Monday 13 January 2020

Book Review - Penetration Testing - A guide for business and IT managers

Another book review on behalf of the British Computer Society, who kindly provided me with a hard copy of this book:

Penetration Testing - A guide for business and IT managers

This book is written as a series of standalone chapters, each authored by an experienced practitioner, and can be read in whole or in part. Each chapter can then be used as a source of reference for a particular aspect of a penetration testing activity.

As the title suggests, the book is intended to be a guide for the leadership team of any business and, as such, uses brevity and clarity to facilitate understanding. It's not intended to be a detailed reference guide for a penetration tester - other materials exist to meet this requirement - but it does provide a useful insight into the wider discipline of security and penetration testing.

It is logically organised, introducing the subject of penetration testing before digging into the rules and regulations surrounding a project, in terms of the regulatory framework and contractual obligations.

This latter topic is crucial, in terms of ensuring that the scope of the testing activity is well-defined and that the testers are commercially and legally covered for their planned activities.

In later chapters, more attention is paid to scoping testing activities, in terms of ensuring that the organisation is aligned with the expected outcomes, and that the test coverage is appropriately sized and scaled.

As a former software services professional, I also appreciated the compare/contrast between "best" and "good" practices, especially as perfection is often the enemy of the good, to misquote a common phrase. In other words, whilst "best" practice may be desirable, "good enough" is perhaps a more realistic and timely aiming point, especially as financial budgets and timescales are often tight.

As one would expect, there is a focus on the tooling that a tester would use, including Burp Suite, nmap, Nessus and Wireshark, whilst also covering community-driven offerings such as the Open Web Application Security Project (OWASP). Again, these are covered at a reasonably high level, and the authors would expect testers to be aware of individual tools, in terms of fit, coverage, support and licensing models.

Towards the end of the book, attention is paid to test reporting and, equally importantly, the action planning that needs to follow on from testing, as well as the requirement to schedule a follow-up testing activity to check the actual results against the planned remediations.

In conclusion, whilst the audience for this book is clearly intended to be project or organisation leaders, it's brief enough to serve as a useful introduction to the practice of penetration testing, and would serve as a grounding for anyone intending to develop their career into this subject domain.

Therefore, I'm comfortable in recommending this book, and would rate it 9/10 for context, brevity and completeness.


Visual Studio Code - Wow 🙀

Why did I not know that I can merely hit [cmd] [p] to bring up a search box allowing me to search my project e.g. a repo cloned from GitHub...