Home page logo
/

pen-test logo Penetration Testing mailing list archives

Methodology
From: Alex Fiuvertiz <fiuvertiz () gmail com>
Date: Fri, 20 Nov 2009 08:50:33 +0100

Hi,

It seems like there are a lot of different methodologies out there
when it comes down to perfoming penetration tests.
But how often are people/pentesters out there use the
industry/official "standards" (se example list below)?
Are you/they using them mostly for the client's sake when writing
reports and to make sure you don't overlook anything?

Or are you ignoring them totally, trust your experience, and just hack
away and have your own ultimate methodology and report format?


PTF? Perhaps more of a techincal reference
(http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
OSSTMM ?
NIST?
ISSAF?
Foundstone's methodology?
xxxxx?

I realize the methodologies above can't be compared quite simply, but
at least they give you a hint of what I mean.
Do you use any of these? Why? Why not? (this question does not focus
on the web application penetration testing methods, although that
could be interesting as well)

Regards, Alex

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Methodology Alex Fiuvertiz (Nov 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]