The Future of Offensive Pentesting with Mark Goodwin

Summary

Podcast Summary: The Future of Offensive Pentesting with Mark Goodwin

Title: Software Engineering Daily
Episode: The Future of Offensive Pentesting with Mark Goodwin
Release Date: December 12, 2024
Host: Gregor Van
Guest: Mark Goodwin, Director of Operations at Bishop Fox

1. Introduction to Offensive Penetration Testing and Bishop Fox

The episode begins with Gregor Van welcoming Mark Goodwin to the show. Mark introduces himself, highlighting his background as a former US Air Force officer specializing in cyberspace operations. He has been with Bishop Fox for four and a half years, where he oversees operations that focus on offensive security testing.

Key Points:

Offensive Penetration Testing (Pen Testing): Actively probing systems to identify and exploit vulnerabilities, mirroring tactics used by real-world attackers. The objective is to uncover security weaknesses and provide actionable insights to bolster defenses.
Bishop Fox: An 18-year-old professional services firm renowned for its offensive security testing. The company emphasizes continuous training, tool development, and maintaining cutting-edge offensive capabilities.

Notable Quote:

"I consider it the future of offensive pen testing to be able to stay up with nation state actors, follow emerging threats and identify attack surface that customers may not know about." – Mark Goodwin [03:40]

2. Evolution of the Cosmos Platform

Gregor delves into Bishop Fox's Cosmos platform, a significant development in their service offerings. Initially, Bishop Fox was predominantly consultative, but Cosmos represents a shift towards a scalable, platform-based approach to continuous offensive security.

Key Points:

Genesis of Cosmos: Launched around March 2020, initially named CAST (Continuous Attack Surface Testing), Cosmos aims to automate and scale offensive security efforts without compromising on quality.
Three Core Components:
1. Automated Attack Surface Discovery: Continuously identifying and mapping out all potential attack vectors across a customer's digital footprint.
2. Automated Application Pen Testing: Focusing primarily on web applications, automating the detection of vulnerabilities while reserving critical findings for human analysis.
3. Internal Pen Testing (Future Development): Planned enhancements to include internal network assessments, enabling deeper penetration testing within a client's infrastructure.

Notable Quote:

"We don't want to build Ultron, we're building Ironman, to propel us forward." – Mark Goodwin [04:58]

3. Automation and Scalability in Pen Testing

Mark elaborates on how Cosmos leverages automation to handle large-scale attack surfaces, enabling Bishop Fox to serve enterprise clients with extensive digital infrastructures.

Key Points:

Efficiency Through Automation: Automates routine tasks like subdomain enumeration and initial vulnerability scanning, freeing up human operators to focus on critical and complex issues.
Prioritization of Vulnerabilities: Uses intelligent filtering to identify and report high-impact vulnerabilities, ensuring clients receive actionable and relevant findings without being overwhelmed by noise.
Integration with Threat Intelligence: Continuously updates the platform with emerging threats, leveraging resources like CISA KEV (Known Exploitable Vulnerabilities) and industrial research to stay ahead of adversaries.

Notable Quote:

"We're continuously looking for Attack Surface to bring in. We're scanning customers to make sure that we're having a right picture of their attack surface." – Mark Goodwin [24:38]

4. Handling Subdomain Takeovers

Subdomain takeover is a critical focus area for Cosmos, given its potential to expose organizations to significant risks.

Key Points:

Definition and Impact: Subdomain takeover occurs when an attacker gains control of a subdomain due to misconfigurations, allowing malicious activities like phishing or credential harvesting.
Automated Detection: Cosmos automates the identification of vulnerable subdomains, ensuring timely remediation before they can be exploited.
Case Study: Reference to a recent incident involving Watchtower in Singapore, illustrating the real-world implications of subdomain vulnerabilities.

Notable Quote:

"If I was hosting something clients.example.com and then for whatever reason I misconfigured... it can now become a phishing angle or a way to harvest credentials." – Mark Goodwin [16:08]

5. Collaboration and Customer Engagement

Mark emphasizes the importance of collaboration between Bishop Fox and its clients to maximize the effectiveness of their pen testing services.

Key Points:

Customer Involvement: Encourages clients to actively participate in verifying and managing their attack surfaces within the Cosmos platform.
Transparent Communication: Maintains open lines of communication to ensure clients understand the findings and the necessary remediation steps.
Building Trust: Moves away from the traditional "hand over a report and walk away" model to a more integrated, collaborative approach, fostering trust and long-term partnerships.

Notable Quote:

"We're here to help. We want to keep you safe. The best way to do that is open communication." – Mark Goodwin [28:35]

6. Managing Stress and Workload with Cosmos

The introduction of Cosmos has implications for the workforce at Bishop Fox, particularly in managing the stress and workload associated with offensive security operations.

Key Points:

Reduction of Manual Effort: Automation handles repetitive tasks, allowing security professionals to focus on higher-level analysis and creative problem-solving.
Prioritization Framework: By automating the identification and prioritization of vulnerabilities, Cosmos helps in managing the backlog of work, ensuring that critical issues are addressed promptly.
Supportive Leadership: Ensures that team leaders are equipped to make informed decisions about vulnerability prioritization, alleviating individual stress.

Notable Quote:

"Because we're leveraging five plus years and lots of operators and analyst input, we're able to say we believe as a service we're looking at the most important things. So it takes off that stress off the individual and really puts it on the shoulders of the leaders to make sure that we're making those right choices." – Mark Goodwin [32:15]

7. Regulatory Compliance and SOC 2

Gregor inquires about the impact of regulatory frameworks like SOC 2 on Bishop Fox's operations and Cosmos platform.

Key Points:

Compliance as a Driver: SOC 2 compliance has necessitated rigorous internal processes and best practices, ensuring that Cosmos operates within defined security standards.
Enhanced Service Quality: The adherence to regulatory requirements has streamlined operations, making the platform more reliable and trustworthy for clients.
Focus on Data Protection: Aligns with Bishop Fox's mission to protect customer data, reinforcing the importance of maintaining high-security standards.

Notable Quote:

"SOC 2 forces you to figure out, hey, here are the non-negotiables and how do we make sure we're doing these right so that we can continue to fly and do the right things." – Mark Goodwin [35:50]

8. Future Directions and Innovations

Looking ahead, Mark shares insights into the future developments planned for Cosmos, highlighting the integration of advanced technologies and continuous enhancement of service offerings.

Key Points:

Next Phase of Cosmos: Transitioning to a more self-service model, allowing clients to interact with and analyze their data more independently.
Expansion of Service Lines: Introducing Cosmos Chasm for continuous attack surface management and Cosmos Capt for ongoing web application pen testing.
Incorporation of AI and LLMs: Exploring the use of artificial intelligence and large language models to further automate and enhance vulnerability detection and analysis.
Staying Ahead of Threats: Continuously adapting to emerging threats by leveraging threat intelligence and maintaining agility in response strategies.

Notable Quote:

"Emerging threats are going to be the thing that continues to set us apart and set continuous pen testing apart." – Mark Goodwin [41:52]

9. Personal Insights and Advice

In the concluding segment, Gregor asks Mark for personal reflections and advice based on his extensive experience in the cybersecurity field.

Key Points:

Embrace Continuous Learning: Encourages professionals to continually enhance their technical skills and understanding of complex problem sets.
Importance of Leadership: Leaders should strive to understand the technical challenges faced by their teams to foster effective collaboration and support.
Value of Hard Training: Highlights the benefits of rigorous training and the importance of partnering with highly skilled individuals to drive success.

Notable Quote:

"Embrace that hard training and know that it's worth it because from my experience, those individual contributors will lean in and partner with you." – Mark Goodwin [42:45]

10. Conclusion

Gregor wraps up the episode by thanking Mark for his insightful contributions, emphasizing the value of Bishop Fox's innovative approach to offensive penetration testing and the promising future of the Cosmos platform.

Key Points:

Collaborative Future: Reiterates the importance of collaboration between security firms and their clients.
Continued Innovation: Anticipates ongoing advancements in automation and threat intelligence to enhance pen testing capabilities.
Commitment to Security: Affirms Bishop Fox's dedication to maintaining high-security standards and protecting clients from evolving threats.

Notable Quote:

"It's a really good call out. It's changing the mindset of what a service such as Bishop Fox can do, which is its collaborative like end to end and security." – Gregor Van [44:24]

Conclusion

This episode of Software Engineering Daily provides an in-depth exploration of the future of offensive penetration testing through the lens of Bishop Fox's innovative Cosmos platform. Mark Goodwin offers valuable insights into the evolution of automated pen testing, the significance of collaboration with clients, and the ongoing challenges and advancements in the cybersecurity landscape. Listeners gain a comprehensive understanding of how continuous offensive security measures are shaping the industry's approach to safeguarding digital assets against sophisticated threats.

Summary

Podcast Summary: The Future of Offensive Pentesting with Mark Goodwin

1. Introduction to Offensive Penetration Testing and Bishop Fox

Key Points:

Offensive Penetration Testing (Pen Testing): Actively probing systems to identify and exploit vulnerabilities, mirroring tactics used by real-world attackers. The objective is to uncover security weaknesses and provide actionable insights to bolster defenses.
Bishop Fox: An 18-year-old professional services firm renowned for its offensive security testing. The company emphasizes continuous training, tool development, and maintaining cutting-edge offensive capabilities.

Notable Quote:

"I consider it the future of offensive pen testing to be able to stay up with nation state actors, follow emerging threats and identify attack surface that customers may not know about." – Mark Goodwin [03:40]

2. Evolution of the Cosmos Platform

Key Points:

Genesis of Cosmos: Launched around March 2020, initially named CAST (Continuous Attack Surface Testing), Cosmos aims to automate and scale offensive security efforts without compromising on quality.
Three Core Components:
1. Automated Attack Surface Discovery: Continuously identifying and mapping out all potential attack vectors across a customer's digital footprint.
2. Automated Application Pen Testing: Focusing primarily on web applications, automating the detection of vulnerabilities while reserving critical findings for human analysis.
3. Internal Pen Testing (Future Development): Planned enhancements to include internal network assessments, enabling deeper penetration testing within a client's infrastructure.

Notable Quote:

"We don't want to build Ultron, we're building Ironman, to propel us forward." – Mark Goodwin [04:58]

3. Automation and Scalability in Pen Testing

Mark elaborates on how Cosmos leverages automation to handle large-scale attack surfaces, enabling Bishop Fox to serve enterprise clients with extensive digital infrastructures.

Key Points:

Efficiency Through Automation: Automates routine tasks like subdomain enumeration and initial vulnerability scanning, freeing up human operators to focus on critical and complex issues.
Prioritization of Vulnerabilities: Uses intelligent filtering to identify and report high-impact vulnerabilities, ensuring clients receive actionable and relevant findings without being overwhelmed by noise.
Integration with Threat Intelligence: Continuously updates the platform with emerging threats, leveraging resources like CISA KEV (Known Exploitable Vulnerabilities) and industrial research to stay ahead of adversaries.

Notable Quote:

"We're continuously looking for Attack Surface to bring in. We're scanning customers to make sure that we're having a right picture of their attack surface." – Mark Goodwin [24:38]

4. Handling Subdomain Takeovers

Subdomain takeover is a critical focus area for Cosmos, given its potential to expose organizations to significant risks.

Key Points:

Definition and Impact: Subdomain takeover occurs when an attacker gains control of a subdomain due to misconfigurations, allowing malicious activities like phishing or credential harvesting.
Automated Detection: Cosmos automates the identification of vulnerable subdomains, ensuring timely remediation before they can be exploited.
Case Study: Reference to a recent incident involving Watchtower in Singapore, illustrating the real-world implications of subdomain vulnerabilities.

Notable Quote:

"If I was hosting something clients.example.com and then for whatever reason I misconfigured... it can now become a phishing angle or a way to harvest credentials." – Mark Goodwin [16:08]

5. Collaboration and Customer Engagement

Mark emphasizes the importance of collaboration between Bishop Fox and its clients to maximize the effectiveness of their pen testing services.

Key Points:

Customer Involvement: Encourages clients to actively participate in verifying and managing their attack surfaces within the Cosmos platform.
Transparent Communication: Maintains open lines of communication to ensure clients understand the findings and the necessary remediation steps.
Building Trust: Moves away from the traditional "hand over a report and walk away" model to a more integrated, collaborative approach, fostering trust and long-term partnerships.

Notable Quote:

"We're here to help. We want to keep you safe. The best way to do that is open communication." – Mark Goodwin [28:35]

6. Managing Stress and Workload with Cosmos

The introduction of Cosmos has implications for the workforce at Bishop Fox, particularly in managing the stress and workload associated with offensive security operations.

Key Points:

Reduction of Manual Effort: Automation handles repetitive tasks, allowing security professionals to focus on higher-level analysis and creative problem-solving.
Prioritization Framework: By automating the identification and prioritization of vulnerabilities, Cosmos helps in managing the backlog of work, ensuring that critical issues are addressed promptly.
Supportive Leadership: Ensures that team leaders are equipped to make informed decisions about vulnerability prioritization, alleviating individual stress.

Notable Quote:

"Because we're leveraging five plus years and lots of operators and analyst input, we're able to say we believe as a service we're looking at the most important things. So it takes off that stress off the individual and really puts it on the shoulders of the leaders to make sure that we're making those right choices." – Mark Goodwin [32:15]

7. Regulatory Compliance and SOC 2

Gregor inquires about the impact of regulatory frameworks like SOC 2 on Bishop Fox's operations and Cosmos platform.

Key Points:

Compliance as a Driver: SOC 2 compliance has necessitated rigorous internal processes and best practices, ensuring that Cosmos operates within defined security standards.
Enhanced Service Quality: The adherence to regulatory requirements has streamlined operations, making the platform more reliable and trustworthy for clients.
Focus on Data Protection: Aligns with Bishop Fox's mission to protect customer data, reinforcing the importance of maintaining high-security standards.

Notable Quote:

"SOC 2 forces you to figure out, hey, here are the non-negotiables and how do we make sure we're doing these right so that we can continue to fly and do the right things." – Mark Goodwin [35:50]

8. Future Directions and Innovations

Looking ahead, Mark shares insights into the future developments planned for Cosmos, highlighting the integration of advanced technologies and continuous enhancement of service offerings.

Key Points:

Next Phase of Cosmos: Transitioning to a more self-service model, allowing clients to interact with and analyze their data more independently.
Expansion of Service Lines: Introducing Cosmos Chasm for continuous attack surface management and Cosmos Capt for ongoing web application pen testing.
Incorporation of AI and LLMs: Exploring the use of artificial intelligence and large language models to further automate and enhance vulnerability detection and analysis.
Staying Ahead of Threats: Continuously adapting to emerging threats by leveraging threat intelligence and maintaining agility in response strategies.

Notable Quote:

"Emerging threats are going to be the thing that continues to set us apart and set continuous pen testing apart." – Mark Goodwin [41:52]

9. Personal Insights and Advice

In the concluding segment, Gregor asks Mark for personal reflections and advice based on his extensive experience in the cybersecurity field.

Key Points:

Embrace Continuous Learning: Encourages professionals to continually enhance their technical skills and understanding of complex problem sets.
Importance of Leadership: Leaders should strive to understand the technical challenges faced by their teams to foster effective collaboration and support.
Value of Hard Training: Highlights the benefits of rigorous training and the importance of partnering with highly skilled individuals to drive success.

Notable Quote:

"Embrace that hard training and know that it's worth it because from my experience, those individual contributors will lean in and partner with you." – Mark Goodwin [42:45]

10. Conclusion

Key Points:

Collaborative Future: Reiterates the importance of collaboration between security firms and their clients.
Continued Innovation: Anticipates ongoing advancements in automation and threat intelligence to enhance pen testing capabilities.
Commitment to Security: Affirms Bishop Fox's dedication to maintaining high-security standards and protecting clients from evolving threats.

Notable Quote:

"It's a really good call out. It's changing the mindset of what a service such as Bishop Fox can do, which is its collaborative like end to end and security." – Gregor Van [44:24]

wavePod

Powered by Wave AI

Summary

Podcast Summary: The Future of Offensive Pentesting with Mark Goodwin

1. Introduction to Offensive Penetration Testing and Bishop Fox

2. Evolution of the Cosmos Platform

3. Automation and Scalability in Pen Testing

4. Handling Subdomain Takeovers

5. Collaboration and Customer Engagement

6. Managing Stress and Workload with Cosmos

7. Regulatory Compliance and SOC 2

8. Future Directions and Innovations

9. Personal Insights and Advice

10. Conclusion

Conclusion

Summary

Podcast Summary: The Future of Offensive Pentesting with Mark Goodwin

1. Introduction to Offensive Penetration Testing and Bishop Fox

2. Evolution of the Cosmos Platform

3. Automation and Scalability in Pen Testing

4. Handling Subdomain Takeovers

5. Collaboration and Customer Engagement

6. Managing Stress and Workload with Cosmos

7. Regulatory Compliance and SOC 2

8. Future Directions and Innovations

9. Personal Insights and Advice

10. Conclusion

Conclusion