Monday, July 25, 2016

2016-029: Jarrod Frates, steps when scheduling a pentest, and the questions you forgot to ask...

Jarrod Frates has been doing pentests as a red-team member for a long time. His recent position at InGuardians sees him engaging many companies who have realized that a typical 'pentest puppymill' engagement, or a pentest from certain companies, just isn't good enough.

Jarrod has also gone on more than a few engagements where he has found that the client in question has no clue what a 'real' pentest is, and worse, they often have the wrong idea of how it should go.

This week, I sat down with Jarrod, and we talked about what needs to occur before the pentest: before you contact the pentesting firm, and in fact before you should even consider a pentest.

We discuss what a pentest is, and how it differs from a 'vulnerability assessment' or a code audit. Jarrod and I discuss the overarching requirements of the pentest (are you doing it 'just because', or do you need to check a box for compliance?). We ask questions like:

Who should be involved in setting scope?

Should social engineering always be a part of a pentest?

Who should be notified if/when a pentest is to occur?

Should your SOC be told when one occurs?

What happens if the pentest causes incident response to be called (for example, if someone finds a malware/botnet infection)?

How long do you want the engagement to be?

Depending on the politics involved, these things can affect the quality of the pentest, and the cost as well.

It was a great discussion with Jarrod, a seasoned professional and veteran of many engagements. If your organization is about to engage a company for a pentest, you'd be wise to take a moment and listen to this.
