Thursday, December 18, 2008

2009: Year of Pentesting?

So 2009 is starting to look like a serious year for the pentesting scene. We saw such a huge variety and depth of vulnerabilities in 2008 that most folks are recognizing the importance of seeing whether their systems are truly as secure as they assume. Did the patch take? Are there machines not configured as policy and procedure dictate? Could we even tell if someone were to attack?

Recently, I've had the good fortune of re-using some of my scripts and programming that I cook up during a pentest. I will release a couple of Perl scripts and a couple of Python modules in January in conjunction with a public webcast. I will be demonstrating writing custom modules for CORE's Impact product in a webcast on January 22, 2009. Then I'll be teaching SANS's Security 560: Penetration Testing / Ethical Hacking course (by Ed Skoudis) about once a month if the schedule doesn't change much. I'll also be spending some time in Edmonton to teach the SANS Security 504: Incident Handling / Hacking Techniques February 23-28. I still keep a full listing of events I will be speaking at on the corporate website, but it's moved to http://www.bluenotch.com/events/.

Oh, and if you haven't seen the Sec 560 course, SANS has an on-demand free demonstration. If you check out the www.sans.org/athome section, you can register for a free SANS @HOME session, which has lecture and exercises, to see if the course would be what you expect. I imagine SANS is also giving a discount on the course if you attend the free @HOME session and then the actual course. The first time SANS did this for Sec 560 it immediately filled up, so register quickly!