
Designing an Efficient Penetration Test Suite

Hosted By
Brian M.

Details

How do you define the scope of penetration testing for a web application project? Is it the OWASP Top Ten, formal guidelines established by organizations such as NIST, security stories developed by the product owner and the security team, or recommendations made by your development team? The answer is all of the above, depending on the client, your development environment, and your capacity to take on risk.

This presentation will share experiences gained from penetration testing a web application hosted by a government agency that provides professional licenses to its prospective clients. The project touched numerous areas, such as CJIS (Criminal Justice Information Services), Personally Identifiable Information (PII), Access Control (Authorization in particular), and adherence to the security standard’s office guidelines. The challenge was to identify and prioritize a test suite that would cover these specific areas in a constrained time period. To enhance coverage, the test suite had to include DAST (using ZAP) and some specific general scenarios.

The audience will take away approaches that, when applied, can lead to a well-balanced (both effective and efficient) penetration test.

SCHEDULE
Doors open at 5:30. The talk will begin about 6pm.

ENTRY
There are doors on Washington and Broadway. Both of them auto-lock at 6pm. From 6 to 6:15pm, only the door on Broadway will be available. Take the elevator to the 11th floor.

NO ENTRY AFTER 6:15 PM
It will not be possible to enter the building after 6:15.

ACKNOWLEDGEMENTS
Our host again this month is NedSpace, a co-working space in downtown Portland--a friendly place to work when you don't want to work from home.

FOOD
We don't yet have a sponsor for July, so there may not be food this time. Plan accordingly. (If you know a company that might like to sponsor, please put them in touch with us.)

OWASP Portland Chapter
NedSpace
707 SW Washington St #1100 · Portland, OR