Hackers of India

MPT: Pentest In Action

By Jyoti Raval on 25 Aug 2022 @ Hitb Sec Conf

This talk covers the following tools which the speaker has authored or contributed to:

  • MPT

Presentation Material

Abstract

Security penetration testing is more than necessary. If not all, most organisations either have their own in-house penetration testing team or they use third-party pentesters. In any fast-paced organisation with multiple product lines and development planning timelines, it becomes challenging for security teams to efficiently manage all these pentest activities, effectively produce security assessment reports, and track them.

In order to solve the above challenges I have developed a solution called ‘Managing Pentest (MPT: Pentest in Action)’.

MPT helps us solve various problems:

MPT also has security pentest analytics, which not only lets us track and view everything in a single pane of glass but also helps with:

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker presents a tool that helps manage penetration testing (pen testing) and vulnerability management. The tool has three main components:

  1. Travel X: A dashboard where issues are identified,

    • Issues have descriptions, a severity rating, and remediation steps
    • Issue status can be updated by developers
  2. Developer Corner: Where developers can view and update issue statuses

    • Developers can change the status of an issue to “closed” or “risk accepted”
  3. Analytics: Provides insights based on data from Travel X and Developer Corner

    • Current risk posture for all assets
    • Recurring issues over time
    • Average time taken for each pen test vs asset size
    • Newly discovered vulnerabilities
    • Open findings and asset health
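The analytics listed above can be derived from two record sets: pentest engagements and their findings. The following Python is an added illustration of those computations over constructed sample records; it is not MPT's own code, and the record fields (`asset_size`, `status` values, and so on) are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not an MPT export); field names are assumptions.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
PENTESTS = [
    {"id": "pt1", "asset": "api-gateway", "asset_size": 120, "start": date(2022, 1, 3), "end": date(2022, 1, 14)},
    {"id": "pt2", "asset": "api-gateway", "asset_size": 120, "start": date(2022, 6, 6), "end": date(2022, 6, 17)},
    {"id": "pt3", "asset": "billing-web", "asset_size": 40, "start": date(2022, 3, 7), "end": date(2022, 3, 11)},
]
FINDINGS = [
    {"pentest": "pt1", "asset": "api-gateway", "title": "Missing rate limiting", "severity": "medium", "status": "closed"},
    {"pentest": "pt1", "asset": "api-gateway", "title": "Verbose error messages", "severity": "low", "status": "risk accepted"},
    {"pentest": "pt2", "asset": "api-gateway", "title": "Missing rate limiting", "severity": "medium", "status": "open"},
    {"pentest": "pt2", "asset": "api-gateway", "title": "Broken object level authorization", "severity": "high", "status": "open"},
    {"pentest": "pt3", "asset": "billing-web", "title": "Reflected XSS in search", "severity": "high", "status": "closed"},
]

def open_findings(findings):
    """Findings that developers have neither closed nor risk-accepted."""
    return [f for f in findings if f["status"] == "open"]

def risk_posture(findings):
    """Severity-weighted score of open findings per asset (current risk posture)."""
    score = Counter()
    for f in open_findings(findings):
        score[f["asset"]] += SEVERITY_WEIGHT[f["severity"]]
    return dict(score)

def recurring_issues(findings):
    """(asset, title) pairs reported in more than one pentest of the same asset."""
    seen = {}
    for f in findings:
        seen.setdefault((f["asset"], f["title"]), set()).add(f["pentest"])
    return sorted(k for k, tests in seen.items() if len(tests) > 1)

def avg_duration_vs_size(pentests):
    """Per asset: (asset size, mean pentest duration in days)."""
    by_asset = {}
    for p in pentests:
        by_asset.setdefault(p["asset"], (p["asset_size"], []))[1].append((p["end"] - p["start"]).days)
    return {a: (size, sum(d) / len(d)) for a, (size, d) in by_asset.items()}

def newly_discovered(findings, pentest_id):
    """Titles from the given pentest not seen in any other pentest of that asset."""
    other = {(f["asset"], f["title"]) for f in findings if f["pentest"] != pentest_id}
    return [f["title"] for f in findings
            if f["pentest"] == pentest_id and (f["asset"], f["title"]) not in other]
```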

The speaker also addresses two questions:

  1. Integration with existing platforms: The tool can import data from other platforms, such as CSV exports from Monday.com or timesheets, to correlate data.

  2. Availability and scan time: The MPT tool is available on GitHub, open-source, and does not perform scans itself. Scan time depends on the pen testing scanners used.