An introduction to the methodologies

Penetration testing is no longer a single hacker’s ad hoc job. In almost all cases it is a formal process that needs to address the business and security needs of the clients while being reproducible, documented and auditable.

Many security companies will have their own specific penetration testing methodologies, depending on the scale, complexity and scope of their projects. Most of them are similar to – or derived from – the methodologies we’ll discuss in this activity. Having a good understanding of the relevant methodologies will give you the basis for planning and conducting a successful penetration test.

We’ll review a number of penetration testing methodologies here. Most of them are generic and could be applied in any project, while others are specific to particular scenarios, such as Web Apps pentesting.

Of course, given that the computing environments, infrastructure and systems of organisations differ, many real pentesting projects will require a methodology which is adapted to the current scope and requirements. It’s important that you understand the rationale and theory behind the pentesting methodologies so that you’re able to extract what is relevant and adapt the parts required for your project.

The methodologies which we’ll discuss in this activity are:

• Information Systems Security Assessment Framework (ISSAF)
• Open Source Security Testing Methodology Manual (OSSTMM)
• Penetration Testing Execution Standard (PTES)
• Technical Guide to Information Security Testing and Assessment (NIST SP800-115)
• OWASP Testing Guide

A note about tools

Some of the methodologies we will review discuss the tools to be used in each step. It’s worth noting that the cyber security field is a dynamic one, with new technologies being introduced and new tools being developed regularly. As such, you shouldn’t limit yourself to the tools and techniques suggested by the methodology but use them as a starting point for further research and development.