Comparative Analysis of Penetration Testing Methodologies and Standard Operating Procedures

Introduction

With the improvement of IT segment, step by step security shortcomings and dangers are expanding quickly. To respond to these threats, tries and foundations perform Penetration Tests (PenTest) of security associations as a technique for redesigning their security. After the testing, a security weakness examination is coordinated to strengthen system security attack frameworks are winding up all the more contrasting and refined. A Penetration Test is an undertaking to find the security inadequacies of a PC structure and intentionally attack the system with the legal support, to manage the PC structure even more safely.

There are diverse sorts of techniques and structures accessible now for infiltration testing. Each has interesting attributes and adopts an alternate strategy to entrance testing. A portion of the significant systems that are utilizing now are looked at and talked about underneath.

Open Source Security Testing Methodology Manual (OSSTMM)

OSSTMM can be used for most of the inspection types like penetration testing, ethical hacking and vulnerability assessment.

Get quality help now

Prof. Finch

Verified writer

Proficient in: Engineering

4.7 (346)

“ This writer never make an mistake for me always deliver long before due date. Am telling you man this writer is absolutely the best. ”

+84 relevant experts are online

Hire writer

It contains different penetration testing methodologies and different ways to improve the security and quality of the product (Herzog, 2003).There are 6 testing steps for OSSTMM, they are Information Security Testing, Information security testing, Process Security Testing, Internet Technology Security Testing, Communications Security Testing, Security Testing, Physical Security Testing.

Open Web Application Security Project (OWASP)

OWASP is a non-benefit association focused on rising PC code security. OWASP gives different apparatuses, aides and testing strategies for digital security underneath open source licenses, particularly, the OWASP Testing Guide (OTG) (Meucci, 2008). OTG is part into 3 essential areas, to be specific; the OWASP testing system for net application improvement, the net application testing philosophy, and detailing.

OWASP system is comprised of 5 stages: Information gathering, configuration management tests, Authentication testing, Session management tests, Authorization testing.

Information Systems Security Assessment Framework (ISSAF)

ISSAF makes an endeavour to shroud every single potential space of an penetration check from origination to finishing. The three essential stages are arranging and arrangement, evaluation, and, announcing and tidy up. The testing systems are again ventured into 9 stages: Information Gathering, Network Mapping, Vulnerability Identification, Penetration, Gaining Access and Privilege Escalation, Enumerating Further, Compromise Remote Users/Sites, Maintaining Access, Cover the Tracks.

Penetration Testing Execution Standard (PTES)

PTES defines penetration testing as 7 phases. PTES includes pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post exploitation, and reporting.

PTES gives specialized rules to what/how to check, clarification of testing and proposed testing devices and use.

Comparison:

As talked about over every one of the procedures have distinctive advances or periods of testing. PTES takes points of interest of various resources with the methodology of solidifying with various structures inside it, for example; OWASP for web application testing is referenced and recommended for using when testing web applications. PTES endeavours to make a standard for invasion tests whereby a security proficient has a reference for what's in store at any rate concerning entrance testing prerequisites. OSSTMM is fitting to a broad assortment of appraisals. OWASP has developed the test structure for web applications.

The traits of PTE don't demonstrate enough properties to be considered either a philosophy or system, as a result of insufficient documentation or free structure when appeared differently in relation to the more created systems assessed. It ought to be noticed that PTES can be moreover shaped into a structure therefore PTES masterminds as a benefit post-assessment. Both OSSTMM and OWASP agree with the pre-evaluation portrayal, for example it didn't change arrangement post-assessment. Viability is characterized as how a system can be comprehended, adjusted, upgraded or changed.

Penetration Testing Methodologies

SOP for PenTesting

Standard Operating Procedure (SOP) of an association is to empower the labourers to finish their normal exercises and to diminish the complexities of strategies. SOP ought to guarantee most extreme viability, security and no vulnerabilities. SOP for an association is depicted beneath:

Conclusion

Normal Penetration testing will keep up a safe and safe framework for the association. There are a few pen testing procedures accessible yet were not ready to be summed up crosswise over issue spaces. So it is critical to apply a penetration testing procedure that is reasonable for every association and foundation so as to accomplish the greatest effectiveness. A fruitful penetration test can't do anything useful for the improvement of the security framework. Moves ought to be made to understand the vulnerabilities in the framework to get most extreme favourable position.

SOP of PenTest ought to constantly helpful for any review types. SOP should deal with the dangers and dangers in security. Non-powerless framework ought to be acquired in the wake of completing every one of the periods of SOP. Each association ought to pursue a SOP for the safe working of their information and data.

References

1. Uzunov, A.V., Fernandez, E.B. and Falkner, K., 2012. “Engineering Security into Distributed Systems: A Survey of Methodologies.” J. UCS, 18(20), pp.2920-3006.
2. Von Solms, R. and Van Niekerk, J., 2013. “From information security to cyber security”. computers & security, 38, pp.97-102.
3. Weidman, G., 2014. “Penetration testing: a hands-on introduction to hacking”. California: No Starch Press.
4. Wilhelm, T., 2013. “Professional penetration testing: Creating and learning in a hacking lab”. Amsterdam: Newnes.
5. Wilhelm, T. and Andress, J., 2010. “Ninja hacking: Unconventional penetration testing tactics and techniques”. New York: Elsevier.
6. Herzog, P., 2003. “OSSTMM 2.1 Open-Source Security Testing Methodology Manual”. ISECOM.
7. Meucci, M., 2008. “OWASPTestingGuideV3.0”.OWASP.
8. Shanley, A., “Edith Cowan University: Selection of penetration testing methodologies: A comparison and evaluation”.
9. Wai, C. T., 2002. “Conducting a Penetration Test on an Organization”.
10. Weidman, G., “Penetration Testing: A Hands-On Introduction to Hacking”.
11. Sharpe, I., “Hacking: Basic Security, Penetration Testing and How to Hack”.
12. Shackleford, D., “A Penetration Testing Maturity and Scoring Model”.
13. Klevinsky, T. J., Laliberte, S., Gupta, A., “Hack I.T. - Security Through Penetration Testing”.
14. CynergisTek, Inc.. 2018. “Penetration Testing Methods and Frameworks.” [ONLINE] Available at: https://cynergistek.com/penetration-testing-methods-frameworks/.