える信頼性 —LINEアプリにおけるクライアント開発×SRE連携の実践
maruloop
4
4.1k
関数型の考えを TypeScript に持ち込んで、テストしやすい純粋関数を増やす / Pure at the Core, Effects at the Edge: Bringing Functional Thinking into TypeScript
kaminashi
1
110
Featured
See All Featured
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
190
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
2.1k
The B2B funnel & how to create a winning content strategy
katarinadahlin
PRO
1
420
GraphQLとの向き合い方2022年版
quramy
50
15k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.6k
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
helenjbeal
1
260
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
Testing 201, or: Great Expectations
jmmastey
46
8.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.4k
Practical Orchestrator
shlominoach
191
11k
Transcript
Penetration Testing is stupid
Brett Hardin @miscsecurity
None
None
pentesters
Why Who Where When What PENETRATION TESTING Why Who Where
When What
Why Who Where When What PENETRATION TESTING What
Audience Participation Educated Guess?
A live test of the effectiveness of security defenses through
mimicking the actions of real-life attackers. ISACA
test security defenses
mimicking real-life attackers
MIMIC THE REAL
Gunter Ollmann of Damballa on Real Attacks
Submit CV 2000
USB Keys 2005 2000
Buy the machine 2009+ 2005 2000
Penetration tests are unique
Penetration testers are friendly
Penetration tests don’t simulate attacks
Why Who Where When What PENETRATION TESTING Who
The Average Penetration tester
performed by
Jack Nicholson
I’M A PROFESSIONAL TRUST ME.
I’LL TRY ‘PASSWORD’
I’LL TRY ‘PA55WORD’
LET ME IN. PLEASE.
YOU WILL LET ME IN.
WE’RE FRIENDS
WHY CAN’T I GET IN?
LOOK, A WAY IN.
THEY WERE SO DUMB
I’M GONNA REDRUM HIM
pentesters
The average penetration tester
The average are common
The average are necessary
The average are cheap
The average are simple to copy
The average follow methodologies
The best penetration testers
The best are rare
The best invent new attacks
The best are expensive
The best are overkill
The best mimic the real
The average mimic tools
MIMIC THE REAL
MIMIC THE REAL
Why Who Where When What PENETRATION TESTING When
ATTACKS happen when you’re asleep
ATTACKS happen when you’re on vacation
ATTACKS happen when you have no budget
ATTACKS happen when during business hours
ATTACKS happen when you are not ready
ATTACKS happen when you are ready PENTESTS
Date&Time&Resources
None
Attackers aren’t limited by resources
MIMIC THE REAL
MIMIC THE REAL
Why Who Where When What PENETRATION TESTING Where
Rules of Engagement
Internet
Web Application only
On-site
Dialup
The Wi-fi’s
‘puters
News Flash
Attackers don’t care
Limits
Attackers aren’t limited by resources previously learned
Attackers aren’t limited by resources Revision
Attackers aren’t limited
Phone
MIMIC THE REAL
Why Who Where When What PENETRATION TESTING Why
Penetration testing isn’t important
Penetration testing isn’t important to most organizations
Penetration testing doesn’t secure you
Penetration testing tests defenses
required We’ve Convinced Everyone* it’s
TANGENT ALERT
Penetration Testers love to diss vendors
Penetration Testers are vendors
BACK TO YOUR REGULARLY SCHEDULED PROGRAM
Penetration testing proves two things
Penetration testing proves vulnerability One
Penetration testing proves vulnerability adjective One
Penetration testing identifies a few* risky issues Two
Penetration testing identifies a few* risky issues * Actual Results
may vary Two
known and unknown
new exploits aren’t needed
known exploits work
low-hanging fruit
expensive & rare New Exploits
MIMIC THE REAL
When pen testing isn’t stupid
No more defensive ideas
No more low-hanging fruit
Management wants to assess security controls
check&balance
Why Who Where When What < Attackers are unique
Why Who Where When What < Different attack methods
Why Who Where When What < Unlimited by time
Why Who Where When What No Rules of Engagement <
Why Who Where When What < Doesn’t protect you
Penetration Tests don’t mimic real attacks summary
Penetration Tests don’t secure you summary
Penetration Tests test your defenses summary
Thanks.
Brett Hardin http://bretthard.in