Research indicates that current trends in information security threats outpaces the security controls that reduce and or eliminate information security vulnerabilities. This document examines the approach of achieving maximum information security defensibility, by utilizing effective offensive testing. Compared are the differences in the effectiveness of security testing by performing a controlled test – referred to as “vanilla” testing, and a responsibly orchestrated blackhat test. Contrary to popular industry belief, realistic “adversarial” testing can be accomplished in a responsible manner without the consequences of “bringing down the house,” contrary to popular belief. Offered, are arguments, costs associated with testing, and counterpoints against organizational decisions that disallow certain types of testing. Blackhat based testing is similar to what a malicious and structured attacker would perform and it is believed that by performing “blackhat” testing, we are taking a “realistic” approach to vulnerability testing. This is the proper route to take to ensure fully scoping the potential vulnerabilities in a given environment in an effort to maintain proper defensibility.
For those seeking more information about the RWSP:
The RWSP is based on an individual's ability to handle and react to real-world security situations. Security within the RWSP is approached from both an offensive and defensive perspective. The RWSP is a peer reviewed certification that is composed of three (3) primary components:
1) The Real World Security: Attack, Defend, and Repel training course is an intensive, hands-on course for intermediate to advanced security professionals. Students are split into two (2) teams allowing for one (1) day focused on offensive aspects and one (1) day focused on defensive aspects. The simulations are real, but based on a fictional storyline. The training course allows for the practical demonstration of skills and allows the students of the course to review the participation, leadership, and contributions of each RWSP candidate students.
2) Knowledge Metric: Immediately following the completion of the Real World Security: Attack, Defend, and Repel course a knowledge metric (test) is given to those individuals wishing to become a candidate for the RWSP certification. After successfully passing the knowledge metric with a 70% or better, the individual becomes an RWSP candidate.
3)Peer Reviewed RWSP Project: This practical written project is an information security focused around a topic of interest to the RWSP candidate. Initially, RWSP candidates are given 60 days to complete the project based on a given collegiate writing standard, such as APA or MLA. In this format, papers are expected to cover the subject thoroughly and end up at approximately 15 pages.