PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.


1 PENETRATION TESTING
Presenters: Chakrit Sanbuapoh, Sr. Information Security, MFEC

2 AGENDA
- Penetration testing??
- Certifications
- Penetration testing for?
- Methodology: System & Network, Web, Mobile
- Tools: Commercial, Free Tools
- Report: Ex.
- Q&A

3 PENETRATION TESTING

4 VULNERABILITY ASSESSMENT

5 PENETRATION TESTING

6 PENETRATION TESTING TYPE
- Internal
- External
1. Black box
2. White box
3. Grey box
Reference: http://www.giac.org/cissp-papers/197.pdf

7 PENETRATION TESTING : CERTIFICATIONS
- Certified Penetration Testing Engineer (CPTE)

8 PENETRATION TESTING : CERTIFICATIONS
- The Offensive Security Certified Professional (OSCP)

9 PENETRATION TESTING : CERTIFICATIONS
- CEH: Certified Ethical Hacking

10 PENETRATION TESTING : CERTIFICATIONS, BIG NAME
- Certified Penetration Testing Consultant (CPTC)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Penetration Tester (GPEN)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)

11 PENETRATION TESTING FOR?

12 PENETRATION TESTING : METHODOLOGY
- Steps or procedures, for what purpose?

13 PENETRATION TESTING : METHODOLOGY
- Information Gathering
- Information Analysis and Planning
- Vulnerability Detection
- Penetration
- Attack/Privilege Escalation
- Analysis and Reporting
- Clean-up

14 PENETRATION TESTING : METHODOLOGY SYSTEM & NETWORK

15 PENETRATION TESTING : METHODOLOGY WEB APPLICATION
- OWASP 2013
  A1 - Injection
  A2 - Broken Authentication and Session Management
  A3 - Cross-Site Scripting (XSS)
  A4 - Insecure Direct Object References
  A5 - Security Misconfiguration
  A6 - Sensitive Data Exposure
  A7 - Missing Function Level Access Control
  A8 - Cross-Site Request Forgery (CSRF)
  A9 - Using Components with Known Vulnerabilities
  A10 - Unvalidated Redirects and Forwards

16 PENETRATION TESTING : METHODOLOGY MOBILE

17 PENETRATION TESTING: TOOLS - COMMERCIAL
- Nessus Vulnerability Scanner - Tenable Network Security
- Rapid7 Nexpose + Metasploit Professional
- CORE Impact Pro
- Immunity CANVAS Professional
- IBM AppScan
- Acunetix
- HP WebInspect
- Havij Advanced SQL Injection
- etc.

18 PENETRATION TESTING: TOOLS - FREE
- Tenable Nessus Home
- Rapid7 Nexpose Community
- Nmap
- Blackbuntu Linux
- Firefox add-ons
- Metasploit
- Kali Linux
- etc.

19 REPORT
- Executive
- Technical

20 BENEFIT OF PENETRATION TESTING
- Manage risk properly
- Increase business continuity
- Minimize client-side attacks
- Protect clients, partners and third parties
- Comply with regulation or security certification
- Evaluate security investment
- Protect public relationships and brand issues

21 Q & A
