Functional Testing: A New Era of Pentesting

The document discusses the differences between penetration testing and functional testing in the cloud. It notes that while penetration testing focuses on finding technical vulnerabilities, functional testing takes a more holistic approach by also evaluating identity and access management, security groups, and the overall security posture. Functional testing incorporates standard penetration testing tactics but also looks for systemic vulnerabilities and how securely credentials are managed, since over 75% of cloud breaches involve stolen credentials. The document argues that moving to the cloud requires new skill sets for security engineers, including training in functional testing and cloud-specific platforms like AWS and GCP. It promotes an approach of first educating people, then evaluating security, deploying controls, and maintaining continuous monitoring and evaluation of operations and culture.

Uploaded by

Tom Donald Clarke

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

67 views24 pages

Functional Testing: A New Era of Pentesting

Uploaded by

Tom Donald Clarke

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 24

Functional Testing

A New Era of Pentesting

● Introduction
● Recap: Penetration Testing
Agenda ●
●
Recap: Cloud Services
Security Issues & Trends
● Contrast: Pentest vs Functional Test
● Moving Forward: Offsec & Cloud Tech
$ whoami > Moos1e.txt
● Manager of Pentest Community
○ Cobalt.io (Cobalt Labs)
● Founder
○ Offensive Security Interviews
● Adjunct Professor (Online)
○ CityU of Seattle
○ National University
● Author
○ AWS Penetration Testing by Packt
● Ph.D. Student @ DSU
○ Ph.D. of Cyber Operations
● Masters of Cybersecurity
○ Focus in ethical hacking and
pentesting
● OSCP
Penetration Testing (Pentesting)

Penetration testing, also known as pentesting,

pentest or ethical hacking, is an authorized
simulated cyberattack on a computer system,
performed to evaluate the security of the
system.
Pentesting Cont...
Penetration testing is more than just
“hacking things”. In fact, penetration
testing is a lot more research and writing
than actual hacking. Copious amounts of
research and discussion have to take
place before any hands hit the keyboards.

Additionally, once a pentest is concluded,

reporting and discussion on how to fix the
issues must take place!
Pentesting Cont...

Reality Check

● It’s about people and processes

● Technical skills play a major role
○ Soft skills play a vital role

You have to concurrently be able to walk the

walk, and talk the talk
Cloud Services

Market Share Majority DoD Market Share Familiar Service

Cloud Breaches

1. Misconfigurations maintain as the largest 1. Lack of training in security groups and

issue. security controls within cloud services
a. Continuous rise in cloud market does not 2. Lack of understanding the use of cloud
match the upkeep for training staff on secrets
cloud
3. Moving faster than staffing education can
2. Key’s left in open repositories
keep up
a. AWS Keys are a BIG HIT
3. Many companies move to cloud
a. Remote Workforce (COVID)
b. Budget Cuts
c. Want to stay up to date
d. Scaling
What Causes Confusion?
Threat TTPs
Pentesting Functional Testing
● Typically looks for vulnerabilities in: ● Understands security is built into services.
○ Software ● Incorporates standard pentesting
○ Networks tactics
○ Applications
● Adds Flare
○ System Vulnerabilities
○ Looks for systemic vulnerabilities
● Mix between automated and manual
○ Evaluates IAM and Groups
○ Scanning tools (Nessus, Qualysis, Burp)
○ Analyzes and Evaluates security posture
○ Open Source Tools from QA Perspective.
○ Public Exploits
● 77% of cloud breaches involved breached
○ Manual Testing
credentials.
○ Must have credentials prior to testing!
Pentesting Functional Testing
Doesn’t Work Works
Thinking Outside The Box
● Certain cloud services require new skill
sets.
○ Steep learning curve
■ GCP
○ STEEPEST
■ AWS
● Train Cloud Security Engineers
○ Functional Testing
○ Pentesting
○ Offensive Security
● Integrate Security Awareness
○ Educate 1st
○ Evaluate 2nd
○ Deploy 3rd
○ Continuous monitoring and evaluating
■ Operations
■ Culture
Follow Me
LinkedIn: Jon Helmus
Twitter: @Moos1e_Moose
Medium: @jonathanchelmus
Offensive Security Interviews
- www.offsecinterviews.com

Cobalt.io (Cobalt Labs)

- Currently looking for freelance pentesters!
- Reach out to the Managers of Community
- Elizabeth Ramirez
- Jon Helmus

Complete Infrastructure Penetration Testing
No ratings yet
Complete Infrastructure Penetration Testing
96 pages
00a -- Cloud.Penetration.Testing 2023
No ratings yet
00a -- Cloud.Penetration.Testing 2023
3 pages
Pentesting Presentation
100% (1)
Pentesting Presentation
99 pages
Chapter 1 - Introduction
No ratings yet
Chapter 1 - Introduction
49 pages
Immediate download CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) 1st Edition ebooks 2024
100% (3)
Immediate download CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-001) 1st Edition ebooks 2024
65 pages
Cloud Security and Ai-Driven DevOps: Next-Generation Software Engineering
From Everand
Cloud Security and Ai-Driven DevOps: Next-Generation Software Engineering
Haruna Ozemoya Ogweda
No ratings yet
Module 05
No ratings yet
Module 05
60 pages
Cloud Pentesting
No ratings yet
Cloud Pentesting
4 pages
CPENT-brochure (1)
No ratings yet
CPENT-brochure (1)
20 pages
Introduction to Cybersecurity
No ratings yet
Introduction to Cybersecurity
11 pages
Extending HCM Redwood Applications Using Visual Builder Studio
No ratings yet
Extending HCM Redwood Applications Using Visual Builder Studio
46 pages
Pentest 1
No ratings yet
Pentest 1
41 pages
Penetration Testing
No ratings yet
Penetration Testing
2 pages
Web Designing Notes Unit IV Aligned
No ratings yet
Web Designing Notes Unit IV Aligned
45 pages
Cloud_pen_test_1733290350
No ratings yet
Cloud_pen_test_1733290350
19 pages
Advanced Penetration Testing_ Beyond the Basics
No ratings yet
Advanced Penetration Testing_ Beyond the Basics
2 pages
Connor Wallace - Penetration Testing - Penetration Testing - A Hands-On Guide For Beginners (2020)
No ratings yet
Connor Wallace - Penetration Testing - Penetration Testing - A Hands-On Guide For Beginners (2020)
141 pages
Module 2 Threat Management and Cybersecurity Resources
No ratings yet
Module 2 Threat Management and Cybersecurity Resources
47 pages
pentest_Notes_Mod_1
No ratings yet
pentest_Notes_Mod_1
27 pages
Ethical Hacking 2 Week Security
No ratings yet
Ethical Hacking 2 Week Security
31 pages
rethink-your-traditional-pentests
No ratings yet
rethink-your-traditional-pentests
7 pages
1) Introduction To Penetration Testing
No ratings yet
1) Introduction To Penetration Testing
8 pages
CBTS Penetration Testing Security IFS 230223
No ratings yet
CBTS Penetration Testing Security IFS 230223
2 pages
CSM_Module 4.2
No ratings yet
CSM_Module 4.2
34 pages
04. Security Testing Worklfow (1)
No ratings yet
04. Security Testing Worklfow (1)
18 pages
Phillip-Wylie---Hacking-Your-Pentesting-Career
No ratings yet
Phillip-Wylie---Hacking-Your-Pentesting-Career
41 pages
Intro To Pentesting
No ratings yet
Intro To Pentesting
51 pages
MSE_Pen Testing_honors_HJ
No ratings yet
MSE_Pen Testing_honors_HJ
40 pages
Reading Comprehension Quiz - Application Software
No ratings yet
Reading Comprehension Quiz - Application Software
3 pages
Hacker’s Guide to Machine Learning Concepts
From Everand
Hacker’s Guide to Machine Learning Concepts
Trilokesh Khatri
No ratings yet
LECTURE 7 NETWORK SECURITY TESTING
No ratings yet
LECTURE 7 NETWORK SECURITY TESTING
7 pages
The Pentesting Matrix Decoding Traditional and Modern Approaches
No ratings yet
The Pentesting Matrix Decoding Traditional and Modern Approaches
22 pages
IT 3rd Semester Selected Portion PDF
100% (3)
IT 3rd Semester Selected Portion PDF
71 pages
Pharmacy Management System Project Report.
50% (2)
Pharmacy Management System Project Report.
26 pages
Beginners
No ratings yet
Beginners
8 pages
COMPLETE INFRASTRUCTURE PENETRATION TESTING
No ratings yet
COMPLETE INFRASTRUCTURE PENETRATION TESTING
14 pages
Doc 3
No ratings yet
Doc 3
4 pages
2-Ethical Hacking Methodology
No ratings yet
2-Ethical Hacking Methodology
21 pages
1 - MSF-I - Introduction To MSF
No ratings yet
1 - MSF-I - Introduction To MSF
28 pages
Sat - 15.Pdf - Online Subjective Answer Checker
No ratings yet
Sat - 15.Pdf - Online Subjective Answer Checker
11 pages
Top 30 Penetration Tester (Pentester) Interview Questions and Answers
100% (1)
Top 30 Penetration Tester (Pentester) Interview Questions and Answers
13 pages
Pentration testing
No ratings yet
Pentration testing
7 pages
Change Log
No ratings yet
Change Log
9 pages
Definitive Guide To Penetration Testing
100% (1)
Definitive Guide To Penetration Testing
19 pages
Dnyaneshwari Sonone S Resume
No ratings yet
Dnyaneshwari Sonone S Resume
1 page
4 First Version
No ratings yet
4 First Version
6 pages
Introductiontopentesting 190926185918
No ratings yet
Introductiontopentesting 190926185918
14 pages
California Standard Correlation 2023
No ratings yet
California Standard Correlation 2023
5 pages
Network Automation Using Python (Final)
0% (1)
Network Automation Using Python (Final)
70 pages
Jay Dave
No ratings yet
Jay Dave
2 pages
001+-+1+defining What A Pentest Is
No ratings yet
001+-+1+defining What A Pentest Is
6 pages
PT07 20 Aws Pentesting Preview
No ratings yet
PT07 20 Aws Pentesting Preview
11 pages
penetration_testing_en
No ratings yet
penetration_testing_en
5 pages
Haloocom - Omni Channel Solution 2.0
No ratings yet
Haloocom - Omni Channel Solution 2.0
15 pages
Asynchronous Io Linux Thread
No ratings yet
Asynchronous Io Linux Thread
1 page
Towards Pentesting Automation Using The Metasploit Framework
No ratings yet
Towards Pentesting Automation Using The Metasploit Framework
8 pages
Demystifying Penetration Testing
No ratings yet
Demystifying Penetration Testing
35 pages
Microsoft Excel 2016 Intermediate Course Outline
No ratings yet
Microsoft Excel 2016 Intermediate Course Outline
3 pages
Kali Linux, Ethical Hacking And Pen Testing For Beginners
From Everand
Kali Linux, Ethical Hacking And Pen Testing For Beginners
BHARAT NISHAD
No ratings yet
Introductiontopentesting 190926185919
No ratings yet
Introductiontopentesting 190926185919
14 pages
Penetration Testing Course
No ratings yet
Penetration Testing Course
10 pages
Pentest Studyguide Pt0-001 Samplelesson
75% (4)
Pentest Studyguide Pt0-001 Samplelesson
44 pages
Penetration Testing
No ratings yet
Penetration Testing
3 pages
Sphinx Windows Firewall Control
No ratings yet
Sphinx Windows Firewall Control
4 pages
Microsoft Actualtests AI-100 v2019-10-04 by Sebastian 67q
No ratings yet
Microsoft Actualtests AI-100 v2019-10-04 by Sebastian 67q
61 pages
Detecting and Blocking Onion Router Traffic Using Deep Packet Inspection
No ratings yet
Detecting and Blocking Onion Router Traffic Using Deep Packet Inspection
7 pages
(Bookflare - Net) - Cloud Computing Simply in Depth by Ajit Singh PDF
100% (1)
(Bookflare - Net) - Cloud Computing Simply in Depth by Ajit Singh PDF
135 pages
Nufuzetme 1
No ratings yet
Nufuzetme 1
6 pages
Domain 8: - Software Development Security
No ratings yet
Domain 8: - Software Development Security
3 pages
Questionnaire HRIS Implementation
100% (1)
Questionnaire HRIS Implementation
3 pages
Choosing A GIS: T Bernhardsen
No ratings yet
Choosing A GIS: T Bernhardsen
12 pages
Pentest Best Practices Checklist
No ratings yet
Pentest Best Practices Checklist
17 pages
02 HUAWEI Imaster NCE-IP Data Sheet - 20200722
No ratings yet
02 HUAWEI Imaster NCE-IP Data Sheet - 20200722
5 pages
PenTest Guide
No ratings yet
PenTest Guide
4 pages
SQL Assignment Employee Database: Submitted By: Komal Ummat L-2010-AE-16-MCA MCA-1 (2 Semester)
No ratings yet
SQL Assignment Employee Database: Submitted By: Komal Ummat L-2010-AE-16-MCA MCA-1 (2 Semester)
10 pages
Infrastructure Pentesting PDF
No ratings yet
Infrastructure Pentesting PDF
13 pages
Penetration Testing Overview
No ratings yet
Penetration Testing Overview
4 pages
IJCRT2310497
No ratings yet
IJCRT2310497
6 pages
Labs PenTesting Fundamentals Coalfire
No ratings yet
Labs PenTesting Fundamentals Coalfire
38 pages
HAC - Pentest Solutions Brief HackerOne - L1R7 RGB
No ratings yet
HAC - Pentest Solutions Brief HackerOne - L1R7 RGB
2 pages
Test (Chapter 5)
No ratings yet
Test (Chapter 5)
4 pages
Vulnerability Exploitation and Defense: Penetration Testing (Lec # 4)
No ratings yet
Vulnerability Exploitation and Defense: Penetration Testing (Lec # 4)
4 pages
Operation Guide - SAP Portafolio and Project Management V1.1 PDF
No ratings yet
Operation Guide - SAP Portafolio and Project Management V1.1 PDF
34 pages
ISO 20000-1:2011 Audit Checklist
83% (35)
ISO 20000-1:2011 Audit Checklist
14 pages
Mastering Nikto: A Comprehensive Guide to Web Vulnerability Scanning: Security Books
From Everand
Mastering Nikto: A Comprehensive Guide to Web Vulnerability Scanning: Security Books
Erwin Dirks
No ratings yet
Penetration Testing Fundamentals -1: Penetration Testing Study Guide To Breaking Into Systems
From Everand
Penetration Testing Fundamentals -1: Penetration Testing Study Guide To Breaking Into Systems
Devi Prasad
No ratings yet
Itec413 15
100% (1)
Itec413 15
33 pages
Infra Pentesting
No ratings yet
Infra Pentesting
13 pages
Informatica MDM Intregration With PIM - Design Blueprint v1.0
100% (1)
Informatica MDM Intregration With PIM - Design Blueprint v1.0
22 pages
AZURE AZ 500 STUDY GUIDE-1: Microsoft Certified Associate Azure Security Engineer: Exam-AZ 500
From Everand
AZURE AZ 500 STUDY GUIDE-1: Microsoft Certified Associate Azure Security Engineer: Exam-AZ 500
Mamta Devi
No ratings yet