How Slack Hires a Red Team (and you can too!)

What is a pentest or a red team? Before we go any further, we should define our terms, though you may find they’re often used interchangeably: Pentest: A penetration test, colloquially known as a pentest, attempts to use attacker methods to assess the exploitability, number, and impact of vulnerabilities so the target organization can remediate.…

John Sonnenschein
11 min readadvanced
--
View Original

Overview

The article discusses how Slack hires a red team for security assessments and provides guidance for organizations looking to implement similar practices. It covers key concepts such as the differences between penetration testing and red teaming, the importance of readiness for a pentest, and how to effectively engage with vendors.

What You'll Learn

1

How to assess your organization's readiness for a pentest

2

Why defining the scope of a pentest is crucial for success

3

How to effectively communicate the value of security investments using pentest reports

4

When to schedule regular pentests to maintain security posture

Prerequisites & Requirements

  • Basic understanding of security concepts and vulnerabilities

Key Questions Answered

What is the difference between a pentest and a red team?
A pentest focuses on identifying and exploiting vulnerabilities to assess technical controls, while a red team evaluates the overall security posture, including social and procedural controls, to simulate real-world attacks.
How can organizations determine if they are ready for a pentest?
Organizations should assess their ability to manage and remediate vulnerabilities, evaluate their infrastructure security maturity, and consider their current backlog of security issues before engaging in a pentest.
What should organizations aim to achieve from a pentest?
Organizations may seek to establish confidence in their security practices, provide evidence for certifications, or make a case for security investments. Understanding these goals helps shape the pentest engagement.
How do you find the right pentest vendor?
Finding the right vendor involves understanding your specific environment, seeking individuals with relevant expertise, and ensuring that the vendor can effectively address your security needs based on their experience.

Key Actionable Insights

1
Assess your organization's security readiness before engaging a pentest vendor.
This ensures that you can effectively manage and remediate any vulnerabilities identified during the pentest, preventing additional workload without addressing existing issues.
2
Clearly define the scope and objectives of your pentest engagement.
A well-defined scope helps the pentest team focus on critical assets and ensures that the engagement meets your specific security needs.
3
Use pentest reports to communicate security risks to stakeholders.
These reports can visually demonstrate vulnerabilities and their potential impact, making it easier to justify security investments to decision-makers.

Common Pitfalls

1
Failing to assess the organization's readiness for a pentest can lead to overwhelming new vulnerabilities without addressing existing ones.
This often happens when organizations are eager to test their security but lack the processes to manage new findings effectively.
2
Not clearly defining the scope of the pentest can result in missed critical vulnerabilities or unnecessary disruptions.
Without a clear scope, pentesters may not focus on the most important assets, leading to ineffective assessments.