The format favored enterprise speakers rather than experts, which made it less about the newest attacks/threats and more about how enterprises went about solving problem X. This was great because I don’t think we have to push as hard anymore to promote general webappsec awareness. In my opinion the early adopters are here and we should be supporting them in being mentors and evangelists. We need to continue facilitating knowledge exchange.
Based on that statement, I wish I could have covered the SANS WhatWorks summit, but I was already in Myrtle Beach covering Hacker Halted. There are lots of good bits of information and discussion in his post, so check it out – Summary: SANS WhatWorks in Web Application Security Summit 2008.
A good pen test is one which you should never pass. If you ask us to test a network or a product, chances are very high that we WILL break it. So really a pen test is about discovering what your exposure and risk is so that you can make decisions and plans on what to accept and how to deal with it. Many people, however, approach it from the viewpoint of finding out if they can be hacked or not. They simply want to know the next patch to apply and happily remain ignorant of the bigger picture of their situation.
Here’s the not so secret secret: A well funded, determined attacker will ALWAYS win. They don’t have rules to follow and they will get you in the end.
To me, a penetration test shows the potential security impact to the system being tested. From there, the owner will need to factor in things like likelihood, complexity, and the worth of the data to formulate a risk rating. Penetration tests are one piece of the puzzle, and I’m happy to see that companies are starting to have them done. But as Valsmith mentions, a penetration test should not be a checklist item that you want to pass and then do nothing with the results. It does you and your company no good if you take it like that.