A penetration testing methodology is the manner in which a penetration test is organized and executed. Penetration testing methodologies help to methodically identify security vulnerabilities in an organization. Think of this type of testing as your live-fire exercise for a Cyber-attack.
These methodologies outline the process a company may take to discover those vulnerabilities across the vertical of their IT critical assets, offerings, and processed. While companies can use their own custom processes, there are many readily established, industry-recognized methodologies that can be a great starting point for organizations. Some organizations use these developed methods as an “out of the box” solution, while others use them as a baseline to build on.
The top four penetration testing methodologies that are industry-recognized and respected are:
- OSSTMM
- OWASP
- NIST
- PTES
What Is OSSTMM?
The Open Source Security Testing Methodology Manual, or OSSTMM, is one of the most recognizable penetration testing methodologies in the industry. It is a peer-reviewed methodology maintained by the Institute for Security and Open Methodologies (ISECOM). OSSTMM allows companies to tailor their penetration tests to their specific needs while providing developers accessibility to more secure portions of their environment for development. OSSTMM contains checks to ensure adherence to regulations and laws. With a combination of technical direction, customizability for several environments, and broad support for several organization types, OSSTMM is a universal go-to among penetration testing methodologies.
What Is OWASP?
OWASP, or Open Web Application Security Project, is a set of standards and guidelines for the security of web applications, and is often the starting point for IT personnel when initially venturing into the realm of penetration testing. OWASP provides several resources on its own to improve the security posture of both internal and external web applications by providing companies with a comprehensive list of vulnerability categories for web applications, as well as ways to mitigate or remediate them.
What Is PTES?
PTES is the Penetration Testing Execution Standard, and provides a high-level overview of a penetration test, consisting of the following seven steps:
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
What Is NIST?
NIST stands for the National Institute of Standards and Technology. Generally speaking, NIST is more of a security framework than a penetration testing methodology. NIST provides companies with baseline standards for configuring technologies and stacks within their environment, which can be applied to penetration testing. In relation to penetration testing, NIST Special Publication 800-115 contains standards and best practices for conducting an internal security assessment.
Why Are Penetration Methodologies Important?
Penetration testing methodologies are a great way for companies to implement regular security assessments into their organization. Following the established methodologies described above, allows for an easier implementation at companies where knowledge and experience with penetration tests may be limited, or where existing infrastructure within a company has made penetration testing difficult in the past. As with any solution to security threats, care should be taken to ensure that the methodology used fits the needs of the organization without adding unnecessary work for developers and other personnel.
The four methodologies referenced above have been sufficiently tested and refined to be broadly applicable to most organizations. While there is occasionally a need for newly designed methodologies in companies with niche or esoteric software necessities, the creation of an independent methodology should be used as a last resort so as to avoid unnecessary research and work for IT personnel.
Caution should be taken when it comes to selecting a framework for penetration testing. While each of these frameworks can provide structure and organization to daily technological operations, if implemented poorly, they can use up too much time and effort, creating an unnecessary workload for what should be a simple process. To avoid this, BrillianSe Group urges companies not to regard penetration testing as a standard project with daily standups and updates. Flexibility within these methodologies is fundamental to success within implementation, as each organization will have individual and independent needs surrounding these tests.
Feedback from security assessments allows an organization to change and adapt according to results. Reports should never contain the same information twice, as an organization should update the security posture following every completed assessment. Penetration testing is no exception. When followed flexibly and updated regularly, penetration testing methodologies work for those who use them and bring simplicity and success to an organization’s process of cyber security assessment.