Penetration Testing mailing list archives

Methodology


From: Alex Fiuvertiz <fiuvertiz () gmail com>
Date: Fri, 20 Nov 2009 08:50:33 +0100

Hi,

It seems like there are a lot of different methodologies out there
when it comes down to performing penetration tests.
But how often do people/pentesters out there use the
industry/official "standards" (see example list below)?
Are you/they using them mostly for the client's sake when writing
reports and to make sure you don't overlook anything?

Or are you ignoring them totally, trust your experience, and just hack
away and have your own ultimate methodology and report format?


PTF? Perhaps more of a technical reference
(http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
OSSTMM ?
NIST?
ISSAF?
Foundstone's methodology?
xxxxx?

I realize the methodologies above can't be compared quite simply, but
at least they give you a hint of what I mean.
Do you use any of these? Why? Why not? (this question does not focus
on the web application penetration testing methods, although that
could be interesting as well)

Regards, Alex
