Presentation Material
Abstract
Is your pentest report filled with low risk items? Are these projects that you pentest too short for a full-fledged secure SDLC process or are they third party systems that you have little control over? We at eBay had a similar problem wherein more than 25% of our pentesting resources used to get bogged down by these low risk items. We understand that it takes time to find, document and report these items (some which get entangled in a never ending remediation cycle). So we built Hunter to help us get ahead of some of these time sinks. Hunter is a simple open source tool that grades any website or rest endpoint. It quickly checks for certain low risk items and provides the requester with a grade (A β F). You can use hunter as a precursor to your pentest. Non security product development managers donβt understand security jargon, but they love to see a grade A on their product. The use of Hunter sits in between doing nothing before a pentest and a full-fledged secure SDLC process that might be an overkill. This talk is about our journey of why we built Hunter and how we saved about 10 β 15% of our pentesting budget. This talk is aimed at managers and pentesters who want to optimize their teamβs resources and attendees will walk away with the knowledge of how they can leverage this open source tool.