What is Penetration Testing?
Penetration Testing, by definition, is “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security using the same tools and techniques as an adversary might.”
The Purpose of Penetration Testing Methodologies
The key purpose of Penetration Testing is to find and exploit vulnerabilities in a system before an attacker does. By doing this, organizations can determine the risks associated with these vulnerabilities and take steps to mitigate them. The three key purposes of penetration testing methodologies are to provide consistency, address vulnerabilities, and provide an in-depth aspect to testing.
Top Three Penetration Testing Methodologies
There are three main types of penetration testing methodologies: OSSTMM, OWASP, and NIST.
The Open Source Security Testing Methodology Manual, also known as OSSTMM, is a methodology that covers multiple types of security testing, from social engineering to network security. The institute is in charge of developing and maintaining it for open methodologies and security. (ISECOM)
The OWASP Web Security Testing Guide (WSTG) is a comprehensive guide for testing web application security that has been developed in collaboration with a large range of volunteers within the industry. While primarily known for web application security, OWASP also offers guides on mobile security testing and firmware testing.
In 2008, NIST released the special publication (SP) 800-115, ‘Technical Guide to Information Security Testing and Assessment’. This document focuses primarily on infrastructure testing and provides a guide to the basic aspects of conducting security assessments.
Our Penetration Testing Methodologies at TN Computer Medics
Here at TN Computer Medics we use a variety of methodologies, with aspects of Web Application testing and using OWASP. Only for infrastructure testing do we use NIST. As well as following the general methodologies, we as a business put a spin on aspects to provide a more in-depth overview of the vulnerabilities of Penetration Testing.