Common Penetration Testing Methodologies
MITRE ATT&CK
The MITRE ATT&CK framework is an invaluable resource for understanding adversary tactics, techniques, and procedures (TTPs). It is a continuously evolving knowledge base, updated regularly with techniques observed in real-world adversary behavior. It serves many purposes, from red teaming and threat hunting to incident response and security assessment, grounding each of them in documented adversary behavior rather than theory.
OWASP WSTG
The OWASP Web Security Testing Guide (WSTG) is a community-driven, comprehensive guide for web application security testing. It provides detailed scenarios for testing vulnerabilities, methodologies for both automated and manual testing, and best practices for secure coding and application design. Its community-driven approach ensures it stays updated with the latest threats and countermeasures.
NIST SP 800-115
NIST Special Publication (SP) 800-115 offers comprehensive guidelines covering the technical, management, and reporting aspects of information security testing. It emphasizes a holistic approach, aligning testing processes with business objectives and regulatory requirements, and provides detailed guidance on reporting identified vulnerabilities and following up on their remediation.
OSSTMM
The Open Source Security Testing Methodology Manual (OSSTMM), now in its third version, with a fourth in draft, provides a robust framework for repeatable and consistent security testing. It covers a wide range of areas including operational security metrics, trust analysis, various forms of security testing (such as human, physical, wireless), and compliance regulations. The OSSTMM is notable for its comprehensive approach to security testing, emphasizing a structured and methodical process.
PTES
The Penetration Testing Execution Standard (PTES) is a detailed framework that encompasses the entire process of a penetration test, from pre-engagement interactions to post-exploitation and reporting. It guides testers on the latest attack types, methods, and tools. PTES is distinguished by its focus on the entire lifecycle of penetration testing, offering a thorough perspective on each stage of the testing process.
ISSAF
The Information Systems Security Assessment Framework (ISSAF) provides a comprehensive penetration testing methodology with a range of phases, from information gathering to covering tracks. It's unique in its detailed coverage of every aspect of the penetration testing process, including less commonly discussed areas like compromising remote users/sites and maintaining access. ISSAF's thoroughness makes it an invaluable resource for deep and comprehensive security assessments.