[AusNOG] Pen Testing Tools

Karl Kloppenborg karl at hyperconnect.com.au
Thu Dec 1 10:10:54 EST 2016


Everyone,

If you're doing pen testing involving vulnerability scanning, SQL
injection or malicious code injection, then set up an environment that
replicates production as closely as possible.

There's a suite of deployment tools and methodologies out there that allow
you to get these as close as possible (Docker, Kubernetes, Rancher, CI/CD
processes, etc.).

Once you're at least semi-confident tables and other data won't drop and
that your backups are solid and working, then you can test on production.

There are zero excuses for not having a staging or production replica you could
test on without affecting actual production.

Take a cue from companies like Netflix, Shopify and Google, who have tools
like OSS Toxiproxy and OSS Chaos Monkey that regularly destroy things in
production with the purpose that production should never go down.
(Like Netflix, who regularly replicates whole availability zone outages at
random using OSS Chaos Gorilla.)


But seriously, get everyone in the company aware of your pen testing...


--karl.
On Thu., 1 Dec. 2016 at 9:59 am, Robert Hudson <hudrob at gmail.com> wrote:

For anyone doubting that you need to seek official approval before starting
to test things...

https://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case

On 1 December 2016 at 09:52, Bob Purdon <bobp at purdon.id.au> wrote:



> Be aware that running penetration tools just to see what happens can
> lead to spectacular outages and questions of who authorised this.

Absolutely – I have seen something as simple as an nmap port scan tickle a
latent bug and cause widespread service interruptions.

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog

