PtaaS Roadshow Recap: Into the Hacker’s Mind

21 November 2022

One agenda item that resonated with audiences in every conference location was our session “Into the Hacker’s Mind: How Attackers Look at Your Application.” Different members of the Cobalt Core — Vanessa Sauter, Derek Carlin, and Andreea Cristina Druga — shared insights on how to prepare for a pentest, what tools they use to stress test your assets, and the steps they take to check what vulnerabilities you’re susceptible to.

A successful pentest starts with a clear brief, specific objectives, and information about your application’s functions. Many might argue they want a black-box test to simulate a real attack, but the truth is — as Vanessa Sauter pointed out in her presentation in San Francisco — attackers have no time constraints, whereas pentesters are locked in a time-bound exercise. Black-box testing will always be part of a full pentest engagement anyway. Pentesters conduct intensive reconnaissance and will test for enumeration, authentication, and privilege escalation, regardless of what information is provided in the brief.