Hunter – Optimize your Pentester's time

By Kiran Shirali on 31 Jan 2018 @ Owaspappseccalifornia
#application-pentesting #security-assessment #devsecops
Focus Areas: 🔐 Application Security , 🎯 Penetration Testing , 🔍 Vulnerability Management

Abstract

Is your pentest report filled with low risk items? Are the projects that you pentest too short for a full-fledged secure SDLC process, or are they third party systems that you have little control over? We at eBay had a similar problem wherein more than 25% of our pentesting resources used to get bogged down by these low risk items. We understand that it takes time to find, document and report these items (some of which get entangled in a never ending remediation cycle). So we built Hunter to help us get ahead of some of these time sinks. Hunter is a simple open source tool that grades any website or REST endpoint. It quickly checks for certain low risk items and provides the requester with a grade (A – F). You can use Hunter as a precursor to your pentest. Non-security product development managers don't understand security jargon, but they love to see a grade A on their product. The use of Hunter sits in between doing nothing before a pentest and a full-fledged secure SDLC process that might be overkill. This talk is about our journey of why we built Hunter and how we saved about 10 – 15% of our pentesting budget. This talk is aimed at managers and pentesters who want to optimize their team's resources, and attendees will walk away with the knowledge of how they can leverage this open source tool.

AI Generated Summary

The talk addresses the problem of inefficient resource allocation in a large-scale penetration testing program covering numerous internal applications. A significant portion (20-25%) of findings from pentests consisted of basic configuration issues such as outdated TLS versions, weak ciphers, and missing or misconfigured security headers. These "easy to find" issues were termed "pentest noise": they consumed tester time that could otherwise have gone into higher-value business-logic flaws.

Initial attempts to solve this with checklists and self-certification failed, either because teams lacked security expertise or because the checklists were not applied effectively. Consequently, a lightweight internal tool named "Hunter" was developed. Hunter is a web-based scanner that grades an HTTP endpoint's basic security configuration (A to F, per the abstract) using weighted checks for TLS protocol versions, cipher strength, the correct implementation of headers such as HSTS and CSP, and cookie flags. It is not a replacement for a secure SDLC or for a pentester's toolkit; it is intended as a simple, mandatory prerequisite that teams must satisfy before a formal pentest engagement begins.
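The talk describes Hunter's grading only at the level of "weighted checks for TLS, ciphers, headers and cookie flags". The following is an added example, not Hunter's own code: a small grader over constructed scan results that turns pass/fail checks into a weighted score and an A to F letter. The specific checks, weights, thresholds and grade cut-offs are assumptions chosen for illustration; the weights live in a dict so the scoring model can be swapped out, in the spirit of the externalized scoring the summary mentions as future work.

```python
"""Weighted header/TLS grader in the spirit of Hunter.

Added example, not Hunter's own code: checks, weights, thresholds and letter
cut-offs below are assumptions chosen to illustrate the approach.
"""
import re
from dataclasses import dataclass, field

# Assumed scoring model: start at 100, subtract the weight of each failed check.
WEIGHTS = {"tls_version": 30, "cipher_strength": 20, "hsts": 15,
           "csp": 15, "cookie_flags": 10, "misc_headers": 10}
MIN_HSTS_MAX_AGE = 15552000                       # 180 days (assumed bar)
WEAK_CIPHER_RE = re.compile(r"RC4|3DES|\bDES\b|NULL|EXPORT|MD5|anon", re.I)
GRADE_CUTOFFS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))  # else "F"


@dataclass
class Target:
    """What a scanner would record after one HTTPS request to an endpoint."""
    tls_version: str          # negotiated protocol, e.g. "TLSv1.2"
    cipher: str               # negotiated cipher suite name
    headers: dict             # response headers, names lower-cased
    cookies: list = field(default_factory=list)  # raw Set-Cookie values


def check_tls_version(t):
    return t.tls_version in ("TLSv1.2", "TLSv1.3")


def check_cipher_strength(t):
    return WEAK_CIPHER_RE.search(t.cipher) is None


def check_hsts(t):
    # "Done right" means a long max-age plus includeSubDomains.
    value = t.headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value, re.I)
    return (m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE
            and "includesubdomains" in value.lower())


def check_csp(t):
    # Present, and not undermined by unsafe-inline / unsafe-eval.
    value = t.headers.get("content-security-policy", "")
    return bool(value) and "unsafe-inline" not in value and "unsafe-eval" not in value


def check_cookie_flags(t):
    # Every cookie must carry Secure, HttpOnly and SameSite.
    for raw in t.cookies:
        attrs = {p.strip().split("=", 1)[0].lower() for p in raw.split(";")[1:]}
        if not {"secure", "httponly", "samesite"} <= attrs:
            return False
    return True


def check_misc_headers(t):
    nosniff = t.headers.get("x-content-type-options", "").lower() == "nosniff"
    framing = t.headers.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    return nosniff and framing


CHECKS = {"tls_version": check_tls_version, "cipher_strength": check_cipher_strength,
          "hsts": check_hsts, "csp": check_csp, "cookie_flags": check_cookie_flags,
          "misc_headers": check_misc_headers}


def grade(t):
    """Return (letter, points, failed_check_names) for a scanned target."""
    failed = [name for name, check in CHECKS.items() if not check(t)]
    points = 100 - sum(WEIGHTS[name] for name in failed)
    letter = next((g for cutoff, g in GRADE_CUTOFFS if points >= cutoff), "F")
    return letter, points, failed


# Constructed sample scan results (not real hosts).
HARDENED = Target(
    tls_version="TLSv1.3", cipher="TLS_AES_256_GCM_SHA384",
    headers={"strict-transport-security": "max-age=31536000; includeSubDomains",
             "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
             "x-content-type-options": "nosniff", "x-frame-options": "DENY"},
    cookies=["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])

# Same as HARDENED but HSTS lacks includeSubDomains: one 15-point check fails.
PARTIAL = Target(
    tls_version="TLSv1.2", cipher="ECDHE-RSA-AES128-GCM-SHA256",
    headers={**HARDENED.headers, "strict-transport-security": "max-age=31536000"},
    cookies=HARDENED.cookies)

LEGACY = Target(tls_version="TLSv1.0", cipher="RC4-SHA", headers={},
                cookies=["sid=abc123; Path=/"])

if __name__ == "__main__":
    for name, target in (("hardened", HARDENED), ("partial", PARTIAL), ("legacy", LEGACY)):
        letter, points, failed = grade(target)
        print(f"{name:9} {letter} ({points:3d})  failed: {', '.join(failed) or 'none'}")
```

Run as a script it prints the three grades (A, B, F) with the failed checks, which is the shape of output a product manager can act on without knowing what HSTS is. A real scanner would fill in `Target` from the negotiated TLS session and response headers of a live request; the grading logic is independent of how the data is collected.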

Making an "A" grade a prerequisite for engagement demonstrably reduced the volume of basic configuration findings in reports by a double-digit percentage for internal systems. This freed the internal and external pentesting teams to process more engagements per cycle and to focus on complex, high-value vulnerabilities. Consultants also reported higher job satisfaction because the remaining work was more challenging. Future development plans for Hunter include externalizing the scoring model so it can be configured, integrating with LDAP/SSO for request tracking, and storing historical scan results to detect regressions.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.