Explore the optimization of pentesting resources in this APPSEC Cali 2018 conference talk by Kiran Shirali, Senior Security Engineer at eBay. Learn about Hunter, an open-source tool developed to grade websites and REST endpoints for low-risk security issues. Discover how eBay reduced pentesting budget by 10-15% by implementing Hunter as a precursor to full pentests. Gain insights into the tool's grading system, its position between minimal security checks and comprehensive SDLC processes, and how it can benefit both managers and pentesters. Understand the journey behind Hunter's creation, its architecture, and scoring model. Ideal for security professionals looking to streamline their pentesting processes and allocate resources more efficiently.
Overview
Syllabus
Introduction
What is a Pentest
External vs Internal
Pentest Team
Engagement
Security
scoping call
system
report
walkthrough
internal systems
developer shop
final reports
easy to find issues
business logic flaws
how do you optimize
checklists
evangelize
no more fancy tools
easy to use
what is hunter
what is hunter not
SSL Versions
ILook Architecture
Frontend UI
HTTP endpoint
Local host
Test Site
Security Headers
MidLevel Rating
Headers
Policy
Scoring Model
CSP Policy
Cipher List
Legacy Applications
Pentest Results
Impact of Prereqs
More Slides
Future Plans
Outro
Taught by
OWASP Foundation
