Penetration Testing Profile
- My first steps into penetration testing started with UNRESTRICTED, SIMULATED attack testing with an elite team in APAC in 2000. This position lasted 5 years before Verizon Business acquired TruSecure's Asia Pacific professional services. I contributed significantly to finding often quite exotic vulnerabilities in customer networks. The Monetary Authority of Singapore mandated our team as penetration testing service providers for any financial institution wishing to do business in Singapore.
- I was the native English speaker in the team and so took on the task of communicating findings to stakeholders of different levels of IT experience.
- My publication (Security De-Engineering, Taylor & Francis, ISBN-10: 1439868344) included 3 chapters on penetration testing, and the work received rave reviews from some of the most influential people in the field.
- PwC in 2007 was my first step into application security, with blind OWASP testing (DAST) for 8 clients in banking and one telco. Since then, blind AppSec has featured heavily in internal and external engagements.
- Through the next 15 years, I performed external and internal appsec and vulnerability assessments, developed vulnerability management capabilities (full risk treatment cycles) at the HLD and LLD phases, leading into Security Operations and service management integration.
- The technologies I worked with: multiple assessment tools, many of which are integrated into Kali Linux today; Symantec CCS, Rapid7 InsightVM, Tenable.sc, Qualys, OpenVAS, Nessus (unauthenticated VA scans), McAfee VM (formerly Foundstone).
- I developed a tool for Oracle Database 10g, 11g, 12c vulnerability assessment with DBA credentials which was used in several larger organisations in Indonesia.
- In small consultancies I was seen as the go-to resource for penetration testing because of good reviews from their clients.
- Of all the security capabilities, vulnerability management is the one with which I had most exposure in 20 years.
- Various public sector agencies: performed precursor tests in lieu of independent third-party penetration tests.
Latest Blog Post
What Is Your VA Scanner Really Doing?
April 20, 2021, 1:05 p.m.
It's clear from social media and first-hand reports that awareness of what VA (Vulnerability Assessment) scanners are really doing in testing scenarios is quite low. So I set up a test box with Ubuntu 18 and exposed some services which are well known to the hacker community and also still popular in production business use cases: Secure Shell (SSH) and an Apache web service.
This post isn't an attack on VA products at all. It's aimed at setting a healthier expectation, and I will cover a test scenario with a packet sniffer (Wireshark), Nessus Professional, and OpenVAS that illustrates the point.
I became aware 20 years ago, from validating VA scanner output, that a lot of what VA scanners barf out is alarmist (red flags, CRITICAL [fix NOW!]) and also based purely on guesswork: when the scanner "sees" a service, it grabs the service banner (e.g. "OpenSSH 7.6p1 Ubuntu 4ubuntu0.3"), looks in its database for publicly disclosed vulnerabilities affecting that version, and flags a vulnerability if any associated CVEs exist. Contrary to popular belief, there is no further interaction with the service to investigate or validate the vulnerability. All of the vulnerability reporting is based on the service banner, so if I change my banner to "hi OpenVAS", nothing will be reported. And in security we like to advise hiding product names and versions; this helps against drive-by style automated attacks far more effectively than, for example, changing default service ports.
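To make the banner-only logic described above concrete, here is an added Python example (not the author's tooling, and not code from Nessus or OpenVAS) that mimics a version-lookup check against a constructed advisory table; the banner strings, the Apache version and the advisory IDs are constructed placeholders, not values taken from the post or any real database.

```python
import re

# Constructed mock of a scanner's version-to-advisory table. The IDs are
# placeholders, NOT real CVE numbers; a real scanner ships a far larger table.
MOCK_DB = {
    "openssh": {"7.6p1": ["EXAMPLE-ADVISORY-1", "EXAMPLE-ADVISORY-2"]},
    "apache": {"2.4.29": ["EXAMPLE-ADVISORY-3"]},
}

# Banner shapes a scanner recognises. Both are constructed samples:
#   SSH identification string:  "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"
#   HTTP Server response header: "Server: Apache/2.4.29 (Ubuntu)"
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\d+\.\d+p\d+)"), "openssh"),
    (re.compile(r"^Server:\s*Apache/(\d+\.\d+\.\d+)"), "apache"),
]


def parse_banner(banner):
    """Return (product, version) if the banner matches a known product, else None."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.match(banner.strip())
        if match:
            return product, match.group(1)
    return None


def banner_findings(banner):
    """Mimic unauthenticated, banner-only VA reporting as the post describes.

    The only input is the banner text: nothing is sent to the service and no
    finding is validated, so an unrecognised banner yields no findings at all.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return []  # e.g. a banner changed to "hi OpenVAS": scanner reports nothing
    product, version = parsed
    return list(MOCK_DB.get(product, {}).get(version, []))


if __name__ == "__main__":
    # Same hypothetical host, two banners: one stock, one deliberately changed.
    for sample in ("SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3", "hi OpenVAS"):
        print(repr(sample), "->", banner_findings(sample))
```

Running the block prints the two placeholder advisories for the stock OpenSSH banner and an empty list for the changed one, which is exactly the behaviour the post attributes to banner-based scanning.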
Security De-engineering, published by Taylor & Francis, covers ubiquitous problems in information security and offers a solution in the final chapter.
Areas covered: Penetration testing, Hackers, CASEs (Checklists and Standards Evangelists), IDS, Cloud Security, jobs in security, Identity Management, and organisational elements.