An introduction to the methodologies

Why do we need a methodology in ethical hacking?
© Coventry University. CC BY-NC 4.0

Penetration testing is no longer a single hacker’s ad hoc job. In almost all cases it is a formal process that needs to address the business and security needs of the clients while being reproducible, documented and auditable.

Many security companies will have their own specific penetration testing methodologies, depending on the scale, complexity and scope of their projects. Most of them are similar to – or derived from – the methodologies we’ll discuss in this activity. Having a good understanding of the relevant methodologies will give you the basis for planning and conducting a successful penetration test.

We’ll review a number of penetration testing methodologies here. Most of them are generic and could be applied in any project, while others are specific to particular scenarios, such as web application pentesting.

Of course, given that the computing environments, infrastructure and systems of organisations differ, many real pentesting projects will require a methodology which is adapted to the current scope and requirements. It’s important that you understand the rationale and theory behind the pentesting methodologies so that you’re able to extract what is relevant and adapt the parts required for your project.

The methodologies which we’ll discuss in this activity are:

  • Information Systems Security Assessment Framework (ISSAF)
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Penetration Testing Execution Standard (PTES)
  • Technical Guide to Information Security Testing and Assessment (NIST SP800-115)
  • OWASP Testing Guide

A note about tools

Some of the methodologies we will review discuss the tools to be used in each step. It’s worth noting that the cyber security field is a dynamic one, with new technologies being introduced and new tools being developed regularly. As such, you shouldn’t limit yourself to the tools and techniques suggested by the methodology, but should use them as a starting point for further research and development.

This article is from the free online course Ethical Hacking: An Introduction.