When a CISO pays good money for a thorough pentesting, she wants results. Not necessarily the ones that the pentester had in mind, either. Whether the time allotted is too short, the pentester has to achieve multiple objectives, or they disagree on the severity of the findings, both the CISO and the pentester have to agree on both sides of the engagement. We discuss numerous aspects of voluntary pwnage: the differences between a security assessment and a penetration test, what color of box works best, tweaking the objectives for more targeted results, and ensuring a happy ending.
@shrdlu has worked as a CISO since 25 years past the epoch, both in the public and private sectors, and has grown to enjoy the exquisite pain of being on the receiving end of a pentest. It should be noted that @shrdlu is not speaking on behalf of any employers, past, present or future, did not test the presentation on any live animals, and will not be dispensing any sort of legal or medical advice. Twitter: @shrdlu