Full Report
School's never out for the Pro! We're proud to announce that we are now offering our highly successful penetration testing training courses to the UK market from 2012. SensePost has been providing penetration testing training courses to corporates and governments across the globe, and at prestige security events such as Black Hat and OWASP for over a decade.

Initially, three courses in London for 2012 have been organised:

- HBN Extended Edition (4 days): 13-17 February 2012
- HBN W^3 Edition (3 days): 14-16 March 2012
- HBN Unplugged (2 days): 18-19 April 2012

The first course, HBN Extended Edition, is set at an introductory level for technical people without experience in the world of hacking or penetration testing. It presents attendees with the background information, technical skill and basic concepts that are required to get started in this field.
Analysis Summary
As this article is a **press release announcing the availability of professional penetration testing (pentesting) training courses**, the actionable security recommendations derived will focus on the **necessity and process of conducting robust security assessments and penetration testing** itself, rather than providing specific firewall rules or configuration snippets.
The core security best practice promoted here is **proactive security assessment via specialized training and penetration testing capabilities.**
# Best Practices: Establishing Proactive Security Assessment Capabilities
## Overview
These practices focus on the organizational mandate to proactively identify, understand, and remediate security weaknesses by developing or acquiring specialized skills in penetration testing (pentesting) and security assessment, covering web applications, networking, and wireless security.
## Key Recommendations
### Immediate Actions
1. **Identify Critical Skill Gaps:** Conduct an immediate internal assessment of the current security team's technical competency, specifically concerning modern offensive techniques (web application, network infrastructure, wireless environment).
2. **Define Assessment Scope:** Catalog all critical assets (e.g., public-facing web applications, core network segments, internal wireless networks) that require immediate security validation through formal testing.
### Short-term Improvements (1-3 months)
1. **Initial Security Foundation Training:** Enroll technical personnel lacking core security experience (System Administrators, Developers) in introductory penetration testing or ethical hacking courses to establish necessary background knowledge and foundational concepts (analogous to the HBN Extended Edition course).
2. **Intermediate Skill Upskilling:** Target personnel responsible for application security with intermediate training focused explicitly on web application vulnerabilities (HTTP, AJAX, HTML5 attacks) to improve assessment quality.
3. **Establish Internal "Rules of Engagement":** Document the scope, methodology, scheduling, and authorized toolsets for any internal security assessments to ensure tests are legal, structured, and controlled.
### Long-term Strategy (3+ months)
1. **Develop Specialized Testing Capabilities:** Implement structured training pathways for developing specialized skills in key risk areas, such as advanced wireless security auditing (based on defined offensive scenarios) and complex application testing.
2. **Mandate Regular Skill Refreshers:** Establish a recurring program (at least annually) for security personnel to attend advanced, external training to keep pace with evolving attack methodologies publicized at industry events like Black Hat and OWASP.
3. **Integrate Assessment Findings into SDLC:** Ensure that penetration testing results and findings are formally integrated into the Software Development Life Cycle (SDLC) and network configuration processes, requiring sign-off before deployment.
## Implementation Guidance
### For Small Organizations
- **Focus on Fundamentals:** Prioritize introductory courses covering basic concepts and attack vectors for all technical staff responsible for infrastructure management.
- **Outsource Targeted Testing:** Since building a full in-house red team may be impractical, budget for one high-quality, intermediate-level external web application penetration test annually, and use its findings to build internal web security knowledge.
### For Medium Organizations
- **Establish a Core Assessment Team:** Dedicate or train 1-2 individuals to attend intermediate/advanced courses to become your internal Subject Matter Experts (SMEs) for web and network testing.
- **Implement Scenario-Based Training:** Utilize structured, results-focused training derived from common offensive scenarios (e.g., wireless breaches) to test the resilience of your actual deployed environments.
### For Large Enterprises
- **Programmatic Training Investment:** Institute a formal budget and schedule to ensure all Information Security Officers, System Administrators, and Security Consultants receive continuous, targeted credentialing appropriate to their roles (introductory, intermediate web, specialized wireless).
- **Leverage Industry Exposure:** Encourage senior staff to participate in or observe training provided at major industry security events to maintain cutting-edge awareness of global threats and defense strategies.
## Configuration Examples
*No specific technical configurations were provided in the press release, as the content focuses on professional services and training delivery.*
## Compliance Alignment
Security assessment and penetration testing capabilities directly support compliance requirements mandated by:
- **NIST Cybersecurity Framework (Identify & Protect Functions):** By understanding adversary techniques, organizations better identify and protect assets.
- **ISO/IEC 27001 (A.12.6.1 - Technical Vulnerability Management):** Formal penetration testing is a critical component required for operationalizing effective vulnerability management.
- **PCI DSS Requirement 11:** Explicitly mandates periodic penetration testing for external-facing interfaces and internal networks.
## Common Pitfalls to Avoid
- **Assuming Knowledge is Static:** Failing to retrain staff because they attended a security course years ago; attack vectors evolve rapidly.
- **Neglecting Application Layer:** Focusing training only on network firewalls while neglecting advanced web application and API assessment skills.
- **Training Without Application:** Sending staff to training without a plan to apply the acquired skills through formal, scoped penetration tests afterward.
## Resources
- **Professional Training Ecosystems:** Pursue training validated by leading security conferences and established industry providers specializing in ethical hacking methodologies.
- **Web Application Assessment Frameworks:** Utilize known standards for structured web security testing (e.g., the OWASP Testing Guide methodology).
- **Wireless Security Methodologies:** Adopt methodical approaches that map offensive scenarios to defensive requirements for wireless infrastructure access.