Loading…
Attending this event?
THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
← Back to schedule
Modernizing the Application Penetration Engagement and Reporting Lifecycle
Friday September 27, 2024 3:30pm - 4:15pm PDT
Room: Grand Ballroom
There exists an abundance of resources addressing the general topic of writing penetration test reports, but few – if any – address the systems and processes holistically within the lifecycle of an engagement. Further, there is an absence of resources and standards that examine the unique challenges and requirements for the reporting of application security tests compared to penetration tests targeting networks and systems. Existing standards and frameworks for report creation also lack consideration for the contemporary needs and challenges of both mature and immature security teams and organizations. These divergent needs themselves dictate for multiple reporting processes, considerations, and ultimately deliverables.


This presentation will focus largely on the evolution of the reporting processes and output of an application security testing team working within an offensive security consulting organization. The presentation will follow the timeline in our journey from a legacy reporting ecosystem to our present implementation and beyond. 


Beginning with a discussion of our legacy systems, this presentation will describe our traditional reporting tooling, systems, and processes while highlighting the major challenges and deficiencies. The following key considerations will be centered: ease of use and efficiency, data collection and analytics, error prevention, automation, and client-specific requirements. 

Research was conducted to evaluate alternative systems and approaches in reconstructing a reporting ecosystem. We first sought to determine the key requirements for an ideal report and associated deliverables. A comprehensive comparative review of publicly available application penetration test reports was conducted to identify these key attributes. The results of this analysis will be presented and available publicly in written form. 

A similarly comprehensive approach was taken to evaluate freely available and commercial reporting platforms. This presentation will discuss the methodology and process but will not present a summary comparison of platforms assessed. The chosen commercial platform will be discussed, but this talk is not a promotion or endorsement and will highlight also challenges and limitations.

Finally, we will examine the processes and systems that have been adopted to manage reporting content and processes beyond the reporting platform itself. This includes significant use of the Microsoft 365 and Power platforms which allow us to manage data and automations around the engagement lifecycle. The discussion will cover our successes, challenges, and future endeavors. 











Speakers
avatar for Ryan Armstrong

Ryan Armstrong

Manager of Application Security Services, Digital Boundary Group (DBG)
Ryan Armstrong is the Manager of Application Security Services at Digital Boundary Group (DBG). Ryan began with DBG as an application penetration tester and security consultant following completion of his PhD in Biomedical Engineering at Western University in 2016. With a passion... Read More →
Friday September 27, 2024 3:30pm - 4:15pm PDT
Room: Grand Ballroom
  Breakout: Breaker Track

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share