Penetration testing methodologies

Summary

• OWASP testing guide
• PCI Penetration testing guide
• Penetration Testing Execution Standard
• Open Source Security Testing Methodology Manual (“OSSTMM”)
• NIST 800-115
• Penetration Testing Framework
• Information Systems Security Assessment Framework (ISSAF)

Penetration Testing Execution Standard (PTES)

PTES defines penetration testing as 7 phases.

• Pre-engagement Interactions
• Intelligence Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting

Instead of simply methodology or process, PTES also provides hands-on technical guidelines for what/how to test, rationale of testing and recommended testing tools and usage.

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

Open Source Security Testing Methodology Manual (OSSTMM)

PCI Penetration testing guide

Penetration Testing Framework

Technical Guide to Information Security Testing and Assessment (NIST800-115)

Information Systems Security Assessment Framework (ISSAF)

Reference

• https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
• http://www.pentest-standard.org/index.php/Main_Page
• http://www.isecom.org/research/osstmm.html
• http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
• http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-6_kscarfone-rmetzer_security-testing-assessment.pdf
• http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
• https://www.owasp.org/images/0/04/Security_Testing_Guidelines_for_mobile_Apps_-_Florian_Stahl%2BJohannes_Stroeher.pdf
• http://www.mcafee.com/tw/resources/white-papers/foundstone/wp-pen-testing-android-apps.pdf
• https://www.kali.org/