When it comes to penetration testing, organisations have many different methodologies and standards to choose from. Each has its benefits and drawbacks.
In this blog post, we will take a look at five of the most popular penetration testing methodologies and standards: NIST, OWASP, OSSTMM, PTES, and ISSAF. We’ll discuss what each one entails.
Why follow a security testing methodology/standard?
They give your testing process great structure and direction. Adhering to a well-defined methodology or standard helps ensure that your penetration testing is comprehensive and effective.
It also makes it easier to compare the results of different tests, as well as to audit and improve your testing process over time.
Furthermore, many compliance requirements (such as PCI DSS) mandate the use of a specific methodology or standard.
1. NIST – Cybersecurity Framework (CSF)
CSF takes a risk-based approach to data security. It was developed by NIST and has five core functions:
1. Identify – Understand your organisation’s assets, vulnerabilities, and risks.
2. Protect – Implement safeguards to reduce vulnerabilities and risks.
3. Detect – Monitor for indicators of compromise and incidents.
4. Respond – Take appropriate actions when a breach occurs.
5. Recover – Get systems operational quickly.
2. OWASP Web Security Testing Guide
1. Information Gathering – Collect information about the target application/system.
2. Configuration Testing – Test for insecure configurations and deployments.
3. Client-side Testing – Test for vulnerabilities in the client-side code.
4. Authentication Testing – Test for weak authentication and session management.
5. Authorisation Testing – Test for unauthorised access.
6. Session Management Testing – Test for session hijacking and session fixation.
7. Input Validation Testing – Test for insecure input handling.
8. Business Logic Testing – Test for logic flaws in the application.
9. Cryptography Testing – Test for weak or easily breakable cryptography.
10. Identity Management Testing – Test for insecure management of identities.
11. API Testing – Test for vulnerabilities in APIs.
12. Testing for Error Handling – Test for insecure error handling.
This document explains the procedure for each stage of testing in detail.
3. OSSTMM – Open Source Security Testing Methodology Manual
OSSTMM is mainly sought after for its repeatability and accuracy. It covers:
● Wireless Security Testing – for networks and networked devices
● Trust Analysis – for systems and services
● Operational Security Metrics – for processes and procedures
● Compliance Regulations – for organisational policies
● Workflow – for the management of testing projects
● Reporting – for the analysis and presentation of results
● Telecommunications Security Testing – for data communications
● Data Networks Security Testing – for data centre and network infrastructure
● Testing Physical Security – for premises and personnel security
4. PTES – Penetration Testing Execution Standard
PTES is a framework for penetration tests. It includes a list of recommended practices and procedures that should be followed during the test, and it defines a seven-step approach to penetration testing that is widely used today.
1. Pre-engagement Interactions: In this stage, the tester should establish the scope and objectives of the test with the client.
2. Intelligence Gathering: Here the tester should collect useful information on the target systems, such as IP addresses, usernames, etc.
3. Threat Modelling: In this stage, the tester should identify the threats that exist for the target system.
4. Vulnerability Analysis: In this stage, the tester should identify the vulnerabilities that exist for the target system.
5. Exploitation: Here, the tester must attempt to exploit any flaws that were discovered in the previous stage.
6. Post-Exploitation: In this stage, the tester should gather information about the system that was exploited.
7. Reporting: In this stage, the tester should report the findings of the test to the client.
5. ISSAF – Information System Security Assessment Framework
ISSAF is a framework for penetration testing that was created with the intent of establishing a standard approach and set of tools. It is no longer updated, but many pen testers still use it.
The five phases of this methodology are well organised and may be used to investigate unique circumstances in further detail.
The five phases under ISSAF are:
Phase II (Assessment) is the phase used for penetration testing, and it includes:
● Information Gathering
● Network Mapping
● Vulnerability Assessment
● Gaining Access
● Compromising Remote Users/Sites
● Enumerating Further
● Privilege Escalation
● Covering Up Tracks
● Maintaining Access
Penetration testing is an important component of every security program. By understanding the different methodologies and standards, you can create a more comprehensive and effective test. NIST, OWASP, OSSTMM, PTES, and ISSAF are all great resources to help you get started.
Remember to always tailor your approach to the specific needs of your organisation and target systems. With a little practice, you’ll be conducting penetration tests like a pro in no time.
Ankit Pahuja is the Marketing Lead & Evangelist at Astra Security. Ever since reaching adulthood (literally, at 20 years old), he has been finding vulnerabilities in websites and network infrastructures. Starting his professional career as a software engineer at one of the unicorns enabled him to bring “engineering in marketing” to reality. Working actively in the cybersecurity space for more than 2 years makes him the perfect T-shaped marketing professional. Ankit is an avid speaker in the security space and has delivered various talks at top companies, early-stage startups, and online events.