My activities testing the UMA protocol gave me good insight into how companies specialising in identity management deal with these protocols.
The funny thing is, I had not yet looked at how IT security companies view identity protocols like UMA, OpenID and OAuth. Functional testing and document reviewing are one thing, but penetration testing (pentesting) requires a different approach.
When I found out that InfoSecurity Benelux 2011 was going to take place in Utrecht, I registered and attended the exposition.
Why? To find out more about the possibilities in the Netherlands for learning and practising pentesting.
Together with a mate of mine, I spent a day exploring the Dutch security ecosystem, ranging from network to antivirus companies. And, more importantly, IT security companies.
We visited stands, listened to keynotes and had valuable discussions with Dutch key players in IT security.
Starting with the stands: they were organised like at any exposition, with big network companies like Cisco having the biggest stands and the IT security companies the smaller ones.
Also, like in any ecosystem, companies (read: predators) were luring their customers (read: prey) with goodies, lovely ladies (yes, I saw those too) or an F1 racing car experience (seen that before).
In half an hour both our bags were full of security goodies and folders, and we had seen some very good-looking ladies (not only the promo girls).
Then it was time for business: exploring the pentest community.
Companies like Fox-IT (remember the DigiNotar blog), Madison Gurkha (lockpicking isn't my thing :-) ) and Dionach were on our list, and they did not disappoint.
We also found out that a lot of pentesting certifiers were there, like the already mentioned Dionach with their TIGER scheme, but also Certified Ethical Hacker (CEH) certifiers (TSTC) and 'free' online trainers (Certified Secure).
It reminded me of the earlier test exhibitions I visited, where visitors were blown away by the newest test approaches like ISEB, ISTQB, TMap and TestFrame.
IMHO, every approach has its (dis)advantages, and a good pentester should have sufficient knowledge of these different approaches when needed. However, we have to start somewhere, so more digging into this certification world will be necessary.
The afternoon was spent listening to keynotes addressing recent security developments like the mobile banking facilities of a particular bank, the security of social media and the history of PKI.
Very interesting stuff, and the presenters gave clear insight into how they handle security in their business.
Before we knew it, it was already 16:00 and the exhibition stands were being broken down. There was still one thing I had to do.
I had to visit the stand of CRYPSYS Data Security, a Dutch ICT security distributor for the Benelux with over 20 years of experience. And, more importantly, with a recent interest in my blog and tweets :-). So I had to meet these people, although they're no pentest specialists.
Not a waste of time, because CRYPSYS gave me a good understanding of how they do business and were very patient with my questions. A company for me to watch and learn from.
Then it was over: a few drinks and back on the train home.
It was a very interesting day at InfoSecurity Benelux 2011, discovering new challenges, learning interesting stuff and meeting great people.
Certainly a follow-up for 2012.