Protecting Pentests: Recommendations for Performing More Secure Tests

Black Hat USA 2017

Presented by: Wesley McGrew
Date: Wednesday July 26, 2017
Time: 17:05 - 17:30
Location: Mandalay Bay GH

This presentation represents a capstone to previous years' work by the author on the subject of vulnerabilities that exist in penetration testing tools, procedures, and learning materials. These vulnerabilities and common practices have been shown to unnecessarily put client systems and data at risk. Systems and infrastructure used by penetration testing teams are also at risk of compromise, through immediately disruptive attacks or worse: quietly and over a long period of time.

In this work, Wesley presents a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical recommendations, policies, procedures, and guidance on how to communicate and work with client organizations about the risks and mitigations. The goal is to develop testing capabilities that are more professionally sound, and that protect client organizations and pentesting infrastructure, while avoiding a negative impact on the speed, agility, and creativity that good testers are able to apply to engagements with current practices.

Wesley McGrew

Dr. Wesley McGrew oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi State University's Department of Computer Science and Engineering and previously worked at the Distributed Analytics and Security Institute. He holds a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats