[AusNOG] Pen Testing Tools

Shane Chrisp shane at 2000cn.com.au
Thu Dec 1 11:33:46 EST 2016


On 01/12/16 07:10, Karl Kloppenborg wrote:

Hi All,

  In this instance, everyone is aware of the Pen Testing that is going 
to be done by the Audit Process and also in our testing. Everyone is 
going to be involved, and due to them having a lot of in-house developed 
systems, the developers will be replicating the dev environment to test 
against for those apps.

  As we have been informed thus far, the testing and audit will consist 
of Penetration testing from external, internal and also physical access. 
It also covers areas such as Disaster Recovery, Business Continuance 
and Backups.

Thanks everyone who has replied with suggestions.

Regards
Shane


> Everyone,
>
> If you're doing pen testing involving vulnerability scanning, SQL
> injection, malicious code injection then setup an environment that
> replicates as closely to production as possible.
>
> There's a suite of deployment tools and methodologies out there that
> allow you to get these as close as possible. (Docker, kubernetes,
> rancher, CI/CD processes. Etc )
>
> Once you're at least semi confident tables and other data won't drop and
> that your backups are solid and working then you can test on production.
>
> There's zero excuses to not have a staging or production replica you
> could test on without affecting actual production.
>
> Take a cue from companies like Netflix, Shopify and Google who have
> tools like OSS toxiproxy and OSS chaos monkey which regularly destroy
> things in production with the purpose that production should never go down.
> (Like Netflix who regularly replicates whole availability zone outages
> at random using OSS chaos gorilla)
>
>
> But seriously, get everyone in the company aware of your pen testing.....
>
>
> --karl.
> On Thu., 1 Dec. 2016 at 9:59 am, Robert Hudson <hudrob at gmail.com
> <mailto:hudrob at gmail.com>> wrote:
>
>     For anyone doubting that you need to seek official approval before
>     starting to test things...
>
>     https://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case
>
>     On 1 December 2016 at 09:52, Bob Purdon <bobp at purdon.id.au
>     <mailto:bobp at purdon.id.au>> wrote:
>
>         Be aware that running penetration tools just to see what
>         happens can lead to spectacular outages and questions of who
>         authorised this.
>
>         Absolutely – I have seen something as simple as an nmap port
>         scan tickle a latent bug and cause widespread service
>         interruptions.
>
>
>         _______________________________________________
>         AusNOG mailing list
>         AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>         http://lists.ausnog.net/mailman/listinfo/ausnog
>
>