Web Security Testing Guide
Penetration Testing Methodologies Summary
OWASP Testing Guide PCI Penetration Testing Guide Penetration Testing Execution Standard NIST 800-115 Penetration Testing Framework Information Systems Security Assessment Framework (ISSAF) Open Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing Execution Standard (PTES)
PTES defines penetration testing as 7 phases.
Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Exploitation Post Exploitation Reporting
Instead of simply methodology or process, PTES also provides hands-on technical guidelines for what/how to test, rationale of testing and recommended testing tools and usage.
PTES Technical Guidelines PCI Penetration Testing Guide
Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 defines the penetration testing. PCI also defines Penetration Testing Guidance. PCI DSS Penetration Testing Guidance
The PCI DSS Penetration testing guideline provides a very good reference of the following area while it’s not a hands-on technical guideline to introduce testing tools.
Penetration Testing Components Qualifications of a Penetration Tester Penetration Testing Methodologies Penetration Testing Reporting Guidelines
PCI DSS Penetration Testing Requirements
The PCI DSS requirement refer to Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3
Based on industry-accepted approaches Coverage for CDE and critical systems Includes external and internal testing Test to validate scope reduction Application-layer testing Network-layer tests for network and OS
Penetration Testing Framework
The Penetration testing framework provides very comprehensive hands-on penetration testing guide. It also list usage of the testing tools in each testing category. The major area of penetration testing includes -
Network Footprinting (Reconnaissance) Discovery & Probing Enumeration Password cracking Vulnerability Assessment AS/400 Auditing Bluetooth Specific Testing Cisco Specific Testing Citrix Specific Testing Network Backbone Server Specific Tests VoIP Security Wireless Penetration Physical Security Final Report - template
Penetration Testing Framework Technical Guide to Information Security Testing and Assessment (NIST800-115) Information Systems Security Assessment Framework (ISSAF)
The ISSAF is a very good reference source of penetration testing though Information Systems Security Assessment Framework (ISSAF) is not an active community. It provides comprehensive penetration testing technical guidance. It covers the area below.
Project Management Guidelines And Best Practices - Pre-Assessment, Assessment And Post Assessment Assessment Methodology Review Of Information Security Policy And Security Organization Evaluation Of Risk Assessment Methodology Technical Control Assessment Technical Control Assessment - Methodology Password Security Password Cracking Strategies Unix /Linux System Security Assessment Windows System Security Assessment Novell Netware Security Assessment Database Security Assessment Wireless Security Assessment Switch Security Assessment Router Security Assessment Firewall Security Assessment Intrusion Detection System Security Assessment VPN Security Assessment Anti-Virus System Security Assessment And Management Strategy Web Application Security Assessment Storage Area Network (SAN) Security Internet User Security As 400 Security Source Code Auditing Binary Auditing Social Engineering Physical Security Assessment Incident Analysis Review Of Logging / Monitoring & Auditing Processes Business Continuity Planning And Disaster Recovery Security Awareness And Training Outsourcing Security Concerns Knowledge Base Legal Aspects Of Security Assessment Projects Non-Disclosure Agreement (NDA) Security Assessment Contract Request For Proposal Template Desktop Security Check-List - Windows Linux Security Check-List Solaris Operating System Security Check-List Default Ports - Firewall Default Ports - IDS/IPS Links Penetration Testing Lab Design
Open Source Security Testing Methodology Manual (OSSTMM)
OSSTMM is a methodology to test the operational security of physical locations, workflow, human security testing, physical security testing, wireless security testing, telecommunication security testing, data networks security testing and compliance. OSSTMM can be supporting reference of IOS 27001 instead of a hands-on penetration testing guide.
OSSTMM includes the following key sections:
Operational Security Metrics Trust Analysis Work Flow. Human Security Testing Physical Security Testing Wireless Security Testing Telecommunications Security Testing Data Networks Security Testing Compliance Regulations Reporting with the STAR (Security Test Audit Report)
References
PCI Data Security Standard - Penetration TestingGuidance Pentest Standard Open Source Security Testing Methodology Manual (OSSTMM) NIST - SP 800-115 HIPAA 2012 Penetration Testing Framework 0.59 OWASP Mobile Security Testing Guide Security Testing Guidelines for Mobile Apps Kali ISSTF Information Supplement: Requirement 11.3 Penetration Testing