What is the difference between penetration tests, audits, and other cybersecurity services

Video of the talk: https://www.youtube.com/watch?list=PLDLqQj8RuUFszVSKOvM7nxhnzO5016-Te&v=of08ANtBNnM
Short text version: https://styran.com/pentest-vs-audit/

  1. AppSec, Pentest, Audit & Assessment. Vlad Styran, CISSP - CISA - OSCP. OWASP Kyiv - Berezha Security
  2. Mission Objectives: What is Application Security? What is a Pentest? How is an Audit different? Why is an Assessment a totally other thing?
  3. Application Security (wrong): OWASP (Top-10) "requirements"; Application Pentest; Dev environment & toolchain security
  4. Application Security (true)
  5. A demo of how wrong people could be about Application Security
  6. Pentest. "If you can test pens, you can test anything." – HD Moore
  7. Mitre ATT&CK Navigator and… how wrong people could be about Penetration Testing. https://mitre-attack.github.io/attack-navigator/enterprise/
  8. Audit and Assessment
     Assessment                                | Audit
     Framework or standard                     | Framework or standard
     Gaps between AS IS and TO BE              | Gaps between AS IS and TO BE
     Snapshot in time                          | A historic period
     Compliance of controls                    | Compliance and/or effectiveness of controls
     May provide guidance                      | May provide direction, not guidance
     Evidence and observation                  | Hard evidence
     Can be DIY                                | Cannot be DIY
     Requires some subject matter expertise    | Doesn't really require subject matter expertise
  9. Why do we need all four and when do we need them?
  10. [Diagram] Axes: Time covered, Space covered. Quadrants: Compliance, Business Risk, Security Baseline, Technology Risk. Services placed on the diagram: Self-assessment, Qualified 3rd party assessment, Internal audit, External audit, Security testing, Application pentest, Vulnerability assessment, Infrastructure pentest
