You know what penetration testing is about, and possibly you have a certification like CEH or OSCP, but you wonder how to be more structured in your penetration testing methodology. At least, this is a question to which I am always trying to find a better answer. I would like to mention here a few resources which may help you to structure your approach.
Firstly, we may start by thinking about what the advantages of structuring our penetration testing would be: saved time, mapped dependencies, professional reports, the possibility of extending your team (business growth), a prerequisite for automation, and so on. You get the idea.
The first great resource comes from the NIST 800 series. It’s SP 800-115, called “Technical Guide to Information Security Testing and Assessment”. OK, I admit that it’s an old publication (from 2008), but just like many others in the NIST 800 series, it’s a great public document. The guide basically talks about:
- Review Techniques
- Target Identification and Analysis Techniques
- Target Vulnerability Validation Techniques
- Security Assessment Planning
- Security Assessment Execution
- Post Testing Activities
Needless to say, it’s a pretty easy-to-follow document and you don’t get bored while reading (or, am I…