Penetration Testing mailing list archives
Methodology
From: Alex Fiuvertiz <fiuvertiz () gmail com>
Date: Fri, 20 Nov 2009 08:50:33 +0100
Hi,

It seems like there are a lot of different methodologies out there when it comes down to performing penetration tests. But how often do people/pentesters out there use the industry/official "standards" (see example list below)?

Are you/they using them mostly for the client's sake when writing reports and to make sure you don't overlook anything? Or are you ignoring them totally, trusting your experience, and just hacking away and having your own ultimate methodology and report format?

PTF? Perhaps more of a technical reference (http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
OSSTMM?
NIST?
ISSAF?
Foundstone's methodology?
xxxxx?

I realize the methodologies above can't be compared quite simply, but at least they give you a hint of what I mean. Do you use any of these? Why? Why not?

(This question does not focus on the web application penetration testing methods, although that could be interesting as well.)

Regards,
Alex