
30. Penetration Testing: Following Curiosity Beyond Validation
Ngarama
Description
<p><span style="font-weight: 400;">In this episode of Cyber Security Inside, Tom and Camille discuss the ins and outs of penetration testing with Director of Threat Research at Akamai Technologies, Moshe Zioni. Moshe has over 20 years of experience researching security and brings a lot of real-world insight to topics like:</span></p>
<p><span style="font-weight: 400;">• Red teams</span></p>
<p><span style="font-weight: 400;">• Bug bounty programs</span></p>
<p><span style="font-weight: 400;">• How penetration testing and red teams differ</span></p>
<p><span style="font-weight: 400;">• What the perimeters are around penetration testing</span></p>
<p><span style="font-weight: 400;">• White box, black box, and grey box penetration testing</span></p>
<p><span style="font-weight: 400;">• HackerOne and BugCrowd</span></p>
<p><span style="font-weight: 400;">• Responsible disclosure</span></p>
<p><span style="font-weight: 400;">...and more. Don’t miss it!</span></p>
<p><strong>Here are some key take-aways:</strong></p>
<p><span style="font-weight: 400;">• Internal validation and penetration testing are almost opposites in a sense. The former is designed to ensure the product is working the way it should when used the way it’s meant to be used; you’re limited to a finite set of actions. The latter is designed to see what happens when you introduce the unexpected or unintended into the mix.</span></p>
<p><span style="font-weight: 400;">• A good QA person will always ask ‘What will happen if I do that? How can I crash the system?’ The difference between penetration testing and adversarial research is that the questions and curiosity won’t end there.</span></p>
<p><span style="font-weight: 400;">• Red teaming and penetration testing differ in that, with red teams, the company knows it’s being attacked and is looking to detect the attack while it’s happening.
With penetration testing, the system is being tested individually, sometimes with firewalls and other security param