Penetration Testing Methodologies
What is Penetration Testing?
Penetration Testing, by definition, is “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”
Want to skip the read and go straight to the video? Look no further, just click here.
The Purpose of Penetration Testing Methodologies
The key purpose of Penetration Testing is to find and exploit vulnerabilities in a system before an attacker does. By doing this, organisations can determine the risks associated with these vulnerabilities and take steps to mitigate them. The three key purposes of penetration testing methodologies are to provide consistency, address vulnerabilities and provide an in-depth aspect to testing.
Top Three Penetration Testing Methodologies
There are three main types of penetration testing methodologies: OSSTMM, OWASP and NIST.
The Open Source Security Testing Methodology Manual, also known as OSSTMM is a methodology that covers multiple types of security testing from social engineering to network security. It is developed and maintained by the institute for security and open methodologies. (ISECOM)
The OWASP Web Security Testing Guide (WSTG) is a comprehensive guide for testing web application security which has developed in collaboration with a large range of volunteers within the industry. Whilst primarily known for Web Application Security, OWASP also offers guides on mobile security testing and firmware testing.
In 2008, NIST released the special publication (SP)800-115 a ‘Technical Guide to Information Security Testing and Assessment’. This document focuses primarily on infrastructure testing and provides a guide to the basic aspects of conducting security assessments.
Our Penetration Testing Methodologies at Pentest People
Here at Pentest People we use a variety of methodologies, with aspects of Web Application testing and using OWASP. Solely for infrastructure testing, we use NIST. As well as following the general methodologies, we as a business put a spin on aspects to provide a more in-depth overview of vulnerabilities of Penetration Testing.
Methodologies: A quick breakdown
I’d say the main purpose is to provide consistency in assessments. So basically, so you’re at least addressing I mean as a set of vulnerabilities but there’s quite a lot of variation on methodologies as a whole to provide a more in depth aspect.
So there’s a variety of methodologies available, the top three are OSSTmm OWASP and nest.
At pentest people we use a variety of methodologies we take into consideration methodologies like Owasp in aspects, so web app testing, and more so, NIST for infrastructure assessments, but we also have our own little spin on assessments to provide a more in-depth overview of vulnerabilities on a penetration test. I hope that provides a good overview of methodologies in penetration.