This presentation represents a capstone to previous years' work by the author on the subject of vulnerabilities that exist in penetration testing tools, procedures, and learning materials. These vulnerabilities and common practices have been shown to unnecessarily put client systems and data at risk. Systems and infrastructure used by penetration testing teams are also at risk of compromise, whether through immediately disruptive attacks or, worse, quietly and over a long period of time.
In this work, Wesley presents a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical recommendations, policies, procedures, and guidance on how to communicate and work with client organizations about the risks and mitigations. The goal is to develop testing capabilities that are more professionally sound, and that protect client organizations and pentesting infrastructure, while avoiding a negative impact on the speed, agility, and creativity that good testers are able to apply to engagements with current practices.