Penetration Testing mailing list archives
Re: Pentesting Methodology/Framework
From: Dan Crowley <dcrowley () coresecurity com>
Date: Tue, 09 Nov 2010 08:41:59 -0500
Hi Kurt,

The ISSAF seems rather broad, but suffers from a lack of depth and maturity. However, it is free, and if you are just trying to decide what tests you should perform on your organization, this is a great way to build a skeleton of sorts. The latest version of the ISSAF is v0.2 to my knowledge. This should give you an indication of its maturity. However, I'm intrigued to see what future versions will be like.

I must admit that I don't know what's in the latest OSSTMM, mainly because I'm not interested in paying for a pen testing methodology. That said, having read the earlier OSSTMM document (which is now free) I was satisfied with its quality overall, though disappointed with its outdated nature, and wished that this, too, was free. The latest version is v3.0 and the latest free version is v2.2, IIRC.

You may also want to look for Foundstone's "hacker methodology" document (I have only been able to locate outlines, not the full methodology) for a rudimentary structure. Optionally, for a basic structure with some more detail, you may wish to refer to NIST 800-115.

Hope this helps!

--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies
Direct: +1 (617) 695-1151
Fax: +1 (617) 399-6987

"One machine can do the work of fifty ordinary men. No machine can do the work of an extraordinary man." - Elbert Hubbard

On 11/8/2010 8:48 PM, Kurt M.D. John wrote:
Hey guys,

What are your thoughts on Information System Security Framework (ISSF) vs. Open Source Security Testing Methodology Manual (OSSTMM)?

Thanks,
Kurt M. D. John, CISA, C|EH, CPT

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Pentesting Methodology/Framework Kurt M.D. John (Nov 08)
- RE: Pentesting Methodology/Framework Cor Rosielle (Nov 12)
- Re: Pentesting Methodology/Framework Dan Crowley (Nov 12)