Here’s a six-minute highlights video of the best moments from last week’s CISO Series Video Chat “Hacking Pentesting: An hour of critical thinking to convert red team exercises into risk reduction”.

Our guests for this discussion were:

Watch the full video

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor PlexTrac

Best Bad Ideas

Congrats to Craig Hurter, director of security operations, Colorado Governor’s Office of Information Technology, for winning this week’s Best Bad Idea.

Other honorable mentions go to:

“Reddit post: your organization is impenetrable and you welcome the challenge.” – Wayne Selk, director, professional services, ConnectWise

“In order to whitelist the pentester, configure the firewall to permit any and all incoming Internet traffic on the perimeter interface.” – Jeremy Molnar, consultant

“Download another company’s pentest report that uses similar hardware and deliver it as your company’s pentest report.” – Charles Payne, cyber security engineer

“Cover your data center in the fake spider webs from Halloween. Tell your Board that you have an intricate web of defense. Hand your fav pentester a pair of scissors.” – Dutch Schwartz, principal security specialist, AWS

“Take every bad idea from this show, implement the opposites. Wait for pentesters to be shocked by your four dimensional chess game.” – Dutch Schwartz, principal security specialist, AWS

“Place a dunk tank in the HQ lobby with a sign that reads: Come dunk our CFO! Enter your password to receive 3 balls.” – Dutch Schwartz, principal security specialist, AWS

Best quotes from the chatroom

“Penetration tests are often contracted by organizations expecting the type of results that would come from vulnerability assessments.” – Sandeep Kamble, founder and product manager, AuthSafe

“The hardest part for security testing firms is scaling while maintaining quality. It’s a tough balance from what I’ve seen.” – Bryan William Solari, regional sales manager, west, AppOmni

“I just like to rotate pentest vendors, so you get different approaches each time, then sling in a bug bounty company for good measure.” – Ian Poynter, information security consultant

“Consultants are fixed-scope or fixed-time. An internal team is a continuous process.” – Jim MacLeod, consultant

“Pentesting as a point-in-time exercise corresponds with periodic releases. Teaming (in-house) corresponds with continuous operations.” – Jim MacLeod, consultant