Last week SANS held two WhatWorks summits in Las Vegas. One covered penetration testing and ethical hacking, and the other covered web application security.

 

Jeremiah Grossman was the keynote speaker for the web application security summit, and he posted his post-summit thoughts on his blog.

The format favored enterprise speakers rather than experts, which made it less about the newest attacks/threats and more about how enterprises went about solving problem X. This was great because I don’t think we have to push as hard anymore to promote general webappsec awareness. In my opinion the early adopters are here and we should be supporting them in being mentors and evangelists. We need to continue facilitating knowledge exchange.

Based on that statement, I wished I could have covered the SANS WhatWorks summits, but I was already in Myrtle Beach covering Hacker Halted. There are lots of good information / discussion bits in his post, so check it out – Summary: SANS WhatWorks in Web Application Security Summit 2008.

 

Valsmith, who led a training class with HD Moore on tactical exploitation, also posted on his blog – Post SANS 2008 Recap.

A good pen test is one which you should never pass. If you ask us to test a network or a product, chances are very high that we WILL break it. So really a pen test is about discovering what your exposure and risk is so that you can make decisions and plans on what to accept and how to deal with it. Many people, however, approach it from the viewpoint of finding out if they can be hacked or not. They simply want to know the next patch to apply and happily remain ignorant of the bigger picture of their situation.

Here’s the not so secret secret: A well funded, determined attacker will ALWAYS win. They don’t have rules to follow and they will get you in the end.

To me, a penetration test shows the potential security impact to the system being tested. From there, the owner will need to factor in things like likelihood, complexity, and the worth of the data to formulate a risk rating. Penetration tests are one piece of the puzzle, and I’m happy to see that companies are starting to have them done. But like Valsmith mentions, a penetration test should not be a checklist item that you want to pass and then do nothing with the results. It does you and your company no good if you take it like that.

 

Lastly, the Ethical Hacker Network folks interviewed Ed Skoudis, Johnny Long, and HD Moore.